Computer hijacked


Post by AngelsElf on Sat Apr 17, 2010 2:04 am

My main computer has something that is preventing me from accessing the internet and keeps giving me pop-ups asking me to buy software that can, of course, fix my problem. How can I get access to my main computer back and get rid of whatever it is that it has?

Thank you again

Joann

AngelsElf
Intermediate

Posts: 101
Joined: 2008-12-07
OS: Windows XP
Points: 30347
Likes: 0


Re: Computer hijacked

Post by Belahzur on Sat Apr 17, 2010 12:34 pm

Download [You must be registered and logged in to see this link.] by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre
Points: 245069
Likes: 1


Re: Computer hijacked

Post by AngelsElf on Sat Apr 17, 2010 3:18 pm

Sorry, I had to post this in 3 posts; it was too big for only one.


OTL logfile created on: 4/17/2010 11:24:23 AM - Run 1
OTL by OldTimer - Version 3.2.1.1 Folder = C:\Documents and Settings\User\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 79.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 3072 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 83.04 Gb Free Space | 55.72% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
Drive I: | 249.72 Mb Total Space | 66.44 Mb Free Space | 26.60% Space Free | Partition Type: FAT
Drive K: | 244.48 Mb Total Space | 244.48 Mb Free Space | 100.00% Space Free | Partition Type: FAT

Computer Name: ADMIN-42AEEB16E
Current User Name: User
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/04/17 11:23:57 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\My Documents\Downloads\OTL.exe
PRC - [2010/04/16 23:09:19 | 000,031,232 | ---- | M] () -- C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
PRC - [2010/04/16 19:22:01 | 000,189,952 | -HS- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\ave.exe
PRC - [2010/04/16 19:15:59 | 000,154,624 | ---- | M] () -- c:\Documents and Settings\User\Local Settings\Temp\xjq .exe
PRC - [2010/04/16 19:15:48 | 000,164,352 | ---- | M] () -- C:\WINDOWS\Xbeloa.exe
PRC - [2010/04/02 10:06:20 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/03/24 14:17:47 | 000,952,768 | ---- | M] (Adobe Systems Incorporated) -- c:\Program Files\Common Files\Adobe\ARM\1.0\adobearm .exe
PRC - [2010/03/18 00:21:52 | 000,136,176 | ---- | M] (Google Inc.) -- C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
PRC - [2010/02/11 13:53:39 | 000,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2010/02/11 13:53:26 | 000,119,200 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\afwServ.exe
PRC - [2009/12/21 18:35:18 | 000,640,440 | ---- | M] (Adobe Systems Inc.) -- c:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray .exe
PRC - [2009/10/15 17:29:52 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- c:\Program Files\Java\jre6\bin\jusched .exe
PRC - [2009/01/03 04:10:30 | 001,031,848 | ---- | M] (Beepa P/L) -- c:\Fraps\Fraps INfo\fraps .exe
PRC - [2008/09/16 12:03:18 | 000,169,312 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
PRC - [2008/08/28 19:34:14 | 013,145,448 | ---- | M] (Adobe Systems, Inc.) -- c:\Program Files\Adobe\Adobe Bridge CS4\bridge .exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/07/24 11:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) -- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
PRC - [2007/06/05 13:20:32 | 000,177,704 | ---- | M] () -- C:\WINDOWS\system32\PSIService.exe
PRC - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2004/06/16 06:03:04 | 000,081,920 | ---- | M] (InstallShield Software Corporation) -- c:\Program Files\Common Files\InstallShield\UpdateService\issch .exe


========== Modules (SafeList) ==========

MOD - [2010/04/17 11:23:57 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\My Documents\Downloads\OTL.exe
MOD - [2010/02/11 13:43:00 | 000,122,880 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\snxBorder.dll
MOD - [2010/02/11 13:41:09 | 000,135,168 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\snxPlugins.dll
MOD - [2009/01/03 04:07:04 | 000,188,416 | ---- | M] (Beepa P/L) -- c:\Fraps\Fraps INfo\fraps.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/02/11 13:53:39 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/02/11 13:53:39 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/02/11 13:53:39 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Start_Pending] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010/02/11 13:53:26 | 000,119,200 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\afwServ.exe -- (avast! Firewall)
SRV - [2009/10/06 12:03:28 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/09/16 12:03:18 | 000,169,312 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor7.0)
SRV - [2008/08/15 05:46:20 | 000,284,016 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe -- (Adobe Version Cue CS4)
SRV - [2007/07/24 11:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) [Auto | Running] -- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe -- (PSI_SVC_2)
SRV - [2007/06/05 13:20:32 | 000,177,704 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\PSIService.exe -- (ProtexisLicensing)
SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - [2010/02/11 13:44:07 | 000,102,480 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswFW.sys -- (aswFW)
DRV - [2010/02/11 13:43:50 | 000,291,920 | ---- | M] (ALWIL Software) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2010/02/11 13:43:30 | 000,195,408 | ---- | M] (ALWIL Software) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\aswNdis2.sys -- (aswNdis2)
DRV - [2010/02/11 13:42:34 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/02/11 13:42:13 | 000,162,512 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/02/11 13:39:01 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/02/11 13:38:34 | 000,100,432 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/02/11 13:38:23 | 000,019,024 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/02/11 13:38:07 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2010/01/09 16:22:02 | 000,012,112 | ---- | M] (ALWIL Software) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aswNdis.sys -- (aswNdis)
DRV - [2009/02/25 18:58:57 | 003,565,568 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2008/08/14 07:57:42 | 000,074,720 | ---- | M] (Adobe Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\adfs.sys -- (adfs)
DRV - [2008/04/14 00:15:30 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2008/04/14 00:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 22:06:06 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/12/06 09:51:00 | 000,285,952 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2007/07/16 11:29:34 | 000,017,432 | R--- | M] (Hewlett Packard) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hpfxbulk.sys -- (HPFXBULK)
DRV - [2005/09/23 18:56:28 | 003,966,976 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2001/08/17 12:17:44 | 000,042,432 | ---- | M] (Digi International, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\digirlpt.sys -- (DIGIRPS)
DRV - [2001/08/17 10:00:04 | 000,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="
FF - prefs.js..browser.search.selectedEngine: "Yahoo! Search"
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0

FF - HKLM\software\mozilla\Firefox\Extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}: C:\Documents and Settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c} [2009/07/14 00:02:02 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/14 15:42:28 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/07 15:05:29 | 000,000,000 | ---D | M]

[2009/05/24 18:51:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions
[2010/04/16 10:27:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions
[2009/07/05 22:30:15 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/14 19:25:50 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010/04/16 10:27:53 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/08/11 15:54:00 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\browserhighlighter@ebay.com
[2009/07/26 18:10:37 | 000,036,864 | ---- | M] (Homestead Technologies, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nphssb.dll

O1 HOSTS File: ([2004/08/04 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll ()
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe ()
O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe ()
O4 - HKLM..\Run: [Adobe_ID0ENQBO] C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\versio~2 .exe ()
O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe ()
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe ()
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe ()
O4 - HKLM..\Run: [net] C:\WINDOWS\System32\net.net (Privat)
O4 - HKLM..\Run: [QuickTime Task] c:\program files\quicktime\qttask .exe ()
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe ()
O4 - HKCU..\Run: [AdobeBridge] C:\Program Files\Adobe\Adobe Bridge CS4\Bridge.exe ()
O4 - HKCU..\Run: [Fraps] C:\Fraps\Fraps INfo\fraps .exe (Beepa P/L)
O4 - HKCU..\Run: [YVIBBBHA8C] c:\Documents and Settings\User\Local Settings\Temp\xjq .exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} [You must be registered and logged in to see this link.] (asusTek_sysctrl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_16)
O16 - DPF: Microsoft XML Parser for Java [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.138,93.188.161.123
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/05/22 15:22:37 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/12/07 13:33:04 | 000,000,000 | RHSD | M] - I:\autorun.inf -- [ FAT ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = secfile] -- "C:\Documents and Settings\User\Local Settings\Application Data\ave.exe" /START "%1" %* ()

========== Files/Folders - Created Within 30 Days ==========

[2010/04/16 21:39:19 | 000,162,512 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/04/16 21:39:19 | 000,019,024 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/04/16 21:39:18 | 000,291,920 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2010/04/16 21:39:18 | 000,102,480 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFW.sys
[2010/04/16 21:39:07 | 000,195,408 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswNdis2.sys
[2010/04/16 21:39:07 | 000,023,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/04/16 21:39:06 | 000,046,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/04/16 21:39:04 | 000,100,432 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/04/16 21:39:04 | 000,094,800 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/04/16 21:39:04 | 000,028,880 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/04/16 21:38:45 | 000,012,112 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswNdis.sys
[2010/04/16 21:38:44 | 000,153,184 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/04/16 21:38:44 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/04/16 19:24:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/04/16 19:24:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/04/16 19:24:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\avG
[2010/04/16 19:24:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avG
[2010/04/16 19:14:23 | 000,036,374 | ---- | C] (Privat) -- C:\WINDOWS\System32\net.net
[2010/04/14 09:48:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2010/04/11 16:11:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Google
[2010/04/11 15:46:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2010/04/11 15:46:09 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[2010/04/10 16:12:03 | 000,110,621 | ---- | C] (Digi International, Inc.) -- C:\WINDOWS\System32\dllcache\digirlpt.dll
[2010/04/10 16:12:03 | 000,110,621 | ---- | C] (Digi International, Inc.) -- C:\WINDOWS\System32\digirlpt.dll
[2010/04/10 16:12:03 | 000,042,432 | ---- | C] (Digi International, Inc.) -- C:\WINDOWS\System32\drivers\digirlpt.sys
[2010/04/10 16:12:03 | 000,042,432 | ---- | C] (Digi International, Inc.) -- C:\WINDOWS\System32\dllcache\digirlpt.sys
[2010/04/07 15:05:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2010/04/06 16:59:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/03/27 14:29:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2010/03/23 10:30:03 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/03/23 10:29:39 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Apple
[2010/03/23 10:29:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\Apple
[2010/03/23 10:29:26 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2010/03/23 10:29:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple
[2010/03/23 10:29:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\Apple Computer
[2009/10/25 22:51:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2009/10/25 22:51:47 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/08/03 18:35:13 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/08/03 18:35:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/08/03 18:35:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2007/05/22 16:10:37 | 001,241,088 | ---- | C] (Auto FX Software) -- C:\Program Files\PGE_PlugIn.8bf
[1998/05/31 00:00:00 | 000,295,696 | ---- | C] (Microsoft Corporation) -- C:\Program Files\Common Files\MSJTOR35.DLL
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/17 11:26:36 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-602162358-725345543-1003UA.job
[2010/04/17 11:21:10 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/17 11:13:06 | 000,000,244 | -H-- | M] () -- C:\WINDOWS\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
[2010/04/17 11:07:26 | 000,000,292 | -H-- | M] () -- C:\WINDOWS\tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
[2010/04/17 11:07:26 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/17 11:07:21 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/04/17 11:04:43 | 000,009,582 | -HS- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\B8u2j7
[2010/04/17 11:04:43 | 000,009,582 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\B8u2j7
[2010/04/17 11:04:39 | 000,009,574 | -HS- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\3040322509
[2010/04/17 11:02:47 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/17 01:51:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/17 01:07:48 | 000,009,578 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\3040322509
[2010/04/17 01:00:36 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2010/04/17 00:26:36 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-602162358-725345543-1003Core.job
[2010/04/17 00:02:36 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2010/04/16 23:34:17 | 000,004,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rdpcdd.sys
[2010/04/16 23:09:34 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At24.job
[2010/04/16 23:09:34 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
[2010/04/16 23:09:34 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2010/04/16 23:09:34 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2010/04/16 23:09:34 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2010/04/16 23:09:34 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
[2010/04/16 23:09:34 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
[2010/04/16 23:09:34 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
[2010/04/16 23:09:31 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
[2010/04/16 23:09:31 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
[2010/04/16 23:09:31 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
[2010/04/16 23:09:31 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At6.job
[2010/04/16 23:09:31 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
[2010/04/16 23:09:31 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2010/04/16 23:09:31 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2010/04/16 23:09:31 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
[2010/04/16 23:09:31 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
[2010/04/16 23:09:31 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
[2010/04/16 23:09:31 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
[2010/04/16 23:09:31 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
[2010/04/16 23:09:31 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
[2010/04/16 23:09:31 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
[2010/04/16 23:07:31 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/04/16 22:57:32 | 006,291,456 | -H-- | M] () -- C:\Documents and Settings\User\NTUSER.DAT
[2010/04/16 21:39:34 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\User\ntuser.ini
[2010/04/16 21:39:20 | 000,001,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Internet Security.lnk
[2010/04/16 21:39:05 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/04/16 21:31:15 | 000,000,004 | ---- | M] () -- C:\Program Files\6413406.dat
[2010/04/16 21:31:15 | 000,000,004 | ---- | M] () -- C:\Program Files\6413296.dat
[2010/04/16 21:31:15 | 000,000,004 | ---- | M] () -- C:\Program Files\6413203.dat
[2010/04/16 21:31:15 | 000,000,004 | ---- | M] () -- C:\Program Files\6413031.dat
[2010/04/16 19:28:50 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/04/16 19:22:01 | 000,189,952 | -HS- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\ave.exe
[2010/04/16 19:16:38 | 000,001,268 | -HS- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\IGI4W75
[2010/04/16 19:16:38 | 000,001,268 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\IGI4W75
[2010/04/16 19:15:48 | 000,164,352 | ---- | M] () -- C:\WINDOWS\Xbeloa.exe
[2010/04/16 19:14:23 | 000,036,374 | ---- | M] (Privat) -- C:\WINDOWS\System32\net.net
[2010/04/16 10:19:50 | 000,002,516 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
[2010/04/16 10:19:49 | 000,002,549 | ---- | M] () -- C:\Documents and Settings\User\Desktop\CorelDRAW X4.lnk
[2010/04/14 03:02:56 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/10 14:29:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/04/06 16:59:57 | 000,001,712 | ---- | M] () -- C:\Documents and Settings\User\Desktop\avast! Free Antivirus.lnk
[2010/03/20 16:46:16 | 000,005,018 | -HS- | M] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/16 21:39:20 | 000,001,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Internet Security.lnk
[2010/04/16 21:31:15 | 000,000,004 | ---- | C] () -- C:\Program Files\6413406.dat
[2010/04/16 21:31:15 | 000,000,004 | ---- | C] () -- C:\Program Files\6413296.dat
[2010/04/16 21:31:15 | 000,000,004 | ---- | C] () -- C:\Program Files\6413203.dat
[2010/04/16 21:31:15 | 000,000,004 | ---- | C] () -- C:\Program Files\6413031.dat
[2010/04/16 19:47:38 | 000,009,578 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3040322509
[2010/04/16 19:47:38 | 000,009,574 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\3040322509
[2010/04/16 19:22:01 | 000,009,582 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\B8u2j7
[2010/04/16 19:22:01 | 000,009,582 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\B8u2j7
[2010/04/16 19:16:33 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At9.job
[2010/04/16 19:16:33 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At8.job
[2010/04/16 19:16:33 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At7.job
[2010/04/16 19:16:33 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At6.job
[2010/04/16 19:16:33 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At5.job
[2010/04/16 19:16:33 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At4.job
[2010/04/16 19:16:33 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At3.job
[2010/04/16 19:16:33 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At24.job
[2010/04/16 19:16:33 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At23.job
[2010/04/16 19:16:33 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At22.job
[2010/04/16 19:16:33 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At21.job
[2010/04/16 19:16:33 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At20.job
[2010/04/16 19:16:33 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At2.job
[2010/04/16 19:16:33 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At19.job
[2010/04/16 19:16:33 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At18.job
[2010/04/16 19:16:33 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At17.job
[2010/04/16 19:16:33 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At16.job
[2010/04/16 19:16:33 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At15.job
[2010/04/16 19:16:33 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At14.job
[2010/04/16 19:16:33 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At13.job
[2010/04/16 19:16:33 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At12.job
[2010/04/16 19:16:33 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At11.job
[2010/04/16 19:16:33 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At10.job
[2010/04/16 19:16:33 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At1.job
[2010/04/16 19:16:32 | 000,189,952 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\ave.exe
[2010/04/16 19:16:32 | 000,001,268 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\IGI4W75
[2010/04/16 19:16:32 | 000,001,268 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\IGI4W75
[2010/04/16 19:16:02 | 000,000,292 | -H-- | C] () -- C:\WINDOWS\tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
[2010/04/16 19:15:56 | 000,164,352 | ---- | C] () -- C:\WINDOWS\Xbeloa.exe
[2010/04/16 19:15:50 | 000,000,244 | -H-- | C] () -- C:\WINDOWS\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
[2010/04/16 19:15:30 | 000,020,000 | ---- | C] () -- C:\WINDOWS\System32\x7pwf26.dll
[2010/04/11 15:46:12 | 000,000,882 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/11 15:46:12 | 000,000,878 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/04/06 16:59:57 | 000,001,712 | ---- | C] () -- C:\Documents and Settings\User\Desktop\avast! Free Antivirus.lnk
[2010/03/23 10:29:30 | 000,000,284 | ---- | C] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/07/29 13:28:40 | 000,000,070 | ---- | C] () -- C:\WINDOWS\polite.ini
[2009/07/07 19:13:11 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/07/07 19:13:10 | 000,009,216 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/06/10 21:49:38 | 000,000,120 | ---- | C] () -- C:\WINDOWS\WINRESAZ.INI
[2009/06/10 20:51:16 | 000,000,151 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/05/24 22:32:27 | 000,002,516 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
[2009/05/24 22:32:27 | 000,000,008 | RHS- | C] () -- C:\Documents and Settings\All Users\Application Data\16071871B6.sys
[2009/05/24 19:42:36 | 000,005,018 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2009/05/24 19:42:36 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\16071871B6.sys
[2009/05/24 19:15:32 | 000,000,306 | ---- | C] () -- C:\Program Files\Shortcut to My Documents.lnk
[2009/05/22 21:47:28 | 000,000,000 | ---- | C] () -- C:\WINDOWS\lgfwup.ini
[2009/05/22 21:29:30 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/05/22 19:00:48 | 000,024,423 | ---- | C] () -- C:\Documents and Settings\User\CCCInstall_200905221900489687.log
[2009/05/22 15:26:41 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\User\ntuser.ini
[2009/05/22 15:26:40 | 000,024,576 | -H-- | C] () -- C:\Documents and Settings\User\ntuser.dat.LOG
[2009/05/22 15:26:39 | 006,291,456 | -H-- | C] () -- C:\Documents and Settings\User\NTUSER.DAT
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Alternate Data Streams ==========

@Alternate Data Stream - 487 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:05EE1EEF
< End of report >


Last edited by AngelsElf on Sat Apr 17, 2010 11:55 pm; edited 1 time in total

AngelsElf
Intermediate
Posts: 101
Joined: 2008-12-07
OS: Windows XP
Points: 30347
Likes: 0

Re: Computer hijacked

Post by AngelsElf on Sat Apr 17, 2010 3:43 pm

OTL Extras logfile created on: 4/17/2010 11:24:23 AM - Run 1
OTL by OldTimer - Version 3.2.1.1 Folder = C:\Documents and Settings\User\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 79.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 3072 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 83.04 Gb Free Space | 55.72% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
Drive I: | 249.72 Mb Total Space | 66.44 Mb Free Space | 26.60% Space Free | Partition Type: FAT
Drive K: | 244.48 Mb Total Space | 244.48 Mb Free Space | 100.00% Space Free | Partition Type: FAT

Computer Name: ADMIN-42AEEB16E
Current User Name: User
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.exe [@ = secfile] -- C:\Documents and Settings\User\Local Settings\Application Data\ave.exe ()
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"5353:TCP" = 5353:TCP:*:Enabled:Adobe CSI CS4
"3703:TCP" = 3703:TCP:*:Enabled:Adobe Version Cue CS4 Server
"3704:TCP" = 3704:TCP:*:Enabled:Adobe Version Cue CS4 Server
"51000:TCP" = 51000:TCP:*:Enabled:Adobe Version Cue CS4 Server
"51001:TCP" = 51001:TCP:*:Enabled:Adobe Version Cue CS4 Server

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"D:\CDS\Nero\Installation\SetupX.exe" = D:\CDS\Nero\Installation\SetupX.exe:*:Enabled:Nero ProductSetup -- File not found
"C:\Program Files\Common Files\Ahead\Nero Web\SetupX.exe" = C:\Program Files\Common Files\Ahead\Nero Web\SetupX.exe:*:Enabled:Nero ProductSetup -- (Nero AG)
"C:\Documents and Settings\User\Local Settings\Temp\Nero Web\SetupXu.exe" = C:\Documents and Settings\User\Local Settings\Temp\Nero Web\SetupXu.exe:*:Enabled:Nero ProductSetup -- File not found
"C:\Program Files\PlayOnline\SquareEnix\PlayOnlineViewer\pol.exe" = C:\Program Files\PlayOnline\SquareEnix\PlayOnlineViewer\pol.exe:*:Enabled:PlayOnline Viewer -- (SQUARE ENIX CO., LTD.)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" = C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4 -- ()
"C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe" = C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe:*:Enabled:Adobe Version Cue CS4 Server -- (Adobe Systems Incorporated)
"C:\Documents and Settings\User\Local Settings\Temp\Xjp.exe" = C:\Documents and Settings\User\Local Settings\Temp\Xjp.exe:*:Disabled:Xjp -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"_{7F05E704-30A6-421A-97A7-8EEB1C7FF010}" = CorelDRAW(R) Graphics Suite X4
"_{CE2DA11A-917F-4CF5-AB55-755EC115DD10}" = CorelDRAW(R) Graphics Suite X4 - Windows Shell Extension
"{00ADFB20-AE75-46F4-AD2C-F48B15AC3100}" = Adobe Color NA Recommended Settings CS4
"{0433C03E-D2F5-49BC-AC8F-688D7A2230D4}" = Customizer 19010
"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
"{054EFA56-2AC1-48F4-A883-0AB89874B972}" = Adobe Extension Manager CS4
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{08C0729E-3E50-11DF-9D81-005056806466}" = Google Earth
"{098727E1-775A-4450-B573-3F441F1CA243}" = kuler
"{0D6013AB-A0C7-41DC-973C-E93129C9A29F}" = Adobe Color JA Extra Settings CS4
"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4
"{11FC22F2-F582-40ED-B787-2C1FDC04CB3B}" = CorelDRAW Graphics Suite X4 - IPM
"{14F70205-1940-4000-88C7-BE799A6B2CAD}" = Adobe Soundbooth CS4
"{15BF7AAF-846C-4A6D-80E1-5D1FC7FB461B}" = Adobe SGM CS4
"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
"{16E16F01-2E2D-4248-A42F-76261C147B6C}" = Adobe Drive CS4
"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB
"{1B7C06E1-4888-47A6-992A-0990B9683486}" = Adobe Version Cue CS4 Server
"{1DCA3EAA-6EB5-4563-A970-EA14D75037BA}" = Adobe InDesign CS4
"{1E04CB54-AF4E-4AC3-B4B7-C0A160BE57F1}" = Adobe InDesign CS4 Icon Handler
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = DVD Suite
"{2168245A-B5AD-40D8-A641-48E3E070B5B6}" = Adobe Flash CS4 STI-en
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java(TM) 6 Update 16
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{297190A1-4B0D-4CD6-8B9F-3907F15C3FD8}" = Adobe CS4 American English Speech Analysis Models
"{2BAF2B96-7560-48B4-87D4-10178DDBE217}" = Adobe InDesign CS4 Application Feature Set Files (Roman)
"{30C8AA56-4088-426F-91D1-0EDFD3A25678}" = Adobe Dreamweaver CS4
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}" = PDF Settings CS4
"{39F6E2B4-CFE8-C30A-66E8-489651F0F34C}" = Adobe Media Player
"{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4
"{3A6829EF-0791-4FDD-9382-C690DD0821B9}" = Adobe Flash Player 10 ActiveX
"{3C0619B4-4A2C-4244-8077-488E420DF907}" = FINAL FANTASY XI: Chains of Promathia
"{3D2C9DE6-9ADE-4252-A241-E43723B0CE02}" = Adobe Color - Photoshop Specific CS4
"{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}" = Adobe WinSoft Linguistics Plugin
"{428FDF9F-E010-4C4C-A8BB-156960AFCA1C}" = Adobe Fireworks CS4
"{4324BC93-C82F-ED16-BA86-5E34B9E05303}" = ccc-core-static
"{43509E18-076E-40FE-AF38-CA5ED400A5A9}" = Pixel Bender Toolkit
"{44A27085-0616-4181-A0C3-81C7ECA17F73}" = CorelDRAW Graphics Suite X4
"{44E240EC-2224-4078-A88B-2CEE0D3016EF}" = Adobe After Effects CS4 Presets
"{45EC816C-0771-4C14-AE6D-72D1B578F4C8}" = Adobe After Effects CS4
"{47004155-7376-403E-89E9-4C9F44AAF0D0}" = PlayOnline Viewer and Tetra Master
"{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}" = Adobe Service Manager Extension
"{4A52555C-032A-4083-BDD9-6A85ABFB39A8}" = Adobe SING CS4
"{4ED118EE-785C-CC18-5D2E-D5CA4BAA03F0}" = Catalyst Control Center Graphics Full New
"{500FB6E8-7127-11D8-9EFC-00B0D083537B}" = SoapMaker
"{52232EF4-CC12-4C21-ABCF-ADB79618302D}" = Adobe Soundbooth CS4 Codecs
"{539475B7-44B7-8B0A-134C-F01B9C8B7569}" = ccc-core-preinstall
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{5570C7F0-43D0-4916-8A9E-AEDD52FA86F4}" = Adobe Color EU Extra Settings CS4
"{561968FD-56A1-49FD-9ED0-F55482C7C5BC}" = Adobe Media Encoder CS4 Exporter
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{5AC7AE54-55DF-1126-076C-623F008D40B6}" = Catalyst Control Center Graphics Full Existing
"{5B037ED7-0755-48D4-9554-808E5AF50F17}" = FINAL FANTASY XI: Wings of the Goddess
"{5B71C1EA-BB66-4E5B-A8E2-3A8EC979CC5B}" = SoapMaker3
"{5EAD5443-7194-46CC-A055-428E6ABB1BAF}" = Adobe Encore CS4
"{60DB5894-B5A1-4B62-B0F3-669A22C0EE5D}" = Adobe Dynamiclink Support
"{61D6891E-E822-4448-9F9A-0AAAAEB6AF6C}" = Adobe Creative Suite 4 Master Collection
"{6351D217-3EE3-1967-29BE-6A77635FE485}" = Skins
"{63C24A08-70F3-4C8E-B9FB-9F21A903801D}" = Adobe Color Video Profiles CS CS4
"{63E5CDBF-8214-4F03-84F8-CD3CE48639AD}" = Adobe Photoshop CS4 Support
"{64E72FB1-2343-4977-B4A8-262CD53D0BD3}" = Corel Paint Shop Pro Photo X2
"{678F6475-D227-432A-94FF-806178A34520}" = FINAL FANTASY XI
"{67A9747A-E1F5-4E9A-81CC-12B5D5B81B6E}" = Adobe After Effects CS4 Third Party Content
"{67F0E67A-8E93-4C2C-B29D-47C48262738A}" = Adobe Device Central CS4
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{68243FF8-83CA-466B-B2B8-9F99DA5479C4}" = AdobeColorCommonSetCMYK
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6AB9CD3A-F91F-233B-923B-6C59BA63524D}" = Catalyst Control Center HydraVision Full
"{6FC76C41-8C1D-4B43-85E7-0BAA2002F1BE}" = FINAL FANTASY XI: Rise of the Zilart
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7406DF60-016D-476B-A2C7-55D997592047}" = Adobe OnLocation CS4
"{793D1D88-6141-43DE-BE58-59BCE31B4090}" = Adobe Flash CS4 Extension - Flash Lite STI en
"{7CC7BDD5-6F10-4724-96A1-EAC7D9F2831C}" = Adobe InDesign CS4 Common Base Files
"{7F05E704-30A6-421A-97A7-8EEB1C7FF010}" = CorelDRAW Graphics SUite X4 - ICA
"{7F05E704-30A6-421A-97A7-8EEB1C7FF012}" = CorelDRAW Graphics Suite X4 - Capture
"{7F05E704-30A6-421A-97A7-8EEB1C7FF013}" = CorelDRAW Graphics Suite X4 - Draw
"{7F05E704-30A6-421A-97A7-8EEB1C7FF014}" = CorelDRAW Graphics Suite X4 - PP
"{7F05E704-30A6-421A-97A7-8EEB1C7FF016}" = CorelDRAW Graphics Suite X4 - Content
"{7F05E704-30A6-421A-97A7-8EEB1C7FF017}" = CorelDRAW Graphics Suite X4 - Filters
"{7F05E704-30A6-421A-97A7-8EEB1C7FF019}" = CorelDRAW Graphics Suite X4 - FontNav
"{7F05E704-30A6-421A-97A7-8EEB1C7FF100}" = CorelDRAW Graphics Suite X4 - Lang EN
"{8186FF34-D389-4B7E-9A2F-C197585BCFBD}" = Adobe Media Encoder CS4 Importer
"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
"{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4
"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
"{85A91C22-C369-FCFB-5F1F-D59EB21AD0E1}" = CCC Help English
"{87532CAB-7932-4F84-8937-823337622807}" = Adobe Illustrator CS4
"{8B7917E0-AF55-4E8A-9473-017F0AA03AC8}" = QuickTime
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{931AB7EA-3656-4BB7-864D-022B09E3DD67}" = Adobe Linguistics CS4
"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
"{9DE3F260-B88E-42CE-90E7-73C78C37D95E}" = 32 Bit HP BiDi Channel Components Installer
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A606C6FF-12E7-40BE-B777-D8F360FF00CD}" = FINAL FANTASY XI: Treasures of Aht Urhgan
"{A6D0140F-E62F-9D1E-2408-9CFF91FF6FC8}" = ccc-utility
"{A6EC82A0-1414-475D-8AFD-469089F3080D}" = Adobe Contribute CS4
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-1033-F400-7760-000000000004}" = Adobe Acrobat 9 Pro - English, Français, Deutsch
"{AC76BA86-1033-F400-7760-000000000004}_931" = Adobe Acrobat 9.3.1 - CPSID_50570
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AFBBF30D-ADA9-4313-464E-14458B6BE034}" = PhotoshopdotcomInspirationBrowser
"{B05DE7B7-0B40-4411-BD4B-222CAE2D8F15}" = Adobe MotionPicture Color Files CS4
"{B15381DD-FF97-4FCD-A881-ED4DB0975500}" = Adobe Color Video Profiles AE CS4
"{B169BC97-B8AA-4ACA-9CF2-9D0FF5BABDF7}" = Adobe Premiere Pro CS4 Functional Content
"{B29AD377-CC12-490A-A480-1452337C618D}" = Connect
"{B61D21B6-469D-4423-B161-62DB20B8A70E}" = Visual Basic for Applications (R) Core - English
"{B65BA85C-0A27-4BC0-A22D-A66F0E5B9494}" = Adobe Photoshop CS4
"{B9F4561A-924D-4510-A85A-BB0960C338CB}" = Adobe Asset Services CS4
"{BB4E33EC-8181-4685-96F7-8554293DEC6A}" = Adobe Output Module
"{BE9CEAAA-F069-4331-BF2F-8D350F6504F4}" = Adobe Media Encoder CS4 Additional Exporter
"{BF439B41-0252-48DE-8B8B-0430CB26A181}" = CorelDRAW Graphics Suite X4 - VBA
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C44A7422-E380-44BE-79FE-1C032D8A03A7}" = Catalyst Control Center Core Implementation
"{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
"{C938BE91-3BB5-4B84-9EF6-88F0505D0038}" = Adobe Premiere Pro CS4 Third Party Content
"{C950420B-4182-49EA-850A-A6A2ABF06C6B}" = Marvell Miniport Driver
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CB6075D9-F912-40AE-BEA6-E590DA24F16B}" = Adobe Photoshop Elements 7.0
"{CC75AB5C-2110-4A7F-AF52-708680D22FE8}" = Photoshop Camera Raw
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B8}" = WinZip 12.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE2DA11A-917F-4CF5-AB55-755EC115DD10}" = CorelDRAW(R) Graphics Suite X4 - Windows Shell Extension
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{D3B1C799-CB73-42DE-BA0F-2344793A095C}" = Catalyst Control Center - Branding
"{D499F8DE-3F31-4900-9157-61061613704B}" = Adobe Premiere Pro CS4
"{DB81779E-7CC5-4630-BCFC-754004956444}" = Visual Basic for Applications (R) Core
"{DEB90B8E-0DCB-48CE-B90E-8842A2BD643E}" = Adobe Media Encoder CS4
"{E5D24929-91A4-B0A1-DE00-AFC453921EF7}" = Catalyst Control Center Graphics Light
"{E6C09BFB-BA75-15C7-5B18-A2CE31C4F42B}" = Catalyst Control Center Graphics Previews Common
"{E8EE9410-8AC4-4F43-A626-DDECA75C79F3}" = Adobe Setup
"{EE353798-E875-42E0-B58D-7E6696182EA8}" = Adobe Media Encoder CS4 Dolby
"{F0E64E2E-3A60-40D8-A55D-92F6831875DA}" = Adobe Search for Help
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F1362843-0E0E-4F74-8662-724CF101ADCE}" = Skype web features
"{F6E99614-F042-4459-82B7-8B38B2601356}" = Adobe Flash CS4
"{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}" = Adobe Extendscript Toolkit CS4
"{F90D6825-8F1F-4E3A-9E42-A9C8A9DD1033}" = Nero 7 Essentials
"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
"{FB2A5FCC-B81B-48C2-A009-7804694D83E9}" = Adobe Encore CS4 Codecs
"{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}" = Adobe Fonts All
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop Elements 7" = Adobe Photoshop Elements 7.0
"Adobe_b2d6abde968e6f277ddbfd501383e02" = Adobe Creative Suite 4 Master Collection
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"avast5" = avast! Internet Security
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"Electronic Shipping Tools" = Electronic Shipping Tools
"Embird 2008" = Embird 2008
"Fraps" = Fraps
"HijackThis" = HijackThis 2.0.2
"Homestead SiteBuilder" = Homestead SiteBuilder
"ie8" = Windows Internet Explorer 8
"InstallShield_{3C0619B4-4A2C-4244-8077-488E420DF907}" = FINAL FANTASY XI: Chains of Promathia
"InstallShield_{47004155-7376-403E-89E9-4C9F44AAF0D0}" = PlayOnline Viewer and Tetra Master
"InstallShield_{5B037ED7-0755-48D4-9554-808E5AF50F17}" = FINAL FANTASY XI: Wings of the Goddess
"InstallShield_{678F6475-D227-432A-94FF-806178A34520}" = FINAL FANTASY XI
"InstallShield_{6FC76C41-8C1D-4B43-85E7-0BAA2002F1BE}" = FINAL FANTASY XI: Rise of the Zilart
"InstallShield_{A606C6FF-12E7-40BE-B777-D8F360FF00CD}" = FINAL FANTASY XI: Treasures of Aht Urhgan
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"net" = Advertisement Service
"PGE" = Uninstall PGE
"PhotoshopdotcomInspirationBrowser.4C35C4D325D350FE0114230CBADCA2DDD0AC8D25.1" = Adobe Photoshop.com Inspiration Browser
"SEDS II Achiever V3.2 (Demo)" = SEDS II Achiever V3.2 (Demo)
"SEDS II Anchor V3.2 (Demo)" = SEDS II Anchor V3.2 (Demo)
"StitchTools Lettering V3.0 (Demo)" = StitchTools Lettering V3.0 (Demo)
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinZip E-Mail Companion" = WinZip E-Mail Companion
"WinZip Self-Extractor" = WinZip Self-Extractor
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"WriteItNow Novel Writing Software 4.0.2" = WriteItNow Novel Writing Software 4.0.2
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/17/2010 11:24:40 AM | Computer Name = ADMIN-42AEEB16E | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 4/17/2010 11:24:40 AM | Computer Name = ADMIN-42AEEB16E | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 4/17/2010 11:24:40 AM | Computer Name = ADMIN-42AEEB16E | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 4/17/2010 11:24:40 AM | Computer Name = ADMIN-42AEEB16E | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 4/17/2010 11:24:40 AM | Computer Name = ADMIN-42AEEB16E | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 4/17/2010 11:24:40 AM | Computer Name = ADMIN-42AEEB16E | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 4/17/2010 11:24:40 AM | Computer Name = ADMIN-42AEEB16E | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 4/17/2010 11:24:45 AM | Computer Name = ADMIN-42AEEB16E | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: A connection with the server could not be established

Error - 4/17/2010 11:28:08 AM | Computer Name = ADMIN-42AEEB16E | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: A connection with the server could not be established

Error - 4/17/2010 11:28:15 AM | Computer Name = ADMIN-42AEEB16E | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

[ System Events ]
Error - 4/17/2010 11:03:07 AM | Computer Name = ADMIN-42AEEB16E | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 4/17/2010 11:08:10 AM | Computer Name = ADMIN-42AEEB16E | Source = Service Control Manager | ID = 7022
Description = The avast! Antivirus service hung on starting.

Error - 4/17/2010 11:12:30 AM | Computer Name = ADMIN-42AEEB16E | Source = Service Control Manager | ID = 7022
Description = The avast! Antivirus service hung on starting.

Error - 4/17/2010 11:12:30 AM | Computer Name = ADMIN-42AEEB16E | Source = Service Control Manager | ID = 7001
Description = The avast! Mail Scanner service depends on the avast! Antivirus service
which failed to start because of the following error: %%1070

Error - 4/17/2010 11:16:50 AM | Computer Name = ADMIN-42AEEB16E | Source = Service Control Manager | ID = 7022
Description = The avast! Antivirus service hung on starting.

Error - 4/17/2010 11:16:50 AM | Computer Name = ADMIN-42AEEB16E | Source = Service Control Manager | ID = 7001
Description = The avast! Mail Scanner service depends on the avast! Antivirus service
which failed to start because of the following error: %%1070

Error - 4/17/2010 11:21:10 AM | Computer Name = ADMIN-42AEEB16E | Source = Service Control Manager | ID = 7022
Description = The avast! Antivirus service hung on starting.

Error - 4/17/2010 11:21:10 AM | Computer Name = ADMIN-42AEEB16E | Source = Service Control Manager | ID = 7001
Description = The avast! Web Scanner service depends on the avast! Antivirus service
which failed to start because of the following error: %%1070

Error - 4/17/2010 11:25:31 AM | Computer Name = ADMIN-42AEEB16E | Source = Service Control Manager | ID = 7022
Description = The avast! Antivirus service hung on starting.

Error - 4/17/2010 11:25:31 AM | Computer Name = ADMIN-42AEEB16E | Source = Service Control Manager | ID = 7001
Description = The avast! Mail Scanner service depends on the avast! Antivirus service
which failed to start because of the following error: %%1070


< End of report >

AngelsElf
Intermediate
Posts: 101
Joined: 2008-12-07
OS: Windows XP
Points: 30347
Likes: 0
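
Editor's added example (not part of this thread, of OTL or of ComboFix): the two logs above carry the fingerprints of a rogue-antivirus infection, and they are worth pulling out mechanically rather than by eye. In OTL.txt, twenty-four At1.job to At24.job tasks appear with a single creation timestamp, a hidden+system ave.exe with no vendor string sits in Local Settings\Application Data, and a bare Xbeloa.exe with no vendor string sits directly in C:\WINDOWS. In Extras.txt, the per-user .exe association reads `.exe [@ = secfile]` and resolves to that same ave.exe (HKCU\Software\Classes overrides HKLM for that user, so every program launched from the shell goes through ave.exe first), and Security Center shows AntiVirusOverride and FirewallOverride set with the Windows Firewall disabled in both profiles. The Python below re-parses a handful of lines copied from those logs (a constructed sample) and flags each of these. Which directories count as user-writable, and the threshold of three At*.job files in one second, are the editor's assumptions, not OTL rules.

```python
"""Triage OTL log lines for the rogue-antivirus indicators seen in this thread.

Added example by the editor; it is not part of the thread, of OTL or of ComboFix.
The heuristics (which paths count as user-writable, the At*.job burst threshold)
are the editor's assumptions, not OTL rules.
"""
import re
from collections import Counter

# Constructed sample: lines copied verbatim from the OTL.txt and Extras.txt posted above.
SAMPLE_LOG = r"""
[2010/04/16 19:16:33 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At9.job
[2010/04/16 19:16:33 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At8.job
[2010/04/16 19:16:33 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At7.job
[2010/04/16 19:16:32 | 000,189,952 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\ave.exe
[2010/04/16 19:15:56 | 000,164,352 | ---- | C] () -- C:\WINDOWS\Xbeloa.exe
[2010/04/11 15:46:12 | 000,000,882 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.exe [@ = secfile] -- C:\Documents and Settings\User\Local Settings\Application Data\ave.exe ()
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = 1
"FirewallOverride" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"""

# "[created timestamp | size | attributes | C] (vendor) -- path" from OTL's file lists
FILE_RE = re.compile(
    r"^\[(?P<ts>[\d/ :]+) \| (?P<size>[\d,]+) \| (?P<attr>[-A-Z]{4}) \| C\] "
    r"\((?P<vendor>[^)]*)\) -- (?P<path>.+)$"
)
# ".exe [@ = progid] -- handler (vendor)" from the File Associations section
ASSOC_RE = re.compile(r"^\.exe \[@ = (?P<progid>\w+)\] -- (?P<path>.+?) \((?P<vendor>[^)]*)\)$")
# '"Name" = number' from the Security Center / firewall policy sections
KEYVAL_RE = re.compile(r'^"(?P<name>[A-Za-z]+)" = (?P<val>\d+)$')

# Assumption: anything under the user profile or a Temp directory is user-writable
# and is not where a legitimate .exe handler or a system binary should live.
USER_WRITABLE = ("\\documents and settings\\", "\\local settings\\",
                 "\\application data\\", "\\temp\\")
AT_JOB_BURST = 3  # assumption: this many At*.job files with one timestamp is a burst


def triage(log_text):
    """Return a list of (indicator, detail) pairs found in OTL-style log text."""
    findings = []
    at_job_times = Counter()
    for line in log_text.splitlines():
        m = FILE_RE.match(line)
        if m:
            path = m["path"]
            low = path.lower()
            attr = m["attr"]
            if re.search(r"\\at\d+\.job$", low):
                at_job_times[m["ts"]] += 1
            # hidden+system executable with no vendor string dropped into the profile
            if (low.endswith(".exe") and "H" in attr and "S" in attr
                    and any(s in low for s in USER_WRITABLE) and not m["vendor"]):
                findings.append(("hidden_system_exe_in_profile", path))
            # bare executable with no vendor string dropped directly into %SystemRoot%
            if re.fullmatch(r"c:\\windows\\[^\\]+\.exe", low) and not m["vendor"]:
                findings.append(("unsigned_exe_in_systemroot", path))
            continue
        m = ASSOC_RE.match(line)
        if m:
            # .exe should resolve to exefile -> "%1" %*; anything else means every
            # program the user starts from the shell is launched via the handler
            if m["progid"] != "exefile" or any(s in m["path"].lower() for s in USER_WRITABLE):
                findings.append(("exe_association_hijack", m["path"]))
            continue
        m = KEYVAL_RE.match(line)
        if m:
            name, val = m["name"], int(m["val"])
            if name in ("AntiVirusOverride", "FirewallOverride") and val == 1:
                findings.append(("security_center_override", name))
            elif name == "EnableFirewall" and val == 0:
                findings.append(("firewall_disabled", name))
    for ts, n in at_job_times.items():
        if n >= AT_JOB_BURST:
            findings.append(("at_job_burst", f"{n} At*.job tasks created at {ts}"))
    return findings


if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_LOG):
        print(f"{indicator:30} {detail}")
```

Run as-is it prints the seven findings for the embedded sample; on a real pair of logs, pass the file contents to `triage()`. Each check deliberately pairs a location with a second signal (missing vendor string, hidden+system attributes, a non-standard ProgID) rather than reacting to hidden attributes alone, which is why the hidden .sys files under All Users\Application Data in the same log are not flagged: a hidden file by itself is not evidence.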

Re: Computer hijacked

Post by Belahzur on Sat Apr 17, 2010 7:15 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double-click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a ComboFix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.

  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre
Points: 245069
Likes: 1

Re: Computer hijacked

Post by AngelsElf on Sat Apr 17, 2010 8:35 pm

ComboFix 10-04-17.01 - User 04/17/2010 16:12:15.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3199.2790 [GMT -4:00]
Running from: c:\geek police stuff\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\User\LOCALS~1\Temp\csrss.exe
c:\docume~1\User\LOCALS~1\Temp\lsass.exe
c:\docume~1\User\LOCALS~1\Temp\services.exe
c:\docume~1\User\LOCALS~1\Temp\svchost.exe
c:\documents and settings\User\Local Settings\Application Data\ave.exe
c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
c:\documents and settings\User\Local Settings\Temporary Internet Files\1nH0swg7.jpg
c:\documents and settings\User\Local Settings\Temporary Internet Files\246RvML.jpg
c:\documents and settings\User\Local Settings\Temporary Internet Files\7G6yPe7O.jpg
c:\documents and settings\User\Local Settings\Temporary Internet Files\C1Tck0l1.jpg
c:\documents and settings\User\Local Settings\Temporary Internet Files\Idq243.jpg
c:\documents and settings\User\Local Settings\Temporary Internet Files\Jekyd.jpg
c:\documents and settings\User\Local Settings\Temporary Internet Files\n203O.jpg
c:\documents and settings\User\Local Settings\Temporary Internet Files\ylJmq.jpg
c:\fraps\FRAPS INFO\FRAPS .EXE
c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe
c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
c:\program files\Adobe\acrotray .exe
c:\program files\Adobe\Adobe Bridge CS4\Bridge.exe
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
c:\program files\Common Files\InstallShield\UpdateService\issch.exe
c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\wmpscfgs.exe
c:\program files\Java\jre6\bin\jusched.exe
c:\program files\quicktime\qttask .exe
c:\program files\Windows Defender\MSASCui.exe
C:\Thumbs.db
c:\windows\system32\ctfmon .exe
c:\windows\system32\net.net
c:\windows\system32\OLD51F.tmp
c:\windows\system32\spool\prtprocs\w32x86\00007d96.tmp
c:\windows\system32\VB6KO.DLL
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
c:\windows\xbeloa .exe
c:\windows\xbeloa.exe

Infected copy of c:\windows\system32\drivers\rdpcdd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-03-17 to 2010-04-17 )))))))))))))))))))))))))))))))
.

2010-04-17 19:47 . 2010-04-17 19:53 -------- d-----w- C:\Combo-Fix
2010-04-17 19:06 . 2010-04-17 19:06 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-17 19:05 . 2010-04-17 19:05 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\avG
2010-04-17 19:05 . 2010-04-17 19:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-17 19:04 . 2010-04-17 19:06 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-17 19:01 . 2010-04-17 19:01 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-04-17 15:38 . 2010-04-17 19:32 -------- d-----w- C:\geek police stuff
2010-04-17 01:31 . 2010-04-17 01:31 4 ----a-w- c:\program files\6413406.dat
2010-04-17 01:31 . 2010-04-17 01:31 4 ----a-w- c:\program files\6413296.dat
2010-04-17 01:31 . 2010-04-17 01:31 4 ----a-w- c:\program files\6413203.dat
2010-04-17 01:31 . 2010-04-17 01:31 4 ----a-w- c:\program files\6413031.dat
2010-04-16 23:24 . 2010-04-16 23:24 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\avG
2010-04-16 23:24 . 2010-04-16 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-14 23:25 . 2010-03-26 14:33 1496064 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-04-14 23:25 . 2010-03-26 14:33 43008 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-04-14 23:25 . 2010-03-26 14:33 339456 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-04-14 23:25 . 2010-03-26 14:32 346112 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-04-14 13:48 . 2010-04-14 13:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-04-11 19:46 . 2010-04-11 19:46 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-04-11 19:46 . 2010-04-11 19:47 -------- d-----w- c:\program files\Google
2010-04-10 20:12 . 2001-08-18 02:36 110621 -c--a-w- c:\windows\system32\dllcache\digirlpt.dll
2010-04-10 20:12 . 2001-08-18 02:36 110621 ----a-w- c:\windows\system32\digirlpt.dll
2010-04-10 20:12 . 2001-08-17 16:17 42432 -c--a-w- c:\windows\system32\dllcache\digirlpt.sys
2010-04-10 20:12 . 2001-08-17 16:17 42432 ----a-w- c:\windows\system32\drivers\digirlpt.sys
2010-04-07 19:05 . 2010-04-07 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-04-06 20:59 . 2010-04-17 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-03-27 18:29 . 2010-03-27 18:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-03-24 08:04 . 2010-03-24 18:17 952768 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Acrobat\9.3\ARM\32088\AdobeARM.exe
2010-03-24 08:04 . 2010-03-24 18:17 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Acrobat\9.3\ARM\32088\AdobeExtractFiles.dll
2010-03-24 08:04 . 2010-03-24 18:17 326056 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Acrobat\9.3\ARM\32088\ReaderUpdater.exe
2010-03-24 08:04 . 2010-03-24 18:17 326056 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Acrobat\9.3\ARM\32088\AcrobatUpdater.exe
2010-03-23 14:30 . 2010-04-17 20:26 -------- d-----w- c:\program files\QuickTime
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\program files\Common Files\Apple
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Apple
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\program files\Apple Software Update
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-17 20:26 . 2009-05-23 01:43 -------- d-----w- c:\program files\Windows Defender
2010-04-17 20:07 . 2004-08-04 12:00 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
2010-04-17 20:03 . 2009-05-25 02:15 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-16 23:33 . 2009-07-07 02:02 -------- d-----w- c:\documents and settings\User\Application Data\Skype
2010-04-16 20:09 . 2009-07-07 02:12 -------- d-----w- c:\documents and settings\User\Application Data\skypePM
2010-04-16 14:19 . 2009-05-25 02:32 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-04-16 14:19 . 2009-05-25 02:32 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-04-06 21:01 . 2009-05-23 01:31 -------- d-----w- c:\program files\Alwil Software
2010-03-20 20:46 . 2009-05-24 23:42 5018 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-03-19 14:27 . 2009-05-23 01:25 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-17 05:31 . 2010-03-17 05:31 -------- d-----w- c:\documents and settings\User\Application Data\CyberLink
2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 14:16 . 2009-10-02 17:20 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 13:11 . 2004-08-04 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 03:12 . 2009-05-25 01:40 -------- d-----w- c:\documents and settings\User\Application Data\SoapMakerData
2010-02-23 03:12 . 2010-02-23 03:12 -------- d-----w- c:\program files\SoapMaker3
2010-02-16 14:08 . 2004-08-04 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-04 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2009-05-20 03:49 . 2009-05-24 23:15 306 ----a-w- c:\program files\Shortcut to My Documents.lnk
2004-07-06 17:54 . 2007-05-22 20:10 1241088 ----a-w- c:\program files\PGE_PlugIn.8bf
1998-05-31 04:00 . 1998-05-31 04:00 295696 ----a-w- c:\program files\Common Files\MSJTOR35.DLL
2009-05-24 23:42 . 2009-05-24 23:42 88 --sh--r- c:\windows\system32\16071871B6.sys
.
c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl .exe
c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray .exe
c:\program files\Adobe\Adobe Bridge CS4\bridge .exe
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Common Files\Adobe\CS4ServiceManager\cs4servicemanager .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\QuickTime\qttask            .exe
c:\program files\QuickTime\qttask          .exe
c:\program files\QuickTime\qttask          .exe
c:\program files\QuickTime\qttask        .exe
c:\program files\QuickTime\qttask        .exe
c:\program files\QuickTime\qttask      .exe
c:\program files\QuickTime\qttask      .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Windows Defender\msascui .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeBridge"="c:\program files\Adobe\Adobe Bridge CS4\Bridge.exe" [N/A]
"Google Update"="c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [N/A]
"QZAIB7KITK"="c:\windows\Xbeloa.exe" [N/A]
"Fraps"="c:\fraps\FRAPS INFO\FRAPS .EXE" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [N/A]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [N/A]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [N/A]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [N/A]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [N/A]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [N/A]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [N/A]
"Adobe_ID0ENQBO"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [N/A]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [N/A]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [N/A]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 12:03 PM 169312]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/11/2010 3:46 PM 136176]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 284016]
S3 DIGIRPS;Digi PortServer Driver;c:\windows\system32\drivers\digirlpt.sys [4/10/2010 4:12 PM 42432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-04-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-04-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 19:46]

2010-04-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 19:46]

2010-04-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - component: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\User\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nphssb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
AddRemove-Fraps - c:\fraps\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-04-17 16:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x89A26AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74a0852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
NDIS: Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller -> SendCompleteHandler -> NDIS.sys @ 0xf7439bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7446a21
SendHandler -> NDIS.sys @ 0xf742487b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(736)
c:\windows\system32\WININET.dll
.
Completion time: 2010-04-17 16:32:59
ComboFix-quarantined-files.txt 2010-04-17 20:32

Pre-Run: 88,950,419,456 bytes free
Post-Run: 99,163,426,816 bytes free

- - End Of File - - 9C899A1AC564439D1F3E21E07110ED83

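The ComboFix log above contains several indicators that are worth recognising independently of any one tool: copies of core Windows process names (csrss.exe, lsass.exe, services.exe, svchost.exe) sitting in a user's Temp folder, executables whose name carries whitespace before .exe next to the real binary (qttask .exe, acrotray .exe, xbeloa .exe beside xbeloa.exe), Run-key values pointing at those files, and the Security Center and firewall overrides (AntiVirusOverride, FirewallOverride, EnableFirewall=0, DisableNotifications=1) that silence the built-in warnings. The OTL listing later in the thread adds one more: At1.job through At24.job, all 380 bytes and created in the same second. The script below is an added example and is not part of this thread, ComboFix or OTL; it pulls those indicators out of a pasted log. The sample lines are a constructed subset copied from the logs in this thread; the finding names, the list of core process names and the threshold of three At*.job tasks are assumptions of this example.

```python
import re
from collections import defaultdict

# Windows starts these only from %SystemRoot%\system32; a copy in a user's Temp
# folder is the impostor pattern seen in the ComboFix "Other Deletions" list.
CORE_PROCESS_NAMES = {"csrss.exe", "lsass.exe", "services.exe", "svchost.exe",
                      "smss.exe", "winlogon.exe"}
# Security Center / firewall values and the setting that means "protection off".
PROTECTION_OFF = {"antivirusoverride": 1, "firewalloverride": 1,
                  "enablefirewall": 0, "disablenotifications": 1}
AT_JOB_THRESHOLD = 3   # assumption: this many At*.job tasks counts as a burst

PATH = re.compile(r'[a-z]:\\[^"\[\]\r\n]+?\.(?:exe|job)', re.IGNORECASE)
SPACE_BEFORE_EXT = re.compile(r"\S\s+\.exe$", re.IGNORECASE)     # "qttask .exe"
AT_JOB = re.compile(r"\\tasks\\at\d+\.job$", re.IGNORECASE)        # At1.job ... At24.job
REG_DWORD = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?:dword:)?(?P<val>[0-9a-f]+)\b',
                       re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def canonical(path):
    """Map 'dir\\qttask   .exe' and 'dir\\QTTask.exe' onto one key so pairs can be found."""
    return re.sub(r"\s+", "", path).lower()


def analyze_path(path):
    """Tags for a single path; empty list means nothing noteworthy."""
    tags = []
    name = basename(path)
    if SPACE_BEFORE_EXT.search(name):
        tags.append("whitespace before .exe")
    if name.lower() in CORE_PROCESS_NAMES and "\\system32\\" not in path.lower():
        tags.append("core process name outside system32")
    if AT_JOB.search(path):
        tags.append("At*.job scheduled task")
    return tags


def triage(lines):
    """Return {finding: [offending log lines]} for a ComboFix/OTL-style listing."""
    findings = defaultdict(list)
    by_key = defaultdict(set)
    for raw in lines:
        line = raw.strip()
        m = REG_DWORD.match(line)
        if m:
            name = m.group("name").lower()
            if name in PROTECTION_OFF and int(m.group("val"), 16) == PROTECTION_OFF[name]:
                findings["protection disabled in registry"].append(line)
        for pm in PATH.finditer(line):   # raw paths, Run-key targets and OTL entries alike
            path = pm.group(0)
            by_key[canonical(path)].add(path)
            for tag in analyze_path(path):
                findings[tag].append(line)
    # A spaced name is only meaningful next to the binary it shadows: report the pair.
    for paths in by_key.values():
        spaced = sorted(p for p in paths if SPACE_BEFORE_EXT.search(basename(p)))
        plain = sorted(p for p in paths if not SPACE_BEFORE_EXT.search(basename(p)))
        if spaced and plain:
            findings["companion pair"].append((plain[0], spaced[0]))
    at_jobs = findings.get("At*.job scheduled task", [])
    if len(at_jobs) >= AT_JOB_THRESHOLD:
        findings["At*.job burst"].append(f"{len(at_jobs)} At*.job tasks in listing")
    return dict(findings)


# Constructed sample: a subset of lines copied from the logs posted in this thread.
SAMPLE_LISTING = [
    r"c:\docume~1\User\LOCALS~1\Temp\csrss.exe",
    r"c:\docume~1\User\LOCALS~1\Temp\svchost.exe",
    r"c:\program files\quicktime\qttask .exe",
    r"c:\windows\xbeloa .exe",
    r"c:\windows\xbeloa.exe",
    r"c:\windows\system32\ctfmon .exe",
    r"c:\program files\Java\jre6\bin\jusched.exe",
    r'"QZAIB7KITK"="c:\windows\Xbeloa.exe" [N/A]',
    r'"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]',
    r'"AntiVirusOverride"=dword:00000001',
    r'"FirewallOverride"=dword:00000001',
    r'"EnableFirewall"= 0 (0x0)',
    r'"DisableNotifications"= 1 (0x1)',
    r'"5353:TCP"= 5353:TCP:Adobe CSI CS4',
    r"[2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At9.job",
    r"[2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At8.job",
    r"[2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At7.job",
    r"[2010/04/10 14:29:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job",
]

if __name__ == "__main__":
    for finding, hits in triage(SAMPLE_LISTING).items():
        print(f"{finding}: {len(hits)}")
        for hit in hits:
            print("   ", hit)
```

Feed it a whole saved log (`triage(open("combofix.txt").read().splitlines())`) rather than hand-picked lines; the pair check is the useful part, because a clean install never contains both `name.exe` and `name .exe` in the same folder, whichever of the two the infection dropped.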

Re: Computer hijacked

Post by Belahzur on Sat Apr 17, 2010 8:54 pm

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.



Re: Computer hijacked

Post by AngelsElf on Sat Apr 17, 2010 11:22 pm

I am not sure I was able to get all of what you need. This program shut down a few times. I had the most success after I had renamed the file. This was the last error message:

Generic Host Process for Win32 Services

This is what I was able to get; I hope it helps.

GMER 1.0.15.15281 - [You must be registered and logged in to see this link.]
Rootkit scan 2010-04-17 17:43:23
Windows 5.1.2600 Service Pack 3
Running: hsq5d7tt.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\kxeyraoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB9787000, 0x1C5D58, 0xE8000020]
.rsrc C:\WINDOWS\System32\DRIVERS\RDPCDD.sys entry point in ".rsrc" section [0xF79CDC14]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[256] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[256] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C0000A
.text C:\WINDOWS\Explorer.EXE[256] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C
.text C:\WINDOWS\System32\svchost.exe[1204] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
.text C:\WINDOWS\System32\svchost.exe[1204] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1204] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C
.text C:\WINDOWS\system32\wuauclt.exe[2272] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
.text C:\WINDOWS\system32\wuauclt.exe[2272] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:\WINDOWS\system32\wuauclt.exe[2272] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[4000] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0139000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[4000] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 013A000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[4000] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0138000C

---- Devices - GMER 1.0.15 ----

Device -> \Driver\atapi \Device\Harddisk0\DR0 89A09AC8


Re: Computer hijacked

Post by Belahzur on Sat Apr 17, 2010 11:33 pm

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    /md5start
    rdpcdd.sys
    atapi.sys
    /md5stop


  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the pink Quick Scan button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe


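GMER's line `RDPCDD.sys entry point in ".rsrc" section` in the post before last and the `/md5start ... /md5stop` request above are two views of the same check. A driver as shipped by Microsoft starts executing in a code section, so an AddressOfEntryPoint that resolves into the resource section is a strong sign the file on disk has been patched, and the MD5 lets you compare that file against a known-clean copy (the one under dllcache or on install media). The code below is an added example and is not GMER, OTL or ComboFix code: it parses the PE headers with the standard library only, reports which section holds the entry point, and hashes the bytes. So that it runs without a real driver it builds two constructed in-memory images, one clean and one with the entry point moved into `.rsrc`; `check_file()` reads a real file the same way. The list of data-section names it treats as never legitimate is an assumption of this example, and no known-good hash values are included because the thread does not show any.

```python
import hashlib
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
SECTION_FMT = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes
# Sections that should never hold a driver's entry point (assumption of this example;
# kept short on purpose, since drivers legitimately start in INIT).
DATA_SECTIONS = {".rsrc", ".reloc", ".data", ".rdata", ".idata", ".edata"}


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) for a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, *_rest, chars = struct.unpack_from(
            SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "size": max(vsize, rawsize), "chars": chars})
    return entry_rva, sections


def check_entry_point(data):
    """Locate the section containing the entry point and judge whether that is plausible."""
    entry_rva, sections = parse_pe(data)
    home = next((s for s in sections if s["va"] <= entry_rva < s["va"] + s["size"]), None)
    verdict = {"entry_rva": entry_rva, "section": home["name"] if home else None,
               "md5": hashlib.md5(data).hexdigest(), "suspicious": False, "reason": "ok"}
    if home is None:
        verdict.update(suspicious=True, reason="entry point outside every section")
    elif home["name"].lower() in DATA_SECTIONS:
        verdict.update(suspicious=True, reason="entry point in data section " + home["name"])
    elif not home["chars"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
        verdict.update(suspicious=True,
                       reason="entry section " + home["name"] + " is not marked code/executable")
    return verdict


def check_file(path):
    """Same check against a file on disk, e.g. C:\\WINDOWS\\system32\\drivers\\rdpcdd.sys."""
    with open(path, "rb") as fh:
        return check_entry_point(fh.read())


def build_pe(entry_rva, sections, file_align=0x200):
    """Constructed minimal PE32 image for testing; sections = [(name, rva, size, flags)]."""
    opt_size = 224
    headers = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    raw_base = -(-headers // file_align) * file_align      # round up to file alignment
    img = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", img, 0x3C, 0x40)                # e_lfanew
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    img += opt
    body = bytearray()
    for name, rva, size, flags in sections:
        img += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), size, rva, size,
                           raw_base + len(body), 0, 0, 0, 0, flags)
        body += b"\xCC" * size
    img += b"\0" * (raw_base - len(img))
    return bytes(img + body)


# .text is CODE|EXECUTE|READ, .rsrc is INITIALIZED_DATA|READ, as in a normally built driver.
LAYOUT = [(b".text", 0x1000, 0x200, 0x60000020), (b".rsrc", 0x2000, 0x200, 0x40000040)]
CLEAN_IMAGE = build_pe(0x1000, LAYOUT)     # entry point at the start of .text
PATCHED_IMAGE = build_pe(0x2010, LAYOUT)   # entry point redirected into .rsrc

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_IMAGE), ("patched", PATCHED_IMAGE)):
        print(label, check_entry_point(image))
```

On the real machine the interesting call is `check_file(r"C:\WINDOWS\system32\drivers\rdpcdd.sys")`; compare its `md5` with the copy in `C:\WINDOWS\system32\dllcache` or from the SP3 media, and treat a `.rsrc` verdict as a patched driver even if the hashes happen to be missing.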

Re: Computer hijacked

Post by AngelsElf on Sat Apr 17, 2010 11:40 pm

Ummm, what is OTL.exe, and where can I find it?


Re: Computer hijacked

Post by Belahzur on Sat Apr 17, 2010 11:42 pm

It should be located here from what I can see:
C:\Documents and Settings\User\My Documents\Downloads\OTL.exe



Re: Computer hijacked

Post by AngelsElf on Sat Apr 17, 2010 11:47 pm

[2010/04/14 03:02:56 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/10 14:29:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/17 17:18:58 | 000,000,004 | ---- | C] () -- C:\Program Files\42156.dat
[2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At9.job
[2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At8.job
[2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At7.job
[2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At6.job
[2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At5.job
[2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At4.job
[2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At3.job
[2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At24.job
[2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At23.job
[2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At22.job
[2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At21.job
[2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At20.job
[2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At2.job
[2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At19.job
[2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At18.job
[2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At17.job
[2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At16.job
[2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At15.job
[2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At14.job
[2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At13.job
[2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At12.job
[2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At11.job
[2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At10.job
[2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At1.job
[2010/04/17 17:12:58 | 000,031,232 | ---- | C] () -- C:\WINDOWS\xbeloa.exe
[2010/04/17 17:12:58 | 000,031,232 | ---- | C] () -- C:\WINDOWS\xbeloa .exe
[2010/04/17 16:34:57 | 000,008,704 | -HS- | C] () -- C:\Program Files\Thumbs.db
[2010/04/17 15:53:32 | 000,000,210 | ---- | C] () -- C:\Boot.bak
[2010/04/17 15:53:29 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/04/17 15:47:55 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/04/17 15:47:55 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/17 15:47:55 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/04/17 15:47:55 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/04/17 15:47:55 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/04/17 15:06:02 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/04/17 15:04:57 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/16 21:31:15 | 000,000,004 | ---- | C] () -- C:\Program Files\6413406.dat
[2010/04/16 21:31:15 | 000,000,004 | ---- | C] () -- C:\Program Files\6413296.dat
[2010/04/16 21:31:15 | 000,000,004 | ---- | C] () -- C:\Program Files\6413203.dat
[2010/04/16 21:31:15 | 000,000,004 | ---- | C] () -- C:\Program Files\6413031.dat
[2010/04/16 19:47:38 | 000,009,578 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3040322509
[2010/04/16 19:47:38 | 000,009,574 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\3040322509
[2010/04/16 19:22:01 | 000,009,732 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\B8u2j7
[2010/04/16 19:22:01 | 000,009,732 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\B8u2j7
[2010/04/16 19:16:32 | 000,001,268 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\IGI4W75
[2010/04/16 19:16:32 | 000,001,268 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\IGI4W75
[2010/04/11 15:46:12 | 000,000,882 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/11 15:46:12 | 000,000,878 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2009/07/29 13:28:40 | 000,000,070 | ---- | C] () -- C:\WINDOWS\polite.ini
[2009/07/07 19:13:11 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/07/07 19:13:10 | 000,009,216 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/06/10 21:49:38 | 000,000,120 | ---- | C] () -- C:\WINDOWS\WINRESAZ.INI
[2009/06/10 20:51:16 | 000,000,151 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/05/24 22:32:27 | 000,002,516 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
[2009/05/24 22:32:27 | 000,000,008 | RHS- | C] () -- C:\Documents and Settings\All Users\Application Data\16071871B6.sys
[2009/05/24 19:42:36 | 000,005,018 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2009/05/24 19:42:36 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\16071871B6.sys
[2009/05/24 19:15:32 | 000,000,306 | ---- | C] () -- C:\Program Files\Shortcut to My Documents.lnk
[2009/05/22 21:47:28 | 000,000,000 | ---- | C] () -- C:\WINDOWS\lgfwup.ini
[2009/05/22 21:29:30 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/05/22 19:00:48 | 000,024,423 | ---- | C] () -- C:\Documents and Settings\User\CCCInstall_200905221900489687.log
[2009/05/22 15:26:41 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\User\ntuser.ini
[2009/05/22 15:26:40 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\User\ntuser.dat.LOG
[2009/05/22 15:26:39 | 006,291,456 | -H-- | C] () -- C:\Documents and Settings\User\NTUSER.DAT
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2010/04/16 21:29:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/04/16 19:24:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avG
[2009/08/21 12:51:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\espionServerData
[2010/04/17 19:39:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/05/25 10:02:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2009/05/25 10:07:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZipEC
[2009/05/25 10:08:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZipSE
[2010/02/22 23:12:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\SoapMakerData
[2010/04/17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At1.job
[2010/04/17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At10.job
[2010/04/17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At11.job
[2010/04/17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At12.job
[2010/04/17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At13.job
[2010/04/17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At14.job
[2010/04/17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At15.job
[2010/04/17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At16.job
[2010/04/17 19:37:55 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At17.job
[2010/04/17 19:37:55 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At18.job
[2010/04/17 19:37:55 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At19.job
[2010/04/17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At2.job
[2010/04/17 19:37:55 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At20.job
[2010/04/17 19:37:55 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At21.job
[2010/04/17 19:37:55 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At22.job
[2010/04/17 19:37:55 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At23.job
[2010/04/17 19:37:55 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At24.job
[2010/04/17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At3.job
[2010/04/17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At4.job
[2010/04/17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At5.job
[2010/04/17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At6.job
[2010/04/17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At7.job
[2010/04/17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At8.job
[2010/04/17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At9.job
[2010/04/17 19:39:08 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

========== Purity Check ==========


Re: Computer hijacked

Post by AngelsElf on Sat Apr 17, 2010 11:54 pm

========== Custom Scans ==========


< OTL logfile created on: 4/17/2010 7:45:08 PM - Run 2 >
Invalid Switch: 2010 7:45:08 PM - Run 2

~[Filtered]~

< Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation >

< Internet Explorer (Version = 8.0.6001.18702) >

< Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy >
Invalid Switch: yyyy


< >

< 3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 82.00% Memory free >

< 6.00 Gb Paging File | 6.00 Gb Available in Paging File | 92.00% Paging File free >

< Paging file location(s): C:\pagefile.sys 3072 4092 [binary data] >

< >

< %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files >

< Drive C: | 149.04 Gb Total Space | 92.40 Gb Free Space | 61.99% Space Free | Partition Type: NTFS >

< D: Drive not present or media not loaded >

< E: Drive not present or media not loaded >

< F: Drive not present or media not loaded >

< G: Drive not present or media not loaded >

< H: Drive not present or media not loaded >

< I: Drive not present or media not loaded >

< Drive K: | 244.48 Mb Total Space | 244.48 Mb Free Space | 100.00% Space Free | Partition Type: FAT >

< >

< Computer Name: ADMIN-42AEEB16E >

< Current User Name: User >

< Logged in as Administrator. >

< >

< Current Boot Mode: Normal >

< Scan Mode: Current user >

< Company Name Whitelist: Off >

< Skip Microsoft Files: Off >

< File Age = 30 Days >

< Output = Standard >

< >

< ========== Processes (SafeList) ========== >
Invalid Switch: color]


< >

< PRC - [2010/04/17 17:13:00 | 000,031,232 | ---- | M] () -- C:\Program Files\Windows Defender\msascui.exe >
Invalid Switch: 17 17:13:00 | 000,031,232 | ---- | M] () -- C:\Program Files\Windows Defender\msascui.exe


< PRC - [2010/04/17 11:23:57 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\My Documents\Downloads\OTL.exe >
Invalid Switch: 17 11:23:57 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\My Documents\Downloads\OTL.exe


< PRC - [2010/04/02 10:06:20 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe >
Invalid Switch: 02 10:06:20 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe


< PRC - [2010/03/24 14:17:47 | 000,952,768 | ---- | M] (Adobe Systems Incorporated) -- c:\Program Files\Common Files\Adobe\ARM\1.0\adobearm .exe >
Invalid Switch: 24 14:17:47 | 000,952,768 | ---- | M] (Adobe Systems Incorporated) -- c:\Program Files\Common Files\Adobe\ARM\1.0\adobearm .exe


< PRC - [2009/12/21 18:35:18 | 000,640,440 | ---- | M] (Adobe Systems Inc.) -- c:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray .exe >
Invalid Switch: 21 18:35:18 | 000,640,440 | ---- | M] (Adobe Systems Inc.) -- c:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray .exe


< PRC - [2009/10/15 17:29:52 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- c:\Program Files\Java\jre6\bin\jusched .exe >
Invalid Switch: 15 17:29:52 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- c:\Program Files\Java\jre6\bin\jusched .exe


< PRC - [2008/09/16 12:03:18 | 000,169,312 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe >
Invalid Switch: 16 12:03:18 | 000,169,312 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe


< PRC - [2008/08/28 19:34:14 | 013,145,448 | ---- | M] (Adobe Systems, Inc.) -- c:\Program Files\Adobe\Adobe Bridge CS4\bridge .exe >
Invalid Switch: 28 19:34:14 | 013,145,448 | ---- | M] (Adobe Systems, Inc.) -- c:\Program Files\Adobe\Adobe Bridge CS4\bridge .exe


< PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe >
Invalid Switch: 14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


< PRC - [2007/07/24 11:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) -- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe >
Invalid Switch: 24 11:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) -- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe


< PRC - [2007/06/05 13:20:32 | 000,177,704 | ---- | M] () -- C:\WINDOWS\system32\PSIService.exe >
Invalid Switch: 05 13:20:32 | 000,177,704 | ---- | M] () -- C:\WINDOWS\system32\PSIService.exe


< PRC - [2006/11/03 19:20:12 | 000,866,584 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Windows Defender\msascui .exe >
Invalid Switch: 03 19:20:12 | 000,866,584 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Windows Defender\msascui .exe


< PRC - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe >
Invalid Switch: 03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe


< PRC - [2004/06/16 06:03:04 | 000,081,920 | ---- | M] (InstallShield Software Corporation) -- c:\Program Files\Common Files\InstallShield\UpdateService\issch .exe >
Invalid Switch: 16 06:03:04 | 000,081,920 | ---- | M] (InstallShield Software Corporation) -- c:\Program Files\Common Files\InstallShield\UpdateService\issch .exe


< >

< >

< ========== Modules (SafeList) ========== >
Invalid Switch: color]


< >

< MOD - [2010/04/17 11:23:57 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\My Documents\Downloads\OTL.exe >
Invalid Switch: 17 11:23:57 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\My Documents\Downloads\OTL.exe


< >

< >

< ========== Win32 Services (SafeList) ========== >
Invalid Switch: color]


< >

< SRV - [2009/10/06 12:03:28 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service) >
Invalid Switch: 06 12:03:28 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)


< SRV - [2008/09/16 12:03:18 | 000,169,312 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor7.0) >
Invalid Switch: 16 12:03:18 | 000,169,312 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor7.0)


< SRV - [2008/08/15 05:46:20 | 000,284,016 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe -- (Adobe Version Cue CS4) >
Invalid Switch: 15 05:46:20 | 000,284,016 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe -- (Adobe Version Cue CS4)


< SRV - [2007/07/24 11:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) [Auto | Running] -- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe -- (PSI_SVC_2) >
Invalid Switch: 24 11:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) [Auto | Running] -- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe -- (PSI_SVC_2)


< SRV - [2007/06/05 13:20:32 | 000,177,704 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\PSIService.exe -- (ProtexisLicensing) >
Invalid Switch: 05 13:20:32 | 000,177,704 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\PSIService.exe -- (ProtexisLicensing)


< SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend) >
Invalid Switch: 03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)


< >

< >

< ========== Driver Services (SafeList) ========== >
Invalid Switch: color]


< >

< DRV - [2009/02/25 18:58:57 | 003,565,568 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag) >
Invalid Switch: 25 18:58:57 | 003,565,568 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)


< DRV - [2008/08/14 07:57:42 | 000,074,720 | ---- | M] (Adobe Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\adfs.sys -- (adfs) >
Invalid Switch: 14 07:57:42 | 000,074,720 | ---- | M] (Adobe Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\adfs.sys -- (adfs)


< DRV - [2008/04/14 00:15:30 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum) >
Invalid Switch: 14 00:15:30 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)


< DRV - [2008/04/14 00:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM) >
Invalid Switch: 14 00:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)


< DRV - [2008/04/13 22:06:06 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus) >
Invalid Switch: 13 22:06:06 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)


< DRV - [2007/12/06 09:51:00 | 000,285,952 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp) >
Invalid Switch: 06 09:51:00 | 000,285,952 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)


< DRV - [2007/07/16 11:29:34 | 000,017,432 | R--- | M] (Hewlett Packard) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hpfxbulk.sys -- (HPFXBULK) >
Invalid Switch: 16 11:29:34 | 000,017,432 | R--- | M] (Hewlett Packard) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hpfxbulk.sys -- (HPFXBULK)


< DRV - [2005/09/23 18:56:28 | 003,966,976 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM) >
Invalid Switch: 23 18:56:28 | 003,966,976 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)


< DRV - [2001/08/17 12:17:44 | 000,042,432 | ---- | M] (Digi International, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\digirlpt.sys -- (DIGIRPS) >
Invalid Switch: 17 12:17:44 | 000,042,432 | ---- | M] (Digi International, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\digirlpt.sys -- (DIGIRPS)


< DRV - [2001/08/17 10:00:04 | 000,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401) >
Invalid Switch: 17 10:00:04 | 000,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401)


< >

< >

< ========== Standard Registry (SafeList) ========== >
Invalid Switch: color]


< >

< >

< ========== Internet Explorer ========== >
Invalid Switch: color]


< >

< >

< IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.] >
Invalid Switch:


< IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 >

< >

< ========== FireFox ========== >
Invalid Switch: color]


< >

< FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search" >

< FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=" >

< FF - prefs.js..browser.search.selectedEngine: "Yahoo! Search" >

< FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0 >

< >

< FF - HKLM\software\mozilla\Firefox\Extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}: C:\Documents and Settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c} [2009/07/14 00:02:02 | 000,000,000 | ---D | M] >
Invalid Switch: 14 00:02:02 | 000,000,000 | ---D | M]


< FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/14 15:42:28 | 000,000,000 | ---D | M] >
Invalid Switch: 14 15:42:28 | 000,000,000 | ---D | M]


< FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/07 15:05:29 | 000,000,000 | ---D | M] >
Invalid Switch: 07 15:05:29 | 000,000,000 | ---D | M]


< >

< [2009/05/24 18:51:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions >
Invalid Switch: 24 18:51:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions


< [2010/04/17 11:42:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions >
Invalid Switch: 17 11:42:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions


< [2009/07/05 22:30:15 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{20a82645-c095-46ed-80e3-08825760534b} >
Invalid Switch: 05 22:30:15 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}


< [2010/04/14 19:25:50 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c} >
Invalid Switch: 14 19:25:50 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}


< [2010/04/17 11:42:24 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions >
Invalid Switch: 17 11:42:24 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions


< [2009/08/11 15:54:00 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\browserhighlighter@ebay.com >
Invalid Switch: 11 15:54:00 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\browserhighlighter@ebay.com


< [2009/07/26 18:10:37 | 000,036,864 | ---- | M] (Homestead Technologies, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nphssb.dll >
Invalid Switch: 26 18:10:37 | 000,036,864 | ---- | M] (Homestead Technologies, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nphssb.dll


< >

< O1 HOSTS File: ([2004/08/04 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts >
Invalid Switch: 04 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts


< O1 - Hosts: 127.0.0.1 localhost >

< O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll () >
Invalid Switch: contributeieplugin.dll ()


< O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated) >

< O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated) >

< O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated) >

< O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll () >
Invalid Switch: contributeieplugin.dll ()


< O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated) >

< O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe () >

< O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe () >

< O4 - HKLM..\Run: [Adobe_ID0ENQBO] C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\versio~2 .exe () >

< O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe () >

< O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe () >

< O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe () >

< O4 - HKLM..\Run: [QuickTime Task] c:\program files\quicktime\qttask .exe () >

< O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe () >

< O4 - HKCU..\Run: [AdobeBridge] C:\Program Files\Adobe\Adobe Bridge CS4\Bridge.exe () >

< O4 - HKCU..\Run: [Fraps] C:\Fraps\Fraps INfo\fraps .exe () >

< O4 - HKCU..\Run: [QZAIB7KITK] C:\WINDOWS\xbeloa.exe () >

< O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 >

< O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 >

< O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 >

< O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 >

< O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present >

< O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 >

< O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 >

< O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 >

< O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated) >

< O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated) >

< O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated) >

< O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated) >

< O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} [You must be registered and logged in to see this link.] (asusTek_sysctrl Class) >
Invalid Switch: asusTek_sys_ctrl.cab (asusTek_sysctrl Class)


< O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_16) >
Invalid Switch: jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)


< O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_16) >
Invalid Switch: jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)


< O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_16) >
Invalid Switch: jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)


< O16 - DPF: Microsoft XML Parser for Java [You must be registered and logged in to see this link.] (Reg Error: Key error.) >
Invalid Switch: xmldso.cab (Reg Error: Key error.)


< O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254 >

< O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies) >

< O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) >

< O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.) >

< O24 - Desktop WallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp >

< O24 - Desktop BackupWallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp >

< O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation) >

< O32 - HKLM CDRom: AutoRun - 1 >

< O32 - AutoRun File - [2009/05/22 15:22:37 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] >
Invalid Switch: 22 15:22:37 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]


< O34 - HKLM BootExecute: (autocheck autochk *) - File not found >

< O35 - HKLM\..comfile [open] -- "%1" %* >

< O35 - HKLM\..exefile [open] -- "%1" %* >

< O37 - HKLM\...com [@ = ComFile] -- "%1" %* >

< O37 - HKLM\...exe [@ = exefile] -- "%1" %* >

< O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found >

< >

< ========== Files/Folders - Created Within 30 Days ========== >
Invalid Switch: color]


< >

< [2010/04/17 18:02:08 | 000,000,000 | -HSD | C] -- C:\RECYCLER >
Invalid Switch: 17 18:02:08 | 000,000,000 | -HSD | C] -- C:\RECYCLER


< [2010/04/17 17:38:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump >
Invalid Switch: 17 17:38:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump


< [2010/04/17 15:53:26 | 000,000,000 | RHSD | C] -- C:\cmdcons >
Invalid Switch: 17 15:53:26 | 000,000,000 | RHSD | C] -- C:\cmdcons


< [2010/04/17 15:47:55 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe >
Invalid Switch: 17 15:47:55 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe


< [2010/04/17 15:47:55 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe >
Invalid Switch: 17 15:47:55 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe


< [2010/04/17 15:47:55 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe >
Invalid Switch: 17 15:47:55 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe


< [2010/04/17 15:47:55 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe >
Invalid Switch: 17 15:47:55 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe


< [2010/04/17 15:47:29 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT >
Invalid Switch: 17 15:47:29 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT


< [2010/04/17 15:47:27 | 000,000,000 | ---D | C] -- C:\Combo-Fix >
Invalid Switch: 17 15:47:27 | 000,000,000 | ---D | C] -- C:\Combo-Fix


< [2010/04/17 15:36:11 | 000,000,000 | ---D | C] -- C:\Qoobox >
Invalid Switch: 17 15:36:11 | 000,000,000 | ---D | C] -- C:\Qoobox


< [2010/04/17 15:28:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe >
Invalid Switch: 17 15:28:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe


< [2010/04/17 15:05:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft >
Invalid Switch: 17 15:05:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft


< [2010/04/17 15:05:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\avG >
Invalid Switch: 17 15:05:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\avG


< [2010/04/17 15:05:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe >
Invalid Switch: 17 15:05:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe


< [2010/04/17 15:04:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Sun >
Invalid Switch: 17 15:04:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Sun


< [2010/04/17 11:38:40 | 000,000,000 | ---D | C] -- C:\geek police stuff >
Invalid Switch: 17 11:38:40 | 000,000,000 | ---D | C] -- C:\geek police stuff


< [2010/04/16 19:24:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia >
Invalid Switch: 16 19:24:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia


< [2010/04/16 19:24:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\avG >
Invalid Switch: 16 19:24:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\avG


< [2010/04/16 19:24:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avG >
Invalid Switch: 16 19:24:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avG


< [2010/04/14 09:48:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google >
Invalid Switch: 14 09:48:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google


< [2010/04/11 16:11:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Google >
Invalid Switch: 11 16:11:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Google


< [2010/04/11 15:46:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google >
Invalid Switch: 11 15:46:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google


< [2010/04/11 15:46:09 | 000,000,000 | ---D | C] -- C:\Program Files\Google >
Invalid Switch: 11 15:46:09 | 000,000,000 | ---D | C] -- C:\Program Files\Google


< [2010/04/10 16:12:03 | 000,110,621 | ---- | C] (Digi International, Inc.) -- C:\WINDOWS\System32\dllcache\digirlpt.dll >
Invalid Switch: 10 16:12:03 | 000,110,621 | ---- | C] (Digi International, Inc.) -- C:\WINDOWS\System32\dllcache\digirlpt.dll


< [2010/04/10 16:12:03 | 000,110,621 | ---- | C] (Digi International, Inc.) -- C:\WINDOWS\System32\digirlpt.dll >
Invalid Switch: 10 16:12:03 | 000,110,621 | ---- | C] (Digi International, Inc.) -- C:\WINDOWS\System32\digirlpt.dll


< [2010/04/10 16:12:03 | 000,042,432 | ---- | C] (Digi International, Inc.) -- C:\WINDOWS\System32\drivers\digirlpt.sys >
Invalid Switch: 10 16:12:03 | 000,042,432 | ---- | C] (Digi International, Inc.) -- C:\WINDOWS\System32\drivers\digirlpt.sys


< [2010/04/10 16:12:03 | 000,042,432 | ---- | C] (Digi International, Inc.) -- C:\WINDOWS\System32\dllcache\digirlpt.sys >
Invalid Switch: 10 16:12:03 | 000,042,432 | ---- | C] (Digi International, Inc.) -- C:\WINDOWS\System32\dllcache\digirlpt.sys


< [2010/04/07 15:05:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple Computer >
Invalid Switch: 07 15:05:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple Computer


< [2010/04/06 16:59:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software >
Invalid Switch: 06 16:59:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software


< [2010/03/27 14:29:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple >
Invalid Switch: 27 14:29:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple


< [2010/03/23 10:30:03 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime >
Invalid Switch: 23 10:30:03 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime


< [2010/03/23 10:29:39 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Apple >
Invalid Switch: 23 10:29:39 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Apple


< [2010/03/23 10:29:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\Apple >
Invalid Switch: 23 10:29:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\Apple


< [2010/03/23 10:29:26 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update >
Invalid Switch: 23 10:29:26 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update


< [2010/03/23 10:29:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple >
Invalid Switch: 23 10:29:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple


< [2010/03/23 10:29:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\Apple Computer >
Invalid Switch: 23 10:29:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\Apple Computer


< [2009/10/25 22:51:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe >
Invalid Switch: 25 22:51:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe


< [2009/10/25 22:51:47 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft >
Invalid Switch: 25 22:51:47 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft


< [2009/08/03 18:35:13 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft >
Invalid Switch: 03 18:35:13 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft


< [2009/08/03 18:35:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft >
Invalid Switch: 03 18:35:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft


< [2007/05/22 16:10:37 | 001,241,088 | ---- | C] (Auto FX Software) -- C:\Program Files\PGE_PlugIn.8bf >
Invalid Switch: 22 16:10:37 | 001,241,088 | ---- | C] (Auto FX Software) -- C:\Program Files\PGE_PlugIn.8bf


< [1998/05/31 00:00:00 | 000,295,696 | ---- | C] (Microsoft Corporation) -- C:\Program Files\Common Files\MSJTOR35.DLL >
Invalid Switch: 31 00:00:00 | 000,295,696 | ---- | C] (Microsoft Corporation) -- C:\Program Files\Common Files\MSJTOR35.DLL


< [5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] >

< [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] >

< >

< ========== Files - Modified Within 30 Days ========== >
Invalid Switch: color]


< >

< [2010/04/17 19:39:08 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job >
Invalid Switch: 17 19:39:08 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job


< [2010/04/17 19:37:55 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At24.job >
Invalid Switch: 17 19:37:55 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At24.job


< [2010/04/17 19:37:55 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At23.job >
Invalid Switch: 17 19:37:55 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At23.job


< [2010/04/17 19:37:55 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At22.job >
Invalid Switch: 17 19:37:55 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At22.job


< [2010/04/17 19:37:55 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At21.job >
Invalid Switch: 17 19:37:55 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At21.job


< [2010/04/17 19:37:55 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At20.job >
Invalid Switch: 17 19:37:55 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At20.job


< [2010/04/17 19:37:55 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At19.job >
Invalid Switch: 17 19:37:55 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At19.job


< [2010/04/17 19:37:55 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At18.job >
Invalid Switch: 17 19:37:55 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At18.job


< [2010/04/17 19:37:55 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At17.job >
Invalid Switch: 17 19:37:55 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At17.job


< [2010/04/17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At9.job >
Invalid Switch: 17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At9.job


< [2010/04/17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At8.job >
Invalid Switch: 17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At8.job


< [2010/04/17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At7.job >
Invalid Switch: 17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At7.job


< [2010/04/17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At6.job >
Invalid Switch: 17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At6.job


< [2010/04/17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At5.job >
Invalid Switch: 17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At5.job


< [2010/04/17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At4.job >
Invalid Switch: 17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At4.job


< [2010/04/17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At3.job >
Invalid Switch: 17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At3.job


< [2010/04/17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At2.job >
Invalid Switch: 17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At2.job


< [2010/04/17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At16.job >
Invalid Switch: 17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At16.job


< [2010/04/17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At15.job >
Invalid Switch: 17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At15.job


< [2010/04/17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At14.job >
Invalid Switch: 17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At14.job


< [2010/04/17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At13.job >
Invalid Switch: 17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At13.job


< [2010/04/17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At12.job >
Invalid Switch: 17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At12.job


< [2010/04/17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At11.job >
Invalid Switch: 17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At11.job


< [2010/04/17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At10.job >
Invalid Switch: 17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At10.job


< [2010/04/17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At1.job >
Invalid Switch: 17 19:37:54 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At1.job


< [2010/04/17 19:37:37 | 000,031,232 | ---- | M] () -- C:\WINDOWS\xbeloa.exe >
Invalid Switch: 17 19:37:37 | 000,031,232 | ---- | M] () -- C:\WINDOWS\xbeloa.exe


< [2010/04/17 19:36:22 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl >
Invalid Switch: 17 19:36:22 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl


< [2010/04/17 19:36:11 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job >
Invalid Switch: 17 19:36:11 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job


< [2010/04/17 19:36:05 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT >
Invalid Switch: 17 19:36:05 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT


< [2010/04/17 19:36:01 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat >
Invalid Switch: 17 19:36:01 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat


< [2010/04/17 19:11:24 | 006,291,456 | -H-- | M] () -- C:\Documents and Settings\User\NTUSER.DAT >
Invalid Switch: 17 19:11:24 | 006,291,456 | -H-- | M] () -- C:\Documents and Settings\User\NTUSER.DAT


< [2010/04/17 19:11:24 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\User\ntuser.ini >
Invalid Switch: 17 19:11:24 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\User\ntuser.ini


< [2010/04/17 18:51:06 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job >
Invalid Switch: 17 18:51:06 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job


< [2010/04/17 17:18:58 | 000,000,004 | ---- | M] () -- C:\Program Files\42156.dat >
Invalid Switch: 17 17:18:58 | 000,000,004 | ---- | M] () -- C:\Program Files\42156.dat


< [2010/04/17 17:12:58 | 000,031,232 | ---- | M] () -- C:\WINDOWS\xbeloa .exe >
Invalid Switch: 17 17:12:58 | 000,031,232 | ---- | M] () -- C:\WINDOWS\xbeloa .exe


< [2010/04/17 16:28:10 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini >
Invalid Switch: 17 16:28:10 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini


< [2010/04/17 15:53:33 | 000,000,281 | RHS- | M] () -- C:\boot.ini >
Invalid Switch: 17 15:53:33 | 000,000,281 | RHS- | M] () -- C:\boot.ini


< [2010/04/17 15:37:59 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT >
Invalid Switch: 17 15:37:59 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT


< [2010/04/17 15:06:02 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat >
Invalid Switch: 17 15:06:02 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat


< [2010/04/17 15:06:02 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat >
Invalid Switch: 17 15:06:02 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat


< [2010/04/17 14:41:31 | 000,009,732 | -HS- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\B8u2j7 >
Invalid Switch: 17 14:41:31 | 000,009,732 | -HS- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\B8u2j7


< [2010/04/17 14:41:31 | 000,009,732 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\B8u2j7 >
Invalid Switch: 17 14:41:31 | 000,009,732 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\B8u2j7


< [2010/04/17 11:04:39 | 000,009,574 | -HS- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\3040322509 >
Invalid Switch: 17 11:04:39 | 000,009,574 | -HS- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\3040322509


< [2010/04/17 01:07:48 | 000,009,578 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\3040322509 >
Invalid Switch: 17 01:07:48 | 000,009,578 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\3040322509


< [2010/04/16 23:34:17 | 000,004,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rdpcdd.sys >
Invalid Switch: 16 23:34:17 | 000,004,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rdpcdd.sys


< [2010/04/16 21:31:15 | 000,000,004 | ---- | M] () -- C:\Program Files\6413406.dat >
Invalid Switch: 16 21:31:15 | 000,000,004 | ---- | M] () -- C:\Program Files\6413406.dat


< [2010/04/16 21:31:15 | 000,000,004 | ---- | M] () -- C:\Program Files\6413296.dat >
Invalid Switch: 16 21:31:15 | 000,000,004 | ---- | M] () -- C:\Program Files\6413296.dat


< [2010/04/16 21:31:15 | 000,000,004 | ---- | M] () -- C:\Program Files\6413203.dat >
Invalid Switch: 16 21:31:15 | 000,000,004 | ---- | M] () -- C:\Program Files\6413203.dat


< [2010/04/16 21:31:15 | 000,000,004 | ---- | M] () -- C:\Program Files\6413031.dat >
Invalid Switch: 16 21:31:15 | 000,000,004 | ---- | M] () -- C:\Program Files\6413031.dat


< [2010/04/16 19:28:50 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk >
Invalid Switch: 16 19:28:50 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk


< [2010/04/16 19:16:38 | 000,001,268 | -HS- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\IGI4W75 >
Invalid Switch: 16 19:16:38 | 000,001,268 | -HS- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\IGI4W75


< [2010/04/16 19:16:38 | 000,001,268 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\IGI4W75 >
Invalid Switch: 16 19:16:38 | 000,001,268 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\IGI4W75


< [2010/04/16 10:19:50 | 000,002,516 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys >
Invalid Switch: 16 10:19:50 | 000,002,516 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys


< [2010/04/16 10:19:49 | 000,002,549 | ---- | M] () -- C:\Documents and Settings\User\Desktop\CorelDRAW X4.lnk >
Invalid Switch: 16 10:19:49 | 000,002,549 | ---- | M] () -- C:\Documents and Settings\User\Desktop\CorelDRAW X4.lnk


< [2010/04/14 03:02:56 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK >
Invalid Switch: 14 03:02:56 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK


< [2010/04/10 14:29:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job >
Invalid Switch: 10 14:29:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job


< [2010/03/20 16:46:16 | 000,005,018 | -HS- | M] () -- C:\WINDOWS\System32\KGyGaAvL.sys >
Invalid Switch: 20 16:46:16 | 000,005,018 | -HS- | M] () -- C:\WINDOWS\System32\KGyGaAvL.sys


< [5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] >

< [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] >

< >

< ========== Files Created - No Company Name ========== >
Invalid Switch: color]


Re: Computer hijacked

Post by AngelsElf on Sat Apr 17, 2010 11:55 pm

< >

< [2010/04/17 17:18:58 | 000,000,004 | ---- | C] () -- C:\Program Files\42156.dat >
Invalid Switch: 17 17:18:58 | 000,000,004 | ---- | C] () -- C:\Program Files\42156.dat


< [2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At9.job >
Invalid Switch: 17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At9.job


< [2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At8.job >
Invalid Switch: 17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At8.job


< [2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At7.job >
Invalid Switch: 17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At7.job


< [2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At6.job >
Invalid Switch: 17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At6.job


< [2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At5.job >
Invalid Switch: 17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At5.job


< [2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At4.job >
Invalid Switch: 17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At4.job


< [2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At3.job >
Invalid Switch: 17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At3.job


< [2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At24.job >
Invalid Switch: 17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At24.job


< [2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At23.job >
Invalid Switch: 17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At23.job


< [2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At22.job >
Invalid Switch: 17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At22.job


< [2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At21.job >
Invalid Switch: 17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At21.job


< [2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At20.job >
Invalid Switch: 17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At20.job


< [2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At2.job >
Invalid Switch: 17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At2.job


< [2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At19.job >
Invalid Switch: 17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At19.job


< [2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At18.job >
Invalid Switch: 17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At18.job


< [2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At17.job >
Invalid Switch: 17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At17.job


< [2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At16.job >
Invalid Switch: 17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At16.job


< [2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At15.job >
Invalid Switch: 17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At15.job


< [2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At14.job >
Invalid Switch: 17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At14.job


< [2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At13.job >
Invalid Switch: 17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At13.job


< [2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At12.job >
Invalid Switch: 17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At12.job


< [2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At11.job >
Invalid Switch: 17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At11.job


< [2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At10.job >
Invalid Switch: 17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At10.job


< [2010/04/17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At1.job >
Invalid Switch: 17 17:13:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At1.job


< [2010/04/17 17:12:58 | 000,031,232 | ---- | C] () -- C:\WINDOWS\xbeloa.exe >
Invalid Switch: 17 17:12:58 | 000,031,232 | ---- | C] () -- C:\WINDOWS\xbeloa.exe


< [2010/04/17 17:12:58 | 000,031,232 | ---- | C] () -- C:\WINDOWS\xbeloa .exe >
Invalid Switch: 17 17:12:58 | 000,031,232 | ---- | C] () -- C:\WINDOWS\xbeloa .exe


< [2010/04/17 16:34:57 | 000,008,704 | -HS- | C] () -- C:\Program Files\Thumbs.db >
Invalid Switch: 17 16:34:57 | 000,008,704 | -HS- | C] () -- C:\Program Files\Thumbs.db


< [2010/04/17 15:53:32 | 000,000,210 | ---- | C] () -- C:\Boot.bak >
Invalid Switch: 17 15:53:32 | 000,000,210 | ---- | C] () -- C:\Boot.bak


< [2010/04/17 15:53:29 | 000,260,272 | ---- | C] () -- C:\cmldr >
Invalid Switch: 17 15:53:29 | 000,260,272 | ---- | C] () -- C:\cmldr


< [2010/04/17 15:47:55 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe >
Invalid Switch: 17 15:47:55 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe


< [2010/04/17 15:47:55 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe >
Invalid Switch: 17 15:47:55 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe


< [2010/04/17 15:47:55 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe >
Invalid Switch: 17 15:47:55 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe


< [2010/04/17 15:47:55 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe >
Invalid Switch: 17 15:47:55 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe


< [2010/04/17 15:47:55 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe >
Invalid Switch: 17 15:47:55 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe


< [2010/04/17 15:06:02 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat >
Invalid Switch: 17 15:06:02 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat


< [2010/04/17 15:04:57 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat >
Invalid Switch: 17 15:04:57 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat


< [2010/04/16 21:31:15 | 000,000,004 | ---- | C] () -- C:\Program Files\6413406.dat >
Invalid Switch: 16 21:31:15 | 000,000,004 | ---- | C] () -- C:\Program Files\6413406.dat


< [2010/04/16 21:31:15 | 000,000,004 | ---- | C] () -- C:\Program Files\6413296.dat >
Invalid Switch: 16 21:31:15 | 000,000,004 | ---- | C] () -- C:\Program Files\6413296.dat


< [2010/04/16 21:31:15 | 000,000,004 | ---- | C] () -- C:\Program Files\6413203.dat >
Invalid Switch: 16 21:31:15 | 000,000,004 | ---- | C] () -- C:\Program Files\6413203.dat


< [2010/04/16 21:31:15 | 000,000,004 | ---- | C] () -- C:\Program Files\6413031.dat >
Invalid Switch: 16 21:31:15 | 000,000,004 | ---- | C] () -- C:\Program Files\6413031.dat


< [2010/04/16 19:47:38 | 000,009,578 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3040322509 >
Invalid Switch: 16 19:47:38 | 000,009,578 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3040322509


< [2010/04/16 19:47:38 | 000,009,574 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\3040322509 >
Invalid Switch: 16 19:47:38 | 000,009,574 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\3040322509


< [2010/04/16 19:22:01 | 000,009,732 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\B8u2j7 >
Invalid Switch: 16 19:22:01 | 000,009,732 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\B8u2j7


< [2010/04/16 19:22:01 | 000,009,732 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\B8u2j7 >
Invalid Switch: 16 19:22:01 | 000,009,732 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\B8u2j7


< [2010/04/16 19:16:32 | 000,001,268 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\IGI4W75 >
Invalid Switch: 16 19:16:32 | 000,001,268 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\IGI4W75


< [2010/04/16 19:16:32 | 000,001,268 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\IGI4W75 >
Invalid Switch: 16 19:16:32 | 000,001,268 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\IGI4W75


< [2010/04/11 15:46:12 | 000,000,882 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job >
Invalid Switch: 11 15:46:12 | 000,000,882 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job


< [2010/04/11 15:46:12 | 000,000,878 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job >
Invalid Switch: 11 15:46:12 | 000,000,878 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job


< [2010/03/23 10:29:30 | 000,000,284 | ---- | C] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job >
Invalid Switch: 23 10:29:30 | 000,000,284 | ---- | C] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job


< [2009/07/29 13:28:40 | 000,000,070 | ---- | C] () -- C:\WINDOWS\polite.ini >
Invalid Switch: 29 13:28:40 | 000,000,070 | ---- | C] () -- C:\WINDOWS\polite.ini


< [2009/07/07 19:13:11 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini >
Invalid Switch: 07 19:13:11 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini


< [2009/07/07 19:13:10 | 000,009,216 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini >
Invalid Switch: 07 19:13:10 | 000,009,216 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini


< [2009/06/10 21:49:38 | 000,000,120 | ---- | C] () -- C:\WINDOWS\WINRESAZ.INI >
Invalid Switch: 10 21:49:38 | 000,000,120 | ---- | C] () -- C:\WINDOWS\WINRESAZ.INI


< [2009/06/10 20:51:16 | 000,000,151 | ---- | C] () -- C:\WINDOWS\wininit.ini >
Invalid Switch: 10 20:51:16 | 000,000,151 | ---- | C] () -- C:\WINDOWS\wininit.ini


< [2009/05/24 22:32:27 | 000,002,516 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys >
Invalid Switch: 24 22:32:27 | 000,002,516 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys


< [2009/05/24 22:32:27 | 000,000,008 | RHS- | C] () -- C:\Documents and Settings\All Users\Application Data\16071871B6.sys >
Invalid Switch: 24 22:32:27 | 000,000,008 | RHS- | C] () -- C:\Documents and Settings\All Users\Application Data\16071871B6.sys


< [2009/05/24 19:42:36 | 000,005,018 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys >
Invalid Switch: 24 19:42:36 | 000,005,018 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys


< [2009/05/24 19:42:36 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\16071871B6.sys >
Invalid Switch: 24 19:42:36 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\16071871B6.sys


< [2009/05/24 19:15:32 | 000,000,306 | ---- | C] () -- C:\Program Files\Shortcut to My Documents.lnk >
Invalid Switch: 24 19:15:32 | 000,000,306 | ---- | C] () -- C:\Program Files\Shortcut to My Documents.lnk


< [2009/05/22 21:47:28 | 000,000,000 | ---- | C] () -- C:\WINDOWS\lgfwup.ini >
Invalid Switch: 22 21:47:28 | 000,000,000 | ---- | C] () -- C:\WINDOWS\lgfwup.ini


< [2009/05/22 21:29:30 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI >
Invalid Switch: 22 21:29:30 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI


< [2009/05/22 19:00:48 | 000,024,423 | ---- | C] () -- C:\Documents and Settings\User\CCCInstall_200905221900489687.log >
Invalid Switch: 22 19:00:48 | 000,024,423 | ---- | C] () -- C:\Documents and Settings\User\CCCInstall_200905221900489687.log


< [2009/05/22 15:26:41 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\User\ntuser.ini >
Invalid Switch: 22 15:26:41 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\User\ntuser.ini


< [2009/05/22 15:26:40 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\User\ntuser.dat.LOG >
Invalid Switch: 22 15:26:40 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\User\ntuser.dat.LOG


< [2009/05/22 15:26:39 | 006,291,456 | -H-- | C] () -- C:\Documents and Settings\User\NTUSER.DAT >
Invalid Switch: 22 15:26:39 | 006,291,456 | -H-- | C] () -- C:\Documents and Settings\User\NTUSER.DAT


< [2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI >
Invalid Switch: 07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI


< >

~[Filtered]~
Invalid Switch: color]


< >

< @Alternate Data Stream - 487 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:05EE1EEF >

< < End of report > >

========== Alternate Data Streams ==========

@Alternate Data Stream - 487 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:05EE1EEF

< End of report >


Re: Computer hijacked

Post by Belahzur on Sun Apr 18, 2010 4:41 pm

Hello.
Can you post the full log? It looks broken. Did you use the script I gave you?



Re: Computer hijacked

Post by AngelsElf on Mon Apr 19, 2010 1:31 pm

As requested, I'm sorry I misunderstood what you were asking me to do. I hope I did it correctly this time.

Thank you again

OTL logfile created on: 4/19/2010 9:15:56 AM - Run 3
OTL by OldTimer - Version 3.2.1.1 Folder = C:\Documents and Settings\User\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 61.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 3072 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 91.56 Gb Free Space | 61.43% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive K: | 244.48 Mb Total Space | 244.48 Mb Free Space | 100.00% Space Free | Partition Type: FAT

Computer Name: ADMIN-42AEEB16E
Current User Name: User
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/17 11:23:57 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\My Documents\Downloads\OTL.exe
PRC - [2010/04/14 12:47:08 | 002,790,472 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/04/14 12:47:05 | 000,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2010/04/14 12:46:53 | 000,119,200 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\afwServ.exe
PRC - [2010/04/02 10:06:20 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/03/31 02:02:36 | 002,181,040 | ---- | M] (Beepa P/L) -- C:\Fraps\fraps.exe
PRC - [2008/09/16 12:03:18 | 000,169,312 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/07/24 11:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) -- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
PRC - [2007/06/05 13:20:32 | 000,177,704 | ---- | M] () -- C:\WINDOWS\system32\PSIService.exe
PRC - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe


========== Modules (SafeList) ==========

MOD - [2010/04/17 11:23:57 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\My Documents\Downloads\OTL.exe
MOD - [2010/04/14 12:36:14 | 000,140,800 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\snxBorder.dll
MOD - [2010/04/14 12:33:44 | 000,140,288 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\snxPlugins.dll
MOD - [2010/03/31 01:20:46 | 000,206,768 | ---- | M] (Beepa P/L) -- C:\Fraps\fraps32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/04/14 12:47:05 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/04/14 12:47:05 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/04/14 12:47:05 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010/04/14 12:46:53 | 000,119,200 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\afwServ.exe -- (avast! Firewall)
SRV - [2009/10/06 12:03:28 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/09/16 12:03:18 | 000,169,312 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor7.0)
SRV - [2008/08/15 05:46:20 | 000,284,016 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe -- (Adobe Version Cue CS4)
SRV - [2007/07/24 11:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) [Auto | Running] -- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe -- (PSI_SVC_2)
SRV - [2007/06/05 13:20:32 | 000,177,704 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\PSIService.exe -- (ProtexisLicensing)
SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="
FF - prefs.js..browser.search.selectedEngine: "Yahoo! Search"
FF - prefs.js..browser.startup.homepage: "http://www.google.ca/search?hl=en&client=firefox-a&hs=7JW&rlz=1R0WZPB_en&channel=s&q=wild+yeast+Ciabatta+recipe&start=30&sa=N"
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0

FF - HKLM\software\mozilla\Firefox\Extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}: C:\Documents and Settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c} [2009/07/14 00:02:02 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/14 15:42:28 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/07 15:05:29 | 000,000,000 | ---D | M]

[2009/05/24 18:51:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions
[2010/04/18 16:12:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions
[2009/07/05 22:30:15 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/14 19:25:50 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010/04/18 16:12:42 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/08/11 15:54:00 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\browserhighlighter@ebay.com
[2009/07/26 18:10:37 | 000,036,864 | ---- | M] (Homestead Technologies, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nphssb.dll

O1 HOSTS File: ([2004/08/04 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll ()
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKCU..\Run: [AdobeBridge] C:\Program Files\Adobe\Adobe Bridge CS4\Bridge.exe File not found
O4 - HKCU..\Run: [Fraps] C:\Fraps\fraps.exe (Beepa P/L)
O4 - HKCU..\Run: [QZAIB7KITK] C:\WINDOWS\Xbeloa.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} [You must be registered and logged in to see this link.] (asusTek_sysctrl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_16)
O16 - DPF: Microsoft XML Parser for Java [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/05/22 15:22:37 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 14 Days ==========

[2010/04/17 23:11:36 | 000,000,000 | ---D | C] -- C:\New Folder
[2010/04/17 20:10:01 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/04/17 20:06:48 | 000,162,768 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/04/17 20:06:48 | 000,019,024 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/04/17 20:06:47 | 000,297,552 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2010/04/17 20:06:46 | 000,102,736 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFW.sys
[2010/04/17 20:06:37 | 000,196,048 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswNdis2.sys
[2010/04/17 20:06:37 | 000,023,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/04/17 20:06:36 | 000,046,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/04/17 20:06:34 | 000,100,432 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/04/17 20:06:34 | 000,094,800 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/04/17 20:06:34 | 000,028,880 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/04/17 20:06:16 | 000,153,184 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/04/17 20:06:16 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/04/17 20:06:16 | 000,012,112 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswNdis.sys
[2010/04/17 20:02:56 | 000,000,000 | ---D | C] -- C:\Avast Stuff
[2010/04/17 18:02:08 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/04/17 17:38:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/04/17 15:53:26 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/04/17 15:47:55 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/04/17 15:47:55 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/04/17 15:47:55 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/04/17 15:47:55 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/04/17 15:47:29 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/04/17 15:47:27 | 000,000,000 | ---D | C] -- C:\Combo-Fix
[2010/04/17 15:36:11 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/17 15:28:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/04/17 15:05:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/04/17 15:05:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\avG
[2010/04/17 15:05:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/04/17 15:04:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/04/17 11:38:40 | 000,000,000 | ---D | C] -- C:\geek police stuff
[2010/04/16 19:24:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/04/16 19:24:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\avG
[2010/04/16 19:24:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avG
[2010/04/14 09:48:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2010/04/11 16:11:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Google
[2010/04/11 15:46:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2010/04/11 15:46:09 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[2010/04/07 15:05:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2010/04/06 16:59:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/03/27 14:29:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/10/25 22:51:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2009/08/03 18:35:13 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/08/03 18:35:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2007/05/22 16:10:37 | 001,241,088 | ---- | C] (Auto FX Software) -- C:\Program Files\PGE_PlugIn.8bf
[1998/05/31 00:00:00 | 000,295,696 | ---- | C] (Microsoft Corporation) -- C:\Program Files\Common Files\MSJTOR35.DLL
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/04/19 09:17:43 | 000,002,516 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
[2010/04/19 09:17:18 | 000,002,549 | ---- | M] () -- C:\Documents and Settings\User\Desktop\CorelDRAW X4.lnk
[2010/04/19 08:51:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/19 02:28:07 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/19 01:42:48 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/04/18 18:04:01 | 000,002,559 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Corel PHOTO-PAINT X4.lnk
[2010/04/18 15:51:00 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/04/18 09:19:35 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/18 09:18:44 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/18 09:18:33 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/18 07:33:21 | 006,291,456 | -H-- | M] () -- C:\Documents and Settings\User\NTUSER.DAT
[2010/04/18 07:33:21 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\User\ntuser.ini
[2010/04/18 07:32:46 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/04/17 23:12:33 | 000,000,478 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Fraps.lnk
[2010/04/17 20:06:48 | 000,001,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Internet Security.lnk
[2010/04/17 17:18:58 | 000,000,004 | ---- | M] () -- C:\Program Files\42156.dat
[2010/04/17 16:28:10 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/17 15:53:33 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/04/17 15:06:02 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/04/17 14:41:31 | 000,009,732 | -HS- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\B8u2j7
[2010/04/17 14:41:31 | 000,009,732 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\B8u2j7
[2010/04/17 11:04:39 | 000,009,574 | -HS- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\3040322509
[2010/04/17 01:07:48 | 000,009,578 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\3040322509
[2010/04/16 21:31:15 | 000,000,004 | ---- | M] () -- C:\Program Files\6413406.dat
[2010/04/16 21:31:15 | 000,000,004 | ---- | M] () -- C:\Program Files\6413296.dat
[2010/04/16 21:31:15 | 000,000,004 | ---- | M] () -- C:\Program Files\6413203.dat
[2010/04/16 21:31:15 | 000,000,004 | ---- | M] () -- C:\Program Files\6413031.dat
[2010/04/16 19:28:50 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/04/16 19:16:38 | 000,001,268 | -HS- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\IGI4W75
[2010/04/16 19:16:38 | 000,001,268 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\IGI4W75
[2010/04/14 12:47:23 | 000,038,848 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/04/14 12:47:03 | 000,153,184 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/04/14 12:37:30 | 000,102,736 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFW.sys
[2010/04/14 12:37:13 | 000,297,552 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2010/04/14 12:36:53 | 000,196,048 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswNdis2.sys
[2010/04/14 12:35:47 | 000,046,672 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/04/14 12:35:25 | 000,162,768 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/04/14 12:31:39 | 000,023,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/04/14 12:31:12 | 000,100,432 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/04/14 12:31:09 | 000,094,800 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/04/14 12:31:01 | 000,019,024 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/04/14 12:30:45 | 000,028,880 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/04/14 03:02:56 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/10 14:29:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/17 23:12:33 | 000,000,478 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Fraps.lnk
[2010/04/17 20:06:48 | 000,001,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Internet Security.lnk
[2010/04/17 17:18:58 | 000,000,004 | ---- | C] () -- C:\Program Files\42156.dat
[2010/04/17 16:34:57 | 000,008,704 | -HS- | C] () -- C:\Program Files\Thumbs.db
[2010/04/17 15:53:32 | 000,000,210 | ---- | C] () -- C:\Boot.bak
[2010/04/17 15:53:29 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/04/17 15:47:55 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/04/17 15:47:55 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/17 15:47:55 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/04/17 15:47:55 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/04/17 15:47:55 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/04/17 15:06:02 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/04/17 15:04:57 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/16 21:31:15 | 000,000,004 | ---- | C] () -- C:\Program Files\6413406.dat
[2010/04/16 21:31:15 | 000,000,004 | ---- | C] () -- C:\Program Files\6413296.dat
[2010/04/16 21:31:15 | 000,000,004 | ---- | C] () -- C:\Program Files\6413203.dat
[2010/04/16 21:31:15 | 000,000,004 | ---- | C] () -- C:\Program Files\6413031.dat
[2010/04/16 19:47:38 | 000,009,578 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3040322509
[2010/04/16 19:47:38 | 000,009,574 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\3040322509
[2010/04/16 19:22:01 | 000,009,732 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\B8u2j7
[2010/04/16 19:22:01 | 000,009,732 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\B8u2j7
[2010/04/16 19:16:32 | 000,001,268 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\IGI4W75
[2010/04/16 19:16:32 | 000,001,268 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\IGI4W75
[2010/04/11 15:46:12 | 000,000,882 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/11 15:46:12 | 000,000,878 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2009/07/29 13:28:40 | 000,000,070 | ---- | C] () -- C:\WINDOWS\polite.ini
[2009/07/07 19:13:11 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/07/07 19:13:10 | 000,009,216 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/06/10 21:49:38 | 000,000,120 | ---- | C] () -- C:\WINDOWS\WINRESAZ.INI
[2009/06/10 20:51:16 | 000,000,151 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/05/24 22:32:27 | 000,002,516 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
[2009/05/24 22:32:27 | 000,000,008 | RHS- | C] () -- C:\Documents and Settings\All Users\Application Data\16071871B6.sys
[2009/05/24 19:42:36 | 000,005,018 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2009/05/24 19:42:36 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\16071871B6.sys
[2009/05/24 19:15:32 | 000,000,306 | ---- | C] () -- C:\Program Files\Shortcut to My Documents.lnk
[2009/05/22 21:47:28 | 000,000,000 | ---- | C] () -- C:\WINDOWS\lgfwup.ini
[2009/05/22 21:29:30 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/05/22 19:00:48 | 000,024,423 | ---- | C] () -- C:\Documents and Settings\User\CCCInstall_200905221900489687.log
[2009/05/22 15:26:41 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\User\ntuser.ini
[2009/05/22 15:26:40 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\User\ntuser.dat.LOG
[2009/05/22 15:26:39 | 006,291,456 | -H-- | C] () -- C:\Documents and Settings\User\NTUSER.DAT
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2010/04/16 21:29:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/04/16 19:24:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avG
[2009/08/21 12:51:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\espionServerData
[2010/04/17 20:11:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/05/25 10:02:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2009/05/25 10:07:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZipEC
[2009/05/25 10:08:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZipSE
[2010/02/22 23:12:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\SoapMakerData
[2010/04/19 01:42:48 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

========== Purity Check ==========



========== Custom Scans ==========


< >


< MD5 for: ATAPI.SYS >
[2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\Embroidary file stuff\I386\sp2.cab:atapi.sys
[2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/04 08:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys

< MD5 for: RDPCDD.SYS >
[2010/04/16 23:34:17 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=4912D5B403614CE99C28420F75353332 -- C:\WINDOWS\system32\dllcache\rdpcdd.sys
[2010/04/17 16:07:13 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=4912D5B403614CE99C28420F75353332 -- C:\WINDOWS\system32\drivers\rdpcdd.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 487 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:05EE1EEF
< End of report >


Re: Computer hijacked

Post by Belahzur on Mon Apr 19, 2010 2:50 pm

Hello.
Please reboot your machine.

As it reboots, you will notice an extra menu with an extra option for the Microsoft Windows Recovery Console.

Please select that option to boot the RC. Windows will boot to a text-based screen and ask you to select the installation to log into; choose the correct one, usually option 1, and press Enter.

In there, type the following commands, one line at a time.

ren C:\WINDOWS\system32\drivers\rdpcdd.sys rdpcdd.old.sys
copy C:\WINDOWS\system32\dllcache\rdpcdd.sys C:\WINDOWS\system32\drivers\rdpcdd.sys
exit

After the copy command, you may be prompted with a yes/no to confirm the copy; type "y" to confirm it.

After that, boot back to normal mode, re-run GMER and post the new log.

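
Editor's note on the restore step above. The instruction copies rdpcdd.sys from dllcache over the copy in system32\drivers. That only helps if the dllcache copy is clean, and in the OTL custom scan posted earlier both copies of rdpcdd.sys carry the same MD5 (4912D5B403614CE99C28420F75353332) and were both modified on 16 and 17 April 2010, while the atapi.sys copies can be checked against an SP3-era copy under ServicePackFiles\i386. The script below is an added example, not part of OTL, GMER or the helper's instructions: it parses the "< MD5 for: FILE >" blocks exactly as OTL prints them, compares the live driver with every other hashed copy, and says whether the live file can be validated from what is on the disk. The choice of ServicePackFiles\i386 as the trusted reference folder and the verdict labels are this script's own assumptions; the sample input is the two blocks from the log above plus one constructed EXAMPLE.SYS block with made-up hashes.

```python
"""Triage the '< MD5 for: FILE >' blocks of an OTL custom scan.

Added example for this thread (not OTL/GMER code). For each driver it
compares the live copy under system32\\drivers with the other copies OTL
hashed. Treating ServicePackFiles\\i386 as the reference folder is this
script's assumption.
"""
import re
from datetime import datetime

HEADER_RE = re.compile(r"^< MD5 for: (?P<name>.+?) >$")
# One hashed-file line as OTL prints it. Lines for .cab containers carry
# no MD5= field, so they do not match and are skipped on purpose.
LINE_RE = re.compile(
    r"^\[(?P<mtime>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| [^|]*\| M\] "
    r"\((?P<company>[^)]*)\) MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>.+)$"
)


def parse_md5_blocks(report):
    """Return {FILENAME: [copy, ...]}; a copy has mtime (datetime),
    size (int), company, md5 (upper-case) and path."""
    blocks, current = {}, None
    for raw in report.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group("name").upper()
            blocks[current] = []
            continue
        m = LINE_RE.match(line)
        if m and current is not None:
            copy = m.groupdict()
            copy["mtime"] = datetime.strptime(copy["mtime"], "%Y/%m/%d %H:%M:%S")
            copy["size"] = int(copy["size"].replace(",", ""))
            copy["md5"] = copy["md5"].upper()
            blocks[current].append(copy)
    return blocks


def _under(copy, fragment):
    return fragment.lower() in copy["path"].lower()


def assess(copies):
    """Verdict for one driver as (STATUS, detail).
    OK: live copy hashes like the ServicePackFiles\\i386 copy (older SP2
    backups may differ). MISMATCH: another on-disk copy disagrees with the
    live one. UNVERIFIED: all copies identical but none is a service-pack
    copy, so dllcache is not an independent reference."""
    live = [c for c in copies if _under(c, "\\system32\\drivers\\")]
    if not live:
        return ("NO_LIVE_COPY", "no copy under system32\\drivers in the report")
    live = live[0]
    sp_ref = [c for c in copies if _under(c, "\\ServicePackFiles\\i386\\")]
    if sp_ref:
        if any(c["md5"] == live["md5"] for c in sp_ref):
            return ("OK", f"live copy matches ServicePackFiles copy ({live['md5']})")
        return ("MISMATCH",
                f"live copy {live['md5']} differs from ServicePackFiles copy {sp_ref[0]['md5']}")
    others = [c for c in copies if c is not live]
    differing = [c for c in others if c["md5"] != live["md5"]]
    if differing:
        return ("MISMATCH", f"live copy {live['md5']} differs from {differing[0]['path']}")
    return ("UNVERIFIED",
            f"no ServicePackFiles copy; {len(others)} other copy/copies identical to the "
            f"live file, which was modified {live['mtime']:%Y-%m-%d}; compare against "
            f"install media before trusting dllcache as a restore source")


def triage(report):
    return {name: assess(copies) for name, copies in parse_md5_blocks(report).items()}


# Sample input: the ATAPI.SYS and RDPCDD.SYS blocks from the OTL log above,
# plus a constructed EXAMPLE.SYS block (made-up hashes) whose live driver no
# longer matches its service-pack copy.
SAMPLE_REPORT = r"""
< MD5 for: ATAPI.SYS >
[2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: RDPCDD.SYS >
[2010/04/16 23:34:17 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=4912D5B403614CE99C28420F75353332 -- C:\WINDOWS\system32\dllcache\rdpcdd.sys
[2010/04/17 16:07:13 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=4912D5B403614CE99C28420F75353332 -- C:\WINDOWS\system32\drivers\rdpcdd.sys

< MD5 for: EXAMPLE.SYS >
[2008/04/14 00:10:32 | 000,010,000 | ---- | M] (Microsoft Corporation) MD5=DEADBEEFDEADBEEFDEADBEEFDEADBEEF -- C:\WINDOWS\ServicePackFiles\i386\example.sys
[2010/04/16 23:34:17 | 000,010,000 | ---- | M] (Microsoft Corporation) MD5=CAFEBABECAFEBABECAFEBABECAFEBABE -- C:\WINDOWS\system32\drivers\example.sys
"""

if __name__ == "__main__":
    for name, (status, detail) in triage(SAMPLE_REPORT).items():
        print(f"{name:12} {status:12} {detail}")
```

Run against the log above, atapi.sys comes out OK (the live file matches the ServicePackFiles copy; the SP2-era copies under $NtServicePackUninstall$ and ReinstallBackups are expected to differ), while rdpcdd.sys comes out UNVERIFIED: the only other copy is in dllcache and is byte-identical, so the copy step restores whatever dllcache holds. A clean reference for such a file has to come from somewhere the infection could not touch, such as the original installation media or the sp3.cab driver cache.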

Re: Computer hijacked

Post by AngelsElf on Tue Apr 20, 2010 10:55 am

I have been trying for almost 2 days to get you this log. The last attempt was all night last night. I saved to Notepad what I could, but I am not sure why my system is taking so long to do this. Any ideas, or is it supposed to take over 8 hours? -.-

GMER 1.0.15.15281 - [You must be registered and logged in to see this link.]
Rootkit scan 2010-04-20 05:58:25
Windows 5.1.2600 Service Pack 3
Running: Gamer thingy.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\kxeyraoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwClose [0xACBE405D]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwCreateEvent [0xACBCDF84]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwCreateEventPair [0xACBCE008]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwCreateIoCompletion [0xACBCE1A4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwCreateKey [0xACBE3A11]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwCreateMutant [0xACBCDE80]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwCreateSection [0xACBCE084]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwCreateSemaphore [0xACBCDF02]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwCreateTimer [0xACBCE124]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwDeleteKey [0xACBE4723]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwDeleteValueKey [0xACBE482A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwDuplicateObject [0xACBCE962]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwEnumerateKey [0xACBE458E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwEnumerateValueKey [0xACBE43F9]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwLoadDriver [0xACBCC2E4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenEvent [0xACBCDFCA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenEventPair [0xACBCE046]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenIoCompletion [0xACBCE1E6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenKey [0xACBE3D6D]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenMutant [0xACBCDEC4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenProcess [0xACBCE76A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenSection [0xACBCE0DA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenSemaphore [0xACBCDF46]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenThread [0xACBCE866]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenTimer [0xACBCE166]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwQueryKey [0xACBE4274]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwQueryObject [0xACBCCE4A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwQueryValueKey [0xACBE40C6]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xACC12146]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwReplyWaitReceivePort [0xACBCEB0A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwReplyWaitReceivePortEx [0xACBCE672]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwRestoreKey [0xACBE30AC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwSetSystemInformation [0xACBCC352]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xACC11DFE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwShutdownSystem [0xACBCC48E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwSystemDebugControl [0xACBCC4A0]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xACC1E50A]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 186 804E49E0 4 Bytes JMP 43C1F6A1
.text ntoskrnl.exe!ZwYieldExecution + 276 804E4AD0 4 Bytes CALL C720F791
PAGE ntoskrnl.exe!ObInsertObject 8056DA64 5 Bytes JMP ACC1B97E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8059056D 7 Bytes JMP ACC1E50E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ObMakeTemporaryObject 805E74E6 5 Bytes JMP ACC1A4AA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB9BF3000, 0x1C5D58, 0xE8000020]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[1068] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[1068] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Fastfat \FatCdrom aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Ip aswFW.SYS (avast! Filtering TDI driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswFW.SYS (avast! Filtering TDI driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswFW.SYS (avast! Filtering TDI driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswFW.SYS (avast! Filtering TDI driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Re: Computer hijacked

Post by Belahzur on Tue Apr 20, 2010 12:06 pm

Is that the full log? It seems the bottom bit is missing. Nevertheless, the sign of the rootkit is gone; well done, you killed it.

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :OTL
    O4 - HKCU..\Run: [QZAIB7KITK] C:\WINDOWS\Xbeloa.exe File not found
    C:\Program Files\6413406.dat
    [2010/04/16 21:31:15 | 000,000,004 | ---- | C] () -- C:\Program Files\6413296.dat
    [2010/04/16 21:31:15 | 000,000,004 | ---- | C] () -- C:\Program Files\6413203.dat
    [2010/04/16 21:31:15 | 000,000,004 | ---- | C] () -- C:\Program Files\6413031.dat
    [2010/04/16 19:47:38 | 000,009,578 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3040322509
    [2010/04/16 19:47:38 | 000,009,574 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\3040322509
    [2010/04/16 19:22:01 | 000,009,732 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\B8u2j7
    [2010/04/16 19:22:01 | 000,009,732 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\B8u2j7
    [2010/04/16 19:16:32 | 000,001,268 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\IGI4W75
    [2010/04/16 19:16:32 | 000,001,268 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\IGI4W75


  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


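The fix script in the post above was assembled by hand from the OTL log. As an added example that is not part of this thread and is not OTL's own code, the Python below shows one way to do that triage over OTL log lines: it parses the O4 Run entries and the bracketed file lines, then applies three heuristics that are assumptions of this example (mine, not OTL's or the helper's): a Run entry whose target is reported as File not found, a hidden+system file with no company name under an Application Data folder whose name is a bare alphanumeric string with no extension, and a .dat file in Program Files with a purely numeric name and a size of a few bytes. The sample lines are copied from the logs posted in this thread, with a few known-good lines left in so the rules have something to pass over.

```python
import re

# Constructed sample: lines copied from the OTL logs posted in this thread, with a
# few known-good lines left in so the rules have something to pass over.
SAMPLE_OTL = r"""
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKCU..\Run: [Fraps] C:\Fraps\fraps.exe (Beepa P/L)
O4 - HKCU..\Run: [QZAIB7KITK] C:\WINDOWS\Xbeloa.exe File not found
[2010/04/17 20:06:48 | 000,162,768 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/04/16 21:31:15 | 000,000,004 | ---- | C] () -- C:\Program Files\6413296.dat
[2010/04/16 21:31:15 | 000,000,004 | ---- | C] () -- C:\Program Files\6413203.dat
[2010/04/16 19:47:38 | 000,009,578 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3040322509
[2010/04/16 19:22:01 | 000,009,732 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\B8u2j7
[2010/04/16 19:16:32 | 000,001,268 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\IGI4W75
[2010/04/19 12:51:06 | 000,002,516 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
[2010/04/17 16:34:57 | 000,008,704 | -HS- | C] () -- C:\Program Files\Thumbs.db
""".strip().splitlines()

# OTL autorun line: "O4 - HKCU..\Run: [name] target (Company)" or "... target File not found"
RUN_LINE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
# OTL file line: "[date time | size | RHSD | C/M] (Company) -- path"
FILE_LINE = re.compile(
    r"^\[\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \| (?P<size>[\d,]+) \| (?P<attr>[-A-Z]{4}) \| [CM]\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
# Heuristics assumed for this example (mine, not OTL's): a bare alphanumeric name with
# no extension, and a numeric-only .dat name.
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{5,12}$")
NUMERIC_DAT = re.compile(r"^\d+\.dat$", re.IGNORECASE)


def triage(lines):
    """Return (rule, original_line) pairs for entries that deserve a second look."""
    findings = []
    for line in lines:
        m = RUN_LINE.match(line)
        if m:
            # Autorun pointing at a file that no longer exists: leftover of a removed dropper.
            if m["rest"].endswith("File not found"):
                findings.append(("orphan-run", line))
            continue
        m = FILE_LINE.match(line)
        if not m:
            continue
        path = m["path"]
        name = path.rsplit("\\", 1)[-1]
        size = int(m["size"].replace(",", ""))
        attr = m["attr"]                      # OTL attribute order is R H S D
        hidden_system = attr[1] == "H" and attr[2] == "S"
        no_company = m["company"] == ""
        if (hidden_system and no_company and "\\Application Data\\" in path
                and RANDOM_NAME.match(name)):
            findings.append(("hidden-appdata", line))
        elif (NUMERIC_DAT.match(name) and size <= 16
                and path.lower().startswith("c:\\program files\\")):
            findings.append(("tiny-dat", line))
    return findings


def build_otl_fix(findings):
    """Render the findings in the form the thread's fix uses: the log line itself under :OTL."""
    return "\n".join([":OTL"] + [line for _, line in findings])


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_OTL):
        print(f"{rule:15} {line}")
    print()
    print(build_otl_fix(triage(SAMPLE_OTL)))
```

Treat the output as a worklist to confirm by hand, not an auto-delete list. The extensionless-name rule is deliberately narrow: the -HS- file KGyGaAvL.sys in the sample is left for manual review rather than flagged, and a dropper that picked a name with an extension would slip past it. The script it prints uses the same line forms as the fix in the post (the log line itself under an :OTL header), so it can be pasted into the Custom Scans/Fixes box once each line has been checked.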

Re: Computer hijacked

Post by AngelsElf on Tue Apr 20, 2010 3:13 pm

OTL logfile created on: 4/20/2010 11:04:27 AM - Run 4
OTL by OldTimer - Version 3.2.1.1 Folder = C:\geek police stuff
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 81.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): C:\pagefile.sys 3072 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 94.82 Gb Free Space | 63.62% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
Drive I: | 249.72 Mb Total Space | 66.32 Mb Free Space | 26.56% Space Free | Partition Type: FAT
Drive K: | 244.48 Mb Total Space | 244.48 Mb Free Space | 100.00% Space Free | Partition Type: FAT

Computer Name: ADMIN-42AEEB16E
Current User Name: User
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/04/17 11:23:57 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\geek police stuff\OTL.exe
PRC - [2010/04/14 12:47:08 | 002,790,472 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/04/14 12:47:05 | 000,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2010/04/14 12:46:53 | 000,119,200 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\afwServ.exe
PRC - [2010/04/11 15:46:09 | 000,136,176 | ---- | M] (Google Inc.) -- C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
PRC - [2010/04/01 13:58:04 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/03/31 02:02:36 | 002,181,040 | ---- | M] (Beepa P/L) -- C:\Fraps\fraps.exe
PRC - [2008/09/16 12:03:18 | 000,169,312 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
PRC - [2008/06/11 22:43:26 | 000,640,376 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/07/24 11:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) -- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
PRC - [2007/06/05 13:20:32 | 000,177,704 | ---- | M] () -- C:\WINDOWS\system32\PSIService.exe
PRC - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe


========== Modules (SafeList) ==========

MOD - [2010/04/17 11:23:57 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\geek police stuff\OTL.exe
MOD - [2010/04/14 12:36:14 | 000,140,800 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\snxBorder.dll
MOD - [2010/04/14 12:33:44 | 000,140,288 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\snxPlugins.dll
MOD - [2010/03/31 01:20:46 | 000,206,768 | ---- | M] (Beepa P/L) -- C:\Fraps\fraps32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/04/14 12:47:05 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/04/14 12:47:05 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/04/14 12:47:05 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010/04/14 12:46:53 | 000,119,200 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\afwServ.exe -- (avast! Firewall)
SRV - [2009/10/06 12:03:28 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/09/16 12:03:18 | 000,169,312 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor7.0)
SRV - [2008/08/15 05:46:20 | 000,284,016 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe -- (Adobe Version Cue CS4)
SRV - [2007/07/24 11:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) [Auto | Running] -- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe -- (PSI_SVC_2)
SRV - [2007/06/05 13:20:32 | 000,177,704 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\PSIService.exe -- (ProtexisLicensing)
SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - [2010/04/14 12:37:30 | 000,102,736 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswFW.sys -- (aswFW)
DRV - [2010/04/14 12:37:13 | 000,297,552 | ---- | M] (ALWIL Software) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2010/04/14 12:36:53 | 000,196,048 | ---- | M] (ALWIL Software) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\aswNdis2.sys -- (aswNdis2)
DRV - [2010/04/14 12:35:47 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/04/14 12:35:25 | 000,162,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/04/14 12:31:39 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/04/14 12:31:12 | 000,100,432 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/04/14 12:31:01 | 000,019,024 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/04/14 12:30:45 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2010/01/09 16:22:02 | 000,012,112 | ---- | M] (ALWIL Software) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aswNdis.sys -- (aswNdis)
DRV - [2009/02/25 18:58:57 | 003,565,568 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2008/08/14 07:57:42 | 000,074,720 | ---- | M] (Adobe Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\adfs.sys -- (adfs)
DRV - [2008/04/14 00:15:30 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2008/04/14 00:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 22:06:06 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/12/06 09:51:00 | 000,285,952 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2007/07/16 11:29:34 | 000,017,432 | R--- | M] (Hewlett Packard) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hpfxbulk.sys -- (HPFXBULK)
DRV - [2005/09/23 18:56:28 | 003,966,976 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2001/08/17 12:17:44 | 000,042,432 | ---- | M] (Digi International, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\digirlpt.sys -- (DIGIRPS)
DRV - [2001/08/17 10:00:04 | 000,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="
FF - prefs.js..browser.search.selectedEngine: "Yahoo! Search"
FF - prefs.js..browser.startup.homepage: "http://www.google.ca/"
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0

FF - HKLM\software\mozilla\Firefox\Extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}: C:\Documents and Settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c} [2009/07/14 00:02:02 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/20 11:01:09 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/20 11:01:08 | 000,000,000 | ---D | M]

[2009/05/24 18:51:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions
[2010/04/19 19:05:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions
[2009/07/05 22:30:15 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/14 19:25:50 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010/04/20 11:01:08 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/08/11 15:54:00 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\browserhighlighter@ebay.com
[2009/07/26 18:10:37 | 000,036,864 | ---- | M] (Homestead Technologies, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nphssb.dll

O1 HOSTS File: ([2004/08/04 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll ()
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKCU..\Run: [AdobeBridge] C:\Program Files\Adobe\Adobe Bridge CS4\Bridge.exe File not found
O4 - HKCU..\Run: [Fraps] C:\Fraps\fraps.exe (Beepa P/L)
O4 - HKCU..\Run: [QZAIB7KITK] C:\WINDOWS\Xbeloa.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} [You must be registered and logged in to see this link.] (asusTek_sysctrl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_16)
O16 - DPF: Microsoft XML Parser for Java [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/05/22 15:22:37 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/12/07 13:33:04 | 000,000,000 | RHSD | M] - I:\autorun.inf -- [ FAT ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/04/17 23:11:36 | 000,000,000 | ---D | C] -- C:\New Folder
[2010/04/17 20:10:01 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/04/17 20:06:48 | 000,162,768 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/04/17 20:06:48 | 000,019,024 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/04/17 20:06:47 | 000,297,552 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2010/04/17 20:06:46 | 000,102,736 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFW.sys
[2010/04/17 20:06:37 | 000,196,048 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswNdis2.sys
[2010/04/17 20:06:37 | 000,023,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/04/17 20:06:36 | 000,046,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/04/17 20:06:34 | 000,100,432 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/04/17 20:06:34 | 000,094,800 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/04/17 20:06:34 | 000,028,880 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/04/17 20:06:16 | 000,153,184 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/04/17 20:06:16 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/04/17 20:06:16 | 000,012,112 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswNdis.sys
[2010/04/17 20:02:56 | 000,000,000 | ---D | C] -- C:\Avast Stuff
[2010/04/17 18:02:08 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/04/17 17:38:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/04/17 15:53:26 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/04/17 15:47:55 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/04/17 15:47:55 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/04/17 15:47:55 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/04/17 15:47:55 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/04/17 15:47:29 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/04/17 15:47:27 | 000,000,000 | ---D | C] -- C:\Combo-Fix
[2010/04/17 15:36:11 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/17 15:28:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/04/17 15:05:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/04/17 15:05:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\avG
[2010/04/17 15:05:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/04/17 15:04:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/04/17 11:38:40 | 000,000,000 | ---D | C] -- C:\geek police stuff
[2010/04/16 19:24:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/04/16 19:24:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\avG
[2010/04/16 19:24:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avG
[2010/04/14 09:48:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2010/04/11 16:11:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Google
[2010/04/11 15:46:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2010/04/11 15:46:09 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[2010/04/10 16:12:03 | 000,110,621 | ---- | C] (Digi International, Inc.) -- C:\WINDOWS\System32\dllcache\digirlpt.dll
[2010/04/10 16:12:03 | 000,110,621 | ---- | C] (Digi International, Inc.) -- C:\WINDOWS\System32\digirlpt.dll
[2010/04/10 16:12:03 | 000,042,432 | ---- | C] (Digi International, Inc.) -- C:\WINDOWS\System32\drivers\digirlpt.sys
[2010/04/10 16:12:03 | 000,042,432 | ---- | C] (Digi International, Inc.) -- C:\WINDOWS\System32\dllcache\digirlpt.sys
[2010/04/07 15:05:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2010/04/06 16:59:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/03/31 02:00:46 | 000,086,016 | ---- | C] (Beepa P/L) -- C:\WINDOWS\System32\frapsvid.dll
[2010/03/27 14:29:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2010/03/23 10:30:03 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/03/23 10:29:39 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Apple
[2010/03/23 10:29:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\Apple
[2010/03/23 10:29:26 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2010/03/23 10:29:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple
[2010/03/23 10:29:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\Apple Computer
[2009/10/25 22:51:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2009/08/03 18:35:13 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/08/03 18:35:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2007/05/22 16:10:37 | 001,241,088 | ---- | C] (Auto FX Software) -- C:\Program Files\PGE_PlugIn.8bf
[1998/05/31 00:00:00 | 000,295,696 | ---- | C] (Microsoft Corporation) -- C:\Program Files\Common Files\MSJTOR35.DLL
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/20 11:01:11 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/04/20 10:55:00 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-602162358-725345543-1003UA.job
[2010/04/20 10:55:00 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-602162358-725345543-1003Core.job
[2010/04/20 10:51:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/20 10:49:59 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/04/20 10:47:16 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/20 10:47:16 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/04/20 10:46:57 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/20 10:46:52 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/19 12:51:06 | 000,002,516 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
[2010/04/19 12:50:58 | 000,002,549 | ---- | M] () -- C:\Documents and Settings\User\Desktop\CorelDRAW X4.lnk
[2010/04/19 11:02:20 | 006,291,456 | -H-- | M] () -- C:\Documents and Settings\User\NTUSER.DAT
[2010/04/19 11:02:20 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\User\ntuser.ini
[2010/04/19 09:52:19 | 000,002,559 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Corel PHOTO-PAINT X4.lnk
[2010/04/19 02:28:07 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/18 07:32:46 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/04/17 23:12:33 | 000,000,478 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Fraps.lnk
[2010/04/17 20:06:48 | 000,001,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Internet Security.lnk
[2010/04/17 17:18:58 | 000,000,004 | ---- | M] () -- C:\Program Files\42156.dat
[2010/04/17 16:28:10 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/17 15:53:33 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/04/17 15:06:02 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/04/17 14:41:31 | 000,009,732 | -HS- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\B8u2j7
[2010/04/17 14:41:31 | 000,009,732 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\B8u2j7
[2010/04/17 11:04:39 | 000,009,574 | -HS- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\3040322509
[2010/04/17 01:07:48 | 000,009,578 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\3040322509
[2010/04/16 23:34:17 | 000,004,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rdpcdd.sys
[2010/04/16 21:31:15 | 000,000,004 | ---- | M] () -- C:\Program Files\6413406.dat
[2010/04/16 21:31:15 | 000,000,004 | ---- | M] () -- C:\Program Files\6413296.dat
[2010/04/16 21:31:15 | 000,000,004 | ---- | M] () -- C:\Program Files\6413203.dat
[2010/04/16 21:31:15 | 000,000,004 | ---- | M] () -- C:\Program Files\6413031.dat
[2010/04/16 19:28:50 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/04/16 19:16:38 | 000,001,268 | -HS- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\IGI4W75
[2010/04/16 19:16:38 | 000,001,268 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\IGI4W75
[2010/04/14 12:47:23 | 000,038,848 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/04/14 12:47:03 | 000,153,184 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/04/14 12:37:30 | 000,102,736 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFW.sys
[2010/04/14 12:37:13 | 000,297,552 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2010/04/14 12:36:53 | 000,196,048 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswNdis2.sys
[2010/04/14 12:35:47 | 000,046,672 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/04/14 12:35:25 | 000,162,768 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/04/14 12:31:39 | 000,023,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/04/14 12:31:12 | 000,100,432 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/04/14 12:31:09 | 000,094,800 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/04/14 12:31:01 | 000,019,024 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/04/14 12:30:45 | 000,028,880 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/04/14 03:02:56 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/10 14:29:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/03/31 02:00:46 | 000,086,016 | ---- | M] (Beepa P/L) -- C:\WINDOWS\System32\frapsvid.dll
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/20 11:01:11 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/04/20 10:50:40 | 000,000,974 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-602162358-725345543-1003UA.job
[2010/04/20 10:50:39 | 000,000,922 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-602162358-725345543-1003Core.job
[2010/04/17 23:12:33 | 000,000,478 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Fraps.lnk
[2010/04/17 20:06:48 | 000,001,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Internet Security.lnk
[2010/04/17 17:18:58 | 000,000,004 | ---- | C] () -- C:\Program Files\42156.dat
[2010/04/17 16:34:57 | 000,008,704 | -HS- | C] () -- C:\Program Files\Thumbs.db
[2010/04/17 15:53:32 | 000,000,210 | ---- | C] () -- C:\Boot.bak
[2010/04/17 15:53:29 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/04/17 15:47:55 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/04/17 15:47:55 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/17 15:47:55 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/04/17 15:47:55 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/04/17 15:47:55 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/04/17 15:06:02 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/04/17 15:04:57 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/16 21:31:15 | 000,000,004 | ---- | C] () -- C:\Program Files\6413406.dat
[2010/04/16 21:31:15 | 000,000,004 | ---- | C] () -- C:\Program Files\6413296.dat
[2010/04/16 21:31:15 | 000,000,004 | ---- | C] () -- C:\Program Files\6413203.dat
[2010/04/16 21:31:15 | 000,000,004 | ---- | C] () -- C:\Program Files\6413031.dat
[2010/04/16 19:47:38 | 000,009,578 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3040322509
[2010/04/16 19:47:38 | 000,009,574 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\3040322509
[2010/04/16 19:22:01 | 000,009,732 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\B8u2j7
[2010/04/16 19:22:01 | 000,009,732 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\B8u2j7
[2010/04/16 19:16:32 | 000,001,268 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\IGI4W75
[2010/04/16 19:16:32 | 000,001,268 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\IGI4W75
[2010/04/11 15:46:12 | 000,000,882 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/11 15:46:12 | 000,000,878 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/03/23 10:29:30 | 000,000,284 | ---- | C] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/07/29 13:28:40 | 000,000,070 | ---- | C] () -- C:\WINDOWS\polite.ini
[2009/07/07 19:13:11 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/07/07 19:13:10 | 000,009,216 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/06/10 21:49:38 | 000,000,120 | ---- | C] () -- C:\WINDOWS\WINRESAZ.INI
[2009/06/10 20:51:16 | 000,000,151 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/05/24 22:32:27 | 000,002,516 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
[2009/05/24 22:32:27 | 000,000,008 | RHS- | C] () -- C:\Documents and Settings\All Users\Application Data\16071871B6.sys
[2009/05/24 19:42:36 | 000,005,018 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2009/05/24 19:42:36 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\16071871B6.sys
[2009/05/24 19:15:32 | 000,000,306 | ---- | C] () -- C:\Program Files\Shortcut to My Documents.lnk
[2009/05/22 21:47:28 | 000,000,000 | ---- | C] () -- C:\WINDOWS\lgfwup.ini
[2009/05/22 21:29:30 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/05/22 19:00:48 | 000,024,423 | ---- | C] () -- C:\Documents and Settings\User\CCCInstall_200905221900489687.log
[2009/05/22 15:26:41 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\User\ntuser.ini
[2009/05/22 15:26:40 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\User\ntuser.dat.LOG
[2009/05/22 15:26:39 | 006,291,456 | -H-- | C] () -- C:\Documents and Settings\User\NTUSER.DAT
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Custom Scans ==========


< :OTL >

< O4 - HKCU..\Run: [QZAIB7KITK] C:\WINDOWS\Xbeloa.exe File not found >

< C:\Program Files\6413406.dat >
[2010/04/16 21:31:15 | 000,000,004 | ---- | M] () -- C:\Program Files\6413406.dat

< [2010/04/16 21:31:15 | 000,000,004 | ---- | C] () -- C:\Program Files\6413296.dat >
Invalid Switch: 16 21:31:15 | 000,000,004 | ---- | C] () -- C:\Program Files\6413296.dat

< [2010/04/16 21:31:15 | 000,000,004 | ---- | C] () -- C:\Program Files\6413203.dat >
Invalid Switch: 16 21:31:15 | 000,000,004 | ---- | C] () -- C:\Program Files\6413203.dat


< [2010/04/16 21:31:15 | 000,000,004 | ---- | C] () -- C:\Program Files\6413031.dat >
Invalid Switch: 16 21:31:15 | 000,000,004 | ---- | C] () -- C:\Program Files\6413031.dat


< [2010/04/16 19:47:38 | 000,009,578 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3040322509 >
Invalid Switch: 16 19:47:38 | 000,009,578 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3040322509


< [2010/04/16 19:47:38 | 000,009,574 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\3040322509 >
Invalid Switch: 16 19:47:38 | 000,009,574 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\3040322509


< [2010/04/16 19:22:01 | 000,009,732 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\B8u2j7 >
Invalid Switch: 16 19:22:01 | 000,009,732 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\B8u2j7


< [2010/04/16 19:22:01 | 000,009,732 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\B8u2j7 >
Invalid Switch: 16 19:22:01 | 000,009,732 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\B8u2j7


< [2010/04/16 19:16:32 | 000,001,268 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\IGI4W75 >
Invalid Switch: 16 19:16:32 | 000,001,268 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\IGI4W75


< [2010/04/16 19:16:32 | 000,001,268 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\IGI4W75 >
Invalid Switch: 16 19:16:32 | 000,001,268 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\IGI4W75


========== Alternate Data Streams ==========

@Alternate Data Stream - 487 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:05EE1EEF

< End of report >


Re: Computer hijacked

Post by Belahzur on Tue Apr 20, 2010 3:17 pm

Hello.

Please re-read my fix instructions: you hit the Scan button again; this time, it's the Fix button.





Re: Computer hijacked

Post by AngelsElf on Tue Apr 20, 2010 6:35 pm

oops sorry -.-

========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\QZAIB7KITK deleted successfully.
C:\Program Files\6413296.dat moved successfully.
C:\Program Files\6413203.dat moved successfully.
C:\Program Files\6413031.dat moved successfully.
C:\Documents and Settings\All Users\Application Data\3040322509 moved successfully.
C:\Documents and Settings\User\Local Settings\Application Data\3040322509 moved successfully.
C:\Documents and Settings\User\Local Settings\Application Data\B8u2j7 moved successfully.
C:\Documents and Settings\All Users\Application Data\B8u2j7 moved successfully.
C:\Documents and Settings\User\Local Settings\Application Data\IGI4W75 moved successfully.
C:\Documents and Settings\All Users\Application Data\IGI4W75 moved successfully.

OTL by OldTimer - Version 3.2.1.1 log created on 04202010_143507


Re: Computer hijacked

Post by Belahzur on Tue Apr 20, 2010 7:33 pm

Hello.

Please download exeHelper from one of the two links.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Double-click on exeHelper.com or exeHelper.scr to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.





Re: Computer hijacked

Post by AngelsElf on Tue Apr 20, 2010 7:54 pm

exeHelper by Raktor
Build 20100414
Run at 15:53:47 on 04/20/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--


Re: Computer hijacked

Post by AngelsElf on Tue Apr 20, 2010 8:05 pm

Malwarebytes' Anti-Malware 1.45
[You must be registered and logged in to see this link.]

Database version: 4013

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/20/2010 4:03:59 PM
mbam-log-2010-04-20 (16-03-59).txt

Scan type: Quick scan
Objects scanned: 105665
Time elapsed: 7 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: Computer hijacked

Post by Belahzur on Tue Apr 20, 2010 9:58 pm

Okay, good work so far, we need to make sure this stays dead, so please re-run Combofix and get an updated log.





Re: Computer hijacked

Post by AngelsElf on Wed Apr 21, 2010 12:02 am

Okay, I ran Combofix. It put text in the log; I copied it, then my computer froze. I had to manually reboot the computer and the log was lost. I can't see that it automatically saved anywhere /sigh

It did remove some things, I saw that, but what they were I have no idea. What should I do now?

Sorry to be such a pain


Re: Computer hijacked

Post by Belahzur on Wed Apr 21, 2010 12:49 am

Try running it again.





Re: Computer hijacked

Post by AngelsElf on Wed Apr 21, 2010 3:57 am

As requested


ComboFix 10-04-19.08 - User 04/20/2010 23:36:50.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3199.2690 [GMT -4:00]
Running from: c:\geek police stuff\Combo-Fix.exe
AV: avast! Internet Security *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Internet Security *enabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-03-21 to 2010-04-21 )))))))))))))))))))))))))))))))
.

2010-04-20 19:55 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-20 19:55 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 18:35 . 2010-04-20 18:35 -------- d-----w- C:\_OTL
2010-04-18 00:02 . 2010-04-18 00:05 -------- d-----w- C:\Avast Stuff
2010-04-17 21:18 . 2010-04-17 21:18 4 ----a-w- c:\program files\42156.dat
2010-04-17 19:47 . 2010-04-17 19:53 -------- d-----w- C:\Combo-Fix
2010-04-17 19:06 . 2010-04-17 19:06 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-17 19:05 . 2010-04-17 19:05 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\avG
2010-04-17 19:05 . 2010-04-17 19:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-17 19:04 . 2010-04-19 06:28 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-17 19:01 . 2010-04-17 19:01 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-04-17 15:38 . 2010-04-21 03:30 -------- d-----w- C:\geek police stuff
2010-04-17 01:31 . 2010-04-17 01:31 4 ----a-w- c:\program files\6413406.dat
2010-04-16 23:24 . 2010-04-16 23:24 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\avG
2010-04-16 23:24 . 2010-04-16 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-14 23:25 . 2010-03-26 14:33 1496064 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-04-14 23:25 . 2010-03-26 14:33 43008 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-04-14 23:25 . 2010-03-26 14:33 339456 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-04-14 23:25 . 2010-03-26 14:32 346112 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-04-14 13:48 . 2010-04-14 13:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-04-11 19:46 . 2010-04-11 19:46 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-04-11 19:46 . 2010-04-11 19:47 -------- d-----w- c:\program files\Google
2010-04-10 20:12 . 2001-08-18 02:36 110621 -c--a-w- c:\windows\system32\dllcache\digirlpt.dll
2010-04-10 20:12 . 2001-08-18 02:36 110621 ----a-w- c:\windows\system32\digirlpt.dll
2010-04-10 20:12 . 2001-08-17 16:17 42432 -c--a-w- c:\windows\system32\dllcache\digirlpt.sys
2010-04-10 20:12 . 2001-08-17 16:17 42432 ----a-w- c:\windows\system32\drivers\digirlpt.sys
2010-04-07 19:05 . 2010-04-07 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-04-06 20:59 . 2010-04-17 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-03-31 06:00 . 2010-03-31 06:00 86016 ----a-w- c:\windows\system32\frapsvid.dll
2010-03-27 18:29 . 2010-03-27 18:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-03-23 14:30 . 2010-04-18 18:44 -------- d-----w- c:\program files\QuickTime
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\program files\Common Files\Apple
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Apple
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\program files\Apple Software Update
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-21 00:51 . 2009-05-25 02:32 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-04-21 00:51 . 2009-05-25 02:32 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-04-20 22:36 . 2010-04-17 20:34 8704 --sha-w- c:\program files\Thumbs.db
2010-04-20 19:55 . 2009-08-03 03:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-18 13:18 . 2009-05-23 01:43 -------- d-----w- c:\program files\Windows Defender
2010-04-18 00:11 . 2009-05-25 02:15 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-17 03:34 . 2004-08-04 12:00 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
2010-04-16 23:33 . 2009-07-07 02:02 -------- d-----w- c:\documents and settings\User\Application Data\Skype
2010-04-16 20:09 . 2009-07-07 02:12 -------- d-----w- c:\documents and settings\User\Application Data\skypePM
2010-04-14 16:47 . 2010-04-18 00:06 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-14 16:47 . 2010-04-18 00:06 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-14 16:37 . 2010-04-18 00:06 102736 ----a-w- c:\windows\system32\drivers\aswFW.sys
2010-04-14 16:37 . 2010-04-18 00:06 297552 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2010-04-14 16:36 . 2010-04-18 00:06 196048 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2010-04-14 16:35 . 2010-04-18 00:06 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-14 16:35 . 2010-04-18 00:06 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-14 16:31 . 2010-04-18 00:06 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-14 16:31 . 2010-04-18 00:06 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-04-14 16:31 . 2010-04-18 00:06 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-04-14 16:31 . 2010-04-18 00:06 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-14 16:30 . 2010-04-18 00:06 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-06 21:01 . 2009-05-23 01:31 -------- d-----w- c:\program files\Alwil Software
2010-03-20 20:46 . 2009-05-24 23:42 5018 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-03-19 14:27 . 2009-05-23 01:25 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-17 05:31 . 2010-03-17 05:31 -------- d-----w- c:\documents and settings\User\Application Data\CyberLink
2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 14:16 . 2009-10-02 17:20 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 13:11 . 2004-08-04 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 03:12 . 2009-05-25 01:40 -------- d-----w- c:\documents and settings\User\Application Data\SoapMakerData
2010-02-23 03:12 . 2010-02-23 03:12 -------- d-----w- c:\program files\SoapMaker3
2010-02-16 14:08 . 2004-08-04 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-04 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2009-05-20 03:49 . 2009-05-24 23:15 306 ----a-w- c:\program files\Shortcut to My Documents.lnk
2004-07-06 17:54 . 2007-05-22 20:10 1241088 ----a-w- c:\program files\PGE_PlugIn.8bf
1998-05-31 04:00 . 1998-05-31 04:00 295696 ----a-w- c:\program files\Common Files\MSJTOR35.DLL
2009-05-24 23:42 . 2009-05-24 23:42 88 --sh--r- c:\windows\system32\16071871B6.sys
.
c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl .exe
c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray .exe
c:\program files\Adobe\Adobe Bridge CS4\bridge .exe
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Common Files\Adobe\CS4ServiceManager\cs4servicemanager .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\QuickTime\qttask                  .exe
c:\program files\Windows Defender\msascui .exe

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-20 23:11 . 2010-04-20 23:11 16384 c:\windows\Temp\Perflib_Perfdata_904.dat
+ 2010-04-18 00:06 . 2010-01-09 20:22 12112 c:\windows\system32\drivers\aswNdis.sys
- 2009-10-26 04:12 . 2010-03-19 20:24 25214 c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000004}\_SC_Distiller.exe
+ 2009-10-26 04:12 . 2010-04-19 16:08 25214 c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000004}\_SC_Distiller.exe
+ 2009-10-26 04:12 . 2010-04-19 16:08 36294 c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000004}\_SC_Acrobat_Standard.exe
+ 2009-10-26 04:12 . 2010-04-19 16:08 38926 c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000004}\_SC_Acrobat_3D.exe
+ 2009-10-26 04:12 . 2010-04-19 16:08 38926 c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000004}\_SC_Acrobat.exe
- 2009-10-26 04:12 . 2010-03-19 20:24 7278 c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000004}\_SC_ELEMENTS_DT.exe
+ 2009-10-26 04:12 . 2010-04-19 16:08 7278 c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000004}\_SC_ELEMENTS_DT.exe
- 2009-10-26 04:12 . 2010-03-19 20:24 335872 c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000004}\SC_Designer_PFM.70DBED24_B579_40CB_AB0B_F1221A3E9EC5.exe
+ 2009-10-26 04:12 . 2010-04-19 16:08 335872 c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000004}\SC_Designer_PFM.70DBED24_B579_40CB_AB0B_F1221A3E9EC5.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\snxPluginsShell]
@="{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}"
[HKEY_CLASSES_ROOT\CLSID\{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}]
2010-04-14 16:33 140288 ----a-w- c:\program files\Alwil Software\Avast5\snxPlugins.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeBridge"="c:\program files\Adobe\Adobe Bridge CS4\Bridge.exe" [N/A]
"Google Update"="c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-04-11 136176]
"Fraps"="c:\fraps\FRAPS.EXE" [2010-03-31 2181040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-14 2790472]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [4/17/2010 8:06 PM 12112]
R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [4/17/2010 8:06 PM 196048]
R1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [4/17/2010 8:06 PM 102736]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/17/2010 8:06 PM 297552]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/17/2010 8:06 PM 162768]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 12:03 PM 169312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/17/2010 8:06 PM 19024]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 avast! Firewall;avast! Firewall;c:\program files\Alwil Software\Avast5\afwServ.exe [4/17/2010 8:06 PM 119200]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/11/2010 3:46 PM 136176]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 284016]
S3 DIGIRPS;Digi PortServer Driver;c:\windows\system32\drivers\digirlpt.sys [4/10/2010 4:12 PM 42432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-04-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-04-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 19:46]

2010-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 19:46]

2010-04-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-602162358-725345543-1003Core.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-20 19:46]

2010-04-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-602162358-725345543-1003UA.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-20 19:46]

2010-04-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\User\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nphssb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-04-20 23:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1016)
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(1312)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-20 23:56:11
ComboFix-quarantined-files.txt 2010-04-21 03:56
ComboFix2.txt 2010-04-20 23:06

Pre-Run: 101,749,780,480 bytes free
Post-Run: 101,714,477,056 bytes free

- - End Of File - - 36526A93ED6DAA697F335C571DC0CD05


Re: Computer hijacked

Post by Belahzur on Wed Apr 21, 2010 3:58 pm

Hello.

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    KILLALL::

    File::
    c:\program files\42156.dat
    c:\program files\6413406.dat

    RenV::
    c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl .exe
    c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray .exe
    c:\program files\Adobe\Adobe Bridge CS4\bridge .exe
    c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
    c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
    c:\program files\Common Files\Adobe\CS4ServiceManager\cs4servicemanager .exe
    c:\program files\Common Files\InstallShield\UpdateService\issch .exe
    c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
    c:\program files\Java\jre6\bin\jusched .exe
    c:\program files\QuickTime\qttask                  .exe
    c:\program files\Windows Defender\msascui .exe
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.





Re: Computer hijacked

Post by AngelsElf on Wed Apr 21, 2010 7:06 pm

As requested, and is there any way you can tell me if I missed copying and pasting these code lines?
c:\program files\QuickTime\qttask .exe
c:\program files\Windows Defender\msascui .exe

I am not sure I included them because I didn't see them till after I started everything.


ComboFix 10-04-21.01 - User 04/21/2010 14:39:38.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3199.2422 [GMT -4]
Running from: c:\geek police stuff\Combo-Fix.exe
Command switches used :: c:\geek police stuff\CFscript.txt
AV: avast! Internet Security *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Internet Security *disabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\program files\42156.dat"
"c:\program files\6413406.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\42156.dat
c:\program files\6413406.dat

.
((((((((((((((((((((((((( Files Created from 2010-03-21 to 2010-04-21 )))))))))))))))))))))))))))))))
.

2010-04-21 18:03 . 2010-04-21 18:31 -------- d-----w- C:\Combo-Fix11551C
2010-04-20 19:55 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-20 19:55 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 18:35 . 2010-04-20 18:35 -------- d-----w- C:\_OTL
2010-04-18 00:02 . 2010-04-18 00:05 -------- d-----w- C:\Avast Stuff
2010-04-17 19:47 . 2010-04-17 19:53 -------- d-----w- C:\Combo-Fix
2010-04-17 19:06 . 2010-04-17 19:06 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-17 19:05 . 2010-04-17 19:05 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\avG
2010-04-17 19:05 . 2010-04-17 19:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-17 19:04 . 2010-04-19 06:28 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-17 19:01 . 2010-04-17 19:01 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-04-17 15:38 . 2010-04-21 18:39 -------- d-----w- C:\geek police stuff
2010-04-16 23:24 . 2010-04-16 23:24 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\avG
2010-04-16 23:24 . 2010-04-16 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-14 13:48 . 2010-04-14 13:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-04-11 19:46 . 2010-04-11 19:46 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-04-11 19:46 . 2010-04-11 19:47 -------- d-----w- c:\program files\Google
2010-04-10 20:12 . 2001-08-18 02:36 110621 -c--a-w- c:\windows\system32\dllcache\digirlpt.dll
2010-04-10 20:12 . 2001-08-18 02:36 110621 ----a-w- c:\windows\system32\digirlpt.dll
2010-04-10 20:12 . 2001-08-17 16:17 42432 -c--a-w- c:\windows\system32\dllcache\digirlpt.sys
2010-04-10 20:12 . 2001-08-17 16:17 42432 ----a-w- c:\windows\system32\drivers\digirlpt.sys
2010-04-07 19:05 . 2010-04-07 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-04-06 20:59 . 2010-04-17 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-03-31 06:00 . 2010-03-31 06:00 86016 ----a-w- c:\windows\system32\frapsvid.dll
2010-03-27 18:29 . 2010-03-27 18:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-03-23 14:30 . 2010-04-18 18:44 -------- d-----w- c:\program files\QuickTime
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\program files\Common Files\Apple
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Apple
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\program files\Apple Software Update
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-21 18:39 . 2009-05-23 01:43 -------- d-----w- c:\program files\Windows Defender
2010-04-21 17:13 . 2009-05-25 02:32 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-04-21 17:13 . 2009-05-25 02:32 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-04-20 22:36 . 2010-04-17 20:34 8704 --sha-w- c:\program files\Thumbs.db
2010-04-20 19:55 . 2009-08-03 03:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-18 00:11 . 2009-05-25 02:15 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-17 03:34 . 2004-08-04 12:00 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
2010-04-16 23:33 . 2009-07-07 02:02 -------- d-----w- c:\documents and settings\User\Application Data\Skype
2010-04-16 20:09 . 2009-07-07 02:12 -------- d-----w- c:\documents and settings\User\Application Data\skypePM
2010-04-14 16:47 . 2010-04-18 00:06 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-14 16:47 . 2010-04-18 00:06 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-14 16:37 . 2010-04-18 00:06 102736 ----a-w- c:\windows\system32\drivers\aswFW.sys
2010-04-14 16:37 . 2010-04-18 00:06 297552 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2010-04-14 16:36 . 2010-04-18 00:06 196048 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2010-04-14 16:35 . 2010-04-18 00:06 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-14 16:35 . 2010-04-18 00:06 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-14 16:31 . 2010-04-18 00:06 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-14 16:31 . 2010-04-18 00:06 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-04-14 16:31 . 2010-04-18 00:06 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-04-14 16:31 . 2010-04-18 00:06 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-14 16:30 . 2010-04-18 00:06 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-06 21:01 . 2009-05-23 01:31 -------- d-----w- c:\program files\Alwil Software
2010-03-26 14:33 . 2010-04-14 23:25 1496064 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-03-26 14:33 . 2010-04-14 23:25 43008 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-03-26 14:33 . 2010-04-14 23:25 339456 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-03-26 14:32 . 2010-04-14 23:25 346112 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-03-20 20:46 . 2009-05-24 23:42 5018 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-03-19 14:27 . 2009-05-23 01:25 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-17 05:31 . 2010-03-17 05:31 -------- d-----w- c:\documents and settings\User\Application Data\CyberLink
2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 14:16 . 2009-10-02 17:20 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 13:11 . 2004-08-04 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 03:12 . 2009-05-25 01:40 -------- d-----w- c:\documents and settings\User\Application Data\SoapMakerData
2010-02-23 03:12 . 2010-02-23 03:12 -------- d-----w- c:\program files\SoapMaker3
2010-02-16 14:08 . 2004-08-04 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-04 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2009-05-20 03:49 . 2009-05-24 23:15 306 ----a-w- c:\program files\Shortcut to My Documents.lnk
2004-07-06 17:54 . 2007-05-22 20:10 1241088 ----a-w- c:\program files\PGE_PlugIn.8bf
1998-05-31 04:00 . 1998-05-31 04:00 295696 ----a-w- c:\program files\Common Files\MSJTOR35.DLL
2009-05-24 23:42 . 2009-05-24 23:42 88 --sh--r- c:\windows\system32\16071871B6.sys
.
Code:
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\snxPluginsShell]
@="{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}"
[HKEY_CLASSES_ROOT\CLSID\{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}]
2010-04-14 16:33 140288 ----a-w- c:\program files\Alwil Software\Avast5\snxPlugins.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeBridge"="c:\program files\Adobe\Adobe Bridge CS4\Bridge.exe" [2008-08-28 13145448]
"Google Update"="c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-04-11 136176]
"Fraps"="c:\fraps\FRAPS.EXE" [2010-03-31 2181040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-14 2790472]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-12-22 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-12-21 640440]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [4/17/2010 8:06 PM 12112]
R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [4/17/2010 8:06 PM 196048]
R1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [4/17/2010 8:06 PM 102736]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/17/2010 8:06 PM 297552]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/17/2010 8:06 PM 162768]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 12:03 PM 169312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/17/2010 8:06 PM 19024]
R2 avast! Firewall;avast! Firewall;c:\program files\Alwil Software\Avast5\afwServ.exe [4/17/2010 8:06 PM 119200]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/11/2010 3:46 PM 136176]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 284016]
S3 DIGIRPS;Digi PortServer Driver;c:\windows\system32\drivers\digirlpt.sys [4/10/2010 4:12 PM 42432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-04-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 19:46]

2010-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 19:46]

2010-04-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-602162358-725345543-1003Core.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-20 19:46]

2010-04-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-602162358-725345543-1003UA.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-20 19:46]

2010-04-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\User\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nphssb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-04-21 14:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1028)
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(3964)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\documents and settings\User\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
.
**************************************************************************
.
Completion time: 2010-04-21 15:04:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-21 19:04
ComboFix2.txt 2010-04-21 18:29
ComboFix3.txt 2010-04-21 03:56
ComboFix4.txt 2010-04-20 23:06

Pre-Run: 101,713,883,136 bytes free
Post-Run: 101,771,997,184 bytes free

- - End Of File - - C6031105B101C1BC418D08DC71DA4AE5


Re: Computer hijacked

Post by Belahzur on Wed Apr 21, 2010 9:19 pm

Hello.

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    KILLALL::

    RenV::
    c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe

    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe ARM"=-
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.





Re: Computer hijacked

Post by AngelsElf on Thu Apr 22, 2010 5:08 am

ComboFix 10-04-21.01 - User 04/22/2010 0:35.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3199.2628 [GMT -4:00]
Running from: c:\geek police stuff\Combo-Fix.exe
Command switches used :: c:\geek police stuff\CFscript.txt
AV: avast! Internet Security *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Internet Security *disabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-03-22 to 2010-04-22 )))))))))))))))))))))))))))))))
.

2010-04-21 19:12 . 2010-04-21 19:12 -------- d-----w- C:\Combo-Fix29733C
2010-04-21 18:03 . 2010-04-21 18:31 -------- d-----w- C:\Combo-Fix11551C
2010-04-20 19:55 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-20 19:55 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 18:35 . 2010-04-20 18:35 -------- d-----w- C:\_OTL
2010-04-18 00:02 . 2010-04-18 00:05 -------- d-----w- C:\Avast Stuff
2010-04-17 19:47 . 2010-04-17 19:53 -------- d-----w- C:\Combo-Fix
2010-04-17 19:06 . 2010-04-17 19:06 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-17 19:05 . 2010-04-17 19:05 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\avG
2010-04-17 19:05 . 2010-04-17 19:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-17 19:04 . 2010-04-19 06:28 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-17 19:01 . 2010-04-17 19:01 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-04-17 15:38 . 2010-04-22 04:34 -------- d-----w- C:\geek police stuff
2010-04-16 23:24 . 2010-04-16 23:24 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\avG
2010-04-16 23:24 . 2010-04-16 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-14 13:48 . 2010-04-14 13:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-04-11 19:46 . 2010-04-11 19:46 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-04-11 19:46 . 2010-04-11 19:47 -------- d-----w- c:\program files\Google
2010-04-10 20:12 . 2001-08-18 02:36 110621 -c--a-w- c:\windows\system32\dllcache\digirlpt.dll
2010-04-10 20:12 . 2001-08-18 02:36 110621 ----a-w- c:\windows\system32\digirlpt.dll
2010-04-10 20:12 . 2001-08-17 16:17 42432 -c--a-w- c:\windows\system32\dllcache\digirlpt.sys
2010-04-10 20:12 . 2001-08-17 16:17 42432 ----a-w- c:\windows\system32\drivers\digirlpt.sys
2010-04-07 19:05 . 2010-04-07 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-04-06 20:59 . 2010-04-17 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-03-31 06:00 . 2010-03-31 06:00 86016 ----a-w- c:\windows\system32\frapsvid.dll
2010-03-27 18:29 . 2010-03-27 18:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-03-23 14:30 . 2010-04-18 18:44 -------- d-----w- c:\program files\QuickTime
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\program files\Common Files\Apple
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Apple
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\program files\Apple Software Update
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-21 18:39 . 2009-05-23 01:43 -------- d-----w- c:\program files\Windows Defender
2010-04-21 17:13 . 2009-05-25 02:32 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-04-21 17:13 . 2009-05-25 02:32 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-04-20 22:36 . 2010-04-17 20:34 8704 --sha-w- c:\program files\Thumbs.db
2010-04-20 19:55 . 2009-08-03 03:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-18 00:11 . 2009-05-25 02:15 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-17 03:34 . 2004-08-04 12:00 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
2010-04-16 23:33 . 2009-07-07 02:02 -------- d-----w- c:\documents and settings\User\Application Data\Skype
2010-04-16 20:09 . 2009-07-07 02:12 -------- d-----w- c:\documents and settings\User\Application Data\skypePM
2010-04-14 16:47 . 2010-04-18 00:06 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-14 16:47 . 2010-04-18 00:06 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-14 16:37 . 2010-04-18 00:06 102736 ----a-w- c:\windows\system32\drivers\aswFW.sys
2010-04-14 16:37 . 2010-04-18 00:06 297552 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2010-04-14 16:36 . 2010-04-18 00:06 196048 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2010-04-14 16:35 . 2010-04-18 00:06 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-14 16:35 . 2010-04-18 00:06 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-14 16:31 . 2010-04-18 00:06 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-14 16:31 . 2010-04-18 00:06 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-04-14 16:31 . 2010-04-18 00:06 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-04-14 16:31 . 2010-04-18 00:06 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-14 16:30 . 2010-04-18 00:06 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-06 21:01 . 2009-05-23 01:31 -------- d-----w- c:\program files\Alwil Software
2010-03-26 14:33 . 2010-04-14 23:25 1496064 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-03-26 14:33 . 2010-04-14 23:25 43008 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-03-26 14:33 . 2010-04-14 23:25 339456 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-03-26 14:32 . 2010-04-14 23:25 346112 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-03-20 20:46 . 2009-05-24 23:42 5018 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-03-19 14:27 . 2009-05-23 01:25 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-17 05:31 . 2010-03-17 05:31 -------- d-----w- c:\documents and settings\User\Application Data\CyberLink
2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 14:16 . 2009-10-02 17:20 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 13:11 . 2004-08-04 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 03:12 . 2009-05-25 01:40 -------- d-----w- c:\documents and settings\User\Application Data\SoapMakerData
2010-02-23 03:12 . 2010-02-23 03:12 -------- d-----w- c:\program files\SoapMaker3
2010-02-16 14:08 . 2004-08-04 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-04 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2009-05-20 03:49 . 2009-05-24 23:15 306 ----a-w- c:\program files\Shortcut to My Documents.lnk
2004-07-06 17:54 . 2007-05-22 20:10 1241088 ----a-w- c:\program files\PGE_PlugIn.8bf
1998-05-31 04:00 . 1998-05-31 04:00 295696 ----a-w- c:\program files\Common Files\MSJTOR35.DLL
2009-05-24 23:42 . 2009-05-24 23:42 88 --sh--r- c:\windows\system32\16071871B6.sys
.
Code:
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\snxPluginsShell]
@="{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}"
[HKEY_CLASSES_ROOT\CLSID\{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}]
2010-04-14 16:33 140288 ----a-w- c:\program files\Alwil Software\Avast5\snxPlugins.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeBridge"="c:\program files\Adobe\Adobe Bridge CS4\Bridge.exe" [2008-08-28 13145448]
"Google Update"="c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-04-11 136176]
"Fraps"="c:\fraps\FRAPS.EXE" [2010-03-31 2181040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-14 2790472]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-12-22 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-12-21 640440]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [4/17/2010 8:06 PM 12112]
R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [4/17/2010 8:06 PM 196048]
R1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [4/17/2010 8:06 PM 102736]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/17/2010 8:06 PM 297552]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/17/2010 8:06 PM 162768]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 12:03 PM 169312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/17/2010 8:06 PM 19024]
R2 avast! Firewall;avast! Firewall;c:\program files\Alwil Software\Avast5\afwServ.exe [4/17/2010 8:06 PM 119200]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/11/2010 3:46 PM 136176]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 284016]
S3 DIGIRPS;Digi PortServer Driver;c:\windows\system32\drivers\digirlpt.sys [4/10/2010 4:12 PM 42432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-04-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 19:46]

2010-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 19:46]

2010-04-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-602162358-725345543-1003Core.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-20 19:46]

2010-04-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-602162358-725345543-1003UA.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-20 19:46]

2010-04-22 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\User\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nphssb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-04-22 00:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1028)
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(2136)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\documents and settings\User\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
.
**************************************************************************
.
Completion time: 2010-04-22 01:06:48 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-22 05:06
ComboFix2.txt 2010-04-21 19:46
ComboFix3.txt 2010-04-21 19:04
ComboFix4.txt 2010-04-21 18:29
ComboFix5.txt 2010-04-22 04:29

Pre-Run: 101,790,699,520 bytes free
Post-Run: 101,805,592,576 bytes free

- - End Of File - - C9F6AA75F0219AFF2304430018BFBB6C


Re: Computer hijacked

Post by Belahzur on Thu Apr 22, 2010 6:16 pm

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :files
    c:\program files\Common Files\Adobe\ARM\1.0\adobearm.exe


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.



Re: Computer hijacked

Post by AngelsElf on Thu Apr 22, 2010 6:19 pm

========== FILES ==========
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe moved successfully.

OTM by OldTimer - Version 3.1.10.2 log created on 04222010_141844


Re: Computer hijacked

Post by Belahzur on Thu Apr 22, 2010 6:40 pm

Okay, now locate this file:

c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe

Remove the space between the M and the .



Re: Computer hijacked

Post by AngelsElf on Thu Apr 22, 2010 8:07 pm

Okay I see it in my system, do you mean just rename it by removing the space between the M and the . ?

AngelsElf
Intermediate
Intermediate

Posts Posts : 101
Joined Joined : 2008-12-07
OS OS : Windows XP
Points Points : 30347
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Computer hijacked

Post by Belahzur on Fri Apr 23, 2010 12:21 am

Yes, there is an extra space there, so remove it.


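The file the helper points at in the two posts above, adobearm .exe, differs from the legitimate AdobeARM.exe only by a space in front of the extension; in a long file listing that is easy to miss by eye. The following script is an added example and is not part of the thread or of ComboFix or OTM: it pulls the paths out of listing lines in the same layout ComboFix prints (date . date size attrs path, or a bare path), flags any basename with whitespace immediately before its extension, and flags pairs of names in one directory that collide once case and whitespace are ignored. The sample listing is constructed for the example; the line with AdobeARM.exe beside the spaced name is an assumption, added to show the sibling check, and directory names that legitimately contain spaces (Program Files, Apple Software Update) are deliberately included so the reader can see they are not reported.

```python
import re
from collections import defaultdict

# Constructed sample in the ComboFix listing layout seen in the thread.
# The AdobeARM.exe line is assumed here to demonstrate the sibling check.
SAMPLE_LISTING = """\
2010-04-17 19:06 . 2010-04-17 19:06 552 ----a-w- c:\\windows\\system32\\d3d8caps.dat
2010-04-14 16:47 . 2010-04-18 00:06 38848 ----a-w- c:\\windows\\system32\\avastSS.scr
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\\program files\\Apple Software Update
2010-03-19 14:27 . 2009-05-23 01:25 -------- d-----w- c:\\program files\\Common Files\\Adobe
c:\\program files\\Common Files\\Adobe\\ARM\\1.0\\adobearm .exe
c:\\program files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe
"""

# "2010-04-17 19:06 . 2010-04-17 19:06 552 ----a-w- <path>"; size may be "--------"
ENTRY_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+?)\s*$"
)
# A line that is nothing but a drive-letter path, as in the "Code:" block
BARE_PATH_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s*$")


def extract_paths(listing):
    """Return the path field of every line that looks like a listing entry."""
    paths = []
    for line in listing.splitlines():
        m = ENTRY_RE.match(line) or BARE_PATH_RE.match(line)
        if m:
            paths.append(m.group("path"))
    return paths


def split_path(path):
    """Split a Windows path into (directory, basename)."""
    directory, _, name = path.rpartition("\\")
    return directory, name


def has_space_before_extension(name):
    """True for names such as 'adobearm .exe'; names without an extension are never flagged."""
    stem, dot, _ext = name.rpartition(".")
    return bool(dot) and stem != stem.rstrip()


def normalized(name):
    """Case-fold and drop all whitespace so lookalike names compare equal."""
    return re.sub(r"\s+", "", name).lower()


def find_suspicious(paths):
    """Return [(path, [reasons])] for names that warrant a closer look."""
    by_key = defaultdict(list)
    for p in paths:
        d, name = split_path(p)
        by_key[(d.lower(), normalized(name))].append(p)

    findings = []
    for p in paths:
        d, name = split_path(p)
        reasons = []
        if has_space_before_extension(name):
            reasons.append("whitespace before the extension")
        # Other entries in the same directory whose name collides with this one
        # once whitespace and case are ignored (a case-only difference is the same file).
        siblings = [q for q in by_key[(d.lower(), normalized(name))]
                    if split_path(q)[1].lower() != name.lower()]
        if siblings:
            reasons.append("collides with " + ", ".join(split_path(q)[1] for q in siblings))
        if reasons:
            findings.append((p, reasons))
    return findings


def report(listing):
    """One line per finding, ready to paste into a reply."""
    return ["%s: %s" % (p, "; ".join(r)) for p, r in find_suspicious(extract_paths(listing))]


if __name__ == "__main__":
    for line in report(SAMPLE_LISTING):
        print(line)
```

Run against a saved ComboFix or OTL log, the script prints only the colliding pair, which is exactly the entry the helper asked about; the directories with spaces in their names produce no output because only whitespace in the basename, directly before the extension, is treated as a signal.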

Re: Computer hijacked

Post by AngelsElf on Fri Apr 23, 2010 12:51 am

done as requested


Re: Computer hijacked

Post by Belahzur on Fri Apr 23, 2010 12:56 am

Okay, next.

Run ESET Online Scan
Please do an online scan with [You must be registered and logged in to see this link.]. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.



Re: Computer hijacked

Post by AngelsElf on Fri Apr 23, 2010 3:47 pm

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=1
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=85c3d03e9a417645bc8a5d401379b993
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-04-23 06:57:18
# local_time=2010-04-23 02:57:18 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 22017837 22017837 0 0
# compatibility_mode=768 16777191 100 0 1319302 1319302 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=298363
# found=1
# cleaned=1
# scan_time=8827
C:\Qoobox\Quarantine\C\Documents and Settings\User\Local Settings\Application Data\ave.exe.vir a variant of Win32/Kryptik.DSW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=85c3d03e9a417645bc8a5d401379b993
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-04-23 12:30:53
# local_time=2010-04-23 08:30:53 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 22031417 22031417 0 0
# compatibility_mode=768 16777191 100 0 1336482 1336482 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=298369
# found=0
# cleaned=0
# scan_time=15262


Re: Computer hijacked

Post by Belahzur on Fri Apr 23, 2010 3:57 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?



Re: Computer hijacked

Post by AngelsElf on Mon Apr 26, 2010 10:09 pm

Thank you so much my computer seems to be working just fine thanks to you guys.

You guys rock Hooray!

