Rootkit Win32:Bubnix-H


Post by iDhitz on Sat 24 Jul 2010, 2:53 pm

Received a pop-up from avast! saying that it found Win32:Bubnix-H [RtK] and asking me if I wanted to delete it. I clicked yes but still receive the same message every so often. I am unable to connect to the internet and the avast! mail scanner icon shows up in my system tray at random times.

OTL

OTL logfile created on: 2010-07-23 5:21:42 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = F:\
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: yyyy-MM-dd

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 74.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 2500 2500 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 298.09 Gb Total Space | 108.69 Gb Free Space | 36.46% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 4.27 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
Drive F: | 3.74 Gb Total Space | 3.74 Gb Free Space | 99.95% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: EXPLICIT
Current User Name: HP_Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010-07-23 04:37:06 | 000,574,976 | ---- | M] (OldTimer Tools) -- F:\OTL.exe
PRC - [2010-07-22 20:08:44 | 000,219,537 | ---- | M] () -- C:\WINDOWS\szetyj67v.exe
PRC - [2010-06-09 17:46:50 | 000,116,104 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe
PRC - [2010-06-09 17:45:59 | 000,378,248 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LMIGuardian.exe
PRC - [2009-11-24 13:51:40 | 000,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009-11-24 13:51:35 | 000,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009-11-24 13:51:21 | 000,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009-11-24 13:48:48 | 000,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009-11-24 13:43:56 | 000,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009-02-27 01:06:42 | 000,160,592 | ---- | M] (Siber Systems) -- C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
PRC - [2008-08-11 12:41:00 | 000,063,040 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe
PRC - [2008-07-07 15:12:42 | 000,600,680 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2008-04-13 14:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005-09-21 10:24:02 | 000,086,016 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE


========== Modules (SafeList) ==========

MOD - [2010-07-23 04:37:06 | 000,574,976 | ---- | M] (OldTimer Tools) -- F:\OTL.exe
MOD - [2008-07-07 15:11:06 | 000,073,728 | ---- | M] (Broadcom Corporation.) -- C:\WINDOWS\system32\BtMmHook.dll
MOD - [2008-04-13 14:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\P.exe -- (P)
SRV - File not found [Disabled | Stopped] -- C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\E.exe -- (E)
SRV - [2010-07-22 20:08:44 | 000,219,537 | ---- | M] () [Auto | Running] -- C:\WINDOWS\szetyj67v.exe -- (NetLog)
SRV - [2010-06-09 17:46:50 | 000,116,104 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\RaMaint.exe -- (LMIMaint)
SRV - [2009-11-24 13:51:35 | 000,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009-11-24 13:51:21 | 000,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009-11-24 13:48:48 | 000,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009-11-24 13:43:56 | 000,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2009-11-17 12:19:02 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009-08-05 22:48:42 | 000,704,864 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe -- (fsssvc)
SRV - [2009-04-28 10:06:06 | 001,195,008 | ---- | M] (Agnitum Ltd.) [Auto | Running] -- C:\Program Files\Agnitum\Outpost Firewall\acs.exe -- (acssrv)
SRV - [2009-03-30 16:28:36 | 001,533,808 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
SRV - [2008-09-09 13:49:52 | 000,906,504 | ---- | M] (Raxco Software, Inc.) [On_Demand | Stopped] -- C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe -- (PD91Engine)
SRV - [2008-09-09 13:49:50 | 000,693,512 | ---- | M] (Raxco Software, Inc.) [On_Demand | Stopped] -- C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe -- (PD91Agent)
SRV - [2008-08-11 12:41:00 | 000,063,040 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
SRV - [2006-08-10 04:11:14 | 000,057,344 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe -- (Roxio UPnP Renderer 9)
SRV - [2006-08-10 04:10:50 | 000,294,912 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe -- (Roxio Upnp Server 9)
SRV - [1998-06-06 00:00:00 | 000,034,036 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Visual Studio\COMMON\Tools\VS-Ent98\Vanalyzr\VARPC.EXE -- (Visual Studio Analyzer RPC bridge)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\windows\System32\Drivers\usbaapl.sys -- (USBAAPL)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\windows\System32\DRIVERS\MRVW245.sys -- (MRVW245)
DRV - File not found [Kernel | On_Demand | Running] -- C:\windows\System32\3.tmp -- (MEMSWEEP2)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\Linksys\WMP300N\GTNDIS5.SYS -- (GTNDIS5)
DRV - File not found [Kernel | Boot | Stopped] -- C:\windows\System32\DRIVERS\ftsata2.sys -- (ftsata2)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2010-06-09 17:46:06 | 000,083,360 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\windows\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2010-01-13 21:02:54 | 000,014,848 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sscdmdfl.sys -- (sscdmdfl)
DRV - [2010-01-13 21:02:52 | 000,123,648 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sscdmdm.sys -- (sscdmdm)
DRV - [2010-01-13 21:02:52 | 000,098,560 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sscdbus.sys -- (sscdbus) SAMSUNG USB Composite Device driver (WDM)
DRV - [2009-11-24 13:50:59 | 000,094,160 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\windows\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2009-11-24 13:50:12 | 000,114,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\windows\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2009-11-24 13:50:00 | 000,020,560 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2009-11-24 13:49:07 | 000,048,560 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2009-11-24 13:48:57 | 000,023,120 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\windows\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2009-11-24 13:47:54 | 000,027,408 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\windows\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2009-08-05 22:48:42 | 000,054,752 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
DRV - [2009-04-06 11:37:12 | 000,704,384 | ---- | M] (Agnitum Ltd.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SandBox.sys -- (SandBox)
DRV - [2009-03-25 06:29:52 | 000,130,432 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2009-03-10 04:57:35 | 000,163,712 | ---- | M] () [Kernel | Boot | Stopped] -- C:\windows\System32\drivers\vidstub.sys -- (BootScreen)
DRV - [2009-02-24 18:42:14 | 000,116,736 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mcdbus.sys -- (mcdbus)
DRV - [2009-02-18 17:30:56 | 000,031,128 | ---- | M] (Agnitum Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afw.sys -- (afw)
DRV - [2009-02-10 16:15:42 | 000,257,432 | ---- | M] (Agnitum Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afwcore.sys -- (afwcore)
DRV - [2008-08-28 13:16:40 | 000,071,184 | ---- | M] (Raxco Software, Inc.) [File_System | Auto | Running] -- C:\windows\System32\drivers\DefragFS.sys -- (DefragFS)
DRV - [2008-08-11 12:41:00 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2008-08-11 12:41:00 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2008-07-23 23:37:04 | 000,047,272 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2008-06-23 15:59:08 | 000,991,400 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2008-06-20 01:08:27 | 000,225,856 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2008-05-29 17:46:12 | 000,534,568 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2008-04-13 08:56:06 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2008-04-13 08:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008-04-13 06:36:05 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008-03-10 00:18:42 | 000,057,384 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwhid.sys -- (btwhid)
DRV - [2008-02-03 23:57:44 | 000,037,160 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2007-12-28 07:02:12 | 000,287,232 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wg111v3.sys -- (RTL8187B)
DRV - [2007-10-10 17:41:50 | 000,042,112 | ---- | M] (Motorola Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motodrv.sys -- (MotDev)
DRV - [2007-09-19 17:59:14 | 000,156,392 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2007-06-18 15:18:26 | 000,023,680 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem)
DRV - [2007-04-09 02:27:07 | 000,031,548 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\windows\System32\drivers\scdemu.sys -- (SCDEmu)
DRV - [2006-09-24 03:28:46 | 000,005,248 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | Boot | Running] -- C:\windows\system32\speedfan.sys -- (speedfan)
DRV - [2006-08-09 04:30:42 | 000,050,688 | ---- | M] (Sonic Solutions) [File_System | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\RxFilter.sys -- (RxFilter)
DRV - [2006-08-08 09:18:50 | 000,009,432 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM)
DRV - [2006-08-08 09:18:28 | 000,035,128 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2006-08-08 09:18:26 | 000,097,880 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2006-08-08 09:18:26 | 000,094,680 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2006-08-08 09:18:24 | 000,026,136 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2006-08-08 09:18:22 | 000,032,504 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2006-08-08 09:18:20 | 000,104,504 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2006-08-08 09:18:20 | 000,014,552 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2006-08-04 08:37:28 | 000,099,208 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\windows\system32\drivers\drvmcdb.sys -- (drvmcdb)
DRV - [2006-08-01 20:06:20 | 000,012,952 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2006-08-01 20:06:18 | 000,028,216 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2006-08-01 19:46:34 | 000,051,800 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2006-07-07 14:24:24 | 000,564,224 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2006-01-07 12:09:50 | 000,007,548 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Samhid.sys -- (samhid)
DRV - [2005-09-23 18:56:28 | 003,966,976 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2005-03-09 15:09:18 | 000,870,912 | ---- | M] (Intel Corporation) [Kernel | Boot | Stopped] -- C:\windows\system32\DRIVERS\iaStor.sys -- (iaStor)
DRV - [2005-01-07 21:07:16 | 000,145,920 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Hdaudio.sys -- (HdAudAddService)
DRV - [2004-12-15 12:18:32 | 000,220,928 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2004-12-15 12:18:28 | 000,703,232 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004-12-15 12:18:26 | 001,038,208 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2004-08-10 09:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2004-08-10 09:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2004-08-04 02:41:36 | 000,606,684 | ---- | M] (LT) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ltmdmnt.sys -- (ltmodem5)
DRV - [2004-08-04 02:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2003-11-06 23:50:00 | 000,014,092 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LCcfltr.sys -- (LCcfltr)
DRV - [1996-04-03 09:33:26 | 000,005,248 | ---- | M] () [Kernel | Boot | Running] -- C:\windows\system32\giveio.sys -- (giveio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5643

========== FireFox ==========

FF - prefs.js..browser.search.defaulturl: "http://flvdirect.iamwired.net/websearch.php?src=tops&search="
FF - prefs.js..browser.search.order.1: "Google"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://tmq.bingstart.com/?cfg=2-168-0-14y04"
FF - prefs.js..extensions.enabledItems: {22119944-ED35-4ab1-910B-E619EA06A115}:6.9.96
FF - prefs.js..extensions.enabledItems: FasterFox_Lite@BigRedBrent:3.8.2Lite
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20100211.5
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..extensions.enabledItems: {BBF2A085-5D02-4E75-8960-8312166AE2CA}:1.9.1
FF - prefs.js..extensions.enabledItems: {7b13ec3e-999a-4b70-b9cb-2617b8323822}:2.5.8.6
FF - prefs.js..extensions.enabledItems: {e2c58150-9d72-11dd-ad8b-0800200c9a66}:1.3.1
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:0.6.20100207
FF - prefs.js..keyword.URL: "http://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJman000&fl=0&ptb=.ZqatOVHZw2NkMiVVsTJ0A&url=http://search.mywebsearch.com/mywebsearch/GGmain.jhtml&st=kwd&n=77c0c861&searchfor="
FF - prefs.js..sweetim.toolbar.previous.keyword.URL: "chrome://browser-region/locale/region.properties"

FF - user.js..browser.search.selectedEngine: "Google"
FF - user.js..browser.search.order.1: "Google"
FF - user.js..keyword.URL: "http://search.search-star.net/?sid=10101038100&s="

FF - HKLM\software\mozilla\Firefox\Extensions\\{22119944-ED35-4ab1-910B-E619EA06A115}: C:\Program Files\Siber Systems\AI RoboForm\Firefox [2009-02-27 01:07:01 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{BBF2A085-5D02-4E75-8960-8312166AE2CA}: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\{BBF2A085-5D02-4E75-8960-8312166AE2CA} [2010-07-22 20:10:09 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.11\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010-07-23 00:31:07 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.11\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010-07-23 00:31:07 | 000,000,000 | ---D | M]

[2009-09-26 21:55:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Extensions
[2010-06-29 04:58:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\88b0jld6.MW2\extensions
[2010-03-10 10:35:56 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\88b0jld6.MW2\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010-03-10 10:39:02 | 000,000,000 | ---D | M] (AI Roboform Toolbar for Firefox) -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\88b0jld6.MW2\extensions\{22119944-ED35-4ab1-910B-E619EA06A115}
[2010-06-29 04:44:04 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\88b0jld6.MW2\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2010-06-26 11:58:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\eo6tdafs.default\extensions
[2009-09-26 22:04:06 | 000,000,000 | ---D | M] (AI Roboform Toolbar for Firefox) -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\eo6tdafs.default\extensions\{22119944-ED35-4ab1-910B-E619EA06A115}
[2009-11-28 07:44:30 | 000,000,000 | ---D | M] (Flashblock) -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\eo6tdafs.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
[2009-09-26 23:23:21 | 000,000,000 | ---D | M] (IE Tab) -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\eo6tdafs.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}
[2010-05-20 08:44:12 | 000,000,000 | ---D | M] (Zynga Toolbar) -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\eo6tdafs.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
[2009-11-16 21:21:03 | 000,000,000 | ---D | M] (Black Steel) -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\eo6tdafs.default\extensions\{e2c58150-9d72-11dd-ad8b-0800200c9a66}
[2010-02-19 11:39:52 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\eo6tdafs.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2009-10-21 17:53:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\eo6tdafs.default\extensions\FasterFox_Lite@BigRedBrent
[2010-02-19 11:39:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\eo6tdafs.default\extensions\nasanightlaunch@example.com
[2010-07-22 18:35:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\mfa8b2hn.MW1\extensions
[2010-06-27 21:39:59 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\mfa8b2hn.MW1\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010-03-08 22:06:54 | 000,000,000 | ---D | M] (AI Roboform Toolbar for Firefox) -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\mfa8b2hn.MW1\extensions\{22119944-ED35-4ab1-910B-E619EA06A115}
[2010-05-18 23:59:49 | 000,000,000 | ---D | M] (Zynga Toolbar) -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\mfa8b2hn.MW1\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
[2010-06-27 21:39:51 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\mfa8b2hn.MW1\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2010-05-09 09:52:56 | 000,001,949 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\eo6tdafs.default\searchplugins\bing-zugo.xml
[2009-12-21 00:08:59 | 000,002,179 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\eo6tdafs.default\searchplugins\inbox-search.xml
[2009-12-29 12:54:10 | 000,009,977 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\eo6tdafs.default\searchplugins\mywebsearch.xml
[2009-11-29 16:43:10 | 000,003,915 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\eo6tdafs.default\searchplugins\sweetim.xml
[2009-11-29 17:24:02 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009-09-21 12:24:16 | 000,001,329 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\crawlersrch.xml
[2010-07-22 01:17:34 | 000,002,076 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google_search.xml

O1 HOSTS File: ([2008-09-13 17:11:30 | 000,264,036 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 9157 more lines...
O2 - BHO: (Zynga Toolbar) - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKLM\..\Toolbar: (Zynga Toolbar) - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (@msdxmLC.dll,-1@1033,&Radio) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Documents and Settings\HP_Administrator\My Documents\Unzipped\A Simple A264019142001\Alarm Clock\MSDXM.OCX ()
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Zynga Toolbar) - {7B13EC3E-999A-4B70-B9CB-2617B8323822} - C:\Program Files\Zynga\tbZyng.dll (Conduit Ltd.)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [BootSkin Startup Jobs] C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe ()
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [OutpostMonitor] C:\Program Files\Agnitum\Outpost Firewall\op_mon.exe (Agnitum Ltd.)
O4 - HKLM..\Run: [SoundMan] C:\windows\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKCU..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (Siber Systems)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonscripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffscripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonscriptSync = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupscriptSync = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupscripts = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoUserNameInStartMenu = 01 00 00 00 [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 01 00 00 00 [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoNetworkConnections = 01 00 00 00 [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonscripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffscripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupscripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonscriptSync = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupscriptSync = 0
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Customize Menu - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html ()
O8 - Extra context menu item: Fill Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O8 - Extra context menu item: RoboForm Toolbar - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O8 - Extra context menu item: Save Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra Button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra 'Tools' menuitem : RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
O9 - Extra 'Tools' menuitem : Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
O9 - Extra Button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - Reg Error: Value error. File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O15 - HKCU\..Trusted Domains: live.com ([onecare] http in Trusted sites)
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} [You must be registered and logged in to see this link.] (ScrabbleCubes Control)
O16 - DPF: {038E2507-7A48-41E2-94AD-7F23D199AF4E} [You must be registered and logged in to see this link.] (ZenGems Control)
O16 - DPF: {04063354-A10E-4427-A1EC-F3CC81587BC6} [You must be registered and logged in to see this link.] (Mines Control)
O16 - DPF: {0B195D55-0AB4-48C7-828F-34BE10BA4266} [You must be registered and logged in to see this link.] (DealOrNoDeal Control)
O16 - DPF: {13EB7AC8-4811-461C-8581-89650F3D716B} [You must be registered and logged in to see this link.] (WallOfFame Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} [You must be registered and logged in to see this link.] (Shockwave ActiveX Control)
O16 - DPF: {18C3FD15-74F6-4280-9C98-3590C966B7B8} [You must be registered and logged in to see this link.] (SkillGam Control)
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} [You must be registered and logged in to see this link.] (FunGamesLoader Object)
O16 - DPF: {1D082E71-DF20-4AAF-863B-596428C49874} [You must be registered and logged in to see this link.] (TPIR Control)
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} [You must be registered and logged in to see this link.] (Brickout Control)
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} [You must be registered and logged in to see this link.] (Pool Control)
O16 - DPF: {3D3DBC64-0D21-4EA4-94EE-86D6D9B31C0C} [You must be registered and logged in to see this link.] (MoneyList Control)
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} [You must be registered and logged in to see this link.] (Jigsaw Genius Control)
O16 - DPF: {42FDC231-A411-45F8-B8B6-3B5026111DA8} [You must be registered and logged in to see this link.] (SolitaireRush Control)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} [You must be registered and logged in to see this link.] (MySpace Uploader Control)
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} [You must be registered and logged in to see this link.] (SysData Class)
O16 - DPF: {4AB16005-E995-4A60-89DE-8B8A3E6EB5B0} [You must be registered and logged in to see this link.] (TrivialPursuit Control)
O16 - DPF: {555F1BBC-6EC2-474F-84AF-633EF097FF54} [You must be registered and logged in to see this link.] (WWHearts Control)
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} [You must be registered and logged in to see this link.] (BJA Control)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} [You must be registered and logged in to see this link.] (Windows Live Safety Center Base Module)
O16 - DPF: {61900274-3323-4446-BDCD-91548D32AF1B} [You must be registered and logged in to see this link.] (SpiderSolitaire Control)
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} [You must be registered and logged in to see this link.] (Blockwerx Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} [You must be registered and logged in to see this link.] (WUWebControl Class)
O16 - DPF: {64CD313F-F079-4D93-959F-4D28B5519449} [You must be registered and logged in to see this link.] (Jeopardy Control)
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class)
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} [You must be registered and logged in to see this link.] (FreeCell Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} [You must be registered and logged in to see this link.] (MUWebControl Class)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} [You must be registered and logged in to see this link.] (HP Download Manager)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} [You must be registered and logged in to see this link.] (GMNRev Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} [You must be registered and logged in to see this link.] (Facebook Photo Uploader 5 Control)
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} [You must be registered and logged in to see this link.] (Wwlaunch Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_16)
O16 - DPF: {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} [You must be registered and logged in to see this link.] (WorldWinner ActiveX Launcher Control)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} [You must be registered and logged in to see this link.] (WordMojo Control)
O16 - DPF: {95A311CD-EC8E-452A-BCEC-B844EB616D03} [You must be registered and logged in to see this link.] (BejeweledTwist Control)
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} [You must be registered and logged in to see this link.] (Cubis Control)
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} [You must be registered and logged in to see this link.] (Sol Control)
O16 - DPF: {A021A215-6CDC-44B4-8C16-90491CED9605} [You must be registered and logged in to see this link.] (Clue Control)
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} [You must be registered and logged in to see this link.] (WoF Control)
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} [You must be registered and logged in to see this link.] (FujifilmUploader Class)
O16 - DPF: {A91FB93D-7561-4524-8484-5C27C8FA8D42} [You must be registered and logged in to see this link.] (WwLuxor Control)
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} [You must be registered and logged in to see this link.] (SwapIt Control)
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} [You must be registered and logged in to see this link.] (Hangman Control)
O16 - DPF: {B6FA2311-5F85-47D3-B885-7055340FC740} [You must be registered and logged in to see this link.] (GrandSlamTrivia Control)
O16 - DPF: {BA35B9B8-DE9E-47C9-AFA7-3C77E3DDFD39} [You must be registered and logged in to see this link.] (Monopoly Control)
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} [You must be registered and logged in to see this link.] (Tilecity Control)
O16 - DPF: {BB637307-92FA-47EC-B3F7-6969078673CC} [You must be registered and logged in to see this link.] (Royal Control)
O16 - DPF: {C5326A4D-E9AA-40AD-A09A-E74304D86B47} [You must be registered and logged in to see this link.] (DinerDash Control)
O16 - DPF: {C738EA53-97C2-441B-AC52-DFBC597BCBE5} [You must be registered and logged in to see this link.] (Chess Control)
O16 - DPF: {C82BB209-F528-46F9-96D5-69DEF7260916} [You must be registered and logged in to see this link.] (MysteryPI Control)
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} [You must be registered and logged in to see this link.] (Paint Control)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_16)
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} [You must be registered and logged in to see this link.] (FamilyFeud Control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} [You must be registered and logged in to see this link.] (GolfSol Control)
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} [You must be registered and logged in to see this link.] (WWSpades Control)
O16 - DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} [You must be registered and logged in to see this link.] (Photo Upload Plugin Class)
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} [You must be registered and logged in to see this link.] (H2hPool Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.25.227.55 209.18.47.61 24.25.227.53
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\vnd.ms.radio {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\Documents and Settings\HP_Administrator\My Documents\Unzipped\A Simple A264019142001\Alarm Clock\MSDXM.OCX ()
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\windows\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\windows\System32\LMIinit.dll (LogMeIn, Inc.)
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - Reg Error: Key error. File not found
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005-10-27 23:59:12 | 000,000,100 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{463fa1ac-5834-11de-9696-0018f8a6f077}\Shell - "" = AutoRun
O33 - MountPoints2\{463fa1ac-5834-11de-9696-0018f8a6f077}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{463fa1ac-5834-11de-9696-0018f8a6f077}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\{73e9f891-3317-11dc-88f1-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{73e9f891-3317-11dc-88f1-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{d5ced691-50ae-11de-9691-0018f8a6f077}\Shell - "" = AutoRun
O33 - MountPoints2\{d5ced691-50ae-11de-9691-0018f8a6f077}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{d5ced691-50ae-11de-9691-0018f8a6f077}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O33 - MountPoints2\{d86458c0-c05d-11dc-957f-0018f8a6f077}\Shell - "" = AutoRun
O33 - MountPoints2\{d86458c0-c05d-11dc-957f-0018f8a6f077}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (PDBoot.exe) - C:\windows\System32\PDBoot.exe (Raxco Software, Inc.)
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (smrgdf C:\Documents and Settings\HP_Administrator\Application Data\iolo\) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found



Last edited by iDhitz on Sat 24 Jul 2010, 3:38 pm; edited 1 time in total

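Added note, not part of iDhitz's post and not OTL's own code: the two file sections in the log above are where a helper would start reading, because the entries that stand out share three signals that can be scored mechanically: no company name, a throwaway name, and creation inside one short burst (nnshqyy.sys, szetyj67v.exe and the Updater.job task all land within about two minutes), while the O33 lines show removable-media AutoRun handlers whose targets are gone. The Python below scores OTL-style lines on those signals and adds a burst rule so that anything created within a few minutes of a strong hit inherits suspicion even when it looks bland on its own. The sample lines are constructed in OTL's format from entries in this post, and the point weights, the 7-day recency window, the 5-minute burst window and the vowel-ratio name heuristic are my own assumptions; a score is a prompt to look closer (hash lookup, signature check), not a verdict.

```python
import os
import re
from datetime import datetime, timedelta

# Constructed sample in OTL's line format, modelled on entries in the post above.
# It is an illustration, not a verbatim excerpt of the poster's log.
SAMPLE_LOG = r"""
[2010-07-22 20:10:11 | 000,766,976 | ---- | C] () -- C:\windows\System32\drivers\nnshqyy.sys
[2010-07-22 20:08:44 | 000,219,537 | ---- | C] () -- C:\windows\szetyj67v.exe
[2010-07-22 20:08:16 | 000,000,436 | ---- | C] () -- C:\windows\tasks\Updater.job
[2010-07-19 20:20:21 | 000,123,648 | ---- | C] (MCCI Corporation) -- C:\windows\System32\drivers\sscdmdm.sys
[2009-02-26 06:53:04 | 000,163,712 | ---- | C] () -- C:\windows\System32\drivers\vidstub.sys
[2010-07-23 00:40:12 | 000,000,700 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\SpywareBlaster.lnk
O33 - MountPoints2\{d5ced691-50ae-11de-9691-0018f8a6f077}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
"""

# OTL file entry: [timestamp | size | attributes | C(reated)/M(odified)] (company) -- path
FILE_LINE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| (?P<attr>\S{4}) \| "
    r"(?P<op>[CM])\] \((?P<company>[^)]*)\) -- (?P<path>.+?)(?: -- \[.*\])?$"
)
# O33 MountPoints2 AutoRun command handler for a removable volume
MOUNTPOINT_CMD = re.compile(
    r'^O33 - MountPoints2\\(?P<guid>\{[0-9a-fA-F-]+\})\\Shell\\AutoRun\\command - "" = '
    r"(?P<cmd>.+?)(?P<missing> -- File not found)?$"
)
SYSTEM_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32", r"c:\windows")
BINARY_EXT = (".sys", ".exe", ".dll")
BURST_WINDOW = timedelta(minutes=5)   # assumed: how close "dropped together" is


def looks_random(stem):
    """Heuristic (assumed): generated names are vowel-poor or mix letters with digits."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 5:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < 0.25 or any(c.isdigit() for c in stem)


def score_file(m, reference_date, recent_days):
    """Score one file entry; weights are assumptions, tune them to taste."""
    path = m["path"]
    directory, name = os.path.split(path.replace("\\", "/"))
    directory = directory.replace("/", "\\").lower()
    stem, ext = os.path.splitext(name)
    when = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    score, reasons = 0, []
    if not m["company"].strip() and ext.lower() in BINARY_EXT and directory in SYSTEM_DIRS:
        score += 2
        reasons.append("binary with no company name in a system directory")
    if looks_random(stem):
        score += 1
        reasons.append("random-looking file name")
    if timedelta(0) <= reference_date - when <= timedelta(days=recent_days):
        score += 1
        verb = "created" if m["op"] == "C" else "modified"
        reasons.append("%s within %d days of the alert" % (verb, recent_days))
    return {"path": path, "when": when, "op": m["op"], "score": score, "reasons": reasons}


def triage(log_text, reference_date, recent_days=7):
    """Score OTL file entries and list removable-media AutoRun handlers."""
    files, autorun = [], []
    for line in log_text.splitlines():
        m = FILE_LINE.match(line)
        if m:
            files.append(score_file(m, reference_date, recent_days))
            continue
        m = MOUNTPOINT_CMD.match(line)
        if m:
            autorun.append({"guid": m["guid"], "command": m["cmd"], "present": m["missing"] is None})
    # Second pass: a dropper usually lands several files within a minute or two, so a file
    # created in the same burst as a strong hit inherits suspicion even if it looks benign.
    anchors = [f for f in files if f["score"] >= 3]
    for f in files:
        near = [a["path"] for a in anchors if a is not f and abs(a["when"] - f["when"]) <= BURST_WINDOW]
        if f["op"] == "C" and near:
            f["score"] += 2
            f["reasons"].append("created in the same burst as " + near[0].replace("\\", "/").rsplit("/", 1)[-1])
    files.sort(key=lambda f: f["score"], reverse=True)
    return {"files": files, "autorun": autorun}


def run_sample():
    # Reference time is the OTL run time from the log header (2010-07-23 5:21 PM).
    return triage(SAMPLE_LOG, datetime(2010, 7, 23, 17, 21))


if __name__ == "__main__":
    report = run_sample()
    for f in report["files"]:
        if f["score"] >= 3:
            print("%d  %s  [%s]" % (f["score"], f["path"], "; ".join(f["reasons"])))
    for a in report["autorun"]:
        state = "present" if a["present"] else "target missing"
        print("autorun %s -> %s (%s)" % (a["guid"], a["command"], state))
```

Run as-is it prints the three burst entries (the .sys, the .exe and the .job) and the orphaned U3 AutoRun handler; the legitimately installed MCCI driver and the older unsigned vidstub.sys stay below the reporting threshold. In practice you would paste the whole log into it and use the ranked list to decide which files to hash and check before writing the OTL fix.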

Re: Rootkit Win32:Bubnix-H

Post by iDhitz on Sat 24 Jul 2010, 2:54 pm

OTL cont


MsConfig - StartUpFolder: C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe - (MagicISO, Inc.)
MsConfig - StartUpReg: Adobe ARM - hkey= - key= - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: ctfmon.exe - hkey= - key= - File not found
MsConfig - StartUpReg: H/PC Connection Agent - hkey= - key= - C:\Program Files\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation)
MsConfig - StartUpReg: SkinClock - hkey= - key= - C:\Program Files\Atomic Alarm Clock\AtomicAlarmClock.exe ()
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 2
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 2

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: PSEXESVC - Service
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: nm - File not found
SafeBootNet: nm.sys - File not found
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: PSEXESVC - Service
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {233C1507-6A77-46A4-9443-F871F945D258} - Adobe Shockwave Director 11.0.3
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Adobe Shockwave Director 11.0.3
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {407408d4-94ed-4d86-ab69-a7f649d112ee} - %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection QuickLaunchShortcut 640 %systemroot%\inf\mcdftreg.inf
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows script 5.7
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\windows\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\windows\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\windows\system32\Rundll32.exe c:\windows\system32\mscories.dll,Install
ActiveX: {8b15971b-5355-4c82-8c07-7e181ea07608} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {94de52c8-2d59-4f1b-883e-79663d2d9a8c} - Fax Provider
ActiveX: {B508B3F1-A24A-32C0-B310-85786919EF28} - .NET Framework
ActiveX: {BDE0FA43-6952-4BA8-8C58-09AF690F88E1} - Microsoft .NET Framework 1.0 Hotfix (KB930494)
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E8EA5BD6-D931-4001-ABF6-81BAA500360A} - Microsoft .NET Framework 1.0 Hotfix (KB953295)
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {E9B05189-9F29-AE9F-F582-753BD058D95B} - Vector Graphics Rendering (VML)
ActiveX: {EA29D410-CE41-4953-A862-2DE706A1DAD7} - Microsoft .NET Framework 1.0 Service Pack 3
ActiveX: {EA89635A-08DC-F3C3-D4AA-C9D7DB66445A} - Java (Sun)
ActiveX: {ECD292A0-0347-4244-8C24-5DBCE990FB40} - Hotfix for Microsoft .NET Framework 3.0 (KB932471)
ActiveX: {EF289A85-8E57-408d-BE47-73B55609861A} - RootsUpdate
ActiveX: {FDC11A6F-17D1-48f9-9EA3-9051954BAA24} - .NET Framework
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\windows\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\windows\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\windows\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\windows\system32\rundll32.exe" "C:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
ActiveX: KB910393 - rundll32.exe advpack.dll,LaunchINFSection C:\windows\INF\EasyCDBlock.inf,PerUserInstall
ActiveX: Microsoft Base Smart Card Crypto Provider Package -

Drivers32: msacm.ac3acm - C:\windows\System32\AC3ACM.acm (fccHandler)
Drivers32: msacm.ac3filter - C:\windows\System32\ac3filter.acm ()
Drivers32: msacm.alf2cd - C:\windows\System32\alf2cd.acm (NCT Company)
Drivers32: msacm.at3 - C:\windows\System32\atrac3.acm ()
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.scg726 - C:\windows\System32\Scg726.acm (SHARP Corporation)
Drivers32: msacm.siren - C:\windows\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\windows\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\windows\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: msacm.voxacm160 - C:\windows\System32\vct3216.acm (Voxware, Inc.)
Drivers32: MSVideo8 - C:\windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\windows\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\windows\System32\DivX.dll (DivXNetworks)
Drivers32: vidc.dvsd - C:\windows\System32\mcdvd_32.dll (MainConcept)
Drivers32: vidc.ffds - C:\windows\System32\ffdshow.ax ()
Drivers32: vidc.iv31 - C:\windows\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\windows\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\windows\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\windows\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.LEAD - C:\windows\System32\LCodcCMP.dll (LEAD Technologies, Inc.)
Drivers32: vidc.mp42 - C:\windows\System32\mpg4c32.dll (Microsoft Corporation)
Drivers32: vidc.mp43 - C:\windows\System32\mpg4c32.dll (Microsoft Corporation)
Drivers32: vidc.mpg4 - C:\windows\System32\mpg4c32.dll (Microsoft Corporation)
Drivers32: vidc.xvid - C:\windows\System32\xvidvfw.dll ()
Drivers32: vidc.yv12 - C:\windows\System32\DivX.dll (DivXNetworks)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (69819404975603712)

========== Files/Folders - Created Within 30 Days ==========

[2010-07-23 17:08:35 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2010-07-23 00:40:11 | 000,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2010-07-23 00:22:23 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\HP_Administrator\Recent
[2010-07-22 20:10:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\{BBF2A085-5D02-4E75-8960-8312166AE2CA}
[2010-07-22 20:08:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\qwmgwwevi
[2010-07-22 20:08:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Update
[2010-07-22 17:54:09 | 000,000,000 | ---D | C] -- C:\Program Files\Samsung Electronics
[2010-07-19 20:20:21 | 000,123,648 | ---- | C] (MCCI Corporation) -- C:\windows\System32\drivers\sscdmdm.sys
[2010-07-19 20:20:21 | 000,014,848 | ---- | C] (MCCI Corporation) -- C:\windows\System32\drivers\sscdmdfl.sys
[2010-07-19 20:20:21 | 000,012,416 | ---- | C] (MCCI Corporation) -- C:\windows\System32\drivers\sscdcmnt.sys
[2010-07-19 20:20:21 | 000,012,416 | ---- | C] (MCCI Corporation) -- C:\windows\System32\drivers\sscdcm.sys
[2010-07-19 20:20:19 | 000,098,560 | ---- | C] (MCCI Corporation) -- C:\windows\System32\drivers\sscdbus.sys
[2010-07-19 20:20:19 | 000,012,288 | ---- | C] (MCCI Corporation) -- C:\windows\System32\drivers\sscdwhnt.sys
[2010-07-19 20:20:19 | 000,012,288 | ---- | C] (MCCI Corporation) -- C:\windows\System32\drivers\sscdwh.sys
[2010-07-19 20:20:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Samsung
[2010-07-19 20:18:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\My Documents\Samsung Moment
[2010-07-18 20:45:09 | 000,000,000 | ---D | C] -- C:\Program Files\YouTube Downloader
[2010-07-17 23:44:03 | 000,000,000 | ---D | C] -- C:\Program Files\Moccatroller PC
[2006-07-11 14:29:00 | 000,028,672 | R--- | C] ( ) -- C:\windows\System32\DivXGraphBuilderCallback.dll

========== Files - Modified Within 30 Days ==========

[2010-07-23 17:24:46 | 000,766,976 | ---- | M] () -- C:\windows\System32\drivers\nnshqyy.sys
[2010-07-23 17:12:30 | 000,557,306 | ---- | M] () -- C:\windows\System32\PerfStringBackup.INI
[2010-07-23 17:12:30 | 000,467,076 | ---- | M] () -- C:\windows\System32\perfh009.dat
[2010-07-23 17:12:30 | 000,080,182 | ---- | M] () -- C:\windows\System32\perfc009.dat
[2010-07-23 17:11:26 | 000,000,886 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineUA.job
[2010-07-23 17:08:00 | 000,000,436 | ---- | M] () -- C:\windows\tasks\Updater.job
[2010-07-23 17:07:23 | 000,000,882 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineCore.job
[2010-07-23 17:07:20 | 000,000,006 | -H-- | M] () -- C:\windows\tasks\SA.DAT
[2010-07-23 17:06:39 | 000,002,048 | --S- | M] () -- C:\windows\bootstat.dat
[2010-07-23 17:06:38 | 2138,427,392 | -HS- | M] () -- C:\hiberfil.sys
[2010-07-23 04:34:25 | 014,155,776 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\NTUSER.DAT
[2010-07-23 04:34:25 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\HP_Administrator\ntuser.ini
[2010-07-23 00:40:12 | 000,000,700 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\SpywareBlaster.lnk
[2010-07-23 00:12:57 | 000,002,528 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Application Data\$_hpcst$.hpc
[2010-07-23 00:09:31 | 000,000,000 | ---- | M] () -- C:\windows\Ifolilulokuzoxu.bin
[2010-07-22 23:54:39 | 000,001,174 | ---- | M] () -- C:\windows\win.ini
[2010-07-22 23:54:39 | 000,000,279 | -HS- | M] () -- C:\boot.ini
[2010-07-22 23:54:39 | 000,000,246 | ---- | M] () -- C:\windows\SYSTEM.INI
[2010-07-22 21:24:04 | 000,002,499 | ---- | M] () -- C:\windows\lsrslt.ini
[2010-07-22 20:10:01 | 000,000,150 | ---- | M] () -- C:\zrpt.xml
[2010-07-22 20:08:44 | 000,219,537 | ---- | M] () -- C:\windows\szetyj67v.exe
[2010-07-22 17:54:19 | 000,001,888 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SWUpgrade.lnk
[2010-07-18 20:45:11 | 000,000,807 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\YouTube Downloader.lnk
[2010-07-18 00:05:56 | 000,000,180 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Moccatroller.cfg
[2010-07-16 19:22:28 | 000,001,158 | ---- | M] () -- C:\windows\System32\wpa.dbl
[2010-07-11 19:10:15 | 000,000,069 | ---- | M] () -- C:\windows\NeroDigital.ini
[2010-07-11 18:39:02 | 000,196,608 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== Files Created - No Company Name ==========

[2010-07-23 04:10:37 | 2138,427,392 | -HS- | C] () -- C:\hiberfil.sys
[2010-07-23 00:40:12 | 000,000,700 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\SpywareBlaster.lnk
[2010-07-23 00:12:57 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Application Data\$_hpcst$.hpc
[2010-07-22 21:24:04 | 000,002,499 | ---- | C] () -- C:\windows\lsrslt.ini
[2010-07-22 20:10:11 | 000,766,976 | ---- | C] () -- C:\windows\System32\drivers\nnshqyy.sys
[2010-07-22 20:08:44 | 000,219,537 | ---- | C] () -- C:\windows\szetyj67v.exe
[2010-07-22 20:08:30 | 000,000,150 | ---- | C] () -- C:\zrpt.xml
[2010-07-22 20:08:16 | 000,000,436 | ---- | C] () -- C:\windows\tasks\Updater.job
[2010-07-22 17:54:19 | 000,001,888 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SWUpgrade.lnk
[2010-07-18 20:45:11 | 000,000,807 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\YouTube Downloader.lnk
[2010-07-17 23:44:15 | 000,000,180 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Moccatroller.cfg
[2009-09-16 22:41:24 | 000,006,827 | ---- | C] () -- C:\windows\hpdj3600.ini
[2009-09-16 22:39:12 | 000,000,522 | ---- | C] () -- C:\windows\hpbvspst.ini
[2009-09-02 17:01:33 | 000,000,185 | ---- | C] () -- C:\windows\mdm.ini
[2009-04-06 15:50:51 | 000,043,520 | ---- | C] () -- C:\windows\System32\CmdLineExt03.dll
[2009-03-03 12:18:04 | 000,073,728 | ---- | C] () -- C:\windows\System32\RtNicProp32.dll
[2009-02-26 06:53:04 | 000,163,712 | ---- | C] () -- C:\windows\System32\drivers\vidstub.sys
[2008-07-13 08:29:10 | 000,000,127 | ---- | C] () -- C:\windows\System32\MRT.INI
[2008-07-07 15:11:32 | 002,854,912 | ---- | C] () -- C:\windows\System32\btwicons.dll
[2008-03-25 08:29:08 | 000,000,025 | ---- | C] () -- C:\windows\cdplayer.ini
[2008-03-05 10:49:02 | 000,000,051 | ---- | C] () -- C:\windows\iTouch.ini
[2008-02-03 12:06:22 | 000,094,208 | ---- | C] () -- C:\windows\System32\GTW32N50.dll
[2008-01-02 18:32:01 | 000,000,069 | ---- | C] () -- C:\windows\NeroDigital.ini
[2007-12-29 03:15:58 | 000,000,194 | ---- | C] () -- C:\windows\System32\sam.ini
[2007-12-29 03:14:19 | 000,487,424 | ---- | C] () -- C:\windows\System32\FDRpage.dll
[2007-12-29 03:14:19 | 000,007,548 | ---- | C] () -- C:\windows\System32\drivers\Samhid.sys
[2007-12-03 07:19:43 | 000,524,288 | ---- | C] () -- C:\windows\System32\xvidcore.dll
[2007-12-03 07:19:43 | 000,139,264 | ---- | C] () -- C:\windows\System32\xvidvfw.dll
[2007-09-27 10:51:02 | 000,020,698 | ---- | C] () -- C:\windows\System32\idxcntrs.ini
[2007-09-27 10:48:48 | 000,030,628 | ---- | C] () -- C:\windows\System32\gsrvctr.ini
[2007-09-27 10:48:28 | 000,031,698 | ---- | C] () -- C:\windows\System32\gthrctr.ini
[2007-09-23 17:45:07 | 000,000,038 | ---- | C] () -- C:\windows\AviSplitter.INI
[2007-08-30 01:43:23 | 000,000,274 | ---- | C] () -- C:\windows\TheMatrix.ini
[2007-08-27 11:39:01 | 000,086,016 | ---- | C] () -- C:\windows\System32\preflib.dll
[2007-08-27 11:39:00 | 000,757,760 | ---- | C] () -- C:\windows\System32\bcm1xsup.dll
[2007-08-12 21:21:29 | 000,000,000 | ---- | C] () -- C:\windows\iPlayer.INI
[2007-08-12 06:03:05 | 000,000,227 | ---- | C] () -- C:\windows\HP_CounterReport_Update_HPSU.ini
[2007-08-12 06:02:49 | 000,000,214 | ---- | C] () -- C:\windows\HP_48BitScanUpdatePatch.ini
[2007-08-12 06:01:08 | 000,000,214 | ---- | C] () -- C:\windows\HP_InstantSHareJPG.ini
[2007-08-12 06:00:52 | 000,000,217 | ---- | C] () -- C:\windows\HP_IZClosingDiscErrorPatch.ini
[2007-08-12 05:59:22 | 000,000,221 | ---- | C] () -- C:\windows\HP_RedboxHprblog_HPSU.ini
[2007-07-28 22:32:58 | 000,000,073 | ---- | C] () -- C:\windows\webica.ini
[2007-07-22 04:13:05 | 000,000,555 | ---- | C] () -- C:\windows\SysMech6.INI
[2007-07-16 00:07:21 | 000,056,056 | ---- | C] () -- C:\windows\System32\DLAAPI_W.DLL
[2006-08-15 19:47:38 | 000,000,000 | ---- | C] () -- C:\windows\System32\px.ini
[2006-08-09 04:19:50 | 000,520,192 | ---- | C] () -- C:\windows\System32\CddbPlaylist2Roxio.dll
[2006-08-09 04:19:50 | 000,204,800 | ---- | C] () -- C:\windows\System32\CddbFileTaggerRoxio.dll
[2006-08-09 01:00:00 | 000,028,672 | ---- | C] () -- C:\windows\System32\besched.dll
[2005-10-28 00:26:01 | 000,000,061 | ---- | C] () -- C:\windows\smscfg.ini
[2005-10-28 00:02:06 | 000,014,317 | ---- | C] () -- C:\windows\System32\CHODDI.SYS
[2005-10-28 00:01:58 | 000,045,056 | ---- | C] () -- C:\windows\System32\hpreg.dll
[2005-10-27 23:59:55 | 000,000,180 | ---- | C] () -- C:\windows\Quicken.ini
[2005-10-27 23:55:08 | 000,000,636 | ---- | C] () -- C:\windows\ODBC.INI
[2005-10-27 23:44:11 | 000,000,265 | ---- | C] () -- C:\windows\wininit.ini
[2005-10-27 23:30:32 | 000,001,793 | ---- | C] () -- C:\windows\System32\fxsperf.ini
[2005-10-27 23:11:34 | 000,000,791 | ---- | C] () -- C:\windows\orun32.ini
[2005-10-27 23:06:14 | 000,323,584 | ---- | C] () -- C:\windows\System32\pythoncom22.dll
[2005-10-27 23:06:14 | 000,094,208 | ---- | C] () -- C:\windows\System32\pywintypes22.dll
[2005-10-27 23:05:55 | 000,016,896 | ---- | C] () -- C:\windows\System32\bcbmm.dll
[2005-08-05 14:01:54 | 000,235,008 | ---- | C] () -- C:\windows\System32\psisdecd.dll
[2005-07-15 08:35:56 | 000,696,320 | ---- | C] () -- C:\windows\System32\libeay32.dll
[2005-07-15 08:35:56 | 000,155,648 | ---- | C] () -- C:\windows\System32\ssleay32.dll
[2005-07-15 08:35:24 | 003,596,288 | ---- | C] () -- C:\windows\System32\qt-dx331.dll
[2005-05-09 20:52:32 | 000,022,396 | ---- | C] () -- C:\windows\System32\drivers\USBkey.sys
[2005-02-17 12:41:32 | 000,000,603 | ---- | C] () -- C:\windows\System32\BTNeighborhood.dll.manifest
[2005-02-17 12:41:30 | 000,000,593 | ---- | C] () -- C:\windows\System32\btcss.dll.manifest
[2004-07-26 19:51:38 | 000,000,560 | ---- | C] () -- C:\windows\System32\oeminfo.ini
[2003-10-02 01:00:00 | 000,208,896 | ---- | C] () -- C:\windows\System32\lockout.dll
[2003-10-02 01:00:00 | 000,045,056 | ---- | C] () -- C:\windows\System32\lockres.dll
[2001-11-14 13:56:00 | 001,802,240 | ---- | C] () -- C:\windows\System32\lcppn21.dll
[2001-07-06 19:30:00 | 000,003,399 | ---- | C] () -- C:\windows\System32\hptcpmon.ini
[1999-07-05 00:00:00 | 000,075,334 | ---- | C] () -- C:\windows\System32\mfc45.dll
[1998-06-10 00:00:00 | 000,015,120 | ---- | C] () -- C:\windows\System32\REPUTIL.DLL
[1998-05-18 00:00:00 | 000,014,017 | ---- | C] () -- C:\windows\JAUTOEXP.INI
[1998-04-24 00:00:00 | 000,000,218 | ---- | C] () -- C:\windows\FRONTPG.INI
[1996-04-03 09:33:26 | 000,005,248 | ---- | C] () -- C:\windows\System32\giveio.sys

========== Custom Scans ==========


< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\system32\*.exe /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >
[2010-07-23 17:26:02 | 000,766,976 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\nnshqyy.sys

< %systemroot%\System32\config\*.sav >
[2004-11-16 17:20:24 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2004-11-16 17:20:24 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2004-11-16 17:20:24 | 000,876,544 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\*.sys >
[2004-08-10 09:00:00 | 000,009,029 | ---- | M] () -- C:\WINDOWS\system32\ansi.sys
[2006-10-12 16:28:42 | 000,604,928 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\system32\bcmwl5.sys
[2005-10-28 00:02:06 | 000,014,317 | ---- | M] () -- C:\WINDOWS\system32\CHODDI.SYS
[2004-08-10 09:00:00 | 000,027,097 | ---- | M] () -- C:\WINDOWS\system32\country.sys
[1996-04-03 09:33:26 | 000,005,248 | ---- | M] () -- C:\WINDOWS\system32\giveio.sys
[2003-09-25 22:15:32 | 000,015,872 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) -- C:\WINDOWS\system32\GTNDIS5.sys
[2004-08-10 09:00:00 | 000,004,768 | ---- | M] () -- C:\WINDOWS\system32\himem.sys
[2004-08-10 09:00:00 | 000,042,809 | ---- | M] () -- C:\WINDOWS\system32\key01.sys
[2004-08-10 09:00:00 | 000,042,537 | ---- | M] () -- C:\WINDOWS\system32\keyboard.sys
[2004-08-10 09:00:00 | 000,027,866 | ---- | M] () -- C:\WINDOWS\system32\ntdos.sys
[2004-08-10 09:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos404.sys
[2004-08-10 09:00:00 | 000,029,370 | ---- | M] () -- C:\WINDOWS\system32\ntdos411.sys
[2004-08-10 09:00:00 | 000,029,274 | ---- | M] () -- C:\WINDOWS\system32\ntdos412.sys
[2004-08-10 09:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos804.sys
[2004-08-10 09:00:00 | 000,033,840 | ---- | M] () -- C:\WINDOWS\system32\ntio.sys
[2004-08-10 09:00:00 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio404.sys
[2004-08-10 09:00:00 | 000,035,648 | ---- | M] () -- C:\WINDOWS\system32\ntio411.sys
[2004-08-10 09:00:00 | 000,035,424 | ---- | M] () -- C:\WINDOWS\system32\ntio412.sys
[2004-08-10 09:00:00 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio804.sys
[2006-09-24 03:28:46 | 000,005,248 | ---- | M] (Windows (R) 2000 DDK provider) -- C:\WINDOWS\system32\speedfan.sys
[2008-04-13 08:44:59 | 000,017,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\watchdog.sys
[2009-08-14 03:21:25 | 001,850,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\win32k.sys

< %systemroot%\system32\drivers\*.dll >
[2008-04-13 14:11:48 | 000,004,255 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv01nt5.dll
[2008-04-13 14:11:48 | 000,003,967 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv02nt5.dll
[2008-04-13 14:11:48 | 000,003,615 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv05nt5.dll
[2008-04-13 14:11:48 | 000,003,647 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv07nt5.dll
[2008-04-13 14:11:48 | 000,003,135 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv08nt5.dll
[2008-04-13 14:11:48 | 000,003,711 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv09nt5.dll
[2008-04-13 14:11:48 | 000,003,775 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv11nt5.dll
[2008-04-13 14:11:50 | 000,021,183 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv01nt5.dll
[2008-04-13 14:11:50 | 000,011,359 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv02nt5.dll
[2008-04-13 14:11:50 | 000,025,471 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv04nt5.dll
[2008-04-13 14:11:50 | 000,014,143 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv06nt5.dll
[2008-04-13 14:11:50 | 000,017,279 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv10nt5.dll
[2008-04-13 14:11:50 | 000,015,423 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\ch7xxnt5.dll
[2008-04-13 14:12:05 | 000,003,901 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\siint5.dll
[2008-04-13 14:12:08 | 000,011,325 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\vchnt5.dll

< %systemroot%\system32\drivers\*.ini >

< %systemroot%\system32\drivers\*.exe >

< %SYSTEMDRIVE%\*.* >
[2010-04-26 18:44:40 | 000,001,024 | ---- | M] () -- C:\.rnd
[2005-10-27 23:59:12 | 000,000,100 | ---- | M] () -- C:\AUTOEXEC.BAT
[2007-07-15 11:14:06 | 000,000,211 | RHS- | M] () -- C:\BOOT.BAK
[2010-07-22 23:54:39 | 000,000,279 | -HS- | M] () -- C:\boot.ini
[2004-08-10 05:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
[2004-11-17 01:32:46 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010-03-01 18:46:39 | 000,013,940 | ---- | M] () -- C:\DTLog.txt
[2010-07-23 17:06:38 | 2138,427,392 | -HS- | M] () -- C:\hiberfil.sys
[2009-11-06 21:00:30 | 000,004,198 | ---- | M] () -- C:\hpfr3600.log
[2004-11-17 01:32:46 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2009-03-11 10:08:04 | 000,000,367 | -H-- | M] () -- C:\IPH.PH
[2010-05-09 10:08:17 | 000,000,109 | ---- | M] () -- C:\mbam-error.txt
[2004-11-17 01:32:46 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004-08-10 05:00:00 | 000,047,564 | RHS- | M] () -- C:\ntdetect.com
[2008-09-13 18:33:08 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010-07-23 17:06:36 | 2621,440,000 | -HS- | M] () -- C:\pagefile.sys
[2010-07-22 20:10:01 | 000,000,150 | ---- | M] () -- C:\zrpt.xml

< %PROGRAMFILES%\*. >
[2009-08-22 11:26:28 | 000,000,000 | ---D | M] -- C:\Program Files\7-Zip
[2010-04-27 21:48:30 | 000,000,000 | ---D | M] -- C:\Program Files\a-squared Free
[2009-11-17 12:25:22 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2009-11-17 12:25:00 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe Media Player
[2009-08-03 19:42:43 | 000,000,000 | ---D | M] -- C:\Program Files\Agnitum
[2002-01-01 00:53:27 | 000,000,000 | ---D | M] -- C:\Program Files\Alwil Software
[2010-01-27 07:43:31 | 000,000,000 | ---D | M] -- C:\Program Files\Atomic Alarm Clock
[2009-02-23 12:36:58 | 000,000,000 | ---D | M] -- C:\Program Files\AVSMedia
[2009-02-28 16:38:00 | 000,000,000 | ---D | M] -- C:\Program Files\BFG
[2007-07-15 19:46:10 | 000,000,000 | ---D | M] -- C:\Program Files\Broadcom
[2009-12-13 11:59:16 | 000,000,000 | ---D | M] -- C:\Program Files\Broderbund
[2009-08-16 17:19:03 | 000,000,000 | ---D | M] -- C:\Program Files\BVRP Software
[2010-05-18 21:27:17 | 000,000,000 | ---D | M] -- C:\Program Files\CCleaner
[2007-09-02 21:25:32 | 000,000,000 | ---D | M] -- C:\Program Files\Citrix
[2010-07-19 20:20:28 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2009-09-02 17:04:40 | 000,000,000 | ---D | M] -- C:\Program Files\ComPlus Applications
[2010-02-19 09:45:14 | 000,000,000 | ---D | M] -- C:\Program Files\Conduit
[2007-07-15 19:46:23 | 000,000,000 | ---D | M] -- C:\Program Files\CONEXANT
[2010-06-14 21:34:05 | 000,000,000 | ---D | M] -- C:\Program Files\Defraggler
[2007-07-15 23:57:17 | 000,000,000 | ---D | M] -- C:\Program Files\DivX
[2007-12-30 04:12:55 | 000,000,000 | ---D | M] -- C:\Program Files\DVDFab Platinum 4
[2009-07-31 23:37:51 | 000,000,000 | ---D | M] -- C:\Program Files\Easy Cleaner 2.0
[2007-07-15 19:46:26 | 000,000,000 | ---D | M] -- C:\Program Files\EnglishOtto
[2010-01-12 15:08:25 | 000,000,000 | ---D | M] -- C:\Program Files\Eusing Free Registry Cleaner
[2009-12-28 16:45:18 | 000,000,000 | ---D | M] -- C:\Program Files\Exact Audio Copy
[2008-12-18 02:32:15 | 000,000,000 | ---D | M] -- C:\Program Files\Exact Audio Copy PSP Edition
[2007-11-30 00:11:30 | 000,000,000 | ---D | M] -- C:\Program Files\FreshDevices
[2010-05-18 22:39:24 | 000,000,000 | ---D | M] -- C:\Program Files\FrostWire
[2008-05-18 00:48:02 | 000,000,000 | ---D | M] -- C:\Program Files\Game Elements
[2009-02-15 08:52:28 | 000,000,000 | ---D | M] -- C:\Program Files\GameHouse
[2010-03-12 14:21:39 | 000,000,000 | ---D | M] -- C:\Program Files\Google
[2008-06-04 21:44:58 | 000,000,000 | ---D | M] -- C:\Program Files\Guild Wars
[2009-09-30 17:18:04 | 000,000,000 | ---D | M] -- C:\Program Files\Hewlett-Packard
[2009-09-16 22:41:55 | 000,000,000 | ---D | M] -- C:\Program Files\HP
[2009-08-22 11:35:46 | 000,000,000 | ---D | M] -- C:\Program Files\ImgBurn
[2010-05-18 21:31:05 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallJammer Registry
[2010-07-22 17:54:22 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2007-07-15 19:47:20 | 000,000,000 | ---D | M] -- C:\Program Files\IntelliMover Data Transfer Demo
[2010-02-06 18:35:57 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2007-07-15 19:47:27 | 000,000,000 | ---D | M] -- C:\Program Files\iPod
[2009-11-09 18:04:10 | 000,000,000 | ---D | M] -- C:\Program Files\JADMaker
[2009-09-25 20:36:47 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2010-06-03 21:45:25 | 000,000,000 | ---D | M] -- C:\Program Files\JetAudio
[2007-09-23 03:07:25 | 000,000,000 | ---D | M] -- C:\Program Files\KSAW
[2009-08-03 18:21:33 | 000,000,000 | ---D | M] -- C:\Program Files\Logitech
[2010-07-23 00:09:38 | 000,000,000 | ---D | M] -- C:\Program Files\LogMeIn
[2010-02-17 20:01:45 | 000,000,000 | ---D | M] -- C:\Program Files\MagicDisc
[2007-07-15 23:33:48 | 000,000,000 | ---D | M] -- C:\Program Files\MagicISO
[2010-05-09 10:08:16 | 000,000,000 | ---D | M] -- C:\Program Files\Malwarebytes' Anti-Malware
[2008-09-13 18:43:11 | 000,000,000 | ---D | M] -- C:\Program Files\Messenger
[2009-09-03 01:49:11 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft
[2009-08-28 09:44:12 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft ActiveSync
[2007-07-27 01:26:04 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft CAPICOM 2.1.0.2
[2007-07-15 19:47:35 | 000,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage
[2007-07-15 19:47:43 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Money 2005
[2009-03-23 07:28:04 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office
[2009-09-03 01:58:48 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office Outlook Connector
[2010-02-06 18:35:57 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Silverlight
[2009-07-31 22:29:05 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft SQL Server Compact Edition
[2009-09-02 16:56:20 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Visual Studio
[2009-03-23 07:24:40 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Visual Studio 8
[2009-07-22 10:47:48 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Works
[2009-03-23 07:26:44 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft.NET
[2010-05-09 09:52:41 | 000,000,000 | ---D | M] -- C:\Program Files\Mind Quiz
[2009-08-03 18:22:18 | 000,000,000 | ---D | M] -- C:\Program Files\Minilyrics
[2008-11-25 23:47:42 | 000,000,000 | ---D | M] -- C:\Program Files\MKVTOAVI
[2010-07-17 23:54:35 | 000,000,000 | ---D | M] -- C:\Program Files\Moccatroller PC
[2008-09-13 18:36:46 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2010-07-23 00:35:55 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox
[2009-03-23 07:28:19 | 000,000,000 | ---D | M] -- C:\Program Files\MSBuild
[2009-09-30 17:28:19 | 000,000,000 | ---D | M] -- C:\Program Files\MSECACHE
[2007-07-15 19:47:57 | 000,000,000 | ---D | M] -- C:\Program Files\MSN
[2007-07-15 19:47:57 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Encarta Standard
[2007-07-15 19:47:57 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone
[2007-07-27 01:25:59 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 4.0
[2007-08-11 18:04:32 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 6.0
[2007-07-15 19:48:04 | 000,000,000 | ---D | M] -- C:\Program Files\muvee Technologies
[2009-08-24 22:03:28 | 000,000,000 | ---D | M] -- C:\Program Files\Mystery Case Files - Ravenhearst
[2007-12-31 17:50:45 | 000,000,000 | ---D | M] -- C:\Program Files\Nero
[2009-09-03 03:00:05 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2009-08-12 22:04:09 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2007-07-15 19:48:17 | 000,000,000 | ---D | M] -- C:\Program Files\PC-Doctor 5 for Windows
[2007-07-15 19:48:17 | 000,000,000 | ---D | M] -- C:\Program Files\PC-Doctor for DOS
[2010-03-07 09:45:01 | 000,000,000 | ---D | M] -- C:\Program Files\POP Peeper
[2007-07-15 21:50:43 | 000,000,000 | ---D | M] -- C:\Program Files\PowerISO
[2007-07-15 19:48:26 | 000,000,000 | ---D | M] -- C:\Program Files\Quicken
[2010-01-12 19:24:41 | 000,000,000 | ---D | M] -- C:\Program Files\QuickTime
[2009-02-22 20:37:11 | 000,000,000 | ---D | M] -- C:\Program Files\Raxco
[2009-07-04 19:24:11 | 000,000,000 | ---D | M] -- C:\Program Files\Real
[2007-08-11 17:58:49 | 000,000,000 | ---D | M] -- C:\Program Files\Reference Assemblies
[2008-10-15 23:26:50 | 000,000,000 | ---D | M] -- C:\Program Files\ReflexiveArcade
[2007-07-16 00:07:20 | 000,000,000 | ---D | M] -- C:\Program Files\Roxio
[2009-02-17 14:14:01 | 000,000,000 | ---D | M] -- C:\Program Files\Runtime Software
[2010-07-22 17:54:09 | 000,000,000 | ---D | M] -- C:\Program Files\Samsung Electronics
[2009-09-27 21:56:01 | 000,000,000 | ---D | M] -- C:\Program Files\Security Task Manager
[2007-07-16 00:27:11 | 000,000,000 | ---D | M] -- C:\Program Files\Siber Systems
[2007-07-15 19:48:26 | 000,000,000 | ---D | M] -- C:\Program Files\Sonic
[2010-07-23 17:08:35 | 000,000,000 | ---D | M] -- C:\Program Files\Sophos
[2010-05-18 21:25:12 | 000,000,000 | ---D | M] -- C:\Program Files\SpeedFan
[2010-07-23 00:40:12 | 000,000,000 | ---D | M] -- C:\Program Files\SpywareBlaster
[2009-02-26 06:53:04 | 000,000,000 | ---D | M] -- C:\Program Files\Stardock
[2009-12-02 04:55:24 | 000,000,000 | ---D | M] -- C:\Program Files\SUPERAntiSpyware
[2010-01-09 22:20:32 | 000,000,000 | ---D | M] -- C:\Program Files\The GodFather
[2010-04-27 21:54:49 | 000,000,000 | ---D | M] -- C:\Program Files\Trillian
[2007-07-15 19:48:27 | 000,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information
[2009-12-24 12:22:48 | 000,000,000 | ---D | M] -- C:\Program Files\Unlocker
[2007-07-15 19:48:27 | 000,000,000 | ---D | M] -- C:\Program Files\Updates from HP
[2007-11-28 21:04:23 | 000,000,000 | ---D | M] -- C:\Program Files\utorrent
[2007-07-15 20:42:26 | 000,000,000 | ---D | M] -- C:\Program Files\VideoLAN
[2009-09-03 02:26:27 | 000,000,000 | ---D | M] -- C:\Program Files\Virtual Earth 3D
[2009-04-25 12:31:32 | 000,000,000 | ---D | M] -- C:\Program Files\VirtualDJ
[2007-07-23 09:22:55 | 000,000,000 | ---D | M] -- C:\Program Files\VSO
[2009-09-02 16:56:22 | 000,000,000 | ---D | M] -- C:\Program Files\Web Publish
[2010-05-20 07:09:52 | 000,000,000 | ---D | M] -- C:\Program Files\WIDCOMM
[2007-07-15 19:48:30 | 000,000,000 | ---D | M] -- C:\Program Files\WildTangent
[2009-07-22 11:09:34 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Desktop Search
[2009-09-30 17:28:32 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Installer Clean Up
[2009-09-03 01:53:30 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Live
[2009-09-28 20:31:27 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Live Safety Center
[2009-07-31 22:27:00 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Live SkyDrive
[2010-07-17 23:56:53 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Connect 2
[2007-07-19 11:02:27 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2008-09-13 18:34:54 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2007-07-15 19:48:33 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Plus
[2007-07-15 19:48:34 | 000,000,000 | -H-D | M] -- C:\Program Files\WindowsUpdate
[2007-09-22 14:15:48 | 000,000,000 | ---D | M] -- C:\Program Files\WinRAR
[2007-08-30 01:09:20 | 000,000,000 | ---D | M] -- C:\Program Files\Wordster
[2007-11-28 22:11:27 | 000,000,000 | ---D | M] -- C:\Program Files\WordWeb
[2007-07-15 19:48:37 | 000,000,000 | ---D | M] -- C:\Program Files\xerox
[2009-02-22 21:47:16 | 000,000,000 | ---D | M] -- C:\Program Files\XP Codec Pack
[2007-12-30 21:59:05 | 000,000,000 | ---D | M] -- C:\Program Files\Yahoo!
[2007-11-28 09:50:46 | 000,000,000 | ---D | M] -- C:\Program Files\YourWare Solutions
[2010-07-18 20:45:11 | 000,000,000 | ---D | M] -- C:\Program Files\YouTube Downloader
[2010-03-09 18:59:26 | 000,000,000 | ---D | M] -- C:\Program Files\Zynga

< %appdata%\*.* >
[2010-07-23 00:12:57 | 000,002,528 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Application Data\$_hpcst$.hpc
[2004-11-16 17:21:40 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\HP_Administrator\Application Data\desktop.ini


< MD5 for: AGP440.SYS >
[2004-08-10 16:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008-09-13 18:27:22 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2004-08-10 05:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:AGP440.sys
[2008-09-13 18:27:22 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008-04-13 08:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008-04-13 08:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004-08-10 16:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008-09-13 18:27:22 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2004-08-10 05:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:atapi.sys
[2008-09-13 18:27:22 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008-04-13 08:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008-04-13 08:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004-08-04 02:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004-08-10 09:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\atapi.sys

< MD5 for: DISK.SYS >
[2004-08-10 16:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:disk.sys
[2008-09-13 18:27:22 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:disk.sys
[2004-08-10 05:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:disk.sys
[2008-09-13 18:27:22 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:disk.sys
[2004-08-10 09:00:00 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=00CA44E4534865F8A3B64F7C0984BFF0 -- C:\WINDOWS\$NtServicePackUninstall$\disk.sys
[2008-04-13 08:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\ServicePackFiles\i386\disk.sys
[2008-04-13 08:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\system32\drivers\disk.sys

< MD5 for: EVENTLOG.DLL >
[2008-04-13 14:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008-04-13 14:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008-04-13 14:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004-08-10 09:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: IASTOR.SYS >
[2005-03-09 15:09:18 | 000,870,912 | ---- | M] (Intel Corporation) MD5=79AE2A97C120F282845D854D0F070EA9 -- C:\hp\drivers\Intel_Emery_RAID_v5.0.0.1032\RAID\iaStor.sys
[2005-03-09 15:09:18 | 000,870,912 | ---- | M] (Intel Corporation) MD5=79AE2A97C120F282845D854D0F070EA9 -- C:\WINDOWS\system32\drivers\iaStor.sys

< MD5 for: LOGEVENT.DLL >
[2008-04-13 14:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\logevent.dll

< MD5 for: NETLOGON.DLL >
[2008-04-13 14:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008-04-13 14:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004-08-10 09:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004-08-10 09:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008-04-13 14:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008-04-13 14:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: USBSTOR.SYS >
[2004-08-10 16:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:usbstor.sys
[2008-09-13 18:27:22 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:usbstor.sys
[2004-08-10 05:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:usbstor.sys
[2008-09-13 18:27:22 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:usbstor.sys
[2004-08-04 03:08:48 | 000,026,496 | ---- | M] (Microsoft Corporation) MD5=6CD7B22193718F1D17A47A1CD6D37E75 -- C:\WINDOWS\$NtServicePackUninstall$\usbstor.sys
[2008-04-13 08:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\ServicePackFiles\i386\usbstor.sys
[2008-04-13 08:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\system32\drivers\usbstor.sys

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-03-03 00:23:26

========== Alternate Data Streams ==========

@Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:260575F1
< End of report >

iDhitz

Newbie Surfer

Posts : 14
Joined : 2009-09-29
Operating System : Windows XP Pro



Re: Rootkit Win32:Bubnix-H

Post by Sneakyone on Sat 24 Jul 2010, 6:11 pm

Hi, Welcome to GeekPolice.net!

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :OTL
    PRC - [2010-07-22 20:08:44 | 000,219,537 | ---- | M] () -- C:\WINDOWS\szetyj67v.exe
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5643

    :services
    SRV - File not found [Disabled | Stopped] -- C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\P.exe -- (P)
    SRV - File not found [Disabled | Stopped] -- C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\E.exe -- (E)
    SRV - [2010-07-22 20:08:44 | 000,219,537 | ---- | M] () [Auto | Running] -- C:\WINDOWS\szetyj67v.exe -- (NetLog)

    :Files
    C:\WINDOWS\szetyj67v.exe
    C:\WINDOWS\system32\drivers\nnshqyy.sys
    C:\windows\lsrslt.ini
    C:\zrpt.xml

    :commands
    [emptytemp]
    [resethosts]
    [reboot]


  • Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If this fix becomes unresponsive please move on to ComboFix.

=========

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
  • Click Start > Run, then copy and paste the following command into the Run box and click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.


I'm livin' life in the fast lane.


Sneakyone

Tech Officer

Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit

View user profile http://twitter.com/AVerySneakyone

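The OTL fix above acts on three kinds of indicator: a process with an empty company field "()" sitting directly in the Windows directory, services whose binary is gone or lives in the user's Temp folder, and an Internet Explorer proxy of http=127.0.0.1:5643, which sends every browser request through a listener on the infected machine before it reaches the network (one reason the poster "cannot connect to the internet" while the service is down). The following Python script is an added example, not part of the thread and not OTL's own code: it parses OTL-format PRC, SRV and IE lines and returns those indicators as findings. The sample lines are the ones from the fix script above plus one constructed benign ctfmon.exe process line, included to show that a normal entry is not flagged.

```python
"""Triage of OTL-format log lines (added example; not part of this thread and not OTL's own code).

Flags the kinds of indicator the fix above acts on:
  * a running process with an empty company field "()" that sits directly in the
    Windows directory or in a Temp folder,
  * services whose binary is missing or lives in a Temp folder, or that run with
    no company name,
  * an Internet Explorer proxy pointing at the loopback interface, i.e. a local
    listener that sees every browser request before it leaves the machine.
"""
import re

# Lines taken from the OTL fix script in this thread, plus one constructed
# benign process line (ctfmon.exe) to show that a normal entry is not flagged.
SAMPLE_OTL = r"""
PRC - [2010-07-22 20:08:44 | 000,219,537 | ---- | M] () -- C:\WINDOWS\szetyj67v.exe
PRC - [2008-04-14 00:12:00 | 000,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ctfmon.exe
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5643
SRV - File not found [Disabled | Stopped] -- C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\P.exe -- (P)
SRV - File not found [Disabled | Stopped] -- C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\E.exe -- (E)
SRV - [2010-07-22 20:08:44 | 000,219,537 | ---- | M] () [Auto | Running] -- C:\WINDOWS\szetyj67v.exe -- (NetLog)
"""

PRC_RE = re.compile(r'^PRC - \[[^\]]*\] \((?P<company>[^)]*)\) -- (?P<path>.+)$')
SRV_RE = re.compile(
    r'^SRV - (?:(?P<missing>File not found)|\[[^\]]*\] \((?P<company>[^)]*)\)) '
    r'\[(?P<state>[^\]]*)\] -- (?P<path>.+?) -- \((?P<name>[^)]+)\)$')
IE_RE = re.compile(r'^IE - (?P<key>.+?): "(?P<value>[^"]+)" =\s*(?P<data>.*)$')
# "http=127.0.0.1:5643", "127.0.0.1:8080" and "localhost:3128" all count as loopback.
LOOPBACK_RE = re.compile(r'(?:^|=)(?:127\.0\.0\.1|localhost)(?::\d+)?', re.IGNORECASE)


def _in_temp(path):
    return '\\temp\\' in path.lower()


def _directly_in_windir(path):
    """True when the file sits in the Windows directory itself, not in a subfolder."""
    low = path.lower()
    prefix = 'c:\\windows\\'
    return low.startswith(prefix) and '\\' not in low[len(prefix):]


def triage(log_text):
    """Return (kind, target, reason) tuples for every suspicious OTL line."""
    findings = []
    proxy_enabled = False
    proxy_server = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = PRC_RE.match(line)
        if m:
            path, company = m.group('path'), m.group('company').strip()
            if not company and (_directly_in_windir(path) or _in_temp(path)):
                findings.append(('process', path, 'no company name; runs from the Windows or a Temp directory'))
            continue
        m = SRV_RE.match(line)
        if m:
            name, path = m.group('name'), m.group('path')
            if m.group('missing'):
                findings.append(('service', name, 'binary missing: ' + path))
            elif _in_temp(path):
                findings.append(('service', name, 'binary in a Temp directory: ' + path))
            elif not (m.group('company') or '').strip():
                findings.append(('service', name, 'no company name [%s]: %s' % (m.group('state'), path)))
            continue
        m = IE_RE.match(line)
        if m:
            value, data = m.group('value'), m.group('data').strip()
            if value == 'ProxyEnable':
                proxy_enabled = data == '1'
            elif value == 'ProxyServer':
                proxy_server = data
    # The proxy is reported once both values have been seen, whichever order OTL prints them in.
    if proxy_server and LOOPBACK_RE.search(proxy_server):
        state = 'enabled' if proxy_enabled else 'configured but not enabled'
        findings.append(('ie_proxy', proxy_server, 'browser traffic routed through a local listener (%s)' % state))
    return findings


if __name__ == '__main__':
    for kind, target, reason in triage(SAMPLE_OTL):
        print('%-8s %-45s %s' % (kind, target, reason))
```

The empty company field is only a triage signal (plenty of legitimate tools ship without version info), which is why the script pairs it with the location test; the loopback proxy and a service whose binary is missing are the stronger indicators and are reported on their own.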

Re: Rootkit Win32:Bubnix-H

Post by iDhitz on Sat 24 Jul 2010, 9:03 pm

OTL kept freezing up, so I did the scan with ComboFix. It found the rootkit and tried to remove it, but I received a pop-up from avast! as it was turned back on. Here is the log from ComboFix:


ComboFix 10-07-23.02 - HP_Administrator 2010-07-23 23:34:33.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1443 [GMT -10:00]
Running from: c:\documents and settings\HP_Administrator\desktop\commy.exe
Command switches used :: /stepdel
AV: avast! antivirus 4.8.1368 [VPS 100722-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Outpost Firewall *disabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Administrator\Application Data\Google\T-Scan
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{BBF2A085-5D02-4E75-8960-8312166AE2CA}
c:\documents and settings\HP_Administrator\Application Data\Google\T-Scan\n.gif
c:\documents and settings\HP_Administrator\Application Data\Google\T-Scan\t.gif
c:\documents and settings\HP_Administrator\Application Data\Google\T-Scan\y.gif
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{BBF2A085-5D02-4E75-8960-8312166AE2CA}\chrome.manifest
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{BBF2A085-5D02-4E75-8960-8312166AE2CA}\chrome\content\_cfg.js
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{BBF2A085-5D02-4E75-8960-8312166AE2CA}\chrome\content\overlay.xul
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{BBF2A085-5D02-4E75-8960-8312166AE2CA}\install.rdf
c:\program files\Mozilla Firefox\searchplugins\google_search.xml
c:\windows\system32\404Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\Install.txt
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\uxeqobycep.scr

Infected copy of c:\windows\system32\drivers\imapi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys
-------\Legacy_E
-------\Legacy_NETLOG
-------\Service_E
-------\Service_NetLog


((((((((((((((((((((((((( Files Created from 2010-06-24 to 2010-07-24 )))))))))))))))))))))))))))))))
.

2010-07-24 08:58 . 2010-07-24 08:58 -------- d-----w- C:\_OTL
2010-07-24 04:25 . 2010-05-26 20:45 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-07-24 03:08 . 2010-07-24 03:08 -------- d-----w- c:\program files\Sophos
2010-07-23 10:40 . 2010-07-23 10:40 -------- d-----w- c:\program files\SpywareBlaster
2010-07-23 06:10 . 2010-07-24 09:45 766976 ----a-w- c:\windows\system32\drivers\nnshqyy.sys
2010-07-23 06:08 . 2010-07-23 06:08 219537 ----a-w- c:\windows\szetyj67v.exe
2010-07-23 06:08 . 2010-07-23 07:34 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\qwmgwwevi
2010-07-23 06:08 . 2010-07-23 14:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-07-23 03:54 . 2010-07-23 03:54 -------- d-----w- c:\program files\Samsung Electronics
2010-07-20 06:20 . 2010-01-14 07:02 14848 ----a-w- c:\windows\system32\drivers\sscdmdfl.sys
2010-07-20 06:20 . 2010-01-14 07:02 12416 ----a-w- c:\windows\system32\drivers\sscdcmnt.sys
2010-07-20 06:20 . 2010-01-14 07:02 12416 ----a-w- c:\windows\system32\drivers\sscdcm.sys
2010-07-20 06:20 . 2010-01-14 07:02 123648 ----a-w- c:\windows\system32\drivers\sscdmdm.sys
2010-07-20 06:20 . 2010-01-14 07:02 12288 ----a-w- c:\windows\system32\drivers\sscdwhnt.sys
2010-07-20 06:20 . 2010-01-14 07:02 12288 ----a-w- c:\windows\system32\drivers\sscdwh.sys
2010-07-20 06:20 . 2010-01-14 07:02 98560 ----a-w- c:\windows\system32\drivers\sscdbus.sys
2010-07-20 06:20 . 2010-07-20 06:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Samsung
2010-07-19 06:45 . 2010-07-19 06:45 -------- d-----w- c:\program files\YouTube Downloader
2010-07-18 09:44 . 2010-07-18 09:54 -------- d-----w- c:\program files\Moccatroller PC

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-24 06:25 . 2009-02-15 18:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-07-23 14:34 . 2008-03-11 19:07 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-23 10:09 . 2010-04-27 04:44 -------- d-----w- c:\program files\LogMeIn
2010-07-23 10:09 . 2009-09-20 18:20 0 ----a-w- c:\windows\Ifolilulokuzoxu.bin
2010-07-23 03:54 . 2007-07-16 05:47 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-20 06:19 . 2010-07-20 06:19 53248 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{64C85B95-E971-4705-B3ED-D4A0153C0D5B}\ARPPRODUCTICON.exe
2010-07-20 06:18 . 2009-08-01 09:04 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\vlc
2010-07-18 09:56 . 2007-07-17 00:55 -------- d-----w- c:\program files\Windows Media Connect 2
2010-07-17 06:55 . 2007-07-16 06:10 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\uTorrent
2010-07-12 06:26 . 2007-07-16 09:47 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Vso
2010-06-22 05:27 . 2007-09-23 05:45 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\dvdcss
2010-06-20 15:27 . 2009-03-10 15:09 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\FrostWire
2010-06-15 07:34 . 2010-01-12 13:50 -------- d-----w- c:\program files\Defraggler
2010-06-10 03:46 . 2010-04-27 04:44 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-06-10 03:46 . 2010-04-27 04:44 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-06-10 03:46 . 2010-04-27 04:44 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-06-04 07:45 . 2009-02-27 19:10 -------- d-----w- c:\program files\JetAudio
2010-05-22 05:23 . 2009-10-07 00:33 1055744 ----a-w- c:\documents and settings\All Users\Application Data\WorldWinner\bigmoney\BigMoney.dll
2010-04-30 01:39 . 2002-01-01 10:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-30 01:39 . 2002-01-01 10:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-20 08:44 . 2009-09-20 08:44 19937 ----a-w- c:\program files\Common Files\topihafek.dl
2009-09-20 08:44 . 2009-09-20 08:44 17581 ----a-w- c:\program files\Common Files\dutidoj.db
2009-09-20 08:44 . 2009-09-20 08:44 17308 ----a-w- c:\program files\Common Files\exirutuj.exe
2009-09-20 08:35 . 2009-09-20 08:35 15910 ----a-w- c:\program files\Common Files\pefo.lib
2006-03-10 05:59 . 2007-07-15 21:07 32 --sha-w- c:\windows\SMINST\HPCD.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
2010-02-22 22:05 2353176 ----a-w- c:\program files\Zynga\tbZyng.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{7B13EC3E-999A-4B70-B9CB-2617B8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-02-27 160592]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\fcde06e5-0683-4925-ae4c-1efce00e4c5d.exe" [2009-12-02 2001648]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BootSkin Startup Jobs"="c:\program files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-04-27 270336]
"SoundMan"="SOUNDMAN.EXE" [2005-09-21 86016]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-04-28 2374464]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-7-7 600680]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-06-10 03:46 87424 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *\0smrgdf c:\documents and settings\HP_Administrator\Application Data\iolo\

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-11-13 23:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkinClock]
2008-09-30 10:29 1739776 ----a-w- c:\program files\Atomic Alarm Clock\AtomicAlarmClock.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Guild Wars\\Gw.exe"=
"c:\\windows\\system32\\sessmgr.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Common Files\\Sonic Shared\\RoxioUPnPRenderer9.exe"=
"c:\\Program Files\\Roxio\\Creator Classic 9\\Creator9.exe"=
"c:\\Program Files\\Roxio\\Audio Master 9\\DVDMusicAssistant9.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Documents and Settings\\HP_Administrator\\My Documents\\Downloads\\FrostWire\\FrostWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-08-03 7:11 PM 114768]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [2009-08-03 7:44 PM 704384]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-01-15 4:17 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 4:17 PM 74480]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-07-23 6:25 PM 18816]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-08-03 7:11 PM 20560]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [2009-08-03 7:42 PM 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [2009-08-03 7:44 PM 257432]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 4:17 PM 7408]
S2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [2009-08-03 7:42 PM 1195008]
S2 gupdate1c9ac7991adc6b8;Google Update Service (gupdate1c9ac7991adc6b8);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-24 2:10 AM 133104]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2008-08-11 12856]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2009-08-28 1:50 PM 42112]
S3 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [2008-09-09 1:49 PM 693512]
S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [2008-09-09 1:49 PM 906504]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-12-28 7:02 AM 287232]
S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [2007-12-29 3:14 AM 7548]
S4 P;P;c:\docume~1\HP_ADM~1\LOCALS~1\Temp\P.exe --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\P.exe [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - nnshqyy
.
Contents of the 'Scheduled Tasks' folder

2010-07-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-24 12:10]

2010-07-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-24 12:10]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride =
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Customize Menu - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: live.com\onecare
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\eo6tdafs.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\eo6tdafs.default\extensions\{22119944-ED35-4ab1-910B-E619EA06A115}\components\rfproxy_31.dll
FF - component: c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\eo6tdafs.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\eo6tdafs.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - plugin: c:\documents and settings\HP_Administrator\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - [You must be registered and logged in to see this link.] files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-23 23:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\3.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nnshqyy]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,55,11,d8,5c,97,93,32,4b,ba,33,6f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,55,11,d8,5c,97,93,32,4b,ba,33,6f,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)
c:\windows\system32\LMIinit.dll
c:\windows\System32\BCMLogon.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(3896)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll
c:\windows\system32\igfxsrvc.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wscntfy.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2010-07-23 23:52:18 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-24 09:51

Pre-Run: 118,085,271,552 bytes free
Post-Run: 117,975,003,136 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\windows
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\windows="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - AB0B617EC4F94E2045E647E99508C534

iDhitz

Newbie Surfer

Posts : 14
Joined : 2009-09-29
Operating System : Windows XP Pro

View user profile


Re: Rootkit Win32:Bubnix-H

Post by Sneakyone on Sat 24 Jul 2010, 10:56 pm

Hi,

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Killall::

    File::
    c:\windows\system32\drivers\nnshqyy.sys
    c:\windows\szetyj67v.exe
    c:\windows\Ifolilulokuzoxu.bin
    c:\program files\Common Files\topihafek.dl
    c:\program files\Common Files\dutidoj.db
    c:\program files\Common Files\exirutuj.exe
    c:\program files\Common Files\pefo.lib
    c:\windows\system32\3.tmp
    c:\docume~1\HP_ADM~1\LOCALS~1\Temp\P.exe

    Folder::
    c:\documents and settings\HP_Administrator\Local Settings\Application Data\qwmgwwevi
    c:\program files\Zynga

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{7b13ec3e-999a-4b70-b9cb-2617b8323822}"=-
    [-HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{7B13EC3E-999A-4B70-B9CB-2617B8323822}"=-
    [-HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nnshqyy]

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5643
    uInternet Settings,ProxyOverride =

    Driver::
    MEMSWEEP2
    P

    Reboot::

  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


I'm livin' life in the fast lane.


Sneakyone

Tech Officer

Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit

View user profile http://twitter.com/AVerySneakyone

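The CFScript above is built from what the first ComboFix log exposed: the two drivers it printed with a "[?]" timestamp (an image it could not find or verify, here a .tmp file in system32 and P.exe in the user's Temp folder) and the driver it listed as "*Deregistered*" (still in memory, but with no service key, which is how nnshqyy.sys survived the first pass). A removal script has to address both halves of each item, the service key and the file on disk, or the next reboot recreates what was deleted. The Python below is an added example, not part of the thread and not ComboFix's own code; it reads those markers out of a ComboFix log, pairs a deregistered driver name with its file from the "Files Created" section, and then checks that the CFScript's File::, Driver:: and Registry:: sections together cover every flagged item. The log and script excerpts are a constructed subset of the ones posted in this thread, and the reading of the "[?]" and "*Deregistered*" markers is my understanding of the log format, not something the page states.

```python
"""Cross-check a ComboFix log against a CFScript (added example; not ComboFix's or the
thread's own code). Pulls the service/driver lines and "*Deregistered*" entries out of
the log, flags the ones a removal helper would act on, and checks that each is covered
by the File::, Driver:: or Registry:: sections of the CFScript before it is run.
"""
import re

# Constructed subset of the ComboFix log and CFScript posted in this thread.
LOG = r"""
2010-07-23 06:10 . 2010-07-24 09:45 766976 ----a-w- c:\windows\system32\drivers\nnshqyy.sys
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-08-03 7:11 PM 114768]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]
S4 P;P;c:\docume~1\HP_ADM~1\LOCALS~1\Temp\P.exe --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\P.exe [?]
*Deregistered* - nnshqyy
"""

SCRIPT = r"""
Killall::

File::
c:\windows\system32\drivers\nnshqyy.sys
c:\windows\system32\3.tmp
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\P.exe

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nnshqyy]

Driver::
MEMSWEEP2
P

Reboot::
"""

# "S3 name;display;image [stamp]" or "... image --> resolved [?]"; stamp "?" means unverifiable.
SERVICE_RE = re.compile(
    r'^[RS]\d (?P<name>[^;]+);[^;]*;(?P<path>.+?)(?: --> (?P<resolved>.+?))? \[(?P<stamp>[^\]]*)\]$')
DEREG_RE = re.compile(r'^\*Deregistered\* - (?P<name>\S+)$')
# "Files Created" lines: two timestamps, size, attributes, path.
CREATED_RE = re.compile(
    r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} \S+ \S+ (?P<path>.+)$')
SECTION_RE = re.compile(r'^(?P<name>[A-Za-z]+)::$')


def find_suspects(log_text):
    """Return {service_name: {'path': ..., 'reason': ...}} for items worth removing."""
    created = {}    # file stem (lower-case) -> full path, from the Files Created section
    suspects = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = CREATED_RE.match(line)
        if m:
            path = m.group('path')
            created[path.rsplit('\\', 1)[-1].rsplit('.', 1)[0].lower()] = path
            continue
        m = SERVICE_RE.match(line)
        if m:
            path = m.group('resolved') or m.group('path')
            low = path.lower()
            reasons = []
            if m.group('stamp') == '?':
                reasons.append('image file missing or unverifiable')
            if '\\temp\\' in low:
                reasons.append('image in a Temp directory')
            if low.endswith('.tmp'):
                reasons.append('image named like a temporary file')
            if reasons:
                suspects[m.group('name')] = {'path': path, 'reason': '; '.join(reasons)}
            continue
        m = DEREG_RE.match(line)
        if m:
            name = m.group('name')
            suspects[name] = {'path': created.get(name.lower()),
                              'reason': 'loaded in memory with no service key (deregistered)'}
    return suspects


def parse_cfscript(text):
    """Split a CFScript into {section: [lines]}; sections are lines ending in '::'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group('name')
            sections[current] = []
        elif line and current:
            sections[current].append(line)
    return sections


def uncovered(suspects, script_text):
    """Sorted names of suspects the script would not fully remove (needs key AND file)."""
    s = parse_cfscript(script_text)
    files = {p.lower() for p in s.get('File', [])}
    drivers = {d.lower() for d in s.get('Driver', [])}
    registry = ' '.join(s.get('Registry', [])).lower()
    missing = []
    for name, info in suspects.items():
        key_handled = name.lower() in drivers or ('\\services\\' + name.lower() + ']') in registry
        file_handled = info['path'] is not None and info['path'].lower() in files
        if not (key_handled and file_handled):
            missing.append(name)
    return sorted(missing)


if __name__ == '__main__':
    found = find_suspects(LOG)
    for name, info in found.items():
        print('%-10s %-50s %s' % (name, info['path'], info['reason']))
    print('not covered by script:', uncovered(found, SCRIPT) or 'none')
```

Run against the thread's own script the check comes back clean; dropping the "P" line from Driver:: makes it report P as uncovered, which is the mistake this catches: the file would be deleted but the service key, and with it the autostart, would stay.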

Re: Rootkit Win32:Bubnix-H

Post by iDhitz on Sun 25 Jul 2010, 5:38 am

ComboFix 10-07-23.02 - HP_Administrator 2010-07-24 7:48.6.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1560 [GMT -10:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\commy.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100722-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Outpost Firewall *disabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}

FILE ::
"c:\docume~1\HP_ADM~1\LOCALS~1\Temp\P.exe"
"c:\program files\Common Files\dutidoj.db"
"c:\program files\Common Files\exirutuj.exe"
"c:\program files\Common Files\pefo.lib"
"c:\program files\Common Files\topihafek.dl"
"c:\windows\Ifolilulokuzoxu.bin"
"c:\windows\system32\3.tmp"
"c:\windows\system32\drivers\nnshqyy.sys"
"c:\windows\szetyj67v.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Administrator\Local Settings\Application Data\qwmgwwevi
c:\program files\Common Files\dutidoj.db
c:\program files\Common Files\exirutuj.exe
c:\program files\Common Files\pefo.lib
c:\program files\Common Files\topihafek.dl
c:\program files\Zynga
c:\program files\Zynga\INSTALL.LOG
c:\program files\Zynga\tbZyng.dll
c:\program files\Zynga\toolbar.cfg
c:\program files\Zynga\UNWISE.EXE
c:\program files\Zynga\ZyngaToolbarHelper.exe
c:\windows\Ifolilulokuzoxu.bin
c:\windows\system32\drivers\nnshqyy.sys
c:\windows\szetyj67v.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MEMSWEEP2
-------\Legacy_P
-------\Service_P
-------\Legacy_nnshqyy
-------\Service_nnshqyy


((((((((((((((((((((((((( Files Created from 2010-06-24 to 2010-07-24 )))))))))))))))))))))))))))))))
.

2010-07-24 08:58 . 2010-07-24 08:58 -------- d-----w- C:\_OTL
2010-07-24 04:25 . 2010-05-26 20:45 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-07-24 03:08 . 2010-07-24 03:08 -------- d-----w- c:\program files\Sophos
2010-07-23 10:40 . 2010-07-23 10:40 -------- d-----w- c:\program files\SpywareBlaster
2010-07-23 06:08 . 2010-07-23 14:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-07-23 03:54 . 2010-07-23 03:54 -------- d-----w- c:\program files\Samsung Electronics
2010-07-20 06:20 . 2010-01-14 07:02 14848 ----a-w- c:\windows\system32\drivers\sscdmdfl.sys
2010-07-20 06:20 . 2010-01-14 07:02 12416 ----a-w- c:\windows\system32\drivers\sscdcmnt.sys
2010-07-20 06:20 . 2010-01-14 07:02 12416 ----a-w- c:\windows\system32\drivers\sscdcm.sys
2010-07-20 06:20 . 2010-01-14 07:02 123648 ----a-w- c:\windows\system32\drivers\sscdmdm.sys
2010-07-20 06:20 . 2010-01-14 07:02 12288 ----a-w- c:\windows\system32\drivers\sscdwhnt.sys
2010-07-20 06:20 . 2010-01-14 07:02 12288 ----a-w- c:\windows\system32\drivers\sscdwh.sys
2010-07-20 06:20 . 2010-01-14 07:02 98560 ----a-w- c:\windows\system32\drivers\sscdbus.sys
2010-07-20 06:20 . 2010-07-20 06:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Samsung
2010-07-20 06:19 . 2010-07-20 06:19 53248 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{64C85B95-E971-4705-B3ED-D4A0153C0D5B}\ARPPRODUCTICON.exe
2010-07-19 06:45 . 2010-07-19 06:45 -------- d-----w- c:\program files\YouTube Downloader
2010-07-18 09:44 . 2010-07-18 09:54 -------- d-----w- c:\program files\Moccatroller PC

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-24 10:29 . 2010-04-27 04:44 -------- d-----w- c:\program files\LogMeIn
2010-07-24 06:25 . 2009-02-15 18:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-07-23 14:34 . 2008-03-11 19:07 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-23 03:54 . 2007-07-16 05:47 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-20 06:18 . 2009-08-01 09:04 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\vlc
2010-07-18 09:56 . 2007-07-17 00:55 -------- d-----w- c:\program files\Windows Media Connect 2
2010-07-17 06:55 . 2007-07-16 06:10 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\uTorrent
2010-07-12 06:26 . 2007-07-16 09:47 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Vso
2010-06-22 05:27 . 2007-09-23 05:45 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\dvdcss
2010-06-20 15:27 . 2009-03-10 15:09 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\FrostWire
2010-06-15 07:34 . 2010-01-12 13:50 -------- d-----w- c:\program files\Defraggler
2010-06-10 03:46 . 2010-04-27 04:44 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-06-10 03:46 . 2010-04-27 04:44 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-06-10 03:46 . 2010-04-27 04:44 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-06-04 07:45 . 2009-02-27 19:10 -------- d-----w- c:\program files\JetAudio
2010-05-22 05:23 . 2009-10-07 00:33 1055744 ----a-w- c:\documents and settings\All Users\Application Data\WorldWinner\bigmoney\BigMoney.dll
2010-04-30 01:39 . 2002-01-01 10:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-30 01:39 . 2002-01-01 10:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2006-03-10 05:59 . 2007-07-15 21:07 32 --sha-w- c:\windows\SMINST\HPCD.SYS
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-24 17:43 . 2010-07-24 17:43 16384 c:\windows\temp\Perflib_Perfdata_7a0.dat
+ 2010-07-24 17:57 . 2010-07-24 17:57 16384 c:\windows\temp\Perflib_Perfdata_764.dat
+ 2005-06-07 06:55 . 2010-07-24 09:54 80182 c:\windows\system32\perfc009.dat
- 2005-06-07 06:55 . 2010-07-24 09:29 80182 c:\windows\system32\perfc009.dat
+ 2005-06-07 06:55 . 2010-07-24 09:54 467076 c:\windows\system32\perfh009.dat
- 2005-06-07 06:55 . 2010-07-24 09:29 467076 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-02-27 160592]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\fcde06e5-0683-4925-ae4c-1efce00e4c5d.exe" [2009-12-02 2001648]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BootSkin Startup Jobs"="c:\program files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-04-27 270336]
"SoundMan"="SOUNDMAN.EXE" [2005-09-21 86016]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-04-28 2374464]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-7-7 600680]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-06-10 03:46 87424 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *\0smrgdf c:\documents and settings\HP_Administrator\Application Data\iolo\

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-11-13 23:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkinClock]
2008-09-30 10:29 1739776 ----a-w- c:\program files\Atomic Alarm Clock\AtomicAlarmClock.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Guild Wars\\Gw.exe"=
"c:\\windows\\system32\\sessmgr.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Common Files\\Sonic Shared\\RoxioUPnPRenderer9.exe"=
"c:\\Program Files\\Roxio\\Creator Classic 9\\Creator9.exe"=
"c:\\Program Files\\Roxio\\Audio Master 9\\DVDMusicAssistant9.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Documents and Settings\\HP_Administrator\\My Documents\\Downloads\\FrostWire\\FrostWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-08-03 7:11 PM 114768]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [2009-08-03 7:44 PM 704384]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-01-15 4:17 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 4:17 PM 74480]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-07-23 6:25 PM 18816]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-08-03 7:11 PM 20560]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2008-08-11 12856]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [2009-08-03 7:42 PM 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [2009-08-03 7:44 PM 257432]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 4:17 PM 7408]
S2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [2009-08-03 7:42 PM 1195008]
S2 gupdate1c9ac7991adc6b8;Google Update Service (gupdate1c9ac7991adc6b8);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-24 2:10 AM 133104]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2009-08-28 1:50 PM 42112]
S3 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [2008-09-09 1:49 PM 693512]
S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [2008-09-09 1:49 PM 906504]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-12-28 7:02 AM 287232]
S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [2007-12-29 3:14 AM 7548]
.
Contents of the 'Scheduled Tasks' folder

2010-07-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-24 12:10]

2010-07-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-24 12:10]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Customize Menu - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: live.com\onecare
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\eo6tdafs.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\eo6tdafs.default\extensions\{22119944-ED35-4ab1-910B-E619EA06A115}\components\rfproxy_31.dll
FF - component: c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\eo6tdafs.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\eo6tdafs.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - [You must be registered and logged in to see this link.] files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Zynga Toolbar - c:\progra~1\Zynga\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-24 07:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,55,11,d8,5c,97,93,32,4b,ba,33,6f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,55,11,d8,5c,97,93,32,4b,ba,33,6f,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(800)
c:\windows\system32\LMIinit.dll
c:\windows\System32\BCMLogon.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(2044)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-07-24 08:03:15 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-24 18:02
ComboFix2.txt 2010-07-24 09:52

Pre-Run: 117,982,007,296 bytes free
Post-Run: 117,944,659,968 bytes free

- - End Of File - - 3ECB4BDE8980BECC534E865024545168


Re: Rootkit Win32:Bubnix-H

Post by Sneakyone on Sun 25 Jul 2010, 6:30 am

Hi,

Please download Malwarebytes Anti-Malware from Here.


Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


I'm livin' life in the fast lane.



Re: Rootkit Win32:Bubnix-H

Post by iDhitz on Sun 01 Aug 2010, 6:46 am

Here is mbam log. While scanning avast! found rootkit again.



Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4375

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/31/2010 9:45:39 AM
mbam-log-2010-07-31 (09-45-39).txt

Scan type: Quick scan
Objects scanned: 162522
Time elapsed: 9 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: Rootkit Win32:Bubnix-H

Post by Sneakyone on Sun 01 Aug 2010, 7:02 am

Hi.

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


I'm livin' life in the fast lane.



Re: Rootkit Win32:Bubnix-H

Post by iDhitz on Sun 01 Aug 2010, 6:01 pm

After accepting the terms and clicking Start, a second IE opens and tries to load, but I get an Application Error with the message:
"The instruction at "0x06960068" referenced memory at "0x06960068". The memory could not be "written"."

Click OK to terminate program
click CANCEL to debug the program

What should I do?


Re: Rootkit Win32:Bubnix-H

Post by Sneakyone on Sun 01 Aug 2010, 6:46 pm

Hi.

Please do this instead.

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.


I'm livin' life in the fast lane.



Re: Rootkit Win32:Bubnix-H

Post by iDhitz on Mon 02 Aug 2010, 1:07 am

Kaspersky Report

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, August 1, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, July 31, 2010 23:31:19
Records in database: 4178720
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
G:\
H:\
I:\
J:\
K:\

Scan statistics:
Objects scanned: 139561
Threats found: 2
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 03:52:44


File name / Threat / Threats count
C:\Documents and Settings\HP_Administrator\My Documents\Downloads\vnc-4_1_3-x86_win32\vnc-4_1_3-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ad 2
C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\searchplugins\google_search.xml.vir Infected: Trojan.Win32.Clicker.hd 1

Selected area has been scanned.


Re: Rootkit Win32:Bubnix-H

Post by Sneakyone on Mon 02 Aug 2010, 7:53 am

Hi.

What is your use for this?

C:\Documents and Settings\HP_Administrator\My Documents\Downloads\vnc-4_1_3-x86_win32\vnc-4_1_3-x86_win32.exe

If you have no use for it, please delete it.

Your computer is now clean. Now, time to remove the tools used, and update your computer to prevent vulnerability.

Updating System Restore
Now, to get you off to a good start, we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE.


You now have a clean restore point.

To get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The System will do a calculation of temporary/old files, and then display a dialogue box.
  • Select the More Options Tab.
  • At the bottom will be a System Restore box with a CLEANUP button; click this
  • Accept the Warning and select OK again; the program will close and you are done.


========

Removing the tools
Now, to remove all of the tools we used and the files and folders they created, please do the following:

Download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.


============

Service Pack upgrade
Please consider upgrading to Windows XP SP3, because it includes all previously released updates. It also includes a small number of new functionalities. Some of the updates that Service Pack 3 provides, you may not have. It is now available via Windows Update.

More info about SP3: [You must be registered and logged in to see this link.]

=====

Update Programs
Please download the newest version of Adobe Acrobat Reader from Adobe.com

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previously installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.



Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previously installed versions of Java (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

============

Here are some prevention tips I have provided:

1. Don't download files from untrusted websites or websites that seem suspicious.

2. Don't use torrents; they are a good way to get lots of malware.

3. Don't download and use cracks/warez/keygens; they are illegal and are another good way to contract malware.

4. Disable autorun (XP or Vista/7)

5. Always make sure you have the latest Windows updates. windowsupdate.microsoft.com

6. Don't ever click on the links inside of a popup.

7. Make sure you know what you install; you can make sure it is not known for being a virus by simply searching for it on Google.

8. Use a Site Advisor so you don't go to sites that will infect you. McAfee SiteAdvisor

9. Also, there are many holes and flaws in Internet Explorer; I recommend using Firefox 3 to keep you safer.

10. Always keep your Java and Adobe updated.

11. Don't fall for Scareware. What is Scareware? It is a website made to download a rogue Antivirus on your system that will scare you into buying their fake software due to false detections.

12. Always have a Firewall and an Antivirus.

Thanks for choosing GeekPolice, see [You must be registered and logged in to see this link.] if you would like to leave feedback or contribute to our site. Do you have any more questions?

For more information please visit [You must be registered and logged in to see this link.]


I'm livin' life in the fast lane.



Re: Rootkit Win32:Bubnix-H

Post by iDhitz on Mon 02 Aug 2010, 9:34 am

Thank you very much for all your help. Could you please recommend a good antivirus and firewall? Looking for freeware.


Re: Rootkit Win32:Bubnix-H

Post by Sneakyone on Tue 03 Aug 2010, 6:17 am

Hi.

You're welcome, glad to help.

Please only choose one from each:
AV:
1. Microsoft Security Essentials
2. AVG Free
3. Avast!
FW:
1. Tallemu Online Armor
2. Comodo Firewall


I'm livin' life in the fast lane.

