Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Bagle.IX and Download Bagle Trojan [RESOLVED]


  • This topic is locked This topic is locked

#1
Linda68

Linda68

    Member

  • Member
  • PipPip
  • 97 posts
Hi,
Here is my problem ...
Before I knew I had spyware, my Internet connection was dreadfully slow and my soundcard would not produce any sounds except for the WIndows Start sound and the pop-up box, svchost.exe - No Disk - cancel, try
again, continue

FIrst, I tried to run Avast, received the message "ashavast.exe is not a valid WIN32 application."

I secondly tried SuperAntispyare Free Edition. A majority of the time it was unable to finish the scan process, I'd receive the blue screen of death and my system would reboot and upon reboot would state it recovered from a serious error. If the process completed and I was asked to reboot, it would get to the XP screen, kick out and directo me to the F8
screen where I could pick safe mode, normal mode or last known good menu. If I chose ANY option other than the last known good menu, the boot process would fail and it would return me to the F8 boot options.

Before following the website directions and after the unsuccessfulness of SuperAntispyware, I installed paretologic Anti-Spyware and it found Bagle.IX Worm and Download Trojan Bagle. However, I notice the the second Trojan Bagle does not appear with Paretologic on subsequent scans.

After running Paretologic, I now receive upon opening IE, a pop-up box that states "Select FIle to Crack" When I cancel out of it, IE is very slow to load, but the I am able to surf quickly. However, I am still unable to open and view webcasts for a class I'm taking.

I want to mention that in my Recycle Bin last night, there was a 436MB entry for Windows XP Office that ATF Cleaner was unable to delete. It said something about the "ORK" directory couldn't be deleted. I restored it and tried to delete it
manually once I found the file. I was only able to find it through system search (it was in the emule directory) with a folder name of ORK, I clicked on it and was unable to delete it OR even select it. I then tried to search the exact same emule directory on a networked laptop and it could not even find the entry. However, this morning, I could not locate the file on any computer as it seems to have disappeared.

I have attached the combofix log and the uninstall log. XP SP2 was already installed on my computer. I am still unable to boot into Safe Mode. I pasted my software environment in the beginning of the combofix file. Hope it helps.

Any help I can get is greatly appreciated.

Linda

--------------------------------------------------------------------------
HIJACK THIS LOG FILE
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:28:45 AM, on 4/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Linda Kristina\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ParetoLogic Anti-Spyware] "C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" -NM -hidesplash
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1183756517259
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1183756423524
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.winkflash...geUploader4.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) -
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

--
End of file - 4687 bytes
----------------------------------------------------------------------------------------------------------------------------------

ComboFix
OS Name Microsoft Windows XP Professional
Version 5.1.2600 Service Pack 2 Build 2600
OS Manufacturer Microsoft Corporation
System Name C-1722815
System Manufacturer VIA Technologies, Inc.
System Model VT8363
System Type X86-based PC
Processor x86 Family 6 Model 4 Stepping 2 AuthenticAMD ~1333 Mhz
BIOS Version/Date Award Software International, Inc. 6.00 PG, 5/11/2001
SMBIOS Version 2.3
Windows Directory C:\WINDOWS
System Directory C:\WINDOWS\system32
Boot Device \Device\HarddiskVolume2
Locale United States
Hardware Abstraction Layer Version = "5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)"
User Name C-1722815\Linda Kristina
Time Zone Central Standard Time
Total Physical Memory 256.00 MB
Available Physical Memory 32.97 MB
Total Virtual Memory 2.00 GB
Available Virtual Memory 1.96 GB
Page File Space 619.19 MB
Page File C:\pagefile.sys


------------------------------------------------------------------------------------------
ComboFix 08-04-10.7 - Linda Kristina 2008-04-10 22:52:43.1 - NTFSx86
Running from: C:\Documents and Settings\Linda Kristina\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ban_list.txt
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\FTPx.dll
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\wintems.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SROSA


((((((((((((((((((((((((( Files Created from 2008-03-11 to 2008-04-11 )))))))))))))))))))))))))))))))
.

2008-04-10 20:36 . 2008-04-10 20:36 <DIR> d-------- C:\Program Files\ParetoLogic
2008-04-10 20:36 . 2008-04-10 20:36 <DIR> d-------- C:\Program Files\Common Files\ParetoLogic
2008-04-10 20:36 . 2008-04-10 20:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware
2008-04-10 20:31 . 2008-04-10 21:49 <DIR> d-------- C:\paretologic
2008-04-09 21:51 . 2008-04-09 21:51 <DIR> d-------- C:\Documents and Settings\Linda Kristina\Application Data\Thinstall
2008-04-09 21:51 . 2008-04-09 21:21 12,828,619 --a------ C:\RegCure 1.5.exe
2008-04-09 20:11 . 2008-04-09 21:00 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-09 20:11 . 2008-04-09 21:00 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-09 19:54 . 2008-04-09 19:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-09 19:54 . 2008-04-09 19:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-09 19:53 . 2008-04-09 19:53 <DIR> d-------- C:\Program Files\CCleaner
2008-04-09 07:42 . 2008-04-09 19:54 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-09 07:42 . 2008-04-09 07:42 <DIR> d-------- C:\Documents and Settings\Linda Kristina\Application Data\SUPERAntiSpyware.com
2008-04-09 07:38 . 2008-04-09 07:38 1,239,357 --a------ C:\MGtools.exe
2008-04-08 21:05 . 2008-03-29 12:45 1,146,232 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-04-08 21:05 . 2004-01-09 03:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-04-08 21:05 . 2008-03-29 12:23 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-04-08 21:05 . 2008-03-29 12:35 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-04-08 21:05 . 2008-01-17 10:34 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-04-08 21:05 . 2008-03-29 12:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
2008-04-08 21:05 . 2008-03-29 12:27 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-04-08 21:05 . 2008-03-29 12:26 26,944 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-04-08 21:05 . 2008-03-29 12:29 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-04-08 21:05 . 2008-03-29 12:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-04-05 17:10 . 2008-04-05 17:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\U3
2008-04-05 17:04 . 2008-04-05 18:12 <DIR> d-------- C:\Documents and Settings\Linda Kristina\Application Data\U3
2008-04-05 17:03 . 2004-08-04 00:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-04-05 10:18 . 2006-08-07 02:04 688,128 --a------ C:\WINDOWS\system32\drivers\mdelk.exe
2008-04-05 10:12 . 2008-04-10 22:45 <DIR> d-------- C:\WINDOWS\system32\drivers\downld
2008-04-05 10:10 . 2008-04-05 10:10 <DIR> d-------- C:\WINDOWS\system32\windows media
2008-04-05 10:10 . 2008-04-05 10:10 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-04-05 10:10 . 2008-04-05 10:10 <DIR> d-------- C:\Program Files\Windows Media Components
2008-04-05 10:09 . 2008-04-05 15:21 737,280 --a------ C:\WINDOWS\iun6002.exe
2008-04-04 22:40 . 2006-10-26 20:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-04-04 22:36 . 2008-04-04 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-21 14:18 . 2008-03-21 14:18 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-03-21 14:17 . 2007-10-22 19:58 1,721,712 --------- C:\WINDOWS\system32\InetClnt.dll
2008-03-16 19:58 . 2008-03-16 19:58 <DIR> d--h----- C:\WINDOWS\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-11 02:22 --------- d-----w C:\Documents and Settings\Linda Kristina\Application Data\ComcastToolbar
2008-04-10 00:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-06 19:03 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs
2008-03-21 19:21 --------- d-----w C:\Documents and Settings\Linda Kristina\Application Data\Intuit
2008-03-21 19:17 --------- d-----w C:\Program Files\Common Files\Intuit
2008-03-20 12:03 --------- d-----w C:\Program Files\CrossTrainerII
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ParetoLogic Anti-Spyware"="C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" [2007-08-01 13:56 2643312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-04-10 22:21 79224]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
"{51C55F9E-C308-4c95-89AB-8858D8AFD819}"= C:\Program Files\ParetoLogic\Anti-Spyware\PASShlExt.dll [2007-04-11 17:47 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LaunchU3.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LaunchU3.exe.lnk
backup=C:\WINDOWS\pss\LaunchU3.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 11:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Auto EPSON Stylus CX3800 Series (Copy 1) on LMK-XP]
--a------ 2005-02-07 22:00 98304 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Auto EPSON Stylus CX3800 Series on LMK-XP]
--a------ 2005-02-07 22:00 98304 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2008-04-10 22:21 79224 E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
--a------ 2007-04-19 15:21 198184 C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\devenv]
C:\WINDOWS\system\smvss.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater]
--a------ 2004-03-10 16:16 204800 E:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
--a------ 2006-11-15 22:01 244512 C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-07-06 18:33 282624 E:\Program Files\QuickTime_4\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2005-01-12 03:01 32768 E:\Program Files\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-02-29 16:03 1481968 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2006-08-07 02:04 688128 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsServicesStartup]
C:\DOCUME~1\LINDAK~1\LOCALS~1\Temp\svchost.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\dnloads\\eMule\\eMule.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"E:\\EMule Extracts\\EMule.46c\\emule.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"D:\\dnloads\\eMule\\eMule_II\\eMule.exe"=
"D:\\Program Files\\EMule\\emule.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R0 hpt3xx;hpt3xx;C:\WINDOWS\system32\drivers\hpt3xx.sys [2004-01-05 04:10]
R0 hptpro;hptpro;C:\WINDOWS\system32\drivers\hptpro.sys [2003-01-27 10:12]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 12:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 12:35]
S1 srosa;Megadrv3;C:\WINDOWS\system32\drivers\srosa.sys []
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2005-02-16 03:06]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17282e89-0346-11dd-a3b2-000103c623f3}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-04-11 01:37:31 C:\WINDOWS\Tasks\Pareto UNS.job"
- C:\Program Files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe
"2008-04-11 01:36:31 C:\WINDOWS\Tasks\ParetoLogic Anti-Spyware.job"
- C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe
"2008-04-11 01:36:25 C:\WINDOWS\Tasks\ParetoLogic Update.job"
- C:\Program Files\Common Files\ParetoLogic\UUS\Pareto_Update.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 23:05:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wbem\wmiadap.exe
.
**************************************************************************
.
Completion time: 2008-04-10 23:08:59 - machine was rebooted [Linda Kristina]
ComboFix-quarantined-files.txt 2008-04-11 04:08:49
Pre-Run: 940,396,544 bytes free
Post-Run: 1,049,980,928 bytes free
  • 0

Advertisements


#2
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,962 posts
Hi, Linda68 :)

Welcome.

Download SafeBootKeyRepair.exe by sUBs and save it to your desktop. Double-click SafeBootKeyRepair.exe to run it. Follow all prompts.

Post the log it will produce in your next reply.
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop

File::
C:\WINDOWS\system32\drivers\mdelk.exe
C:\WINDOWS\system\smvss.exe
C:\DOCUME~1\LINDAK~1\LOCALS~1\Temp\svchost.exe
C:\WINDOWS\system32\drivers\lvuvc.hs
C:\WINDOWS\system32\drivers\srosa.sys

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\devenv]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsServicesStartup]

Driver::
srosa


Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log..
  • 0

#3
Linda68

Linda68

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
Thanks for the quick reply!
After creating all the new logs, I was unable to run hijackthis, not a valid win32 application. No luck when I renamed the file to hjt.exe. Attached are safeboot and new combofix logs


Reg export of SafeBoot key after repair:
========================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Browser]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Dhcp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DnsCache]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ip6fw.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ipnat.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanServer]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanWorkstation]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LmHosts]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Messenger]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS Wrapper]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Ndisuio]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOS]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOSGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBT]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetDDEGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetMan]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Network]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetworkProvider]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NtLmSsp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP_TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpcdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpwd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdsessmgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SharedAccess]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Streams Drivers]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdpipe.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdtcp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\termservice]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WZCSVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

========================

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\PSEXESVC

-------------------------------------------------------------------------------------------------------------------------------------


NEW COMBOFIX
ComboFix 08-04-10.7 - Linda Kristina 2008-04-11 10:28:29.2 - NTFSx86
Running from: C:\Documents and Settings\Linda Kristina\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\Linda Kristina\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\DOCUME~1\LINDAK~1\LOCALS~1\Temp\svchost.exe
C:\WINDOWS\system\smvss.exe
C:\WINDOWS\system32\drivers\lvuvc.hs
C:\WINDOWS\system32\drivers\mdelk.exe
C:\WINDOWS\system32\drivers\srosa.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\lvuvc.hs
C:\WINDOWS\system32\drivers\mdelk.exe
C:\WINDOWS\system32\drivers\srosa.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SROSA


((((((((((((((((((((((((( Files Created from 2008-03-11 to 2008-04-11 )))))))))))))))))))))))))))))))
.

2008-04-11 10:20 . 2008-04-11 10:22 <DIR> d-------- C:\Geeks_New
2008-04-10 20:36 . 2008-04-10 20:36 <DIR> d-------- C:\Program Files\ParetoLogic
2008-04-10 20:36 . 2008-04-10 20:36 <DIR> d-------- C:\Program Files\Common Files\ParetoLogic
2008-04-10 20:36 . 2008-04-10 20:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware
2008-04-10 20:31 . 2008-04-10 21:49 <DIR> d-------- C:\paretologic
2008-04-09 21:51 . 2008-04-09 21:51 <DIR> d-------- C:\Documents and Settings\Linda Kristina\Application Data\Thinstall
2008-04-09 21:51 . 2008-04-09 21:21 12,828,619 --a------ C:\RegCure 1.5.exe
2008-04-09 20:11 . 2008-04-09 21:00 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-09 20:11 . 2008-04-09 21:00 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-09 19:54 . 2008-04-09 19:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-09 19:54 . 2008-04-09 19:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-09 19:53 . 2008-04-09 19:53 <DIR> d-------- C:\Program Files\CCleaner
2008-04-09 07:42 . 2008-04-09 19:54 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-09 07:42 . 2008-04-09 07:42 <DIR> d-------- C:\Documents and Settings\Linda Kristina\Application Data\SUPERAntiSpyware.com
2008-04-09 07:38 . 2008-04-09 07:38 1,239,357 --a------ C:\MGtools.exe
2008-04-08 21:05 . 2008-03-29 12:45 1,146,232 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-04-08 21:05 . 2004-01-09 03:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-04-08 21:05 . 2008-03-29 12:23 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-04-08 21:05 . 2008-03-29 12:35 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-04-08 21:05 . 2008-01-17 10:34 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-04-08 21:05 . 2008-03-29 12:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
2008-04-08 21:05 . 2008-03-29 12:27 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-04-08 21:05 . 2008-03-29 12:26 26,944 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-04-08 21:05 . 2008-03-29 12:29 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-04-08 21:05 . 2008-03-29 12:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-04-05 17:10 . 2008-04-05 17:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\U3
2008-04-05 17:04 . 2008-04-05 18:12 <DIR> d-------- C:\Documents and Settings\Linda Kristina\Application Data\U3
2008-04-05 17:03 . 2004-08-04 00:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-04-05 10:12 . 2008-04-11 10:00 <DIR> d-------- C:\WINDOWS\system32\drivers\downld
2008-04-05 10:10 . 2008-04-05 10:10 <DIR> d-------- C:\WINDOWS\system32\windows media
2008-04-05 10:10 . 2008-04-05 10:10 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-04-05 10:10 . 2008-04-05 10:10 <DIR> d-------- C:\Program Files\Windows Media Components
2008-04-05 10:09 . 2008-04-05 15:21 737,280 --a------ C:\WINDOWS\iun6002.exe
2008-04-04 22:40 . 2006-10-26 20:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-04-04 22:36 . 2008-04-04 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-21 14:18 . 2008-03-21 14:18 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-03-21 14:17 . 2007-10-22 19:58 1,721,712 --------- C:\WINDOWS\system32\InetClnt.dll
2008-03-16 19:58 . 2008-03-16 19:58 <DIR> d--h----- C:\WINDOWS\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-11 15:18 --------- d-----w C:\Documents and Settings\Linda Kristina\Application Data\ComcastToolbar
2008-04-10 00:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-21 19:21 --------- d-----w C:\Documents and Settings\Linda Kristina\Application Data\Intuit
2008-03-21 19:17 --------- d-----w C:\Program Files\Common Files\Intuit
2008-03-20 12:03 --------- d-----w C:\Program Files\CrossTrainerII
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((( [email protected]_23.07.47.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-11 12:37:47 715,780 ----a-w C:\WINDOWS\system32\drivers\downld\2020295.exe
+ 2008-04-11 14:59:02 15,373 ----a-w C:\WINDOWS\system32\drivers\downld\388208.exe
+ 2008-04-11 13:47:33 17,939 ----a-w C:\WINDOWS\system32\drivers\downld\390050.exe
+ 2008-04-11 13:48:09 28,139 ----a-w C:\WINDOWS\system32\drivers\downld\423258.exe
+ 2008-04-11 14:59:49 28,139 ----a-w C:\WINDOWS\system32\drivers\downld\433022.exe
+ 2008-04-11 13:48:42 25,577 ----a-w C:\WINDOWS\system32\drivers\downld\452460.exe
+ 2008-04-11 15:00:11 25,577 ----a-w C:\WINDOWS\system32\drivers\downld\460071.exe
+ 2008-04-11 15:00:27 44,762 ----a-w C:\WINDOWS\system32\drivers\downld\473420.exe
+ 2008-04-11 13:49:05 44,762 ----a-w C:\WINDOWS\system32\drivers\downld\480731.exe
+ 2008-04-11 14:53:57 73,308 ----a-w C:\WINDOWS\system32\drivers\downld\84621.exe
+ 2008-04-11 14:54:08 715,780 ----a-w C:\WINDOWS\system32\drivers\downld\91000.exe
+ 2008-04-11 13:42:32 73,308 ----a-w C:\WINDOWS\system32\drivers\downld\91621.exe
- 2008-04-10 00:09:44 58,800 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-11 04:08:54 58,800 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-10 00:09:44 392,626 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-11 04:08:54 392,626 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ParetoLogic Anti-Spyware"="C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" [2007-08-01 13:56 2643312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-04-10 22:21 79224]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
"{51C55F9E-C308-4c95-89AB-8858D8AFD819}"= C:\Program Files\ParetoLogic\Anti-Spyware\PASShlExt.dll [2007-04-11 17:47 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LaunchU3.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LaunchU3.exe.lnk
backup=C:\WINDOWS\pss\LaunchU3.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 11:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Auto EPSON Stylus CX3800 Series (Copy 1) on LMK-XP]
--a------ 2005-02-07 22:00 98304 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Auto EPSON Stylus CX3800 Series on LMK-XP]
--a------ 2005-02-07 22:00 98304 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2008-04-10 22:21 79224 E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
--a------ 2007-04-19 15:21 198184 C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater]
--a------ 2004-03-10 16:16 204800 E:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
--a------ 2006-11-15 22:01 244512 C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-07-06 18:33 282624 E:\Program Files\QuickTime_4\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2005-01-12 03:01 32768 E:\Program Files\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-02-29 16:03 1481968 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2006-08-07 02:04 688128 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\dnloads\\eMule\\eMule.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"E:\\EMule Extracts\\EMule.46c\\emule.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"D:\\dnloads\\eMule\\eMule_II\\eMule.exe"=
"D:\\Program Files\\EMule\\emule.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R0 hpt3xx;hpt3xx;C:\WINDOWS\system32\drivers\hpt3xx.sys [2004-01-05 04:10]
R0 hptpro;hptpro;C:\WINDOWS\system32\drivers\hptpro.sys [2003-01-27 10:12]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 12:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 12:35]
S1 srosa;Megadrv3;C:\WINDOWS\system32\drivers\srosa.sys []
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2005-02-16 03:06]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17282e89-0346-11dd-a3b2-000103c623f3}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-04-11 01:37:31 C:\WINDOWS\Tasks\Pareto UNS.job"
- C:\Program Files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe
"2008-04-11 12:03:04 C:\WINDOWS\Tasks\ParetoLogic Anti-Spyware.job"
- C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe
"2008-04-11 05:33:00 C:\WINDOWS\Tasks\ParetoLogic Update.job"
- C:\Program Files\Common Files\ParetoLogic\UUS\Pareto_Update.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-11 10:33:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\devldr32.exe
.
**************************************************************************
.
Completion time: 2008-04-11 10:36:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-11 15:36:21
ComboFix2.txt 2008-04-11 12:01:22
Pre-Run: 1,038,602,240 bytes free
Post-Run: 1,027,182,592 bytes free
  • 0

#4
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,962 posts
Hi, Linda68 :)

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop

Driver::
srosa

File
C:\WINDOWS\system32\drivers\srosa.sys

DirLook::
C:\WINDOWS\system32\drivers\downld

Suspect::
C:\WINDOWS\system32\drivers\downld\2020295.exe
C:\WINDOWS\system32\drivers\downld\388208.exe
C:\WINDOWS\system32\drivers\downld\390050.exe


Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log.

Additonally, ComboFix will generate a zipped file on your desktop called Submit [Date Time].zip
Please submit this file to:

http://www.bleepingc...e.php?channel=4

Please include a link to this topic in the message.

Have you tried booting in Safe Mode?
  • 0

#5
Linda68

Linda68

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
Here is the new combofix log
I'm unable to boot into safe mode, still can't run hijackthis
My zip file has been posted to the requested website

ComboFix 08-04-10.7 - Linda Kristina 2008-04-11 11:41:37.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.108 [GMT -5:00]
Running from: C:\Documents and Settings\Linda Kristina\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\Linda Kristina\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_srosa


((((((((((((((((((((((((( Files Created from 2008-03-11 to 2008-04-11 )))))))))))))))))))))))))))))))
.

2008-04-11 10:20 . 2008-04-11 10:37 <DIR> d-------- C:\Geeks_New
2008-04-10 20:36 . 2008-04-10 20:36 <DIR> d-------- C:\Program Files\ParetoLogic
2008-04-10 20:36 . 2008-04-10 20:36 <DIR> d-------- C:\Program Files\Common Files\ParetoLogic
2008-04-10 20:36 . 2008-04-10 20:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware
2008-04-10 20:31 . 2008-04-10 21:49 <DIR> d-------- C:\paretologic
2008-04-09 21:51 . 2008-04-09 21:51 <DIR> d-------- C:\Documents and Settings\Linda Kristina\Application Data\Thinstall
2008-04-09 21:51 . 2008-04-09 21:21 12,828,619 --a------ C:\RegCure 1.5.exe
2008-04-09 20:11 . 2008-04-09 21:00 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-09 20:11 . 2008-04-09 21:00 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-09 19:54 . 2008-04-09 19:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-09 19:54 . 2008-04-09 19:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-09 19:53 . 2008-04-09 19:53 <DIR> d-------- C:\Program Files\CCleaner
2008-04-09 07:42 . 2008-04-09 19:54 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-09 07:42 . 2008-04-09 07:42 <DIR> d-------- C:\Documents and Settings\Linda Kristina\Application Data\SUPERAntiSpyware.com
2008-04-09 07:38 . 2008-04-09 07:38 1,239,357 --a------ C:\MGtools.exe
2008-04-08 21:05 . 2008-03-29 12:45 1,146,232 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-04-08 21:05 . 2004-01-09 03:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-04-08 21:05 . 2008-03-29 12:23 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-04-08 21:05 . 2008-03-29 12:35 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-04-08 21:05 . 2008-01-17 10:34 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-04-08 21:05 . 2008-03-29 12:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
2008-04-08 21:05 . 2008-03-29 12:27 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-04-08 21:05 . 2008-03-29 12:26 26,944 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-04-08 21:05 . 2008-03-29 12:29 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-04-08 21:05 . 2008-03-29 12:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-04-05 17:10 . 2008-04-05 17:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\U3
2008-04-05 17:04 . 2008-04-05 18:12 <DIR> d-------- C:\Documents and Settings\Linda Kristina\Application Data\U3
2008-04-05 17:03 . 2004-08-04 00:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-04-05 10:12 . 2008-04-11 11:41 <DIR> d-------- C:\WINDOWS\system32\drivers\downld
2008-04-05 10:10 . 2008-04-05 10:10 <DIR> d-------- C:\WINDOWS\system32\windows media
2008-04-05 10:10 . 2008-04-05 10:10 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-04-05 10:10 . 2008-04-05 10:10 <DIR> d-------- C:\Program Files\Windows Media Components
2008-04-05 10:09 . 2008-04-05 15:21 737,280 --a------ C:\WINDOWS\iun6002.exe
2008-04-04 22:40 . 2006-10-26 20:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-04-04 22:36 . 2008-04-04 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-21 14:18 . 2008-03-21 14:18 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-03-21 14:17 . 2007-10-22 19:58 1,721,712 --------- C:\WINDOWS\system32\InetClnt.dll
2008-03-16 19:58 . 2008-03-16 19:58 <DIR> d--h----- C:\WINDOWS\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-11 15:18 --------- d-----w C:\Documents and Settings\Linda Kristina\Application Data\ComcastToolbar
2008-04-10 00:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-21 19:21 --------- d-----w C:\Documents and Settings\Linda Kristina\Application Data\Intuit
2008-03-21 19:17 --------- d-----w C:\Program Files\Common Files\Intuit
2008-03-20 12:03 --------- d-----w C:\Program Files\CrossTrainerII
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\system32\drivers\downld ----

2008-04-11 10:00 44762 --a------ C:\WINDOWS\system32\drivers\downld\473420.exe
2008-04-11 10:00 25577 --a------ C:\WINDOWS\system32\drivers\downld\460071.exe
2008-04-11 09:59 28139 --a------ C:\WINDOWS\system32\drivers\downld\433022.exe
2008-04-11 09:59 15373 --a------ C:\WINDOWS\system32\drivers\downld\388208.exe
2008-04-11 09:55 766 --a------ C:\WINDOWS\system32\drivers\downld\175262.exe
2008-04-11 09:54 715780 --a------ C:\WINDOWS\system32\drivers\downld\91000.exe
2008-04-11 09:53 73308 --a------ C:\WINDOWS\system32\drivers\downld\84621.exe
2008-04-11 08:49 44762 --a------ C:\WINDOWS\system32\drivers\downld\480731.exe
2008-04-11 08:48 28139 --a------ C:\WINDOWS\system32\drivers\downld\423258.exe
2008-04-11 08:48 25577 --a------ C:\WINDOWS\system32\drivers\downld\452460.exe
2008-04-11 08:47 17939 --a------ C:\WINDOWS\system32\drivers\downld\390050.exe
2008-04-11 08:44 766 --a------ C:\WINDOWS\system32\drivers\downld\187239.exe
2008-04-11 08:42 73308 --a------ C:\WINDOWS\system32\drivers\downld\91621.exe
2008-04-11 07:37 715780 --a------ C:\WINDOWS\system32\drivers\downld\2020295.exe
2008-04-10 22:45 45632 --a------ C:\WINDOWS\system32\drivers\downld\384282.exe
2008-04-10 22:45 25577 --a------ C:\WINDOWS\system32\drivers\downld\371063.exe
2008-04-10 22:44 28139 --a------ C:\WINDOWS\system32\drivers\downld\351645.exe
2008-04-10 22:44 15385 --a------ C:\WINDOWS\system32\drivers\downld\321372.exe
2008-04-10 22:43 766 --a------ C:\WINDOWS\system32\drivers\downld\281204.exe
2008-04-10 22:42 715780 --a------ C:\WINDOWS\system32\drivers\downld\204003.exe
2008-04-10 21:23 715780 --a------ C:\WINDOWS\system32\drivers\downld\707377.exe
2008-04-10 21:23 68512 --a------ C:\WINDOWS\system32\drivers\downld\691304.exe
2008-04-10 21:20 715780 --a------ C:\WINDOWS\system32\drivers\downld\560616.exe
2008-04-10 21:20 68512 --a------ C:\WINDOWS\system32\drivers\downld\543421.exe
2008-04-10 21:19 766 --a------ C:\WINDOWS\system32\drivers\downld\506077.exe
2008-04-10 21:17 68512 --a------ C:\WINDOWS\system32\drivers\downld\352737.exe
2008-04-10 21:16 766 --a------ C:\WINDOWS\system32\drivers\downld\304187.exe
2008-04-10 21:15 68512 --a------ C:\WINDOWS\system32\drivers\downld\231342.exe
2008-04-10 20:52 45358 --a------ C:\WINDOWS\system32\drivers\downld\714467.exe
2008-04-10 20:51 28139 --a------ C:\WINDOWS\system32\drivers\downld\679396.exe
2008-04-10 20:51 25577 --a------ C:\WINDOWS\system32\drivers\downld\700397.exe
2008-04-10 20:50 766 --a------ C:\WINDOWS\system32\drivers\downld\605580.exe
2008-04-10 20:50 15408 --a------ C:\WINDOWS\system32\drivers\downld\648121.exe
2008-04-10 20:47 766 --a------ C:\WINDOWS\system32\drivers\downld\434254.exe
2008-04-10 20:46 715780 --a------ C:\WINDOWS\system32\drivers\downld\385824.exe
2008-04-10 15:54 45794 --a------ C:\WINDOWS\system32\drivers\downld\33352127.exe
2008-04-10 15:54 25577 --a------ C:\WINDOWS\system32\drivers\downld\33341833.exe
2008-04-10 15:53 28139 --a------ C:\WINDOWS\system32\drivers\downld\33321343.exe
2008-04-10 15:53 15414 --a------ C:\WINDOWS\system32\drivers\downld\33291901.exe
2008-04-10 15:50 766 --a------ C:\WINDOWS\system32\drivers\downld\33114966.exe
2008-04-10 15:49 715780 --a------ C:\WINDOWS\system32\drivers\downld\33074308.exe
2008-04-10 15:49 68512 --a------ C:\WINDOWS\system32\drivers\downld\33066497.exe
2008-04-10 11:49 44132 --a------ C:\WINDOWS\system32\drivers\downld\18656276.exe
2008-04-10 11:49 25577 --a------ C:\WINDOWS\system32\drivers\downld\18642676.exe
2008-04-10 11:48 27361 --a------ C:\WINDOWS\system32\drivers\downld\18622017.exe
2008-04-10 11:48 15400 --a------ C:\WINDOWS\system32\drivers\downld\18590882.exe
2008-04-10 11:45 766 --a------ C:\WINDOWS\system32\drivers\downld\18407268.exe
2008-04-10 11:44 68512 --a------ C:\WINDOWS\system32\drivers\downld\18337077.exe
2008-04-10 07:44 45952 --a------ C:\WINDOWS\system32\drivers\downld\3924843.exe
2008-04-10 07:43 27361 --a------ C:\WINDOWS\system32\drivers\downld\3864937.exe
2008-04-10 07:43 25577 --a------ C:\WINDOWS\system32\drivers\downld\3911584.exe
2008-04-10 07:42 15385 --a------ C:\WINDOWS\system32\drivers\downld\3829756.exe
2008-04-10 06:41 766 --a------ C:\WINDOWS\system32\drivers\downld\184835.exe
2008-04-10 06:40 715780 --a------ C:\WINDOWS\system32\drivers\downld\102347.exe
2008-04-10 06:40 68512 --a------ C:\WINDOWS\system32\drivers\downld\92342.exe
2008-04-10 03:03 46779 --a------ C:\WINDOWS\system32\drivers\downld\14857604.exe
2008-04-10 03:03 25577 --a------ C:\WINDOWS\system32\drivers\downld\14845997.exe
2008-04-10 03:02 27361 --a------ C:\WINDOWS\system32\drivers\downld\14831586.exe
2008-04-10 03:02 19830 --a------ C:\WINDOWS\system32\drivers\downld\14811658.exe
2008-04-10 03:01 766 --a------ C:\WINDOWS\system32\drivers\downld\14755086.exe
2008-04-10 03:01 715780 --a------ C:\WINDOWS\system32\drivers\downld\14722169.exe
2008-04-10 03:01 68512 --a------ C:\WINDOWS\system32\drivers\downld\14716330.exe
2008-04-09 23:00 45148 --a------ C:\WINDOWS\system32\drivers\downld\307762.exe
2008-04-09 23:00 27361 --a------ C:\WINDOWS\system32\drivers\downld\282736.exe
2008-04-09 23:00 25577 --a------ C:\WINDOWS\system32\drivers\downld\298459.exe
2008-04-09 23:00 15373 --a------ C:\WINDOWS\system32\drivers\downld\258161.exe
2008-04-09 22:59 766 --a------ C:\WINDOWS\system32\drivers\downld\228328.exe
2008-04-09 22:58 715780 --a------ C:\WINDOWS\system32\drivers\downld\151357.exe
2008-04-09 22:58 68512 --a------ C:\WINDOWS\system32\drivers\downld\140031.exe
2008-04-09 21:08 45147 --a------ C:\WINDOWS\system32\drivers\downld\3514173.exe
2008-04-09 21:08 25577 --a------ C:\WINDOWS\system32\drivers\downld\3501094.exe
2008-04-09 21:07 27361 --a------ C:\WINDOWS\system32\drivers\downld\3478611.exe
2008-04-09 21:07 19732 --a------ C:\WINDOWS\system32\drivers\downld\3445073.exe
2008-04-09 21:06 766 --a------ C:\WINDOWS\system32\drivers\downld\3390284.exe
2008-04-09 21:04 68512 --a------ C:\WINDOWS\system32\drivers\downld\3257994.exe
2008-04-09 21:02 715780 --a------ C:\WINDOWS\system32\drivers\downld\3161005.exe
2008-04-09 20:59 766 --a------ C:\WINDOWS\system32\drivers\downld\2993925.exe
2008-04-09 20:54 715780 --a------ C:\WINDOWS\system32\drivers\downld\2652003.exe
2008-04-09 20:53 68512 --a------ C:\WINDOWS\system32\drivers\downld\2600919.exe
2008-04-09 20:52 766 --a------ C:\WINDOWS\system32\drivers\downld\2546010.exe
2008-04-09 20:48 715780 --a------ C:\WINDOWS\system32\drivers\downld\2325213.exe
2008-04-09 20:48 68512 --a------ C:\WINDOWS\system32\drivers\downld\2292386.exe
2008-04-09 20:46 715780 --a------ C:\WINDOWS\system32\drivers\downld\2172834.exe
2008-04-09 20:45 68512 --a------ C:\WINDOWS\system32\drivers\downld\2145144.exe
2008-04-09 20:44 715780 --a------ C:\WINDOWS\system32\drivers\downld\2057598.exe
2008-04-09 20:43 68512 --a------ C:\WINDOWS\system32\drivers\downld\2031871.exe
2008-04-09 08:48 715780 --a------ C:\WINDOWS\system32\drivers\downld\1778136.exe
2008-04-09 08:48 68512 --a------ C:\WINDOWS\system32\drivers\downld\1743507.exe
2008-04-09 06:29 46352 --a------ C:\WINDOWS\system32\drivers\downld\33705746.exe
2008-04-09 06:28 26390 --a------ C:\WINDOWS\system32\drivers\downld\33662143.exe
2008-04-09 06:28 25577 --a------ C:\WINDOWS\system32\drivers\downld\33690734.exe
2008-04-09 06:27 19720 --a------ C:\WINDOWS\system32\drivers\downld\33628695.exe
2008-04-09 06:24 766 --a------ C:\WINDOWS\system32\drivers\downld\33451670.exe
2008-04-09 06:23 715780 --a------ C:\WINDOWS\system32\drivers\downld\33380007.exe
2008-04-09 06:23 68512 --a------ C:\WINDOWS\system32\drivers\downld\33369773.exe
2008-04-09 02:23 46524 --a------ C:\WINDOWS\system32\drivers\downld\18958460.exe
2008-04-09 02:22 26390 --a------ C:\WINDOWS\system32\drivers\downld\18924742.exe
2008-04-09 02:22 19720 --a------ C:\WINDOWS\system32\drivers\downld\18882711.exe
2008-04-09 02:21 766 --a------ C:\WINDOWS\system32\drivers\downld\18830586.exe
2008-04-09 02:19 715780 --a------ C:\WINDOWS\system32\drivers\downld\18754197.exe
2008-04-09 02:19 68512 --a------ C:\WINDOWS\system32\drivers\downld\18745474.exe
2008-04-08 22:19 43110 --a------ C:\WINDOWS\system32\drivers\downld\4334272.exe
2008-04-08 22:19 26390 --a------ C:\WINDOWS\system32\drivers\downld\4302326.exe
2008-04-08 22:18 19720 --a------ C:\WINDOWS\system32\drivers\downld\4260786.exe
2008-04-08 22:17 766 --a------ C:\WINDOWS\system32\drivers\downld\4221800.exe
2008-04-08 22:15 715780 --a------ C:\WINDOWS\system32\drivers\downld\4097812.exe
2008-04-08 22:14 68512 --a------ C:\WINDOWS\system32\drivers\downld\3928388.exe
2008-04-08 21:40 43370 --a------ C:\WINDOWS\system32\drivers\downld\1992995.exe
2008-04-08 21:39 26390 --a------ C:\WINDOWS\system32\drivers\downld\1955872.exe
2008-04-08 21:39 15425 --a------ C:\WINDOWS\system32\drivers\downld\1908133.exe
2008-04-08 21:38 766 --a------ C:\WINDOWS\system32\drivers\downld\1845984.exe
2008-04-08 21:37 715780 --a------ C:\WINDOWS\system32\drivers\downld\1771377.exe
2008-04-08 21:32 715780 --a------ C:\WINDOWS\system32\drivers\downld\1498164.exe
2008-04-08 21:32 68512 --a------ C:\WINDOWS\system32\drivers\downld\1490813.exe
2008-04-08 21:17 766 --a------ C:\WINDOWS\system32\drivers\downld\638117.exe
2008-04-08 21:14 715780 --a------ C:\WINDOWS\system32\drivers\downld\449105.exe
2008-04-08 21:14 68512 --a------ C:\WINDOWS\system32\drivers\downld\433273.exe
2008-04-08 20:57 766 --a------ C:\WINDOWS\system32\drivers\downld\1160899.exe
2008-04-08 20:57 715780 --a------ C:\WINDOWS\system32\drivers\downld\1140259.exe
2008-04-08 20:54 766 --a------ C:\WINDOWS\system32\drivers\downld\995651.exe
2008-04-08 20:54 68512 --a------ C:\WINDOWS\system32\drivers\downld\957046.exe
2008-04-08 20:51 715780 --a------ C:\WINDOWS\system32\drivers\downld\774073.exe
2008-04-08 20:51 68512 --a------ C:\WINDOWS\system32\drivers\downld\762055.exe
2008-04-08 20:46 43641 --a------ C:\WINDOWS\system32\drivers\downld\472559.exe
2008-04-08 20:45 26390 --a------ C:\WINDOWS\system32\drivers\downld\447162.exe
2008-04-08 20:45 15385 --a------ C:\WINDOWS\system32\drivers\downld\410340.exe
2008-04-08 20:44 766 --a------ C:\WINDOWS\system32\drivers\downld\374188.exe
2008-04-08 20:44 68512 --a------ C:\WINDOWS\system32\drivers\downld\345987.exe
2008-04-08 20:37 73308 --a------ C:\WINDOWS\system32\drivers\downld\99963.exe
2008-04-08 20:37 68512 --a------ C:\WINDOWS\system32\drivers\downld\98241.exe
2008-04-08 20:23 43773 --a------ C:\WINDOWS\system32\drivers\downld\247155.exe
2008-04-08 20:23 26390 --a------ C:\WINDOWS\system32\drivers\downld\223501.exe
2008-04-08 20:22 19720 --a------ C:\WINDOWS\system32\drivers\downld\184965.exe
2008-04-08 20:21 766 --a------ C:\WINDOWS\system32\drivers\downld\139750.exe
2008-04-08 20:21 715780 --a------ C:\WINDOWS\system32\drivers\downld\107554.exe
2008-04-08 20:21 68512 --a------ C:\WINDOWS\system32\drivers\downld\102206.exe
2008-04-08 19:51 715780 --a------ C:\WINDOWS\system32\drivers\downld\82302214.exe
2008-04-08 19:51 68512 --a------ C:\WINDOWS\system32\drivers\downld\82280513.exe
2008-04-08 19:47 715780 --a------ C:\WINDOWS\system32\drivers\downld\82088316.exe
2008-04-08 19:47 68512 --a------ C:\WINDOWS\system32\drivers\downld\82073215.exe
2008-04-08 19:45 766 --a------ C:\WINDOWS\system32\drivers\downld\81949016.exe
2008-04-08 19:44 68512 --a------ C:\WINDOWS\system32\drivers\downld\81907907.exe
2008-04-08 19:34 766 --a------ C:\WINDOWS\system32\drivers\downld\81311599.exe
2008-04-08 07:00 766 --a------ C:\WINDOWS\system32\drivers\downld\36025572.exe
2008-04-08 06:59 715780 --a------ C:\WINDOWS\system32\drivers\downld\35964123.exe
2008-04-08 06:25 766 --a------ C:\WINDOWS\system32\drivers\downld\33959631.exe
2008-04-08 06:24 715780 --a------ C:\WINDOWS\system32\drivers\downld\33901868.exe
2008-04-08 06:24 68512 --a------ C:\WINDOWS\system32\drivers\downld\33896140.exe
2008-04-07 21:21 715780 --a------ C:\WINDOWS\system32\drivers\downld\1323092.exe
2008-04-07 21:21 68512 --a------ C:\WINDOWS\system32\drivers\downld\1305056.exe
2008-04-07 21:08 26388 --a------ C:\WINDOWS\system32\drivers\downld\545494.exe
2008-04-07 21:07 766 --a------ C:\WINDOWS\system32\drivers\downld\498847.exe
2008-04-07 21:07 715780 --a------ C:\WINDOWS\system32\drivers\downld\469114.exe
2008-04-07 21:07 68512 --a------ C:\WINDOWS\system32\drivers\downld\454283.exe
2008-04-07 21:06 766 --a------ C:\WINDOWS\system32\drivers\downld\399574.exe
2008-04-07 21:05 715780 --a------ C:\WINDOWS\system32\drivers\downld\380837.exe
2008-04-07 21:05 68512 --a------ C:\WINDOWS\system32\drivers\downld\370202.exe
2008-04-07 21:04 715780 --a------ C:\WINDOWS\system32\drivers\downld\271580.exe
2008-04-07 21:04 68512 --a------ C:\WINDOWS\system32\drivers\downld\251581.exe
2008-04-07 21:01 766 --a------ C:\WINDOWS\system32\drivers\downld\136185.exe
2008-04-07 21:01 715780 --a------ C:\WINDOWS\system32\drivers\downld\108946.exe
2008-04-07 20:05 26388 --a------ C:\WINDOWS\system32\drivers\downld\108466867.exe
2008-04-07 20:04 766 --a------ C:\WINDOWS\system32\drivers\downld\108396756.exe
2008-04-07 20:04 715780 --a------ C:\WINDOWS\system32\drivers\downld\108365571.exe
2008-04-07 20:03 68512 --a------ C:\WINDOWS\system32\drivers\downld\108356898.exe
2008-04-07 16:03 31805 --a------ C:\WINDOWS\system32\drivers\downld\93914822.exe
2008-04-07 16:03 26388 --a------ C:\WINDOWS\system32\drivers\downld\93932708.exe
2008-04-07 16:00 766 --a------ C:\WINDOWS\system32\drivers\downld\93746510.exe
2008-04-07 15:59 715780 --a------ C:\WINDOWS\system32\drivers\downld\93719030.exe
2008-04-07 15:59 68512 --a------ C:\WINDOWS\system32\drivers\downld\93711449.exe
2008-04-07 11:59 49927 --a------ C:\WINDOWS\system32\drivers\downld\79267390.exe
2008-04-07 11:58 26388 --a------ C:\WINDOWS\system32\drivers\downld\79249765.exe
2008-04-07 11:58 15793 --a------ C:\WINDOWS\system32\drivers\downld\79226762.exe
2008-04-07 11:55 766 --a------ C:\WINDOWS\system32\drivers\downld\79030499.exe
2008-04-07 11:54 715780 --a------ C:\WINDOWS\system32\drivers\downld\79003430.exe
2008-04-07 11:54 68512 --a------ C:\WINDOWS\system32\drivers\downld\78991083.exe
2008-04-07 07:54 48920 --a------ C:\WINDOWS\system32\drivers\downld\64585579.exe
2008-04-07 07:53 26388 --a------ C:\WINDOWS\system32\drivers\downld\64555616.exe
2008-04-07 07:53 15346 --a------ C:\WINDOWS\system32\drivers\downld\64521056.exe
2008-04-07 07:50 766 --a------ C:\WINDOWS\system32\drivers\downld\64325665.exe
2008-04-07 07:49 715780 --a------ C:\WINDOWS\system32\drivers\downld\64299778.exe
2008-04-07 07:49 68512 --a------ C:\WINDOWS\system32\drivers\downld\64292287.exe
2008-04-07 03:49 49173 --a------ C:\WINDOWS\system32\drivers\downld\49874605.exe
2008-04-07 03:48 26388 --a------ C:\WINDOWS\system32\drivers\downld\49856289.exe
2008-04-07 03:48 12875 --a------ C:\WINDOWS\system32\drivers\downld\49837582.exe
2008-04-07 03:47 766 --a------ C:\WINDOWS\system32\drivers\downld\49769264.exe
2008-04-07 03:47 715780 --a------ C:\WINDOWS\system32\drivers\downld\49744849.exe
2008-04-07 03:46 68512 --a------ C:\WINDOWS\system32\drivers\downld\49736246.exe
2008-04-07 03:45 766 --a------ C:\WINDOWS\system32\drivers\downld\49682499.exe
2008-04-07 03:45 715780 --a------ C:\WINDOWS\system32\drivers\downld\49659837.exe
2008-04-07 03:45 68512 --a------ C:\WINDOWS\system32\drivers\downld\49651134.exe
2008-04-07 03:44 715780 --a------ C:\WINDOWS\system32\drivers\downld\49580162.exe
2008-04-07 03:44 68512 --a------ C:\WINDOWS\system32\drivers\downld\49569747.exe
2008-04-07 02:07 48932 --a------ C:\WINDOWS\system32\drivers\downld\43765661.exe
2008-04-07 02:07 26388 --a------ C:\WINDOWS\system32\drivers\downld\43748847.exe
2008-04-07 02:06 766 --a------ C:\WINDOWS\system32\drivers\downld\43685686.exe
2008-04-07 02:06 31805 --a------ C:\WINDOWS\system32\drivers\downld\43729319.exe
2008-04-07 02:05 715780 --a------ C:\WINDOWS\system32\drivers\downld\43660450.exe
2008-04-07 02:05 68512 --a------ C:\WINDOWS\system32\drivers\downld\43655853.exe
2008-04-06 22:05 48461 --a------ C:\WINDOWS\system32\drivers\downld\29250179.exe
2008-04-06 22:05 26168 --a------ C:\WINDOWS\system32\drivers\downld\29235608.exe
2008-04-06 22:04 766 --a------ C:\WINDOWS\system32\drivers\downld\29192857.exe
2008-04-06 22:04 31805 --a------ C:\WINDOWS\system32\drivers\downld\29220186.exe
2008-04-06 22:03 68512 --a------ C:\WINDOWS\system32\drivers\downld\29154451.exe
2008-04-06 18:03 49355 --a------ C:\WINDOWS\system32\drivers\downld\14748617.exe
2008-04-06 18:03 31805 --a------ C:\WINDOWS\system32\drivers\downld\14703843.exe
2008-04-06 18:03 26168 --a------ C:\WINDOWS\system32\drivers\downld\14725363.exe
2008-04-06 18:02 766 --a------ C:\WINDOWS\system32\drivers\downld\14671947.exe
2008-04-06 18:02 69499 --a------ C:\WINDOWS\system32\drivers\downld\14643255.exe
2008-04-06 14:01 49301 --a------ C:\WINDOWS\system32\drivers\downld\236339.exe
2008-04-06 14:01 31805 --a------ C:\WINDOWS\system32\drivers\downld\197854.exe
2008-04-06 14:01 28499 --a------ C:\WINDOWS\system32\drivers\downld\215840.exe
2008-04-06 14:00 766 --a------ C:\WINDOWS\system32\drivers\downld\153110.exe
2008-04-06 13:59 68512 --a------ C:\WINDOWS\system32\drivers\downld\107314.exe
2008-04-06 13:47 49140 --a------ C:\WINDOWS\system32\drivers\downld\3574559.exe
2008-04-06 13:46 28499 --a------ C:\WINDOWS\system32\drivers\downld\3557835.exe
2008-04-06 13:46 15311 --a------ C:\WINDOWS\system32\drivers\downld\3520762.exe
2008-04-06 13:45 766 --a------ C:\WINDOWS\system32\drivers\downld\3483899.exe
2008-04-06 13:45 68512 --a------ C:\WINDOWS\system32\drivers\downld\3455288.exe
2008-04-06 13:44 766 --a------ C:\WINDOWS\system32\drivers\downld\3401420.exe
2008-04-06 13:44 68512 --a------ C:\WINDOWS\system32\drivers\downld\3369915.exe
2008-04-06 12:54 49523 --a------ C:\WINDOWS\system32\drivers\downld\415136.exe
2008-04-06 12:54 28248 --a------ C:\WINDOWS\system32\drivers\downld\391703.exe
2008-04-06 12:53 15311 --a------ C:\WINDOWS\system32\drivers\downld\370352.exe
2008-04-06 12:49 766 --a------ C:\WINDOWS\system32\drivers\downld\123637.exe
2008-04-06 12:49 68512 --a------ C:\WINDOWS\system32\drivers\downld\99793.exe
2008-04-06 11:48 49590 --a------ C:\WINDOWS\system32\drivers\downld\55604064.exe
2008-04-06 11:48 28248 --a------ C:\WINDOWS\system32\drivers\downld\55577366.exe
2008-04-06 11:47 15311 --a------ C:\WINDOWS\system32\drivers\downld\55553461.exe
2008-04-06 11:45 766 --a------ C:\WINDOWS\system32\drivers\downld\55403536.exe
2008-04-06 11:44 3491 --a------ C:\WINDOWS\system32\drivers\downld\55366242.exe
2008-04-06 07:44 49137 --a------ C:\WINDOWS\system32\drivers\downld\40960758.exe
2008-04-06 07:44 28248 --a------ C:\WINDOWS\system32\drivers\downld\40945937.exe
2008-04-06 07:44 15334 --a------ C:\WINDOWS\system32\drivers\downld\40931296.exe
2008-04-06 07:43 766 --a------ C:\WINDOWS\system32\drivers\downld\40900011.exe
2008-04-06 07:43 68512 --a------ C:\WINDOWS\system32\drivers\downld\40865701.exe
2008-04-06 07:42 766 --a------ C:\WINDOWS\system32\drivers\downld\40805124.exe
2008-04-06 07:41 68512 --a------ C:\WINDOWS\system32\drivers\downld\40768321.exe
2008-04-06 04:56 48808 --a------ C:\WINDOWS\system32\drivers\downld\30900232.exe
2008-04-06 04:56 28248 --a------ C:\WINDOWS\system32\drivers\downld\30885390.exe
2008-04-06 04:56 15346 --a------ C:\WINDOWS\system32\drivers\downld\30871340.exe
2008-04-06 04:55 766 --a------ C:\WINDOWS\system32\drivers\downld\30841427.exe
2008-04-06 04:55 68512 --a------ C:\WINDOWS\system32\drivers\downld\30791545.exe
2008-04-06 00:55 46970 --a------ C:\WINDOWS\system32\drivers\downld\16384770.exe
2008-04-06 00:54 28248 --a------ C:\WINDOWS\system32\drivers\downld\16363819.exe
2008-04-06 00:54 15346 --a------ C:\WINDOWS\system32\drivers\downld\16343170.exe
2008-04-06 00:53 766 --a------ C:\WINDOWS\system32\drivers\downld\16321769.exe
2008-04-06 00:53 68512 --a------ C:\WINDOWS\system32\drivers\downld\16299687.exe
2008-04-05 20:53 47815 --a------ C:\WINDOWS\system32\drivers\downld\1894704.exe
2008-04-05 20:53 28248 --a------ C:\WINDOWS\system32\drivers\downld\1881205.exe
2008-04-05 20:53 15311 --a------ C:\WINDOWS\system32\drivers\downld\1867555.exe
2008-04-05 20:52 766 --a------ C:\WINDOWS\system32\drivers\downld\1828669.exe
2008-04-05 20:52 179 --a------ C:\WINDOWS\system32\drivers\downld\1797855.exe
2008-04-05 20:50 766 --a------ C:\WINDOWS\system32\drivers\downld\1727063.exe
2008-04-05 20:50 179 --a------ C:\WINDOWS\system32\drivers\downld\1690651.exe
2008-04-05 20:34 48150 --a------ C:\WINDOWS\system32\drivers\downld\743489.exe
2008-04-05 20:34 28248 --a------ C:\WINDOWS\system32\drivers\downld\727806.exe
2008-04-05 20:33 766 --a------ C:\WINDOWS\system32\drivers\downld\685075.exe
2008-04-05 20:33 179 --a------ C:\WINDOWS\system32\drivers\downld\663494.exe
2008-04-05 20:33 15823 --a------ C:\WINDOWS\system32\drivers\downld\701618.exe
2008-04-05 20:31 766 --a------ C:\WINDOWS\system32\drivers\downld\598500.exe
2008-04-05 20:31 179 --a------ C:\WINDOWS\system32\drivers\downld\582667.exe
2008-04-05 20:25 766 --a------ C:\WINDOWS\system32\drivers\downld\231953.exe
2008-04-05 20:25 179 --a------ C:\WINDOWS\system32\drivers\downld\202501.exe
2008-04-05 20:23 766 --a------ C:\WINDOWS\system32\drivers\downld\122085.exe
2008-04-05 20:23 179 --a------ C:\WINDOWS\system32\drivers\downld\105021.exe
2008-04-05 20:14 31805 --a------ C:\WINDOWS\system32\drivers\downld\22171530.exe
2008-04-05 20:13 766 --a------ C:\WINDOWS\system32\drivers\downld\22144472.exe
2008-04-05 20:13 179 --a------ C:\WINDOWS\system32\drivers\downld\22119115.exe
2008-04-05 20:12 766 --a------ C:\WINDOWS\system32\drivers\downld\22063425.exe
2008-04-05 20:11 766 --a------ C:\WINDOWS\system32\drivers\downld\22002297.exe
2008-04-05 20:11 179 --a------ C:\WINDOWS\system32\drivers\downld\22035224.exe
2008-04-05 20:11 179 --a------ C:\WINDOWS\system32\drivers\downld\21980306.exe
2008-04-05 20:09 766 --a------ C:\WINDOWS\system32\drivers\downld\21911987.exe
2008-04-05 20:09 179 --a------ C:\WINDOWS\system32\drivers\downld\21892519.exe
2008-04-05 20:07 179 --a------ C:\WINDOWS\system32\drivers\downld\21788199.exe
2008-04-05 16:22 49654 --a------ C:\WINDOWS\system32\drivers\downld\8278914.exe
2008-04-05 16:21 766 --a------ C:\WINDOWS\system32\drivers\downld\8204507.exe
2008-04-05 16:21 31805 --a------ C:\WINDOWS\system32\drivers\downld\8223184.exe
2008-04-05 16:21 28213 --a------ C:\WINDOWS\system32\drivers\downld\8237564.exe
2008-04-05 16:21 179 --a------ C:\WINDOWS\system32\drivers\downld\8162947.exe
2008-04-05 16:19 766 --a------ C:\WINDOWS\system32\drivers\downld\8091174.exe
2008-04-05 16:19 179 --a------ C:\WINDOWS\system32\drivers\downld\8067840.exe
2008-04-05 16:05 179 --a------ C:\WINDOWS\system32\drivers\downld\7255212.exe
2008-04-05 15:46 49565 --a------ C:\WINDOWS\system32\drivers\downld\6084729.exe
2008-04-05 15:45 766 --a------ C:\WINDOWS\system32\drivers\downld\6023331.exe
2008-04-05 15:45 28213 --a------ C:\WINDOWS\system32\drivers\downld\6066873.exe
2008-04-05 15:45 15311 --a------ C:\WINDOWS\system32\drivers\downld\6047025.exe
2008-04-05 15:44 179 --a------ C:\WINDOWS\system32\drivers\downld\5983664.exe
2008-04-05 15:43 766 --a------ C:\WINDOWS\system32\drivers\downld\5925620.exe
2008-04-05 15:43 179 --a------ C:\WINDOWS\system32\drivers\downld\5900895.exe
2008-04-05 15:41 766 --a------ C:\WINDOWS\system32\drivers\downld\5789084.exe
2008-04-05 15:40 179 --a------ C:\WINDOWS\system32\drivers\downld\5766882.exe
2008-04-05 15:38 766 --a------ C:\WINDOWS\system32\drivers\downld\5604558.exe
2008-04-05 15:37 179 --a------ C:\WINDOWS\system32\drivers\downld\5552243.exe
2008-04-05 15:35 766 --a------ C:\WINDOWS\system32\drivers\downld\5462945.exe
2008-04-05 15:35 179 --a------ C:\WINDOWS\system32\drivers\downld\5424560.exe
2008-04-05 15:34 766 --a------ C:\WINDOWS\system32\drivers\downld\5368870.exe
2008-04-05 15:33 179 --a------ C:\WINDOWS\system32\drivers\downld\5327180.exe
2008-04-05 15:26 179 --a------ C:\WINDOWS\system32\drivers\downld\4903430.exe
2008-04-05 14:32 49298 --a------ C:\WINDOWS\system32\drivers\downld\1659466.exe
2008-04-05 14:32 28213 --a------ C:\WINDOWS\system32\drivers\downld\1638826.exe
2008-04-05 14:31 766 --a------ C:\WINDOWS\system32\drivers\downld\1601883.exe
2008-04-05 14:31 179 --a------ C:\WINDOWS\system32\drivers\downld\1577999.exe
2008-04-05 14:31 17849 --a------ C:\WINDOWS\system32\drivers\downld\1625807.exe
2008-04-05 14:28 48959 --a------ C:\WINDOWS\system32\drivers\downld\1447641.exe
2008-04-05 14:28 31805 --a------ C:\WINDOWS\system32\drivers\downld\1413081.exe
2008-04-05 14:28 28213 --a------ C:\WINDOWS\system32\drivers\downld\1430156.exe
2008-04-05 14:27 766 --a------ C:\WINDOWS\system32\drivers\downld\1388196.exe
2008-04-05 14:27 179 --a------ C:\WINDOWS\system32\drivers\downld\1364492.exe
2008-04-05 14:07 49369 --a------ C:\WINDOWS\system32\drivers\downld\187840.exe
2008-04-05 14:07 31805 --a------ C:\WINDOWS\system32\drivers\downld\154101.exe
2008-04-05 14:07 28213 --a------ C:\WINDOWS\system32\drivers\downld\170855.exe
2008-04-05 14:06 766 --a------ C:\WINDOWS\system32\drivers\downld\127423.exe
2008-04-05 14:06 179 --a------ C:\WINDOWS\system32\drivers\downld\101045.exe
2008-04-05 13:47 49061 --a------ C:\WINDOWS\system32\drivers\downld\12269242.exe
2008-04-05 13:47 28213 --a------ C:\WINDOWS\system32\drivers\downld\12254501.exe
2008-04-05 13:47 15859 --a------ C:\WINDOWS\system32\drivers\downld\12236785.exe
2008-04-05 13:46 766 --a------ C:\WINDOWS\system32\drivers\downld\12218238.exe
2008-04-05 13:46 179 --a------ C:\WINDOWS\system32\drivers\downld\12189046.exe
2008-04-05 13:45 766 --a------ C:\WINDOWS\system32\drivers\downld\12136050.exe
2008-04-05 13:44 179 --a------ C:\WINDOWS\system32\drivers\downld\12102792.exe
2008-04-05 13:43 766 --a------ C:\WINDOWS\system32\drivers\downld\12004651.exe
2008-04-05 13:42 179 --a------ C:\WINDOWS\system32\drivers\downld\11978363.exe
2008-04-05 13:42 179 --a------ C:\WINDOWS\system32\drivers\downld\11954059.exe
2008-04-05 13:37 766 --a------ C:\WINDOWS\system32\drivers\downld\11670791.exe
2008-04-05 13:37 179 --a------ C:\WINDOWS\system32\drivers\downld\11683269.exe
2008-04-05 13:37 179 --a------ C:\WINDOWS\system32\drivers\downld\11642020.exe
2008-04-05 10:38 766 --a------ C:\WINDOWS\system32\drivers\downld\904059.exe
2008-04-05 10:37 179 --a------ C:\WINDOWS\system32\drivers\downld\877131.exe
2008-04-05 10:27 49851 --a------ C:\WINDOWS\system32\drivers\downld\275235.exe
2008-04-05 10:27 28213 --a------ C:\WINDOWS\system32\drivers\downld\249809.exe
2008-04-05 10:26 766 --a------ C:\WINDOWS\system32\drivers\downld\197333.exe
2008-04-05 10:26 31805 --a------ C:\WINDOWS\system32\drivers\downld\230190.exe
2008-04-05 10:26 179 --a------ C:\WINDOWS\system32\drivers\downld\179708.exe
2008-04-05 10:20 49810 --a------ C:\WINDOWS\system32\drivers\downld\303856.exe
2008-04-05 10:20 28213 --a------ C:\WINDOWS\system32\drivers\downld\282966.exe
2008-04-05 10:19 766 --a------ C:\WINDOWS\system32\drivers\downld\227246.exe
2008-04-05 10:19 31805 --a------ C:\WINDOWS\system32\drivers\downld\263859.exe
2008-04-05 10:18 179 --a------ C:\WINDOWS\system32\drivers\downld\206977.exe


((((((((((((((((((((((((((((( [email protected]0_23.07.47.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-11 12:37:47 715,780 ----a-w C:\WINDOWS\system32\drivers\downld\2020295.exe
+ 2008-04-11 14:59:02 15,373 ----a-w C:\WINDOWS\system32\drivers\downld\388208.exe
+ 2008-04-11 13:47:33 17,939 ----a-w C:\WINDOWS\system32\drivers\downld\390050.exe
+ 2008-04-11 13:48:09 28,139 ----a-w C:\WINDOWS\system32\drivers\downld\423258.exe
+ 2008-04-11 14:59:49 28,139 ----a-w C:\WINDOWS\system32\drivers\downld\433022.exe
+ 2008-04-11 13:48:42 25,577 ----a-w C:\WINDOWS\system32\drivers\downld\452460.exe
+ 2008-04-11 15:00:11 25,577 ----a-w C:\WINDOWS\system32\drivers\downld\460071.exe
+ 2008-04-11 15:00:27 44,762 ----a-w C:\WINDOWS\system32\drivers\downld\473420.exe
+ 2008-04-11 13:49:05 44,762 ----a-w C:\WINDOWS\system32\drivers\downld\480731.exe
+ 2008-04-11 14:53:57 73,308 ----a-w C:\WINDOWS\system32\drivers\downld\84621.exe
+ 2008-04-11 14:54:08 715,780 ----a-w C:\WINDOWS\system32\drivers\downld\91000.exe
+ 2008-04-11 13:42:32 73,308 ----a-w C:\WINDOWS\system32\drivers\downld\91621.exe
- 2008-04-10 00:09:44 58,800 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-11 04:08:54 58,800 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-10 00:09:44 392,626 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-11 04:08:54 392,626 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ParetoLogic Anti-Spyware"="C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" [2007-08-01 13:56 2643312]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
"{51C55F9E-C308-4c95-89AB-8858D8AFD819}"= C:\Program Files\ParetoLogic\Anti-Spyware\PASShlExt.dll [2007-04-11 17:47 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LaunchU3.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LaunchU3.exe.lnk
backup=C:\WINDOWS\pss\LaunchU3.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 11:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Auto EPSON Stylus CX3800 Series (Copy 1) on LMK-XP]
--a------ 2005-02-07 22:00 98304 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Auto EPSON Stylus CX3800 Series on LMK-XP]
--a------ 2005-02-07 22:00 98304 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2008-04-10 22:21 79224 E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
--a------ 2007-04-19 15:21 198184 C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater]
--a------ 2004-03-10 16:16 204800 E:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
--a------ 2006-11-15 22:01 244512 C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-07-06 18:33 282624 E:\Program Files\QuickTime_4\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2005-01-12 03:01 32768 E:\Program Files\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-02-29 16:03 1481968 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2006-08-07 02:04 688128 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\dnloads\\eMule\\eMule.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"E:\\EMule Extracts\\EMule.46c\\emule.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"D:\\dnloads\\eMule\\eMule_II\\eMule.exe"=
"D:\\Program Files\\EMule\\emule.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R0 hpt3xx;hpt3xx;C:\WINDOWS\system32\drivers\hpt3xx.sys [2004-01-05 04:10]
R0 hptpro;hptpro;C:\WINDOWS\system32\drivers\hptpro.sys [2003-01-27 10:12]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 12:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 12:35]
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2005-02-16 03:06]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17282e89-0346-11dd-a3b2-000103c623f3}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-04-11 01:37:31 C:\WINDOWS\Tasks\Pareto UNS.job"
- C:\Program Files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe
"2008-04-11 12:03:04 C:\WINDOWS\Tasks\ParetoLogic Anti-Spyware.job"
- C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe
"2008-04-11 05:33:00 C:\WINDOWS\Tasks\ParetoLogic Update.job"
- C:\Program Files\Common Files\ParetoLogic\UUS\Pareto_Update.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-11 11:45:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\devldr32.exe
.
**************************************************************************
.
Completion time: 2008-04-11 11:48:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-11 16:48:15
ComboFix2.txt 2008-04-11 15:36:42
ComboFix3.txt 2008-04-11 12:01:22
Pre-Run: 1,017,417,728 bytes free
Post-Run: 1,003,491,328 bytes free
  • 0

#6
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,962 posts
Hi, Linda68 :)

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop

Folder::
C:\WINDOWS\system32\drivers\downld


Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Remove and reinstall Hijackthis and attempt now to boot in Safe Mode after this process..
  • 0

#7
Linda68

Linda68

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
Hi :)
I tried to uninstall Hijackthis from Control Panel. It gave me the attached message. I changed the executable filename to HJT, but don't remember how it was originally. I selected No on the pop-up until further direction from you, so I obviously didn't reinstall hijackthis or try safe mode yet.

Also, after Malwarebytes ran and cleaned the system, Paretologic ran automatically immediately after and the Bagle.IX was still on the system.



ComboFix 08-04-10.7 - Linda Kristina 2008-04-11 13:19:00.4 - NTFSx86
Running from: C:\Documents and Settings\Linda Kristina\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\Linda Kristina\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ban_list.txt
C:\WINDOWS\system32\drivers\downld
C:\WINDOWS\system32\drivers\downld\101045.exe
C:\WINDOWS\system32\drivers\downld\102206.exe
C:\WINDOWS\system32\drivers\downld\102347.exe
C:\WINDOWS\system32\drivers\downld\105021.exe
C:\WINDOWS\system32\drivers\downld\107314.exe
C:\WINDOWS\system32\drivers\downld\107554.exe
C:\WINDOWS\system32\drivers\downld\108356898.exe
C:\WINDOWS\system32\drivers\downld\108365571.exe
C:\WINDOWS\system32\drivers\downld\108396756.exe
C:\WINDOWS\system32\drivers\downld\108466867.exe
C:\WINDOWS\system32\drivers\downld\108946.exe
C:\WINDOWS\system32\drivers\downld\1140259.exe
C:\WINDOWS\system32\drivers\downld\1160899.exe
C:\WINDOWS\system32\drivers\downld\11642020.exe
C:\WINDOWS\system32\drivers\downld\11670791.exe
C:\WINDOWS\system32\drivers\downld\11683269.exe
C:\WINDOWS\system32\drivers\downld\11954059.exe
C:\WINDOWS\system32\drivers\downld\11978363.exe
C:\WINDOWS\system32\drivers\downld\12004651.exe
C:\WINDOWS\system32\drivers\downld\12102792.exe
C:\WINDOWS\system32\drivers\downld\12136050.exe
C:\WINDOWS\system32\drivers\downld\12189046.exe
C:\WINDOWS\system32\drivers\downld\122085.exe
C:\WINDOWS\system32\drivers\downld\12218238.exe
C:\WINDOWS\system32\drivers\downld\12236785.exe
C:\WINDOWS\system32\drivers\downld\12254501.exe
C:\WINDOWS\system32\drivers\downld\12269242.exe
C:\WINDOWS\system32\drivers\downld\123637.exe
C:\WINDOWS\system32\drivers\downld\127423.exe
C:\WINDOWS\system32\drivers\downld\1305056.exe
C:\WINDOWS\system32\drivers\downld\1323092.exe
C:\WINDOWS\system32\drivers\downld\136185.exe
C:\WINDOWS\system32\drivers\downld\1364492.exe
C:\WINDOWS\system32\drivers\downld\1388196.exe
C:\WINDOWS\system32\drivers\downld\139750.exe
C:\WINDOWS\system32\drivers\downld\140031.exe
C:\WINDOWS\system32\drivers\downld\1413081.exe
C:\WINDOWS\system32\drivers\downld\1430156.exe
C:\WINDOWS\system32\drivers\downld\1447641.exe
C:\WINDOWS\system32\drivers\downld\14643255.exe
C:\WINDOWS\system32\drivers\downld\14671947.exe
C:\WINDOWS\system32\drivers\downld\14703843.exe
C:\WINDOWS\system32\drivers\downld\14716330.exe
C:\WINDOWS\system32\drivers\downld\14722169.exe
C:\WINDOWS\system32\drivers\downld\14725363.exe
C:\WINDOWS\system32\drivers\downld\14748617.exe
C:\WINDOWS\system32\drivers\downld\14755086.exe
C:\WINDOWS\system32\drivers\downld\14811658.exe
C:\WINDOWS\system32\drivers\downld\14831586.exe
C:\WINDOWS\system32\drivers\downld\14845997.exe
C:\WINDOWS\system32\drivers\downld\14857604.exe
C:\WINDOWS\system32\drivers\downld\1490813.exe
C:\WINDOWS\system32\drivers\downld\1498164.exe
C:\WINDOWS\system32\drivers\downld\151357.exe
C:\WINDOWS\system32\drivers\downld\153110.exe
C:\WINDOWS\system32\drivers\downld\154101.exe
C:\WINDOWS\system32\drivers\downld\1577999.exe
C:\WINDOWS\system32\drivers\downld\1601883.exe
C:\WINDOWS\system32\drivers\downld\1625807.exe
C:\WINDOWS\system32\drivers\downld\16299687.exe
C:\WINDOWS\system32\drivers\downld\16321769.exe
C:\WINDOWS\system32\drivers\downld\16343170.exe
C:\WINDOWS\system32\drivers\downld\16363819.exe
C:\WINDOWS\system32\drivers\downld\16384770.exe
C:\WINDOWS\system32\drivers\downld\1638826.exe
C:\WINDOWS\system32\drivers\downld\1659466.exe
C:\WINDOWS\system32\drivers\downld\1690651.exe
C:\WINDOWS\system32\drivers\downld\170855.exe
C:\WINDOWS\system32\drivers\downld\1727063.exe
C:\WINDOWS\system32\drivers\downld\1743507.exe
C:\WINDOWS\system32\drivers\downld\175262.exe
C:\WINDOWS\system32\drivers\downld\1771377.exe
C:\WINDOWS\system32\drivers\downld\1778136.exe
C:\WINDOWS\system32\drivers\downld\179708.exe
C:\WINDOWS\system32\drivers\downld\1797855.exe
C:\WINDOWS\system32\drivers\downld\1828669.exe
C:\WINDOWS\system32\drivers\downld\18337077.exe
C:\WINDOWS\system32\drivers\downld\18407268.exe
C:\WINDOWS\system32\drivers\downld\1845984.exe
C:\WINDOWS\system32\drivers\downld\184835.exe
C:\WINDOWS\system32\drivers\downld\184965.exe
C:\WINDOWS\system32\drivers\downld\18590882.exe
C:\WINDOWS\system32\drivers\downld\18622017.exe
C:\WINDOWS\system32\drivers\downld\18642676.exe
C:\WINDOWS\system32\drivers\downld\18656276.exe
C:\WINDOWS\system32\drivers\downld\1867555.exe
C:\WINDOWS\system32\drivers\downld\187239.exe
C:\WINDOWS\system32\drivers\downld\18745474.exe
C:\WINDOWS\system32\drivers\downld\18754197.exe
C:\WINDOWS\system32\drivers\downld\187840.exe
C:\WINDOWS\system32\drivers\downld\1881205.exe
C:\WINDOWS\system32\drivers\downld\18830586.exe
C:\WINDOWS\system32\drivers\downld\188611.exe
C:\WINDOWS\system32\drivers\downld\18882711.exe
C:\WINDOWS\system32\drivers\downld\18924742.exe
C:\WINDOWS\system32\drivers\downld\1894704.exe
C:\WINDOWS\system32\drivers\downld\18958460.exe
C:\WINDOWS\system32\drivers\downld\1908133.exe
C:\WINDOWS\system32\drivers\downld\1955872.exe
C:\WINDOWS\system32\drivers\downld\197333.exe
C:\WINDOWS\system32\drivers\downld\197854.exe
C:\WINDOWS\system32\drivers\downld\1992995.exe
C:\WINDOWS\system32\drivers\downld\2020295.exe
C:\WINDOWS\system32\drivers\downld\202501.exe
C:\WINDOWS\system32\drivers\downld\2031871.exe
C:\WINDOWS\system32\drivers\downld\204003.exe
C:\WINDOWS\system32\drivers\downld\2057598.exe
C:\WINDOWS\system32\drivers\downld\206977.exe
C:\WINDOWS\system32\drivers\downld\2145144.exe
C:\WINDOWS\system32\drivers\downld\215840.exe
C:\WINDOWS\system32\drivers\downld\2172834.exe
C:\WINDOWS\system32\drivers\downld\21788199.exe
C:\WINDOWS\system32\drivers\downld\21892519.exe
C:\WINDOWS\system32\drivers\downld\21911987.exe
C:\WINDOWS\system32\drivers\downld\21980306.exe
C:\WINDOWS\system32\drivers\downld\22002297.exe
C:\WINDOWS\system32\drivers\downld\22035224.exe
C:\WINDOWS\system32\drivers\downld\22063425.exe
C:\WINDOWS\system32\drivers\downld\22119115.exe
C:\WINDOWS\system32\drivers\downld\22144472.exe
C:\WINDOWS\system32\drivers\downld\22171530.exe
C:\WINDOWS\system32\drivers\downld\223501.exe
C:\WINDOWS\system32\drivers\downld\227246.exe
C:\WINDOWS\system32\drivers\downld\228328.exe
C:\WINDOWS\system32\drivers\downld\2292386.exe
C:\WINDOWS\system32\drivers\downld\230190.exe
C:\WINDOWS\system32\drivers\downld\231342.exe
C:\WINDOWS\system32\drivers\downld\231953.exe
C:\WINDOWS\system32\drivers\downld\2325213.exe
C:\WINDOWS\system32\drivers\downld\236339.exe
C:\WINDOWS\system32\drivers\downld\247155.exe
C:\WINDOWS\system32\drivers\downld\249809.exe
C:\WINDOWS\system32\drivers\downld\251581.exe
C:\WINDOWS\system32\drivers\downld\2546010.exe
C:\WINDOWS\system32\drivers\downld\258161.exe
C:\WINDOWS\system32\drivers\downld\2600919.exe
C:\WINDOWS\system32\drivers\downld\263859.exe
C:\WINDOWS\system32\drivers\downld\2652003.exe
C:\WINDOWS\system32\drivers\downld\271580.exe
C:\WINDOWS\system32\drivers\downld\275235.exe
C:\WINDOWS\system32\drivers\downld\281204.exe
C:\WINDOWS\system32\drivers\downld\282736.exe
C:\WINDOWS\system32\drivers\downld\282966.exe
C:\WINDOWS\system32\drivers\downld\29154451.exe
C:\WINDOWS\system32\drivers\downld\29192857.exe
C:\WINDOWS\system32\drivers\downld\29220186.exe
C:\WINDOWS\system32\drivers\downld\29235608.exe
C:\WINDOWS\system32\drivers\downld\29250179.exe
C:\WINDOWS\system32\drivers\downld\298459.exe
C:\WINDOWS\system32\drivers\downld\2993925.exe
C:\WINDOWS\system32\drivers\downld\303856.exe
C:\WINDOWS\system32\drivers\downld\304187.exe
C:\WINDOWS\system32\drivers\downld\307762.exe
C:\WINDOWS\system32\drivers\downld\30791545.exe
C:\WINDOWS\system32\drivers\downld\30841427.exe
C:\WINDOWS\system32\drivers\downld\30871340.exe
C:\WINDOWS\system32\drivers\downld\30885390.exe
C:\WINDOWS\system32\drivers\downld\30900232.exe
C:\WINDOWS\system32\drivers\downld\3161005.exe
C:\WINDOWS\system32\drivers\downld\321372.exe
C:\WINDOWS\system32\drivers\downld\3257994.exe
C:\WINDOWS\system32\drivers\downld\33066497.exe
C:\WINDOWS\system32\drivers\downld\33074308.exe
C:\WINDOWS\system32\drivers\downld\33114966.exe
C:\WINDOWS\system32\drivers\downld\33291901.exe
C:\WINDOWS\system32\drivers\downld\33321343.exe
C:\WINDOWS\system32\drivers\downld\33341833.exe
C:\WINDOWS\system32\drivers\downld\33352127.exe
C:\WINDOWS\system32\drivers\downld\33369773.exe
C:\WINDOWS\system32\drivers\downld\33380007.exe
C:\WINDOWS\system32\drivers\downld\33451670.exe
C:\WINDOWS\system32\drivers\downld\33628695.exe
C:\WINDOWS\system32\drivers\downld\33662143.exe
C:\WINDOWS\system32\drivers\downld\33690734.exe
C:\WINDOWS\system32\drivers\downld\3369915.exe
C:\WINDOWS\system32\drivers\downld\33705746.exe
C:\WINDOWS\system32\drivers\downld\33896140.exe
C:\WINDOWS\system32\drivers\downld\33901868.exe
C:\WINDOWS\system32\drivers\downld\3390284.exe
C:\WINDOWS\system32\drivers\downld\33959631.exe
C:\WINDOWS\system32\drivers\downld\3401420.exe
C:\WINDOWS\system32\drivers\downld\3445073.exe
C:\WINDOWS\system32\drivers\downld\3455288.exe
C:\WINDOWS\system32\drivers\downld\345987.exe
C:\WINDOWS\system32\drivers\downld\3478611.exe
C:\WINDOWS\system32\drivers\downld\3483899.exe
C:\WINDOWS\system32\drivers\downld\3501094.exe
C:\WINDOWS\system32\drivers\downld\3514173.exe
C:\WINDOWS\system32\drivers\downld\351645.exe
C:\WINDOWS\system32\drivers\downld\3520762.exe
C:\WINDOWS\system32\drivers\downld\352737.exe
C:\WINDOWS\system32\drivers\downld\3557835.exe
C:\WINDOWS\system32\drivers\downld\3574559.exe
C:\WINDOWS\system32\drivers\downld\35964123.exe
C:\WINDOWS\system32\drivers\downld\36025572.exe
C:\WINDOWS\system32\drivers\downld\370202.exe
C:\WINDOWS\system32\drivers\downld\370352.exe
C:\WINDOWS\system32\drivers\downld\371063.exe
C:\WINDOWS\system32\drivers\downld\374188.exe
C:\WINDOWS\system32\drivers\downld\380837.exe
C:\WINDOWS\system32\drivers\downld\3829756.exe
C:\WINDOWS\system32\drivers\downld\384282.exe
C:\WINDOWS\system32\drivers\downld\385824.exe
C:\WINDOWS\system32\drivers\downld\3864937.exe
C:\WINDOWS\system32\drivers\downld\388208.exe
C:\WINDOWS\system32\drivers\downld\390050.exe
C:\WINDOWS\system32\drivers\downld\3911584.exe
C:\WINDOWS\system32\drivers\downld\391703.exe
C:\WINDOWS\system32\drivers\downld\3924843.exe
C:\WINDOWS\system32\drivers\downld\3928388.exe
C:\WINDOWS\system32\drivers\downld\399574.exe
C:\WINDOWS\system32\drivers\downld\40768321.exe
C:\WINDOWS\system32\drivers\downld\40805124.exe
C:\WINDOWS\system32\drivers\downld\40865701.exe
C:\WINDOWS\system32\drivers\downld\40900011.exe
C:\WINDOWS\system32\drivers\downld\40931296.exe
C:\WINDOWS\system32\drivers\downld\40945937.exe
C:\WINDOWS\system32\drivers\downld\40960758.exe
C:\WINDOWS\system32\drivers\downld\4097812.exe
C:\WINDOWS\system32\drivers\downld\410340.exe
C:\WINDOWS\system32\drivers\downld\415136.exe
C:\WINDOWS\system32\drivers\downld\4221800.exe
C:\WINDOWS\system32\drivers\downld\423258.exe
C:\WINDOWS\system32\drivers\downld\4260786.exe
C:\WINDOWS\system32\drivers\downld\4302326.exe
C:\WINDOWS\system32\drivers\downld\433022.exe
C:\WINDOWS\system32\drivers\downld\433273.exe
C:\WINDOWS\system32\drivers\downld\4334272.exe
C:\WINDOWS\system32\drivers\downld\434254.exe
C:\WINDOWS\system32\drivers\downld\43655853.exe
C:\WINDOWS\system32\drivers\downld\43660450.exe
C:\WINDOWS\system32\drivers\downld\43685686.exe
C:\WINDOWS\system32\drivers\downld\43729319.exe
C:\WINDOWS\system32\drivers\downld\43748847.exe
C:\WINDOWS\system32\drivers\downld\43765661.exe
C:\WINDOWS\system32\drivers\downld\447162.exe
C:\WINDOWS\system32\drivers\downld\449105.exe
C:\WINDOWS\system32\drivers\downld\452460.exe
C:\WINDOWS\system32\drivers\downld\454283.exe
C:\WINDOWS\system32\drivers\downld\460071.exe
C:\WINDOWS\system32\drivers\downld\468984.exe
C:\WINDOWS\system32\drivers\downld\469114.exe
C:\WINDOWS\system32\drivers\downld\472559.exe
C:\WINDOWS\system32\drivers\downld\473420.exe
C:\WINDOWS\system32\drivers\downld\480731.exe
C:\WINDOWS\system32\drivers\downld\4903430.exe
C:\WINDOWS\system32\drivers\downld\49569747.exe
C:\WINDOWS\system32\drivers\downld\49580162.exe
C:\WINDOWS\system32\drivers\downld\49651134.exe
C:\WINDOWS\system32\drivers\downld\49659837.exe
C:\WINDOWS\system32\drivers\downld\49682499.exe
C:\WINDOWS\system32\drivers\downld\496954.exe
C:\WINDOWS\system32\drivers\downld\49736246.exe
C:\WINDOWS\system32\drivers\downld\49744849.exe
C:\WINDOWS\system32\drivers\downld\49769264.exe
C:\WINDOWS\system32\drivers\downld\49837582.exe
C:\WINDOWS\system32\drivers\downld\49856289.exe
C:\WINDOWS\system32\drivers\downld\49874605.exe
C:\WINDOWS\system32\drivers\downld\498847.exe
C:\WINDOWS\system32\drivers\downld\506077.exe
C:\WINDOWS\system32\drivers\downld\515731.exe
C:\WINDOWS\system32\drivers\downld\526346.exe
C:\WINDOWS\system32\drivers\downld\5327180.exe
C:\WINDOWS\system32\drivers\downld\5368870.exe
C:\WINDOWS\system32\drivers\downld\5424560.exe
C:\WINDOWS\system32\drivers\downld\543421.exe
C:\WINDOWS\system32\drivers\downld\545494.exe
C:\WINDOWS\system32\drivers\downld\5462945.exe
C:\WINDOWS\system32\drivers\downld\55366242.exe
C:\WINDOWS\system32\drivers\downld\55403536.exe
C:\WINDOWS\system32\drivers\downld\5552243.exe
C:\WINDOWS\system32\drivers\downld\55553461.exe
C:\WINDOWS\system32\drivers\downld\55577366.exe
C:\WINDOWS\system32\drivers\downld\55604064.exe
C:\WINDOWS\system32\drivers\downld\5604558.exe
C:\WINDOWS\system32\drivers\downld\560616.exe
C:\WINDOWS\system32\drivers\downld\5766882.exe
C:\WINDOWS\system32\drivers\downld\5789084.exe
C:\WINDOWS\system32\drivers\downld\582667.exe
C:\WINDOWS\system32\drivers\downld\5900895.exe
C:\WINDOWS\system32\drivers\downld\5925620.exe
C:\WINDOWS\system32\drivers\downld\5983664.exe
C:\WINDOWS\system32\drivers\downld\598500.exe
C:\WINDOWS\system32\drivers\downld\6023331.exe
C:\WINDOWS\system32\drivers\downld\6047025.exe
C:\WINDOWS\system32\drivers\downld\605580.exe
C:\WINDOWS\system32\drivers\downld\6066873.exe
C:\WINDOWS\system32\drivers\downld\6084729.exe
C:\WINDOWS\system32\drivers\downld\638117.exe
C:\WINDOWS\system32\drivers\downld\64292287.exe
C:\WINDOWS\system32\drivers\downld\64299778.exe
C:\WINDOWS\system32\drivers\downld\64325665.exe
C:\WINDOWS\system32\drivers\downld\64521056.exe
C:\WINDOWS\system32\drivers\downld\64555616.exe
C:\WINDOWS\system32\drivers\downld\64585579.exe
C:\WINDOWS\system32\drivers\downld\648121.exe
C:\WINDOWS\system32\drivers\downld\663494.exe
C:\WINDOWS\system32\drivers\downld\679396.exe
C:\WINDOWS\system32\drivers\downld\685075.exe
C:\WINDOWS\system32\drivers\downld\691304.exe
C:\WINDOWS\system32\drivers\downld\700397.exe
C:\WINDOWS\system32\drivers\downld\701618.exe
C:\WINDOWS\system32\drivers\downld\707377.exe
C:\WINDOWS\system32\drivers\downld\714467.exe
C:\WINDOWS\system32\drivers\downld\7255212.exe
C:\WINDOWS\system32\drivers\downld\727806.exe
C:\WINDOWS\system32\drivers\downld\743489.exe
C:\WINDOWS\system32\drivers\downld\762055.exe
C:\WINDOWS\system32\drivers\downld\774073.exe
C:\WINDOWS\system32\drivers\downld\78991083.exe
C:\WINDOWS\system32\drivers\downld\79003430.exe
C:\WINDOWS\system32\drivers\downld\79030499.exe
C:\WINDOWS\system32\drivers\downld\79103.exe
C:\WINDOWS\system32\drivers\downld\79226762.exe
C:\WINDOWS\system32\drivers\downld\79249765.exe
C:\WINDOWS\system32\drivers\downld\79267390.exe
C:\WINDOWS\system32\drivers\downld\803134.exe
C:\WINDOWS\system32\drivers\downld\8067840.exe
C:\WINDOWS\system32\drivers\downld\8091174.exe
C:\WINDOWS\system32\drivers\downld\81311599.exe
C:\WINDOWS\system32\drivers\downld\8162947.exe
C:\WINDOWS\system32\drivers\downld\81907907.exe
C:\WINDOWS\system32\drivers\downld\81949016.exe
C:\WINDOWS\system32\drivers\downld\8204507.exe
C:\WINDOWS\system32\drivers\downld\82073215.exe
C:\WINDOWS\system32\drivers\downld\82088316.exe
C:\WINDOWS\system32\drivers\downld\8223184.exe
C:\WINDOWS\system32\drivers\downld\82280513.exe
C:\WINDOWS\system32\drivers\downld\82302214.exe
C:\WINDOWS\system32\drivers\downld\8237564.exe
C:\WINDOWS\system32\drivers\downld\8278914.exe
C:\WINDOWS\system32\drivers\downld\84621.exe
C:\WINDOWS\system32\drivers\downld\877131.exe
C:\WINDOWS\system32\drivers\downld\904059.exe
C:\WINDOWS\system32\drivers\downld\91000.exe
C:\WINDOWS\system32\drivers\downld\91621.exe
C:\WINDOWS\system32\drivers\downld\92342.exe
C:\WINDOWS\system32\drivers\downld\93711449.exe
C:\WINDOWS\system32\drivers\downld\93719030.exe
C:\WINDOWS\system32\drivers\downld\93746510.exe
C:\WINDOWS\system32\drivers\downld\93914822.exe
C:\WINDOWS\system32\drivers\downld\93932708.exe
C:\WINDOWS\system32\drivers\downld\94405.exe
C:\WINDOWS\system32\drivers\downld\957046.exe
C:\WINDOWS\system32\drivers\downld\97750.exe
C:\WINDOWS\system32\drivers\downld\98241.exe
C:\WINDOWS\system32\drivers\downld\995651.exe
C:\WINDOWS\system32\drivers\downld\99793.exe
C:\WINDOWS\system32\drivers\downld\99963.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\wintems.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SROSA


((((((((((((((((((((((((( Files Created from 2008-03-11 to 2008-04-11 )))))))))))))))))))))))))))))))
.

2008-04-11 11:57 . 2006-08-07 02:04 688,128 --a------ C:\WINDOWS\system32\drivers\mdelk.exe
2008-04-11 10:20 . 2008-04-11 11:52 <DIR> d-------- C:\Geeks_New
2008-04-10 20:36 . 2008-04-10 20:36 <DIR> d-------- C:\Program Files\ParetoLogic
2008-04-10 20:36 . 2008-04-10 20:36 <DIR> d-------- C:\Program Files\Common Files\ParetoLogic
2008-04-10 20:36 . 2008-04-10 20:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware
2008-04-10 20:31 . 2008-04-10 21:49 <DIR> d-------- C:\paretologic
2008-04-09 21:51 . 2008-04-09 21:51 <DIR> d-------- C:\Documents and Settings\Linda Kristina\Application Data\Thinstall
2008-04-09 21:51 . 2008-04-09 21:21 12,828,619 --a------ C:\RegCure 1.5.exe
2008-04-09 20:11 . 2008-04-09 21:00 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-09 20:11 . 2008-04-09 21:00 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-09 19:54 . 2008-04-09 19:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-09 19:54 . 2008-04-09 19:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-09 19:53 . 2008-04-09 19:53 <DIR> d-------- C:\Program Files\CCleaner
2008-04-09 07:42 . 2008-04-09 19:54 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-09 07:42 . 2008-04-09 07:42 <DIR> d-------- C:\Documents and Settings\Linda Kristina\Application Data\SUPERAntiSpyware.com
2008-04-09 07:38 . 2008-04-09 07:38 1,239,357 --a------ C:\MGtools.exe
2008-04-08 21:05 . 2008-03-29 12:45 1,146,232 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-04-08 21:05 . 2004-01-09 03:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-04-08 21:05 . 2008-03-29 12:23 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-04-08 21:05 . 2008-03-29 12:35 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-04-08 21:05 . 2008-01-17 10:34 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-04-08 21:05 . 2008-03-29 12:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
2008-04-08 21:05 . 2008-03-29 12:27 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-04-08 21:05 . 2008-03-29 12:26 26,944 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-04-08 21:05 . 2008-03-29 12:29 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-04-08 21:05 . 2008-03-29 12:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-04-05 17:10 . 2008-04-05 17:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\U3
2008-04-05 17:04 . 2008-04-05 18:12 <DIR> d-------- C:\Documents and Settings\Linda Kristina\Application Data\U3
2008-04-05 17:03 . 2004-08-04 00:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-04-05 10:10 . 2008-04-05 10:10 <DIR> d-------- C:\WINDOWS\system32\windows media
2008-04-05 10:10 . 2008-04-05 10:10 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-04-05 10:10 . 2008-04-05 10:10 <DIR> d-------- C:\Program Files\Windows Media Components
2008-04-05 10:09 . 2008-04-05 15:21 737,280 --a------ C:\WINDOWS\iun6002.exe
2008-04-04 22:40 . 2006-10-26 20:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-04-04 22:36 . 2008-04-04 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-21 14:18 . 2008-03-21 14:18 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-03-21 14:17 . 2007-10-22 19:58 1,721,712 --------- C:\WINDOWS\system32\InetClnt.dll
2008-03-16 19:58 . 2008-03-16 19:58 <DIR> d--h----- C:\WINDOWS\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-11 16:55 --------- d-----w C:\Documents and Settings\Linda Kristina\Application Data\ComcastToolbar
2008-04-10 00:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-21 19:21 --------- d-----w C:\Documents and Settings\Linda Kristina\Application Data\Intuit
2008-03-21 19:17 --------- d-----w C:\Program Files\Common Files\Intuit
2008-03-20 12:03 --------- d-----w C:\Program Files\CrossTrainerII
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((( [email protected]_23.07.47.21 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-10 00:09:44 58,800 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-11 04:08:54 58,800 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-10 00:09:44 392,626 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-11 04:08:54 392,626 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ParetoLogic Anti-Spyware"="C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" [2007-08-01 13:56 2643312]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
"{51C55F9E-C308-4c95-89AB-8858D8AFD819}"= C:\Program Files\ParetoLogic\Anti-Spyware\PASShlExt.dll [2007-04-11 17:47 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LaunchU3.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LaunchU3.exe.lnk
backup=C:\WINDOWS\pss\LaunchU3.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 11:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Auto EPSON Stylus CX3800 Series (Copy 1) on LMK-XP]
--a------ 2005-02-07 22:00 98304 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Auto EPSON Stylus CX3800 Series on LMK-XP]
--a------ 2005-02-07 22:00 98304 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2008-04-10 22:21 79224 E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
--a------ 2007-04-19 15:21 198184 C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater]
--a------ 2004-03-10 16:16 204800 E:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
--a------ 2006-11-15 22:01 244512 C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-07-06 18:33 282624 E:\Program Files\QuickTime_4\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2005-01-12 03:01 32768 E:\Program Files\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-02-29 16:03 1481968 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2006-08-07 02:04 688128 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\dnloads\\eMule\\eMule.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"E:\\EMule Extracts\\EMule.46c\\emule.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"D:\\dnloads\\eMule\\eMule_II\\eMule.exe"=
"D:\\Program Files\\EMule\\emule.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R0 hpt3xx;hpt3xx;C:\WINDOWS\system32\drivers\hpt3xx.sys [2004-01-05 04:10]
R0 hptpro;hptpro;C:\WINDOWS\system32\drivers\hptpro.sys [2003-01-27 10:12]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 12:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 12:35]
S1 srosa;Megadrv3;C:\WINDOWS\system32\drivers\srosa.sys []
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2005-02-16 03:06]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17282e89-0346-11dd-a3b2-000103c623f3}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-04-11 01:37:31 C:\WINDOWS\Tasks\Pareto UNS.job"
- C:\Program Files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe
"2008-04-11 12:03:04 C:\WINDOWS\Tasks\ParetoLogic Anti-Spyware.job"
- C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe
"2008-04-11 05:33:00 C:\WINDOWS\Tasks\ParetoLogic Update.job"
- C:\Program Files\Common Files\ParetoLogic\UUS\Pareto_Update.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-11 13:37:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\devldr32.exe
.
**************************************************************************
.
Completion time: 2008-04-11 13:40:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-11 18:40:24
ComboFix2.txt 2008-04-11 16:48:36
ComboFix3.txt 2008-04-11 15:36:42
ComboFix4.txt 2008-04-11 12:01:22
Pre-Run: 1,106,370,560 bytes free
Post-Run: 1,038,004,224 bytes free



MBAM Log
Infected:
HKEY_CLASSES_ROOT\cpbrkpie.coupon6ctrl.1 (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e780f0b-bcd6-40cb-b2db-7af47ab4d4a4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a138be8b-f051-4802-9a3f-a750a6d862d4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{43e7b8b8-0c4a-45a9-b94c-5f5b078d68d8} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\vnbptxlf.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Attached Files


  • 0

#8
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,962 posts
Hi, Linda68 :)

The trojan is being re-written at startup.

Download GMER's MBR.exe to your desktop.

Double click on the MBR.exe file to run it. A log will be produced, MBR.log. Please open this log in Notepad and post its contents in your next reply.

Please download gmer rootkit detector from the following link:

Link 1
  • Unzip it and double click the gmer.exe file
  • Select rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Press scan
  • When it has finished press save & post back the log it makes
  • Repeat the proces with the Autostarts tab and do the same there
Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.
  • Save it to the desktop.
  • Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
  • You will receive a prompt:
    • Do you want to skip supplementary searches?
      click NO
  • If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

Download the enclosed folder. It containd a batch file, Filelist.bat. Once extracted, double click on this file and post the report it will produce.

1. Launch Notepad, and copy/paste the contents of the quote box below into a new Notepad file. Save it with file name options.txt and save as file type: all files to your desktop.

RegSearch Options File

[Search]
srosa

[Exclude]

[Options]
Filter=KVDLUI



2. Download Registry Search to your desktop.
  • Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
  • Open the new folder, and double click on regsearch.exe
  • Click "Import" in the lower left corner and browse to the options.txt file that you just saved on your desktop. Do not choose the one in the RegSearch folder itself.
  • Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
  • Please reply here with the entire contents of the Notepad file from RegSearch.

These reports will be huge. Rather than copying and paste, scroll down to attachments and attach all these reports.
  • 0

#9
Linda68

Linda68

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
Hi :)
Sorry for the long return time, had to step out. I ran the mbr.log. It is attached. I received an error trying to run gmer.exe. I have attached it. I didn't do the other steps because I didn't know if gmer had to execute.

Linda

Attached Files


  • 0

#10
Linda68

Linda68

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
Sorry, looks like mbr.log didn't upload.
This is the file ...

------------------------------------------------------------------------
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
  • 0

Advertisements


#11
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,962 posts

Sorry, looks like mbr.log didn't upload.
This is the file ...

------------------------------------------------------------------------
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

This is the information I expected. Means the Boot Record haven't been infected.. How about Silent Runners, FileList and Regsearch?

================================================


  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop

File::
C:\WINDOWS\system32\drivers\mdelk.exe
C:\WINDOWS\system32\drivers\srosa.sys

Driver::
srosa

Suspect::
C:\QooBox\Quarantine\CWINDOWS\system32\drivers\hldrrr.exe.vir
C:\QooBox\Quarantine\CWINDOWS\system32\drivers\srosa.sys.vir
C:\QooBox\Quarantine\CWINDOWS\system32\mdelk.exe.vir
C:\QooBox\Quarantine\CWINDOWS\system32\wintems.exe.vir


Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log..

Additonally, ComboFix will generate a zipped file on your desktop called Submit [Date Time].zip
Please submit this file to:

http://www.bleepingc...e.php?channel=4

Please include a link to this topic in the message.
  • 0

#12
Linda68

Linda68

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
I'll get the last report to you in a few minutes.
Here are the previous logs.

Attached Files


  • 0

#13
Linda68

Linda68

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
Here is the combofix file

Attached Files


  • 0

#14
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,962 posts
For better reading:

ComboFix 08-04-10.7 - Linda Kristina 2008-04-11 18:13:28.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.69 [GMT -5:00]
Running from: C:\Documents and Settings\Linda Kristina\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\Linda Kristina\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\drivers\mdelk.exe
C:\WINDOWS\system32\drivers\srosa.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ban_list.txt
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\mdelk.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\wintems.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SROSA


((((((((((((((((((((((((( Files Created from 2008-03-11 to 2008-04-11 )))))))))))))))))))))))))))))))
.

2008-04-11 13:54 . 2008-04-11 17:18 <DIR> d-------- C:\WINDOWS\system32\drivers\downld
2008-04-11 13:43 . 2008-04-11 13:43 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-11 13:43 . 2008-04-11 13:43 <DIR> d-------- C:\Documents and Settings\Linda Kristina\Application Data\Malwarebytes
2008-04-11 13:43 . 2008-04-11 13:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-11 10:20 . 2008-04-11 11:52 <DIR> d-------- C:\Geeks_New
2008-04-10 20:36 . 2008-04-10 20:36 <DIR> d-------- C:\Program Files\ParetoLogic
2008-04-10 20:36 . 2008-04-10 20:36 <DIR> d-------- C:\Program Files\Common Files\ParetoLogic
2008-04-10 20:36 . 2008-04-10 20:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware
2008-04-10 20:31 . 2008-04-10 21:49 <DIR> d-------- C:\paretologic
2008-04-09 21:51 . 2008-04-09 21:51 <DIR> d-------- C:\Documents and Settings\Linda Kristina\Application Data\Thinstall
2008-04-09 21:51 . 2008-04-09 21:21 12,828,619 --a------ C:\RegCure 1.5.exe
2008-04-09 20:11 . 2008-04-09 21:00 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-09 20:11 . 2008-04-09 21:00 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-09 19:54 . 2008-04-09 19:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-09 19:54 . 2008-04-09 19:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-09 19:53 . 2008-04-09 19:53 <DIR> d-------- C:\Program Files\CCleaner
2008-04-09 07:42 . 2008-04-09 19:54 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-09 07:42 . 2008-04-09 07:42 <DIR> d-------- C:\Documents and Settings\Linda Kristina\Application Data\SUPERAntiSpyware.com
2008-04-09 07:38 . 2008-04-09 07:38 1,239,357 --a------ C:\MGtools.exe
2008-04-08 21:05 . 2008-03-29 12:45 1,146,232 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-04-08 21:05 . 2004-01-09 03:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-04-08 21:05 . 2008-03-29 12:23 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-04-08 21:05 . 2008-03-29 12:35 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-04-08 21:05 . 2008-01-17 10:34 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-04-08 21:05 . 2008-03-29 12:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
2008-04-08 21:05 . 2008-03-29 12:27 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-04-08 21:05 . 2008-03-29 12:26 26,944 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-04-08 21:05 . 2008-03-29 12:29 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-04-08 21:05 . 2008-03-29 12:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-04-05 17:10 . 2008-04-05 17:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\U3
2008-04-05 17:04 . 2008-04-05 18:12 <DIR> d-------- C:\Documents and Settings\Linda Kristina\Application Data\U3
2008-04-05 17:03 . 2004-08-04 00:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-04-05 10:10 . 2008-04-05 10:10 <DIR> d-------- C:\WINDOWS\system32\windows media
2008-04-05 10:10 . 2008-04-05 10:10 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-04-05 10:10 . 2008-04-05 10:10 <DIR> d-------- C:\Program Files\Windows Media Components
2008-04-05 10:09 . 2008-04-05 15:21 737,280 --a------ C:\WINDOWS\iun6002.exe
2008-04-04 22:40 . 2006-10-26 20:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-04-04 22:36 . 2008-04-04 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-21 14:18 . 2008-03-21 14:18 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-03-21 14:17 . 2007-10-22 19:58 1,721,712 --------- C:\WINDOWS\system32\InetClnt.dll
2008-03-16 19:58 . 2008-03-16 19:58 <DIR> d--h----- C:\WINDOWS\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-11 21:46 --------- d-----w C:\Documents and Settings\Linda Kristina\Application Data\ComcastToolbar
2008-04-10 00:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-21 19:21 --------- d-----w C:\Documents and Settings\Linda Kristina\Application Data\Intuit
2008-03-21 19:17 --------- d-----w C:\Program Files\Common Files\Intuit
2008-03-20 12:03 --------- d-----w C:\Program Files\CrossTrainerII
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((( [email protected]_23.07.47.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-04 01:29:06 761,856 ----a-w C:\WINDOWS\gmer.exe
+ 2008-04-11 22:16:31 68,512 ----a-w C:\WINDOWS\system32\drivers\downld\13204887.exe
+ 2008-04-11 22:16:50 715,780 ----a-w C:\WINDOWS\system32\drivers\downld\13219648.exe
+ 2008-04-11 19:12:06 68,512 ----a-w C:\WINDOWS\system32\drivers\downld\2142560.exe
+ 2008-04-11 19:50:01 68,512 ----a-w C:\WINDOWS\system32\drivers\downld\4414728.exe
+ 2008-04-11 19:50:22 715,780 ----a-w C:\WINDOWS\system32\drivers\downld\4432483.exe
+ 2008-04-11 19:52:43 68,512 ----a-w C:\WINDOWS\system32\drivers\downld\4574778.exe
+ 2008-04-11 19:53:01 715,780 ----a-w C:\WINDOWS\system32\drivers\downld\4592744.exe
+ 2008-04-11 20:24:34 68,512 ----a-w C:\WINDOWS\system32\drivers\downld\6490623.exe
+ 2008-04-11 20:24:47 715,780 ----a-w C:\WINDOWS\system32\drivers\downld\6498003.exe
+ 2008-04-11 20:28:31 68,512 ----a-w C:\WINDOWS\system32\drivers\downld\6724749.exe
- 2008-04-10 00:09:44 58,800 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-11 04:08:54 58,800 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-10 00:09:44 392,626 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-11 04:08:54 392,626 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ParetoLogic Anti-Spyware"="C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" [2007-08-01 13:56 2643312]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
"{51C55F9E-C308-4c95-89AB-8858D8AFD819}"= C:\Program Files\ParetoLogic\Anti-Spyware\PASShlExt.dll [2007-04-11 17:47 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LaunchU3.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LaunchU3.exe.lnk
backup=C:\WINDOWS\pss\LaunchU3.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 11:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Auto EPSON Stylus CX3800 Series (Copy 1) on LMK-XP]
--a------ 2005-02-07 22:00 98304 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Auto EPSON Stylus CX3800 Series on LMK-XP]
--a------ 2005-02-07 22:00 98304 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2008-04-10 22:21 79224 E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
--a------ 2007-04-19 15:21 198184 C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater]
--a------ 2004-03-10 16:16 204800 E:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
--a------ 2006-11-15 22:01 244512 C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-07-06 18:33 282624 E:\Program Files\QuickTime_4\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2005-01-12 03:01 32768 E:\Program Files\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-02-29 16:03 1481968 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2006-08-07 02:04 688128 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\dnloads\\eMule\\eMule.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"E:\\EMule Extracts\\EMule.46c\\emule.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"D:\\dnloads\\eMule\\eMule_II\\eMule.exe"=
"D:\\Program Files\\EMule\\emule.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R0 hpt3xx;hpt3xx;C:\WINDOWS\system32\drivers\hpt3xx.sys [2004-01-05 04:10]
R0 hptpro;hptpro;C:\WINDOWS\system32\drivers\hptpro.sys [2003-01-27 10:12]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 12:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 12:35]
S1 srosa;Megadrv3;C:\WINDOWS\system32\drivers\srosa.sys []
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2005-02-16 03:06]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17282e89-0346-11dd-a3b2-000103c623f3}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-04-11 01:37:31 C:\WINDOWS\Tasks\Pareto UNS.job"
- C:\Program Files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe
"2008-04-11 12:03:04 C:\WINDOWS\Tasks\ParetoLogic Anti-Spyware.job"
- C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe
"2008-04-11 05:33:00 C:\WINDOWS\Tasks\ParetoLogic Update.job"
- C:\Program Files\Common Files\ParetoLogic\UUS\Pareto_Update.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-11 18:17:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\devldr32.exe
.
**************************************************************************
.
Completion time: 2008-04-11 18:21:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-11 23:21:41
ComboFix2.txt 2008-04-11 18:40:35
ComboFix3.txt 2008-04-11 16:48:36
ComboFix4.txt 2008-04-11 15:36:42
ComboFix5.txt 2008-04-11 12:01:22
Pre-Run: 1,013,223,424 bytes free
Post-Run: 998,600,704 bytes free
  • 0

#15
Linda68

Linda68

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
Hello :)
Honestly, that entire file is foreign to me ...

Linda
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP