Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

WIN HUER 32 / WIN 32. JUNKPOLY [CRYP]

Started by mmindz , Feb 17 2009 09:26 PM

Please log in to reply

#1
mmindz

Posted 17 February 2009 - 09:26 PM

Member

Member
22 posts

Hi,

I had downloaded Malware, unfortunately since system restore point was not turned off, I believe that the virus restored itself. I am stuck with this on my system downloaded Smitfrawud, SDFix, SmitfraudFix and Avast. Please advise on what I can do other than reformat....

#2
kahdah

Posted 18 February 2009 - 07:19 AM

GeekU Teacher

Retired Staff
15,822 posts

Hello mmindz

Welcome to G2Go.

=====================

Please download DDS and save it to your desktop.

Disable any script blocking protection
Double click dds.scr to run the tool.
When done, DDS.txt will open.
Click Yes at the next prompt for Optional Scan.
Save both reports to your desktop.

---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.
================
Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

Click NO
In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.
GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

#3
mmindz

Posted 18 February 2009 - 06:08 PM

Member

Topic Starter
Member
22 posts

Hi Kahdah,

Thanks for taking this on, I have attached the three files, and I have posted the contents of them.

--- DDS.txt

DDS (Ver_09-02-01.01) - NTFSx86
Run by Administrator at 18:47:15.34 on 18/02/2009
Internet Explorer: 7.0.5730.13
AV: Bitdefender Antivirus *On-access scanning enabled* (Updated)
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)
AV: avast! antivirus 4.8.1335 [VPS 090205-1] *On-access scanning enabled* (Outdated)

============== Running Processes ===============

============== Pseudo HJT Report ===============

BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: NoExplorer - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: RefresherBand Class: {b24ba06e-fb7b-4757-95c2-dc01125f750e} - c:\progra~1\yrefre~1\YREFRE~1.DLL
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [l9qbhggku2jkg9x6r7cd9u97tl2nikb7nvoa1] c:\windows\temp\pjnh7yw90a.exe
dRun: [reader_s] c:\documents and settings\ask\reader_s.exe
dRun: [services] c:\windows\services.exe
mExplorerRun: [xccinit] c:\windows\system32\inf\rundll33.exe c:\windows\xccdf16_090131a.dll xccd16
dExplorerRun: [services] c:\windows\services.exe
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: &windows live search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: add to windows &live favorites - http://favorites.liv...m/quickadd.aspx
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\npjpi160_07.dll
LSP: c:\docume~1\admini~1\locals~1\temp\ntdll64.dll
DPF: {5d86ddb5-bdf9-441b-9e9e-d4730f4ee499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: fcccaxwp - fcccaxWP.dll
AppInit_DLLs: kkfemp.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\fccywtut

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2009-02-17 21:36 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-02-17 21:20 <DIR> --d----- c:\docume~1\admini~1\applic~1\Bitdefender
2009-02-17 20:54 102,912 a------- c:\windows\system32\IEDFix.C.exe
2009-02-17 20:54 100,864 a------- c:\windows\system32\o4Patch.exe
2009-02-17 20:54 97,792 a------- c:\windows\system32\Agent.OMZ.Fix.exe
2009-02-17 20:54 107,008 a------- c:\windows\system32\VACFix.exe
2009-02-17 20:54 102,912 a------- c:\windows\system32\IEDFix.exe
2009-02-17 20:54 46,080 a------- c:\windows\system32\WS2Fix.exe
2009-02-17 20:54 289,144 a------- c:\windows\system32\VCCLSID.exe
2009-02-17 20:54 98,304 a------- c:\windows\system32\swxcacls.exe
2009-02-17 20:54 288,417 a------- c:\windows\system32\SrchSTS.exe
2009-02-17 20:54 68,608 a------- c:\windows\system32\dumphive.exe
2009-02-17 20:54 73,728 a------- c:\windows\system32\Process.exe
2009-02-17 20:32 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-02-17 20:31 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-17 20:31 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-02-17 20:31 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-02-17 20:31 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-02-17 20:30 <DIR> --d----- c:\program files\AVG
2009-02-17 20:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-02-17 20:25 221,184 a------- c:\windows\system32\wmpns.dll
2009-02-17 20:16 <DIR> --d----- c:\windows\pss
2009-02-17 17:28 <DIR> --d----- c:\program files\Softwin
2009-02-17 17:26 <DIR> --d----- c:\program files\common files\Softwin
2009-02-17 16:57 172 a------- c:\windows\system32\1CC.tmp
2009-02-16 23:42 33,920 a------- c:\windows\system32\drivers\twinnlia.sys
2009-02-16 23:35 <DIR> --d----- c:\documents and settings\Administrator
2009-02-16 23:30 0 a------- c:\windows\system32\drivers\senekayvairxek.sys
2009-02-16 23:20 52 a------- c:\windows\system32\xcchit32.ini.ssyq
2009-02-16 23:06 137,760 a------- c:\windows\system32\drivers\ethbqkee.sys
2009-02-16 23:04 61 a------- c:\windows\system32\xcchit32.ini.tmp
2009-02-16 23:04 <DIR> --d----- c:\windows\system32\3361
2009-02-16 23:04 108,336 a------- c:\windows\system32\MSWINSCK.OCX
2009-02-16 23:03 405,504 a------- c:\windows\system32\tmpxccacj0.exe
2009-02-16 23:03 172 a------- c:\windows\system32\1C1.tmp
2009-02-16 22:15 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-16 22:15 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-16 22:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-16 22:15 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-16 22:02 <DIR> --d----- c:\program files\Enigma Software Group
2009-02-16 18:52 172 a------- c:\windows\system32\1BB.tmp
2009-02-16 18:50 4 a------- c:\windows\xczuokls
2009-02-16 18:43 172 a------- c:\windows\system32\1C2.tmp
2009-02-16 18:32 172 a------- c:\windows\system32\1B6.tmp
2009-02-16 18:25 172 a------- c:\windows\system32\1D0.tmp
2009-02-16 18:15 172 a------- c:\windows\system32\1CA.tmp
2009-02-16 18:04 172 a------- c:\windows\system32\1C3.tmp
2009-02-16 17:53 172 a------- c:\windows\system32\1BD.tmp
2009-02-16 17:42 172 a------- c:\windows\system32\1B7.tmp
2009-02-16 17:27 6 a------- c:\windows\_id.dat
2009-02-16 17:27 130 a------- c:\windows\adobe.bat
2009-02-16 17:27 172 a------- c:\windows\system32\1B0.tmp
2009-02-16 17:00 122,880 a------- c:\windows\system32\_kkfemp.dll
2009-02-16 17:00 122,880 a------- c:\windows\system32\hhepqqey.dll
2009-02-16 17:00 31,830 a--sh--- c:\windows\system32\tutwyccf.ini2
2009-02-16 17:00 31,830 a--sh--- c:\windows\system32\tutwyccf.ini
2009-02-16 16:59 297,984 a------- c:\windows\system32\_fccywtut.dll
2009-02-16 15:57 172 a------- c:\windows\system32\1EA.tmp
2009-02-16 15:56 0 a------- c:\windows\system32\1C7.tmp
2009-02-16 15:56 676,352 a------- c:\windows\system32\rtl60.bpl
2009-02-16 15:56 260,096 a------- c:\windows\system32\tpszxyd.sys
2009-02-16 15:56 159,232 a------- c:\windows\system32\w.exe
2009-02-16 15:56 198 a------- c:\windows\system32\xcchit32.ini
2009-02-16 15:55 67,072 ----h--- c:\windows\system32\secupdat.dat
2009-02-16 15:55 53,248 a------- c:\windows\system32\drivers\ndisio.sys
2009-02-16 15:55 609 a------- c:\windows\xccwinsys.ini
2009-02-16 15:55 <DIR> --d----- c:\windows\system32\inf
2009-02-16 15:55 172 a------- c:\windows\system32\1AD.tmp
2009-02-16 15:52 47,616 a------- c:\windows\system32\ljJDWQJB.dll
2009-02-16 15:45 89,388 a------- c:\windows\system32\drivers\f706ec8b.sys
2009-02-16 15:45 509 a------- c:\windows\system32\win32hlp.cnf
2009-02-16 15:44 1 a------- c:\windows\system32\uniq.tll
2009-02-16 15:44 44,032 a------- C:\xyephkl.exe
2009-02-16 15:44 102,912 a------- C:\dykhyp.exe
2009-02-16 15:44 2 a------- C:\-195762547
2009-02-16 15:44 15,000 a------- c:\windows\system32\_hs78344kjkfd.dll
2009-02-16 15:43 30,332 a--sh--- c:\windows\system32\tAyJPXyb.ini
2009-02-16 15:43 372 a--sh--- c:\windows\system32\tAyJPXyb.ini2
2009-02-16 15:43 1,312 a------- c:\windows\mwgorzqr
2009-02-16 15:43 297,984 a------- c:\windows\system32\byXPJyAt.dll.vir
2009-02-16 15:38 47,616 a------- c:\windows\system32\byXPFUKa.dll
2009-02-13 15:30 244 a---h--- C:\sqmnoopt17.sqm
2009-02-13 15:30 232 a---h--- C:\sqmdata17.sqm
2009-01-21 18:32 <DIR> --d----- c:\program files\common files\AnswerWorks 5.0
2009-01-21 18:32 3,523,872 a------- c:\windows\system32\cdintf300.dll
2009-01-21 18:32 1,848,608 a------- c:\windows\system32\acXMLParser.dll
2009-01-21 18:32 <DIR> --d----- c:\program files\common files\Intuit
2009-01-21 18:31 <DIR> --d----- c:\program files\Quicken
2009-01-21 18:31 165 a------- c:\windows\QUICKEN.INI
2009-01-21 18:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intuit

==================== Find3M ====================

2009-02-17 21:04 90,112 a------- c:\windows\DUMP82fb.tmp
2009-02-17 20:05 90,112 a------- c:\windows\DUMPe5c7.tmp
2009-02-17 19:58 81,984 a------- c:\windows\system32\bdod.bin
2009-02-16 18:32 65,536 a------- c:\windows\DUMP86f2.tmp
2009-02-16 17:30 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-02-16 15:45 121,856 a------- c:\windows\system32\userinit.exe
2009-01-15 16:45 132 a------- C:\httpdwl.dat
2008-12-20 18:15 826,368 a------- c:\windows\system32\wininet.dll

============= FINISH: 18:47:41.39 ===============

Attached Files

DDS.txt 10.11KB 352 downloads
Attach.txt 9.27KB 274 downloads

#4
mmindz

Posted 18 February 2009 - 06:10 PM

Member

Topic Starter
Member
22 posts

Second file ATTACH.txt----

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-02-01.01)

==== Disk Partitions =========================

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

6300
6300_Help
6300Trb
Add or Remove Adobe Creative Suite 3 Master Collection
Adobe Acrobat 8 Professional
Adobe Acrobat 8.1.2 Professional
Adobe After Effects CS3
Adobe After Effects CS3 Presets
Adobe After Effects CS3 Template Projects & Footage
Adobe After Effects CS3 Third Party Content
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Contribute CS3
Adobe Creative Suite 3 Master Collection
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe Encore CS3
Adobe Encore CS3 Library
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Fireworks CS3
Adobe Flash CS3
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Flash Video Encoder
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe InDesign CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Premiere Pro CS3
Adobe Premiere Pro CS3 Functional Content
Adobe Premiere Pro CS3 Third Party Content
Adobe Setup
Adobe SING CS3
Adobe Soundbooth CS3
Adobe Soundbooth CS3 Codecs
Adobe Soundbooth CS3 Scores
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Version Cue CS3 Server
Adobe Video Profiles
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
AHV content for Acrobat and Flash
AiO_Scan_CDA
AiOSoftwareNPI
ANIO Service
ANIWZCS2 Service
AnswerWorks 5.0 English Runtime
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
Autodesk Backburner 2008.0.0
AutoUpdate
avast! Antivirus
AVG Free 8.0
BitDefender Free Edition v10
Bonjour
BufferChm
Combustion 2008
Compatibility Pack for the 2007 Office system
Core FTP Pro 2.1
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
cp_PosterPrintConfig
CueTour
CustomerResearchQFolder
Destinations
DeviceFunctionQFolder
DeviceManagementQFolder
DivX Codec
DivX Converter
DivX Player
DivX Web Player
DocProc
DocumentViewer
DocumentViewerQFolder
Driver Updater Pro
eSupportQFolder
Fax_CDA
FullDPAppQFolder
Highlight Viewer (Windows Live Toolbar)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB952287)
HP Document Viewer 6.1
HP Extended Capabilities 6.1
HP Imaging Device Functions 6.1
HP Photosmart Premier Software 6.1
HP PSC & OfficeJet 6.1.A
HP Software Update
HP Solution Center and Imaging Support Tools 6.1
HPProductAssistant
InstantShareDevices
iTunes
Java™ 6 Update 5
Java™ 6 Update 7
Malwarebytes' Anti-Malware
Map Button (Windows Live Toolbar)
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
MSN
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
MySQL Connector/ODBC 3.51
MySQL Server 5.0
NewCopy_CDA
NVIDIA Drivers
Opera 9.27
PanoStandAlone
particleIllusion 3.0
particleIllusion 3.0.2
PDF Settings
PE Explorer 1.99 R2
PhotoGallery
ProductContextNPI
Quicken 2009
QuickTime
RandMap
Readme
Realtek AC'97 Audio
Resource Tuner 1.99 R3
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler
Roxio Update Manager
Scan
ScannerCopy
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960715)
SkinsHP1
Smart Menus (Windows Live Toolbar)
Software Update for Web Folders
SolutionCenter
Sonic Activation Module
Sonic_PrimoSDK
SpyHunter
Status
Swift 3D Version 1.00
SWiSH Max2
Toolbox
TrayApp
Unload
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
VC8MSI
WebReg
Windows Internet Explorer 7
Windows Live Favorites for Windows Live Toolbar
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows XP Hotfix - KB885884
WinRAR archiver
Wireless G WUA-1340
Workspace Macro Pro 6.5
Yrefresher 1.00

==== End Of File ===========================

#5
mmindz

Posted 18 February 2009 - 06:13 PM

Member

Topic Starter
Member
22 posts

And the last - gmer.txt ----

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-18 19:12:01
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.14 ----

Code 864FC480 pIofCallDriver

---- Kernel code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\drivers\twinnlia.sys section is writeable [0xF74D8000, 0x2B80, 0xEC000040]
.reloc C:\WINDOWS\system32\drivers\twinnlia.sys section is executable [0xF74DEE40, 0x640, 0xEE000040]
? C:\WINDOWS\system32\drivers\twinnlia.sys Access is denied.
.text C:\WINDOWS\system32\DRIVERS\ndisio.sys section is writeable [0xF69C2000, 0x2800, 0xEC000040]
.reloc C:\WINDOWS\system32\DRIVERS\ndisio.sys section is executable [0xF69CCFA0, 0x1060, 0xEE000040]
? C:\WINDOWS\system32\DRIVERS\ndisio.sys Access is denied.

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\spoolsv.exe[156] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FF93E1B
.text C:\WINDOWS\system32\spoolsv.exe[156] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FF93EAA
.text C:\WINDOWS\system32\spoolsv.exe[156] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FF93EB7
.text C:\WINDOWS\system32\spoolsv.exe[156] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FF93EA0
.text C:\WINDOWS\system32\spoolsv.exe[156] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FF93EF8
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[296] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FF93E1B
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[296] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FF93EAA
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[296] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FF93EB7
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[296] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FF93EA0
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[296] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FF93EF8
.text C:\WINDOWS\system32\nvsvc32.exe[412] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E1B
.text C:\WINDOWS\system32\nvsvc32.exe[412] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\nvsvc32.exe[412] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EB7
.text C:\WINDOWS\system32\nvsvc32.exe[412] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3EA0
.text C:\WINDOWS\system32\nvsvc32.exe[412] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EF8
.text C:\WINDOWS\system32\HPZipm12.exe[444] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E1B
.text C:\WINDOWS\system32\HPZipm12.exe[444] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\HPZipm12.exe[444] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EB7
.text C:\WINDOWS\system32\HPZipm12.exe[444] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3EA0
.text C:\WINDOWS\system32\HPZipm12.exe[444] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EF8
.text C:\WINDOWS\system32\svchost.exe[520] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E1B
.text C:\WINDOWS\system32\svchost.exe[520] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\svchost.exe[520] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EB7
.text C:\WINDOWS\system32\svchost.exe[520] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3EA0
.text C:\WINDOWS\system32\svchost.exe[520] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EF8
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[740] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FF93E1B
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[740] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FF93EAA
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[740] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FF93EB7
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[740] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FF93EA0
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[740] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FF93EF8
.text C:\Program Files\AVG\AVG8\avgcsrvx.exe[820] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E1B
.text C:\Program Files\AVG\AVG8\avgcsrvx.exe[820] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\AVG\AVG8\avgcsrvx.exe[820] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EB7
.text C:\Program Files\AVG\AVG8\avgcsrvx.exe[820] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3EA0
.text C:\Program Files\AVG\AVG8\avgcsrvx.exe[820] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EF8
.text C:\WINDOWS\system32\winlogon.exe[1156] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FF93E1B
.text C:\WINDOWS\system32\winlogon.exe[1156] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FF93EAA
.text C:\WINDOWS\system32\winlogon.exe[1156] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FF93EB7
.text C:\WINDOWS\system32\winlogon.exe[1156] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FF93EA0
.text C:\WINDOWS\system32\winlogon.exe[1156] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FF93EF8
.text C:\WINDOWS\system32\services.exe[1200] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FF93E1B
.text C:\WINDOWS\system32\services.exe[1200] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FF93EAA
.text C:\WINDOWS\system32\services.exe[1200] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FF93EB7
.text C:\WINDOWS\system32\services.exe[1200] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FF93EA0
.text C:\WINDOWS\system32\services.exe[1200] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FF93EF8
.text C:\WINDOWS\system32\lsass.exe[1216] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FF93E1B
.text C:\WINDOWS\system32\lsass.exe[1216] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FF93EAA
.text C:\WINDOWS\system32\lsass.exe[1216] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FF93EB7
.text C:\WINDOWS\system32\lsass.exe[1216] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FF93EA0
.text C:\WINDOWS\system32\lsass.exe[1216] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FF93EF8
.text C:\WINDOWS\system32\svchost.exe[1392] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E1B
.text C:\WINDOWS\system32\svchost.exe[1392] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\svchost.exe[1392] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EB7
.text C:\WINDOWS\system32\svchost.exe[1392] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3EA0
.text C:\WINDOWS\system32\svchost.exe[1392] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EF8
.text C:\WINDOWS\system32\svchost.exe[1448] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E1B
.text C:\WINDOWS\system32\svchost.exe[1448] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\svchost.exe[1448] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EB7
.text C:\WINDOWS\system32\svchost.exe[1448] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3EA0
.text C:\WINDOWS\system32\svchost.exe[1448] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EF8
.text C:\WINDOWS\System32\svchost.exe[1480] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FF83E1B
.text C:\WINDOWS\System32\svchost.exe[1480] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FF83EAA
.text C:\WINDOWS\System32\svchost.exe[1480] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FF83EB7
.text C:\WINDOWS\System32\svchost.exe[1480] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FF83EA0
.text C:\WINDOWS\System32\svchost.exe[1480] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FF83EF8
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E1B
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EB7
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3EA0
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EF8
.text C:\WINDOWS\system32\svchost.exe[1688] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E1B
.text C:\WINDOWS\system32\svchost.exe[1688] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\svchost.exe[1688] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EB7
.text C:\WINDOWS\system32\svchost.exe[1688] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3EA0
.text C:\WINDOWS\system32\svchost.exe[1688] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EF8
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[2120] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E1B
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[2120] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3EAA
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[2120] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EB7
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[2120] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3EA0
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[2120] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EF8
.text C:\WINDOWS\Explorer.EXE[2408] Explorer.EXE 0101A57C 4 Bytes [ FF, 15, 1C, 11 ]
.text C:\WINDOWS\Explorer.EXE[2408] C:\WINDOWS\Explorer.EXE section is writeable [0x01001000, 0x44B99, 0xE0000060]
.reloc C:\WINDOWS\Explorer.EXE[2408] C:\WINDOWS\Explorer.EXE section is executable [0x010FB000, 0x8800, 0xE2000060]
.text C:\WINDOWS\Explorer.EXE[2408] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E1B
.text C:\WINDOWS\Explorer.EXE[2408] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\Explorer.EXE[2408] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EB7
.text C:\WINDOWS\Explorer.EXE[2408] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3EA0
.text C:\WINDOWS\Explorer.EXE[2408] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EF8
.text C:\Program Files\AVG\AVG8\avgcsrvx.exe[2436] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E1B
.text C:\Program Files\AVG\AVG8\avgcsrvx.exe[2436] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\AVG\AVG8\avgcsrvx.exe[2436] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EB7
.text C:\Program Files\AVG\AVG8\avgcsrvx.exe[2436] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3EA0
.text C:\Program Files\AVG\AVG8\avgcsrvx.exe[2436] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EF8
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[2540] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E1B
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[2540] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[2540] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EB7
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[2540] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3EA0
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[2540] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EF8
? C:\WINDOWS\system32\svchost.exe[2564] image checksum mismatch; time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[2564] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E1B
.text C:\WINDOWS\system32\svchost.exe[2564] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\svchost.exe[2564] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EB7
.text C:\WINDOWS\system32\svchost.exe[2564] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3EA0
.text C:\WINDOWS\system32\svchost.exe[2564] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EF8
.text C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe[2848] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E1B
.text C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe[2848] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe[2848] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EB7
.text C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe[2848] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3EA0
.text C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe[2848] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EF8
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[2860] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E1B
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[2860] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3EAA
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[2860] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EB7
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[2860] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3EA0
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[2860] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EF8
.text C:\WINDOWS\system32\ctfmon.exe[2908] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E1B
.text C:\WINDOWS\system32\ctfmon.exe[2908] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\ctfmon.exe[2908] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EB7
.text C:\WINDOWS\system32\ctfmon.exe[2908] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3EA0
.text C:\WINDOWS\system32\ctfmon.exe[2908] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EF8
.text C:\WINDOWS\system32\dumprep.exe[2964] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E1B
.text C:\WINDOWS\system32\dumprep.exe[2964] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\dumprep.exe[2964] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EB7
.text C:\WINDOWS\system32\dumprep.exe[2964] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3EA0
.text C:\WINDOWS\system32\dumprep.exe[2964] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EF8
.text C:\WINDOWS\system32\rundll32.exe[3100] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E1B
.text C:\WINDOWS\system32\rundll32.exe[3100] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\rundll32.exe[3100] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EB7
.text C:\WINDOWS\system32\rundll32.exe[3100] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3EA0
.text C:\WINDOWS\system32\rundll32.exe[3100] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EF8
.text C:\Documents and Settings\Administrator\Desktop\gmer.exe[3692] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3EA0
.text C:\Documents and Settings\Administrator\Desktop\gmer.exe[3692] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EF8

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINDOWS\system32\services.exe[1200] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[1200] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] 244C8D51
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] 1BC82B04
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] 23D0F7C0
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] 25C48BC8
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] FFFFF000
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] 0A72C83B
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!GetTokenInformation] 9459C18B
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!OpenProcessToken] 0489008B
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!OpenThreadToken] 002DC324
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!SetServiceStatus] 85000010
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] 0FE9EB00
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!RegCloseKey] 082444B7
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] 74FF5056
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] F6330C24
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] 0948E846
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!lstrlenW] C68B0000
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LocalFree] 8B55C35E
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetCurrentProcess] 18EC83EC
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetCurrentThread] DB335753
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetProcAddress] 9101FC68
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW] F05D8909
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LCMapStringW] 45890991
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!FreeLibrary] 6C15FFEC
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!lstrcpyW] 8B099100
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] 89FB3BF8
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!lstrcmpiW] 0775F47D
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!ExitProcess] EAE9C033
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetCommandLineW] 56000000
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!InitializeCriticalSection] 0068358B
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetProcessHeap] DC680991
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!SetErrorMode] 57099101
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] D068D6FF
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] 57099101
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] FFF84589
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] 01BC68D6
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] 75FF0991
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetTickCount] FFF88BF4
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] F85D39D6
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] 00AF840F
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] FB3B0000
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!TerminateProcess] 00A7840F
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] C33B0000
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LocalAlloc] 009F840F
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!lstrcmpW] 4D8D0000
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] 75FF51F0
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtQuerySecurityObject] 91006415
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlFreeHeap] 89C33B09
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey] 840FEC45
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!wcscat] 0000008E
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!wcscpy] 000288BE
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlAllocateHeap] 50535600
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlCompareUnicodeString] 006015FF
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlInitUnicodeString] F88B0991
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlInitializeSid] 7A74FB3B
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] 50FC458D
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] FC758957
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose] 83F855FF
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] 10756FF8
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor] 57FC75FF
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlQueryInformationAcl] EC75FF53
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlGetAce] 005C15FF
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlImageNtHeader] F88B0991
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!wcslen] 3B46F633
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] 8D3874FB
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlCopySid] 5750FC45
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] 8B2C75C0
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] 9C888BC7
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] 3B000001
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] 0874F04D
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerListen] C33B008B
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] 0CEBEF75
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] 01A0B883
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] 74060000
IAT C:\WINDOWS\system32\svchost.exe[2564] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] E8758903

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs twinnlia.sys

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Fastfat \FatCdrom twinnlia.sys
Device \FileSystem\Mup \Dfs twinnlia.sys
Device \FileSystem\DLAIFS_M \TfsCd twinnlia.sys
Device \Driver\NDIS \Device\Ndis [864AD982] NDIS.sys[.reloc]
Device \FileSystem\NetBIOS \Device\Netbios twinnlia.sys
Device \Driver\Tcpip \Device\Ip 85998626

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Ip ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)

Device \FileSystem\aswMon2 \Device\aswMon twinnlia.sys
Device \FileSystem\RAW \Device\RawTape twinnlia.sys
Device \FileSystem\MRxDAV \Device\WebDavRedirector twinnlia.sys
Device \FileSystem\DLACDBHM \Device\sscdbhook1 twinnlia.sys
Device \Driver\Tcpip \Device\Tcp 85998626

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp aswRdr.SYS (avast! TDI RDR Driver/ALWIL Software)

Device \Driver\avgtdix \Device\AvgTdi f706ec8b.sys
Device \FileSystem\avgmfx86 \Device\Avg7Rs twinnlia.sys
Device \FileSystem\Rdbss \Device\FsWrap twinnlia.sys
Device \FileSystem\DRVNDDM \Device\drvnddm twinnlia.sys
Device \FileSystem\Srv \Device\LanmanServer twinnlia.sys
Device \Driver\Tcpip \Device\Udp 85998626

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp aswRdr.SYS (avast! TDI RDR Driver/ALWIL Software)

Device \Driver\Tcpip \Device\RawIp 85998626

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp f706ec8b.sys
AttachedDevice \Driver\Tcpip \Device\RawIp aswRdr.SYS (avast! TDI RDR Driver/ALWIL Software)

Device \FileSystem\RAW \Device\RawDisk twinnlia.sys
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver twinnlia.sys
Device \Driver\Tcpip \Device\IPMULTICAST 85998626
Device \FileSystem\MRxSmb \Device\LanmanRedirector twinnlia.sys
Device \FileSystem\Npfs \Device\NamedPipe twinnlia.sys
Device \FileSystem\Msfs \Device\Mailslot twinnlia.sys
Device \FileSystem\RAW \Device\RawCdRom twinnlia.sys
Device \FileSystem\Mup \Device\WinDfs\Root twinnlia.sys
Device \FileSystem\Fastfat \Fat twinnlia.sys

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\DLAIFS_M \GLOBAL??\DLAIFS twinnlia.sys
Device \FileSystem\Cdfs \Cdfs twinnlia.sys
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- Threads - GMER 1.0.14 ----

Thread 4:792 85990FEB
Thread 4:796 85990FEB
Thread 4:800 85990FEB
Thread 4:804 85990FEB
Thread 4:812 85990FEB
Thread 4:816 85990FEB
Thread 4:824 85990FEB
Thread 4:828 85990FEB
Thread 4:832 85990FEB
Thread 4:836 85990FEB
Thread 4:840 85990FEB
Thread 4:844 85990FEB
Thread 4:848 85990FEB
Thread 4:852 85990FEB
Thread 4:856 85990FEB
Thread 4:860 85990FEB
Thread 4:864 85990FEB
Thread 4:868 85990FEB
Thread 4:872 85990FEB
Thread 4:876 85990FEB
Thread 4:880 85990FEB
Thread 4:884 85990FEB
Thread 4:888 85990FEB
Thread 4:892 85990FEB
Thread 4:896 85990FEB
Thread 4:900 85990FEB
Thread 4:904 85990FEB
Thread 4:908 85990FEB
Thread 4:912 85990FEB
Thread 4:916 85990FEB
Thread 4:920 85990FEB
Thread 4:924 85990FEB
Thread 4:928 85990FEB
Thread 4:932 85990FEB
Thread 4:936 85990FEB
Thread 4:940 85990FEB
Thread 4:944 85990FEB
Thread 4:948 85990FEB
Thread 4:952 85990FEB
Thread 4:956 85990FEB
Thread 4:960 85990FEB
Thread 4:964 85990FEB
Thread 4:968 85990FEB
Thread 4:972 85990FEB
Thread 4:976 85990FEB
Thread 4:980 85990FEB
Thread 4:984 85990FEB
Thread 4:988 85990FEB
Thread 4:992 85990FEB
Thread 4:996 85990FEB
Thread 4:1000 85990FEB
Thread 4:1004 85990FEB
Thread 4:1008 85990FEB
Thread 4:1012 85990FEB
Thread 4:1016 85990FEB
Thread 4:1020 85990FEB

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\System32\drivers\f706ec8b.sys (*** hidden *** ) [SYSTEM] f706ec8b <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\f706ec8b@ImagePath \SystemRoot\System32\drivers\f706ec8b.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\f706ec8b@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\f706ec8b@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\f706ec8b@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\Services\f706ec8b@ImagePath \SystemRoot\System32\drivers\f706ec8b.sys
Reg HKLM\SYSTEM\ControlSet002\Services\f706ec8b@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\f706ec8b@Start 1
Reg HKLM\SYSTEM\ControlSet002\Services\f706ec8b@ErrorControl 1
Reg HKLM\SOFTWARE\Classes\CLSID\{E288CD8D-7F05-0924-CC8E-7AB5B7390155}\Implemented Categories\{C501EDBE-9E70-11D1-9053-00C04FD9189D}
Reg HKLM\SOFTWARE\Classes\CLSID\{E288CD8D-7F05-0924-CC8E-7AB5B7390155}\InprocServer32@ C:\WINDOWS\system32\Dxtmsft.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{E288CD8D-7F05-0924-CC8E-7AB5B7390155}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{E288CD8D-7F05-0924-CC8E-7AB5B7390155}\ProgID@ DXImageTransform.Microsoft.Iris.1
Reg HKLM\SOFTWARE\Classes\CLSID\{E288CD8D-7F05-0924-CC8E-7AB5B7390155}\ToolBoxBitmap32@ C:\WINDOWS\system32\Dxtmsft.dll,235
Reg HKLM\SOFTWARE\Classes\CLSID\{E288CD8D-7F05-0924-CC8E-7AB5B7390155}\Ve

#6
kahdah

Posted 18 February 2009 - 06:42 PM

GeekU Teacher

Retired Staff
15,822 posts

First:

You have a combination of rootkits on your system.
This type of infection can allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately.
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information,
please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions
to apprise them of your situation.
=======================
Second:

After that you have 3 antivirus programs running.
I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either AVG or Bit Defender or Avast.
============================================================
Third:

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

Posted Image

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished,please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

#7
mmindz

Posted 18 February 2009 - 07:44 PM

Member

Topic Starter
Member
22 posts

Hi Kahdah,

Unfortunately, combo-fix is requiring me to download windows recovery console which requires an internet connection, I said 'no" since I cannot access the net with the computer, and it is still continuing to work...

#8
kahdah

Posted 18 February 2009 - 07:47 PM

GeekU Teacher

Retired Staff
15,822 posts

That is ok need to remove what we can then work on the connection issue.
Don't worry about the recovery console for now.
Please let it continue.

#9
mmindz

Posted 18 February 2009 - 08:05 PM

Member

Topic Starter
Member
22 posts

HI Kahdah,

I believe Combo program might have restarted my comp, now its a blue screen with the mouse cusor.

#10
mmindz

Posted 18 February 2009 - 08:49 PM

Member

Topic Starter
Member
22 posts

Hi Kahdah,

Unfortunately, after I click on the windows user to log into, the screen remains blue, this is after como fix ran. Please advise.

Thanks

#11
kahdah

Posted 18 February 2009 - 09:20 PM

GeekU Teacher

Retired Staff
15,822 posts

Combofix creates a blue screen in a command prompt window.
Is this what you are seeing?
If this is what you are referring to then let it finish.
It will say

Please do not run any programs until it is finished.
A log will be created at C:\Combofix.txt

If this is not and you are referring to no icons justa desktop background then do the following:

Hit Cntrl>Alt>delete on your keyboard to bring up the task manager.
The go to the top where it says File then choose New Task Run.
In that box type in this Explorer then hit ok.

this will bring back your icons.

IF it does not then reboot the computer once more and they will return.

#12
mmindz

Posted 19 February 2009 - 05:55 PM

Member

Topic Starter
Member
22 posts

Hi Kahdah,

I have typed in Explorer within the processes task pane, now Combo Fix is running to generate a report..further, my icons have returned. also getting registry edit error pop and suspicious file found pop up related to avant.

Apparently it is taking a long time to prepare this report.

Edited by mmindz, 19 February 2009 - 06:01 PM.

#13
mmindz

Posted 19 February 2009 - 06:21 PM

Member

Topic Starter
Member
22 posts

Combo Fix Log Report

ComboFix 09-02-17.02 - ASK 2009-02-18 20:44:00.1 - NTFSx86
Running from: c:\documents and settings\ASK\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1335 [VPS 090205-1] *On-access scanning disabled* (Outdated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Install.txt
c:\windows\system32\_hs78344kjkfd.dll
c:\windows\system32\_kkfemp.dll
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\drivers\ntndis.sys
c:\windows\system32\drivers\senekayvairxek.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\hhepqqey.dll
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\inf\rundll33.exe
c:\windows\system32\init32.exe
c:\windows\system32\Install.txt
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tAyJPXyb.ini
c:\windows\system32\tAyJPXyb.ini2
c:\windows\system32\tmpxccacj0.exe
c:\windows\system32\tpszxyd.sys
c:\windows\system32\tutwyccf.ini
c:\windows\system32\tutwyccf.ini2
c:\windows\system32\udxfytw.sys
c:\windows\system32\uniq.tll
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\w.exe
c:\windows\system32\win32hlp.cnf
c:\windows\system32\WS2Fix.exe
c:\windows\system32\xcchit32.ini
c:\windows\system32\xcchit32.ini.tmp
c:\windows\Tasks\epoiioqk.job
c:\windows\xccwinsys.ini
E:\AutoRun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_afisicx
-------\Legacy_noytcyr
-------\Legacy_roytctm
-------\Legacy_tdydowkc
-------\Legacy_wsldoekd
-------\Service_passthru

((((((((((((((((((((((((( Files Created from 2009-01-19 to 2009-02-19 )))))))))))))))))))))))))))))))
.

2009-02-18 18:53 . 2009-02-18 18:53 250 --a------ c:\windows\gmer.ini
2009-02-17 21:53 . 2009-02-17 21:53 <DIR> d-------- c:\program files\Alwil Software
2009-02-17 21:36 . 2009-02-17 21:36 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-17 20:32 . 2009-02-17 21:28 <DIR> d--h----- C:\$AVG8.VAULT$
2009-02-17 20:30 . 2009-02-18 20:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-02-17 20:26 . 2009-02-17 20:26 <DIR> d-------- c:\documents and settings\Administrator\Application Data\HP
2009-02-17 20:25 . 2004-08-03 17:56 221,184 --a------ c:\windows\system32\wmpns.dll
2009-02-17 17:26 . 2009-02-18 20:29 <DIR> d-------- c:\program files\Common Files\Softwin
2009-02-17 16:57 . 2009-02-17 16:57 172 --a------ c:\windows\system32\1CC.tmp
2009-02-16 23:42 . 2009-02-16 23:42 33,920 --a------ c:\windows\system32\drivers\twinnlia.sys
2009-02-16 23:35 . 2009-02-16 23:40 <DIR> d-------- c:\documents and settings\Administrator
2009-02-16 23:20 . 2009-02-16 23:20 52 --a------ c:\windows\system32\xcchit32.ini.ssyq
2009-02-16 23:06 . 2009-02-16 23:06 137,760 --a------ c:\windows\system32\drivers\ethbqkee.sys
2009-02-16 23:04 . 2009-02-16 23:40 <DIR> d-------- c:\windows\system32\3361
2009-02-16 23:04 . 2009-02-16 23:04 108,336 --a------ c:\windows\system32\MSWINSCK.OCX
2009-02-16 23:03 . 2009-02-16 23:03 172 --a------ c:\windows\system32\1C1.tmp
2009-02-16 22:16 . 2009-02-16 22:16 <DIR> d-------- c:\documents and settings\ASK\Application Data\Malwarebytes
2009-02-16 22:15 . 2009-02-16 22:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-16 22:15 . 2009-02-16 22:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-16 22:15 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-16 22:15 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-16 22:02 . 2009-02-16 22:02 <DIR> d-------- c:\program files\Enigma Software Group
2009-02-16 18:52 . 2009-02-16 18:52 172 --a------ c:\windows\system32\1BB.tmp
2009-02-16 18:50 . 2009-02-16 23:31 4 --a------ c:\windows\xczuokls
2009-02-16 18:43 . 2009-02-16 18:43 172 --a------ c:\windows\system32\1C2.tmp
2009-02-16 18:32 . 2009-02-16 18:32 172 --a------ c:\windows\system32\1B6.tmp
2009-02-16 18:25 . 2009-02-16 18:25 172 --a------ c:\windows\system32\1D0.tmp
2009-02-16 18:15 . 2009-02-16 18:15 172 --a------ c:\windows\system32\1CA.tmp
2009-02-16 18:04 . 2009-02-16 18:04 172 --a------ c:\windows\system32\1C3.tmp
2009-02-16 17:53 . 2009-02-16 17:53 172 --a------ c:\windows\system32\1BD.tmp
2009-02-16 17:42 . 2009-02-16 17:42 172 --a------ c:\windows\system32\1B7.tmp
2009-02-16 17:27 . 2009-02-16 17:27 172 --a------ c:\windows\system32\1B0.tmp
2009-02-16 17:27 . 2009-02-17 17:00 130 --a------ c:\windows\adobe.bat
2009-02-16 17:27 . 2009-02-16 17:32 6 --a------ c:\windows\_id.dat
2009-02-16 16:59 . 2009-02-16 16:59 297,984 --a------ c:\windows\system32\_fccywtut.dll
2009-02-16 15:59 . 2009-02-17 17:01 <DIR> d-------- c:\windows\BDOSCAN8
2009-02-16 15:57 . 2009-02-16 15:57 172 --a------ c:\windows\system32\1EA.tmp
2009-02-16 15:56 . 2002-02-15 14:02 676,352 --a------ c:\windows\system32\rtl60.bpl
2009-02-16 15:56 . 2009-02-16 15:56 0 --a------ c:\windows\system32\1C7.tmp
2009-02-16 15:55 . 2009-02-18 20:44 <DIR> d-------- c:\windows\system32\inf
2009-02-16 15:55 . 2009-02-16 15:57 67,072 ---h----- c:\windows\system32\secupdat.dat
2009-02-16 15:55 . 2009-02-16 18:33 53,248 --a------ c:\windows\system32\drivers\ndisio.sys
2009-02-16 15:55 . 2009-02-16 15:55 172 --a------ c:\windows\system32\1AD.tmp
2009-02-16 15:52 . 2009-02-16 15:52 47,616 --a------ c:\windows\system32\ljJDWQJB.dll
2009-02-16 15:45 . 2009-02-19 18:49 89,388 --a------ c:\windows\system32\drivers\f706ec8b.sys
2009-02-16 15:44 . 2009-02-16 15:44 102,912 --a------ C:\dykhyp.exe
2009-02-16 15:44 . 2009-02-16 15:44 44,032 --a------ C:\xyephkl.exe
2009-02-16 15:44 . 2009-02-16 15:44 2 --a------ C:\-195762547
2009-02-16 15:43 . 2009-02-16 15:43 297,984 --a------ c:\windows\system32\byXPJyAt.dll.vir
2009-02-16 15:43 . 2009-02-16 17:00 1,312 --a------ c:\windows\mwgorzqr
2009-02-16 15:38 . 2009-02-16 15:38 47,616 --a------ c:\windows\system32\byXPFUKa.dll
2009-02-13 15:30 . 2009-02-13 15:30 244 --ah----- C:\sqmnoopt17.sqm
2009-02-13 15:30 . 2009-02-13 15:30 232 --ah----- C:\sqmdata17.sqm
2009-01-21 18:32 . 2009-01-21 18:32 <DIR> d-------- c:\program files\Common Files\Intuit
2009-01-21 18:32 . 2009-01-21 18:32 <DIR> d-------- c:\program files\Common Files\AnswerWorks 5.0
2009-01-21 18:32 . 2009-01-21 18:32 <DIR> d-------- c:\documents and settings\ASK\Application Data\Intuit
2009-01-21 18:32 . 2008-08-19 09:46 3,523,872 --a------ c:\windows\system32\cdintf300.dll
2009-01-21 18:32 . 2008-08-19 09:46 1,848,608 --a------ c:\windows\system32\acXMLParser.dll
2009-01-21 18:31 . 2009-01-21 18:36 <DIR> d-------- c:\program files\Quicken
2009-01-21 18:31 . 2009-01-21 18:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Intuit
2009-01-21 18:31 . 2009-01-21 18:40 165 --a------ c:\windows\QUICKEN.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-19 01:39 90,112 ----a-w c:\windows\DUMP7261.tmp
2009-02-19 01:29 --------- d-----w c:\documents and settings\All Users\Application Data\BitDefender
2009-02-18 02:04 90,112 ----a-w c:\windows\DUMP82fb.tmp
2009-02-18 01:22 --------- d-----w c:\documents and settings\ASK\Application Data\DNA
2009-02-18 01:05 90,112 ----a-w c:\windows\DUMPe5c7.tmp
2009-02-18 01:05 --------- d-----w c:\program files\DNA
2009-02-17 02:52 --------- d-----w c:\documents and settings\ASK\Application Data\StumbleUpon
2009-02-17 02:51 --------- d-----w c:\program files\Yahoo!
2009-02-17 02:50 --------- d-----w c:\program files\ABF software
2009-02-17 00:15 --------- d-----w c:\program files\Common Files\BitDefender
2009-02-17 00:13 --------- d-----w c:\program files\BearShare
2009-02-16 23:32 65,536 ----a-w c:\windows\DUMP86f2.tmp
2009-02-16 22:30 182,912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-02-14 01:03 --------- d-----w c:\documents and settings\ASK\Application Data\BitTorrent
2009-02-13 20:31 --------- d-----w c:\documents and settings\TKK\Application Data\StumbleUpon
2009-01-21 23:32 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-15 21:45 132 ----a-w C:\httpdwl.dat
2008-12-24 20:00 --------- d-----w c:\program files\BitDefender
2008-10-14 13:50 30,672 ----a-w c:\documents and settings\TKK\Application Data\GDIPFONTCACHEV1.DAT
2008-06-16 23:15 30,672 ----a-w c:\documents and settings\ASK\Application Data\GDIPFONTCACHEV1.DAT
.

------- Sigcheck -------

2004-08-03 17:56 14336 8f078ae4ed187aaabc0a305146de6716 c:\windows\system32\svchost.exe
2004-08-03 17:56 31232 e332f52d78660e691169b906f0d661a0 c:\windows\system32\dllcache\svchost.exe

2008-04-13 19:12 82432 2ccc474eb85ceaa3e1fa1726580a3e5a c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ws2_32.dll
2004-08-03 17:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 c:\windows\system32\ws2_32.dll
2004-08-03 17:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 c:\windows\system32\dllcache\ws2_32.dll

2008-04-13 19:12 525312 f68129dbb9a9782796165038c2685348 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
2004-08-03 17:56 502272 01c3346c241652f43aed8e2149881bfe c:\windows\system32\winlogon.exe
2004-08-03 17:56 519680 8f485b68669bfdc1f51551b0e2bc9479 c:\windows\system32\dllcache\winlogon.exe

2008-04-13 14:20 182656 558635d3af1c7546d26067d5d9b6959e c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys
2009-02-16 17:30 213376 558635d3af1c7546d26067d5d9b6959e c:\windows\system32\dllcache\ndis.sys
2009-02-16 17:30 213376 558635d3af1c7546d26067d5d9b6959e c:\windows\system32\drivers\ndis.sys

2008-04-13 13:53 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ip6fw.sys
2004-08-03 16:00 29056 4448006b6bc60e6c027932cfc38d6855 c:\windows\system32\dllcache\ip6fw.sys
2004-08-03 16:00 29056 4448006b6bc60e6c027932cfc38d6855 c:\windows\system32\drivers\ip6fw.sys

2007-06-13 06:26 1050624 a344a37bfaf8ec68bda2e3815a7df209 c:\windows\explorer.exe
2005-10-15 03:07 1049600 5e039d348db8dbb6804b09be8d7ecf48 c:\windows\$NtUninstallKB938828$\explorer.exe
2008-04-13 19:12 1050624 d48b96593e70f97bdb205c821f495e15 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
2007-06-13 06:26 1050112 7b85073dab6a71bce19bd2cd6838ee57 c:\windows\system32\dllcache\explorer.exe

2008-04-13 19:12 125440 6e50d1ba734525971b3debec479fb96a c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\services.exe
2004-08-03 17:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 c:\windows\system32\services.exe
2004-08-03 17:56 124928 3c02e1941837b9099a540967695d71b5 c:\windows\system32\dllcache\services.exe

2008-04-13 19:12 30720 7664a714822c74a2f6dbce3042e1f1b8 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe
2004-08-03 17:56 13312 84885f9b82f4d55c6146ebf6065d75d2 c:\windows\system32\lsass.exe
2004-08-03 17:56 30208 85b92263d95b6698ce1fa19517369d3c c:\windows\system32\dllcache\lsass.exe

2008-04-13 19:12 32256 518addf355de4233b3c83e3aea0f474a c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ctfmon.exe
2004-08-03 17:56 32256 950c303f0c52cf5495cf48e19ab86830 c:\windows\system32\ctfmon.exe
2004-08-03 17:56 32256 a1053e5a8d5d92565e58110ecd9ab95f c:\windows\system32\dllcache\ctfmon.exe

2008-04-13 19:12 74752 5f29d5451b06a6371803ac69154fc041 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\spoolsv.exe
2005-10-13 15:36 74752 e4af28a544dadddeecc90edd97c129bc c:\windows\system32\spoolsv.exe
2005-10-13 15:36 75264 c651914c4d217b1315cf99d80494b330 c:\windows\system32\dllcache\spoolsv.exe

2008-04-13 19:12 43008 9f08f923f87a2043c6d94dfee9a733f4 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
2009-02-16 15:45 121856 c685101e401617d55b15524e0691204f c:\windows\system32\userinit.exe
2009-02-16 15:45 121856 c685101e401617d55b15524e0691204f c:\windows\system32\dllcache\userinit.exe

2008-04-13 19:12 17408 50a166237a0fa771261275a405646cc0 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\powrprof.dll
2004-08-03 17:56 17408 1b5f6923abb450692e9fe0672c897aed c:\windows\system32\powrprof.dll
2004-08-03 17:56 17408 1b5f6923abb450692e9fe0672c897aed c:\windows\system32\dllcache\powrprof.dll

2008-04-13 19:11 110080 0da85218e92526972a821587e6a8bf8f c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\imm32.dll
2004-08-03 17:56 110080 87ca7ce6469577f059297b9d6556d66d c:\windows\system32\imm32.dll
2004-08-03 17:56 110080 87ca7ce6469577f059297b9d6556d66d c:\windows\system32\dllcache\imm32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-29 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-29 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1711104]
"DriverUpdaterPro"="c:\program files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe" [2008-09-19 2311204]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2005-10-15 186880]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 32256]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=kkfemp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\a.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\matrix31290.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpa.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpb.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpc.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKLM\~\startupfolder\c:^documents and settings^all users^start menu^programs^startup^hp digital imaging monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\c:^documents and settings^all users^start menu^programs^startup^hp photosmart premier fast start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\c:^documents and settings^all users^start menu^programs^startup^microsoft office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\c:^documents and settings^all users^start menu^programs^startup^workspace macro pro hotkeys.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Workspace Macro Pro Hotkeys.lnk
backup=c:\windows\pss\Workspace Macro Pro Hotkeys.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\userfaultcheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\acrobat assistant 8.0]
--a------ 2007-03-29 22:14 624248 c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adobeupdater]
--a------ 2007-02-28 23:06 2321600 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aniwzcs2service]
--a------ 2005-11-30 10:35 69632 c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bittorrent dna]
--a------ 2008-12-17 12:54 342848 c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 17:56 32256 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\d-link wireless g wua-1340]
--a------ 2005-12-15 12:19 2736128 c:\program files\D-Link\Wireless G WUA-1340\AirGCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\driverupdaterpro]
--a------ 2008-09-19 00:31 2311204 c:\program files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hp software update]
--a------ 2005-12-15 11:18 69632 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\isuspm startup]
--a------ 2004-07-27 15:50 241664 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\isusscheduler]
--a------ 2004-07-27 15:50 102400 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ituneshelper]
--a------ 2008-02-04 14:18 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-10-18 10:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvcpldaemon]
--a------ 2006-10-22 12:22 7700480 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvmediacenter]
--a------ 2006-10-22 12:22 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quicktime task]
--a------ 2008-01-31 23:13 405504 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\roxiodragtodisc]
--a------ 2006-08-17 08:00 1116920 c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spyhunter security suite]
--a------ 2009-01-13 13:52 884736 c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sunjavaupdatesched]
--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-10-22 12:22 1642496 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\soundman]
--a------ 2006-11-17 04:42 598016 c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Autodesk\\Combustion 2008\\combustion.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 lxdtd;lxdtd; [x]
R1 ethbqkee;ethbqkee;c:\windows\system32\drivers\ethbqkee.sys [2009-02-16 137760]
S0 twinnlia;twinnlia;c:\windows\System32\Drivers\twinnlia.sys [2009-02-16 33920]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]

--- Other Services/Drivers In Memory ---

*Deregistered* - Aavmker4
*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - ANIO
*Deregistered* - Apple Mobile Device
*Deregistered* - aswFsBlk
*Deregistered* - aswMon2
*Deregistered* - aswRdr
*Deregistered* - aswSP
*Deregistered* - aswTdi
*Deregistered* - aswUpdSv
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - avast! Antivirus
*Deregistered* - avast! Mail Scanner
*Deregistered* - avast! Web Scanner
*Deregistered* - Beep
*Deregistered* - Bonjour Service
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - DLABMFSM
*Deregistered* - DLABOIOM
*Deregistered* - DLADResM
*Deregistered* - DLAIFS_M
*Deregistered* - DLAOPIOM
*Deregistered* - DLAPoolM
*Deregistered* - DLARTL_M
*Deregistered* - DLAUDF_M
*Deregistered* - DLAUDFAM
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - DRVNDDM
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - Fastfat
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - HTTP
*Deregistered* - ImapiService
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - Kbdclass
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - MySQL
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - NVSvc
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - Pml Driver HPZ12
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - Secdrv
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - StillCam
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - twinnlia
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - WS2IFSL
*Deregistered* - wscsvc
*Deregistered* - WZCSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{72d906f8-e270-11dc-982a-e3821693e49c}]
\Shell\AutoRun\command - E:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-02-19 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]

2009-02-19 c:\windows\Tasks\login.job
- c:\windows\system32\cmd.exe [2004-08-03 17:56]

2009-02-18 c:\windows\Tasks\schnappzmedia.job
- c:\windows\system32\cmd.exe [2004-08-03 17:56]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-l9qbhggku2jkg9x6r7cd9u97tl2nikb7nvoa1 - c:\windows\TEMP\pjnh7yw90a.exe
HKU-Default-Run-reader_s - c:\documents and settings\ASK\reader_s.exe
HKU-Default-Run-services - c:\windows\services.exe
HKLM-Explorer_Run-xccinit - c:\windows\system32\inf\rundll33.exe
HKU-Default-Explorer_Run-services - c:\windows\services.exe
Notify-fcccaxwp - fcccaxWP.dll
Notify-WgaLogon - (no file)
SafeBoot-twinnlia.sys
SafeBoot-zqrwduwo.sys
MSConfigStartUp-a0690gm812m5ful9gl - c:\docume~1\ASK\LOCALS~1\Temp\xzqerqj.exe
MSConfigStartUp-a06p9piv7es2pwi2h29 - c:\docume~1\ASK\LOCALS~1\Temp\d8ozr2nkhh2.exe
MSConfigStartUp-a0iluif0w148gzv - c:\docume~1\ASK\LOCALS~1\Temp\wiu2qtql.exe
MSConfigStartUp-a0lmzo64wumfqtohxkvn1bf7zqygl5 - c:\docume~1\ASK\LOCALS~1\Temp\uzhjjfa65gpv5.exe
MSConfigStartUp-a16q789k6gouotytbuzm57t6co2g4ji6k05evscqrbi - c:\docume~1\ASK\LOCALS~1\Temp\qd4l7cg4z.exe
MSConfigStartUp-a1e6qhfey4bzp1k773q4ezi15ynnisrflhibw3fbzb8tc7di2 - c:\docume~1\ASK\LOCALS~1\Temp\kk9uwtki9k.exe
MSConfigStartUp-a20l3pvlqkhzp - c:\docume~1\ASK\LOCALS~1\Temp\qv98x0.exe
MSConfigStartUp-a22zjzkvg4ozsg4w6jsc - c:\docume~1\ASK\LOCALS~1\Temp\tuporftt90c2o.exe
MSConfigStartUp-a276jbm74bam95kxbxy41zq - c:\docume~1\ASK\LOCALS~1\Temp\p4ipjv09z.exe
MSConfigStartUp-a2bu29iicsrr258o6rfhz4nqa09vc1qfi - c:\docume~1\ASK\LOCALS~1\Temp\ss0n4e5je.exe
MSConfigStartUp-a30y7vuegwbrbq2cgh44ev7wpzxu7d8flv5zjo67rr - c:\docume~1\ASK\LOCALS~1\Temp\mhg12soyj.exe
MSConfigStartUp-a31r6ebckgb7r115lntem5ivw3rfvau4h8n4pqtpbhybje3eap - c:\docume~1\ASK\LOCALS~1\Temp\j1793o99dgi.exe
MSConfigStartUp-a393hnpxwxb8loynnzi487ylilz4wd6ns0c9h33ldpax - c:\docume~1\ASK\LOCALS~1\Temp\txxo2pa.exe
MSConfigStartUp-a3gasqwmr96r95 - c:\docume~1\ASK\LOCALS~1\Temp\kxa50d.exe
MSConfigStartUp-a3rui918uecbx16ua7ihwr9090ctkgvj61ev0a - c:\docume~1\ASK\LOCALS~1\Temp\t5kb91jxbfz.exe
MSConfigStartUp-a4b57pxawtuzu1aikb5ognetevjwi - c:\docume~1\ASK\LOCALS~1\Temp\dzyeuevwwf7h.exe
MSConfigStartUp-a4dl3vra18n4lxdv6xsr23794or1 - c:\docume~1\ASK\LOCALS~1\Temp\lmx90ty1il.exe
MSConfigStartUp-a4nh54o2nb2bowahftb66bc676wxnv3jbe6tc5wfhvoqqgexmi - c:\docume~1\ASK\LOCALS~1\Temp\hxa22jsl57pvh.exe
MSConfigStartUp-a4r8w1zcw5wcjyir20krr1qarpt8ceyqyxisqxo - c:\docume~1\ASK\LOCALS~1\Temp\zu1ljhbh.exe
MSConfigStartUp-a4rjgyouillk2ba - c:\docume~1\ASK\LOCALS~1\Temp\usmdzh9g.exe
MSConfigStartUp-a4utvduvw3gia5imzbiwh09hfvwfh8xi5d6zhqonoc59 - c:\docume~1\ASK\LOCALS~1\Temp\hpxkb2d.exe
MSConfigStartUp-a4w37ns4nth609rzi97gtp1oe3k6av6wdivb7pkiq8j458xbq8 - c:\docume~1\ASK\LOCALS~1\Temp\fy3sq7.exe
MSConfigStartUp-a57qtddbo0256hfxzaibsyvx31pl3n7x - c:\docume~1\ASK\LOCALS~1\Temp\ku9kr1p0bax6.exe
MSConfigStartUp-a5pcoe1l6x9vq - c:\docume~1\ASK\LOCALS~1\Temp\mhstkxupu3m.exe
MSConfigStartUp-a5ppuh1zu0uznj3sjy4dndmf28 - c:\docume~1\ASK\LOCALS~1\Temp\c9do4f0mua6u0.exe
MSConfigStartUp-a5xtx18c4ytoquunumh7tsykqmsai3q0vcy3cuijbfnniz72 - c:\docume~1\ASK\LOCALS~1\Temp\qs9ucy.exe
MSConfigStartUp-a6cclkk5tvnsvewg - c:\docume~1\ASK\LOCALS~1\Temp\e33uwcxr7wb5.exe
MSConfigStartUp-a6tfhrp5aoca59z4av1ud3f4cp59l0sjw777twdaznzszuk - c:\docume~1\ASK\LOCALS~1\Temp\bpva5dl3b.exe
MSConfigStartUp-a6ybnmo4wyh2 - c:\docume~1\ASK\LOCALS~1\Temp\moaugkhh5.exe
MSConfigStartUp-a7gmc2yw2s2dtfg24f1as7pcu30qch2 - c:\docume~1\ASK\LOCALS~1\Temp\gas8na5v.exe
MSConfigStartUp-a7hw1qehsqhcnhaj3u - c:\docume~1\ASK\LOCALS~1\Temp\icdo7rmjejwd6.exe
MSConfigStartUp-a7q9e93f2a5o5mukeo65v0aylq5hk0bs2 - c:\docume~1\ASK\LOCALS~1\Temp\bbmx4wb6kpmd.exe
MSConfigStartUp-a7xnckgkrymlxzv06pnvy3n1hbfy - c:\docume~1\ASK\LOCALS~1\Temp\g6nu3i4.exe
MSConfigStartUp-a7xsbisghe0e44c9u3ud - c:\docume~1\ASK\LOCALS~1\Temp\i5ubkx8b.exe
MSConfigStartUp-a806jt2qz9zkm2ayxre49 - c:\docume~1\ASK\LOCALS~1\Temp\bq1dabvaa.exe
MSConfigStartUp-a813qhok4s8iunxe6wp6162ohl6234bxs6g1wu69ujggjvne4g - c:\docume~1\ASK\LOCALS~1\Temp\h8hma9srl7c.exe
MSConfigStartUp-a86omvxmk3odeiluskqrpf0vm5t2jy4zfriu - c:\docume~1\ASK\LOCALS~1\Temp\fs41cvols7xz2.exe
MSConfigStartUp-a8q10mddntdk4448wrjrii1mqyiznq0ovtxyv4 - c:\docume~1\ASK\LOCALS~1\Temp\a93565l9r3.exe
MSConfigStartUp-a8vdkqomi0bfhgkltrcngh9xzu2w - c:\docume~1\ASK\LOCALS~1\Temp\izta4m818xw.exe
MSConfigStartUp-a8vk3y4fbvtmk8vxoj4eelw72y6e2wsk7h17st063 - c:\docume~1\ASK\LOCALS~1\Temp\jmhtoqrl1tg7.exe
MSConfigStartUp-a8xlb0asv - c:\docume~1\ASK\LOCALS~1\Temp\qx2pr0mt8c.exe
MSConfigStartUp-a94bimrcn1wsxnlqew4ry3ffj9jlyfoue09 - c:\docume~1\ASK\LOCALS~1\Temp\fthqc6zit.exe
MSConfigStartUp-a9d2dzma1cn3mzfjjpwyniwhwssxa6pru416eq4 - c:\docume~1\ASK\LOCALS~1\Temp\w10lpv.exe
MSConfigStartUp-a9ou1hvxae8hh6qoqny4reml0 - c:\docume~1\ASK\LOCALS~1\Temp\hjq6bj.exe
MSConfigStartUp-a9rqbd6cf2 - c:\docume~1\ASK\LOCALS~1\Temp\d3h4uh.exe
MSConfigStartUp-a9z1z79v8mh8fn1gencw - c:\docume~1\ASK\LOCALS~1\Temp\gh9xbryktx1.exe
MSConfigStartUp-aad7ma306 - c:\docume~1\ASK\LOCALS~1\Temp\cara007g.exe
MSConfigStartUp-aaic0rm63uozfhl1hh1ghs2rnllk86d - c:\docume~1\ASK\LOCALS~1\Temp\t3xvyrb9x.exe
MSConfigStartUp-aanvsd6vwzzb43n5m4dhe50xafph8mf0pgb7 - c:\docume~1\ASK\LOCALS~1\Temp\s9fw7pyhxev.exe
MSConfigStartUp-aayzerd4zrvtjepwio9914vbafjmxd1c2rkhpt - c:\docume~1\ASK\LOCALS~1\Temp\gcdhbqx7ln.exe
MSConfigStartUp-ab0u6cboid2fn9gnkgmmladb6nrw2h9vwep2n2aib1x3ff - c:\docume~1\ASK\LOCALS~1\Temp\c5o5bc48abj59.exe
MSConfigStartUp-abbb2z1gwt6e47nrbuefjorqb8vexmaaagu0 - c:\docume~1\ASK\LOCALS~1\Temp\hg54ocf7.exe
MSConfigStartUp-abl2rz7o8d1swr9qcpn4f8rso2xaxkmg6v14i4l - c:\docume~1\ASK\LOCALS~1\Temp\e5scj288lxp.exe
MSConfigStartUp-abmpz17grsbr2sl6ziyi84caimg - c:\docume~1\ASK\LOCALS~1\Temp\amdhs874f59.exe
MSConfigStartUp-abogm82119yoia36w3172g3mp - c:\docume~1\ASK\LOCALS~1\Temp\cfovn39.exe
MSConfigStartUp-abt4bj8mtnnm8ruvqsacd189tqdtwglak0twnx4iyxlebqvxe8 - c:\docume~1\ASK\LOCALS~1\Temp\aadoa4hp5r.exe
MSConfigStartUp-abtcrbbihgupbvsf472jjktlqo3a0lud67e8nfqy0yim - c:\docume~1\ASK\LOCALS~1\Temp\y3mj8i9rrf2sh.exe
MSConfigStartUp-abtegweqyzud923q19og61uxwfhge8wl8440b7kkek - c:\docume~1\ASK\LOCALS~1\Temp\o7bkpvved0r8e.exe
MSConfigStartUp-abwwr0wtua42cb4r63k0eo98x99i - c:\docume~1\ASK\LOCALS~1\Temp\ygcoul1.exe
MSConfigStartUp-acqe7ohl2 - c:\docume~1\ASK\LOCALS~1\Temp\qpfhwa.exe
MSConfigStartUp-add1zfb0q4o5w5qj5eimeqai86 - c:\docume~1\ASK\LOCALS~1\Temp\olfert.exe
MSConfigStartUp-adobe_id0eythm - c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
MSConfigStartUp-adwzeyovq31mqclq4ixuz09jn3p7dvpv - c:\docume~1\ASK\LOCALS~1\Temp\o3zsoaiov3u.exe
MSConfigStartUp-ae2kz5txnutudcxabc8 - c:\docume~1\ASK\LOCALS~1\Temp\tp7fmn.exe
MSConfigStartUp-aeujjukk13kd96g - c:\docume~1\ASK\LOCALS~1\Temp\po24rkvdcj.exe
MSConfigStartUp-aeygqoxh6p9sr08fjekq6asmvz4q429fa4w5rtk43 - c:\docume~1\ASK\LOCALS~1\Temp\vcujqsel.exe
MSConfigStartUp-af5qd2n7jrxhk065jqvmhexxni9uw058puezv - c:\docume~1\ASK\LOCALS~1\Temp\njfruiryai4u.exe
MSConfigStartUp-afatjvd8hpf - c:\docume~1\ASK\LOCALS~1\Temp\otlic0q.exe
MSConfigStartUp-afbiv5n3zrwp - c:\docume~1\ASK\LOCALS~1\Temp\jtkjy7.exe
MSConfigStartUp-affn8b2o24xrewl5tmaeaue6i7900 - c:\docume~1\ASK\LOCALS~1\Temp\gnceckpiw2t.exe
MSConfigStartUp-afu2vg3xx44mp13 - c:\docume~1\ASK\LOCALS~1\Temp\jswb8w42.exe
MSConfigStartUp-afvyy1vrip6deuiq76nykwmsk - c:\docume~1\ASK\LOCALS~1\Temp\m6zrvkmhvw.exe
MSConfigStartUp-afzrgu66irsy09bhkq - c:\docume~1\ASK\LOCALS~1\Temp\z4x247ov7au.exe
MSConfigStartUp-agok6hoby2gk575 - c:\docume~1\ASK\LOCALS~1\Temp\zq171sjgur96.exe
MSConfigStartUp-agrl80vy3lf8554w83cw1w - c:\docume~1\ASK\LOCALS~1\Temp\pi2ph4h69.exe
MSConfigStartUp-agrunrfp60c3l82 - c:\docume~1\ASK\LOCALS~1\Temp\gdv8dhdy1889g.exe
MSConfigStartUp-agvj5geonrjy2yisg - c:\docume~1\ASK\LOCALS~1\Temp\s657dm2.exe
MSConfigStartUp-ah4jvpxv10bhz - c:\docume~1\ASK\LOCALS~1\Temp\qlqhp44nc.exe
MSConfigStartUp-ah4lmcflwk3yn0m11fijvcyn4lzykugc7p01ruq82cgkk - c:\docume~1\ASK\LOCALS~1\Temp\fvwqqe.exe
MSConfigStartUp-ahl8n1ockl8sx9s1m99tnuz8w2hou - c:\docume~1\ASK\LOCALS~1\Temp\uhlcpueb.exe
MSConfigStartUp-ahulnsq0myq5vco0s05 - c:\docume~1\ASK\LOCALS~1\Temp\ytw2eqyt.exe
MSConfigStartUp-ai2yt7k1ow1stwrdly1tliv5dmwlgy0gyj1hp8y8 - c:\docume~1\ASK\LOCALS~1\Temp\hp8joxi0xm867.exe
MSConfigStartUp-ai8oui3hp98pr16r4b2d6benpr - c:\docume~1\ASK\LOCALS~1\Temp\ro6u8z8vv.exe
MSConfigStartUp-aidysyipj1uwokl00sy3egihrs6j5obl1os8pm - c:\docume~1\ASK\LOCALS~1\Temp\vz9u2y.exe
MSConfigStartUp-aj3zh7jlybi6pl0kq - c:\docume~1\ASK\LOCALS~1\Temp\snh1w11.exe
MSConfigStartUp-ajl7zpig6rfwi3j1z4 - c:\docume~1\ASK\LOCALS~1\Temp\twol9ws9g.exe
MSConfigStartUp-ajoxm4ci4sytcbcumf9lv - c:\docume~1\ASK\LOCALS~1\Temp\utx15t.exe
MSConfigStartUp-ajt4g2cloaq55 - c:\docume~1\ASK\LOCALS~1\Temp\ypxynlas.exe
MSConfigStartUp-ak2ym1pwzl8vduhfl9ux9f7lo5576vu09 - c:\docume~1\ASK\LOCALS~1\Temp\uguikrzhnbp2.exe
MSConfigStartUp-aldq1bci9zgbg1k0co2cackqeiszy41sdaoektrqorz - c:\docume~1\ASK\LOCALS~1\Temp\vqjjatkolunx4.exe
MSConfigStartUp-algld55ifg9juf - c:\docume~1\ASK\LOCALS~1\Temp\usetqfor8fr.exe
MSConfigStartUp-am9y9bypd18xmzklx8ejk13y2bc9xtubdgv2cudt10ohkif - c:\docume~1\ASK\LOCALS~1\Temp\gzmc9k.exe
MSConfigStartUp-amkz5d15aiho3m4c9n5k1ms3h1av0r0j5j8m4vdr8ozo - c:\docume~1\ASK\LOCALS~1\Temp\zy3of8nlz.exe
MSConfigStartUp-amlhoxf0dvsvviw2j6iachmm6b23n8yvt - c:\docume~1\ASK\LOCALS~1\Temp\leovxm4nw9xs.exe
MSConfigStartUp-amswunot85sc4x7dvaxcoogl9q7qucbhrjrnilpp7 - c:\docume~1\ASK\LOCALS~1\Temp\m75w2u43pibm.exe
MSConfigStartUp-an9z1hwly40 - c:\docume~1\ASK\LOCALS~1\Temp\tnjjdmnhn.exe
MSConfigStartUp-anjvo0lc5n8eb8xy0o44ab9djaadurdeufzgwliye2633ga3a - c:\docume~1\ASK\LOCALS~1\Temp\xssdbno8a44.exe
MSConfigStartUp-ao241btiy8068yjz - c:\docume~1\ASK\LOCALS~1\Temp\jzeazx.exe
MSConfigStartUp-ao2wpz9oetxtm - c:\docume~1\ASK\LOCALS~1\Temp\g6bpnvtga.exe
MSConfigStartUp-aofcwlmky9v9ptpdyqwe5h9rq23snuka4kg34scyyg1ng - c:\docume~1\ASK\LOCALS~1\Temp\sbmqb4au.exe
MSConfigStartUp-aoit5omllae0pbj7r0et94iaxou7ou8yb - c:\docume~1\ASK\LOCALS~1\Temp\n8qywnbdnx.exe
MSConfigStartUp-aow33xs4mflmjxz3crmse1xddym3qkg1 - c:\docume~1\ASK\LOCALS~1\Temp\acn3i7b4n9j.exe
MSConfigStartUp-aowc8ib4c5meyboxh0hc9j4skgx1a3bd68lta01 - c:\docume~1\ASK\LOCALS~1\Temp\pcqobtjcri.exe
MSConfigStartUp-ap3byhw6avhfzz9r5ziwsdxwunlwohjwrn82 - c:\docume~1\ASK\LOCALS~1\Temp\n3tx58j.exe
MSConfigStartUp-ap6s1nu7ntxnl - c:\docume~1\ASK\LOCALS~1\Temp\axygda.exe
MSConfigStartUp-ap8km1zfeug2qlwr8hjyfv2yh5ywf5y - c:\docume~1\ASK\LOCALS~1\Temp\mix02p.exe
MSConfigStartUp-ap8vo91dcamsrt - c:\docume~1\ASK\LOCALS~1\Temp\zxyllpuk.exe
MSConfigStartUp-apf2q0iznhx26wy - c:\docume~1\ASK\LOCALS~1\Temp\d0oj7ri43xbj.exe
MSConfigStartUp-apk79qiimvlevvykm6lkc34l45s1l6ssblncoy284oqby059os - c:\docume~1\ASK\LOCALS~1\Temp\jnq9gh.exe
MSConfigStartUp-apx3qwtn8unr1dja9k8tlv0se3f7bc9st8a8y2nqy5c0mfem4y - c:\docume~1\ASK\LOCALS~1\Temp\tz447vi.exe
MSConfigStartUp-aqfuc9s5ykldexcmxzj4f4xz52eys040f - c:\docume~1\ASK\LOCALS~1\Temp\z1sztxk.exe
MSConfigStartUp-aqgve7kv5evsb8arm9ase7tk8mn03uvsxqw5ml9ljf - c:\docume~1\ASK\LOCALS~1\Temp\wvq7olgc1y3bl.exe
MSConfigStartUp-ar9azut7wysj6xfafzdv1pwlawoa9yt2l95y5lzl0ojjakza - c:\docume~1\ASK\LOCALS~1\Temp\phdmcjvs67lw.exe
MSConfigStartUp-arlwbjfo0izbazjv7t60pgnzu - c:\docume~1\ASK\LOCALS~1\Temp\emwgt377.exe
MSConfigStartUp-arx18kggqzw75hopcz5l - c:\docume~1\ASK\LOCALS~1\Temp\da5hucn561e.exe
MSConfigStartUp-as97wjus82d380p777m4gf5t3l7sqiwtr - c:\docume~1\ASK\LOCALS~1\Temp\iwlvl5ucv.exe
MSConfigStartUp-asefm7uhxj7uczxlxxejo6pb3o2woytc7vjja - c:\docume~1\ASK\LOCALS~1\Temp\lrrsmore.exe
MSConfigStartUp-at51186rhoompgl6jlgig1r1429x44wlrv - c:\docume~1\ASK\LOCALS~1\Temp\m3f3nnuhrh.exe
MSConfigStartUp-atlzipo4ulcsqdl9v1kjax8 - c:\docume~1\ASK\LOCALS~1\Temp\ysueeaab.exe
MSConfigStartUp-atnize872l134p6cmisw2dwls0vzxv5k46wcbjwd7arm - c:\docume~1\ASK\LOCALS~1\Temp\h1wms86l4r2m.exe
MSConfigStartUp-atzl9h30k - c:\docume~1\ASK\LOCALS~1\Temp\dsev1r.exe
MSConfigStartUp-augmuly85a9qfp2hq5w7bsp6j90ohbvwuoteedg - c:\docume~1\ASK\LOCALS~1\Temp\o4njl7dme.exe
MSConfigStartUp-auocvr8ebx3p - c:\docume~1\ASK\LOCALS~1\Temp\j8nrbdtal.exe
MSConfigStartUp-avduxz5im2gnwsy6vw6f7kvoqp - c:\docume~1\ASK\LOCALS~1\Temp\cwor2rqj.exe
MSConfigStartUp-avg8_tray - c:\progra~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-avhzuz86wy2q8pgimsp8zyj1kcfyf1sty - c:\docume~1\ASK\LOCALS~1\Temp\vrg85z.exe
MSConfigStartUp-awdohd0es83x - c:\docume~1\ASK\LOCALS~1\Temp\csv2xbna3.exe
MSConfigStartUp-awjtty9eqhwr3pdertk90v - c:\docume~1\ASK\LOCALS~1\Temp\qa19f1qxkwad.exe
MSConfigStartUp-ax40f26pk6z4 - c:\docume~1\ASK\LOCALS~1\Temp\j3nmvehihc9q5.exe
MSConfigStartUp-axfifaf0nahx90dozwgvzn7tuvhnk3ci - c:\docume~1\ASK\LOCALS~1\Temp\y1nl2trdznmi8.exe
MSConfigStartUp-axicesqg5hw6j5g - c:\docume~1\ASK\LOCALS~1\Temp\trvy2g9641uhx.exe
MSConfigStartUp-axicua0imvk7op22toaodwf5hyq2wb19f8sel431hbi7vrc - c:\docume~1\ASK\LOCALS~1\Temp\s7oktxsoqg5.exe
MSConfigStartUp-axtc3gs992sp0jm7ha2fj1jicy851rig0 - c:\docume~1\ASK\LOCALS~1\Temp\bonrbdf7jf.exe
MSConfigStartUp-axtuxc7imozkn9kx41x - c:\docume~1\ASK\LOCALS~1\Temp\jm81h6.exe
MSConfigStartUp-ay2h4iov0mg61bomhi5a - c:\docume~1\ASK\LOCALS~1\Temp\pe1d7hjriq.exe
MSConfigStartUp-ay7fzrej2an3ntxz2imwbmakx1lbatlq857ojbl587jrkw - c:\docume~1\ASK\LOCALS~1\Temp\e3yg01rf.exe
MSConfigStartUp-ayjazrwli3p2c32iz62jg12odgh0l9aprd91ro9m4ird7 - c:\docume~1\ASK\LOCALS~1\Temp\wqok2zi0u2i.exe
MSConfigStartUp-az3bn4et9ix6w5ks66yfjob4jvcepdupibr7twac1zs7 - c:\docume~1\ASK\LOCALS~1\Temp\cgv808z29.exe
MSConfigStartUp-azoe8estvh7jm0kg7maxbpz8vifbzm - c:\docume~1\ASK\LOCALS~1\Temp\vhvxwhw.exe
MSConfigStartUp-azv3egegazkna8lo908nj7757dhuwxnyznhspa43 - c:\docume~1\ASK\LOCALS~1\Temp\aqcl2de5lxq.exe
MSConfigStartUp-azwh3xyxo5w0z18dkeus - c:\docume~1\ASK\LOCALS~1\Temp\v2pdqmc0b.exe
MSConfigStartUp-azwqis47mgzzzpbjhlpoxbp27wxh - c:\docume~1\ASK\LOCALS~1\Temp\t7xquju1w5r.exe
MSConfigStartUp-b03ddygea1j0a84fmibmk02jl99973w6 - c:\docume~1\ASK\LOCALS~1\Temp\mlmiq7n4mv.exe
MSConfigStartUp-b0ez1g4rap7h8620n6pj24sub - c:\docume~1\ASK\LOCALS~1\Temp\e7yuzqjx32p2c.exe
MSConfigStartUp-b0ie5rlwkotosas7pv81s2384ffhbb0t1 - c:\docume~1\ASK\LOCALS~1\Temp\lc0ysxdtyn9.exe
MSConfigStartUp-b0q1kscz90c3gxl3qg43rz6i - c:\docume~1\ASK\LOCALS~1\Temp\cjh4oomgq.exe
MSConfigStartUp-b0uhu19ysvsyjpys4hgjjrec2r612hcx76kad5lvibxtv - c:\docume~1\ASK\LOCALS~1\Temp\fviptse.exe
MSConfigStartUp-b0w7wuw6263h - c:\docume~1\ASK\LOCALS~1\Temp\x3orfz.exe
MSConfigStartUp-b17mg3rkbtwwt802w1f1a0clqchgh2dpa0b40e6utxbdhl - c:\docume~1\ASK\LOCALS~1\Temp\df4xon85x0g.exe
MSConfigStartUp-b1834555ouw8cxq7bnehmack0ojb2baz0x5sveuqon4h7o4qbh - c:\docume~1\ASK\LOCALS~1\Temp\tiyc9f6f.exe
MSConfigStartUp-b1b8q4unouue - c:\docume~1\ASK\LOCALS~1\Temp\uh928acpp.exe
MSConfigStartUp-b22my9xqnif8daf2dbgi9tadwa7 - c:\docume~1\ASK\LOCALS~1\Temp\ws4bh5thkija.exe
MSConfigStartUp-b29j794iuf4lq8omimh8 - c:\docume~1\ASK\LOCALS~1\Temp\ykz3sy41cerrl.exe
MSConfigStartUp-b2aih78z2e1zj - c:\docume~1\ASK\LOCALS~1\Temp\lcrma9.exe
MSConfigStartUp-b2h5nj1e3znxazmzz12rvbxshofg6qnhgmt - c:\docume~1\ASK\LOCALS~1\Temp\tdh6no.exe
MSConfigStartUp-b2qsvkufd03istzsdbyfy2y31qrsn95jwac3c - c:\docume~1\ASK\LOCALS~1\Temp\xgy2q6cbrsv0.exe
MSConfigStartUp-b2ye572cc8c45dysc6 - c:\docume~1\ASK\LOCALS~1\Temp\wc70loef.exe
MSConfigStartUp-b2yvu1pwudd4enibyfkd5mg0rdv9ksianfmq - c:\docume~1\ASK\LOCALS~1\Temp\o7ydfy.exe
MSConfigStartUp-b33jxb4975 - c:\docume~1\ASK\LOCALS~1\Temp\b9watds6sl6.exe
MSConfigStartUp-b3ekj29evl2fhnglov6gwd9fiy63km7jxjbgfz - c:\docume~1\ASK\LOCALS~1\Temp\i9zrib.exe
MSConfigStartUp-b3itld2vmfu9nhxsye2x - c:\docume~1\ASK\LOCALS~1\Temp\u0lxa6.exe
MSConfigStartUp-b447ryiaeonp8j7m12w - c:\docume~1\ASK\LOCALS~1\Temp\ztgtanfv.exe
MSConfigStartUp-b44sfmzzz4qui5vx5b5ffy3jqf2us1pfa2z55jv - c:\docume~1\ASK\LOCALS~1\Temp\zeu38ys49m.exe
MSConfigStartUp-b47ygml0gykiurv7lljbp8avf5iiosfti13e44t8no9kv413i - c:\docume~1\ASK\LOCALS~1\Temp\k2wq0uss20kx1.exe
MSConfigStartUp-b4bj99w5olsnh3qxdlhwzuqluyxvscekz80pa47o - c:\docume~1\ASK\LOCALS~1\Temp\ea2eugv.exe
MSConfigStartUp-b561re5mpam5q18pwssqltixs - c:\docume~1\ASK\LOCALS~1\Temp\dgy2sa9lrk5x.exe
MSConfigStartUp-b57bwuds1fvkssfnlmpyxj4q6ii0jrczxi47hr0n - c:\docume~1\ASK\LOCALS~1\Temp\bpc17p.exe
MSConfigStartUp-b5e8d4vpmflmmn802z8n3b2i11lv74u3pdw - c:\docume~1\ASK\LOCALS~1\Temp\jmgz31unw8lg.exe
MSConfigStartUp-b5focpm41thvz8vrgb8tqykvv73 - c:\docume~1\ASK\LOCALS~1\Temp\rvhlolp7umw30.exe
MSConfigStartUp-b5wq1rlm8br2ls6irbfec7yuq - c:\docume~1\ASK\LOCALS~1\Temp\hi6m5ybuxoljx.exe
MSConfigStartUp-b6r1njx11efjaf4q7wi4pqqljjord - c:\docume~1\ASK\LOCALS~1\Temp\wg9o5cr3.exe
MSConfigStartUp-b6w1lpp3k3e25h3lmbtmg60ork7dpo24fok50oijomhh - c:\docume~1\ASK\LOCALS~1\Temp\xhbnhkfn.exe
MSConfigStartUp-b6yds3ogiu257dqqlw1 - c:\docume~1\ASK\LOCALS~1\Temp\z76rzqssw7iu.exe
MSConfigStartUp-b70o2mbjg3eq5glj464hp3kus8uvkrswj2jhlyrbmtkz2zp - c:\docume~1\ASK\LOCALS~1\Temp\ha9vyo6awgql.exe
MSConfigStartUp-b7eiqkn51j1bwgn0os4qt0ofjgaji3c11kntz2k1xcq - c:\docume~1\ASK\LOCALS~1\Temp\dpzqsw2jxv.exe
MSConfigStartUp-b7go8uszyyy6rzk - c:\docume~1\ASK\LOCALS~1\Temp\fihitkj11j.exe
MSConfigStartUp-b7k52qcbm7wzbcr7zko9d3j5qxhxjnoo2bzgxj6v8ron5efqv - c:\docume~1\ASK\LOCALS~1\Temp\qyds9qe0.exe
MSConfigStartUp-b7sm1n953vodvb55uec8meffg5ueqqjblqob8n - c:\docume~1\ASK\LOCALS~1\Temp\rghi97qh3e1v.exe
MSConfigStartUp-b84elwqhg2s4z3pft5dyls0gs65hd2qyzsac0bm5j32cis35am - c:\docume~1\ASK\LOCALS~1\Temp\uk9979.exe
MSConfigStartUp-b8ht4eguqr6z5kp2kxwbp8l9xxjak - c:\docume~1\ASK\LOCALS~1\Temp\kvxpl75.exe
MSConfigStartUp-b8yixif94xdbioj4fh10ytttmfq0ci9xd6ndtwfqr - c:\docume~1\ASK\LOCALS~1\Temp\e6u1drud5.exe
MSConfigStartUp-b9220ni75ci4qnx3vx3p05ewv - c:\docume~1\ASK\LOCALS~1\Temp\gbldijch.exe
MSConfigStartUp-b9emt7b6cvlk - c:\docume~1\ASK\LOCALS~1\Temp\xpr6wnan1nx.exe
MSConfigStartUp-b9kz4rm152p7x76dkyxjmxzkba - c:\docume~1\ASK\LOCALS~1\Temp\t6u3stb.exe
MSConfigStartUp-b9rwdfoc4 - c:\docume~1\ASK\LOCALS~1\Temp\wnxkrp1dk.exe
MSConfigStartUp-b9uq0ogs3nfnmyno3t5f02yjr - c:\docume~1\ASK\LOCALS~1\Temp\l7tnrdmqp.exe
MSConfigStartUp-bbk5hqgz54qldb323r0pwxf1acpof73h - c:\docume~1\ASK\LOCALS~1\Temp\rfcb8f50r.exe
MSConfigStartUp-bbmommdcypjd32niifgoa1om9yjrm3fwe9 - c:\docume~1\ASK\LOCALS~1\Temp\cns1wwci.exe
MSConfigStartUp-bbnmwy8zv2yj938ezwac4edif55ulw - c:\docume~1\ASK\LOCALS~1\Temp\r2g0jhx.exe
MSConfigStartUp-bbnzalx0qc2s2 - c:\docume~1\ASK\LOCALS~1\Temp\u3p6ha4rt0.exe
MSConfigStartUp-bc4jjs2ivsqsmzwndyuqabl6esy5srzafg2i3xfzwak6fowoy - c:\docume~1\ASK\LOCALS~1\Temp\mbfc7lazug2o.exe
MSConfigStartUp-bc8nrsq309p93g9zpkzi90deti3ffdsl3hd - c:\docume~1\ASK\LOCALS~1\Temp\yx0aspgmc.exe
MSConfigStartUp-bcixzavacw2dxffg3gu8l0mdfuy6qjoe6l4mq6skb35c0w - c:\docume~1\ASK\LOCALS~1\Temp\eix8xn2zq4n.exe
MSConfigStartUp-bd9y3c8z3yqtdy74w7ueop8g7rlvaefgx - c:\docume~1\ASK\LOCALS~1\Temp\kz33udzh9.exe
MSConfigStartUp-bdagent - c:\program files\Softwin\BitDefender10\bdagent.exe
MSConfigStartUp-bdbpjpj25gapcmkkis805qyqxwm3i4w7dgvoka0pv6k7q7gqw - c:\docume~1\ASK\LOCALS~1\Temp\jnswb7xd.exe
MSConfigStartUp-bdmcon - c:\program files\Softwin\BitDefender10\bdmcon.exe
MSConfigStartUp-bdyaz2a3cvgfflha3kvlqirhcw6w - c:\docume~1\ASK\LOCALS~1\Temp\tfaumronmbhb.exe
MSConfigStartUp-be41ovfkhrurqcvoxmrtogpt - c:\docume~1\ASK\LOCALS~1\Temp\dkttnoo.exe
MSConfigStartUp-be4eremsubkalhl4whekwxiqrra - c:\docume~1\ASK\LOCALS~1\Temp\baugiyiw5kk.exe
MSConfigStartUp-bearshare - c:\program files\BearShare\BearShare.exe
MSConfigStartUp-bedsmp1fi3noczbhrok1h55q - c:\docume~1\ASK\LOCALS~1\Temp\zygeb2dbf67.exe
MSConfigStartUp-beg4prud0tsjfk40kc9lemi8y - c:\docume~1\ASK\LOCALS~1\Temp\cazvjacu1lu78.exe
MSConfigStartUp-bej3i7lwyj43nuk - c:\docume~1\ASK\LOCALS~1\Temp\kw4muuc.exe
MSConfigStartUp-bel1tc7de75i3s - c:\docume~1\ASK\LOCALS~1\Temp\gwg8168x.exe
MSConfigStartUp-bemv98h3175da8vjlvku - c:\docume~1\ASK\LOCALS~1\Temp\l0xnmq72dj7.exe
MSConfigStartUp-ben39mgzjo49guuls14iapkeagt0ysd89z070vksaxsxl5jq0r - c:\docume~1\ASK\LOCALS~1\Temp\pr3hm1rsymb9q.exe
MSConfigStartUp-beq553hrtuz1p - c:\docume~1\ASK\LOCALS~1\Temp\sl9d17ouzue5.exe
MSConfigStartUp-bfdc8zqaa5m6hxm0k03s8dtuy - c:\docume~1\ASK\LOCALS~1\Temp\sx32l2.exe
MSConfigStartUp-bfqfbpl2n3x1dolxq - c:\docume~1\ASK\LOCALS~1\Temp\vkalr9.exe
MSConfigStartUp-bfvaopsnvkc8840untztpkgm9vy4 - c:\docume~1\ASK\LOCALS~1\Temp\w35ca9o7qpnfp.exe
MSConfigStartUp-bg0iqp017dyixdgjtfuxinecd9mwl56ozxes - c:\docume~1\ASK\LOCALS~1\Temp\khoc37eo7h.exe
MSConfigStartUp-bg4auat16bq8d3snl - c:\docume~1\ASK\LOCALS~1\Temp\t1ez2tj8sswa4.exe
MSConfigStartUp-bg8zj4a2bq - c:\docume~1\ASK\LOCALS~1\Temp\v8mk8t.exe
MSConfigStartUp-bg9apw6izcjw4obbuqlncygkqxz6tgu3dzjvzmn4n - c:\docume~1\ASK\LOCALS~1\Temp\a9een777y.exe
MSConfigStartUp-bgnpopclxs - c:\docume~1\ASK\LOCALS~1\Temp\qq388is.exe
MSConfigStartUp-bh2fvl4x7l5yh7esx - c:\docume~1\ASK\LOCALS~1\Temp\hxqamghnwc8k.exe
MSConfigStartUp-bh4klhz7ezka095up - c:\docume~1\ASK\LOCALS~1\Temp\qm5e6epwfu3r.exe
MSConfigStartUp-bhf7mms2kband6k0u6s2o45zoymw26u6ct91z4d593mk - c:\docume~1\ASK\LOCALS~1\Temp\o3yesh58fouu.exe
MSConfigStartUp-bhucnav4f7vljzudqieaydtnebge - c:\docume~1\ASK\LOCALS~1\Temp\idfebosdh05.exe
MSConfigStartUp-bi05xytap0p - c:\docume~1\ASK\LOCALS~1\Temp\ms7bvit.exe
MSConfigStartUp-bibk5oj5m8tilll3cpyw7ea0nf577mya8bctqbpt692 - c:\docume~1\ASK\LOCALS~1\Temp\uo23h6s97.exe
MSConfigStartUp-bjlhg0ui2v8hzvtyc - c:\docume~1\ASK\LOCALS~1\Temp\yeknib3t5rgr.exe
MSConfigStartUp-bjpotp1qlegs898oxvh5rf8l6tqsew0yjaf2ygo1u3oftef9 - c:\docume~1\ASK\LOCALS~1\Temp\dty1833pp2p.exe
MSConfigStartUp-bjvisy9h799h0qb42cfqq725cbjbvapao95jwa7ujnon1v - c:\docume~1\ASK\LOCALS~1\Temp\ztddt62jbc.exe
MSConfigStartUp-bjww1e35h3nhdajg0j - c:\docume~1\ASK\LOCALS~1\Temp\i7k8nx3xssr.exe
MSConfigStartUp-bk5kuk06qsw0e1fzvg9g2ffk1fxt27r007ztke00disia8ymkc - c:\docume~1\ASK\LOCALS~1\Temp\jcl2bh2.exe
MSConfigStartUp-bk6g9a03n9y2v - c:\docume~1\ASK\LOCALS~1\Temp\lm8o234iyc0.exe
MSConfigStartUp-bkk6tf5jnhluyuowbwpbcjdoepmpk9m3no6h15pw7bu6n - c:\docume~1\ASK\LOCALS~1\Temp\co7y2w1n5.exe
MSConfigStartUp-bkmrk9du5eldh4h6yt94 - c:\docume~1\ASK\LOCALS~1\Temp\wr9cste3ldi.exe
MSConfigStartUp-bksfnt3jk0mk1c877yqz0xla52ehpxwuj1tpx - c:\docume~1\ASK\LOCALS~1\Temp\kqut4ngkh.exe
MSConfigStartUp-blb9dyogevcpqzdmw10 - c:\docume~1\ASK\LOCALS~1\Temp\nf6wt8wf3g.exe
MSConfigStartUp-blh2r00q3a6kf0k - c:\docume~1\ASK\LOCALS~1\Temp\aedg82d9nm.exe
MSConfigStartUp-blmiemb964tv8jpxa5zjupofuwg9obgwae0jl - c:\docume~1\ASK\LOCALS~1\Temp\i9elnyk.exe
MSConfigStartUp-bmdnjrcse2tdjzq69keqe947bzh5zeu8j2 - c:\docume~1\ASK\LOCALS~1\Temp\t4f3xlirp.exe
MSConfigStartUp-bmgvze0a2ogqhnz8np7wmr2p - c:\docume~1\ASK\LOCALS~1\Temp\w0u6kuqq.exe
MSConfigStartUp-bmjvntbkpvsxgr5tqsm75j2lco72xpovf70vqhfrfum4j6rt - c:\docume~1\ASK\LOCALS~1\Temp\bg47mt.exe
MSConfigStartUp-bnal9sndm8k2sv3skrdb4d7xr7o5ybpj7ik17w6 - c:\docume~1\ASK\LOCALS~1\Temp\a66y8201emw.exe
MSConfigStartUp-bnzqcsqpaqaf9suy882e5inq9juufrx7lthajb95n2lr5 - c:\docume~1\ASK\LOCALS~1\Temp\ysxuywru.exe
MSConfigStartUp-boc4kx8qvuarzbnqbissdk74hjwtcd00x5047 - c:\docume~1\ASK\LOCALS~1\Temp\nbe6tggovt.exe
MSConfigStartUp-boln0r6yb1nptyfr48sq3nh - c:\docume~1\ASK\LOCALS~1\Temp\n8wy64dt.exe
MSConfigStartUp-bop1dd4wy4ml70 - c:\docum

Attached Files

combolog.txt 357.68KB 248 downloads

#14
kahdah

Posted 20 February 2009 - 07:40 AM

GeekU Teacher

Retired Staff
15,822 posts

1. Please open Notepad

Click Start , then Run
type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Driver::
ethbqkee
twinnlia

File::
c:\windows\system32\drivers\ethbqkee.sys
c:\windows\system32\drivers\f706ec8b.sys
c:\windows\system32\1CC.tmp
c:\windows\System32\Drivers\twinnlia.sys
c:\windows\system32\xcchit32.ini.ssyq
c:\windows\system32\1BB.tmp
c:\windows\system32\1C2.tmp
c:\windows\system32\1B6.tmp
c:\windows\system32\1D0.tmp
c:\windows\system32\1CA.tmp
c:\windows\system32\1C3.tmp
c:\windows\system32\1BD.tmp
c:\windows\system32\1B7.tmp
c:\windows\system32\1B0.tmp
c:\windows\system32\_fccywtut.dll
c:\windows\system32\1EA.tmp
c:\windows\system32\1C7.tmp
c:\windows\system32\drivers\ndisio.sys
c:\windows\system32\1AD.tmp
c:\windows\system32\ljJDWQJB.dll
C:\dykhyp.exe
C:\xyephkl.exe
C:\-195762547
c:\windows\system32\byXPJyAt.dll.vir
c:\windows\system32\byXPFUKa.dll


Folder::
c:\windows\xczuokls
c:\windows\mwgorzqr

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\a.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\matrix31290.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpa.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpb.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpc.exe]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt
A new dds log.

#15
mmindz

Posted 20 February 2009 - 10:34 AM

Member

Topic Starter
Member
22 posts

Hi Kahdah

Combofix.txt-----

ComboFix 09-02-17.02 - ASK 2009-02-20 11:10:27.2 - NTFSx86
Running from: c:\documents and settings\ASK\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\ASK\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090205-1] *On-access scanning disabled* (Outdated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\-195762547
C:\dykhyp.exe
c:\windows\system32\_fccywtut.dll
c:\windows\system32\1AD.tmp
c:\windows\system32\1B0.tmp
c:\windows\system32\1B6.tmp
c:\windows\system32\1B7.tmp
c:\windows\system32\1BB.tmp
c:\windows\system32\1BD.tmp
c:\windows\system32\1C2.tmp
c:\windows\system32\1C3.tmp
c:\windows\system32\1C7.tmp
c:\windows\system32\1CA.tmp
c:\windows\system32\1CC.tmp
c:\windows\system32\1D0.tmp
c:\windows\system32\1EA.tmp
c:\windows\system32\byXPFUKa.dll
c:\windows\system32\byXPJyAt.dll.vir
c:\windows\system32\drivers\ethbqkee.sys
c:\windows\system32\drivers\f706ec8b.sys
c:\windows\system32\drivers\ndisio.sys
c:\windows\System32\Drivers\twinnlia.sys
c:\windows\system32\ljJDWQJB.dll
c:\windows\system32\xcchit32.ini.ssyq
C:\xyephkl.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-195762547
C:\dykhyp.exe
c:\windows\mwgorzqr\
c:\windows\system32\_fccywtut.dll
c:\windows\system32\1AD.tmp
c:\windows\system32\1B0.tmp
c:\windows\system32\1B6.tmp
c:\windows\system32\1B7.tmp
c:\windows\system32\1BB.tmp
c:\windows\system32\1BD.tmp
c:\windows\system32\1C2.tmp
c:\windows\system32\1C3.tmp
c:\windows\system32\1C7.tmp
c:\windows\system32\1CA.tmp
c:\windows\system32\1CC.tmp
c:\windows\system32\1D0.tmp
c:\windows\system32\1EA.tmp
c:\windows\system32\byXPFUKa.dll
c:\windows\system32\byXPJyAt.dll.vir
c:\windows\system32\drivers\ethbqkee.sys
c:\windows\system32\drivers\f706ec8b.sys
c:\windows\system32\drivers\ndisio.sys
c:\windows\system32\drivers\ntndis.sys
c:\windows\System32\Drivers\twinnlia.sys
c:\windows\system32\ljJDWQJB.dll
c:\windows\system32\xcchit32.ini.ssyq
c:\windows\xczuokls\
C:\xyephkl.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_twinnlia
-------\Service_ethbqkee
-------\Service_twinnlia
-------\Service_f706ec8b

((((((((((((((((((((((((( Files Created from 2009-01-20 to 2009-02-20 )))))))))))))))))))))))))))))))
.

2009-02-18 18:53 . 2009-02-18 18:53 250 --a------ c:\windows\gmer.ini
2009-02-17 21:53 . 2009-02-17 21:53 <DIR> d-------- c:\program files\Alwil Software
2009-02-17 21:36 . 2009-02-17 21:36 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-17 20:32 . 2009-02-17 21:28 <DIR> d--h----- C:\$AVG8.VAULT$
2009-02-17 20:30 . 2009-02-18 20:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-02-17 20:26 . 2009-02-17 20:26 <DIR> d-------- c:\documents and settings\Administrator\Application Data\HP
2009-02-17 20:25 . 2004-08-03 17:56 221,184 --a------ c:\windows\system32\wmpns.dll
2009-02-17 17:26 . 2009-02-18 20:29 <DIR> d-------- c:\program files\Common Files\Softwin
2009-02-16 23:35 . 2009-02-16 23:40 <DIR> d-------- c:\documents and settings\Administrator
2009-02-16 23:04 . 2009-02-16 23:40 <DIR> d-------- c:\windows\system32\3361
2009-02-16 23:04 . 2009-02-16 23:04 108,336 --a------ c:\windows\system32\MSWINSCK.OCX
2009-02-16 23:03 . 2009-02-16 23:03 172 --a------ c:\windows\system32\1C1.tmp
2009-02-16 22:16 . 2009-02-16 22:16 <DIR> d-------- c:\documents and settings\ASK\Application Data\Malwarebytes
2009-02-16 22:15 . 2009-02-16 22:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-16 22:15 . 2009-02-16 22:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-16 22:15 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-16 22:15 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-16 22:02 . 2009-02-16 22:02 <DIR> d-------- c:\program files\Enigma Software Group
2009-02-16 18:50 . 2009-02-16 23:31 4 --a------ c:\windows\xczuokls
2009-02-16 17:27 . 2009-02-17 17:00 130 --a------ c:\windows\adobe.bat
2009-02-16 17:27 . 2009-02-16 17:32 6 --a------ c:\windows\_id.dat
2009-02-16 15:59 . 2009-02-17 17:01 <DIR> d-------- c:\windows\BDOSCAN8
2009-02-16 15:56 . 2002-02-15 14:02 676,352 --a------ c:\windows\system32\rtl60.bpl
2009-02-16 15:55 . 2009-02-18 20:44 <DIR> d-------- c:\windows\system32\inf
2009-02-16 15:55 . 2009-02-16 15:57 67,072 ---h----- c:\windows\system32\secupdat.dat
2009-02-16 15:43 . 2009-02-16 17:00 1,312 --a------ c:\windows\mwgorzqr
2009-02-13 15:30 . 2009-02-13 15:30 244 --ah----- C:\sqmnoopt17.sqm
2009-02-13 15:30 . 2009-02-13 15:30 232 --ah----- C:\sqmdata17.sqm
2009-01-21 18:32 . 2009-01-21 18:32 <DIR> d-------- c:\program files\Common Files\Intuit
2009-01-21 18:32 . 2009-01-21 18:32 <DIR> d-------- c:\program files\Common Files\AnswerWorks 5.0
2009-01-21 18:32 . 2009-01-21 18:32 <DIR> d-------- c:\documents and settings\ASK\Application Data\Intuit
2009-01-21 18:32 . 2008-08-19 09:46 3,523,872 --a------ c:\windows\system32\cdintf300.dll
2009-01-21 18:32 . 2008-08-19 09:46 1,848,608 --a------ c:\windows\system32\acXMLParser.dll
2009-01-21 18:31 . 2009-01-21 18:36 <DIR> d-------- c:\program files\Quicken
2009-01-21 18:31 . 2009-01-21 18:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Intuit
2009-01-21 18:31 . 2009-01-21 18:40 165 --a------ c:\windows\QUICKEN.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-19 01:39 90,112 ----a-w c:\windows\DUMP7261.tmp
2009-02-19 01:29 --------- d-----w c:\documents and settings\All Users\Application Data\BitDefender
2009-02-18 02:04 90,112 ----a-w c:\windows\DUMP82fb.tmp
2009-02-18 01:22 --------- d-----w c:\documents and settings\ASK\Application Data\DNA
2009-02-18 01:05 90,112 ----a-w c:\windows\DUMPe5c7.tmp
2009-02-18 01:05 --------- d-----w c:\program files\DNA
2009-02-17 02:52 --------- d-----w c:\documents and settings\ASK\Application Data\StumbleUpon
2009-02-17 02:51 --------- d-----w c:\program files\Yahoo!
2009-02-17 02:50 --------- d-----w c:\program files\ABF software
2009-02-17 00:15 --------- d-----w c:\program files\Common Files\BitDefender
2009-02-17 00:13 --------- d-----w c:\program files\BearShare
2009-02-16 23:32 65,536 ----a-w c:\windows\DUMP86f2.tmp
2009-02-16 22:30 182,912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-02-14 01:03 --------- d-----w c:\documents and settings\ASK\Application Data\BitTorrent
2009-02-13 20:31 --------- d-----w c:\documents and settings\TKK\Application Data\StumbleUpon
2009-01-21 23:32 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-15 21:45 132 ----a-w C:\httpdwl.dat
2008-12-24 20:00 --------- d-----w c:\program files\BitDefender
2008-10-14 13:50 30,672 ----a-w c:\documents and settings\TKK\Application Data\GDIPFONTCACHEV1.DAT
2008-06-16 23:15 30,672 ----a-w c:\documents and settings\ASK\Application Data\GDIPFONTCACHEV1.DAT
.

------- Sigcheck -------

2004-08-03 17:56 14336 8f078ae4ed187aaabc0a305146de6716 c:\windows\system32\svchost.exe
2004-08-03 17:56 31232 e332f52d78660e691169b906f0d661a0 c:\windows\system32\dllcache\svchost.exe

2008-04-13 19:12 82432 2ccc474eb85ceaa3e1fa1726580a3e5a c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ws2_32.dll
2004-08-03 17:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 c:\windows\system32\ws2_32.dll
2004-08-03 17:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 c:\windows\system32\dllcache\ws2_32.dll

2008-04-13 19:12 525312 f68129dbb9a9782796165038c2685348 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
2004-08-03 17:56 502272 01c3346c241652f43aed8e2149881bfe c:\windows\system32\winlogon.exe
2004-08-03 17:56 519680 8f485b68669bfdc1f51551b0e2bc9479 c:\windows\system32\dllcache\winlogon.exe

2008-04-13 14:20 182656 558635d3af1c7546d26067d5d9b6959e c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys
2009-02-16 17:30 213376 558635d3af1c7546d26067d5d9b6959e c:\windows\system32\dllcache\ndis.sys
2009-02-16 17:30 213376 558635d3af1c7546d26067d5d9b6959e c:\windows\system32\drivers\ndis.sys

2008-04-13 13:53 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ip6fw.sys
2004-08-03 16:00 29056 4448006b6bc60e6c027932cfc38d6855 c:\windows\system32\dllcache\ip6fw.sys
2004-08-03 16:00 29056 4448006b6bc60e6c027932cfc38d6855 c:\windows\system32\drivers\ip6fw.sys

2007-06-13 06:26 1050624 a344a37bfaf8ec68bda2e3815a7df209 c:\windows\explorer.exe
2005-10-15 03:07 1049600 5e039d348db8dbb6804b09be8d7ecf48 c:\windows\$NtUninstallKB938828$\explorer.exe
2008-04-13 19:12 1050624 d48b96593e70f97bdb205c821f495e15 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
2007-06-13 06:26 1050112 7b85073dab6a71bce19bd2cd6838ee57 c:\windows\system32\dllcache\explorer.exe

2008-04-13 19:12 125440 6e50d1ba734525971b3debec479fb96a c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\services.exe
2004-08-03 17:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 c:\windows\system32\services.exe
2004-08-03 17:56 124928 3c02e1941837b9099a540967695d71b5 c:\windows\system32\dllcache\services.exe

2008-04-13 19:12 30720 7664a714822c74a2f6dbce3042e1f1b8 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe
2004-08-03 17:56 13312 84885f9b82f4d55c6146ebf6065d75d2 c:\windows\system32\lsass.exe
2004-08-03 17:56 30208 85b92263d95b6698ce1fa19517369d3c c:\windows\system32\dllcache\lsass.exe

2008-04-13 19:12 32256 518addf355de4233b3c83e3aea0f474a c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ctfmon.exe
2004-08-03 17:56 32256 950c303f0c52cf5495cf48e19ab86830 c:\windows\system32\ctfmon.exe
2004-08-03 17:56 32256 a1053e5a8d5d92565e58110ecd9ab95f c:\windows\system32\dllcache\ctfmon.exe

2008-04-13 19:12 74752 5f29d5451b06a6371803ac69154fc041 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\spoolsv.exe
2005-10-13 15:36 74752 e4af28a544dadddeecc90edd97c129bc c:\windows\system32\spoolsv.exe
2005-10-13 15:36 75264 c651914c4d217b1315cf99d80494b330 c:\windows\system32\dllcache\spoolsv.exe

2008-04-13 19:12 43008 9f08f923f87a2043c6d94dfee9a733f4 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
2009-02-16 15:45 121856 c685101e401617d55b15524e0691204f c:\windows\system32\userinit.exe
2009-02-16 15:45 121856 c685101e401617d55b15524e0691204f c:\windows\system32\dllcache\userinit.exe

2008-04-13 19:12 17408 50a166237a0fa771261275a405646cc0 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\powrprof.dll
2004-08-03 17:56 17408 1b5f6923abb450692e9fe0672c897aed c:\windows\system32\powrprof.dll
2004-08-03 17:56 17408 1b5f6923abb450692e9fe0672c897aed c:\windows\system32\dllcache\powrprof.dll

2008-04-13 19:11 110080 0da85218e92526972a821587e6a8bf8f c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\imm32.dll
2004-08-03 17:56 110080 87ca7ce6469577f059297b9d6556d66d c:\windows\system32\imm32.dll
2004-08-03 17:56 110080 87ca7ce6469577f059297b9d6556d66d c:\windows\system32\dllcache\imm32.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-02-19_18.53.24.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-21 01:02:28 183,808 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
- 2005-10-21 01:02:28 184,320 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2000-08-31 13:00:00 48,640 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 13:00:00 49,152 ----a-w c:\windows\NIRCMD.exe
- 2009-02-19 23:46:42 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-20 01:58:24 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-19 23:46:42 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-20 01:58:24 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-02-19 23:46:42 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-20 01:58:24 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-20 16:19:56 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_3a4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-29 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-29 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1711104]
"DriverUpdaterPro"="c:\program files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe" [2008-09-19 2311204]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2005-10-15 186880]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 32256]

[HKLM\~\startupfolder\c:^documents and settings^all users^start menu^programs^startup^hp digital imaging monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\c:^documents and settings^all users^start menu^programs^startup^hp photosmart premier fast start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\c:^documents and settings^all users^start menu^programs^startup^microsoft office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\c:^documents and settings^all users^start menu^programs^startup^workspace macro pro hotkeys.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Workspace Macro Pro Hotkeys.lnk
backup=c:\windows\pss\Workspace Macro Pro Hotkeys.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\userfaultcheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\acrobat assistant 8.0]
--a------ 2007-03-29 22:14 624248 c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adobeupdater]
--a------ 2007-02-28 23:06 2321600 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aniwzcs2service]
--a------ 2005-11-30 10:35 69632 c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bittorrent dna]
--a------ 2008-12-17 12:54 342848 c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 17:56 32256 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\d-link wireless g wua-1340]
--a------ 2005-12-15 12:19 2736128 c:\program files\D-Link\Wireless G WUA-1340\AirGCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\driverupdaterpro]
--a------ 2008-09-19 00:31 2311204 c:\program files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hp software update]
--a------ 2005-12-15 11:18 69632 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\isuspm startup]
--a------ 2004-07-27 15:50 241664 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\isusscheduler]
--a------ 2004-07-27 15:50 102400 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ituneshelper]
--a------ 2008-02-04 14:18 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-10-18 10:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvcpldaemon]
--a------ 2006-10-22 12:22 7700480 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvmediacenter]
--a------ 2006-10-22 12:22 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quicktime task]
--a------ 2008-01-31 23:13 405504 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\roxiodragtodisc]
--a------ 2006-08-17 08:00 1116920 c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spyhunter security suite]
--a------ 2009-01-13 13:52 884736 c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sunjavaupdatesched]
--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-10-22 12:22 1642496 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\soundman]
--a------ 2006-11-17 04:42 598016 c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Autodesk\\Combustion 2008\\combustion.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]

--- Other Services/Drivers In Memory ---

*Deregistered* - Aavmker4
*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - ANIO
*Deregistered* - Apple Mobile Device
*Deregistered* - aswFsBlk
*Deregistered* - aswMon2
*Deregistered* - aswRdr
*Deregistered* - aswSP
*Deregistered* - aswTdi
*Deregistered* - aswUpdSv
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - avast! Antivirus
*Deregistered* - avast! Mail Scanner
*Deregistered* - avast! Web Scanner
*Deregistered* - Beep
*Deregistered* - Bonjour Service
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - DLABMFSM
*Deregistered* - DLABOIOM
*Deregistered* - DLADResM
*Deregistered* - DLAIFS_M
*Deregistered* - DLAOPIOM
*Deregistered* - DLAPoolM
*Deregistered* - DLARTL_M
*Deregistered* - DLAUDF_M
*Deregistered* - DLAUDFAM
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - DRVNDDM
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - Fastfat
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - HTTP
*Deregistered* - ImapiService
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - Kbdclass
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - MySQL
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - NVSvc
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - Pml Driver HPZ12
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - Secdrv
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - StillCam
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - WS2IFSL
*Deregistered* - wscsvc
*Deregistered* - WZCSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{72d906f8-e270-11dc-982a-e3821693e49c}]
\Shell\AutoRun\command - E:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-02-20 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]

2009-02-20 c:\windows\Tasks\login.job
- c:\windows\system32\cmd.exe [2004-08-03 17:56]

2009-02-20 c:\windows\Tasks\schnappzmedia.job
- c:\windows\system32\cmd.exe [2004-08-03 17:56]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-twinnlia.sys

.
------- Supplementary Scan -------
.
uStart Page =
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-20 11:25:17
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dumprep.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-02-20 11:29:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-20 16:29:02
ComboFix2.txt 2009-02-20 00:11:46

Pre-Run: 48,879,173,632 bytes free
Post-Run: 48,863,285,248 bytes free

500 --- E O F --- 2009-02-14 18:18:08