Welcome to Geeks to Go - Register now for FREE
FireFox/IE are redirected to ad sites [Solved]


  • This topic is locked

#1
sufhi

    New Member

  • Member
  • 8 posts
Hello,
I've been having problems with my internet for the past few days. It began when Firefox and IE crashed on startup. I ran some antispyware software and scanned the computer with McAfee AV, which found and removed several items. This solved the browsers' startup problem, but now I have this redirect problem:
For both Firefox and IE, whenever I search on Google and click on a link, I get redirected to an ad page.
I hope you can help me with that.
Enclosed is the HijackThis log file.

Thanks!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:29:56, on 14/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svcnost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\system32\dslagent.exe
C:\WINDOWS\vVX1000.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RSSoft\RedSwoosh.exe
C:\Program Files\Babylon\Babylon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\isuspm.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\5eae7d80-f310-4e5d-9692-6088d97adf62.exe
C:\PROGRA~1\McAfee\MSC\mcregist.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSC\mcsvrcnt.exe
c:\PROGRA~1\mcafee\msc\mcupdui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Red Swoosh] C:\Program Files\RSSoft\RedSwoosh.exe /S
O4 - HKCU\..\Run: [Babylon Translator] C:\Program Files\Babylon\Babylon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\isuspm.exe" -scheduler
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\5eae7d80-f310-4e5d-9692-6088d97adf62.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.ordernet.co.il
O15 - Trusted Zone: http://www.winwin.co.il
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebo...toUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1200748464734
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft...tail/DASAct.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Update Service (gupdate1c99cf9c8128dfe) (gupdate1c99cf9c8128dfe) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 13237 bytes
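The HijackThis log above is plain text that a helper reads by eye. As an added example (not part of this thread, and not code from HijackThis or Geeks to Go), here is a small Python triage pass over that format, run on a constructed sample made of lines taken from the log above; it flags the entries a malware-removal helper checks first: BHOs whose DLL is missing, Trusted Zone additions, services with no company name, and any process whose name is one character off from a core Windows binary.

```python
"""Triage pass over a HijackThis log (added example; not from the thread or HijackThis).

A HijackThis log is plain text: a "Running processes:" list of paths, then
R/O entries of the form "<section> - <details>".  This script parses both and
flags entries a malware-removal helper would check first.  A flag means
"look at this by hand", not "this is malicious".
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Core Windows binaries whose names malware often imitates with a one-character change.
CORE_PROCESSES = (
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe",
)

# "O2 - BHO: ...", "R1 - HKLM\...": section tag, " - ", rest of the entry.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    line: str    # the log line, verbatim
    reason: str  # why it deserves a second look


def one_substitution_apart(a: str, b: str) -> bool:
    """True when a and b have the same length and differ in exactly one character."""
    if len(a) != len(b) or a == b:
        return False
    return sum(x != y for x, y in zip(a, b)) == 1


def lookalike(basename: str) -> Optional[str]:
    """Return the core Windows binary that `basename` imitates, or None."""
    name = basename.lower()
    for core in CORE_PROCESSES:
        if one_substitution_apart(name, core):
            return core
    return None


def triage(log_text: str) -> List[Finding]:
    """Scan a HijackThis log and return the entries worth a manual review."""
    findings: List[Finding] = []
    in_process_list = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_process_list = True
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            in_process_list = False  # the first R/O entry ends the process list
            section, body = entry.group("section"), entry.group("body")
            if section == "O2" and body.endswith("(no file)"):
                findings.append(Finding(line, "BHO registered but its DLL is missing: orphaned entry or hidden file"))
            elif section == "O15":
                findings.append(Finding(line, "site added to the IE Trusted Zone: relaxed security for that host"))
            elif section == "O23" and " - Unknown owner - " in body:
                findings.append(Finding(line, "service with no company name: verify the binary"))
            continue
        if in_process_list:
            basename = line.rsplit("\\", 1)[-1]
            core = lookalike(basename)
            if core:
                findings.append(Finding(line, f"process name is one character off from {core}"))
    return findings


# Constructed sample: a handful of lines taken from the OP's log above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svcnost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O15 - Trusted Zone: *.ordernet.co.il
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.reason}]\n    {f.line}")
```

Every flag is a prompt for a human check; the two legitimate SiteAdvisor entries in the OP's log show why "Unknown owner" alone proves nothing.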

#2
Extremeboy

    Malware Removal Staff

  • Retired Staff
  • 824 posts
Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding to your request for help.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.

First of all, I need to see the OTListIT2 log and the Rooter log, which you didn't provide and which are mentioned already in the >>guide over here<<.

Anyways, please run this tool for me first. Then follow the instructions below.

Run GooredFix using Option2 (Removal)

Please download GooredFix and save it to your Desktop.
Alternative Download Mirror #2

Please make sure all instances of Firefox are closed at this point before proceeding.

  • Please double-click Goored.exe on your Desktop to run it.
  • A window will appear; please select 2. (Fix Goored) by typing 2 and pressing Enter.
  • Type Y at the prompt and press Enter. The removal process will begin.
  • A log will open with the file after completion; please post the contents of that log in your next reply.
*Note: The log can also be found on your desktop (Goored.txt).

There are some steps in the guide that are not needed right now, so only follow the ones I listed below from that guide and post back with the required logs in your next reply, please. Any questions, PLEASE ASK.

These are the ones that I would like you to follow:
Run ATFCleaner
Run ERUNT
Install and scan with Malwarebytes Anti-Malware
Run Rooter
Run OTLIstIT2

Then post back with:
-GooredFix log
-MBAM log
-Rooter log
-OTListIT2 log

Thanks.

With Regards,
Extremeboy

#3
sufhi

    New Member

  • Topic Starter
  • Member
  • 8 posts
Hi EB,

Thanks again for your reply.
Unfortunately I did make several installs/uninstalls on my computer in the last week. I hope it didn't do any serious damage, though I must admit that it was after these actions that my computer started limping.
I followed the steps you mentioned. However, Malwarebytes could not be opened and run on my computer (I also changed its name when saving it to the desktop, but it did not help).
Also, I ran ERUNT about five days ago following the Malware and Spyware Cleaning Guide. Do I need to run it again?

Here are the log files you asked for:

GooredFix log

GooredFix v1.92 by jpshortstuff
Log created at 21:30 on 20/04/2009 running Option #2 (Administrator)
Firefox version 3.0.8 (en-US)

=====Goored Deletions=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{000a9d1c-beef-4f90-9363-039d445309b8}"="C:\Program Files\Google\Google Gears\Firefox\"


Rooter log

Microsoft Windows XP Professional (5.1.2600) Service Pack 3

C:\ [Fixed] - NTFS - (Total:152625 Mo/Free:1480 Mo)
D:\ [Fixed] - NTFS - (Total:238464 Mo/Free:3955 Mo)
F:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
G:\ [Removable] (Total:980 Mo/Free:977 Mo)

Mon 04/20/2009|21:43

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
---------- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
---------- C:\Program Files\Bonjour\mDNSResponder.exe
---------- C:\Program Files\Symantec AntiVirus\DefWatch.exe
---------- C:\Program Files\Java\jre6\bin\jqs.exe
---------- C:\Program Files\Google\Update\GoogleUpdate.exe
---------- C:\Program Files\McAfee\MBK\MBackMonitor.exe
---------- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
---------- C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
---------- c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
---------- c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
---------- C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
---------- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
---------- C:\Program Files\McAfee\MPF\MPFSrv.exe
---------- C:\Program Files\Microsoft LifeCam\MSCamS32.exe
---------- C:\Program Files\McAfee\MSK\MskSrver.exe
---------- C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
---------- C:\Program Files\CyberLink\Shared Files\RichVideo.exe
---------- C:\Program Files\Spyware Doctor\pctsAuxs.exe
---------- C:\Program Files\Spyware Doctor\pctsSvc.exe
---------- C:\Program Files\Spyware Doctor\pctsTray.exe
---------- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
---------- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
---------- C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
---------- C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
---------- c:\PROGRA~1\mcafee.com\agent\mcagent.exe
---------- C:\WINDOWS\System32\alg.exe
---------- C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
---------- C:\WINDOWS\Explorer.EXE
---------- C:\WINDOWS\system32\VTTimer.exe
---------- C:\WINDOWS\system32\S3trayp.exe
---------- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
---------- C:\WINDOWS\system32\gsicon.exe
---------- C:\WINDOWS\system32\dslagent.exe
---------- C:\WINDOWS\vVX1000.exe
---------- C:\Program Files\QuickTime\QTTask.exe
---------- C:\Program Files\iTunes\iTunesHelper.exe
---------- C:\Program Files\Java\jre6\bin\jusched.exe
---------- C:\PROGRA~1\SYMANT~1\VPTray.exe
---------- C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
---------- C:\WINDOWS\system32\ctfmon.exe
---------- C:\Program Files\RSSoft\RedSwoosh.exe
---------- C:\Program Files\Babylon\Babylon.exe
---------- C:\Program Files\PeerGuardian2\pg2.exe
---------- C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\isuspm.exe
---------- C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
---------- C:\Program Files\Messenger\msmsgs.exe
---------- C:\Program Files\SUPERAntiSpyware\5eae7d80-f310-4e5d-9692-6088d97adf62.exe
---------- C:\Program Files\iPod\bin\iPodService.exe
---------- C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
---------- c:\PROGRA~1\mcafee\msc\mcupdmgr.exe
---------- C:\Program Files\Internet Explorer\IEXPLORE.EXE
---------- C:\Documents and Settings\Administrator\Desktop\Rooter.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

----------------------\\ ROOTKIT !!



1 - "C:\Rooter$\Rooter_1.txt" - Mon 04/20/2009|21:44

----------------------\\ Scan completed at 21:44


OTListIT2 log

OTListIt logfile created on: 20/04/2009 21:48:12 - Run 1
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 0000040D | Country: Israel | Language: HEB | Date Format: dd/MM/yyyy

894.17 Mb Total Physical Memory | 260.53 Mb Available Physical Memory | 29.14% Memory free
2.12 Gb Paging File | 1.34 Gb Available in Paging File | 63.10% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 117.45 Gb Free Space | 78.80% Space Free | Partition Type: NTFS
Drive D: | 232.88 Gb Total Space | 139.86 Gb Free Space | 60.06% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 980.72 Mb Total Space | 977.59 Mb Free Space | 99.68% Space Free | Partition Type: FAT
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: NETTA
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
PRC - C:\Program Files\Symantec AntiVirus\DefWatch.exe (Symantec Corporation)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Google\Update\GoogleUpdate.exe (Google Inc.)
PRC - C:\Program Files\McAfee\MBK\MBackMonitor.exe (McAfee)
PRC - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe ()
PRC - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
PRC - c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
PRC - c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
PRC - C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)
PRC - C:\Program Files\Microsoft LifeCam\MSCamS32.exe (Microsoft Corporation)
PRC - C:\Program Files\McAfee\MSK\MskSrver.exe (McAfee, Inc.)
PRC - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe (Microsoft Corporation)
PRC - C:\Program Files\CyberLink\Shared Files\RichVideo.exe ()
PRC - C:\Program Files\Spyware Doctor\pctsAuxs.exe (PC Tools)
PRC - C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools)
PRC - C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools)
PRC - C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (Microsoft Corporation)
PRC - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)
PRC - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe (GEMTEKS)
PRC - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe (Linksys)
PRC - c:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\WINDOWS\system32\VTTimer.exe (S3 Graphics, Inc.)
PRC - C:\WINDOWS\system32\S3trayp.exe (S3 Graphics Co., Ltd.)
PRC - C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
PRC - C:\WINDOWS\system32\gsicon.exe (GlobespanVirata, Inc.)
PRC - C:\WINDOWS\system32\dslagent.exe ()
PRC - C:\WINDOWS\vVX1000.exe (Microsoft Corporation)
PRC - C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
PRC - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
PRC - C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe (McAfee)
PRC - C:\Program Files\RSSoft\RedSwoosh.exe ()
PRC - C:\Program Files\Babylon\Babylon.exe (Babylon Ltd.)
PRC - C:\Program Files\PeerGuardian2\pg2.exe (Methlabs)
PRC - C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\isuspm.exe (Macrovision Corporation)
PRC - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
PRC - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
PRC - C:\Program Files\SUPERAntiSpyware\5eae7d80-f310-4e5d-9692-6088d97adf62.exe (SUPERAntiSpyware.com)
PRC - C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
PRC - c:\Program Files\McAfee\MSC\mcupdmgr.exe (McAfee, Inc.)
PRC - C:\Documents and Settings\Administrator\Desktop\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (Apple Mobile Device [Auto | Running]) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (Bonjour Service [Auto | Running]) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
SRV - (ccEvtMgr [Auto | Running]) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (Symantec Corporation)
SRV - (ccPwdSvc [On_Demand | Stopped]) -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (Symantec Corporation)
SRV - (ccSetMgr [Auto | Running]) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (Symantec Corporation)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (DefWatch [Auto | Running]) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe (Symantec Corporation)
SRV - (FontCache3.0.0.0 [On_Demand | Stopped]) -- c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (gupdate1c99cf9c8128dfe [Auto | Stopped]) -- C:\Program Files\Google\Update\GoogleUpdate.exe (Google Inc.)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (IDriverT [On_Demand | Stopped]) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (idsvc [Unknown | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (iPod Service [On_Demand | Running]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (JavaQuickStarterService [Auto | Running]) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (MBackMonitor [Auto | Running]) -- C:\Program Files\McAfee\MBK\MBackMonitor.exe (McAfee)
SRV - (McAfee SiteAdvisor Service [Auto | Running]) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe ()
SRV - (mcmscsvc [Auto | Running]) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
SRV - (McNASvc [Auto | Running]) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
SRV - (McODS [On_Demand | Stopped]) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SRV - (McProxy [Auto | Running]) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
SRV - (McShield [Unknown | Running]) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
SRV - (McSysmon [On_Demand | Running]) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
SRV - (MDM [Auto | Running]) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
SRV - (MpfService [Auto | Running]) -- C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)
SRV - (MSCamSvc [Auto | Running]) -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe (Microsoft Corporation)
SRV - (MSK80Service [Auto | Running]) -- C:\Program Files\McAfee\MSK\MskSrver.exe (McAfee, Inc.)
SRV - (MSSQL$SQLEXPRESS [Auto | Running]) -- C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe (Microsoft Corporation)
SRV - (MSSQLServerADHelper [Disabled | Stopped]) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe (Microsoft Corporation)
SRV - (msvsmon90 [Disabled | Stopped]) -- D:\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe (Microsoft Corporation)
SRV - (NetTcpPortSharing [Disabled | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (NMIndexingService [Disabled | Stopped]) -- File not found
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (RichVideo [Auto | Running]) -- C:\Program Files\CyberLink\Shared Files\RichVideo.exe ()
SRV - (SavRoam [On_Demand | Stopped]) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe (symantec)
SRV - (sdAuxService [Auto | Running]) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe (PC Tools)
SRV - (sdCoreService [Auto | Running]) -- C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools)
SRV - (SNDSrvc [On_Demand | Stopped]) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (Symantec Corporation)
SRV - (SQLBrowser [Auto | Running]) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe (Microsoft Corporation)
SRV - (SQLWriter [Auto | Running]) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (Microsoft Corporation)
SRV - (Symantec AntiVirus [Auto | Running]) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)
SRV - (WLSetupSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe (Microsoft Corporation)
SRV - (WMPNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)
SRV - (WUSB54GCSVC [Auto | Running]) -- File not found

========== Driver Services (SafeList) ==========

DRV - (AegisP [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\AegisP.sys (Meetinghouse Data Communications)
DRV - (BrScnUsb [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys (Brother Industries Ltd.)
DRV - (dfmirage [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\dfmirage.sys (DemoForge, LLC)
DRV - (FET5X86V [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys (VIA Technologies, Inc. )
DRV - (FETNDIS [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\fetnd5.sys (VIA Technologies, Inc. )
DRV - (GEARAspiWDM [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (HdAudAddService [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\viahduaa.sys (VIA Technologies, Inc.)
DRV - (HDAudBus [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys (Windows ® Server 2003 DDK provider)
DRV - (IKFileSec [Boot | Running]) -- C:\WINDOWS\system32\drivers\ikfilesec.sys (PCTools Research Pty Ltd.)
DRV - (IKSysFlt [System | Running]) -- C:\WINDOWS\system32\drivers\iksysflt.sys (PCTools Research Pty Ltd.)
DRV - (IKSysSec [System | Running]) -- C:\WINDOWS\system32\drivers\iksyssec.sys (PCTools Research Pty Ltd.)
DRV - (mfeavfk [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfebopk [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (mfehidk [System | Running]) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mferkdk [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\mferkdk.sys (McAfee, Inc.)
DRV - (mfesmfk [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\mfesmfk.sys (McAfee, Inc.)
DRV - (MPFP [System | Running]) -- C:\WINDOWS\System32\Drivers\Mpfp.sys (McAfee, Inc.)
DRV - (NAVENG [On_Demand | Running]) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090417.007\NAVENG.SYS (Symantec Corporation)
DRV - (NAVEX15 [On_Demand | Running]) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090417.007\NAVEX15.SYS (Symantec Corporation)
DRV - (PQNTDrv [System | Running]) -- C:\WINDOWS\System32\drivers\PQNTDRV.sys (PowerQuest Corporation)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (PxHelp20 [Boot | Running]) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (RT73 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\rt73.sys (Ralink Technology, Corp.)
DRV - (S3GIGP [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys (S3 Graphics Co., Ltd.)
DRV - (SASDIFSV [System | Running]) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASENUM [On_Demand | Running]) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASKUTIL [System | Running]) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SAVRT [System | Running]) -- C:\Program Files\Symantec AntiVirus\savrt.sys (Symantec Corporation)
DRV - (SAVRTPEL [Auto | Running]) -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys (Symantec Corporation)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (SymEvent [On_Demand | Running]) -- C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Corporation)
DRV - (SYMREDRV [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS (Symantec Corporation)
DRV - (SYMTDI [System | Running]) -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS (Symantec Corporation)
DRV - (TVICHW32 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS (EnTech Taiwan)
DRV - (USBAAPL [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\usbaapl.sys (Apple, Inc.)
DRV - (usbaudio [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\usbaudio.sys (Microsoft Corporation)
DRV - (viamraid [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\viamraid.sys (VIA Technologies inc,.ltd)
DRV - (ViBus [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\ViBus.sys (VIA Technologies, Inc.)
DRV - (videX32 [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\videX32.sys (VIA Technologies, Inc.)
DRV - (ViPrt [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\ViPrt.sys (VIA Technologies, Inc.)
DRV - (VX1000 [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\VX1000.sys (Microsoft Corporation)
DRV - (wanusb [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\gwausb.sys (GlobespanVirata Inc.)
DRV - (WINIO [On_Demand | Stopped]) -- C:\WINDOWS\system32\winio.sys ()
DRV - (pgfilter [On_Demand | Running]) -- C:\Program Files\PeerGuardian2\pgfilter.sys ()

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..extensions.enabledItems: [email protected]:0.8.1
FF - prefs.js..extensions.enabledItems: {3d7eb24f-2740-49df-8937-200b1cc08f8a}:1.5.10
FF - prefs.js..extensions.enabledItems: [email protected]:2.8.14
FF - prefs.js..extensions.enabledItems: {000a9d1c-beef-4f90-9363-039d445309b8}:0.5.4.2
FF - prefs.js..extensions.enabledItems: {3112ca9c-de6d-4884-a869-9855de68056c}:5.0.20090324W
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}:6.0.07
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}:6.0.11
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:2.9
FF - prefs.js..extensions.enabledItems: [email protected]:3.1.1C
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.8


FF - HKLM\software\mozilla\Firefox\extensions\\{000a9d1c-beef-4f90-9363-039d445309b8}: C:\PROGRAM FILES\GOOGLE\GOOGLE GEARS\FIREFOX\ [2009/03/04 12:48:46 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\[email protected]: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2008/12/13 12:00:14 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\PROGRAM FILES\MCAFEE\SITEADVISOR [2009/04/14 21:23:09 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.8\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/04/12 23:38:17 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.8\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/04/12 16:34:39 | 00,000,000 | ---D | M]

[2008/09/30 16:11:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Extensions
[2008/09/30 16:11:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/04/16 23:08:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\8xq2r8x4.default\extensions
[2009/04/13 14:16:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\8xq2r8x4.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2009/04/13 22:07:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\8xq2r8x4.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
[2008/09/05 13:12:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\8xq2r8x4.default\extensions\{a50b11b9-8495-450d-a90a-0b6be34abe9e}
[2009/04/13 14:11:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\8xq2r8x4.default\extensions\{DCBD1271-D228-4082-9FBC-36D9B7660B03}
[2009/04/06 20:47:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\8xq2r8x4.default\extensions\[email protected]
[2009/04/06 20:47:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\8xq2r8x4.default\extensions\[email protected]
[2009/04/13 22:07:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\8xq2r8x4.default\extensions\staged-xpis
[2008/09/06 01:41:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\8xq2r8x4.default\extensions\[email protected]
[2009/04/16 12:44:52 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2008/04/07 10:55:12 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2009/04/12 16:34:39 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2008/10/02 11:46:40 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
[2008/12/13 12:00:25 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
[2009/04/06 11:41:59 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2008/04/07 10:55:13 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\[email protected]
[2009/03/26 13:11:21 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/03/26 13:11:22 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/03/26 12:56:22 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/03/26 12:56:22 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/03/26 12:56:22 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/03/26 12:56:22 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/03/26 12:56:22 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/03/26 12:56:22 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/03/26 12:56:22 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - Reg Error: Key error. File not found
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (McAfee Phishing Filter) - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\Program Files\McAfee\MSK\mcapbho.dll ()
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Gears Helper) - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll (Google Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" (Symantec Corporation)
O4 - HKLM..\Run: [DSLAGENTEXE] dslagent.exe USB ()
O4 - HKLM..\Run: [GSICONEXE] gsicon.exe (GlobespanVirata, Inc.)
O4 - HKLM..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe" (PC Tools)
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
O4 - HKLM..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe (McAfee)
O4 - HKLM..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe (McAfee)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey (McAfee, Inc.)
O4 - HKLM..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide (McAfee, Inc.)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [S3Trayp] S3trayp.exe (S3 Graphics Co., Ltd.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe (Symantec Corporation)
O4 - HKLM..\Run: [VTTimer] VTTimer.exe (S3 Graphics, Inc.)
O4 - HKLM..\Run: [VX1000] C:\WINDOWS\vVX1000.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Babylon Translator] C:\Program Files\Babylon\Babylon.exe (Babylon Ltd.)
O4 - HKCU..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (Google Inc.)
O4 - HKCU..\Run: [ISUSPM] "C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\isuspm.exe" -scheduler (Macrovision Corporation)
O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation)
O4 - HKCU..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe (Methlabs)
O4 - HKCU..\Run: [Red Swoosh] C:\Program Files\RSSoft\RedSwoosh.exe /S ()
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\5eae7d80-f310-4e5d-9692-6088d97adf62.exe (SUPERAntiSpyware.com)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent (Malwarebytes Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll (Google Inc.)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: google.com ([www] https in Trusted sites)
O15 - HKCU\..Trusted Sites: ordernet.co.il ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: winwin.co.il ([www] http in Trusted sites)
O15 - HKCU\..Trusted Domains: 2 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebo...toUploader5.cab (Facebook Photo Uploader 5)
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} http://download.micr...20/pmupd806.exe (MSN Money Charting)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1200748464734 (WUWebControl Class)
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} http://das.microsoft...tail/DASAct.cab (DASWebDownload Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} http://www.adobe.com...obat/nos/gp.cab (get_atlcom Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} http://driveragent.c...driveragent.cab (Driver Agent ActiveX Control)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: System - (C:\WINDOWS\system32\svcnost.exe) - C:\WINDOWS\system32\svcnost.exe File not found
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - Autorun File - C:\AUTOEXEC.BAT () - [ NTFS ]
O32 - Autorun File - D:\AUTORUN.INF () - [ NTFS ]
O33 - MountPoints2\{be14185f-c858-11dc-82b0-001bb9d24e1f}\Shell - "" = AutoRun
O33 - MountPoints2\{be14185f-c858-11dc-82b0-001bb9d24e1f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{be14185f-c858-11dc-82b0-001bb9d24e1f}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\{be141860-c858-11dc-82b0-001bb9d24e1f}\Shell - "" = AutoRun
O33 - MountPoints2\{be141860-c858-11dc-82b0-001bb9d24e1f}\Shell\Auto\command - "" = Cn911.exe
O33 - MountPoints2\{be141860-c858-11dc-82b0-001bb9d24e1f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{e57a5cc2-c6c9-11dc-97c0-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{e57a5cc2-c6c9-11dc-97c0-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{e57a5cc2-c6c9-11dc-97c0-806d6172696f}\Shell\AutoRun\command - "" = D:\Setup.EXE -- [2008/11/30 20:35:00 | 03,507,843 | ---- | M] ()
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[2009/04/20 21:45:23 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\DOCUME~1\ADMINI~1\Desktop\OTListIt2.exe
[2009/04/20 21:43:43 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009/04/20 21:43:23 | 00,267,612 | ---- | C] () -- C:\DOCUME~1\ADMINI~1\Desktop\Rooter.exe
[2009/04/20 21:42:41 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/20 21:42:41 | 00,000,696 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/20 21:42:39 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/20 21:42:38 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/04/20 21:42:38 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/04/20 21:30:00 | 00,000,000 | ---D | C] -- C:\DOCUME~1\ADMINI~1\Desktop\GooredFixBackups
[2009/04/20 21:25:59 | 00,094,208 | ---- | C] () -- C:\DOCUME~1\ADMINI~1\Desktop\GooredFix.exe
[2009/04/20 21:25:59 | 00,000,000 | ---D | C] -- C:\DOCUME~1\ADMINI~1\Desktop\Yuval
[2009/04/19 22:15:29 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/04/19 22:04:39 | 00,110,584 | ---- | C] () -- D:\ISO1_DVD.nri
[2009/04/19 16:00:22 | 00,000,000 | ---D | C] -- C:\DOCUME~1\ALLUSE~1\Documents\Gibuy
[2009/04/18 20:39:44 | 00,014,848 | -HS- | C] () -- D:\Thumbs.db
[2009/04/18 00:40:09 | 00,485,898 | ---- | C] () -- C:\DOCUME~1\ADMINI~1\Desktop\Malware and Spyware Cleaning Guide.mht
[2009/04/17 23:04:01 | 02,967,800 | ---- | C] (Malwarebytes Corporation ) -- C:\DOCUME~1\ADMINI~1\Desktop\gtrs.exe
[2009/04/17 22:44:55 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/04/17 22:43:09 | 00,000,611 | ---- | C] () -- C:\DOCUME~1\ADMINI~1\Desktop\NTREGOPT.lnk
[2009/04/17 22:43:09 | 00,000,592 | ---- | C] () -- C:\DOCUME~1\ADMINI~1\Desktop\ERUNT.lnk
[2009/04/17 22:43:09 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/04/17 22:41:18 | 00,791,393 | ---- | C] (Lars Hederer ) -- C:\DOCUME~1\ADMINI~1\Desktop\erunt_setup.exe
[2009/04/17 22:39:23 | 00,021,504 | ---- | C] (Doug Knox) -- C:\DOCUME~1\ADMINI~1\Desktop\SysRestorePoint.exe
[2009/04/17 21:06:08 | 00,000,067 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/04/17 10:07:05 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcss.dll
[2009/04/17 10:07:05 | 00,284,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll
[2009/04/17 10:07:04 | 00,729,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2009/04/17 10:07:04 | 00,714,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntdll.dll
[2009/04/17 10:07:04 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advapi32.dll
[2009/04/17 10:07:04 | 00,473,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll
[2009/04/17 10:07:04 | 00,453,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll
[2009/04/17 10:07:04 | 00,227,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe
[2009/04/17 10:07:04 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\services.exe
[2009/04/17 10:05:41 | 00,002,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp4res.dll
[2009/04/17 10:05:39 | 01,203,922 | ---- | C] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/04/17 10:05:38 | 00,215,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe
[2009/04/16 00:47:45 | 00,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2009/04/14 10:29:06 | 00,001,734 | ---- | C] () -- C:\DOCUME~1\ADMINI~1\Desktop\HijackThis.lnk
[2009/04/14 10:29:06 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/04/14 10:28:51 | 00,812,344 | ---- | C] (Trend Micro Inc.) -- C:\DOCUME~1\ADMINI~1\Desktop\HJTInstall.exe
[2009/04/14 00:37:36 | 00,000,260 | ---- | C] () -- C:\WINDOWS\tasks\WGASetup.job
[2009/04/14 00:37:36 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\KB905474
[2009/04/13 21:18:06 | 00,010,905 | ---- | C] () -- C:\WINDOWS\System32\Config.MPF
[2009/04/13 21:17:54 | 00,000,666 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\McAfee EasyNetwork.lnk
[2009/04/13 21:17:53 | 00,000,671 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\McAfee Security Center.lnk
[2009/04/13 21:17:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
[2009/04/13 21:16:40 | 00,143,360 | ---- | C] (Inner Media, Inc.) -- C:\WINDOWS\System32\dunzip32.dll
[2009/04/13 21:14:58 | 00,033,832 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdk.sys
[2009/04/13 21:14:56 | 00,201,320 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfehidk.sys
[2009/04/13 21:14:56 | 00,079,304 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys
[2009/04/13 21:14:56 | 00,040,488 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfesmfk.sys
[2009/04/13 21:14:56 | 00,035,240 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys
[2009/04/13 21:14:53 | 00,113,952 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\Mpfp.sys
[2009/04/13 21:14:42 | 00,000,356 | ---- | C] () -- C:\WINDOWS\tasks\McDefragTask.job
[2009/04/13 21:14:41 | 00,000,348 | ---- | C] () -- C:\WINDOWS\tasks\McQcTask.job
[2009/04/13 21:14:30 | 00,000,000 | ---D | C] -- C:\Program Files\McAfee.com
[2009/04/13 21:14:19 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\McAfee
[2009/04/13 21:14:12 | 00,000,000 | ---D | C] -- C:\Program Files\McAfee
[2009/04/13 21:11:22 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2009/04/13 21:03:28 | 00,000,666 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\gBurner.lnk
[2009/04/13 21:03:12 | 00,000,000 | ---D | C] -- C:\Program Files\gBurner
[2009/04/13 21:02:51 | 01,453,991 | ---- | C] () -- C:\DOCUME~1\ADMINI~1\Desktop\gburner25.exe
[2009/04/13 20:49:07 | 00,001,486 | ---- | C] () -- C:\DOCUME~1\ADMINI~1\Desktop\MagicISO.lnk
[2009/04/13 20:49:06 | 00,000,000 | ---D | C] -- C:\Program Files\MagicISO
[2009/04/13 20:48:26 | 03,067,375 | ---- | C] () -- C:\DOCUME~1\ADMINI~1\Desktop\Setup_MagicISO.exe
[2009/04/13 16:05:05 | 00,018,432 | ---- | C] () -- D:\Timetable.xls
[2009/04/13 14:21:30 | 17,673,936 | ---- | C] (eAcceleration Corp ) -- C:\DOCUME~1\ADMINI~1\Desktop\stop-sign_install.exe
[2009/04/13 00:51:47 | 00,000,394 | ---- | C] () -- C:\WINDOWS\System32\BDUpdateV1.xml
[2009/04/12 23:49:38 | 00,081,984 | ---- | C] () -- C:\WINDOWS\System32\bdod.bin
[2009/04/12 23:40:40 | 00,000,280 | ---- | C] () -- C:\WINDOWS\tasks\Uniblue SpyEraser Nag.job
[2009/04/12 23:37:56 | 00,000,850 | ---- | C] () -- C:\WINDOWS\System32\ProductTweaks.xml
[2009/04/12 23:37:55 | 00,000,385 | ---- | C] () -- C:\WINDOWS\System32\user_gensett.xml
[2009/04/12 23:29:09 | 00,000,354 | ---- | C] () -- C:\WINDOWS\tasks\Uniblue SpyEraser.job
[2009/04/12 23:28:20 | 00,000,000 | ---D | C] -- C:\Program Files\BitDefender
[2009/04/12 23:14:21 | 00,156,496 | ---- | C] (Microsoft Corporation) -- D:\bitdefender_antivirus.exe
[2009/04/12 22:30:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/04/12 20:36:36 | 00,000,780 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/04/12 20:36:34 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/04/12 20:36:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
[2009/04/12 20:36:08 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2009/04/12 20:31:20 | 06,237,728 | ---- | C] () -- D:\SUPERAntiSpyware-1.exe
[2009/04/12 20:29:13 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2009/04/12 20:29:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/04/12 20:27:22 | 16,409,960 | ---- | C] (Safer Networking Limited ) -- D:\spybotsd162.exe
[2009/04/12 20:18:49 | 06,237,728 | ---- | C] () -- D:\SUPERAntiSpyware.exe
[2009/04/12 19:33:23 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Uniblue
[2009/04/12 19:33:22 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Uniblue
[2009/04/12 19:04:30 | 00,000,000 | ---D | C] -- C:\Program Files\Uniblue
[2009/04/10 17:58:38 | 00,087,380 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/04/09 21:22:05 | 29,972,167 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Documents\International Economics Krugman.pdf
[2009/04/09 13:14:33 | 00,020,648 | ---- | C] (Softland) -- C:\WINDOWS\System32\dopdfmn6.dll
[2009/04/09 13:14:33 | 00,018,088 | ---- | C] (Softland) -- C:\WINDOWS\System32\dopdfmi6.dll
[2009/04/09 13:14:33 | 00,007,533 | ---- | C] () -- C:\WINDOWS\System32\dopdf6.ctm
[2009/04/09 13:14:25 | 00,000,000 | ---D | C] -- C:\Program Files\Softland
[2009/04/09 13:07:49 | 01,723,032 | ---- | C] (Softland ) -- D:\dopdf.exe
[2009/04/07 21:13:21 | 00,028,672 | ---- | C] () -- C:\DOCUME~1\ADMINI~1\Desktop\Way to Medix.doc
[2009/04/02 22:23:39 | 00,012,918 | ---- | C] () -- C:\DOCUME~1\ADMINI~1\Desktop\USCCWQ737020.doc
[2009/03/26 22:08:21 | 00,001,804 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\iTunes.lnk
[2009/03/26 22:07:21 | 00,000,000 | ---D | C] -- C:\Program Files\iPod
[2009/03/26 22:07:08 | 00,000,000 | ---D | C] -- C:\Program Files\iTunes
[2009/03/26 22:07:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[2009/03/26 21:46:29 | 00,002,187 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Safari.lnk
[2009/03/26 21:46:08 | 00,000,000 | ---D | C] -- C:\Program Files\Safari
[2009/03/26 21:43:00 | 00,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2009/03/25 22:57:44 | 00,056,832 | ---- | C] () -- C:\DOCUME~1\ADMINI~1\Desktop\FUN.doc
[2009/03/25 00:40:23 | 00,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2009/03/24 16:07:25 | 00,025,600 | ---- | C] () -- C:\DOCUME~1\ADMINI~1\Desktop\Childcare spreadsheet.xls
[2009/03/24 15:54:06 | 00,178,662 | ---- | C] () -- C:\DOCUME~1\ADMINI~1\Desktop\photo.jpg
[2009/03/22 01:08:35 | 00,342,957 | ---- | C] () -- D:\mozactivex-ff-15.xpi
[2008/11/30 20:35:16 | 00,001,392 | ---- | C] () -- C:\WINDOWS\ydownloaderlibpr.ini
[2008/11/06 21:24:06 | 00,000,065 | ---- | C] () -- C:\WINDOWS\minitab.ini
[2008/10/09 16:31:54 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\txmlutil.dll
[2008/09/19 15:55:10 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2008/09/19 15:55:10 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2008/09/19 15:54:18 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2008/09/11 13:31:33 | 00,026,624 | ---- | C] () -- C:\WINDOWS\GetIe.dll
[2008/08/22 15:18:33 | 00,094,208 | ---- | C] () -- C:\WINDOWS\System32\GTW32N50.dll
[2008/08/22 15:17:53 | 00,001,361 | ---- | C] () -- C:\WINDOWS\System32\WLAN.INI
[2008/07/23 10:50:52 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/05/23 15:03:23 | 00,000,071 | ---- | C] () -- C:\WINDOWS\sqplus.ini
[2008/05/16 14:15:50 | 00,015,498 | ---- | C] () -- C:\WINDOWS\VX1000.ini
[2008/02/09 17:48:46 | 00,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/02/05 16:00:02 | 00,000,419 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2008/02/05 16:00:02 | 00,000,027 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2008/02/05 15:56:43 | 00,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll
[2008/02/05 15:53:39 | 00,027,019 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2008/02/05 15:36:19 | 00,037,376 | ---- | C] () -- C:\WINDOWS\System32\CoInst.dll
[2008/02/05 15:36:17 | 00,016,653 | ---- | C] () -- C:\WINDOWS\wwdslcfg.ini
[2008/01/20 13:39:06 | 00,041,324 | ---- | C] () -- C:\WINDOWS\System32\winio.sys
[2008/01/20 13:39:01 | 00,000,156 | ---- | C] () -- C:\WINDOWS\matlab.ini
[2008/01/20 13:20:03 | 00,000,520 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/01/20 12:56:56 | 00,761,856 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2008/01/20 12:56:54 | 00,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008/01/19 08:27:42 | 00,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2006/10/27 00:26:56 | 00,069,632 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2004/08/04 06:00:00 | 00,000,624 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/04 06:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2003/01/07 07:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/03/04 02:16:34 | 00,110,592 | R--- | C] () -- C:\WINDOWS\System32\Jpeg32.dll

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[2009/04/20 21:42:41 | 00,000,696 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/20 21:19:36 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\DOCUME~1\ADMINI~1\Desktop\OTListIt2.exe
[2009/04/20 21:18:44 | 00,267,612 | ---- | M] () -- C:\DOCUME~1\ADMINI~1\Desktop\Rooter.exe
[2009/04/20 21:15:14 | 00,094,208 | ---- | M] () -- C:\DOCUME~1\ADMINI~1\Desktop\GooredFix.exe
[2009/04/20 20:49:01 | 00,000,958 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-839522115-725345543-500.job
[2009/04/20 20:49:01 | 00,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachine.job
[2009/04/20 14:27:55 | 00,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2009/04/20 14:27:42 | 00,001,316 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/04/20 14:27:18 | 00,001,316 | ---- | M] () -- C:\WINDOWS\System32\wpa.bak
[2009/04/20 14:17:20 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/04/20 14:17:19 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/04/20 14:13:36 | 00,010,905 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2009/04/19 22:04:39 | 00,110,584 | ---- | M] () -- D:\ISO1_DVD.nri
[2009/04/18 20:39:45 | 00,014,848 | -HS- | M] () -- D:\Thumbs.db
[2009/04/18 10:21:38 | 00,588,016 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/18 10:21:38 | 00,488,028 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/18 10:21:38 | 00,089,028 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/18 03:03:28 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/04/18 03:01:54 | 00,000,624 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/04/18 00:40:19 | 00,485,898 | ---- | M] () -- C:\DOCUME~1\ADMINI~1\Desktop\Malware and Spyware Cleaning Guide.mht
[2009/04/17 23:04:10 | 02,967,800 | ---- | M] (Malwarebytes Corporation ) -- C:\DOCUME~1\ADMINI~1\Desktop\gtrs.exe
[2009/04/17 22:43:09 | 00,000,611 | ---- | M] () -- C:\DOCUME~1\ADMINI~1\Desktop\NTREGOPT.lnk
[2009/04/17 22:43:09 | 00,000,592 | ---- | M] () -- C:\DOCUME~1\ADMINI~1\Desktop\ERUNT.lnk
[2009/04/17 22:41:20 | 00,791,393 | ---- | M] (Lars Hederer ) -- C:\DOCUME~1\ADMINI~1\Desktop\erunt_setup.exe
[2009/04/17 22:39:23 | 00,021,504 | ---- | M] (Doug Knox) -- C:\DOCUME~1\ADMINI~1\Desktop\SysRestorePoint.exe
[2009/04/17 21:06:08 | 00,000,067 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2009/04/16 14:25:14 | 00,002,261 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Skype.lnk
[2009/04/16 00:47:45 | 00,000,136 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2009/04/14 16:25:03 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/04/14 10:29:06 | 00,001,734 | ---- | M] () -- C:\DOCUME~1\ADMINI~1\Desktop\HijackThis.lnk
[2009/04/14 10:28:53 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- C:\DOCUME~1\ADMINI~1\Desktop\HJTInstall.exe
[2009/04/13 21:17:54 | 00,000,666 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\McAfee EasyNetwork.lnk
[2009/04/13 21:17:53 | 00,000,671 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\McAfee Security Center.lnk
[2009/04/13 21:14:42 | 00,000,356 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
[2009/04/13 21:14:41 | 00,000,348 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
[2009/04/13 21:03:28 | 00,000,666 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\gBurner.lnk
[2009/04/13 21:02:52 | 01,453,991 | ---- | M] () -- C:\DOCUME~1\ADMINI~1\Desktop\gburner25.exe
[2009/04/13 20:49:07 | 00,001,486 | ---- | M] () -- C:\DOCUME~1\ADMINI~1\Desktop\MagicISO.lnk
[2009/04/13 20:48:26 | 03,067,375 | ---- | M] () -- C:\DOCUME~1\ADMINI~1\Desktop\Setup_MagicISO.exe
[2009/04/13 16:23:42 | 00,018,432 | ---- | M] () -- D:\Timetable.xls
[2009/04/13 14:22:28 | 17,673,936 | ---- | M] (eAcceleration Corp ) -- C:\DOCUME~1\ADMINI~1\Desktop\stop-sign_install.exe
[2009/04/13 01:01:21 | 00,081,984 | ---- | M] () -- C:\WINDOWS\System32\bdod.bin
[2009/04/13 00:57:41 | 00,000,394 | ---- | M] () -- C:\WINDOWS\System32\BDUpdateV1.xml
[2009/04/12 23:40:42 | 00,000,280 | ---- | M] () -- C:\WINDOWS\tasks\Uniblue SpyEraser Nag.job
[2009/04/12 23:37:56 | 00,000,850 | ---- | M] () -- C:\WINDOWS\System32\ProductTweaks.xml
[2009/04/12 23:37:55 | 00,000,385 | ---- | M] () -- C:\WINDOWS\System32\user_gensett.xml
[2009/04/12 23:29:09 | 00,000,354 | ---- | M] () -- C:\WINDOWS\tasks\Uniblue SpyEraser.job
[2009/04/12 23:14:22 | 00,156,496 | ---- | M] (Microsoft Corporation) -- D:\bitdefender_antivirus.exe
[2009/04/12 20:36:36 | 00,000,780 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/04/12 20:31:33 | 06,237,728 | ---- | M] () -- D:\SUPERAntiSpyware-1.exe
[2009/04/12 20:27:22 | 16,409,960 | ---- | M] (Safer Networking Limited ) -- D:\spybotsd162.exe
[2009/04/12 20:18:59 | 06,237,728 | ---- | M] () -- D:\SUPERAntiSpyware.exe
[2009/04/12 18:25:48 | 00,002,187 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Safari.lnk
[2009/04/10 17:58:38 | 00,087,380 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/04/10 14:54:29 | 00,342,957 | ---- | M] () -- D:\mozactivex-ff-15.xpi
[2009/04/09 20:27:17 | 00,141,824 | -HS- | M] () -- C:\DOCUME~1\ALLUSE~1\Documents\Thumbs.db
[2009/04/09 14:58:57 | 00,105,984 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/04/09 14:57:57 | 00,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/04/09 13:07:50 | 01,723,032 | ---- | M] (Softland ) -- D:\dopdf.exe
[2009/04/07 21:13:21 | 00,028,672 | ---- | M] () -- C:\DOCUME~1\ADMINI~1\Desktop\Way to Medix.doc
[2009/04/06 15:32:54 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/06 15:32:46 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/06 08:57:24 | 24,921,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/04/05 23:50:15 | 29,972,167 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Documents\International Economics Krugman.pdf
[2009/04/02 22:23:40 | 00,012,918 | ---- | M] () -- C:\DOCUME~1\ADMINI~1\Desktop\USCCWQ737020.doc
[2009/03/27 00:58:38 | 01,203,922 | ---- | M] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/03/26 22:08:21 | 00,001,804 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\iTunes.lnk
[2009/03/25 22:57:44 | 00,056,832 | ---- | M] () -- C:\DOCUME~1\ADMINI~1\Desktop\FUN.doc
[2009/03/24 16:07:26 | 00,025,600 | ---- | M] () -- C:\DOCUME~1\ADMINI~1\Desktop\Childcare spreadsheet.xls
[2009/03/24 15:54:06 | 00,178,662 | ---- | M] () -- C:\DOCUME~1\ADMINI~1\Desktop\photo.jpg

========== Alternate Data Streams ==========

@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >

Best Regards,
sufhi
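One way to triage a file listing in the format above, as an added example that is not part of the original post or of the OTListIt/OTL tool: a small Python parser for the `[date | size | RHSD | C/M] (Company) -- path` lines and the `@Alternate Data Stream` line, with three heuristics a responder would apply before asking for a fix. The line layout is inferred from the log above; the thresholds (16 letters, vowel ratio 0.15), the short allowlist of hidden Windows files, and the `gxvxc…` sample line (a constructed timestamp and size wrapped around the driver path that ComboFix reports deleting later in this thread) are assumptions. One caveat the code comments repeat: the parenthesised company string comes from the file's version resource, so an empty field means "no version info", not "unsigned"; confirm with a hash or Authenticode check before acting on it.

```python
"""Triage helper for OTListIt / OTL "Files Created/Modified" listings (added example).

Each file line has the shape
  [YYYY/MM/DD HH:MM:SS | size | RHSD | C|M] (Company) -- path
where the four attribute characters are Read-only, Hidden, System and Directory,
C/M marks the Created or Modified section, and the company string is taken from
the file's version resource (it is NOT a signature check).
"""
import re
from dataclasses import dataclass
from datetime import datetime

LINE_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2}) (\d{2}:\d{2}:\d{2}) \| ([\d,]+) \| ([-A-Z]{4}) \| ([CM])\]"
    r"(?: \(([^)]*)\))? -- (.+)$"
)
ADS_RE = re.compile(r"^@Alternate Data Stream - (\d+) bytes -> (.+?):([^:\\]+)$")

# Hidden/system files that are normal on a Windows XP box (assumed allowlist, not exhaustive)
BENIGN_HIDDEN = {"thumbs.db", "desktop.ini", "bootstat.dat", "sa.dat"}
BINARY_EXT = (".sys", ".dll", ".exe")

# Sample input: the first six lines are copied from the log above; the gxvxc line is
# constructed (made-up timestamp and size) around a driver path ComboFix later removed.
SAMPLE_LOG = r"""
[2009/04/13 21:14:56 | 00,040,488 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfesmfk.sys
[2009/04/13 21:14:30 | 00,000,000 | ---D | C] -- C:\Program Files\McAfee.com
[2009/04/10 17:58:38 | 00,087,380 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2008/01/20 13:39:06 | 00,041,324 | ---- | C] () -- C:\WINDOWS\System32\winio.sys
[2009/04/18 20:39:45 | 00,014,848 | -HS- | M] () -- D:\Thumbs.db
[2009/04/20 14:17:19 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/04/11 03:12:44 | 00,042,496 | ---- | C] () -- C:\WINDOWS\system32\drivers\gxvxcarmkmsrntjixjcrnsnpymmqwrumbdctn.sys
@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
"""


@dataclass
class Entry:
    when: datetime
    size: int
    readonly: bool
    hidden: bool
    system: bool
    is_dir: bool
    section: str   # "C" = created section, "M" = modified section
    company: str   # "" when the version resource names no company
    path: str


def parse_line(line: str):
    """Return an Entry for a file/directory line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    date, time, size, attrs, section, company, path = m.groups()
    return Entry(
        when=datetime.strptime(f"{date} {time}", "%Y/%m/%d %H:%M:%S"),
        size=int(size.replace(",", "")),
        readonly=attrs[0] == "R",
        hidden=attrs[1] == "H",
        system=attrs[2] == "S",
        is_dir=attrs[3] == "D",
        section=section,
        company=(company or "").strip(),
        path=path.strip(),
    )


def looks_random(stem: str, min_len: int = 16, max_vowel_ratio: float = 0.15) -> bool:
    """Heuristic for machine-generated names: long, letters only, almost no vowels (assumed thresholds)."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < min_len or len(letters) != len(stem):
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < max_vowel_ratio


def triage(text: str) -> list[tuple[str, str]]:
    """Run the triage rules over a log excerpt; returns (path, reason) pairs in log order."""
    findings = []
    for raw in text.splitlines():
        ads = ADS_RE.match(raw.strip())
        if ads:
            nbytes, path, stream = ads.groups()
            if stream.lower() != "zone.identifier":  # the browser download marker is expected
                findings.append((f"{path}:{stream}", f"alternate data stream of {nbytes} bytes"))
            continue
        e = parse_line(raw)
        if e is None or e.is_dir:
            continue
        lower = e.path.lower()
        name = lower.rsplit("\\", 1)[-1]
        stem, dot, ext = name.rpartition(".")
        if not dot:
            stem, ext = name, ""
        # Rule 1: executable code under System32 with no company in its version info.
        # Empty company != unsigned; it only means "verify with a hash or Authenticode check".
        if "\\windows\\system32\\" in lower and ("." + ext) in BINARY_EXT and not e.company:
            findings.append((e.path, "binary under System32 with no company in version info"))
        # Rule 2: random-looking base name, typical of rootkit droppers.
        if looks_random(stem):
            findings.append((e.path, "random-looking file name"))
        # Rule 3: hidden/system attribute on something that is not a known Windows file.
        if (e.hidden or e.system) and name not in BENIGN_HIDDEN:
            findings.append((e.path, "hidden/system attribute set"))
    return findings


if __name__ == "__main__":
    for path, why in triage(SAMPLE_LOG):
        print(f"{why:55s} {path}")
```

Run against the sample, the rules flag `mlfcache.dat` (hidden), `winio.sys` (no company string), the `gxvxc…sys` driver twice (no company string, random name) and the `TEMP:DFC5A2B2` stream, and leave the McAfee driver, `Thumbs.db` and `bootstat.dat` alone. The output is a review queue, not a verdict: several of the no-company hits in the log above (codec and printer DLLs) are legitimate, which is exactly why the rule says "verify" rather than "delete".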

#4 Extremeboy (Malware Removal Staff, Retired Staff, 824 posts)
Hello.

We will run Combofix. Please read the instructions on running it.

Download and Run ComboFix (Rename Before Saving)

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

Refer to the page below for further instructions on running ComboFix. This includes installing the Recovery Console. Note that you do not need your Windows XP disk to install it. Refer to this page if you are unsure how.

Double-click on Combo-Fix.exe and follow the prompts.

When finished, it will open a report for you. Post back with it; it is at C:\ComboFix.txt.

Do not mouse-click the ComboFix window while it's running. That may cause it to stall.

With Regards,
Extremeboy

#5 sufhi (Topic Starter, New Member, 8 posts)
Hi EB,

O.K. I ran ComboFix and it deleted several files. It also rebooted. Nevertheless, it did not ask me to install the Recovery Console, so I guessed it was OK and continued. In the log file it said that I don't have a Recovery Console; I hope that is fine.
Enclosed is the Combofix log file:

Thanks again,
sufhi

ComboFix 09-04-22.02 - Administrator 04/21/2009 17:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.894.416 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\bits.dll
c:\windows\Downloaded Program Files\Temp
c:\windows\IE4 Error Log.txt
c:\windows\system32\drivers\gxvxcarmkmsrntjixjcrnsnpymmqwrumbdctn.sys
c:\windows\system32\gxvxccounter
c:\windows\system32\gxvxclvipjnkltfaadbqlrvkjtmxcmdtmladd.dll
D:\Autorun.inf
D:\install.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-03-22 to 2009-04-22 )))))))))))))))))))))))))))))))
.

2009-04-21 03:43 . 2009-04-21 03:44 -------- d-----w C:\Rooter$
2009-04-21 03:42 . 2009-04-06 21:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-21 03:42 . 2009-04-06 21:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-21 03:42 . 2009-04-21 03:42 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-18 03:06 . 2009-04-18 03:06 67 ----a-w c:\windows\wininit.ini
2009-04-17 16:07 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-17 16:07 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 16:07 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 16:07 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-17 16:07 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 16:07 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 16:07 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 16:07 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-17 16:07 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 16:05 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-17 16:05 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-17 16:05 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-16 06:47 . 2009-04-16 06:47 136 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2009-04-15 03:19 . 2009-04-15 03:19 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\SACore
2009-04-15 03:19 . 2009-04-15 03:19 -------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-04-14 06:37 . 2009-04-14 06:37 -------- d-----w c:\windows\system32\KB905474
2009-04-14 06:37 . 2009-03-11 04:26 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-04-14 06:37 . 2009-03-11 04:18 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe
2009-04-14 06:37 . 2009-02-10 00:51 12490 ----a-w c:\windows\system32\KB905474\wga_eula.txt
2009-04-14 03:18 . 2009-04-21 23:47 11069 ----a-w c:\windows\system32\Config.MPF
2009-04-14 03:17 . 2009-04-15 16:24 -------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-04-14 03:16 . 2006-03-03 14:07 143360 ----a-w c:\windows\system32\dunzip32.dll
2009-04-14 03:14 . 2007-11-22 12:44 33832 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-04-14 03:14 . 2007-12-02 18:51 40488 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-04-14 03:14 . 2007-11-22 12:44 79304 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-04-14 03:14 . 2007-11-22 12:44 35240 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-04-14 03:14 . 2007-11-22 12:44 201320 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-04-14 03:14 . 2007-07-13 12:20 113952 ----a-w c:\windows\system32\drivers\Mpfp.sys
2009-04-14 03:11 . 2009-04-16 06:47 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-04-13 06:51 . 2009-04-13 06:57 394 ----a-w c:\windows\system32\BDUpdateV1.xml
2009-04-13 05:49 . 2009-04-13 07:01 81984 ----a-w c:\windows\system32\bdod.bin
2009-04-13 05:37 . 2009-04-13 05:37 850 ----a-w c:\windows\system32\ProductTweaks.xml
2009-04-13 05:37 . 2009-04-13 05:37 385 ----a-w c:\windows\system32\user_gensett.xml
2009-04-13 04:30 . 2009-04-13 04:30 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-13 02:36 . 2009-04-13 02:36 -------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-04-13 02:29 . 2009-04-13 06:58 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-13 02:03 . 2009-04-18 04:58 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-04-13 01:33 . 2009-04-13 06:59 -------- d-----w c:\documents and settings\All Users\Application Data\Uniblue
2009-04-13 01:33 . 2009-04-13 06:59 -------- d-----w c:\documents and settings\Administrator\Application Data\Uniblue
2009-04-10 23:58 . 2009-04-10 23:58 87380 ---ha-w c:\windows\system32\mlfcache.dat
2009-04-09 19:14 . 2009-03-18 16:41 20648 ----a-w c:\windows\system32\dopdfmn6.dll
2009-04-09 19:14 . 2009-03-18 16:41 18088 ----a-w c:\windows\system32\dopdfmi6.dll
2009-04-09 19:14 . 2008-10-13 21:23 7533 ----a-w c:\windows\system32\dopdf6.ctm
2009-03-27 04:07 . 2009-03-27 04:07 -------- d-----w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-27 03:59 . 2009-03-06 05:59 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-25 06:40 . 2009-03-25 06:40 -------- d--h--w c:\windows\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-21 23:50 . 2008-01-19 18:58 -------- d-----w c:\program files\Symantec AntiVirus
2009-04-21 23:34 . 2008-04-07 16:57 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-21 23:26 . 2008-09-28 20:20 -------- d-----w c:\program files\PeerGuardian2
2009-04-21 21:04 . 2008-09-05 19:12 -------- d-----w c:\program files\RSSoft
2009-04-21 19:23 . 2008-05-13 10:50 -------- d-----w c:\documents and settings\Administrator\Application Data\Skype
2009-04-21 18:40 . 2008-05-13 10:52 -------- d-----w c:\documents and settings\Administrator\Application Data\skypePM
2009-04-21 16:52 . 2008-04-07 16:57 -------- d-----w c:\program files\Spyware Doctor
2009-04-21 16:29 . 2008-01-20 18:53 -------- d-----w c:\program files\Babylon
2009-04-21 03:44 . 2009-04-21 03:44 4494 ----a-w C:\Rooter.txt
2009-04-21 03:42 . 2009-04-21 03:42 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-18 04:43 . 2009-04-18 04:43 -------- d-----w c:\program files\ERUNT
2009-04-15 16:23 . 2009-04-14 03:14 -------- d-----w c:\program files\McAfee
2009-04-14 16:29 . 2009-04-14 16:29 -------- d-----w c:\program files\Trend Micro
2009-04-14 03:35 . 2008-01-19 13:05 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-14 03:14 . 2009-04-14 03:14 -------- d-----w c:\program files\Common Files\McAfee
2009-04-14 03:14 . 2009-04-14 03:14 -------- d-----w c:\program files\McAfee.com
2009-04-14 03:03 . 2009-04-14 03:03 -------- d-----w c:\program files\gBurner
2009-04-14 02:49 . 2009-04-14 02:49 -------- d-----w c:\program files\MagicISO
2009-04-13 22:25 . 2008-02-08 20:00 -------- d-----w c:\documents and settings\Administrator\Application Data\BitTorrent
2009-04-13 21:08 . 2008-01-19 13:05 -------- d-----w c:\program files\Symantec
2009-04-13 07:10 . 2009-04-13 05:28 -------- d-----w c:\program files\BitDefender
2009-04-13 07:10 . 2009-04-13 02:29 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-13 05:27 . 2008-02-22 19:48 -------- d-----w c:\documents and settings\Administrator\Application Data\Lavasoft
2009-04-13 04:30 . 2009-04-13 02:36 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-13 02:36 . 2009-04-13 02:36 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-13 01:33 . 2009-04-13 01:04 -------- d-----w c:\program files\Uniblue
2009-04-11 05:00 . 2008-01-19 17:45 -------- d-----w c:\program files\Google
2009-04-10 23:57 . 2009-03-27 03:46 -------- d-----w c:\program files\Safari
2009-04-10 23:52 . 2008-03-11 17:46 -------- d-----w c:\documents and settings\Administrator\Application Data\Apple Computer
2009-04-09 19:14 . 2009-04-09 19:14 -------- d-----w c:\program files\Softland
2009-04-06 17:41 . 2008-10-02 17:46 -------- d-----w c:\program files\Java
2009-03-27 04:07 . 2009-03-27 04:07 -------- d-----w c:\program files\iTunes
2009-03-27 04:07 . 2009-03-27 04:07 -------- d-----w c:\program files\iPod
2009-03-27 04:07 . 2009-01-23 17:25 -------- d-----w c:\program files\Common Files\Apple
2009-03-27 03:43 . 2009-03-27 03:43 -------- d-----w c:\program files\Bonjour
2009-03-20 18:38 . 2008-03-26 20:21 -------- d-----w c:\program files\Options Oracle
2009-03-18 06:40 . 2009-03-10 17:42 -------- d-----w c:\program files\Microsoft SQL Server
2009-03-11 00:47 . 2009-03-10 17:25 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-10 18:45 . 2008-01-19 13:10 113080 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-10 17:48 . 2009-03-10 17:48 -------- d-----w c:\program files\Business Objects
2009-03-10 17:46 . 2008-01-20 19:17 -------- d-----w c:\program files\Microsoft.NET
2009-03-10 17:42 . 2009-03-10 17:42 -------- d-----w c:\program files\Microsoft Device Emulator
2009-03-10 17:42 . 2009-03-10 17:41 -------- d-----w c:\program files\Windows Mobile 5.0 SDK R2
2009-03-10 17:40 . 2009-03-10 17:40 -------- d-----w c:\program files\Microsoft Synchronization Services
2009-03-10 17:40 . 2009-03-10 17:40 -------- d-----w c:\program files\Microsoft SQL Server Compact Edition
2009-03-10 17:34 . 2009-03-10 17:28 -------- d-----w c:\program files\Common Files\Merge Modules
2009-03-10 17:34 . 2009-03-10 17:34 -------- d-----w c:\documents and settings\All Users\Application Data\PreEmptive Solutions
2009-03-10 17:31 . 2009-03-10 17:28 -------- d-----w c:\program files\HTML Help Workshop
2009-03-10 17:30 . 2008-01-19 17:18 -------- d-----w c:\program files\MSBuild
2009-03-10 17:28 . 2009-03-10 17:28 -------- d-----w c:\program files\Microsoft SDKs
2009-03-10 17:28 . 2009-03-10 17:28 -------- d-----w c:\program files\CE Remote Tools
2009-03-10 17:27 . 2009-03-10 17:27 -------- d-----w c:\program files\Microsoft Web Designer Tools
2009-03-09 11:19 . 2008-12-13 18:00 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 05:59 . 2009-01-23 17:26 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-01 01:25 . 2008-11-27 03:51 -------- d-----w c:\documents and settings\Administrator\Application Data\CyberLink
2009-03-01 01:25 . 2008-11-27 03:51 -------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2009-02-24 19:37 . 2008-11-30 20:45 -------- d-----w c:\documents and settings\Administrator\Application Data\mIRC
2009-02-24 19:35 . 2008-11-30 20:45 -------- d-----w c:\program files\mIRC
2009-02-22 17:28 . 2008-05-16 20:34 115224 ----a-w C:\img2-001.raw
2009-02-22 04:50 . 2008-08-28 06:40 -------- d-----w c:\program files\Yahoo!
2009-02-22 04:50 . 2009-02-22 03:26 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-02-22 04:48 . 2008-05-15 14:55 -------- d-----w c:\program files\Creative
2009-02-22 04:48 . 2008-01-19 12:52 -------- d--h--w c:\program files\InstallShield Installation Information
2009-02-22 03:27 . 2009-02-22 03:27 -------- d-----w c:\documents and settings\Administrator\Application Data\Yahoo!
2009-02-20 18:09 . 2004-08-04 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-04 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-04 12:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2004-08-04 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2009-01-24 05:58 . 2008-01-20 21:26 4096 --sha-w C:\VSNAP.IDX
2008-08-09 18:24 . 2008-08-09 18:24 0 ----a-w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2008-02-13 21:46 . 2008-02-13 21:46 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLds.DAT
2008-01-19 20:08 . 2008-01-19 17:18 83160 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2007-12-21 20:12 . 2008-11-23 19:30 1719336 ----a-w c:\documents and settings\All Users\Application Data\YugmaSE-Uninstaller.exe
2008-10-01 17:03 . 2008-10-01 17:04 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100120081002\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Red Swoosh"="c:\program files\RSSoft\RedSwoosh.exe" [2007-02-27 62436]
"Babylon Translator"="c:\program files\Babylon\Babylon.exe" [2003-12-22 2379776]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-19 1421824]
"ISUSPM"="c:\documents and settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\isuspm.exe" [2007-03-29 222128]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-13 133104]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\5eae7d80-f310-4e5d-9692-6088d97adf62.exe" [2009-03-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 66680]
"VX1000"="c:\windows\vVX1000.exe" [2007-04-10 709992]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2007-11-30 1164576]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2007-06-15 4957736]
"MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-06-15 20480]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2006-09-21 53248]
"S3Trayp"="S3trayp.exe" - c:\windows\system32\S3Trayp.exe [2007-06-11 176128]
"GSICONEXE"="gsicon.exe" - c:\windows\system32\gsicon.exe [2003-01-08 90112]
"DSLAGENTEXE"="dslagent.exe" - c:\windows\system32\dslagent.exe [2003-06-03 16384]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 18:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^LaunchU3.exe.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\LaunchU3.exe.lnk
backup=c:\windows\pss\LaunchU3.exe.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=c:\windows\pss\NkbMonitor.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\IncredibleCharts\\IncredibleCharts.exe"=
"c:\\Documents and Settings\\Administrator\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 gupdate1c99cf9c8128dfe;Google Update Service (gupdate1c99cf9c8128dfe);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-04 133104]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2004-03-12 169192]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-02-01 747912]
S0 ViBus;ViBus;c:\windows\system32\DRIVERS\ViBus.sys [2007-03-26 16896]
S0 ViPrt;VIA SATA IDE Device Driver;c:\windows\system32\DRIVERS\ViPrt.sys [2007-03-26 52224]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]
S3 dfmirage;dfmirage;c:\windows\system32\DRIVERS\dfmirage.sys [2005-11-25 31896]
S3 S3GIGP;S3GIGP;c:\windows\system32\DRIVERS\S3gIGPm.sys [2007-07-11 714240]


--- Other Services/Drivers In Memory ---

*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - SQLBrowser
*Deregistered* - SQLWriter
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - Symantec AntiVirus
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WUSB54GCSVC
*Deregistered* - WZCSVC

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{be14185f-c858-11dc-82b0-001bb9d24e1f}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{be141860-c858-11dc-82b0-001bb9d24e1f}]
\Shell\Auto\command - Cn911.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e57a5cc2-c6c9-11dc-97c0-806d6172696f}]
\Shell\AutoRun\command - D:\Setup.EXE
.
Contents of the 'Scheduled Tasks' folder

2009-04-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-04-21 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-04 18:48]

2009-04-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-839522115-725345543-500.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-13 05:48]

2009-04-14 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-14 19:32]

2009-04-14 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-14 19:32]

2009-04-21 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-14 04:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: google.com\www
Trusted Zone: ordernet.co.il
Trusted Zone: winwin.co.il\www
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8xq2r8x4.default\
FF - component: c:\program files\Google\Google Gears\Firefox\components\gears.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-21 17:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
McAfee Backup = c:\program files\McAfee\MBK\McAfeeDataBackup.exe?????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C53C8AFE-780B-A095-1875A9D39C824CF2}\{151E6624-94D7-6041-A2A26FFA6BDDEF0C}\{8D08884B-CD31-5FF0-CA8CAC497363EFC4}*]
"RA4KGUJC6T6LBNJRIDQ63C2L6C1"=hex:01,00,01,00,00,00,00,00,f7,8a,3d,85,55,45,07,
82,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DA5FD177-5ED9-D129-A0BCADEF3ACDBDBC}\{79EAF540-0E74-317B-4A6E156139C845D3}\{99F2609B-7483-5DDB-3E9DF7E4B6714B5D}*]
"RA4KGUJC6T6LBNJRIDQ63C2L6C1"=hex:01,00,01,00,00,00,00,00,f7,8a,3d,85,55,45,07,
82,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-04-21 17:58
ComboFix-quarantined-files.txt 2009-04-21 23:58

Pre-Run: 126,001,631,232 bytes free
Post-Run: 127,977,836,544 bytes free

336 --- E O F --- 2009-04-18 09:03
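A triage pass over the log posted above, as an added example that is not part of the original post and is not a ComboFix feature: it reads ComboFix-style lines and reports the three indicators this thread turns on, Security Center values that silence alerting (which third-party suites also set legitimately, so they are marked for review rather than as malicious), AutoRun commands cached under MountPoints2 that point at a relative path, a non-standard verb or a RunDLL32 ShellExec_RunDLL launch, and CLSID subkeys whose names are not well-formed GUIDs. The sample input is copied from the log; the heuristics are the example's own.

```python
"""Triage pass over a ComboFix-style log for three of the indicators this
thread turns on: Security Center values that silence alerting, AutoRun
commands cached under MountPoints2, and CLSID keys whose names are not
well-formed GUIDs.  The heuristics are this example's own, not ComboFix's."""
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{be14185f-c858-11dc-82b0-001bb9d24e1f}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{be141860-c858-11dc-82b0-001bb9d24e1f}]
\Shell\Auto\command - Cn911.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e57a5cc2-c6c9-11dc-97c0-806d6172696f}]
\Shell\AutoRun\command - D:\Setup.EXE

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C53C8AFE-780B-A095-1875A9D39C824CF2}\{151E6624-94D7-6041-A2A26FFA6BDDEF0C}\{8D08884B-CD31-5FF0-CA8CAC497363EFC4}*]
"RA4KGUJC6T6LBNJRIDQ63C2L6C1"=hex:01,00,01,00,00,00,00,00,f7,8a,3d,85,55,45,07,
"""

# A real CLSID is 8-4-4-4-12 hex digits; the locked keys above use 8-4-4-16.
GUID_RE = re.compile(r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)
BRACE_RE = re.compile(r"\{[^{}]*\}")
MOUNT_CMD_RE = re.compile(r"^\\Shell\\([^\\]+)\\command - (.+)$", re.I)
DWORD_ONE_RE = re.compile(r'^"([^"]+)"=dword:0*1$', re.I)
ABS_PATH_RE = re.compile(r"^[a-z]:\\", re.I)

# Security Center values that turn off the "no antivirus/firewall" warnings.
WSC_SILENCERS = {"antivirusoverride", "antivirusdisablenotify", "firewalloverride",
                 "firewalldisablenotify", "updatesdisablenotify", "disablemonitoring"}


@dataclass
class Finding:
    check: str      # "security_center", "mountpoints2" or "clsid"
    severity: str   # "review" needs a human decision, "suspicious" is a likely IOC
    key: str        # registry key the line sits under
    detail: str


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if "\\classes\\clsid\\" in key.lower():
                bad = [b for b in BRACE_RE.findall(key) if not GUID_RE.match(b)]
                if bad:
                    findings.append(Finding("clsid", "suspicious", key,
                                            "malformed CLSID component(s): " + ", ".join(bad)))
            continue
        lkey = key.lower()
        if "\\security center" in lkey:
            m = DWORD_ONE_RE.match(line)
            if m and m.group(1).lower() in WSC_SILENCERS:
                # Legitimate third-party suites set these too, so only flag for review.
                findings.append(Finding("security_center", "review", key,
                                        f"{m.group(1)}=1 silences Security Center alerting"))
        elif "\\mountpoints2\\" in lkey:
            m = MOUNT_CMD_RE.match(line)
            if not m:
                continue
            verb, cmd = m.group(1), m.group(2).strip()
            reasons = []
            if verb.lower() != "autorun":
                reasons.append(f"non-standard verb '{verb}'")
            if "shellexec_rundll" in cmd.lower():
                reasons.append("launched through RunDLL32 ShellExec_RunDLL")
            if not ABS_PATH_RE.match(cmd):
                reasons.append("relative path, resolved against the drive root")
            if reasons:
                findings.append(Finding("mountpoints2", "suspicious", key,
                                        f"{cmd} ({'; '.join(reasons)})"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:10}] {f.check:16} {f.detail}")
```

Run against the sample, the U3 launcher and the D: setup CD pass, the two Cn911.exe entries and the three-level locked CLSID key are reported as suspicious, and the three Security Center values come back for review.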

#6 Extremeboy (Malware Removal Staff, Retired Staff, 824 posts)
Hello.

Good. Combofix removed the rootkit. Although it is good that it's removed, your computer was compromised. Let me know what you decide to do.

Rootkit Threat

Unfortunately, one or more of the identified infections is a Rootkit/backdoor trojan.

IMPORTANT NOTE: Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypass security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Tell me what you want to do.

With Regards,
Extremeboy

#7 sufhi (Topic Starter, New Member, 8 posts)
Hi EB,

Thank you for helping me out. I'll take the recommended course of action: wipe the drive clean, reformat and reinstall the OS. However, I have several tens of GB of data on my D: drive whereas the OS is on the C: drive. I would like to keep the data saved on D:. Is it possible?
Also, I have a laptop which is connected to the infected computer through wireless modem. Should I treat that computer as infected as well?
Your advice is much appreciated.

Thanks,
sufhi

#8 Extremeboy (Malware Removal Staff, Retired Staff, 824 posts)
Hello.

However, I have several tens of GB of data on my D: drive whereas the OS is on the C: drive. I would like to keep the data saved on D:. Is it possible?

Yes, it is possible, but please be careful and read my guidelines below please.

Also, I have a laptop which is connected to the infected computer through wireless modem. Should I treat that computer as infected as well?

In some cases the computer connected to the network is also infected, but sometimes it's not. Usually there is more than just the rootkit on the computer, possibly worms and even more. The best action would be to format that one as well. First priority is to format this one because it's confirmed that it's already compromised.

Regarding Backup

When backing up files and data there are two general guidelines:

1) Back up all your important data files, pictures, music, work etc... and save them onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not back up any executable files or any Windows files. These include .exe, .scr, .com, .pif etc... as they may contain traces of malware. Also, .html or .htm files that are webpages should be avoided.

Note: Some may want to be safe, wondering whether their data files are infected or not, so to make sure you should scan those files using an anti-virus scanner and an anti-malware/anti-spyware scanner, making sure they are free from malware before transferring them to your newly formatted computer. From what I have seen the results were always CLEAN, meaning they were not infected at all.

Hope that helps. Let me know if there's anything else you want to ask.

With Regards,
Extremeboy
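The two backup guidelines above turned into a script, as an added example that is not from the original post: it walks a source tree, copies only files with data extensions, and refuses executables, scripts, shortcuts, .inf and web pages. It adds one check the post does not mention, which is the example's own: a file whose first two bytes are the PE "MZ" header is skipped even when its extension says it is a document, since renaming an executable to look like data is a common trick. The sample tree is constructed in a temporary directory; the extension lists are illustrative, not exhaustive.

```python
"""Selective backup from a compromised disk, following the two guidelines in
the post above: copy data files by extension and never copy executables,
shortcuts, scripts or web pages.  One check added on top of the post's
rules: a file whose first two bytes are the PE 'MZ' header is refused even
when its extension says it is a document, because renaming an executable to
look like data is a common trick."""
import os
import shutil
import tempfile
from pathlib import Path

DATA_EXTS = {".doc", ".xls", ".ppt", ".txt", ".pdf", ".mp3", ".jpg", ".jpeg",
             ".png", ".gif", ".avi", ".mpg", ".csv"}
BLOCKED_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".dll", ".sys",
                ".vbs", ".js", ".lnk", ".inf", ".html", ".htm"}


def classify(path: Path) -> tuple[str, str]:
    """Return ('copy' | 'skip', reason) for one file."""
    ext = path.suffix.lower()
    if ext in BLOCKED_EXTS:
        return "skip", f"blocked extension {ext}"
    if ext not in DATA_EXTS:
        return "skip", f"not on the data allow-list ({ext or 'no extension'})"
    with open(path, "rb") as fh:
        magic = fh.read(2)
    if magic == b"MZ":   # DOS/PE header: an executable wearing a data extension
        return "skip", "PE executable header despite data extension"
    return "copy", "data file"


def backup(src: Path, dst: Path) -> dict[str, list[str]]:
    """Walk src, copy accepted files to dst preserving layout, report both lists."""
    report: dict[str, list[str]] = {"copied": [], "skipped": []}
    for root, _dirs, files in os.walk(src):
        for name in files:
            p = Path(root) / name
            rel = p.relative_to(src).as_posix()
            decision, why = classify(p)
            if decision == "copy":
                target = dst / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(p, target)
                report["copied"].append(rel)
            else:
                report["skipped"].append(f"{rel}: {why}")
    return report


def demo() -> dict[str, list[str]]:
    """Build a constructed stand-in for the D: drive and back it up."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "D_drive"), Path(tmp, "external")
        (src / "photos").mkdir(parents=True)
        samples = {
            "photos/holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
            "notes.txt": b"shopping list\n",
            "autorun.inf": b"[autorun]\nopen=setup.exe\n",
            "setup.exe": b"MZ" + b"\x90" * 64,
            "invoice.pdf": b"MZ" + b"\x90" * 64,   # executable renamed as a document
            "index.htm": b"<html></html>",
        }
        for rel, data in samples.items():
            (src / rel).write_bytes(data)
        return backup(src, dst)


if __name__ == "__main__":
    for bucket, items in demo().items():
        print(bucket, *items, sep="\n  ")
```

The allow-list is deliberately the strict direction: anything not recognised as data is skipped and listed, so the owner can decide about leftovers by hand rather than have the script guess. The scan the post recommends still applies to what gets copied; the MZ check only catches the crudest disguise.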

#9 sufhi (Topic Starter, New Member, 8 posts)
Hi EB,

Thank you very much! You have helped me a lot!
I'll get the external hard-drive and start the formating.

All the best,
sufhi

#10 Extremeboy (Malware Removal Staff, Retired Staff, 824 posts)
Okay.

Good luck on the format and happy surfing again. Good luck in the future!

Below are some prevention tips. I will close this topic shortly.

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:

  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.

Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Visit the Windows Update Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of hacks/Trojans use methods (plugged by the updates) that have not been stopped because people did not update.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates, here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.

Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


With Regards,
Extremeboy

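The Autorun section above describes how a USB worm's AUTORUN.INF behaves and warns that double-clicking a drive may still trigger it after Autorun is disabled. The following parser, an added example that is not part of the original post, reads an autorun.inf and reports what each entry would make Windows XP do: `open=` and `shellexecute=` fire through AutoPlay on insertion and are stopped by disabling Autorun, while `shell\verb\command=` entries become the drive's double-click and context-menu actions (the same verbs ComboFix showed cached under MountPoints2 in the log earlier in this thread) and may still fire with Autorun disabled. Both sample files are constructed, the first modelled on the Cn911.exe entries in that log; the worm heuristic is the example's own.

```python
r"""Parse an autorun.inf and show what each entry would make Windows XP do.
'open' and 'shellexecute' fire through AutoPlay on insertion and are stopped
by disabling Autorun; 'shell\verb\command' entries become the drive's
double-click and context-menu actions and may still fire with Autorun
disabled.  Parser and worm heuristic are this example's own; both sample
files are constructed."""
import re

# Constructed, modelled on the MountPoints2 entries in the log earlier in the thread.
WORM_INF = r"""[autorun]
; junk comment lines like this are common in worm INFs
open=Cn911.exe
icon=%SystemRoot%\system32\shell32.dll,4
shell\open=Open
shell\open\command=Cn911.exe
shell\explore\command=RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe
shell=open
"""

# Constructed: the vendor-CD pattern (setup launches on insertion only).
VENDOR_INF = r"""[autorun]
open=Setup.EXE
icon=Setup.EXE,0
label=Driver CD
"""

EXEC_RE = re.compile(r"\.(exe|com|scr|pif|bat|cmd|vbs|js|dll)\b|rundll32", re.I)


def parse_autorun_inf(text: str) -> dict[str, str]:
    """Minimal INI reader for the [autorun] section, keys lower-cased.
    Hand-rolled rather than configparser because worm INFs often carry
    junk and duplicate keys that a strict parser rejects."""
    entries: dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def assess(entries: dict[str, str]) -> list[dict]:
    """List every entry that runs something, with the trigger that fires it."""
    findings = []
    for key, value in entries.items():
        if key in ("open", "shellexecute"):
            trigger = "insertion via AutoPlay (stopped by disabling Autorun)"
        elif key.startswith("shell\\") and key.endswith("\\command"):
            verb = key.split("\\")[1]
            trigger = (f"double-click / context-menu verb '{verb}' "
                       "(may still fire with Autorun disabled)")
        else:
            continue   # icon=, label=, action=, shell=, shell\verb=caption run nothing
        findings.append({"key": key, "command": value, "trigger": trigger,
                         "runs_executable": bool(EXEC_RE.search(value))})
    return findings


def looks_like_worm(findings: list[dict]) -> bool:
    """Heuristic (this example's own): a drive that hijacks shell verbs to run an executable."""
    return any(f["runs_executable"] and f["key"].startswith("shell\\") for f in findings)


if __name__ == "__main__":
    for name, inf in (("worm", WORM_INF), ("vendor", VENDOR_INF)):
        found = assess(parse_autorun_inf(inf))
        print(f"{name}: worm-like={looks_like_worm(found)}")
        for f in found:
            print(f"  {f['key']} -> {f['command']}  [{f['trigger']}]")
```

The heuristic keys on overridden shell verbs rather than on `open=` because a vendor CD legitimately uses `open=` and nothing else, whereas hijacked verbs are what keep working after Autorun is turned off, which is exactly the case the note above warns about.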

#11 Extremeboy (Malware Removal Staff, Retired Staff, 824 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.