Mal_Otorun1 - Help? - Geeks to Go Forums


Mal_Otorun1 - Help? Mal_Otorun1 infection on Win2k3

#1 drholiday

  • Group: Member
  • Posts: 7
  • Joined: 26-April 09

Posted 26 April 2009 - 07:45 PM

I have somehow been infected with Mal_Otorun1. There were others, but Trend Micro's HouseCall and my own ESET Smart Security managed to eradicate the others.

Symptoms:

Google Results link to other sites than those I click (mostly ads)

Malwarebytes' Anti-Malware and Spybot S&D are unable to start. The process is active in Task Manager, but it doesn't show.


I've tried:

Eset SS 3 (Which didn't see it)
Housecall (Which saw it but wasn't able to clean it)

Oh and ComboFix doesn't run on Win2k3. If anyone knows how to circumvent that, it would be extremely helpful.

Below are my HijackThis and OTViewIt logs:

HijackThis said:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:43:19 PM, on 4/26/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Everything\Everything.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Opera 10 Preview\opera.exe
C:\Program Files\Mozilla Firefox 3.1 Beta 3\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [Everything] "C:\Program Files\Everything\Everything.exe" -startup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunServices: [Windows Print Spooling] winrar.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [DefaultP17] P17Def.Exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [SetDefaultMIDI] MIDIDef.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [SetDefaultMIDI] MIDIDef.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [SetDefaultMIDI] MIDIDef.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE (User 'Default user')
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Process Blocker - Softros Systems, Inc. - C:\Program Files\Process Blocker\Process Blocker.exe

--
End of file - 4470 bytes


OTViewIt said:

OTViewIt logfile created on: 4/26/2009 9:43:34 PM - Run 2
OTViewIt by OldTimer - Version 1.0.21.0 Folder = C:\Documents and Settings\Server2003\Desktop
Windows Server 2003 DataCenter Edition Service Pack 2 (Version = 5.2.3790) - Type = NTServer
Internet Explorer (Version = 6.0.2900.2096)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.98 Mb Total Physical Memory | 574.10 Mb Available Physical Memory | 56.12% Memory free
2.42 Gb Paging File | 2.05 Gb Available in Paging File | 84.97% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.87 Gb Total Space | 49.61 Gb Free Space | 88.79% Space Free | Partition Type: NTFS
Drive D: | 149.04 Gb Total Space | 119.66 Gb Free Space | 80.29% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DELL
Current User Name: [censored]
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2009/01/14 00:34:00 | 00,598,016 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
[2008/10/24 16:51:16 | 00,468,224 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe
[2009/01/14 00:34:00 | 00,598,016 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
[2007/02/20 08:12:18 | 00,407,056 | ---- | M] (Raxco Software, Inc.) -- C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
[2004/09/29 08:14:36 | 00,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
[2007/02/20 08:12:28 | 00,734,736 | ---- | M] (Raxco Software, Inc.) -- C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
[2007/05/07 08:00:00 | 00,034,816 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rundll32.exe
[2009/02/13 02:33:00 | 00,563,712 | ---- | M] () -- C:\Program Files\Everything\Everything.exe
[2008/10/24 16:50:00 | 01,451,264 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\egui.exe
[2009/04/26 17:50:47 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
[2009/02/13 12:29:50 | 01,172,992 | ---- | M] (Vitalwerks LLC) -- C:\Program Files\No-IP\DUC20.exe
[2006/10/18 17:46:20 | 00,064,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmplayer.exe
[2008/12/02 15:02:36 | 00,108,032 | ---- | M] (Opera Software) -- C:\Program Files\Opera 10 Preview\opera.exe
[2007/05/07 08:00:00 | 00,207,872 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
[2009/04/23 16:14:04 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox 3.1 Beta 3\firefox.exe
[2007/05/07 08:00:00 | 00,207,872 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
[2009/04/26 18:23:25 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Server2003\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2005/09/23 03:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2009/01/14 00:34:00 | 00,598,016 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller [Auto | Running])
[2009/01/13 17:05:00 | 00,593,920 | ---- | M] () -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart [Auto | Stopped])
[2005/09/23 03:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2007/05/07 08:00:00 | 00,164,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dfssvc.exe -- (Dfs [Disabled | Stopped])
[2008/10/24 16:56:30 | 00,019,200 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe -- (EhttpSrv [On_Demand | Stopped])
[2008/10/24 16:51:16 | 00,468,224 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe -- (ekrn [Auto | Running])
[2007/05/07 08:00:00 | 00,040,448 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ismserv.exe -- (IsmServ [Disabled | Stopped])
[2007/05/07 08:00:00 | 00,094,720 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\llssrv.exe -- (LicenseService [Disabled | Stopped])
[2007/05/07 08:00:00 | 00,792,064 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntfrs.exe -- (NtFrs [Disabled | Stopped])
[2003/07/28 08:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2007/02/20 08:12:18 | 00,407,056 | ---- | M] (Raxco Software, Inc.) -- C:\Program Files\Raxco\PerfectDisk\PDAgent.exe -- (PDAgent [Auto | Running])
[2007/02/20 08:12:28 | 00,734,736 | ---- | M] (Raxco Software, Inc.) -- C:\Program Files\Raxco\PerfectDisk\PDEngine.exe -- (PDEngine [On_Demand | Running])
[2004/09/29 08:14:36 | 00,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12 [Auto | Running])
[2008/11/21 18:27:52 | 00,142,040 | ---- | M] (Softros Systems, Inc.) -- C:\Program Files\Process Blocker\Process Blocker.exe -- (Process Blocker [On_Demand | Stopped])
[2007/05/07 08:00:00 | 00,067,072 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rsopprov.exe -- (RSoPProv [Disabled | Stopped])
[2007/05/07 08:00:00 | 00,071,168 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\tssdis.exe -- (Tssdis [Disabled | Stopped])
[2007/05/07 08:00:00 | 00,352,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\vds.exe -- (vds [Disabled | Stopped])
[2006/10/18 16:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services ==========

[2003/03/24 23:04:50 | 00,007,168 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\system32\drivers\aliide.sys -- (AliIde [Boot | Running])
[2007/02/17 02:17:00 | 00,007,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\amdide.sys -- (AmdIde [Boot | Running])
[2009/01/14 03:14:01 | 03,455,488 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag [On_Demand | Running])
[2003/03/24 18:25:20 | 01,078,656 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\system32\drivers\BCMDM.sys -- (BCMModem [On_Demand | Running])
[2003/03/24 22:39:28 | 00,012,416 | ---- | M] (Brother Industries, Ltd.) -- C:\WINDOWS\system32\drivers\BrFiltLo.sys -- (BrFiltLo [Boot | Running])
[2003/03/24 22:39:28 | 00,004,608 | ---- | M] (Brother Industries, Ltd.) -- C:\WINDOWS\system32\drivers\BrFiltUp.sys -- (BrFiltUp [Boot | Running])
[2007/02/17 02:31:22 | 00,009,216 | ---- | M] (CMD Technology, Inc.) -- C:\WINDOWS\system32\drivers\cmdide.sys -- (CmdIde [Boot | Running])
[2007/02/16 22:34:58 | 00,017,920 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\crcdisk.sys -- (crcdisk [Boot | Running])
[2006/02/26 11:22:48 | 00,138,752 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k [On_Demand | Running])
[2007/02/01 01:57:54 | 00,068,376 | ---- | M] (Raxco Software, Inc.) -- C:\WINDOWS\System32\drivers\DefragFs.sys -- (DefragFS [Boot | Running])
[2007/05/07 08:00:00 | 00,034,816 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\dfs.sys -- (DfsDriver [Boot | Running])
[2007/02/17 02:51:02 | 00,207,872 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\Dot4.sys -- (Dot4 [Boot | Running])
[2003/03/24 23:03:04 | 00,026,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\Dot4usb.sys -- (dot4usb [Boot | Running])
[2006/10/31 09:15:24 | 00,165,760 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\e100b325.sys -- (E100B [On_Demand | Running])
[2008/10/24 16:45:32 | 00,039,944 | ---- | M] (ESET) -- C:\WINDOWS\system32\drivers\eamon.sys -- (eamon [Auto | Running])
[2008/10/24 16:46:24 | 00,053,256 | ---- | M] (ESET) -- C:\WINDOWS\system32\drivers\easdrv.sys -- (easdrv [System | Running])
[2008/10/24 16:53:20 | 00,073,224 | ---- | M] (ESET) -- C:\WINDOWS\system32\drivers\epfw.sys -- (epfw [Auto | Running])
[2008/10/24 16:53:24 | 00,031,240 | ---- | M] (ESET) -- C:\WINDOWS\system32\drivers\epfwndis.sys -- (Epfwndis [On_Demand | Running])
[2008/10/24 16:53:26 | 00,054,280 | ---- | M] (ESET) -- C:\WINDOWS\system32\drivers\epfwtdi.sys -- (epfwtdi [System | Running])
[2005/07/15 11:17:42 | 00,051,120 | ---- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZid412.sys -- (HPZid412 [On_Demand | Stopped])
[2005/07/15 11:17:42 | 00,016,496 | ---- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12 [On_Demand | Stopped])
[2005/07/15 11:17:42 | 00,021,744 | ---- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12 [Boot | Running])
[2007/02/17 03:26:58 | 00,017,408 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\kbdhid.sys -- (kbdhid [System | Stopped])
[2006/07/19 07:27:26 | 00,013,568 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\drivers\L8042Kbd.sys -- (L8042Kbd [On_Demand | Running])
[2006/12/14 22:41:56 | 00,041,248 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta [On_Demand | Running])
[2007/02/16 23:33:14 | 00,018,944 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Running])
[2006/02/26 11:22:48 | 00,106,496 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv [On_Demand | Running])
[2006/02/26 11:22:48 | 01,389,056 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\P17.sys -- (P17 [On_Demand | Running])
[2006/12/14 22:37:12 | 00,490,016 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\drivers\LV561AV.SYS -- (PID_0928 [On_Demand | Running])
[2006/11/07 18:02:36 | 00,021,760 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\point32.sys -- (Point32 [On_Demand | Running])
[2007/05/07 08:00:00 | 00,020,480 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2007/02/17 03:58:10 | 00,046,080 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\sbp2port.sys -- (sbp2port [Boot | Running])
[2007/05/07 08:00:00 | 00,163,644 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2006/08/15 11:48:00 | 00,732,928 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt [On_Demand | Running])
[2003/03/24 23:03:14 | 00,019,968 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\sermouse.sys -- (sermouse [On_Demand | Stopped])
[2003/03/24 23:16:26 | 00,006,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\smbhc.sys -- (SMBHC [System | Stopped])
[2006/08/15 11:48:00 | 00,260,352 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm [On_Demand | Running])
[2003/03/24 23:07:18 | 00,009,216 | ---- | M] (Sony Corporation) -- C:\WINDOWS\system32\drivers\SONYPVU1.SYS -- (SONYPVU1 [Boot | Running])
[2009/04/26 18:02:24 | 00,102,664 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm [Auto | Running])
[2007/02/17 00:07:52 | 00,024,064 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\vgapnp.sys -- (vga [On_Demand | Stopped])
[2006/11/08 09:23:52 | 00,102,912 | ---- | M] (VIA Technologies inc,.ltd) -- C:\WINDOWS\system32\drivers\viamraid.sys -- (viamraid [Boot | Running])
[2003/03/24 23:09:14 | 00,011,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\wd.sys -- (Wd [Boot | Running])
[2007/05/07 08:00:00 | 00,169,984 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\wlbs.sys -- (WLBS [On_Demand | Stopped])
[2007/02/17 04:09:38 | 00,011,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\wmiacpi.sys -- (WmiAcpi [System | Stopped])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\SYSTEM32\blank.htm
"Start Page"=http://www.google.com

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"SearchAssistant"=http://www.google.com/ie_rsearch.html

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\SYSTEM32\blank.htm
"Page_Transitions"=
"Search Page"=http://www.google.com
"Start Page"=http://www.google.com

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""=http://www.google.com/keyword/%s
"provider"=gogl

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL\g]
""=http://www.google.com/search?q=%s

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{22BF413B-C6D2-4d91-82A9-A0F997BA588C} (HKLM) -- C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
{DBC80044-A445-435b-BC74-9C25C1C588A9} (HKLM) -- C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice (ESET)
"Everything"="C:\Program Files\Everything\Everything.exe" -startup ()
"P17Helper"=Rundll32 P17.dll,P17Helper ()
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)

========== (O4) RunServices Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Print Spooling"=winrar.exe File not found

========== (O4) Startup Folders ==========

[2009/02/13 12:29:50 | 01,172,992 | ---- | M] (Vitalwerks LLC) -- C:\Documents and Settings\Server2003\Start Menu\Programs\Startup\No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe

========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\Software\policies\microsoft\internet explorer\Infodelivery\Restrictions]
"NoJITSetup"=1
"NoWebJITSetup"=1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"ShowSuperHidden"=1
"NoRemoteRecursiveEvents"=1
"MemCheckBoxInRunDlg"=1
"NoCDBurning"=1
"StartMenuFavorites"=0
"Start_ShowHelp"=0
"Start_ShowMyComputer"=1
"Start_ShowMyDocs"=1
"Start_ShowMyMusic"=0
"Start_ShowMyPics"=1
"Start_ShowRun"=1
"Start_ShowSearch"=0
"NoDriveTypeAutoRun"=177

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"disablecad"=1
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"scforceoption"=0
"shutdownwithoutlogon"=0
"undockwithoutlogon"=1
"verbosestatus"=1
"NoInternetOpenWith"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=255
"NoInternetIcon"=1
"ForceClassicControlPanel"=1
"NoResolveTrack"=1
"LinkResolveIgnoreLinkInfo"=1
"NoResolveSearch"=1
"ClearRecentDocsOnExit"=1
"NoStartBanner"=1
"NoSMConfigurePrograms"=1
"MemCheckBoxInRunDlg"=1
"NoSharedDocuments"=1
"NoActiveDesktop"=1
"NoRecentDocsMenu"=1
"NoSMHelp"=0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableRegistryTools"=0

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2005/05/26 21:06:54 | 10,095,808 | ---- | M] (Microsoft Corporation)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{77BF5300-1474-4EC7-9980-D32B190E9B07}: Button: Skype -- %ProgramFiles%\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2009/02/04 08:27:34 | 01,082,880 | ---- | M] (Skype Technologies S.A.)
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [2003/07/14 18:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{77BF5300-1474-4EC7-9980-D32B190E9B07} [HKLM] -> %ProgramFiles%\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [Skype add-on (button)] -> [2009/02/04 08:27:34 | 01,082,880 | ---- | M] (Skype Technologies S.A.)
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 18:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_13
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_13
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_13

========== (O17) DNS Name Servers ==========

{18EFA5BA-F79F-44C6-85CE-CA9A435B7478} (Servers: | Description: )

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
AtiExtEvent: "DllName" = Ati2evxx.dll -- C:\WINDOWS\system32\ati2evxx.dll (ATI Technologies Inc.)

========== IFEO "Debugger" Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\]
Your Image File Name Here without a path:"Debugger" = File not found

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2009/02/13 11:28:10 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

autorun.inf [[autorun] | ;jzkdocrfuyo | shellexecute="RECYCLER\S-8-0-43-100021053-100026924-100020910-5593.com c:\" | ;qbrrqwbhsekyheefpypbubeilhogmxqdzdvwqda | shell\Open\command="RECYCLER\S-8-0-43-100021053-100026924-100020910-5593.com c:\" | ;ylbkityarmgvkzxecqcjbfwxgseiybhjlubnlqgpvctrxmlxgqrjizvdcpnsltuqqnjphbegotcfurydebasdevaazmxspxifw | shell=Open | ]
[2009/04/19 22:13:29 | 00,000,340 | RHS- | M] () -- C:\autorun.inf -- [ NTFS ]

autorun.inf [[autorun] | ;ujxwenidqwzwvdgaqogcplslnscmphweycjqpteomcvzocfvcjgmzziqovh | shellexecute="RECYCLER\S-8-0-43-100021053-100026924-100020910-5593.com d:\" | ;pssmjjbgmzvttbzzwubggrovcuktlsamptlistoqjqramupgbidpgiraoangugkijahuwykmapzbxaev | shell\Open\command="RECYCLER\S-8-0-43-100021053-100026924-100020910-5593.com d:\" | ;enajiitdmvlvefbzfisbnajcbukoovyzdqdrfqdynjlansgzynmhzvnhzskevsxmwfqyaz | shell=Open | ]
[2009/04/19 22:13:29 | 00,000,401 | RHS- | M] () -- D:\autorun.inf -- [ NTFS ]

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8764462-25fe-11de-9662-0007e988a700}\Shell]
""=Autorun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8764462-25fe-11de-9662-0007e988a700}\Shell\AutoRun]
""=Auto&Play


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8764462-25fe-11de-9662-0007e988a700}\Shell\AutoRun\command]
""=C:\WINDOWS\system32\shell32.dll -- [2007/05/07 08:00:00 | 08,359,936 | ---- | M] (Microsoft Corporation)


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8764462-25fe-11de-9662-0007e988a700}\Shell\Open\command]
""=RECYCLER\S-1-3-91-100014821-100018072-100000857-2735.com g:\

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[2009/04/26 21:35:38 | 00,000,000 | ---D | C] -- C:\32788R22FWJFW
[2009/04/26 21:35:23 | 00,389,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\cmd.execf
[2009/04/26 21:32:25 | 03,006,230 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\ComboFix.exe
[2009/04/26 19:02:05 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/26 19:02:05 | 00,000,728 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/26 19:02:03 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/26 19:02:01 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/04/26 18:25:41 | 38,250,496 | ---- | C] ( ) -- C:\Documents and Settings\Server2003\Desktop\setup_7.0.0.290_26.04.2009_08-50.exe
[2009/04/26 18:23:26 | 00,422,912 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Server2003\Desktop\OTViewIt.exe
[2009/04/26 18:23:02 | 00,000,000 | ---D | C] -- C:\_OTMoveIt
[2009/04/26 18:22:32 | 00,389,632 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Server2003\Desktop\OTMoveIt3.exe
[2009/04/26 18:04:33 | 00,102,664 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2009/04/26 17:56:58 | 00,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2009/04/26 17:50:39 | 00,000,000 | ---D | C] -- C:\Program Files\Java
[2009/04/26 17:48:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Server2003\Application Data\Sun
[2009/04/26 17:34:06 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2009/04/26 17:34:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/04/26 17:33:04 | 02,967,800 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Server2003\Desktop\mbam-setup.exe
[2009/04/26 17:30:21 | 16,409,960 | ---- | C] (Safer Networking Limited ) -- C:\Documents and Settings\Server2003\Desktop\spybotsd162.exe
[2009/04/26 16:48:30 | 00,001,766 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\HijackThis.lnk
[2009/04/26 16:48:30 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/04/21 15:05:43 | 06,513,472 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\bozorgdasht-shahnaz-tar.wmv
[2009/04/19 02:00:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Server2003\Desktop\New Folder
[2009/04/18 22:36:05 | 00,001,737 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/04/18 12:56:19 | 00,000,000 | ---D | C] -- C:\spoolerlogs
[2009/04/12 13:08:15 | 00,057,344 | -HS- | C] () -- C:\Documents and Settings\Server2003\Desktop\Thumbs.db
@Alternate Data Stream - 0 bytes -> C:\Documents and Settings\Server2003\Desktop\Thumbs.db:encryptable
[2009/04/12 12:57:50 | 02,933,719 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\DSC00582.JPG
[2009/04/12 12:57:43 | 03,028,070 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\DSC00581.JPG
[2009/04/12 12:57:36 | 03,348,850 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\DSC00580.JPG
[2009/04/12 12:57:29 | 03,123,322 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\DSC00578.JPG
[2009/04/12 11:21:47 | 03,156,293 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\MehdiHosseini-DjBeManFazBede128.mp3
[2009/04/12 02:13:43 | 11,581,120 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\royksopp2.mp3
[2009/04/12 02:13:33 | 07,463,485 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\R%f6yksopp - Vision One.mp3
[2009/04/10 19:23:02 | 00,041,808 | ---- | C] () -- C:\WINDOWS\System32\xfcodec.dll
[2009/04/08 17:01:54 | 03,448,207 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\05 - Takin Back My Love.mp3
[2009/04/08 16:12:59 | 00,039,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\gxvxcserv.sys
[2009/04/07 21:50:36 | 00,019,968 | ---- | C] () -- C:\Documents and Settings\Server2003\My Documents\End of War.doc
[2009/04/07 21:38:37 | 00,020,480 | ---- | C] () -- C:\Documents and Settings\Server2003\My Documents\Sea Warfare.doc
[2009/04/07 21:14:50 | 00,020,480 | ---- | C] () -- C:\Documents and Settings\Server2003\My Documents\Air Warfare.doc
[2009/04/07 20:47:32 | 00,020,480 | ---- | C] () -- C:\Documents and Settings\Server2003\My Documents\Land Warfare.doc
[2009/04/07 20:31:45 | 00,020,480 | ---- | C] () -- C:\Documents and Settings\Server2003\My Documents\The Beginning of WWI.doc
[2009/04/05 20:34:58 | 00,000,250 | ---- | C] () -- C:\WINDOWS\tasks\Process Blocker ON.job
[2009/04/05 20:33:21 | 00,000,252 | ---- | C] () -- C:\WINDOWS\tasks\Process Blocker OFF.job
[2009/04/05 20:30:10 | 00,000,097 | ---- | C] () -- C:\WINDOWS\Process Blocker OFF.bat
[2009/04/05 20:28:18 | 00,000,098 | ---- | C] () -- C:\WINDOWS\Process Blocker ON.bat
[2009/04/05 20:22:02 | 00,000,000 | ---D | C] -- C:\Program Files\Process Blocker
[2009/04/05 18:02:06 | 00,000,340 | RHS- | C] () -- C:\autorun.inf
[2009/04/05 13:24:13 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2009/04/05 00:26:08 | 00,189,784 | ---- | C] () -- C:\WINDOWS\System32\PnkBstrB.xtr
[2009/04/05 00:07:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Server2003\Local Settings\Application Data\PunkBuster
[2009/04/05 00:04:32 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Server2003\Application Data\id Software
[2009/04/04 23:55:09 | 00,022,328 | ---- | C] () -- C:\Documents and Settings\Server2003\Application Data\PnkBstrK.sys
[2009/04/04 23:54:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\id Software
[2009/03/31 00:08:55 | 00,000,120 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\httpfedveblubdu.cnhlegolnEJxV.1XVVJWUUE6EBWZAf5.AUMqBmPMBWCTAhs5R-YSU52DU9QNUKkVUGjRU0zLU.URL
[2009/03/29 22:16:18 | 00,004,509 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\1078849292.html
[2009/03/29 20:23:55 | 00,000,002 | ---- | C] () -- C:\USBoot.phase-II
[2009/03/29 20:23:54 | 00,000,012 | ---- | C] () -- C:\USBoot.SystemRoot
[2009/03/29 20:21:54 | 00,007,680 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\amdide.sys
[2009/03/29 20:21:46 | 00,007,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\toside.sys
[2009/03/29 20:21:42 | 00,007,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\viaide.sys
[2009/03/29 20:20:39 | 00,011,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\wd.sys
[2009/03/29 20:20:22 | 00,013,312 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\mouhid.sys
[2009/03/29 20:20:14 | 00,019,968 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\sermouse.sys
[2009/03/29 20:19:28 | 00,017,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\kbdhid.sys
[2009/03/29 20:19:16 | 00,009,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdkor.dll
[2009/03/29 20:18:58 | 00,009,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdjpn.dll
[2009/03/29 20:18:51 | 00,014,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\battc.sys
[2009/03/29 20:18:51 | 00,010,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\compbatt.sys
[2009/03/29 20:18:47 | 00,011,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\wmiacpi.sys
[2009/03/29 20:18:43 | 00,006,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\smbhc.sys
[2009/03/29 20:18:42 | 00,008,704 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\smbclass.sys
[2009/03/29 20:16:56 | 00,017,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\usbohci.sys
[2009/03/29 20:16:34 | 00,046,080 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\sbp2port.sys
[2009/03/29 20:14:30 | 00,026,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\Dot4usb.sys
[2009/03/29 20:14:26 | 00,207,872 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\Dot4.sys
[2009/03/29 20:14:19 | 00,012,416 | ---- | C] (Brother Industries, Ltd.) -- C:\WINDOWS\System32\drivers\BrFiltLo.sys
[2009/03/29 20:14:19 | 00,004,608 | ---- | C] (Brother Industries, Ltd.) -- C:\WINDOWS\System32\drivers\BrFiltUp.sys
[2009/03/29 20:13:45 | 00,061,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\arp1394.sys
[2009/03/29 20:13:45 | 00,061,312 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\ohci1394.sys
[2009/03/29 20:13:45 | 00,058,368 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\nic1394.sys
[2009/03/29 20:13:45 | 00,053,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\1394bus.sys
[2009/03/29 20:13:45 | 00,007,680 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\enum1394.sys
[2009/03/29 20:12:08 | 00,000,002 | ---- | C] () -- C:\USBoot.phase-I
[2009/03/29 20:12:05 | 02,430,464 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ntkrnl.exe
[2009/03/29 20:12:04 | 02,469,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ntkrnlmp.exe
[2009/03/29 20:12:04 | 00,119,808 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\halmacpi.dll
[2009/03/29 20:12:04 | 00,118,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\halaacpi.dll
[2009/03/29 20:12:04 | 00,082,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\halacpi.dll
[2009/03/29 20:12:03 | 00,109,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\haleisa.dll
[2009/03/29 20:11:55 | 00,532,872 | ---- | C] () -- C:\WINDOWS\ubsvcgd.dat
[2009/03/29 20:11:49 | 00,451,784 | ---- | C] () -- C:\WINDOWS\ubdevgd.dat
[2009/03/29 20:06:21 | 00,398,824 | ---- | C] () -- C:\WINDOWS\System32\ubsvcgd.sys
[2009/03/29 20:06:21 | 00,234,984 | ---- | C] () -- C:\WINDOWS\System32\ubdevgd.dll
[2009/03/29 20:06:21 | 00,104,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\ubarcgd.sys
[2009/03/29 20:06:21 | 00,042,344 | ---- | C] () -- C:\WINDOWS\System32\drivers\ubdrvgd.sys
[2009/03/29 20:06:19 | 00,006,326 | ---- | C] () -- C:\WINDOWS\!SysVol!.mrk
[2009/03/29 19:44:51 | 00,000,443 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\NodEnabler 2.81.lnk
[2009/03/29 19:11:55 | 04,065,792 | ---- | C] (Geza Kovacs) -- C:\Documents and Settings\Server2003\Desktop\unetbootin-windows-319.exe
[2009/03/29 18:15:46 | 00,000,000 | -H-- | C] () -- C:\Documents and Settings\Server2003\My Documents\Default.rdp
[2009/03/29 18:07:47 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2009/03/29 17:25:37 | 00,000,683 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Opera.lnk
[2009/03/29 17:25:36 | 00,000,000 | ---D | C] -- C:\Program Files\Opera 10 Preview
[2009/03/29 17:15:27 | 00,001,737 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox 3.1 Beta 3.lnk
[2009/03/29 17:15:24 | 00,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox 3.1 Beta 3
[2009/03/29 13:55:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Server2003\Desktop\Saved Websites

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[2009/04/26 21:35:44 | 00,389,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\cmd.execf
[2009/04/26 21:32:51 | 03,006,230 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\ComboFix.exe
[2009/04/26 21:20:07 | 00,453,260 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/26 21:20:07 | 00,391,330 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/26 21:20:07 | 00,055,640 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/26 21:15:52 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/04/26 21:15:51 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/04/26 21:15:11 | 03,761,152 | -H-- | M] () -- C:\Documents and Settings\Server2003\Local Settings\Application Data\IconCache.db
[2009/04/26 21:09:00 | 00,532,872 | ---- | M] () -- C:\WINDOWS\ubsvcgd.dat
[2009/04/26 19:02:05 | 00,000,728 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/26 18:30:14 | 38,250,496 | ---- | M] ( ) -- C:\Documents and Settings\Server2003\Desktop\setup_7.0.0.290_26.04.2009_08-50.exe
[2009/04/26 18:23:25 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Server2003\Desktop\OTViewIt.exe
[2009/04/26 18:22:38 | 00,389,632 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Server2003\Desktop\OTMoveIt3.exe
[2009/04/26 18:02:24 | 00,102,664 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2009/04/26 17:51:14 | 00,451,784 | ---- | M] () -- C:\WINDOWS\ubdevgd.dat
[2009/04/26 17:33:34 | 02,967,800 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Server2003\Desktop\mbam-setup.exe
[2009/04/26 17:33:05 | 16,409,960 | ---- | M] (Safer Networking Limited ) -- C:\Documents and Settings\Server2003\Desktop\spybotsd162.exe
[2009/04/26 16:48:30 | 00,001,766 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\HijackThis.lnk
[2009/04/26 12:00:02 | 00,000,250 | ---- | M] () -- C:\WINDOWS\tasks\Process Blocker ON.job
[2009/04/24 16:11:28 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/04/23 21:51:05 | 00,057,344 | -HS- | M] () -- C:\Documents and Settings\Server2003\Desktop\Thumbs.db
@Alternate Data Stream - 0 bytes -> C:\Documents and Settings\Server2003\Desktop\Thumbs.db:encryptable
[2009/04/23 21:51:04 | 00,005,632 | ---- | M] () -- C:\Documents and Settings\Server2003\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/04/21 15:06:18 | 06,513,472 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\bozorgdasht-shahnaz-tar.wmv
[2009/04/20 21:31:44 | 10,728,12032 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP
[2009/04/19 22:13:29 | 00,000,340 | RHS- | M] () -- C:\autorun.inf
[2009/04/18 22:36:05 | 00,001,737 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/04/18 21:17:31 | 00,039,936 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\gxvxcserv.sys
[2009/04/17 16:00:00 | 00,000,252 | ---- | M] () -- C:\WINDOWS\tasks\Process Blocker OFF.job
[2009/04/15 17:18:13 | 00,189,784 | ---- | M] () -- C:\WINDOWS\System32\PnkBstrB.xtr
[2009/04/15 00:21:50 | 00,000,020 | ---- | M] () -- C:\WINDOWS\System32\PDBootState
[2009/04/13 21:36:35 | 03,156,293 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\MehdiHosseini-DjBeManFazBede128.mp3
[2009/04/13 00:00:26 | 00,000,097 | ---- | M] () -- C:\WINDOWS\Process Blocker OFF.bat
[2009/04/12 13:46:21 | 11,581,120 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\royksopp2.mp3
[2009/04/12 11:26:44 | 03,448,207 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\05 - Takin Back My Love.mp3
[2009/04/12 02:14:29 | 07,463,485 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\R%f6yksopp - Vision One.mp3
[2009/04/11 00:04:02 | 02,933,719 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\DSC00582.JPG
[2009/04/10 23:41:28 | 03,028,070 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\DSC00581.JPG
[2009/04/10 21:21:40 | 03,348,850 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\DSC00580.JPG
[2009/04/10 21:18:56 | 03,123,322 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\DSC00578.JPG
[2009/04/10 19:23:02 | 00,041,808 | ---- | M] () -- C:\WINDOWS\System32\xfcodec.dll
[2009/04/07 21:50:36 | 00,019,968 | ---- | M] () -- C:\Documents and Settings\Server2003\My Documents\End of War.doc
[2009/04/07 21:38:37 | 00,020,480 | ---- | M] () -- C:\Documents and Settings\Server2003\My Documents\Sea Warfare.doc
[2009/04/07 21:14:50 | 00,020,480 | ---- | M] () -- C:\Documents and Settings\Server2003\My Documents\Air Warfare.doc
[2009/04/07 20:47:32 | 00,020,480 | ---- | M] () -- C:\Documents and Settings\Server2003\My Documents\Land Warfare.doc
[2009/04/07 20:31:46 | 00,020,480 | ---- | M] () -- C:\Documents and Settings\Server2003\My Documents\The Beginning of WWI.doc
[2009/04/06 15:32:54 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/06 15:32:46 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/05 20:30:55 | 00,000,098 | ---- | M] () -- C:\WINDOWS\Process Blocker ON.bat
[2009/04/05 00:01:55 | 00,022,328 | ---- | M] () -- C:\Documents and Settings\Server2003\Application Data\PnkBstrK.sys
[2009/03/31 00:08:55 | 00,000,120 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\httpfedveblubdu.cnhlegolnEJxV.1XVVJWUUE6EBWZAf5.AUMqBmPMBWCTAhs5R-YSU52DU9QNUKkVUGjRU0zLU.URL
[2009/03/29 22:16:19 | 00,004,509 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\1078849292.html
[2009/03/29 20:23:55 | 00,000,002 | ---- | M] () -- C:\USBoot.phase-II
[2009/03/29 20:23:54 | 00,000,012 | ---- | M] () -- C:\USBoot.SystemRoot
[2009/03/29 20:12:08 | 00,000,002 | ---- | M] () -- C:\USBoot.phase-I
[2009/03/29 19:44:51 | 00,000,443 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\NodEnabler 2.81.lnk
[2009/03/29 19:14:06 | 04,065,792 | ---- | M] (Geza Kovacs) -- C:\Documents and Settings\Server2003\Desktop\unetbootin-windows-319.exe
[2009/03/29 18:15:46 | 00,000,000 | -H-- | M] () -- C:\Documents and Settings\Server2003\My Documents\Default.rdp
[2009/03/29 17:25:37 | 00,000,683 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Opera.lnk
[2009/03/29 17:15:27 | 00,001,737 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox 3.1 Beta 3.lnk
[2009/03/29 13:55:04 | 00,000,600 | ---- | M] () -- C:\WINDOWS\Rtcw.INI
< End of report >


#2 XmichouX

  • Group: Retired Staff
  • Posts: 1,292
  • Joined: 18-June 08

Posted 10 May 2009 - 02:21 AM

Welcome to the site! :) My name's XmichouX and I'll be helping clean up your computer. :) I'm currently looking over your log. I am still in training here, so there might be a delay between my replies as they need to be checked by an expert before I can post them. I'll need a bit of time to research your log fully, so please bear with me.

Before we proceed to clean your computer of malware, let's go over some points that will help both of us and prevent damage to your computer:
  • To make sure that you receive an email when I reply to this topic, please click here and check that this topic is listed under Malware Removal - HijackThis™ Logs Go Here.
  • Please don't be afraid to ask questions! No question is considered dumb here. It's better to be safe than sorry!
  • When posting logs, please ensure Word Wrap is turned off in Notepad (to check, open Notepad, click Format and make sure Word Wrap is unchecked).
  • Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know.
  • NEVER fix anything in HijackThis or other programs on your own! This can be very dangerous and cause harm to your system. If you see a certain entry or program you're unsure about, please don't hesitate to ask!
  • Make sure you reply to this thread using the Add Reply button.


Please read this post completely; it may make things easier for you if you copy and paste it into a new text document or print it for reference later.


Regards,

#3 XmichouX

  • Group: Retired Staff
  • Posts: 1,292
  • Joined: 18-June 08

Posted 10 May 2009 - 09:05 AM

Hi,

1) Download Rooter.exe (Eric 71) to your Desktop.
  • Double-click Rooter.exe; a window will open, and you will need to wait.
  • Post the report that opens here.
Note: the report is saved at %SystemDrive%\Rooter.txt (%SystemDrive% being the partition where Windows is installed, typically C:\).

2)
  • Download OTListIt2 to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two Notepad windows, OTListIt.Txt and Extras.Txt. These are saved in the same location as OTListIt2.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them all in.


Regards,

#4 drholiday

  • Group: Member
  • Posts: 7
  • Joined: 26-April 09

Posted 11 May 2009 - 12:42 PM

Okay, Rooter did not work. It simply flashed a blue screen before exiting. I added a couple of numbers to the name and tried again, but it didn't seem to make a difference.

Here are the results for OTListIt2:

Quote

OTListIt logfile created on: 5/11/2009 2:38:50 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.15.6 Folder = C:\Documents and Settings\Server2003\Desktop
Windows Server 2003 DataCenter Edition Service Pack 2 (Version = 5.2.3790) - Type = NTServer
Internet Explorer (Version = 6.0.2900.2096)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.98 Mb Total Physical Memory | 679.54 Mb Available Physical Memory | 66.43% Memory free
2.42 Gb Paging File | 2.16 Gb Available in Paging File | 89.60% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.87 Gb Total Space | 48.89 Gb Free Space | 87.50% Space Free | Partition Type: NTFS
Drive D: | 149.04 Gb Total Space | 115.98 Gb Free Space | 77.82% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DELL
Current User Name: [Removed]
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
PRC - C:\Program Files\ESET\ESET Smart Security\ekrn.exe (ESET)
PRC - C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
PRC - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe (Raxco Software, Inc.)
PRC - C:\WINDOWS\system32\HPZipm12.exe (HP)
PRC - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe (Raxco Software, Inc.)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\Everything\Everything.exe ()
PRC - C:\Program Files\ESET\ESET Smart Security\egui.exe (ESET)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\No-IP\DUC20.exe (Vitalwerks LLC)
PRC - C:\Program Files\Opera 10 Preview\opera.exe (Opera Software)
PRC - C:\WINDOWS\system32\wbem\wmiprvse.exe (Microsoft Corporation)
PRC - C:\Documents and Settings\Server2003\Desktop\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (Ati HotKey Poller [Auto | Running]) -- C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
SRV - (ATI Smart [Auto | Stopped]) -- C:\WINDOWS\system32\ati2sgag.exe ()
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (Dfs [Disabled | Stopped]) -- C:\WINDOWS\system32\Dfssvc.exe (Microsoft Corporation)
SRV - (EhttpSrv [On_Demand | Stopped]) -- C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe (ESET)
SRV - (ekrn [Auto | Running]) -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe (ESET)
SRV - (IsmServ [Disabled | Stopped]) -- C:\WINDOWS\System32\ismserv.exe (Microsoft Corporation)
SRV - (LicenseService [Disabled | Stopped]) -- C:\WINDOWS\System32\llssrv.exe (Microsoft Corporation)
SRV - (NtFrs [Disabled | Stopped]) -- C:\WINDOWS\system32\ntfrs.exe (Microsoft Corporation)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (PDAgent [Auto | Running]) -- C:\Program Files\Raxco\PerfectDisk\PDAgent.exe (Raxco Software, Inc.)
SRV - (PDEngine [On_Demand | Running]) -- C:\Program Files\Raxco\PerfectDisk\PDEngine.exe (Raxco Software, Inc.)
SRV - (Pml Driver HPZ12 [Auto | Running]) -- C:\WINDOWS\system32\HPZipm12.exe (HP)
SRV - (Process Blocker [On_Demand | Stopped]) -- C:\Program Files\Process Blocker\Process Blocker.exe (Softros Systems, Inc.)
SRV - (RSoPProv [Disabled | Stopped]) -- C:\WINDOWS\system32\RSoPProv.exe (Microsoft Corporation)
SRV - (sacsvr [Disabled | Stopped]) -- C:\WINDOWS\system32\sacsvr.dll (Microsoft Corporation)
SRV - (TrkSvr [Disabled | Stopped]) -- C:\WINDOWS\system32\trksvr.dll (Microsoft Corporation)
SRV - (Tssdis [Disabled | Stopped]) -- C:\WINDOWS\System32\tssdis.exe (Microsoft Corporation)
SRV - (WMPNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (AliIde [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (ati2mtag [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ati2mtag.sys (ATI Technologies Inc.)
DRV - (BCMModem [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\BCMDM.sys (Broadcom Corporation)
DRV - (BrFiltLo [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\BrFiltLo.sys (Brother Industries, Ltd.)
DRV - (BrFiltUp [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\BrFiltUp.sys (Brother Industries, Ltd.)
DRV - (CmdIde [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (ctsfm2k [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys (Creative Technology Ltd)
DRV - (DefragFS [Boot | Running]) -- C:\WINDOWS\System32\drivers\DefragFs.sys (Raxco Software, Inc.)
DRV - (DfsDriver [Boot | Running]) -- C:\WINDOWS\system32\drivers\Dfs.sys (Microsoft Corporation)
DRV - (E100B [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\e100b325.sys (Intel Corporation)
DRV - (eamon [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\eamon.sys (ESET)
DRV - (easdrv [System | Running]) -- C:\WINDOWS\system32\DRIVERS\easdrv.sys (ESET)
DRV - (epfw [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\epfw.sys (ESET)
DRV - (Epfwndis [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\Epfwndis.sys (ESET)
DRV - (epfwtdi [System | Running]) -- C:\WINDOWS\system32\DRIVERS\epfwtdi.sys (ESET)
DRV - (HPZid412 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\HPZid412.sys (HP)
DRV - (HPZipr12 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\HPZipr12.sys (HP)
DRV - (HPZius12 [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\HPZius12.sys (HP)
DRV - (L8042Kbd [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys (Logitech Inc.)
DRV - (LVUSBSta [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\LVUSBSta.sys (Logitech Inc.)
DRV - (MODEMCSA [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys (Microsoft Corporation)
DRV - (ossrv [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ctoss2k.sys (Creative Technology Ltd.)
DRV - (P17 [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\P17.sys (Creative Technology Ltd.)
DRV - (PID_0928 [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\LV561AV.SYS (Logitech Inc.)
DRV - (Point32 [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\point32.sys (Microsoft Corporation)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (senfilt [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\senfilt.sys (Creative Technology Ltd.)
DRV - (SMBHC [System | Stopped]) -- C:\WINDOWS\system32\DRIVERS\SMBHC.sys (Microsoft Corporation)
DRV - (smwdm [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\smwdm.sys (Analog Devices, Inc.)
DRV - (SONYPVU1 [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS (Sony Corporation)
DRV - (tmcomm [Auto | Running]) -- C:\WINDOWS\system32\drivers\tmcomm.sys (Trend Micro Inc.)
DRV - (viamraid [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\viamraid.sys (VIA Technologies inc,.ltd)
DRV - (WLBS [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\wlbs.sys (Microsoft Corporation)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie_rsearch.html

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.0.2
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.6.4
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.10

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX 3.1 BETA 3\COMPONENTS [2009/04/30 21:56:48 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX 3.1 BETA 3\PLUGINS [2009/04/30 21:56:48 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.21\extensions\\Components: C:\PROGRAM FILES\MOZILLA THUNDERBIRD\COMPONENTS [2009/03/26 23:00:00 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.21\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA THUNDERBIRD\PLUGINS

[2009/03/29 17:15:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Server2003\Application Data\mozilla\Extensions
[2009/03/29 17:15:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Server2003\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/05/10 23:15:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Server2003\Application Data\mozilla\Firefox\Profiles\61449fxz.default\extensions
[2009/04/16 18:47:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Server2003\Application Data\mozilla\Firefox\Profiles\61449fxz.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/03/29 17:25:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Server2003\Application Data\mozilla\Firefox\Profiles\61449fxz.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}

O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice (ESET)
O4 - HKLM..\Run: [Everything] "C:\Program Files\Everything\Everything.exe" -startup ()
O4 - HKLM..\Run: [P17Helper] Rundll32 P17.dll,P17Helper ()
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\RunServices: [Windows Print Spooling] winrar.exe File not found
O4 - Startup: C:\Documents and Settings\Server2003\Start Menu\Programs\Startup\No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe (Vitalwerks LLC)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRemoteRecursiveEvents = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: MemCheckBoxInRunDlg = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuFavorites = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Start_ShowHelp = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Start_ShowMyComputer = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Start_ShowMyDocs = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Start_ShowMyMusic = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Start_ShowMyPics = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Start_ShowRun = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Start_ShowSearch = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 177
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: verbosestatus = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoInternetOpenWith = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoInternetIcon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceClassicControlPanel = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ClearRecentDocsOnExit = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartBanner = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: MemCheckBoxInRunDlg = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSharedDocuments = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecentDocsMenu = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O13 - ftp Prefix: missing
O13 - gopher Prefix: missing
O13 - home Prefix: missing
O13 - mosaic Prefix: missing
O13 - www Prefix: missing
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O27 - HKLM IFEO\Your Image File Name Here without a path: Debugger - File not found
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/02/13 11:28:10 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/04/19 22:13:29 | 00,000,340 | RHS- | M] () - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2009/04/19 22:13:29 | 00,000,401 | RHS- | M] () - D:\autorun.inf -- [ NTFS ]
O33 - MountPoints2\{4899969b-f9df-11dd-b6b9-806e6f6e6963}\Shell - "" = Autorun
O33 - MountPoints2\{4899969b-f9df-11dd-b6b9-806e6f6e6963}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{4899969b-f9df-11dd-b6b9-806e6f6e6963}\Shell\Open\command - "" = RECYCLER\S-8-0-43-100021053-100026924-100020910-5593.com c:\
O33 - MountPoints2\{8c82e7bc-f9ed-11dd-b0d9-0007e988a700}\Shell - "" = Autorun
O33 - MountPoints2\{8c82e7bc-f9ed-11dd-b0d9-0007e988a700}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{8c82e7bc-f9ed-11dd-b0d9-0007e988a700}\Shell\Open\command - "" = RECYCLER\S-1-3-91-100014821-100018072-100000857-2735.com g:\
O33 - MountPoints2\{a8764462-25fe-11de-9662-0007e988a700}\Shell - "" = Autorun
O33 - MountPoints2\{a8764462-25fe-11de-9662-0007e988a700}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{a8764462-25fe-11de-9662-0007e988a700}\Shell\Open\command - "" = RECYCLER\S-1-3-91-100014821-100018072-100000857-2735.com g:\
O34 - HKLM BootExecute: (PDBoot.exe) - C:\WINDOWS\system32\PDBoot.exe (Raxco Software, Inc.)
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[4 C:\WINDOWS\*.tmp files]
[2009/05/11 14:37:43 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Server2003\Desktop\OTListIt2.exe
[2009/05/11 14:36:16 | 00,267,612 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\Rooter.exe
[2009/05/11 14:35:21 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009/05/10 00:41:20 | 00,051,047 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\download.php
[2009/05/09 22:13:12 | 00,724,952 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\avenger.zip
[2009/05/09 22:08:57 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Server2003\Desktop\New Folder (2)
[2009/05/09 22:06:57 | 11,873,098 | ---- | C] (PortableAppZ.blogspot.com) -- C:\Documents and Settings\Server2003\Desktop\SpybotSD_Portable_1.6.2.46_MultiLang.paf.exe
[2009/05/09 13:18:55 | 04,123,212 | ---- | C] () -- C:\Documents and Settings\Server2003\My Documents\11_ Tan'nek.mp3
[2009/05/09 13:12:35 | 03,986,539 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\12_ Pak Sho.mp3
[2009/05/09 13:12:10 | 04,123,212 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\11_ Tan'nek.mp3
[2009/05/09 13:11:44 | 03,913,396 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\10_ Naz Nakon.mp3
[2009/05/09 13:11:03 | 03,549,772 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\09_ Bi To.mp3
[2009/05/09 13:10:33 | 04,349,328 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\08_ Dooset Daram.mp3
[2009/05/09 13:09:42 | 03,371,721 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\07_ Touloue Eshgh.mp3
[2009/05/09 13:09:26 | 03,923,009 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\06_ Sepideh.mp3
[2009/05/09 13:08:05 | 04,727,999 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\05_ Shak Nakon.mp3
[2009/05/09 13:07:46 | 03,933,458 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\04_ Kurdestan.mp3
[2009/05/09 13:07:10 | 03,160,234 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\03_ Avalin Negah.mp3
[2009/05/09 13:04:06 | 03,003,917 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\02_ Sher O Ghazal.mp3
[2009/05/09 09:12:19 | 03,712,776 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\12_ Zareh Zareh.mp3
[2009/05/09 09:04:09 | 03,465,762 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\11_ Del Farib.mp3
[2009/05/09 08:43:02 | 03,424,384 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\10_ Mano Tou.mp3
[2009/05/09 08:42:41 | 03,524,694 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\09_ Jazebeh.mp3
[2009/05/09 08:36:52 | 03,288,129 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\08_ Velesh Kon.mp3
[2009/05/09 08:26:55 | 03,540,577 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\07_ Kam Kam.mp3
[2009/05/09 08:23:57 | 03,156,054 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\06_ Aab Baba Bar.mp3
[2009/05/09 08:20:46 | 03,706,924 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\05_ Entezar.mp3
[2009/05/09 08:15:03 | 04,548,276 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\04_ Doostam Nadari.mp3
[2009/05/09 08:12:44 | 03,662,203 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\03_ Atre Nafashat (Didar).mp3
[2009/05/09 08:09:05 | 03,540,577 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\02_ Bimarami.mp3
[2009/05/09 08:07:40 | 03,004,335 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\01_ Yeki Yeki.mp3
[2009/05/02 13:08:47 | 18,686,947 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\Shahab Tiam - Zaraban.zip
[2009/04/30 21:18:40 | 03,685,191 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\04_ Elahi Ghorbunet Beram.mp3
[2009/04/30 21:14:36 | 04,137,004 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\03_ Gol E Goldoon.mp3
[2009/04/26 23:15:09 | 10,844,707 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\love_lockdown.mp3
[2009/04/26 23:14:32 | 11,126,421 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\Love Lockdown (T-Wrecks Remix).mp3
[2009/04/26 23:14:26 | 11,343,607 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\love_lockdown_chew_fu_small_room_fix.mp3
[2009/04/26 23:14:20 | 06,666,224 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\Love Lockdown (Doctor Rosen Rosen REMIX).mp3
[2009/04/26 21:35:23 | 00,389,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\cmd.execf
[2009/04/26 19:02:05 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/26 19:02:05 | 00,000,728 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/26 19:02:03 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/26 19:02:01 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/04/26 18:25:41 | 38,250,496 | ---- | C] ( ) -- C:\Documents and Settings\Server2003\Desktop\setup_7.0.0.290_26.04.2009_08-50.exe
[2009/04/26 18:04:33 | 00,102,664 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2009/04/26 17:56:58 | 00,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2009/04/26 17:50:39 | 00,000,000 | ---D | C] -- C:\Program Files\Java
[2009/04/26 17:48:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Server2003\Application Data\Sun
[2009/04/26 17:34:06 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2009/04/26 17:34:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/04/26 17:33:04 | 02,967,800 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Server2003\Desktop\mbam-setup.exe
[2009/04/26 17:30:21 | 16,409,960 | ---- | C] (Safer Networking Limited ) -- C:\Documents and Settings\Server2003\Desktop\spybotsd162.exe
[2009/04/26 16:48:30 | 00,001,766 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\HijackThis.lnk
[2009/04/26 16:48:30 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/04/19 02:00:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Server2003\Desktop\New Folder
[2009/04/18 22:36:05 | 00,001,737 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/04/18 12:56:19 | 00,000,000 | ---D | C] -- C:\spoolerlogs
[2009/04/12 13:08:15 | 00,057,344 | -HS- | C] () -- C:\Documents and Settings\Server2003\Desktop\Thumbs.db
[2009/04/12 12:57:50 | 02,933,719 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\DSC00582.JPG
[2009/04/12 12:57:43 | 03,028,070 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\DSC00581.JPG
[2009/04/12 12:57:36 | 03,348,850 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\DSC00580.JPG
[2009/04/12 12:57:29 | 03,123,322 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\DSC00578.JPG
[2009/04/12 11:21:47 | 03,156,293 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\MehdiHosseini-DjBeManFazBede128.mp3
[2009/04/12 02:13:43 | 11,581,120 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\royksopp2.mp3
[2009/04/12 02:13:33 | 07,463,485 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\R%f6yksopp - Vision One.mp3
[2009/04/10 19:23:02 | 00,041,808 | ---- | C] () -- C:\WINDOWS\System32\xfcodec.dll
[2009/03/29 20:06:21 | 00,398,824 | ---- | C] () -- C:\WINDOWS\System32\ubsvcgd.sys
[2009/03/29 20:06:21 | 00,234,984 | ---- | C] () -- C:\WINDOWS\System32\ubdevgd.dll
[2009/03/29 20:06:21 | 00,104,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\ubarcgd.sys
[2009/03/29 20:06:21 | 00,042,344 | ---- | C] () -- C:\WINDOWS\System32\drivers\ubdrvgd.sys
[2009/03/07 10:22:48 | 00,000,600 | ---- | C] () -- C:\WINDOWS\Rtcw.INI
[2009/02/13 15:10:25 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/02/13 14:18:31 | 00,000,433 | ---- | C] () -- C:\WINDOWS\xccwinsys.ini
[2009/02/13 13:51:32 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/02/13 13:51:31 | 00,067,584 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/02/13 12:37:32 | 00,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2009/02/13 11:31:36 | 00,462,848 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2009/02/13 11:15:02 | 00,048,205 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2009/02/13 11:10:38 | 00,064,512 | ---- | C] () -- C:\WINDOWS\System32\P17.dll
[2009/02/13 11:10:38 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\P17CPI.dll
[2009/02/13 11:10:32 | 00,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\A3d.dll
[2009/02/13 11:10:18 | 00,006,307 | ---- | C] () -- C:\WINDOWS\System32\Ludap17.ini
[2009/02/13 11:10:18 | 00,000,054 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2007/05/07 08:00:00 | 00,179,577 | ---- | C] () -- C:\WINDOWS\System32\schema.ini
[2007/05/07 08:00:00 | 00,024,819 | ---- | C] () -- C:\WINDOWS\System32\ntdsctrs.ini
[2007/05/07 08:00:00 | 00,020,386 | ---- | C] () -- C:\WINDOWS\System32\ntfrsrep.ini
[2007/05/07 08:00:00 | 00,011,817 | ---- | C] () -- C:\WINDOWS\System32\iasperf.ini
[2007/05/07 08:00:00 | 00,011,030 | ---- | C] () -- C:\WINDOWS\System32\ipsecprf.ini
[2007/05/07 08:00:00 | 00,005,597 | ---- | C] () -- C:\WINDOWS\System32\ntfrscon.ini
[2007/05/07 08:00:00 | 00,000,603 | ---- | C] () -- C:\WINDOWS\win.ini
[2007/05/07 08:00:00 | 00,000,231 | ---- | C] () -- C:\WINDOWS\system.ini
[2003/01/07 11:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[2009/05/11 14:37:50 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Server2003\Desktop\OTListIt2.exe
[2009/05/11 14:36:51 | 00,453,260 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/05/11 14:36:51 | 00,391,330 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/05/11 14:36:51 | 00,055,640 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/05/11 14:36:39 | 00,267,612 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\Rooter.exe
[2009/05/11 14:32:56 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\Server2003\Local Settings\desktop.ini
[2009/05/11 14:32:49 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/05/11 14:32:41 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/05/11 14:32:40 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/05/10 12:00:00 | 00,000,250 | ---- | M] () -- C:\WINDOWS\tasks\Process Blocker ON.job
[2009/05/10 00:41:20 | 00,051,047 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\download.php
[2009/05/09 22:13:25 | 00,724,952 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\avenger.zip
[2009/05/09 22:08:32 | 11,873,098 | ---- | M] (PortableAppZ.blogspot.com) -- C:\Documents and Settings\Server2003\Desktop\SpybotSD_Portable_1.6.2.46_MultiLang.paf.exe
[2009/05/09 13:15:56 | 04,123,212 | ---- | M] () -- C:\Documents and Settings\Server2003\My Documents\11_ Tan'nek.mp3
[2009/05/09 13:15:55 | 04,123,212 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\11_ Tan'nek.mp3
[2009/05/09 13:15:45 | 03,986,539 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\12_ Pak Sho.mp3
[2009/05/09 13:15:04 | 03,913,396 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\10_ Naz Nakon.mp3
[2009/05/09 13:14:22 | 04,349,328 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\08_ Dooset Daram.mp3
[2009/05/09 13:14:10 | 03,549,772 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\09_ Bi To.mp3
[2009/05/09 13:12:28 | 03,923,009 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\06_ Sepideh.mp3
[2009/05/09 13:12:24 | 03,371,721 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\07_ Touloue Eshgh.mp3
[2009/05/09 13:12:01 | 04,727,999 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\05_ Shak Nakon.mp3
[2009/05/09 13:10:23 | 03,933,458 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\04_ Kurdestan.mp3
[2009/05/09 13:09:02 | 03,160,234 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\03_ Avalin Negah.mp3
[2009/05/09 13:06:22 | 03,003,917 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\02_ Sher O Ghazal.mp3
[2009/05/09 12:35:15 | 03,712,776 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\12_ Zareh Zareh.mp3
[2009/05/09 09:20:28 | 03,465,762 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\11_ Del Farib.mp3
[2009/05/09 09:12:10 | 03,524,694 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\09_ Jazebeh.mp3
[2009/05/09 09:03:53 | 03,288,129 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\08_ Velesh Kon.mp3
[2009/05/09 08:43:29 | 03,424,384 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\10_ Mano Tou.mp3
[2009/05/09 08:42:01 | 03,156,054 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\06_ Aab Baba Bar.mp3
[2009/05/09 08:36:36 | 03,706,924 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\05_ Entezar.mp3
[2009/05/09 08:27:28 | 03,540,577 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\07_ Kam Kam.mp3
[2009/05/09 08:26:43 | 04,548,276 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\04_ Doostam Nadari.mp3
[2009/05/09 08:20:31 | 03,662,203 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\03_ Atre Nafashat (Didar).mp3
[2009/05/09 08:12:25 | 03,540,577 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\02_ Bimarami.mp3
[2009/05/09 08:12:07 | 03,004,335 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\01_ Yeki Yeki.mp3
[2009/05/02 13:19:03 | 18,686,947 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\Shahab Tiam - Zaraban.zip
[2009/05/01 16:00:00 | 00,000,252 | ---- | M] () -- C:\WINDOWS\tasks\Process Blocker OFF.job
[2009/04/30 21:19:05 | 03,685,191 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\04_ Elahi Ghorbunet Beram.mp3
[2009/04/30 21:15:07 | 04,137,004 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\03_ Gol E Goldoon.mp3
[2009/04/26 23:18:40 | 10,844,707 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\love_lockdown.mp3
[2009/04/26 23:18:13 | 11,343,607 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\love_lockdown_chew_fu_small_room_fix.mp3
[2009/04/26 23:18:11 | 11,126,421 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\Love Lockdown (T-Wrecks Remix).mp3
[2009/04/26 23:16:20 | 06,666,224 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\Love Lockdown (Doctor Rosen Rosen REMIX).mp3
[2009/04/26 21:35:44 | 00,389,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\cmd.execf
[2009/04/26 21:09:00 | 00,532,872 | ---- | M] () -- C:\WINDOWS\ubsvcgd.dat
[2009/04/26 19:02:05 | 00,000,728 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/26 18:30:14 | 38,250,496 | ---- | M] ( ) -- C:\Documents and Settings\Server2003\Desktop\setup_7.0.0.290_26.04.2009_08-50.exe
[2009/04/26 18:02:24 | 00,102,664 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2009/04/26 17:51:14 | 00,451,784 | ---- | M] () -- C:\WINDOWS\ubdevgd.dat
[2009/04/26 17:33:34 | 02,967,800 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Server2003\Desktop\mbam-setup.exe
[2009/04/26 17:33:05 | 16,409,960 | ---- | M] (Safer Networking Limited ) -- C:\Documents and Settings\Server2003\Desktop\spybotsd162.exe
[2009/04/26 16:48:30 | 00,001,766 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\HijackThis.lnk
[2009/04/23 21:51:05 | 00,057,344 | -HS- | M] () -- C:\Documents and Settings\Server2003\Desktop\Thumbs.db
[2009/04/20 21:31:44 | 1,072,812,032 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP
[2009/04/19 22:13:29 | 00,000,340 | RHS- | M] () -- C:\autorun.inf
[2009/04/18 22:36:05 | 00,001,737 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/04/18 21:17:31 | 00,039,936 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\gxvxcserv.sys
[2009/04/15 17:18:13 | 00,189,784 | ---- | M] () -- C:\WINDOWS\System32\PnkBstrB.xtr
[2009/04/15 00:21:50 | 00,000,020 | ---- | M] () -- C:\WINDOWS\System32\PDBootState
[2009/04/13 21:36:35 | 03,156,293 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\MehdiHosseini-DjBeManFazBede128.mp3
[2009/04/13 00:00:26 | 00,000,097 | ---- | M] () -- C:\WINDOWS\Process Blocker OFF.bat
[2009/04/12 13:46:21 | 11,581,120 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\royksopp2.mp3
[2009/04/12 11:26:44 | 03,448,207 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\05 - Takin Back My Love.mp3
[2009/04/12 02:14:29 | 07,463,485 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\R%f6yksopp - Vision One.mp3

========== LOP Check ==========

[2009/05/09 22:14:50 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2009/02/13 15:10:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
[2009/02/14 20:43:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ATI
[2009/02/13 12:50:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET
[2009/04/04 23:54:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\id Software
[2009/02/13 14:41:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/02/13 15:09:14 | 00,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2009/02/13 11:43:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Raxco
[2009/02/23 11:09:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Skype
[2009/04/26 17:57:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/04/26 17:48:42 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Server2003\Application Data
[2009/02/13 15:29:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Server2003\Application Data\Adobe
[2009/02/14 20:43:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Server2003\Application Data\ATI
[2009/02/13 12:51:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Server2003\Application Data\ESET
[2009/02/14 16:37:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Server2003\Application Data\GetRightToGo
[2009/02/13 14:56:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Server2003\Application Data\gtk-2.0
[2009/02/13 11:34:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Server2003\Application Data\Help
[2009/04/05 00:04:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Server2003\Application Data\id Software
[2009/02/14 12:45:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Server2003\Application Data\ImgBurn
[2009/02/13 11:40:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Server2003\Application Data\Macromedia
[2009/02/13 14:41:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Server2003\Application Data\Malwarebytes
[2009/04/03 21:25:10 | 00,000,000 | --SD | M] -- C:\Documents and Settings\Server2003\Application Data\Microsoft
[2009/03/29 13:44:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Server2003\Application Data\Mozilla
[2009/03/29 17:25:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Server2003\Application Data\Opera
[2009/02/24 19:27:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Server2003\Application Data\Skype
[2009/02/23 11:10:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Server2003\Application Data\skypePM
[2009/04/26 17:48:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Server2003\Application Data\Sun
[2009/02/13 11:48:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Server2003\Application Data\Talkback
[2009/02/13 11:48:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Server2003\Application Data\Thunderbird
[2009/05/03 23:45:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Server2003\Application Data\uTorrent
[2009/04/13 18:21:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Server2003\Application Data\Xfire
[2007/05/07 08:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/05/01 16:00:00 | 00,000,252 | ---- | M] () -- C:\WINDOWS\Tasks\Process Blocker OFF.job
[2009/05/10 12:00:00 | 00,000,250 | ---- | M] () -- C:\WINDOWS\Tasks\Process Blocker ON.job
[2009/05/11 14:32:41 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT
[2009/05/10 23:51:55 | 00,032,608 | ---- | M] () -- C:\WINDOWS\Tasks\SchedLgU.Txt

========== Purity Check ==========

< End of report >


Quote

OTListIt Extras logfile created on: 5/11/2009 2:38:50 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.15.6 Folder = C:\Documents and Settings\Server2003\Desktop
Windows Server 2003 DataCenter Edition Service Pack 2 (Version = 5.2.3790) - Type = NTServer
Internet Explorer (Version = 6.0.2900.2096)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.98 Mb Total Physical Memory | 679.54 Mb Available Physical Memory | 66.43% Memory free
2.42 Gb Paging File | 2.16 Gb Available in Paging File | 89.60% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.87 Gb Total Space | 48.89 Gb Free Space | 87.50% Space Free | Partition Type: NTFS
Drive D: | 149.04 Gb Total Space | 115.98 Gb Free Space | 77.82% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DELL
Current User Name: [Removed]
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = Opera.HTML] -- C:\Program Files\Opera 10 Preview\opera.exe (Opera Software)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = Opera.HTML] -- Reg Error: Key error. File not found

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent (BitTorrent, Inc.)
"Ôø" = Ôø:*:Enabled:Windows Print Spooling
C:\Program Files\Wolfenstein - Enemy Territory\ET.exe:*:Enabled:ET File not found
C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype (Skype Technologies S.A.)
C:\Program Files\abgx360\abgx360gui.exe:*:Enabled:abgx360 GUI ()
C:\Program Files\Xfire\Xfire.exe:*:Enabled:Xfire (Xfire Inc.)
C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA File not found
C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB File not found
C:\Program Files\Mozilla Firefox 3.1 Beta 3\firefox.exe:*:Enabled:Firefox (Mozilla Corporation)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{0965D484-1777-4BA5-8C3A-095A6B0D2696}_is1" = Driver Sweeper 1.5.5
"{0DC86BEC-5CE3-413A-BB61-C40A3D186B24}" = Scan
"{212F5777-1190-4DEF-8E4D-6B2F313B45E7}" = PerfectDisk
"{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}" = Skype™ 4.0
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 13
"{2A947CBB-4F5E-38D8-F49E-6C2C0D9D848E}" = Catalyst Control Center Graphics Previews Common
"{2FC1B3A7-9BD2-48B2-B05E-43243C72FFB7}" = Process Blocker
"{30DE45EC-48B3-7617-193A-7B4CDCE18D22}" = Skins
"{423CF09F-11C9-410E-9B1A-31E087CED383}" = Opera 10.00
"{4CEBE5E6-D1FD-4BDF-8C9C-29A9A3CC2B7C}" = ESET Smart Security
"{4F34C602-4D6D-470D-A2A0-59E4F25DDBF2}" = Orca
"{5469D537-9B44-4c78-BF2D-5F9807564F74}" = HP PSC & OfficeJet 4.7
"{5C08205C-C9E0-A607-9EB1-EB0D7C5659B3}" = Catalyst Control Center Core Implementation
"{655CB07D-C944-40BE-B93F-55957CAC7625}" = AiO_Scan
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8CADD3F6-E808-4D48-893D-797B4849DE72}" = Quake Live Mozilla Plugin
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90A2EB5A-8446-1554-235A-D174E39AF4E5}" = Catalyst Control Center Graphics Full Existing
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B48442EE-FF84-3A89-CA50-EA2D1C64733E}" = ccc-utility
"{CC1086AD-1635-01EF-3137-04AB16B46F9F}" = ccc-core-preinstall
"{D01B4212-C867-9074-217D-B40BB5A578FE}" = Catalyst Control Center Graphics Full New
"{D3B1C799-CB73-42DE-BA0F-2344793A095C}" = Catalyst Control Center - Branding
"{DCFF3DB2-0E96-6DF5-DF22-AB1C18CF5E86}" = Catalyst Control Center Graphics Light
"{DE9D0AF5-08ED-70A5-66FA-4C3B3E2A85E8}" = Catalyst Control Center HydraVision Full
"{F104E135-A5EF-9551-4924-2A7B94DDDADF}" = ccc-core-static
"{FBB6D1D6-BD35-50E0-37B7-375BAB8E199B}" = CCC Help English
"7-Zip" = 7-Zip 4.65
"abgx360" = abgx360 v1.0.0
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"CCleaner" = CCleaner (remove only)
"Everything" = Everything 1.2.1.355
"ffdshow_is1" = ffdshow [rev 2676] [2009-02-11]
"HijackThis" = HijackThis 2.0.2
"HP Photo & Imaging" = HP Image Zone 4.7
"ImgBurn" = ImgBurn
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"Mozilla Firefox (3.0.10)" = Mozilla Firefox (3.0.10)
"Mozilla Thunderbird (2.0.0.21)" = Mozilla Thunderbird (2.0.0.21)
"No-IP.com DUC" = No-IP.com DUC (remove only)
"PROSet" = Intel® PRO Network Connections Drivers
"SelfImage" = SelfImage 1.2.1
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Xfire" = Xfire (remove only)

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/13/2009 12:14:57 PM | Computer Name = HOME-3857C70AD5 | Source = MsiInstaller | ID = 11719
Description = Product: ESET Smart Security -- Error 1719. The Windows Installer
Service could not be accessed. This can occur if you are running Windows in safe
mode, or if the Windows Installer is not correctly installed. Contact your support
personnel for assistance.

Error - 2/13/2009 12:15:23 PM | Computer Name = HOME-3857C70AD5 | Source = MsiInstaller | ID = 11719
Description = Product: ESET Smart Security -- Error 1719. The Windows Installer
Service could not be accessed. This can occur if you are running Windows in safe
mode, or if the Windows Installer is not correctly installed. Contact your support
personnel for assistance.

Error - 2/13/2009 12:30:46 PM | Computer Name = HOME-3857C70AD5 | Source = MsiInstaller | ID = 11719
Description = Product: Scan -- Error 1719.The Windows Installer Service could not
be accessed. This can occur if you are running Windows in safe mode, or if the
Windows Installer is not correctly installed. Contact your support personnel for
assistance.

Error - 2/13/2009 3:39:23 PM | Computer Name = HOME-3857C70AD5 | Source = MsiInstaller | ID = 10005
Description = Product: ESET Smart Security -- Error 5003. This product version is
not intended for server operating systems.

Error - 2/14/2009 8:37:14 PM | Computer Name = DELL | Source = VSS | ID = 8211
Description = Volume Shadow Copy Service error: Writer with name WMI Writer and
ID {a6ad56c2-b509-4e6c-bb19-49d8f43532f0} attempted to subscribe in safe mode.

Error - 2/14/2009 9:24:00 PM | Computer Name = DELL | Source = VSS | ID = 8211
Description = Volume Shadow Copy Service error: Writer with name WMI Writer and
ID {a6ad56c2-b509-4e6c-bb19-49d8f43532f0} attempted to subscribe in safe mode.

Error - 2/17/2009 4:36:59 AM | Computer Name = DELL | Source = MsiInstaller | ID = 11309
Description = Product: Microsoft Office Professional Edition 2003 -- Error 1309.
Error reading from file: C:\DOCUME~1\SERVER~1\LOCALS~1\Temp\7zS3A.tmp\FILES\PFILES\COMMON\MSSHARED\TEXTCONV\WPEQU532.DLL.
System error 3. Verify that the file exists and that you can access it.

Error - 2/17/2009 4:37:02 AM | Computer Name = DELL | Source = MsiInstaller | ID = 11309
Description = Product: Microsoft Office Professional Edition 2003 -- Error 1309.
Error reading from file: C:\DOCUME~1\SERVER~1\LOCALS~1\Temp\7zS3A.tmp\FILES\PFILES\COMMON\MSSHARED\TEXTCONV\WPFT532.CNV.
System error 3. Verify that the file exists and that you can access it.

Error - 2/17/2009 4:37:38 AM | Computer Name = DELL | Source = MsiInstaller | ID = 11309
Description = Product: Microsoft Office Professional Edition 2003 -- Error 1309.
Error reading from file: C:\DOCUME~1\SERVER~1\LOCALS~1\Temp\7zS3A.tmp\FILES\PFILES\COMMON\MSSHARED\TEXTCONV\WPEQU532.DLL.
System error 3. Verify that the file exists and that you can access it.

Error - 4/26/2009 5:37:57 PM | Computer Name = DELL | Source = VSS | ID = 8211
Description = Volume Shadow Copy Service error: Writer with name WMI Writer and
ID {a6ad56c2-b509-4e6c-bb19-49d8f43532f0} attempted to subscribe in safe mode.

[ System Events ]
Error - 4/26/2009 4:49:51 PM | Computer Name = DELL | Source = Ntfs | ID = 262199
Description = The file system structure on the disk is corrupt and unusable. Please
run the chkdsk utility on the volume C:.

Error - 4/26/2009 4:49:51 PM | Computer Name = DELL | Source = Ntfs | ID = 262199
Description = The file system structure on the disk is corrupt and unusable. Please
run the chkdsk utility on the volume C:.

Error - 4/26/2009 5:38:30 PM | Computer Name = DELL | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 4/26/2009 5:39:30 PM | Computer Name = DELL | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
easdrv Fips

Error - 5/9/2009 8:44:19 PM | Computer Name = DELL | Source = TermServDevices | ID = 1111
Description = Driver Microsoft Shared Fax Driver required for printer Fax is unknown.
Contact the administrator to install the driver before you log in again.

Error - 5/9/2009 8:44:19 PM | Computer Name = DELL | Source = TermServDevices | ID = 1111
Description = Driver Epson Stylus CX6400 (M) required for printer Epson Stylus CX6400
(M) is unknown. Contact the administrator to install the driver before you log
in again.

Error - 5/9/2009 8:44:34 PM | Computer Name = DELL | Source = TermServDevices | ID = 1111
Description = Driver Microsoft XPS Document Writer required for printer Microsoft
XPS Document Writer is unknown. Contact the administrator to install the driver
before you log in again.

Error - 5/10/2009 10:28:08 PM | Computer Name = DELL | Source = TermServDevices | ID = 1111
Description = Driver Microsoft Shared Fax Driver required for printer Fax is unknown.
Contact the administrator to install the driver before you log in again.

Error - 5/10/2009 10:28:16 PM | Computer Name = DELL | Source = TermServDevices | ID = 1111
Description = Driver Epson Stylus CX6400 (M) required for printer Epson Stylus CX6400
(M) is unknown. Contact the administrator to install the driver before you log
in again.

Error - 5/10/2009 10:28:17 PM | Computer Name = DELL | Source = TermServDevices | ID = 1111
Description = Driver Microsoft XPS Document Writer required for printer Microsoft
XPS Document Writer is unknown. Contact the administrator to install the driver
before you log in again.


< End of report >


I understand that this program looks for things based on age. I noticed there was a 30 day history setting - it may help to know that this has been going on for a bit more than a month.

#5 XmichouX

  • Group: Retired Staff
  • Posts: 1,292
  • Joined: 18-June 08

Posted 12 May 2009 - 01:08 PM

Hi,

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------
* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools


  • Double click on ComboFix.exe & follow the prompts.


  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

Regards,

#6 drholiday

  • Group: Member
  • Posts: 7
  • Joined: 26-April 09

Posted 12 May 2009 - 01:42 PM

ComboFix is incompatible with Windows 2003. Is there an alternative?

#7 XmichouX

  • Group: Retired Staff
  • Posts: 1,292
  • Joined: 18-June 08

Posted 14 May 2009 - 10:22 AM

Hi,

In the future, please don't quote the reports.

I can see P2P software on your computer. P2P is nowadays the number one vector of infections. I strongly advise you to remove it.

Quote

[2009/05/09 22:13:12 | 00,724,952 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\avenger.zip

I want you to delete this file. Please don't use tools without supervision, especially tools like that.

1)
  • Download Flash_Disinfector.exe by sUBs from here and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you run it. Don't delete this folder...it will help protect your drives from future infection.


2) Run OTList2.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :Services
    gxvxcserv.sys
    
    :OTLI
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O4 - HKLM..\RunServices: [Windows Print Spooling] winrar.exe File not found
    O32 - AutoRun File - [2009/04/19 22:13:29 | 00,000,340 | RHS- | M] () - C:\autorun.inf -- [ NTFS ]
    O32 - AutoRun File - [2009/04/19 22:13:29 | 00,000,401 | RHS- | M] () - D:\autorun.inf -- [ NTFS ]
    O33 - MountPoints2\{4899969b-f9df-11dd-b6b9-806e6f6e6963}\Shell - "" = Autorun
    O33 - MountPoints2\{4899969b-f9df-11dd-b6b9-806e6f6e6963}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{4899969b-f9df-11dd-b6b9-806e6f6e6963}\Shell\Open\command - "" = RECYCLER\S-8-0-43-100021053-100026924-100020910-5593.com c:\
    O33 - MountPoints2\{8c82e7bc-f9ed-11dd-b0d9-0007e988a700}\Shell - "" = Autorun
    O33 - MountPoints2\{8c82e7bc-f9ed-11dd-b0d9-0007e988a700}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{8c82e7bc-f9ed-11dd-b0d9-0007e988a700}\Shell\Open\command - "" = RECYCLER\S-1-3-91-100014821-100018072-100000857-2735.com g:\
    O33 - MountPoints2\{a8764462-25fe-11de-9662-0007e988a700}\Shell - "" = Autorun
    O33 - MountPoints2\{a8764462-25fe-11de-9662-0007e988a700}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{a8764462-25fe-11de-9662-0007e988a700}\Shell\Open\command - "" = RECYCLER\S-1-3-91-100014821-100018072-100000857-2735.com g:\
    [2009/02/13 14:18:31 | 00,000,433 | ---- | C] () -- C:\WINDOWS\xccwinsys.ini
    [2009/04/26 21:09:00 | 00,532,872 | ---- | M] () -- C:\WINDOWS\ubsvcgd.dat
    [2009/04/26 17:51:14 | 00,451,784 | ---- | M] () -- C:\WINDOWS\ubdevgd.dat
    [2009/04/18 21:17:31 | 00,039,936 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\gxvxcserv.sys
    
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL2 log ( don't check the boxes beside LOP Check or Purity this time )


3) Please download SmitfraudFix (by S!Ri) to your Desktop.

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.

Reboot into normal mode.

4) Double-click on SmitfraudFix.exe
Select option #5 - by typing 5.

This option will restore your legitimate DNS servers and clean the fake DNS servers you have.

A report will appear; please post it here.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Regards,
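
Added example (not from this thread, and not part of OTListIt, Flash_Disinfector or any other tool named here): a small Python script that reads the O6/O7/O32/O33 lines of an OTListIt log and flags the autorun indicators the fix above targets. It decodes NoDriveTypeAutoRun as the bitmask of drive types for which AutoRun is disabled (bit values taken from the GetDriveType DRIVE_* constants), reports autorun.inf files at drive roots, tells a real autorun.inf file apart from a Flash_Disinfector-style immunisation folder using the R/H/S/D attribute field as it appears in the log lines above, and flags MountPoints2 Open\command handlers that launch an executable out of RECYCLER or with a SID-looking name. The sample input is copied from the log in this thread except for the E:\autorun.inf line, which is constructed to show what an immunisation folder looks like in the same format.

```python
import re
from dataclasses import dataclass

# Sample input: O6/O7/O32/O33 lines copied from the OTListIt log in this thread, plus one
# CONSTRUCTED line (E:\autorun.inf as a directory, attribute field "RHSD") to show what a
# Flash_Disinfector-style immunisation folder looks like in the same log format.
SAMPLE_LOG = r"""
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 177
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O32 - AutoRun File - [2009/04/19 22:13:29 | 00,000,340 | RHS- | M] () - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2009/04/19 22:13:29 | 00,000,401 | RHS- | M] () - D:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2009/02/13 11:28:10 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/05/14 19:00:00 | 00,000,000 | RHSD | C] () - E:\autorun.inf -- [ FAT32 ]
O33 - MountPoints2\{4899969b-f9df-11dd-b6b9-806e6f6e6963}\Shell\Open\command - "" = RECYCLER\S-8-0-43-100021053-100026924-100020910-5593.com c:\
O33 - MountPoints2\{8c82e7bc-f9ed-11dd-b0d9-0007e988a700}\Shell\Open\command - "" = RECYCLER\S-1-3-91-100014821-100018072-100000857-2735.com g:\
O33 - MountPoints2\{a8764462-25fe-11de-9662-0007e988a700}\Shell\Open\command - "" = RECYCLER\S-1-3-91-100014821-100018072-100000857-2735.com g:\
"""

# NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is DISABLED.
# Bit n corresponds to GetDriveType() return value n (DRIVE_UNKNOWN=0 ... DRIVE_RAMDISK=6).
DRIVE_TYPE_BITS = (
    (0x01, "unknown"), (0x02, "no_root_dir"), (0x04, "removable"), (0x08, "fixed"),
    (0x10, "remote"), (0x20, "cdrom"), (0x40, "ramdisk"), (0x80, "reserved"),
)

POLICY_RE = re.compile(r"^O[67] - (?P<hive>HKLM|HKCU)\\.*?NoDriveTypeAutoRun = (?P<value>\d+)\s*$")
# OTL O32 line: [stamp | size | attrs | M/C] () - path -- [ fs ]; attrs field is R/H/S/D or '-'.
O32_RE = re.compile(
    r"^O32 - AutoRun File - \[(?P<stamp>[^|]+?)\s*\|\s*(?P<size>[\d,]+)\s*\|\s*"
    r"(?P<attrs>[RHSD-]{4})\s*\|\s*[MC]\] \(\) - (?P<path>.+?) -- \[")
O33_RE = re.compile(
    r'^O33 - MountPoints2\\\{(?P<guid>[0-9a-fA-F-]+)\}\\Shell\\Open\\command - "" = (?P<command>.+?)\s*$')
# Worm droppers in this family name themselves like a SID: S-x-y-z-...-nnnn.com
SID_NAME_RE = re.compile(r"S-\d+-\d+-\d+(?:-\d+)+\.(?:com|exe|scr|pif|bat)\b", re.IGNORECASE)


def autorun_enabled_drive_types(mask: int) -> list:
    """Drive types whose AutoRun is still enabled under the given NoDriveTypeAutoRun value."""
    return [name for bit, name in DRIVE_TYPE_BITS if not mask & bit]


@dataclass
class Finding:
    kind: str
    detail: str
    line: str


def analyse(log_text: str) -> list:
    """Walk the log once and collect autorun-related findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            enabled = autorun_enabled_drive_types(int(m["value"]))
            if enabled:
                findings.append(Finding(
                    "autorun_policy_gap",
                    f"{m['hive']} NoDriveTypeAutoRun={m['value']} still allows AutoRun on: {', '.join(enabled)}",
                    line))
            continue
        m = O32_RE.match(line)
        if m:
            path, attrs = m["path"], m["attrs"]
            if path.lower().endswith("\\autorun.inf"):
                if "D" in attrs:
                    # A directory named autorun.inf stops a worm from writing its own file there.
                    findings.append(Finding("autorun_inf_immunised", f"{path} is a directory", line))
                else:
                    size = int(m["size"].replace(",", ""))
                    hidden = ", hidden+system" if ("H" in attrs and "S" in attrs) else ""
                    findings.append(Finding("autorun_inf_file", f"{path} is a file ({size} bytes{hidden})", line))
            continue
        m = O33_RE.match(line)
        if m:
            cmd = m["command"]
            reasons = []
            if re.search(r"(^|\\)RECYCLER\\", cmd, re.IGNORECASE):
                reasons.append("launches from RECYCLER")
            if SID_NAME_RE.search(cmd):
                reasons.append("SID-like executable name")
            if reasons:
                findings.append(Finding(
                    "mountpoint_autorun_handler",
                    f"{{{m['guid']}}}: {cmd} ({'; '.join(reasons)})", line))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```

On the log above this reports that the HKLM policy value 177 (0xB1) still leaves AutoRun on for removable and fixed drives, which is exactly the gap a USB/hard-drive autorun.inf worm needs, while the HKCU value 255 disables it for every type; it flags C:\autorun.inf and D:\autorun.inf as hidden+system files, and all three MountPoints2 handlers as RECYCLER launchers. The same check is worth re-running on the post-fix log: the autorun.inf entries should be gone or show as directories, and no O33 Open\command should point into RECYCLER.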

#8 drholiday

  • Group: Member
  • Posts: 7
  • Joined: 26-April 09

Posted 14 May 2009 - 04:56 PM

Flash Eater did not run. I've had success with Autorun Eater, however, and it has deleted target files from both my hard drives and my mobile phone. Is this acceptable? The error message upon trying to access my hard drives is gone. It stays in the tray. However, disabling it for a period of time resulted in the infection returning. I have since kept it running permanently until another solution is found.

The log is attached.

Smitfraudfix.exe would not run. I rebooted back and my screen was green/yellow colored! I rebooted again and the normal color returned.

OTListIt logfile created on: 5/14/2009 6:49:43 PM - Run 2
OTListIt2 by OldTimer - Version 2.0.15.6 Folder = C:\Documents and Settings\Server2003\Desktop
Windows Server 2003 DataCenter Edition Service Pack 2 (Version = 5.2.3790) - Type = NTServer
Internet Explorer (Version = 6.0.2900.2096)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.98 Mb Total Physical Memory | 650.39 Mb Available Physical Memory | 63.58% Memory free
2.42 Gb Paging File | 2.13 Gb Available in Paging File | 88.38% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.87 Gb Total Space | 49.13 Gb Free Space | 87.93% Space Free | Partition Type: NTFS
Drive D: | 149.04 Gb Total Space | 115.98 Gb Free Space | 77.82% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DELL
Current User Name: [Removed]
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
PRC - C:\Program Files\ESET\ESET Smart Security\ekrn.exe (ESET)
PRC - C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
PRC - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe (Raxco Software, Inc.)
PRC - C:\WINDOWS\system32\HPZipm12.exe (HP)
PRC - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe (Raxco Software, Inc.)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\Everything\Everything.exe ()
PRC - C:\Program Files\ESET\ESET Smart Security\egui.exe (ESET)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Autorun Eater\oldmcdonald.exe (Old McDonald's Farm)
PRC - C:\Program Files\No-IP\DUC20.exe (Vitalwerks LLC)
PRC - C:\Program Files\Autorun Eater\billy.exe (Old McDonald's Farm)
PRC - C:\Program Files\Opera 10 Preview\opera.exe (Opera Software)
PRC - C:\Documents and Settings\Server2003\Desktop\OTListIt2.exe (OldTimer Tools)
PRC - C:\WINDOWS\system32\wbem\wmiprvse.exe (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (Ati HotKey Poller [Auto | Running]) -- C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
SRV - (ATI Smart [Auto | Stopped]) -- C:\WINDOWS\system32\ati2sgag.exe ()
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (Dfs [Disabled | Stopped]) -- C:\WINDOWS\system32\Dfssvc.exe (Microsoft Corporation)
SRV - (EhttpSrv [On_Demand | Stopped]) -- C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe (ESET)
SRV - (ekrn [Auto | Running]) -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe (ESET)
SRV - (IsmServ [Disabled | Stopped]) -- C:\WINDOWS\System32\ismserv.exe (Microsoft Corporation)
SRV - (LicenseService [Disabled | Stopped]) -- C:\WINDOWS\System32\llssrv.exe (Microsoft Corporation)
SRV - (NtFrs [Disabled | Stopped]) -- C:\WINDOWS\system32\ntfrs.exe (Microsoft Corporation)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (PDAgent [Auto | Running]) -- C:\Program Files\Raxco\PerfectDisk\PDAgent.exe (Raxco Software, Inc.)
SRV - (PDEngine [On_Demand | Running]) -- C:\Program Files\Raxco\PerfectDisk\PDEngine.exe (Raxco Software, Inc.)
SRV - (Pml Driver HPZ12 [Auto | Running]) -- C:\WINDOWS\system32\HPZipm12.exe (HP)
SRV - (Process Blocker [On_Demand | Stopped]) -- C:\Program Files\Process Blocker\Process Blocker.exe (Softros Systems, Inc.)
SRV - (RSoPProv [Disabled | Stopped]) -- C:\WINDOWS\system32\RSoPProv.exe (Microsoft Corporation)
SRV - (sacsvr [Disabled | Stopped]) -- C:\WINDOWS\system32\sacsvr.dll (Microsoft Corporation)
SRV - (TrkSvr [Disabled | Stopped]) -- C:\WINDOWS\system32\trksvr.dll (Microsoft Corporation)
SRV - (Tssdis [Disabled | Stopped]) -- C:\WINDOWS\System32\tssdis.exe (Microsoft Corporation)
SRV - (WMPNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (AliIde [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (ati2mtag [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ati2mtag.sys (ATI Technologies Inc.)
DRV - (BCMModem [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\BCMDM.sys (Broadcom Corporation)
DRV - (BrFiltLo [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\BrFiltLo.sys (Brother Industries, Ltd.)
DRV - (BrFiltUp [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\BrFiltUp.sys (Brother Industries, Ltd.)
DRV - (CmdIde [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (ctsfm2k [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys (Creative Technology Ltd)
DRV - (DefragFS [Boot | Running]) -- C:\WINDOWS\System32\drivers\DefragFs.sys (Raxco Software, Inc.)
DRV - (DfsDriver [Boot | Running]) -- C:\WINDOWS\system32\drivers\Dfs.sys (Microsoft Corporation)
DRV - (E100B [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\e100b325.sys (Intel Corporation)
DRV - (eamon [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\eamon.sys (ESET)
DRV - (easdrv [System | Running]) -- C:\WINDOWS\system32\DRIVERS\easdrv.sys (ESET)
DRV - (epfw [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\epfw.sys (ESET)
DRV - (Epfwndis [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\Epfwndis.sys (ESET)
DRV - (epfwtdi [System | Running]) -- C:\WINDOWS\system32\DRIVERS\epfwtdi.sys (ESET)
DRV - (HPZid412 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\HPZid412.sys (HP)
DRV - (HPZipr12 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\HPZipr12.sys (HP)
DRV - (HPZius12 [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\HPZius12.sys (HP)
DRV - (L8042Kbd [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys (Logitech Inc.)
DRV - (LVUSBSta [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\LVUSBSta.sys (Logitech Inc.)
DRV - (MODEMCSA [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys (Microsoft Corporation)
DRV - (ossrv [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ctoss2k.sys (Creative Technology Ltd.)
DRV - (P17 [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\P17.sys (Creative Technology Ltd.)
DRV - (PID_0928 [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\LV561AV.SYS (Logitech Inc.)
DRV - (Point32 [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\point32.sys (Microsoft Corporation)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (senfilt [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\senfilt.sys (Creative Technology Ltd.)
DRV - (SMBHC [System | Stopped]) -- C:\WINDOWS\system32\DRIVERS\SMBHC.sys (Microsoft Corporation)
DRV - (smwdm [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\smwdm.sys (Analog Devices, Inc.)
DRV - (SONYPVU1 [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS (Sony Corporation)
DRV - (tmcomm [Auto | Running]) -- C:\WINDOWS\system32\drivers\tmcomm.sys (Trend Micro Inc.)
DRV - (viamraid [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\viamraid.sys (VIA Technologies inc,.ltd)
DRV - (WLBS [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\wlbs.sys (Microsoft Corporation)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie_rsearch.html

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.0.2
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.6.4
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.10

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX 3.1 BETA 3\COMPONENTS [2009/04/30 21:56:48 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX 3.1 BETA 3\PLUGINS [2009/04/30 21:56:48 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.21\extensions\\Components: C:\PROGRAM FILES\MOZILLA THUNDERBIRD\COMPONENTS [2009/03/26 23:00:00 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.21\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA THUNDERBIRD\PLUGINS

[2009/03/29 17:15:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Server2003\Application Data\mozilla\Extensions
[2009/03/29 17:15:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Server2003\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/05/11 23:29:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Server2003\Application Data\mozilla\Firefox\Profiles\61449fxz.default\extensions
[2009/04/16 18:47:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Server2003\Application Data\mozilla\Firefox\Profiles\61449fxz.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/03/29 17:25:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Server2003\Application Data\mozilla\Firefox\Profiles\61449fxz.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}

O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Autorun Eater] C:\Program Files\Autorun Eater\oldmcdonald.exe (Old McDonald's Farm)
O4 - HKLM..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice (ESET)
O4 - HKLM..\Run: [Everything] "C:\Program Files\Everything\Everything.exe" -startup ()
O4 - HKLM..\Run: [P17Helper] Rundll32 P17.dll,P17Helper ()
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - Startup: C:\Documents and Settings\Server2003\Start Menu\Programs\Startup\No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe (Vitalwerks LLC)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRemoteRecursiveEvents = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: MemCheckBoxInRunDlg = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuFavorites = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Start_ShowHelp = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Start_ShowMyComputer = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Start_ShowMyDocs = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Start_ShowMyMusic = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Start_ShowMyPics = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Start_ShowRun = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Start_ShowSearch = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 177
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: verbosestatus = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoInternetOpenWith = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoInternetIcon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceClassicControlPanel = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ClearRecentDocsOnExit = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartBanner = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: MemCheckBoxInRunDlg = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSharedDocuments = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecentDocsMenu = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O13 - ftp Prefix: missing
O13 - gopher Prefix: missing
O13 - home Prefix: missing
O13 - mosaic Prefix: missing
O13 - www Prefix: missing
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O27 - HKLM IFEO\Your Image File Name Here without a path: Debugger - File not found
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/02/13 11:28:10 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (PDBoot.exe) - C:\WINDOWS\system32\PDBoot.exe (Raxco Software, Inc.)
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[4 C:\WINDOWS\*.tmp files]
[2009/05/14 18:42:41 | 00,000,000 | ---D | C] -- C:\_OTListIt
[2009/05/14 18:41:42 | 00,132,597 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\Flash_Djhghisinfector.exe
[2009/05/14 18:41:05 | 00,132,597 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\Flash_Disinfector.exe
[2009/05/12 15:40:59 | 00,000,000 | ---D | C] -- C:\32788R22FWJFW
[2009/05/12 15:40:29 | 03,021,349 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\Combo-Fix.exe
[2009/05/12 15:40:00 | 03,021,349 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\dddd.exe
[2009/05/12 15:24:43 | 00,437,837 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\YouTube - Night Run II.mht
[2009/05/12 03:12:29 | 00,080,788 | ---- | C] () -- C:\1242081937455.ini
[2009/05/11 23:43:41 | 00,082,846 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\LG Incite Forum - Post Your Screenshots and Today Screens (merged).htm
[2009/05/11 23:33:27 | 00,028,230 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\1162072453.html
[2009/05/11 23:30:48 | 00,004,202 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\1129214561.html
[2009/05/11 23:30:11 | 00,004,373 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\1149262864.html
[2009/05/11 22:40:49 | 00,167,721 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\09rotmbanner.jpg
[2009/05/11 22:25:15 | 00,057,035 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\spb mobile shell - Google Search.mht
[2009/05/11 21:11:00 | 01,143,868 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\01819_birdonabranch_1920x1200.jpg
[2009/05/11 21:10:56 | 05,231,565 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\Guara_WallPack_by_EAMejia.rar
[2009/05/11 17:15:04 | 00,000,702 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Autorun Eater.lnk
[2009/05/11 17:15:04 | 00,000,000 | ---D | C] -- C:\Program Files\Autorun Eater
[2009/05/11 14:37:43 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Server2003\Desktop\OTListIt2.exe
[2009/05/11 14:35:21 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009/05/10 00:41:20 | 00,051,047 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\download.php
[2009/05/09 22:13:12 | 00,724,952 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\avenger.zip
[2009/05/09 22:08:57 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Server2003\Desktop\New Folder (2)
[2009/05/09 22:06:57 | 11,873,098 | ---- | C] (PortableAppZ.blogspot.com) -- C:\Documents and Settings\Server2003\Desktop\SpybotSD_Portable_1.6.2.46_MultiLang.paf.exe
[2009/05/09 13:18:55 | 04,123,212 | ---- | C] () -- C:\Documents and Settings\Server2003\My Documents\11_ Tan'nek.mp3
[2009/05/09 13:12:35 | 03,986,539 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\12_ Pak Sho.mp3
[2009/05/09 13:12:10 | 04,123,212 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\11_ Tan'nek.mp3
[2009/05/09 13:11:44 | 03,913,396 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\10_ Naz Nakon.mp3
[2009/05/09 13:11:03 | 03,549,772 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\09_ Bi To.mp3
[2009/05/09 13:10:33 | 04,349,328 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\08_ Dooset Daram.mp3
[2009/05/09 13:09:42 | 03,371,721 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\07_ Touloue Eshgh.mp3
[2009/05/09 13:09:26 | 03,923,009 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\06_ Sepideh.mp3
[2009/05/09 13:08:05 | 04,727,999 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\05_ Shak Nakon.mp3
[2009/05/09 13:07:46 | 03,933,458 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\04_ Kurdestan.mp3
[2009/05/09 13:07:10 | 03,160,234 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\03_ Avalin Negah.mp3
[2009/05/09 13:04:06 | 03,003,917 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\02_ Sher O Ghazal.mp3
[2009/05/09 09:12:19 | 03,712,776 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\12_ Zareh Zareh.mp3
[2009/05/09 09:04:09 | 03,465,762 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\11_ Del Farib.mp3
[2009/05/09 08:43:02 | 03,424,384 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\10_ Mano Tou.mp3
[2009/05/09 08:42:41 | 03,524,694 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\09_ Jazebeh.mp3
[2009/05/09 08:36:52 | 03,288,129 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\08_ Velesh Kon.mp3
[2009/05/09 08:26:55 | 03,540,577 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\07_ Kam Kam.mp3
[2009/05/09 08:23:57 | 03,156,054 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\06_ Aab Baba Bar.mp3
[2009/05/09 08:20:46 | 03,706,924 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\05_ Entezar.mp3
[2009/05/09 08:15:03 | 04,548,276 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\04_ Doostam Nadari.mp3
[2009/05/09 08:12:44 | 03,662,203 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\03_ Atre Nafashat (Didar).mp3
[2009/05/09 08:09:05 | 03,540,577 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\02_ Bimarami.mp3
[2009/05/09 08:07:40 | 03,004,335 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\01_ Yeki Yeki.mp3
[2009/05/02 13:08:47 | 18,686,947 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\Shahab Tiam - Zaraban.zip
[2009/04/30 21:18:40 | 03,685,191 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\04_ Elahi Ghorbunet Beram.mp3
[2009/04/30 21:14:36 | 04,137,004 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\03_ Gol E Goldoon.mp3
[2009/04/26 23:15:09 | 10,844,707 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\love_lockdown.mp3
[2009/04/26 23:14:32 | 11,126,549 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\Love Lockdown (T-Wrecks Remix).mp3
[2009/04/26 23:14:26 | 11,343,607 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\love_lockdown_chew_fu_small_room_fix.mp3
[2009/04/26 23:14:20 | 06,666,224 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\Love Lockdown (Doctor Rosen Rosen REMIX).mp3
[2009/04/26 21:35:23 | 00,389,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\cmd.execf
[2009/04/26 19:02:05 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/26 19:02:05 | 00,000,728 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/26 19:02:03 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/26 19:02:01 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/04/26 18:25:41 | 38,250,496 | ---- | C] ( ) -- C:\Documents and Settings\Server2003\Desktop\setup_7.0.0.290_26.04.2009_08-50.exe
[2009/04/26 18:04:33 | 00,102,664 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2009/04/26 17:56:58 | 00,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2009/04/26 17:50:39 | 00,000,000 | ---D | C] -- C:\Program Files\Java
[2009/04/26 17:48:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Server2003\Application Data\Sun
[2009/04/26 17:34:06 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2009/04/26 17:34:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/04/26 17:33:04 | 02,967,800 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Server2003\Desktop\mbam-setup.exe
[2009/04/26 17:30:21 | 16,409,960 | ---- | C] (Safer Networking Limited ) -- C:\Documents and Settings\Server2003\Desktop\spybotsd162.exe
[2009/04/26 16:48:30 | 00,001,766 | ---- | C] () -- C:\Documents and Settings\Server2003\Desktop\HijackThis.lnk
[2009/04/26 16:48:30 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/04/19 02:00:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Server2003\Desktop\New Folder
[2009/04/18 22:36:05 | 00,001,737 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/04/18 12:56:19 | 00,000,000 | ---D | C] -- C:\spoolerlogs
[2009/04/10 19:23:02 | 00,041,808 | ---- | C] () -- C:\WINDOWS\System32\xfcodec.dll
[2009/03/29 20:06:21 | 00,398,824 | ---- | C] () -- C:\WINDOWS\System32\ubsvcgd.sys
[2009/03/29 20:06:21 | 00,234,984 | ---- | C] () -- C:\WINDOWS\System32\ubdevgd.dll
[2009/03/29 20:06:21 | 00,104,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\ubarcgd.sys
[2009/03/29 20:06:21 | 00,042,344 | ---- | C] () -- C:\WINDOWS\System32\drivers\ubdrvgd.sys
[2009/03/07 10:22:48 | 00,000,600 | ---- | C] () -- C:\WINDOWS\Rtcw.INI
[2009/02/13 15:10:25 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/02/13 13:51:32 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/02/13 13:51:31 | 00,067,584 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/02/13 12:37:32 | 00,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2009/02/13 11:31:36 | 00,462,848 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2009/02/13 11:15:02 | 00,048,205 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2009/02/13 11:10:38 | 00,064,512 | ---- | C] () -- C:\WINDOWS\System32\P17.dll
[2009/02/13 11:10:38 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\P17CPI.dll
[2009/02/13 11:10:32 | 00,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\A3d.dll
[2009/02/13 11:10:18 | 00,006,307 | ---- | C] () -- C:\WINDOWS\System32\Ludap17.ini
[2009/02/13 11:10:18 | 00,000,054 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2007/05/07 08:00:00 | 00,179,577 | ---- | C] () -- C:\WINDOWS\System32\schema.ini
[2007/05/07 08:00:00 | 00,024,819 | ---- | C] () -- C:\WINDOWS\System32\ntdsctrs.ini
[2007/05/07 08:00:00 | 00,020,386 | ---- | C] () -- C:\WINDOWS\System32\ntfrsrep.ini
[2007/05/07 08:00:00 | 00,011,817 | ---- | C] () -- C:\WINDOWS\System32\iasperf.ini
[2007/05/07 08:00:00 | 00,011,030 | ---- | C] () -- C:\WINDOWS\System32\ipsecprf.ini
[2007/05/07 08:00:00 | 00,005,597 | ---- | C] () -- C:\WINDOWS\System32\ntfrscon.ini
[2007/05/07 08:00:00 | 00,000,603 | ---- | C] () -- C:\WINDOWS\win.ini
[2007/05/07 08:00:00 | 00,000,231 | ---- | C] () -- C:\WINDOWS\system.ini
[2003/01/07 11:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[2009/05/14 18:48:19 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\Server2003\Local Settings\desktop.ini
[2009/05/14 18:48:03 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/05/14 18:48:02 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/05/14 18:42:46 | 00,453,260 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/05/14 18:42:46 | 00,391,330 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/05/14 18:42:46 | 00,055,640 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/05/14 18:41:42 | 00,132,597 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\Flash_Djhghisinfector.exe
[2009/05/14 18:41:05 | 00,132,597 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\Flash_Disinfector.exe
[2009/05/14 18:38:44 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/05/12 15:41:05 | 00,389,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\cmd.execf
[2009/05/12 15:40:42 | 03,021,349 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\Combo-Fix.exe
[2009/05/12 15:40:25 | 03,021,349 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\dddd.exe
[2009/05/12 15:24:43 | 00,437,837 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\YouTube - Night Run II.mht
[2009/05/12 03:12:30 | 00,080,788 | ---- | M] () -- C:\1242081937455.ini
[2009/05/11 23:43:42 | 00,082,846 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\LG Incite Forum - Post Your Screenshots and Today Screens (merged).htm
[2009/05/11 23:33:27 | 00,028,230 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\1162072453.html
[2009/05/11 23:30:48 | 00,004,202 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\1129214561.html
[2009/05/11 23:30:12 | 00,004,373 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\1149262864.html
[2009/05/11 22:40:50 | 00,167,721 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\09rotmbanner.jpg
[2009/05/11 22:25:15 | 00,057,035 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\spb mobile shell - Google Search.mht
[2009/05/11 21:11:40 | 05,231,565 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\Guara_WallPack_by_EAMejia.rar
[2009/05/11 21:11:00 | 01,143,868 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\01819_birdonabranch_1920x1200.jpg
[2009/05/11 17:20:55 | 11,126,549 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\Love Lockdown (T-Wrecks Remix).mp3
[2009/05/11 17:15:04 | 00,000,702 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Autorun Eater.lnk
[2009/05/11 14:37:50 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Server2003\Desktop\OTListIt2.exe
[2009/05/10 12:00:00 | 00,000,250 | ---- | M] () -- C:\WINDOWS\tasks\Process Blocker ON.job
[2009/05/10 00:41:20 | 00,051,047 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\download.php
[2009/05/09 22:13:25 | 00,724,952 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\avenger.zip
[2009/05/09 22:08:32 | 11,873,098 | ---- | M] (PortableAppZ.blogspot.com) -- C:\Documents and Settings\Server2003\Desktop\SpybotSD_Portable_1.6.2.46_MultiLang.paf.exe
[2009/05/09 13:15:56 | 04,123,212 | ---- | M] () -- C:\Documents and Settings\Server2003\My Documents\11_ Tan'nek.mp3
[2009/05/09 13:15:55 | 04,123,212 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\11_ Tan'nek.mp3
[2009/05/09 13:15:45 | 03,986,539 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\12_ Pak Sho.mp3
[2009/05/09 13:15:04 | 03,913,396 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\10_ Naz Nakon.mp3
[2009/05/09 13:14:22 | 04,349,328 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\08_ Dooset Daram.mp3
[2009/05/09 13:14:10 | 03,549,772 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\09_ Bi To.mp3
[2009/05/09 13:12:28 | 03,923,009 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\06_ Sepideh.mp3
[2009/05/09 13:12:24 | 03,371,721 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\07_ Touloue Eshgh.mp3
[2009/05/09 13:12:01 | 04,727,999 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\05_ Shak Nakon.mp3
[2009/05/09 13:10:23 | 03,933,458 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\04_ Kurdestan.mp3
[2009/05/09 13:09:02 | 03,160,234 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\03_ Avalin Negah.mp3
[2009/05/09 13:06:22 | 03,003,917 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\02_ Sher O Ghazal.mp3
[2009/05/09 12:35:15 | 03,712,776 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\12_ Zareh Zareh.mp3
[2009/05/09 09:20:28 | 03,465,762 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\11_ Del Farib.mp3
[2009/05/09 09:12:10 | 03,524,694 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\09_ Jazebeh.mp3
[2009/05/09 09:03:53 | 03,288,129 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\08_ Velesh Kon.mp3
[2009/05/09 08:43:29 | 03,424,384 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\10_ Mano Tou.mp3
[2009/05/09 08:42:01 | 03,156,054 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\06_ Aab Baba Bar.mp3
[2009/05/09 08:36:36 | 03,706,924 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\05_ Entezar.mp3
[2009/05/09 08:27:28 | 03,540,577 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\07_ Kam Kam.mp3
[2009/05/09 08:26:43 | 04,548,276 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\04_ Doostam Nadari.mp3
[2009/05/09 08:20:31 | 03,662,203 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\03_ Atre Nafashat (Didar).mp3
[2009/05/09 08:12:25 | 03,540,577 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\02_ Bimarami.mp3
[2009/05/09 08:12:07 | 03,004,335 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\01_ Yeki Yeki.mp3
[2009/05/02 13:19:03 | 18,686,947 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\Shahab Tiam - Zaraban.zip
[2009/05/01 16:00:00 | 00,000,252 | ---- | M] () -- C:\WINDOWS\tasks\Process Blocker OFF.job
[2009/04/30 21:19:05 | 03,685,191 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\04_ Elahi Ghorbunet Beram.mp3
[2009/04/30 21:15:07 | 04,137,004 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\03_ Gol E Goldoon.mp3
[2009/04/26 23:18:40 | 10,844,707 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\love_lockdown.mp3
[2009/04/26 23:18:13 | 11,343,607 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\love_lockdown_chew_fu_small_room_fix.mp3
[2009/04/26 23:16:20 | 06,666,224 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\Love Lockdown (Doctor Rosen Rosen REMIX).mp3
[2009/04/26 19:02:05 | 00,000,728 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/26 18:30:14 | 38,250,496 | ---- | M] ( ) -- C:\Documents and Settings\Server2003\Desktop\setup_7.0.0.290_26.04.2009_08-50.exe
[2009/04/26 18:02:24 | 00,102,664 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2009/04/26 17:33:34 | 02,967,800 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Server2003\Desktop\mbam-setup.exe
[2009/04/26 17:33:05 | 16,409,960 | ---- | M] (Safer Networking Limited ) -- C:\Documents and Settings\Server2003\Desktop\spybotsd162.exe
[2009/04/26 16:48:30 | 00,001,766 | ---- | M] () -- C:\Documents and Settings\Server2003\Desktop\HijackThis.lnk
[2009/04/23 21:51:05 | 00,057,344 | -HS- | M] () -- C:\Documents and Settings\Server2003\Desktop\Thumbs.db
[2009/04/20 21:31:44 | 10,728,12032 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP
[2009/04/18 22:36:05 | 00,001,737 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/04/15 17:18:13 | 00,189,784 | ---- | M] () -- C:\WINDOWS\System32\PnkBstrB.xtr
[2009/04/15 00:21:50 | 00,000,020 | ---- | M] () -- C:\WINDOWS\System32\PDBootState
< End of report >

Attached File(s)
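To show how a helper reads an OTListIt (OTL) file listing like the one above, here is an added Python example; it is not part of the post or of the OTL tool. The line format is taken from the log, while the triage heuristics (an executable extension with letters glued on after it, such as `cmd.execf`; a `.sys` under the system directory whose version info names no publisher; a long all-letter file name with very few vowels) are this example's own assumptions. The first four sample lines are copied from the log, and the last one is constructed around the driver path that appears in the AVZ script later in this thread.

```python
"""Triage helper for OTL 'Files/Folders - Created/Modified Within 30 Days' entries (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One OTL entry looks like:
#   [2009/04/26 21:35:23 | 00,389,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\cmd.execf
# timestamp | size with thousands separators | attribute flags (H, S, D, ...) | C=created / M=modified,
# then the publisher from the file's version resource in parentheses (absent for directories,
# an empty "()" when the file carries none), then the path.
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<publisher>[^)]*)\))? -- (?P<path>.+)$"
)

# Assumption: a kernel driver here with no publisher information deserves a second look.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
VOWELS = set("aeiouy")


@dataclass
class Entry:
    timestamp: str
    size: int
    attrs: str
    kind: str
    publisher: str
    path: str

    @property
    def basename(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs


def parse_entry(line: str) -> Optional[Entry]:
    """Return an Entry for an OTL file/folder line, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return Entry(
        timestamp=m["ts"],
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        kind=m["kind"],
        publisher=(m["publisher"] or "").strip(),
        path=m["path"],
    )


def looks_random(name: str) -> bool:
    """Heuristic (assumption): a long all-letter stem with few vowels is usually a generated name."""
    stem = name.rsplit(".", 1)[0].lower()
    if len(stem) < 16 or not stem.isalpha():
        return False
    return sum(c in VOWELS for c in stem) / len(stem) < 0.25


def triage(entry: Entry) -> List[str]:
    """Return the reasons (possibly none) why this entry is worth a closer look."""
    findings: List[str] = []
    if entry.is_dir:
        return findings
    name = entry.basename.lower()
    # "cmd.execf": an executable extension with extra characters glued on after it.
    if re.search(r"\.(exe|dll|sys)[a-z0-9]+$", name):
        findings.append("executable extension with trailing garbage")
    # A .sys under the system directory that carries no publisher in its version info.
    if name.endswith(".sys") and entry.path.lower().startswith(SYSTEM_DIRS) and not entry.publisher:
        findings.append("kernel driver without publisher info")
    if looks_random(name):
        findings.append("random-looking file name")
    return findings


def triage_log(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Parse every line and keep only the entries that produced at least one finding."""
    results = []
    for line in lines:
        entry = parse_entry(line)
        if entry is not None:
            reasons = triage(entry)
            if reasons:
                results.append((entry.path, reasons))
    return results


# Sample input: four lines copied from the OTL log above, plus one constructed line that
# borrows the driver path from the AVZ script in this thread (timestamp and size are made up).
SAMPLE_LINES = [
    r"[2009/04/26 21:35:23 | 00,389,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\cmd.execf",
    r"[2009/03/29 20:06:21 | 00,104,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\ubarcgd.sys",
    r"[2009/04/26 19:02:05 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys",
    r"[2009/05/14 18:42:41 | 00,000,000 | ---D | C] -- C:\_OTListIt",
    r"[2009/05/12 15:41:05 | 00,042,344 | ---- | C] () -- C:\WINDOWS\system32\drivers\gaopdxcfqxbnykmpvggeptalkdvbxjiqerqhec.sys",
]

if __name__ == "__main__":
    for path, reasons in triage_log(SAMPLE_LINES):
        print(path, "->", "; ".join(reasons))
```

The output is a review list, not a verdict: a missing publisher is common for legitimate third-party drivers, and the vowel-ratio rule is deliberately loose, so each hit still needs the usual follow-up (hash lookup, signature check, file creation time against the incident timeline).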



#9 XmichouX

  • Group: Retired Staff
  • Posts: 1,292
  • Joined: 18-June 08

Posted 15 May 2009 - 12:16 PM

Hi,

Download avz4.zip from here
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the Right of the Log window: Posted Image
  • Click Start to begin the update

Note: If you receive an error message, choose a different source, then click Start again


  • Start AVZ.

  • Choose from the menu "File" => "Standard scripts" and mark the "Healing/Quarantine and Advanced System Investigation" check box.
  • Click on the “Execute selected scripts”.
  • Automatic scanning, healing and system check will be executed.
  • A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  • It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  • All applications will work properly after the system restart.


When restarted

  • Start AVZ.

  • Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Investigation" check box.
  • Click on the "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.


Attach both zip files to your next post

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post


Regards,

#10 drholiday

  • Group: Member
  • Posts: 7
  • Joined: 26-April 09

Posted 15 May 2009 - 05:46 PM

Attached.

Attached File(s)



#11 XmichouX

  • Group: Retired Staff
  • Posts: 1,292
  • Joined: 18-June 08

Posted 16 May 2009 - 06:03 AM

Hi,

  • Close all windows then double click on AVZ.exe

  • Click File > Custom scripts

  • Copy & paste the contents of the following codebox in the box in the program

    begin
    SearchRootkit(true, true);
    SetAVZGuardStatus(True);
    BC_DeleteFile('C:\WINDOWS\system32\drivers\gaopdxcfqxbnykmpvggeptalkdvbxjiqerqhec.sys');
    DeleteFile('C:\WINDOWS\system32\drivers\gaopdxcfqxbnykmpvggeptalkdvbxjiqerqhec.sys');
    BC_DeleteFile('C:\WINDOWS\system32\drivers\gaopdxgrkdtqdtpuhampaeqljaexygogwkxjbw.sys');
    DeleteFile('C:\WINDOWS\system32\drivers\gaopdxgrkdtqdtpuhampaeqljaexygogwkxjbw.sys');
    BC_ImportDeletedList;
    ExecuteSysClean;
    BC_Activate;
    RebootWindows(true);
    end.



  • Note: When you run the script, your PC will be restarted

  • Click Run

  • Restart your PC if it doesn't do it automatically, and post back with a new HijackThis log.


Regards,

#12 drholiday

  • Group: Member
  • Posts: 7
  • Joined: 26-April 09

Posted 16 May 2009 - 09:32 AM

Posted log.

EDIT: It says I am not allowed to post this type of file. I am including it in code:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:13 AM, on 5/16/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Everything\Everything.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Autorun Eater\oldmcdonald.exe
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\Autorun Eater\billy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [Everything] "C:\Program Files\Everything\Everything.exe" -startup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Autorun Eater] C:\Program Files\Autorun Eater\oldmcdonald.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [DefaultP17] P17Def.Exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [SetDefaultMIDI] MIDIDef.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [SetDefaultMIDI] MIDIDef.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [SetDefaultMIDI] MIDIDef.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE (User 'Default user')
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O13 - DefaultPrefix: 
O13 - WWW Prefix: 
O13 - Home Prefix: 
O13 - Mosaic Prefix: 
O13 - FTP Prefix: 
O13 - Gopher Prefix: 
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Process Blocker - Softros Systems, Inc. - C:\Program Files\Process Blocker\Process Blocker.exe

--
End of file - 4426 bytes
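To show how a reviewer works through a HijackThis log like the one above, here is an added Python example; it is not part of the post or of HijackThis. It parses the O4 (autorun), O15 (protocol zone defaults) and O23 (service) line formats seen in the log and flags three things that are this example's own review rules, not anything HijackThis itself computes: an autorun command whose binary is not given as an absolute path (resolved through the search order at logon), a protocol mapped to a zone other than the one the tool expects, and a service whose binary shows "Unknown owner". The sample lines are copied from the log above. The first rule also fires on some stock Windows entries such as the nltide_2 RunOnce, so the output is a list for review, not a verdict.

```python
"""Flag HijackThis v2 O4/O15/O23 lines worth a second look (added example, not HijackThis code)."""
import re
from typing import Dict, List, Optional, Tuple

# O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
# O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.+?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15_RE = re.compile(
    r"^O15 - ProtocolDefaults: '(?P<proto>[^']+)' protocol is in (?P<zone>.+?) Zone, "
    r"should be (?P<expected>.+?) Zone$"
)
# O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def parse(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the fields of an O4/O15/O23 line plus its 'kind', or None for other lines."""
    for kind, rx in (("O4", O4_RE), ("O15", O15_RE), ("O23", O23_RE)):
        m = rx.match(line.strip())
        if m:
            rec: Dict[str, Optional[str]] = m.groupdict()
            rec["kind"] = kind
            return rec
    return None


def command_binary(cmd: str) -> str:
    """First token of an autorun command, with surrounding quotes removed."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def is_absolute_path(p: str) -> bool:
    return re.match(r"^[A-Za-z]:\\", p) is not None


def triage_line(line: str) -> Optional[str]:
    """One review reason for the line, or None when the line raises nothing under these rules."""
    rec = parse(line)
    if rec is None:
        return None
    if rec["kind"] == "O4" and not is_absolute_path(command_binary(rec["cmd"])):
        return "autorun command without absolute path"
    if rec["kind"] == "O15" and rec["zone"] != rec["expected"]:
        return f"'{rec['proto']}' mapped to {rec['zone']} Zone instead of {rec['expected']} Zone"
    if rec["kind"] == "O23" and rec["owner"] == "Unknown owner":
        return "service binary carries no publisher info"
    return None


def triage_hjt(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (line, reason) pairs for every line that produced a review reason."""
    out = []
    for line in lines:
        reason = triage_line(line)
        if reason:
            out.append((line.strip(), reason))
    return out


# Sample input: lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
""".strip().splitlines()

if __name__ == "__main__":
    for line, reason in triage_hjt(SAMPLE_LOG):
        print(reason, "<-", line)
```

The O15 rule is the one most relevant to the redirect symptom in this thread: the log above shows http, https, ftp and file all placed in the My Computer zone, which weakens Internet Explorer's zone restrictions and is a common leftover of a hijack, so an analyst would restore the defaults regardless of which file caused it.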


#13 XmichouX

  • Group: Retired Staff
  • Posts: 1,292
  • Joined: 18-June 08

Posted 17 May 2009 - 05:43 AM

Hi,

Are you still being redirected? If yes, with both browsers?

1) Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

2) Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/...rweb-cureit.exe
  • Double-click the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.


Regards,

#14 XmichouX

  • Group: Retired Staff
  • Posts: 1,292
  • Joined: 18-June 08

Posted 22 May 2009 - 11:56 AM

Hi,

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
