
virus blocks connections to antivirus/software sites



#1 igshum (New Member, 8 posts)
Hi,

I use Sygate firewall and (until recently) AVG antivirus, on XP-SP3.

After a guest used my computer, the following behavior started:

1) services.exe wanted to connect to www.navlot.com and www.arrodilla.com. I disallowed the connections with Sygate, and redirected them to 127.0.0.1 in the "hosts" file.

2) AVG kept finding an infected file with a "generic" type of infection, and I kept deleting it. It happened about 5 times. Then AVG didn't find that file anymore.

3) I can't open connections (HTTP) to www.avira.com, www.avast.com, www.eset.com, www.cnet.com, and several other sites that may offer antivirus apps. I used a sniffer (Wireshark) to check it: when I send an HTTP request to one of these sites, I don't even see a SYN, so it's blocked somewhere before Wireshark in the TCP stack.

Time-wise, this behavior began after I let Nokia OVI download an update, but I don't think it's related.

I can't find the virus/malware blocking my connections (and possibly doing other malicious stuff), so I'm asking for your help.

I followed the instructions on this site:
1) Malwarebytes didn't find anything of use (only several bad cookies). When I ran it again, it didn't find anything anymore.
2) I uninstalled AVG and installed Avast!, which didn't find anything either.
3) Ran TFC and ERUNT.
4) When I run GMER with the "Files" test, at some point I get a blue screen. I tried several runs and it keeps blue-screening, so the log I attach DOES NOT INCLUDE FILES; I hope it's enough for now.

Thank you.

%%%%%%%%%%%%%%%%%%%% GMER LOG START %%%%%%%%%%%%%%%%%%%%

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-06 08:45:43
Windows 5.1.2600 Service Pack 3
Running: fkikoszg.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pgldrpow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwAllocateVirtualMemory [0xBA28AB30]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA429EC08]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xA429EAC4]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwCreateThread [0xBA28A6F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xA429F078]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xA429EFA2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xA429E69A]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwMapViewOfSection [0xBA28A470]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xA429EB9E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xA429E5DA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xA429E63E]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwProtectVirtualMemory [0xBA28AC50]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xA429ECBE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xA429F146]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xA429EC7E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xA429EDFE]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwShutdownSystem [0xBA28A990]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwTerminateProcess [0xBA28A8D0]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwWriteVirtualMemory [0xBA28AD60]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xA42AB50A]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xA42AB32E]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xA42AB468]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C74 80504510 4 Bytes JMP 9192A429
PAGE ntkrnlpa.exe!ZwLoadDriver 8058413A 7 Bytes JMP A42AB46C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!NtCreateSection 805AB38E 7 Bytes JMP A42AB332 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BC502 5 Bytes JMP A42A74AA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObInsertObject 805C2F86 5 Bytes JMP A42A897E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1134 7 Bytes JMP A42AB50E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
.text tcpip.sys!IPTransmit + 10FC A43CBD3A 6 Bytes CALL B9D07CE0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPTransmit + 2A52 A43CD690 6 Bytes CALL B9D07CE0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPRegisterProtocol + 930 A43E3454 6 Bytes CALL B9D07CE0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text wanarp.sys B5CD03FD 7 Bytes CALL B9D07E30 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

Device \Driver\aswTdi \Device\AswUdpFilter wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

Device \Driver\aswTdi \Device\ASWTDI wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\aswTdi \Device\AswTcpFilter wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

---- EOF - GMER 1.0.15 ----
%%%%%%%%%%%%%%%%%%%% GMER LOG END %%%%%%%%%%%%%%%%%%%%


%%%%%%%%%%%%%%%%%%%% MBAM LOG START %%%%%%%%%%%%%%%%%%%%

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4069

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

05/05/2010 21:10:30
mbam-log-2010-05-05 (21-10-30).txt

Scan type: Quick scan
Objects scanned: 116466
Time elapsed: 2 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

%%%%%%%%%%%%%%%%%%%% MBAM LOG END %%%%%%%%%%%%%%%%%%%%


%%%%%%%%%%%%%%%%%%%% OTL LOG START %%%%%%%%%%%%%%%%%%%%

OTL logfile created on: 06/05/2010 08:56:35 - Run 1
OTL by OldTimer - Version 3.2.3.0 Folder = C:\tmp\vir
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 85.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 94.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 931.50 Gb Total Space | 661.27 Gb Free Space | 70.99% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 298.08 Gb Total Space | 34.93 Gb Free Space | 11.72% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: IS
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/26 01:50:50 | 000,563,712 | ---- | M] (OldTimer Tools) -- C:\tmp\vir\OTL.exe
PRC - [2010/04/14 19:47:08 | 002,790,472 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/04/14 19:47:05 | 000,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2009/12/15 18:19:14 | 002,465,792 | ---- | M] (SEC) -- C:\Program Files\MagicTune Premium\MagicTune.exe
PRC - [2009/11/27 03:33:24 | 000,030,192 | ---- | M] (Google) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
PRC - [2008/07/23 18:04:20 | 005,625,344 | ---- | M] () -- C:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe
PRC - [2008/04/14 07:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/08/23 16:05:00 | 000,045,056 | ---- | M] () -- C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
PRC - [2007/01/15 17:18:00 | 000,036,864 | ---- | M] () -- C:\Program Files\MagicTune Premium\GammaTray.exe
PRC - [2004/08/13 20:05:56 | 002,532,576 | ---- | M] (Sygate Technologies, Inc.) -- C:\Program Files\Sygate\SPF\Smc.exe
PRC - [2004/03/31 16:23:06 | 000,823,296 | ---- | M] (LockTime) -- C:\Program Files\NetLimiter\NetLimiter.exe


========== Modules (SafeList) ==========

MOD - [2010/04/26 01:50:50 | 000,563,712 | ---- | M] (OldTimer Tools) -- C:\tmp\vir\OTL.exe
MOD - [2004/08/10 18:05:30 | 000,083,096 | ---- | M] (Sygate Technologies, Inc.) -- C:\WINDOWS\system32\SSSensor.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/04/14 19:47:05 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/04/14 19:47:05 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/04/14 19:47:05 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2009/11/27 03:33:24 | 000,030,192 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager-110309-193829)
SRV - [2009/10/27 09:26:36 | 000,657,408 | ---- | M] (Nokia) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2009/10/20 21:19:48 | 000,117,264 | ---- | M] (CACE Technologies, Inc.) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2007/11/27 16:38:04 | 000,695,136 | ---- | M] (National Instruments, Inc.) [On_Demand | Stopped] -- C:\WINDOWS\system32\lkcitdl.exe -- (LkCitadelServer)
SRV - [2007/11/27 14:57:52 | 000,213,552 | ---- | M] (National Instruments Corporation) [On_Demand | Stopped] -- C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe -- (NIDomainService)
SRV - [2007/11/27 14:57:20 | 000,050,736 | ---- | M] (National Instruments Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\lktsrv.exe -- (lkTimeSync)
SRV - [2007/11/27 14:56:48 | 000,040,488 | ---- | M] (National Instruments Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\lkads.exe -- (lkClassAds)
SRV - [2007/11/07 09:58:18 | 003,004,416 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe -- (msvsmon90)
SRV - [2007/08/23 16:05:00 | 000,045,056 | ---- | M] () [Auto | Running] -- C:\Program Files\MagicTune Premium\MagicTuneEngine.exe -- (MagicTuneEngine)
SRV - [2007/07/19 17:38:16 | 000,048,704 | ---- | M] (National Instruments Corp.) [On_Demand | Stopped] -- C:\WINDOWS\System32\nisvcloc.exe -- (niSvcLoc)
SRV - [2007/01/29 16:19:48 | 001,007,616 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe -- (NILM License Manager)
SRV - [2004/08/13 20:05:56 | 002,532,576 | ---- | M] (Sygate Technologies, Inc.) [Auto | Running] -- C:\Program Files\Sygate\SPF\Smc.exe -- (SmcService)


========== Driver Services (SafeList) ==========

DRV - [2010/04/14 19:35:47 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/04/14 19:35:25 | 000,162,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/04/14 19:31:39 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/04/14 19:31:12 | 000,100,432 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/04/14 19:31:01 | 000,019,024 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/04/14 19:30:45 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2009/10/20 21:19:44 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2009/10/06 11:52:50 | 000,007,936 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys -- (UsbserFilt)
DRV - [2009/10/06 11:52:34 | 000,022,016 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdcmbo.sys -- (nmwcdc)
DRV - [2009/10/06 11:52:34 | 000,017,664 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdcmb.sys -- (nmwcd)
DRV - [2009/10/06 11:52:34 | 000,007,936 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbser_lowerflt.sys -- (upperdev)
DRV - [2009/06/04 14:53:04 | 000,014,080 | ---- | M] (Samsung Electronics, Inc. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MTiCtwl.sys -- (MagicTune)
DRV - [2009/03/21 00:21:31 | 000,110,080 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntcHdmi.sys -- (IntcHdmiAddService) Intel®
DRV - [2009/03/21 00:21:30 | 006,048,480 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2009/03/21 00:19:38 | 000,111,360 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2009/03/21 00:18:34 | 000,012,400 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AsIO.sys -- (AsIO)
DRV - [2009/03/21 00:15:20 | 004,745,216 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/11/02 22:55:08 | 000,062,464 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BazisVirtualCD.sys -- (BazisVirtualCD)
DRV - [2008/11/02 16:14:10 | 000,056,320 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VirtDiskBus.sys -- (VirtDiskBus)
DRV - [2008/09/18 17:49:33 | 000,324,120 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\iaStor.sys -- (iaStor)
DRV - [2008/08/26 09:26:12 | 000,018,816 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2008/04/14 07:00:00 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/04/14 05:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2007/10/23 11:00:00 | 000,004,096 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\cvintdrv.sys -- (cvintdrv)
DRV - [2005/01/02 04:10:37 | 000,026,240 | ---- | M] (SlySoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ElbyCDFL.sys -- (ElbyCDFL)
DRV - [2005/01/02 04:07:05 | 000,009,728 | ---- | M] (Elaborate Bytes AG) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ElbyCDIO.sys -- (ElbyCDIO)
DRV - [2004/08/13 05:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2004/08/10 18:05:44 | 000,014,240 | ---- | M] (Sygate Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\Drivers\wg6n.sys -- (wg6n)
DRV - [2004/08/10 18:05:42 | 000,014,240 | ---- | M] (Sygate Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\Drivers\wg5n.sys -- (wg5n)
DRV - [2004/08/10 18:05:42 | 000,014,240 | ---- | M] (Sygate Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\Drivers\wg4n.sys -- (wg4n)
DRV - [2004/08/10 18:05:42 | 000,014,240 | ---- | M] (Sygate Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\Drivers\wg3n.sys -- (wg3n)
DRV - [2004/08/10 17:53:14 | 000,021,075 | ---- | M] (Sygate Technologies, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\wpsdrvnt.sys -- (wpsdrvnt)
DRV - [2004/08/10 17:51:30 | 000,059,984 | ---- | M] (Sygate Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\Drivers\Teefer.sys -- (Teefer)
DRV - [2003/09/25 02:00:00 | 000,174,530 | ---- | M] (OmniVision Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ov519vid.sys -- (ovt519)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://il.msn.com/iat/us_il.aspx
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 70 43 E1 AD C9 E0 CA 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.6.8
FF - prefs.js..extensions.enabledItems: {44d0a1b4-9c90-4f86-ac92-8680b5d6549e}:0.6.4.1
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/10 17:06:09 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/26 01:21:41 | 000,000,000 | ---D | M]

[2009/03/22 00:52:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2010/05/01 15:36:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1kgzer79.default\extensions
[2009/10/07 17:18:06 | 000,000,000 | ---D | M] (Gmail Notifier) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1kgzer79.default\extensions\{44d0a1b4-9c90-4f86-ac92-8680b5d6549e}
[2010/04/20 22:45:09 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1kgzer79.default\extensions\{a089fffd-e0cb-431b-8d3a-ebb8afb26dcf}
[2010/05/01 15:36:56 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1kgzer79.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/04/13 11:48:02 | 000,000,000 | ---D | M] (Download Statusbar) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1kgzer79.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2010/04/20 22:45:09 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1kgzer79.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2009/12/25 17:54:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1kgzer79.default\extensions\filtersetg@updater
[2010/05/05 11:51:55 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/03/25 11:58:43 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2007/02/08 11:48:16 | 000,028,448 | ---- | M] (National Instruments) -- C:\Program Files\Mozilla Firefox\plugins\NPLV82Win32.dll
[2007/07/24 19:03:42 | 000,023,040 | ---- | M] (National Instruments) -- C:\Program Files\Mozilla Firefox\plugins\nplv85win32.dll

O1 HOSTS File: ([2010/04/24 01:49:27 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [CloneCDTray] C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe (SlySoft, Inc.)
O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
O4 - HKLM..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe (LockTime)
O4 - HKLM..\Run: [NI Background Service] C:\Program Files\National Instruments\Shared\Update Service\BackgroundService.exe (National Instruments)
O4 - HKLM..\Run: [Six Engine] C:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe ()
O4 - HKLM..\Run: [SmcService] C:\Program Files\Sygate\SPF\Smc.exe (Sygate Technologies, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GammaTray.lnk = C:\Program Files\MagicTune Premium\GammaTray.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\NetLimiter\nl_lsp.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\NetLimiter\nl_lsp.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\NetLimiter\nl_lsp.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\NetLimiter\nl_lsp.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\NetLimiter\nl_lsp.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\NetLimiter\nl_lsp.dll ()
O15 - HKCU\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKCU\..Trusted Domains: orange.co.il ([access] https in Trusted sites)
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} https://access.orang...ca32/wficat.cab (Citrix ICA Client)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1272040042125 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://dl8-cdn-09.su...ows-i586-jc.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {EC0403E0-9158-4CF8-A2B6-3C62C3B9B6B7} https://access.orang...t/EPAClient.exe (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.117.235.237 62.219.186.7
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/03/20 09:15:04 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{9ea08bb8-3733-11de-b8e2-002354269aa5}\Shell - "" = AutoRun
O33 - MountPoints2\{9ea08bb8-3733-11de-b8e2-002354269aa5}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{9ea08bb8-3733-11de-b8e2-002354269aa5}\Shell\AutoRun\command - "" = G:\autorun.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/03/20 09:14:48 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17746534284132352)

========== Files/Folders - Created Within 90 Days ==========

[2010/05/05 21:12:32 | 000,162,768 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/05/05 21:12:32 | 000,100,432 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/05/05 21:12:32 | 000,094,800 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/05/05 21:12:32 | 000,046,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/05/05 21:12:32 | 000,028,880 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/05/05 21:12:32 | 000,023,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/05/05 21:12:32 | 000,019,024 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/05/05 21:12:26 | 000,153,184 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/05/05 21:12:26 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/05/05 21:12:23 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/05/05 21:12:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/05/05 20:49:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/05/05 20:49:15 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/05/05 12:03:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Suite
[2010/05/05 12:03:41 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PCSuite
[2010/05/05 12:03:40 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Nokia
[2010/05/05 12:03:37 | 000,018,816 | ---- | C] (Nokia) -- C:\WINDOWS\System32\drivers\pccsmcfd.sys
[2010/05/05 12:03:33 | 000,000,000 | ---D | C] -- C:\Program Files\PC Connectivity Solution
[2010/05/05 12:03:31 | 000,007,936 | ---- | C] (Nokia) -- C:\WINDOWS\System32\drivers\usbser_lowerfltj.sys
[2010/05/05 12:03:31 | 000,007,936 | ---- | C] (Nokia) -- C:\WINDOWS\System32\drivers\usbser_lowerflt.sys
[2010/05/05 12:03:30 | 000,022,016 | ---- | C] (Nokia) -- C:\WINDOWS\System32\drivers\ccdcmbo.sys
[2010/05/05 12:03:29 | 000,660,480 | ---- | C] (Nokia) -- C:\WINDOWS\System32\nmwcdcocls.dll
[2010/05/05 12:03:29 | 000,017,664 | ---- | C] (Nokia) -- C:\WINDOWS\System32\drivers\ccdcmb.sys
[2010/05/05 12:03:27 | 000,000,000 | ---D | C] -- C:\Program Files\Nokia
[2010/05/04 12:18:01 | 000,000,000 | ---D | C] -- C:\Program Files\BwgSoftware
[2010/05/03 09:05:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\pics
[2010/05/01 15:53:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\vlc
[2010/05/01 15:52:32 | 000,000,000 | ---D | C] -- C:\Program Files\vlc-1.0.5
[2010/04/28 12:37:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/04/25 23:25:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2010/04/25 23:25:48 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/25 23:25:47 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/25 23:25:47 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/25 23:25:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/04/24 01:40:18 | 000,000,000 | ---D | C] -- C:\AVGTemp
[2010/04/21 10:22:34 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2010/04/21 00:51:17 | 000,161,296 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010/04/20 23:16:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/04/14 17:54:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\VLSI
[2010/04/08 17:42:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Vinnitsa_2010
[2010/03/25 12:17:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\skypePM
[2010/03/25 12:14:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\OvtCam
[2010/03/25 12:12:25 | 000,000,000 | ---D | C] -- C:\Program Files\directx
[2010/03/25 12:12:21 | 000,174,530 | ---- | C] (OmniVision Technologies, Inc.) -- C:\WINDOWS\System32\drivers\ov519vid.sys
[2010/03/25 12:12:21 | 000,135,168 | ---- | C] (OmniVision Technologies, Inc.) -- C:\WINDOWS\ov519cap.exe
[2010/03/25 12:12:21 | 000,061,440 | ---- | C] (OmniVision Technologies, Inc.) -- C:\WINDOWS\ov519dib.dll
[2010/03/25 12:12:21 | 000,040,960 | ---- | C] (OmniVision Technologies Inc.) -- C:\WINDOWS\System32\ov519ext.dll
[2010/03/25 12:12:21 | 000,025,211 | ---- | C] (OmniVision Technologies Inc.) -- C:\WINDOWS\System32\drivers\ov519cmd.sys
[2010/03/25 12:12:21 | 000,025,099 | ---- | C] (OmniVision Technologies Inc.) -- C:\WINDOWS\System32\ov519ext.ax
[2010/03/25 12:12:21 | 000,016,426 | ---- | C] (OmniVision Technologies Inc.) -- C:\WINDOWS\System32\ov519usd.dll
[2010/03/25 12:12:21 | 000,000,000 | ---D | C] -- C:\Program Files\VGA USB Camera
[2010/03/25 12:11:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Skype
[2010/03/25 11:58:21 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2010/03/25 11:58:20 | 000,000,000 | R--D | C] -- C:\Program Files\Skype
[2010/03/25 11:58:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Skype
[2010/03/24 18:45:14 | 000,000,000 | ---D | C] -- C:\disk_on_key_backup
[2010/03/24 11:49:13 | 000,000,000 | ---D | C] -- C:\Program Files\Xming
[2010/03/24 11:28:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\SSH
[2010/03/20 19:57:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\gtk-2.0
[2010/03/19 00:14:51 | 000,000,000 | ---D | C] -- C:\Program Files\avisplit
[2010/03/12 18:54:58 | 000,000,000 | ---D | C] -- C:\canon_downloads
[2010/02/22 14:25:37 | 000,000,000 | ---D | C] -- C:\Program Files\MSECache
[2010/02/06 13:42:49 | 000,000,000 | ---D | C] -- C:\GMouse20
[2010/02/06 13:42:45 | 000,283,648 | ---- | C] (Stirling Technologies, Inc.) -- C:\WINDOWS\uninst.exe
[2010/02/06 13:42:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\WINDOWS

========== Files - Modified Within 90 Days ==========

[2010/05/06 08:32:41 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/06 08:32:23 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/06 08:23:19 | 000,000,438 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{33678BF7-0ACC-41A0-BD5B-03F8DD4BA146}.job
[2010/05/06 01:23:43 | 007,147,520 | ---- | M] () -- C:\Documents and Settings\Administrator\ntuser.dat
[2010/05/06 01:23:43 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/05/06 00:37:59 | 000,028,014 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\win_logon.reg
[2010/05/05 21:12:32 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/05/05 21:12:32 | 000,001,703 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/05/05 12:06:36 | 000,508,956 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/05/05 12:06:36 | 000,432,492 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/05/05 12:06:36 | 000,067,448 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/05/05 12:03:43 | 000,001,766 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Nokia PC Suite.lnk
[2010/05/04 12:18:01 | 000,002,112 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\BwgBurn.lnk
[2010/05/04 11:24:44 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/01 15:53:16 | 000,000,663 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\vlc.exe.lnk
[2010/04/30 14:55:43 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/30 02:46:15 | 000,000,063 | ---- | M] () -- C:\WINDOWS\vbaddin.ini
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/26 20:37:33 | 000,075,808 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/04/26 20:36:50 | 000,303,624 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/04/23 19:38:28 | 000,000,528 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/04/23 19:38:28 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010/04/22 11:47:00 | 004,318,672 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2010/04/21 01:14:34 | 000,570,790 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\me.jpg
[2010/04/21 00:51:17 | 000,161,296 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010/04/20 22:59:43 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/04/15 03:51:55 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/14 19:47:23 | 000,038,848 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/04/14 19:47:03 | 000,153,184 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/04/14 19:35:47 | 000,046,672 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/04/14 19:35:25 | 000,162,768 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/04/14 19:31:39 | 000,023,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/04/14 19:31:12 | 000,100,432 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/04/14 19:31:09 | 000,094,800 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/04/14 19:31:01 | 000,019,024 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/04/14 19:30:45 | 000,028,880 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/04/10 20:20:50 | 003,351,750 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\kefir_05_kak_na_ulitcu.mp3
[2010/03/26 16:46:11 | 000,000,000 | -H-- | M] () -- C:\Documents and Settings\Administrator\My Documents\Default.rdp
[2010/03/25 12:17:46 | 000,000,056 | -H-- | M] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/03/20 22:07:48 | 000,000,218 | ---- | M] () -- C:\Documents and Settings\Administrator\.recently-used.xbel
[2010/03/04 01:01:44 | 000,000,519 | ---- | M] () -- C:\WINDOWS\WINCMD.INI
[2010/02/06 19:17:10 | 000,000,110 | ---- | M] () -- C:\WINDOWS\GMouse.ini

========== Files Created - No Company Name ==========

[2010/05/06 00:37:59 | 000,028,014 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\win_logon.reg
[2010/05/05 21:12:32 | 000,001,703 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/05/05 12:03:43 | 000,001,766 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Nokia PC Suite.lnk
[2010/05/04 12:18:01 | 000,002,112 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\BwgBurn.lnk
[2010/05/01 15:53:16 | 000,000,663 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\vlc.exe.lnk
[2010/04/21 10:35:00 | 000,000,438 | -H-- | C] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{33678BF7-0ACC-41A0-BD5B-03F8DD4BA146}.job
[2010/04/21 01:14:34 | 000,570,790 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\me.jpg
[2010/04/20 21:54:07 | 003,351,750 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\kefir_05_kak_na_ulitcu.mp3
[2010/04/16 11:59:55 | 007,147,520 | ---- | C] () -- C:\Documents and Settings\Administrator\ntuser.dat
[2010/03/26 16:46:11 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\Administrator\My Documents\Default.rdp
[2010/03/25 12:17:46 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/03/25 12:12:21 | 000,200,704 | ---- | C] () -- C:\WINDOWS\sel3110.exe
[2010/03/25 12:12:21 | 000,040,960 | ---- | C] () -- C:\WINDOWS\CleanDev.exe
[2010/03/25 12:12:21 | 000,032,528 | ---- | C] () -- C:\WINDOWS\amcap.exe
[2010/03/25 11:58:21 | 000,002,265 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/03/20 22:07:48 | 000,000,218 | ---- | C] () -- C:\Documents and Settings\Administrator\.recently-used.xbel
[2010/02/06 19:17:10 | 000,000,110 | ---- | C] () -- C:\WINDOWS\GMouse.ini
[2009/10/20 21:19:30 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2009/03/23 01:47:21 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/03/21 01:12:39 | 000,000,519 | ---- | C] () -- C:\WINDOWS\WINCMD.INI
[2009/03/21 00:21:56 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v5002.dll
[2009/03/21 00:18:48 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\AsIO.dll
[2009/03/21 00:18:48 | 000,012,400 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsIO.sys
[2009/03/21 00:18:45 | 000,011,832 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsInsHelp64.sys
[2009/03/21 00:18:45 | 000,010,216 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsInsHelp32.sys
[2009/03/21 00:15:45 | 000,001,746 | ---- | C] () -- C:\WINDOWS\Language_trs.ini
[2009/03/20 23:31:56 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2009/03/20 23:31:50 | 000,034,642 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2009/03/20 23:31:50 | 000,010,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2008/11/02 16:12:02 | 000,062,464 | ---- | C] () -- C:\WINDOWS\System32\drivers\BazisVirtualCD.sys
[2008/11/02 16:11:38 | 000,056,320 | ---- | C] () -- C:\WINDOWS\System32\drivers\VirtDiskBus.sys
[2007/10/23 11:00:00 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\drivers\cvintdrv.sys
[2004/08/10 21:39:04 | 000,218,264 | ---- | C] () -- C:\WINDOWS\System32\SetAid.dll
[2004/03/30 23:47:44 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\nl_msgs.dll
[2004/03/30 23:47:41 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\nl_msgc.dll

========== LOP Check ==========

[2009/12/22 18:13:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\AVG9
[2009/05/03 21:41:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\BwgSoftware
[2009/06/04 13:03:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Citrix
[2009/03/24 04:07:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2009/03/24 02:45:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Design Science
[2010/05/05 14:06:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\foobar2000
[2010/03/20 20:00:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\gtk-2.0
[2009/05/29 16:31:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\hte
[2009/06/08 19:16:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\ICAClient
[2009/04/10 15:10:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\LockTime
[2009/07/14 18:25:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mp3tag
[2009/05/25 20:54:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\MuPAD
[2009/04/15 19:24:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\National Instruments
[2009/06/04 13:03:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Netscape
[2010/05/05 11:39:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Nokia
[2009/12/30 01:33:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Nokia Ovi Suite
[2010/01/24 15:50:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Notepad++
[2009/08/16 09:28:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\PC Suite
[2010/03/24 18:57:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\SSH
[2010/04/14 02:42:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\uTorrent
[2010/02/03 01:26:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Wireshark
[2010/05/05 21:12:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/05/05 20:59:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2010/05/05 12:02:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Installations
[2009/04/15 18:45:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\National Instruments
[2010/05/05 12:05:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Suite
[2009/12/26 20:18:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PreEmptive Solutions
[2010/05/06 08:23:19 | 000,000,438 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{33678BF7-0ACC-41A0-BD5B-03F8DD4BA146}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2003/02/19 15:23:20 | 000,315,240 | ---- | M] (Microsoft Corporation) -- C:\Q814761_WXP_SP2_x86_ENU.exe
[2003/02/19 15:23:22 | 000,131,944 | ---- | M] (Microsoft Corporation) -- C:\Q814761_WXP_SP2_x86_ENU_Symbols.exe


< MD5 for: AGP440.SYS >
[2008/07/12 18:19:54 | 018,835,952 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2008/07/12 18:19:54 | 018,835,952 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 07:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2007/01/23 17:22:16 | 000,032,890 | ---- | M] () MD5=4FA5D1120762802A741F374F8B391E69 -- C:\Program Files\MATLAB\R2009a\sys\perl\win32\lib\auto\Win32\EventLog\EventLog.dll
[2008/04/14 07:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/14 07:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: IASTOR.SYS >
[2009/03/21 00:20:25 | 000,324,120 | ---- | M] (Intel Corporation) MD5=707C1692214B1C290271067197F075F6 -- C:\Drivers\RAID\IMSM_V8501032_XPVista\IMSM\Driver\32bit\IaStor.sys
[2008/09/18 17:49:33 | 000,324,120 | ---- | M] (Intel Corporation) MD5=707C1692214B1C290271067197F075F6 -- C:\WINDOWS\NLDRV\001\iastor.sys
[2008/09/18 17:49:33 | 000,324,120 | ---- | M] (Intel Corporation) MD5=707C1692214B1C290271067197F075F6 -- C:\WINDOWS\system32\drivers\iaStor.sys
[2009/03/21 00:20:25 | 000,402,456 | ---- | M] (Intel Corporation) MD5=FC28E90F2204D8FD147FA9BFA8A51C01 -- C:\Drivers\RAID\IMSM_V8501032_XPVista\IMSM\Driver\64bit\IaStor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/14 07:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/14 07:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/14 07:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/14 07:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2009/03/21 05:06:28 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/03/21 05:06:28 | 001,089,536 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/03/21 05:06:28 | 000,917,504 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010/04/14 19:30:45 | 000,028,880 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\drivers\aavmker4.sys
[2010/04/14 19:31:01 | 000,019,024 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\drivers\aswFsBlk.sys
[2010/04/14 19:31:09 | 000,094,800 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\drivers\aswmon.sys
[2010/04/14 19:31:12 | 000,100,432 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\drivers\aswmon2.sys
[2010/04/14 19:31:39 | 000,023,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\drivers\aswRdr.sys
[2010/04/14 19:35:25 | 000,162,768 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\drivers\aswSP.sys
[2010/04/14 19:35:47 | 000,046,672 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\drivers\aswTdi.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
[2010/02/24 16:11:07 | 000,455,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\mrxsmb.sys
[2010/02/11 14:36:50 | 000,226,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\tcpip6.sys
[2010/04/21 00:51:17 | 000,161,296 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\system32\drivers\tmcomm.sys
< End of report >

%%%%%%%%%%%%%%%%%%%% OTL LOG END %%%%%%%%%%%%%%%%%%%%


%%%%%%%%%%%%%%%%%%%% OTL EXTRAS LOG START %%%%%%%%%%%%%%%%%%%%




OTL Extras logfile created on: 06/05/2010 08:56:35 - Run 1
OTL by OldTimer - Version 3.2.3.0 Folder = C:\tmp\vir
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 85.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 94.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 931.50 Gb Total Space | 661.27 Gb Free Space | 70.99% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 298.08 Gb Total Space | 34.93 Gb Free Space | 11.72% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: IS
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"8256:TCP" = 8256:TCP

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\OLD_C_80gb\Program Files\eMule\emule.exe" = C:\OLD_C_80gb\Program Files\eMule\emule.exe:*:Disabled:eMule -- File not found
"C:\Program Files\Nokia\Nokia Software Updater\nsu_ui_client.exe" = C:\Program Files\Nokia\Nokia Software Updater\nsu_ui_client.exe:*:Enabled:Nokia Software Updater -- File not found
"C:\Program Files\Common Files\Nokia\Service Layer\A\nsl_host_process.exe" = C:\Program Files\Common Files\Nokia\Service Layer\A\nsl_host_process.exe:*:Enabled:Nokia Service Layer Host Process -- File not found
"C:\OLD_C_80gb\Documents\old_win\eMule\emule.exe" = C:\OLD_C_80gb\Documents\old_win\eMule\emule.exe:*:Enabled:eMule -- (http://www.emule-project.net)
"C:\Program Files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe" = C:\Program Files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe:*:Enabled:Nokia Ovi Suite 2 -- File not found
"C:\Program Files\MagicTune Premium\MagicTune.exe" = C:\Program Files\MagicTune Premium\MagicTune.exe:*:Enabled:MagicTune -- (SEC)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{05EC21B8-4593-3037-A781-A6B5AFFCB19D}" = Microsoft Windows SDK for Visual Studio 2008 .NET Framework Tools
"{065F29A4-D4D9-4BB9-85AF-8A878907BBD6}" = NI LabVIEW Run-Time Engine 8.5.1
"{0699C67B-F5B5-4CA3-A3A9-B976406FA4DA}" = NI Service Locator
"{17F4ADCB-387E-43A5-8292-A4A37704D670}" = NI MDF Support
"{19DC9559-9C20-4A46-A67D-7ECBA52A2788}" = Nokia PC Suite
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F63ED0B-EDD2-4037-B6AB-1358C624AF48}" = Scan
"{212748BB-0DA5-46DE-82A1-403736DC9F27}" = MSVC80_x86
"{241F2BF7-69EB-42A4-9156-96B2426C7504}" = Microsoft SQL Server Compact 3.5 for Devices ENU
"{25A90BCC-92FB-4998-A1C2-403237B79D54}" = NI Circuit Design Suite 10.1 Edu Licenses
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 13
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{291B3A3B-F808-45B8-8113-DF232FCB6C82}" = Microsoft .NET Compact Framework 3.5
"{297BDF30-471F-4E8C-9C05-09C3882300CD}" = NI LabWindows/CVI 8.1.1 Run-Time Engine
"{2E5C075E-11AB-4BDD-918C-7B9A68953FF8}" = Microsoft SQL Server Compact 3.5 Design Tools ENU
"{3116A1B1-4E07-46ED-89F9-57409D88588A}" = NI MetaSuite Installer
"{329A3C81-7884-4A64-B8F6-078795C31506}" = Citrix Endpoint Analysis Client
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{388E4B09-3E71-4649-8921-F44A3A2954A7}" = Microsoft Visual Studio 2005 Tools for Office Runtime
"{38A4AD83-3492-4A4E-A502-48106D88DD3E}" = NI USI 1.5.0
"{3A762A82-618D-3CAA-B847-D074ABFA0B2E}" = MSDN Library for Visual Studio 2008 - ENU
"{45FA54F6-8574-49D2-9E2D-0BDDE6237822}" = NI LabVIEW Run-Time Engine 8.2.1
"{4E0DE929-EB66-4A28-A351-645B22369078}" = NI Update Service 1.0
"{5474BF08-A9D0-49A2-9FCA-4D081B3797B5}" = NI Logos XT Support
"{57700DD3-0C10-4CE6-95BA-630284EE2CB1}" = NI License Manager
"{64c5b887-b5ee-42b8-8596-78905a6b5f1f}" = Microsoft Windows SDK for Visual Studio 2008 SDK Reference Assemblies and IntelliSense
"{671A5B67-1A00-424A-A902-49BC020FB3D1}" = NI VC2005MSMs x86
"{6753B40C-0FBD-3BED-8A9D-0ACAC2DCD85D}" = Microsoft Document Explorer 2008
"{69F9B60B-DD42-43F6-8B74-3E2C85DB3347}" = NI Circuit Design Suite 10.1 Education
"{6C9F6D23-E9AD-43C9-B43A-011562AAF876}" = Windows Mobile 5.0 SDK R2 for Pocket PC
"{6D3245B1-8DB8-4A23-9CD2-2C90F40ABAF6}" = MSVC80_x86_v2
"{6E0352EE-6F0D-4FBC-B1B8-4FF032C78BE0}" = PC Connectivity Solution
"{6E605604-E2CE-4331-AA19-5FEF273F3CFD}" = NI LabVIEW Real-Time FIFO for Runtime
"{6F7D11DC-DE87-45C8-A37E-A35B724FC771}" = NI Help Assistant
"{7469D3E1-2470-4539-81CB-A95036683D9B}" = NI Update Service Extras 1.0
"{74712ACB-DD68-4A05-8D2B-8ABD5B29087C}" = NI Circuit Design Suite 10.1 Core
"{77F73F6E-139D-4B38-AB0D-6D2F0E860478}" = NI Logos 4.9.1
"{7C0B9FD1-5181-4446-AD62-299873B5508B}" = NI Uninstaller
"{7E3668CB-1228-416E-B721-C2FA3247B985}" = NI LabVIEW Real-Time FIFO for Runtime
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{842FAF7C-50EF-4463-9B8F-6222E1384D7D}" = Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{8AD1C907-5AA3-471C-9825-90099149D453}" = BwgBurn Version 0.7.6
"{8F66047B-1AF3-40D9-80D7-106E2EDC2C2A}" = EPU-4 Engine
"{8FB53850-246A-3507-8ADE-0060093FFEA6}" = Visual Studio Tools for the Office system 3.0 Runtime
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-0021-0000-0000-0000000FF1CE}" = Microsoft Office Visual Web Developer 2007
"{90120000-0021-0000-0000-0000000FF1CE}_VisualWebDeveloper_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0021-0409-0000-0000000FF1CE}" = Microsoft Office Visual Web Developer MUI (English) 2007
"{90120000-0021-0409-0000-0000000FF1CE}_VisualWebDeveloper_{E1044ED2-E4AD-4B39-B500-31109750F6B4}" = Microsoft Office SharePoint Designer 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_VisualWebDeveloper_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_VisualWebDeveloper_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{901E040D-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Hebrew User Interface Pack
"{90510409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Visio Professional 2003
"{9656F3AC-6BA9-43F0-ABED-F214B5DAB27B}" = Windows Mobile 5.0 SDK R2 for Smartphone
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{9A33B83D-FFC4-44CF-BEEF-632DECEF2FCD}" = Microsoft SQL Server Database Publishing Wizard 1.2
"{A1062847-0846-427A-92A1-BB8251A91E91}" = HP PSC & OfficeJet 4.2
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A4EA3AB4-E78C-4286-96DF-26035507CE55}" = AiO_Scan
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{AF111648-99A1-453E-81DD-80DBBF6DAD0D}" = MSVC90_x86
"{B268E9A1-04A9-40D0-9866-846BE2B74BA7}" = Microsoft Windows SDK for Visual Studio 2008 Win32 Tools
"{B32E7732-B2FB-3FD0-81AC-6025B1104C66}" = Microsoft Device Emulator version 3.0 - ENU
"{BCC899FE-2DAA-460C-A5FB-60291E73D9C3}" = Microsoft SQL Server Compact 3.5 ENU
"{BF448A52-C83E-455D-B5D3-FD9E964C9419}" = Sygate Personal Firewall Pro
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C50EF365-2898-489A-B6C7-30DAA466E9A2}" = Nokia Connectivity Cable Driver
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{CAA376AF-0DE8-4FCA-942E-C6AC579B94B3}" = Microsoft Windows SDK for Visual Studio 2008 Tools
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D105D090-E9E5-4572-A61C-01EDE7568A17}" = NI TDMS
"{D6044256-A309-43B5-9833-D3FAFE2AD24D}" = MagicTune Premium
"{D7DAD1E4-45F4-3B2B-899A-EA728167EC4F}" = Microsoft Visual Studio 2008 Professional Edition - ENU
"{DB2C5648-700D-4AEF-83E1-70C72F0C34FA}" = NI Math Kernel Libraries
"{EDDF99D9-9FE3-4871-A7DB-D1522C51EE9A}" = Microsoft .NET Compact Framework 2.0 SP2
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F28D6E4E-EA52-49F5-B5E8-EDA4F380F83A}" = NI DN 2.0 installer
"{F7D0E9F5-6025-49FA-B13C-CFA27E062062}" = NI EULA Depot
"05B59228C7E1C21DFBE89260F879BD95880548D8" = Windows Driver Package - Nokia Modem (10/05/2009 4.2)
"32fsu32_is1" = File Scavenger 3.2 (English)
"504244733D18C8F63FF584AEB290E3904E791693" = Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
"8CDCFB95BB84DD9C0F88F22266A0CA86035E55BA" = Windows Driver Package - Nokia Modem (06/01/2009 7.01.0.4)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Audacity_is1" = Audacity 1.2.6
"avast5" = avast! Free Antivirus
"AVI Splitter_is1" = AVI Splitter
"Citrix ICA Web Client" = MetaFrame Presentation Server Web Client for Win32
"CloneCD" = CloneCD
"DSMT6" = MathType 6
"ERUNT_is1" = ERUNT 1.1j
"foobar2000" = foobar2000 v0.9.6.3
"GhostMouse 2.0" = GhostMouse 2.0
"Google Desktop" = Google Desktop
"HC51 9.60PL0" = HI-TECH C51-lite V9.60PL0
"HDMI" = Intel® Graphics Media Accelerator Driver
"HP Photo & Imaging" = HP Image Zone 4.2
"ie8" = Windows Internet Explorer 8
"LAME for Audacity_is1" = LAME v3.98.2 for Audacity
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MatlabR2009a" = MATLAB R2009a
"MentorGraphicsJI" = Mentor Graphics Products
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Document Explorer 2008" = Microsoft Document Explorer 2008
"Microsoft Visual Studio 2005 Tools for Office Runtime" = Visual Studio 2005 Tools for Office Second Edition Runtime
"Microsoft Visual Studio 2008 Professional Edition - ENU" = Microsoft Visual Studio 2008 Professional Edition - ENU
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"Mp3tag" = Mp3tag v2.44
"MSDN Library for Visual Studio 2008 - ENU" = MSDN Library for Visual Studio 2008 - ENU
"Musette_is1" = Musette version 2.9.9
"NetLimiter" = NetLimiter 1.30 (remove only)
"NI Uninstaller" = National Instruments Software
"Nokia PC Suite" = Nokia PC Suite
"Picasa 3" = Picasa 3
"PICC 9.60PL0" = HI-TECH PICC lite V9.60PL0
"Transcribe!_is1" = Transcribe! 7.51
"VGA USB Camera" = VGA USB Camera
"Visual Studio Tools for the Office system 3.0 Runtime" = Visual Studio Tools for the Office system 3.0 Runtime
"VisualWebDeveloper" = Microsoft Visual Studio Web Authoring Component
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"WinPcapInst" = WinPcap 4.1.1
"WinRAR archiver" = WinRAR archiver
"Wireshark" = Wireshark 1.2.6
"Wudf01007" = Microsoft User-Mode Driver Framework Feature Pack 1.7
"Xming_is1" = Xming 6.9.0.31

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 20/04/2010 15:05:58 | Computer Name = IS | Source = VsJITDebugger | ID = 4096
Description = An unhandled win32 exception occurred in avscan.exe [1012]. Just-In-Time
debugging this exception failed with the following error: The logged in user did
not have access to debug the crashing application. Check the documentation index
for 'Just-in-time debugging, errors' for more information.

Error - 24/04/2010 12:59:25 | Computer Name = IS | Source = .NET Runtime 2.0 Error Reporting | ID = 5000
Description = EventType clr20r3, P1 bwg.createdatadisk.exe, P2 0.0.7.5, P3 496a4876,
P4 system.drawing, P5 2.0.0.0, P6 4889dec2, P7 184, P8 20, P9 system.argumentexception,
P10 NIL.

Error - 05/05/2010 04:39:10 | Computer Name = IS | Source = MsiInstaller | ID = 11500
Description = Product: MSVC80_x86_v2 -- Error 1500. Another installation is in progress.
You must complete that installation before continuing this one.

Error - 05/05/2010 04:44:26 | Computer Name = IS | Source = MsiInstaller | ID = 11500
Description = Product: MSVC80_x86 -- Error 1500. Another installation is in progress.
You must complete that installation before continuing this one.

[ System Events ]
Error - 05/05/2010 07:06:12 | Computer Name = IS | Source = Service Control Manager | ID = 7034
Description = The MagicTuneEngine service terminated unexpectedly. It has done
this 1 time(s).

Error - 05/05/2010 13:46:03 | Computer Name = IS | Source = Service Control Manager | ID = 7034
Description = The Java Quick Starter service terminated unexpectedly. It has done
this 1 time(s).

Error - 05/05/2010 13:46:03 | Computer Name = IS | Source = Service Control Manager | ID = 7034
Description = The MagicTuneEngine service terminated unexpectedly. It has done
this 1 time(s).

Error - 05/05/2010 13:46:03 | Computer Name = IS | Source = Service Control Manager | ID = 7034
Description = The Sygate Personal Firewall Pro service terminated unexpectedly.
It has done this 1 time(s).

Error - 05/05/2010 13:46:04 | Computer Name = IS | Source = Service Control Manager | ID = 7031
Description = The AVG Free WatchDog service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 0 milliseconds:
Restart the service.

Error - 05/05/2010 14:01:26 | Computer Name = IS | Source = Service Control Manager | ID = 7034
Description = The MagicTuneEngine service terminated unexpectedly. It has done
this 1 time(s).

Error - 05/05/2010 16:37:29 | Computer Name = IS | Source = Service Control Manager | ID = 7034
Description = The MagicTuneEngine service terminated unexpectedly. It has done
this 1 time(s).

Error - 05/05/2010 17:18:09 | Computer Name = IS | Source = System Error | ID = 1003
Description = Error code 100000d1, parameter1 00000000, parameter2 0000001c, parameter3
00000001, parameter4 873ccff1.

Error - 05/05/2010 17:40:58 | Computer Name = IS | Source = Service Control Manager | ID = 7034
Description = The MagicTuneEngine service terminated unexpectedly. It has done
this 1 time(s).

Error - 05/05/2010 18:23:41 | Computer Name = IS | Source = Service Control Manager | ID = 7034
Description = The MagicTuneEngine service terminated unexpectedly. It has done
this 1 time(s).


< End of report >

%%%%%%%%%%%%%%%%%%%% OTL EXTRAS LOG END %%%%%%%%%%%%%%%%%%%%

#2 RKinner (Malware Expert, MVP, 24,625 posts)
Don't see anything obvious. navlot.com is a Chinese malware site so there is something there. Let's run Combofix and see if it sees anything. (Combofix has something against winpcap so you may need to reinstall it and/or wireshark afterwards.)

Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.

It must be saved to your desktop; do not run it.

Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and rename this file (call it george.exe) to your Desktop from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Double-click on george to start the program.


* Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your protection programs at this time.

We need to check for Rootkits with RootRepeal
* Extract RootRepeal.exe from the archive.
* Open RootRepeal on your desktop.
* Before you run the scan go into Settings, Options, General and move the slider to Middle Level, then close the Settings box!
* Click the Scan button.
* Allow RootRepeal to run a scan of your system. This may take some time.
* Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
Finally let's check that your DNS server hasn't been compromised. Start, Run, cmd, OK to open a new command prompt then type with an Enter after each line:

nslookup avira.com

nslookup avast.com

(Space after nslookup. Do you get the following?

Name: avira.com
Addresses: 62.146.210.52
62.146.210.54
80.190.154.30
80.190.154.32

Name: avast.com
Addresses: 174.37.192.131
174.37.192.132
174.123.201.114
209.62.2.74
67.228.147.162
74.55.40.226
74.55.48.42
74.55.78.82
74.55.78.90
74.86.245.124
174.36.159.204
174.36.159.205

Open your browser and try typing in one of the IP addresses in the URL area then Enter. Does it get blocked too? Try opening Firefox in Safe Mode (Start, All Programs, Mozilla Firefox, Firefox (Safe Mode)). Do you still get blocked when you type in the name rather than the IP address? )

Ron
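An added check (not part of Ron's post, ComboFix or RootRepeal) that complements the nslookup test above: a name can resolve correctly and still be unreachable if a persistent route sends its subnet to a next hop that cannot exist. The script parses PersistentRoutes entries in the form ComboFix prints them (the sample lines are copied from the ComboFix log later in this thread, plus one constructed benign route for contrast), flags gateways that cannot be a real next hop, and reports which of the expected avira.com and avast.com addresses fall inside such a route. It assumes the PC sits on 192.168.1.0/24.

```python
r"""Persistent-route check for the symptoms in this thread (added example, not
ComboFix's or the poster's code).

Parses entries in the form ComboFix prints from
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes,
flags routes whose gateway cannot be a real next hop, and reports which of the
addresses expected from the nslookup step fall inside such a route.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed LAN of the affected PC (the log's gateway column is 192.168.1.0).
LAN = ipaddress.IPv4Network("192.168.1.0/24")

# Route lines copied from the ComboFix log in this thread (the real key holds
# about two hundred like them), plus one constructed, benign route for contrast.
SAMPLE_ROUTES = r'''
"62.146.210.0,255.255.255.0,192.168.1.0,1"=""
"80.190.154.0,255.255.255.0,192.168.1.0,1"=""
"74.55.40.0,255.255.255.0,192.168.1.0,1"=""
"74.55.74.0,255.255.255.0,192.168.1.0,1"=""
"207.46.232.0,255.255.255.0,192.168.1.0,1"=""
"10.10.0.0,255.255.0.0,192.168.1.1,1"=""
'''

# Subset of the addresses the expert asked the poster to expect from nslookup.
EXPECTED = {
    "avira.com": ["62.146.210.52", "62.146.210.54", "80.190.154.30", "80.190.154.32"],
    "avast.com": ["174.37.192.131", "74.55.40.226", "74.55.78.82", "174.36.159.204"],
}

ROUTE_RE = re.compile(
    r'^"(?P<dest>[\d.]+),(?P<mask>[\d.]+),(?P<gw>[\d.]+),(?P<metric>\d+)"='
)


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    metric: int

    def __str__(self) -> str:
        return f"{self.network} via {self.gateway} metric {self.metric}"


def parse_persistent_routes(text: str) -> List[Route]:
    """Parse REGEDIT4-style PersistentRoutes lines; other lines are ignored."""
    routes: List[Route] = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        network = ipaddress.IPv4Network(f"{m['dest']}/{m['mask']}", strict=False)
        routes.append(Route(network, ipaddress.IPv4Address(m["gw"]), int(m["metric"])))
    return routes


def why_suspicious(route: Route, lan: ipaddress.IPv4Network = LAN) -> Optional[str]:
    """Reason the route can only drop traffic, or None if it looks usable.

    The next hop must be a host on the LAN. The LAN's network address (here
    192.168.1.0) and its broadcast address are not hosts, so ARP for them never
    gets an answer and every packet matching the route is dropped on this
    machine, which matches a sniffer on the same box seeing no outgoing SYN.
    """
    if route.gateway == lan.network_address:
        return "gateway is the LAN network address, which no host can hold"
    if route.gateway == lan.broadcast_address:
        return "gateway is the LAN broadcast address"
    if route.gateway not in lan:
        return "gateway is not on the local subnet"
    return None


def blackholed_addresses(
    routes: List[Route], expected: Dict[str, List[str]], lan: ipaddress.IPv4Network = LAN
) -> Dict[str, str]:
    """Map each expected address covered by a suspicious route to that route."""
    bad = [r for r in routes if why_suspicious(r, lan)]
    hits: Dict[str, str] = {}
    for name, addrs in expected.items():
        for addr in addrs:
            ip = ipaddress.IPv4Address(addr)
            for route in bad:
                if ip in route.network:
                    hits[addr] = f"{name}: {route}"
                    break
    return hits


if __name__ == "__main__":
    routes = parse_persistent_routes(SAMPLE_ROUTES)
    for route in routes:
        reason = why_suspicious(route)
        print(f"{'SUSPECT' if reason else 'ok'}: {route}" + (f" ({reason})" if reason else ""))
    for addr, info in blackholed_addresses(routes, EXPECTED).items():
        print(f"blackholed: {addr} -> {info}")
```

On the affected machine the same entries can be exported with `reg export` of the PersistentRoutes key, or listed with `route print`, and fed to the parser instead of the sample.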

#3 igshum (Topic Starter, New Member, 8 posts)
I ran both reports.
In the combofix report, I saw that I have lots of permanent routes; I presume this is the cause of the symptoms I've been having.
I didn't remove the permanent routes yet.
is there anything but that?



%%%%%%%%%%%%%%%%%%%% COMBOFIX START %%%%%%%%%%%%%%%%%%%%
ComboFix 10-05-08.03 - Administrator 09/05/2010 23:38:34.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.3293.2801 [GMT 3:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2010-04-09 to 2010-05-09 )))))))))))))))))))))))))))))))
.

2010-05-05 18:12 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-05 18:12 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-05 18:12 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-05 18:12 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-05-05 18:12 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-05-05 18:12 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-05 18:12 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-05-05 18:12 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-05 18:12 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-05-05 18:12 . 2010-05-05 18:12 -------- d-----w- c:\program files\Alwil Software
2010-05-05 18:12 . 2010-05-05 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-05-05 17:49 . 2010-05-05 17:49 -------- d-----w- c:\program files\ERUNT
2010-05-04 09:18 . 2010-05-04 09:18 1078 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{8AD1C907-5AA3-471C-9825-90099149D453}\_982A875D479B881E8BC3F8.exe
2010-05-04 09:18 . 2010-05-04 09:18 1078 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{8AD1C907-5AA3-471C-9825-90099149D453}\_6FEFF9B68218417F98F549.exe
2010-05-04 09:18 . 2010-05-04 09:18 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{8AD1C907-5AA3-471C-9825-90099149D453}\_CD7A566416CB0F4732A213.exe
2010-05-04 09:18 . 2010-05-04 09:18 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{8AD1C907-5AA3-471C-9825-90099149D453}\_C5D305451462776D515228.exe
2010-05-04 09:18 . 2010-05-04 09:18 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{8AD1C907-5AA3-471C-9825-90099149D453}\_BAB439F85894BB68336E8C.exe
2010-05-04 09:18 . 2010-05-04 09:18 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{8AD1C907-5AA3-471C-9825-90099149D453}\_B112C372C9594A1416049A.exe
2010-05-04 09:18 . 2010-05-04 09:18 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{8AD1C907-5AA3-471C-9825-90099149D453}\_A43C6D9A4D2EEE69CDA890.exe
2010-05-04 09:18 . 2010-05-04 09:18 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{8AD1C907-5AA3-471C-9825-90099149D453}\_8E8C856F74FE3D1033F368.exe
2010-05-04 09:18 . 2010-05-04 09:18 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{8AD1C907-5AA3-471C-9825-90099149D453}\_1FA4B42724D78AE0E46F5F.exe
2010-05-04 09:18 . 2010-05-04 09:18 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{8AD1C907-5AA3-471C-9825-90099149D453}\_063B20791A79389576EC68.exe
2010-05-04 09:18 . 2010-05-04 09:18 -------- d-----w- c:\program files\BwgSoftware
2010-05-01 12:53 . 2010-05-05 20:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-05-01 12:52 . 2010-05-01 12:53 -------- d-----w- c:\program files\vlc-1.0.5
2010-04-25 20:25 . 2010-04-25 20:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-25 20:25 . 2010-04-29 12:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-25 20:25 . 2010-05-05 18:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-25 20:25 . 2010-04-29 12:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-25 20:25 . 2010-04-25 20:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-24 15:58 . 2009-08-06 16:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-04-23 22:40 . 2010-04-30 00:03 -------- d-----w- C:\AVGTemp
2010-04-21 07:42 . 2010-04-21 07:42 14846 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{329A3C81-7884-4A64-B8F6-078795C31506}\EPA_Icon.914326BE_BDF9_4068_A4AF_AF1B75093799.exe
2010-04-21 07:22 . 2010-04-21 07:22 -------- d--h--w- c:\windows\PIF
2010-04-20 21:51 . 2010-04-20 21:51 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-04-20 20:43 . 2010-04-20 20:43 242696 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-04-20 20:43 . 2010-04-20 20:43 1689952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-04-20 20:16 . 2010-05-05 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-20 19:47 . 2010-04-20 19:47 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-19 17:48 . 2010-04-19 17:48 -------- d-----w- c:\documents and settings\LocalService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-05 17:59 . 2009-11-27 01:08 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-05-05 11:06 . 2009-03-22 10:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\foobar2000
2010-05-05 09:05 . 2010-05-05 09:03 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Suite
2010-05-05 09:03 . 2010-05-05 09:03 -------- d-----w- c:\program files\Common Files\PCSuite
2010-05-05 09:03 . 2010-05-05 09:03 -------- d-----w- c:\program files\Common Files\Nokia
2010-05-05 09:03 . 2010-05-05 09:03 -------- d-----w- c:\program files\Nokia
2010-05-05 09:03 . 2010-05-05 09:03 -------- d-----w- c:\program files\PC Connectivity Solution
2010-05-05 09:03 . 2010-05-05 09:03 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\pcswpcsi.exe
2010-05-05 09:03 . 2010-05-05 09:03 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstCCD.exe
2010-05-05 09:03 . 2010-05-05 09:03 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2010-05-05 09:03 . 2010-05-05 09:03 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstPCS.exe
2010-05-05 09:02 . 2009-07-04 13:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2010-05-05 09:02 . 2010-05-05 09:03 34523600 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Nokia_PC_Suite_heb_web.exe
2010-05-05 08:39 . 2009-07-04 14:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Nokia
2010-05-01 12:46 . 2009-04-08 00:14 -------- d-----w- c:\program files\vlc-0.9.9
2010-04-26 17:37 . 2009-03-23 20:14 75808 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-25 22:24 . 2009-12-26 17:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-25 22:24 . 2009-12-26 17:21 934240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\9.0\1033\ResourceCache.dll
2010-04-25 22:20 . 2009-12-26 17:21 18368 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSA\9.0\1033\ResourceCache.dll
2010-04-25 22:20 . 2009-04-15 15:44 -------- d-----w- c:\program files\Common Files\Merge Modules
2010-04-20 20:06 . 2010-03-25 09:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2010-04-13 23:42 . 2009-04-07 21:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2010-04-08 09:13 . 2010-04-08 09:13 598296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
2010-04-08 09:13 . 2010-04-08 09:13 556824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2010-04-08 09:13 . 2010-04-08 09:13 459544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcclix.dll
2010-04-08 09:13 . 2010-04-08 09:13 4250976 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-04-08 09:13 . 2010-04-08 09:13 4076824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-04-08 09:13 . 2010-04-08 09:13 313112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglogx.dll
2010-04-08 09:13 . 2010-04-08 09:13 301336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
2010-04-08 09:13 . 2010-04-08 09:13 2059544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2010-04-08 09:13 . 2010-04-08 09:13 1598744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-04-08 09:13 . 2010-04-08 09:13 1515224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgwd.dll
2010-04-08 09:13 . 2010-04-08 09:13 1274136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-04-08 09:13 . 2010-04-08 09:13 1086744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchsvx.exe
2010-04-08 09:12 . 2010-04-08 09:12 1035032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-04-07 23:49 . 2010-03-25 09:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2010-03-25 09:17 . 2010-03-25 09:17 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-03-25 09:12 . 2010-03-25 09:12 -------- d-----w- c:\program files\VGA USB Camera
2010-03-25 09:12 . 2010-03-25 09:12 -------- d-----w- c:\program files\directx
2010-03-25 09:12 . 2009-03-20 20:32 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-25 08:58 . 2010-03-25 08:58 -------- d-----r- c:\program files\Skype
2010-03-25 08:58 . 2010-03-25 08:58 -------- d-----w- c:\program files\Common Files\Skype
2010-03-25 08:58 . 2010-03-25 08:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-03-24 15:57 . 2010-03-24 08:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\SSH
2010-03-24 08:49 . 2010-03-24 08:49 -------- d-----w- c:\program files\Xming
2010-03-21 16:28 . 2009-04-07 21:40 -------- d-----w- c:\program files\uTorrent
2010-03-20 17:00 . 2010-03-20 16:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\gtk-2.0
2010-03-18 21:14 . 2010-03-18 21:14 -------- d-----w- c:\program files\avisplit
2010-03-10 06:15 . 2008-07-12 15:09 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2008-04-22 20:16 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2008-04-14 04:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-16 14:08 . 2008-04-14 04:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2008-04-14 04:01 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:27 . 2008-04-14 04:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 11:36 . 2008-07-12 15:09 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2007-02-08 08:48 . 2007-02-08 08:48 133920 ----a-w- c:\program files\internet explorer\plugins\LV82ActiveXControl.dll
2007-07-24 16:03 . 2007-07-24 16:03 118784 ----a-w- c:\program files\internet explorer\plugins\LV85ActiveXControl.dll
2009-11-27 00:33 . 2009-03-28 20:54 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

------- Sigcheck -------

[-] 2008-09-18 . 77965B76FAD83E7A5E9A90DEEC80363D . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-20 16876032]
"Six Engine"="c:\program files\ASUS\EPU-4 Engine\FourEngine.exe" [2008-07-23 5625344]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-20 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-20 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-03-20 150040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-11-27 30192]
"NetLimiter"="c:\program files\NetLimiter\NetLimiter.exe" [2004-03-31 823296]
"NI Background Service"="c:\program files\National Instruments\Shared\Update Service\BackgroundService.exe" [2008-04-03 77824]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2004-12-27 57344]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-08-13 2532576]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
GammaTray.lnk - c:\program files\MagicTune Premium\GammaTray.exe [2010-1-17 36864]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\persistentroutes]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-05-14 19:37 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\OLD_C_80gb\\Documents\\old_win\\eMule\\emule.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\MagicTune Premium\\MagicTune.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8256:TCP"= 8256:TCP

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [05/05/2010 21:12 164048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [05/05/2010 21:12 19024]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [20/10/2009 21:19 50704]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [21/03/2009 00:22 110080]
R3 VirtDiskBus;Virtual disk Enumerator;c:\windows\system32\drivers\VirtDiskBus.sys [02/11/2008 16:11 56320]
S3 BazisVirtualCD;Virtual CD driver;c:\windows\system32\drivers\BazisVirtualCD.sys [02/11/2008 16:12 62464]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [28/03/2009 23:54 30192]
.
Contents of the 'Scheduled Tasks' folder

2010-05-09 c:\windows\Tasks\User_Feed_Synchronization-{33678BF7-0ACC-41A0-BD5B-03F8DD4BA146}.job
- c:\windows\system32\msfeedssync.exe [2008-07-12 01:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
LSP: c:\program files\NetLimiter\nl_lsp.dll
Trusted Zone: orange.co.il\access
TCP: {14DB00E9-A6F9-4660-9376-6FF55ACB561B} = 8.8.8.8,8.8.4.4
DPF: {EC0403E0-9158-4CF8-A2B6-3C62C3B9B6B7} - hxxps://access.orange.co.il/CitrixLogonPoint/SampleLogonPoint/EPAClient/EPAClient.exe
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1kgzer79.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\plugins\npCtxCAO.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPLV82Win32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nplv85win32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
MSConfigStartUp-NokiaOviSuite2 - c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-09 23:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1060284298-1482476501-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,10,2f,6d,07,35,74,cb,48,ab,22,8e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a3,61,39,56,6a,37,f6,4b,85,fd,6e,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,10,2f,6d,07,35,74,cb,48,ab,22,8e,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,10,2f,6d,07,35,74,cb,48,ab,22,8e,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,10,2f,6d,07,35,74,cb,48,ab,22,8e,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(628)
c:\program files\NetLimiter\nl_lsp.dll
c:\windows\system32\nl_msgc.dll

- - - - - - - > 'explorer.exe'(1180)
c:\windows\system32\WININET.dll
c:\windows\system32\SSSensor.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_heb.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Sygate\SPF\smc.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\MagicTune Premium\MagicTuneEngine.exe
c:\program files\MagicTune Premium\MagicTune.exe
.
**************************************************************************
.
Completion time: 2010-05-09 23:45:34 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-09 20:45

Pre-Run: 709,773,742,080 bytes free
Post-Run: 709,650,526,208 bytes free

- - End Of File - - 95C7FB0B28AEBB5F4C3B646C9F716F22
%%%%%%%%%%%%%%%%%%%% COMBOFIX END %%%%%%%%%%%%%%%%%%%%



%%%%%%%%%%%%%%%%%%%% ROOT REPEAL START %%%%%%%%%%%%%%%%%%%%
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/05/10 00:13
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

%%%%%%%%%%%%%%%%%%%% ROOT REPEAL END %%%%%%%%%%%%%%%%%%%%
  • 0

#4
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
As you say, the persistent routes need to go, plus this file is dirty:

c:\windows\system32\sfcfiles.dll

Let's see if we have a replacement handy:

# Double click on the OTL icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
# Under the Custom Scan box paste this in:

/md5start
sfcfiles.dll
/md5stop

Then hit Quick Scan. Post the log.

Do you feel comfortable removing the persistent routes?

Probably the easiest way is just to go into regedit and delete the key:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\persistentroutes]

Then go back in and recreate it as a New Key under parameters. Safer but more tedious would be to delete each value individually.

A tcp/ip reset might also do the job for us.

Copy the next line:

netsh int ip reset reset.log

Start, Run, cmd, OK to open a command window, then right-click and Paste, then Enter, and reboot. You can check whether it worked by opening a command window and typing:

route print
I suspect this might not be a good thing too:

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8256:TCP"= 8256:TCP

Don't know what is using port 8256.

After you get rid of the routes rerun combofix and let it install the recovery console.

Ron
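The audit-then-remove procedure described in the post above, as an added example that is not part of the original thread and not code from RKinner, OTL, ComboFix or any other tool named here. It reads the same two registry locations the post points at (PersistentRoutes and the firewall GloballyOpenPorts list), lists every entry, flags the ones that look like a black-hole route, and removes them value by value rather than deleting the whole key. The LAN prefix 192.168.1. and port 8256 are taken from this thread; the "host route to a public address" heuristic and the RFC 1918 pattern are assumptions of mine and will not catch every malicious route, so review the printed list before dropping -WhatIf. Run from an elevated PowerShell on the affected host.

```powershell
# Added example (not from the thread or any tool in it): audit persistent routes and
# globally open firewall ports before removing anything.
$RoutesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes'
$PortsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List'
$LanPrefix = '192.168.1.'   # assumption: subnet from this thread; set to the host's own LAN
$Private   = '^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'   # RFC 1918 + loopback

# Persistent routes are stored as value NAMES of the form "dest,mask,gateway,metric"
# (the value data is empty), so each one can be read and removed individually.
function Get-PersistentRoute {
    if (-not (Test-Path $RoutesKey)) { return }
    foreach ($name in (Get-Item $RoutesKey).GetValueNames()) {
        if (-not $name) { continue }                      # skip a stray (Default) value
        $dest, $mask, $gw, $metric = $name -split ','
        [pscustomobject]@{
            Raw         = $name
            Destination = $dest
            Netmask     = $mask
            Gateway     = $gw
            Metric      = [int]$metric
            # Heuristic (assumption): a /32 route to a public address, or any route whose
            # gateway is not on the LAN, is the pattern used to black-hole vendor sites.
            Suspicious  = ($mask -eq '255.255.255.255' -and $dest -notmatch $Private) -or
                          ($gw -notlike "$LanPrefix*")
        }
    }
}

# GloballyOpenPorts entries: value name "port:proto", data "port:proto:scope:Enabled:name".
function Get-GloballyOpenPort {
    if (-not (Test-Path $PortsKey)) { return }
    $key = Get-Item $PortsKey
    foreach ($name in $key.GetValueNames()) {
        if (-not $name) { continue }
        $port, $proto = $name -split ':'
        [pscustomobject]@{ Port = [int]$port; Protocol = $proto; Rule = $key.GetValue($name) }
    }
}

$routes = @(Get-PersistentRoute)
"Persistent routes found: {0}" -f $routes.Count
$routes | Format-Table Destination, Netmask, Gateway, Metric, Suspicious -AutoSize
"Globally open firewall ports:"
Get-GloballyOpenPort | Format-Table -AutoSize

# Remove only the flagged routes, one value at a time (the safer option in the post),
# instead of deleting and recreating the whole key. Drop -WhatIf once reviewed.
foreach ($r in ($routes | Where-Object Suspicious)) {
    Remove-ItemProperty -Path $RoutesKey -Name $r.Raw -WhatIf
}
# The port the post could not account for; remove it the same way if nothing legitimate owns it.
Remove-ItemProperty -Path $PortsKey -Name '8256:TCP' -WhatIf

# Persistent routes are loaded into the live table at boot, so reboot and confirm with:
route print
```

Reading the registry directly rather than trusting `route print` matters here: the thread is about malware that blocked traffic below the sniffer, and a stored route is the ground truth of what will come back after the next reboot.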

#5
igshum
    New Member (Topic Starter)
I've removed the persistent routes in the registry and reset TCP/IP using netsh (I'll need to reinstall WinPcap again).
I've deleted the TCP:8256 port from GloballyOpenPorts, since I don't remember allowing it.
'route print' now looks normal.
HTTP to the previously blocked sites now works (I was even blocked from geekstogo.com :), and now it works).


%%%%%%%%%%%%%%%%%%%% ROUTE PRINT START %%%%%%%%%%%%%%%%%%%%
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 23 54 26 9a a5 ...... Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.100       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0    192.168.1.100   192.168.1.100      20
    192.168.1.100  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.1.255  255.255.255.255    192.168.1.100   192.168.1.100      20
        224.0.0.0        240.0.0.0    192.168.1.100   192.168.1.100      20
  255.255.255.255  255.255.255.255    192.168.1.100   192.168.1.100       1
Default Gateway: 192.168.1.1
===========================================================================
%%%%%%%%%%%%%%%%%%%% ROUTE PRINT END %%%%%%%%%%%%%%%%%%%%



%%%%%%%%%%%%%%%%%%%% OTL WITH MD5 sfcfiles.dll START %%%%%%%%%%%%%%%%%%%%
OTL logfile created on: 10/05/2010 01:34:29 - Run 2
OTL by OldTimer - Version 3.2.3.0 Folder = C:\tmp\vir
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 83.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 94.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 931.50 Gb Total Space | 660.91 Gb Free Space | 70.95% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 298.08 Gb Total Space | 35.01 Gb Free Space | 11.75% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: IS
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/05/06 23:59:42 | 002,815,192 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/05/06 23:59:38 | 000,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2010/04/26 01:50:50 | 000,563,712 | ---- | M] (OldTimer Tools) -- C:\tmp\vir\OTL.exe
PRC - [2009/12/15 18:19:14 | 002,465,792 | ---- | M] (SEC) -- C:\Program Files\MagicTune Premium\MagicTune.exe
PRC - [2009/11/27 03:33:24 | 000,030,192 | ---- | M] (Google) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
PRC - [2008/07/23 18:04:20 | 005,625,344 | ---- | M] () -- C:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe
PRC - [2008/04/14 07:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/08/23 16:05:00 | 000,045,056 | ---- | M] () -- C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
PRC - [2007/01/15 17:18:00 | 000,036,864 | ---- | M] () -- C:\Program Files\MagicTune Premium\GammaTray.exe
PRC - [2004/08/13 20:05:56 | 002,532,576 | ---- | M] (Sygate Technologies, Inc.) -- C:\Program Files\Sygate\SPF\Smc.exe
PRC - [2004/03/31 16:23:06 | 000,823,296 | ---- | M] (LockTime) -- C:\Program Files\NetLimiter\NetLimiter.exe


========== Modules (SafeList) ==========

MOD - [2010/04/26 01:50:50 | 000,563,712 | ---- | M] (OldTimer Tools) -- C:\tmp\vir\OTL.exe
MOD - [2004/08/10 18:05:30 | 000,083,096 | ---- | M] (Sygate Technologies, Inc.) -- C:\WINDOWS\system32\SSSensor.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/05/06 23:59:38 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/05/06 23:59:38 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/05/06 23:59:38 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2009/11/27 03:33:24 | 000,030,192 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager-110309-193829)
SRV - [2009/10/27 09:26:36 | 000,657,408 | ---- | M] (Nokia) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2009/10/20 21:19:48 | 000,117,264 | ---- | M] (CACE Technologies, Inc.) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2007/11/27 16:38:04 | 000,695,136 | ---- | M] (National Instruments, Inc.) [On_Demand | Stopped] -- C:\WINDOWS\system32\lkcitdl.exe -- (LkCitadelServer)
SRV - [2007/11/27 14:57:52 | 000,213,552 | ---- | M] (National Instruments Corporation) [On_Demand | Stopped] -- C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe -- (NIDomainService)
SRV - [2007/11/27 14:57:20 | 000,050,736 | ---- | M] (National Instruments Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\lktsrv.exe -- (lkTimeSync)
SRV - [2007/11/27 14:56:48 | 000,040,488 | ---- | M] (National Instruments Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\lkads.exe -- (lkClassAds)
SRV - [2007/11/07 09:58:18 | 003,004,416 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe -- (msvsmon90)
SRV - [2007/08/23 16:05:00 | 000,045,056 | ---- | M] () [Auto | Running] -- C:\Program Files\MagicTune Premium\MagicTuneEngine.exe -- (MagicTuneEngine)
SRV - [2007/07/19 17:38:16 | 000,048,704 | ---- | M] (National Instruments Corp.) [On_Demand | Stopped] -- C:\WINDOWS\System32\nisvcloc.exe -- (niSvcLoc)
SRV - [2007/01/29 16:19:48 | 001,007,616 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe -- (NILM License Manager)
SRV - [2004/08/13 20:05:56 | 002,532,576 | ---- | M] (Sygate Technologies, Inc.) [Auto | Running] -- C:\Program Files\Sygate\SPF\Smc.exe -- (SmcService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
DRV - [2010/05/06 23:39:23 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/05/06 23:39:00 | 000,164,048 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/05/06 23:34:27 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/05/06 23:33:59 | 000,100,432 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/05/06 23:33:47 | 000,019,024 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/05/06 23:33:29 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2009/10/20 21:19:44 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2009/10/06 11:52:50 | 000,007,936 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys -- (UsbserFilt)
DRV - [2009/10/06 11:52:34 | 000,022,016 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdcmbo.sys -- (nmwcdc)
DRV - [2009/10/06 11:52:34 | 000,017,664 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdcmb.sys -- (nmwcd)
DRV - [2009/10/06 11:52:34 | 000,007,936 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbser_lowerflt.sys -- (upperdev)
DRV - [2009/06/04 14:53:04 | 000,014,080 | ---- | M] (Samsung Electronics, Inc. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MTiCtwl.sys -- (MagicTune)
DRV - [2009/03/21 00:21:31 | 000,110,080 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntcHdmi.sys -- (IntcHdmiAddService) Intel®
DRV - [2009/03/21 00:21:30 | 006,048,480 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2009/03/21 00:19:38 | 000,111,360 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2009/03/21 00:18:34 | 000,012,400 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AsIO.sys -- (AsIO)
DRV - [2009/03/21 00:15:20 | 004,745,216 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/11/02 22:55:08 | 000,062,464 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BazisVirtualCD.sys -- (BazisVirtualCD)
DRV - [2008/11/02 16:14:10 | 000,056,320 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VirtDiskBus.sys -- (VirtDiskBus)
DRV - [2008/09/18 17:49:33 | 000,324,120 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\iaStor.sys -- (iaStor)
DRV - [2008/08/26 09:26:12 | 000,018,816 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2008/04/14 07:00:00 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/04/14 05:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2007/10/23 11:00:00 | 000,004,096 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\cvintdrv.sys -- (cvintdrv)
DRV - [2005/01/02 04:10:37 | 000,026,240 | ---- | M] (SlySoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ElbyCDFL.sys -- (ElbyCDFL)
DRV - [2005/01/02 04:07:05 | 000,009,728 | ---- | M] (Elaborate Bytes AG) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ElbyCDIO.sys -- (ElbyCDIO)
DRV - [2004/08/13 05:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2004/08/10 18:05:44 | 000,014,240 | ---- | M] (Sygate Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\Drivers\wg6n.sys -- (wg6n)
DRV - [2004/08/10 18:05:42 | 000,014,240 | ---- | M] (Sygate Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\Drivers\wg5n.sys -- (wg5n)
DRV - [2004/08/10 18:05:42 | 000,014,240 | ---- | M] (Sygate Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\Drivers\wg4n.sys -- (wg4n)
DRV - [2004/08/10 18:05:42 | 000,014,240 | ---- | M] (Sygate Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\Drivers\wg3n.sys -- (wg3n)
DRV - [2004/08/10 17:53:14 | 000,021,075 | ---- | M] (Sygate Technologies, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\wpsdrvnt.sys -- (wpsdrvnt)
DRV - [2004/08/10 17:51:30 | 000,059,984 | ---- | M] (Sygate Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\Drivers\Teefer.sys -- (Teefer)
DRV - [2003/09/25 02:00:00 | 000,174,530 | ---- | M] (OmniVision Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ov519vid.sys -- (ovt519)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://il.msn.com/iat/us_il.aspx
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 70 43 E1 AD C9 E0 CA 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.6.8
FF - prefs.js..extensions.enabledItems: {44d0a1b4-9c90-4f86-ac92-8680b5d6549e}:0.6.4.1
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/10 17:06:09 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/26 01:21:41 | 000,000,000 | ---D | M]

[2009/03/22 00:52:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2010/05/09 23:32:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1kgzer79.default\extensions
[2009/10/07 17:18:06 | 000,000,000 | ---D | M] (Gmail Notifier) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1kgzer79.default\extensions\{44d0a1b4-9c90-4f86-ac92-8680b5d6549e}
[2010/04/20 22:45:09 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1kgzer79.default\extensions\{a089fffd-e0cb-431b-8d3a-ebb8afb26dcf}
[2010/05/01 15:36:56 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1kgzer79.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/04/13 11:48:02 | 000,000,000 | ---D | M] (Download Statusbar) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1kgzer79.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2010/04/20 22:45:09 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1kgzer79.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2009/12/25 17:54:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1kgzer79.default\extensions\filtersetg@updater
[2010/05/09 23:32:47 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/03/25 11:58:43 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2007/02/08 11:48:16 | 000,028,448 | ---- | M] (National Instruments) -- C:\Program Files\Mozilla Firefox\plugins\NPLV82Win32.dll
[2007/07/24 19:03:42 | 000,023,040 | ---- | M] (National Instruments) -- C:\Program Files\Mozilla Firefox\plugins\nplv85win32.dll

O1 HOSTS File: ([2010/05/09 23:42:54 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [CloneCDTray] C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe (SlySoft, Inc.)
O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
O4 - HKLM..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe (LockTime)
O4 - HKLM..\Run: [NI Background Service] C:\Program Files\National Instruments\Shared\Update Service\BackgroundService.exe (National Instruments)
O4 - HKLM..\Run: [Six Engine] C:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe ()
O4 - HKLM..\Run: [SmcService] C:\Program Files\Sygate\SPF\Smc.exe (Sygate Technologies, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GammaTray.lnk = C:\Program Files\MagicTune Premium\GammaTray.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\NetLimiter\nl_lsp.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\NetLimiter\nl_lsp.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\NetLimiter\nl_lsp.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\NetLimiter\nl_lsp.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\NetLimiter\nl_lsp.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\NetLimiter\nl_lsp.dll ()
O15 - HKCU\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKCU\..Trusted Domains: orange.co.il ([access] https in Trusted sites)
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} https://access.orang...ca32/wficat.cab (Citrix ICA Client)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1272040042125 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://dl8-cdn-09.su...ows-i586-jc.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {EC0403E0-9158-4CF8-A2B6-3C62C3B9B6B7} https://access.orang...t/EPAClient.exe (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.117.235.237 62.219.186.7
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/03/20 09:15:04 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/05/10 00:09:23 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/05/09 23:37:08 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/05/09 23:37:08 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/05/09 23:37:08 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/05/09 23:37:08 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/05/09 23:36:54 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/05 21:12:32 | 000,164,048 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/05/05 21:12:32 | 000,100,432 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/05/05 21:12:32 | 000,094,800 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/05/05 21:12:32 | 000,046,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/05/05 21:12:32 | 000,028,880 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/05/05 21:12:32 | 000,023,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/05/05 21:12:32 | 000,019,024 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/05/05 21:12:26 | 000,165,032 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/05/05 21:12:26 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/05/05 21:12:23 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/05/05 21:12:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/05/05 20:49:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/05/05 20:49:15 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/05/05 12:03:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Suite
[2010/05/05 12:03:41 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PCSuite
[2010/05/05 12:03:40 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Nokia
[2010/05/05 12:03:37 | 000,018,816 | ---- | C] (Nokia) -- C:\WINDOWS\System32\drivers\pccsmcfd.sys
[2010/05/05 12:03:33 | 000,000,000 | ---D | C] -- C:\Program Files\PC Connectivity Solution
[2010/05/05 12:03:31 | 000,007,936 | ---- | C] (Nokia) -- C:\WINDOWS\System32\drivers\usbser_lowerfltj.sys
[2010/05/05 12:03:31 | 000,007,936 | ---- | C] (Nokia) -- C:\WINDOWS\System32\drivers\usbser_lowerflt.sys
[2010/05/05 12:03:30 | 000,022,016 | ---- | C] (Nokia) -- C:\WINDOWS\System32\drivers\ccdcmbo.sys
[2010/05/05 12:03:29 | 000,660,480 | ---- | C] (Nokia) -- C:\WINDOWS\System32\nmwcdcocls.dll
[2010/05/05 12:03:29 | 000,017,664 | ---- | C] (Nokia) -- C:\WINDOWS\System32\drivers\ccdcmb.sys
[2010/05/05 12:03:27 | 000,000,000 | ---D | C] -- C:\Program Files\Nokia
[2010/05/04 12:18:01 | 000,000,000 | ---D | C] -- C:\Program Files\BwgSoftware
[2010/05/03 09:05:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\pics
[2010/05/01 15:53:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\vlc
[2010/05/01 15:52:32 | 000,000,000 | ---D | C] -- C:\Program Files\vlc-1.0.5
[2010/04/28 12:37:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/04/25 23:25:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2010/04/25 23:25:48 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/25 23:25:47 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/25 23:25:47 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/25 23:25:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/04/24 01:40:18 | 000,000,000 | ---D | C] -- C:\AVGTemp
[2010/04/21 10:22:34 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2010/04/21 00:51:17 | 000,161,296 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010/04/20 23:16:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/04/14 17:54:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\VLSI
[2010/04/08 17:42:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Vinnitsa_2010
[2010/03/25 12:17:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\skypePM
[2010/03/25 12:14:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\OvtCam
[2010/03/25 12:12:25 | 000,000,000 | ---D | C] -- C:\Program Files\directx
[2010/03/25 12:12:21 | 000,174,530 | ---- | C] (OmniVision Technologies, Inc.) -- C:\WINDOWS\System32\drivers\ov519vid.sys
[2010/03/25 12:12:21 | 000,135,168 | ---- | C] (OmniVision Technologies, Inc.) -- C:\WINDOWS\ov519cap.exe
[2010/03/25 12:12:21 | 000,061,440 | ---- | C] (OmniVision Technologies, Inc.) -- C:\WINDOWS\ov519dib.dll
[2010/03/25 12:12:21 | 000,040,960 | ---- | C] (OmniVision Technologies Inc.) -- C:\WINDOWS\System32\ov519ext.dll
[2010/03/25 12:12:21 | 000,025,211 | ---- | C] (OmniVision Technologies Inc.) -- C:\WINDOWS\System32\drivers\ov519cmd.sys
[2010/03/25 12:12:21 | 000,025,099 | ---- | C] (OmniVision Technologies Inc.) -- C:\WINDOWS\System32\ov519ext.ax
[2010/03/25 12:12:21 | 000,016,426 | ---- | C] (OmniVision Technologies Inc.) -- C:\WINDOWS\System32\ov519usd.dll
[2010/03/25 12:12:21 | 000,000,000 | ---D | C] -- C:\Program Files\VGA USB Camera
[2010/03/25 12:11:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Skype
[2010/03/25 11:58:21 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2010/03/25 11:58:20 | 000,000,000 | R--D | C] -- C:\Program Files\Skype
[2010/03/25 11:58:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Skype
[2010/03/24 18:45:14 | 000,000,000 | ---D | C] -- C:\disk_on_key_backup
[2010/03/24 11:49:13 | 000,000,000 | ---D | C] -- C:\Program Files\Xming
[2010/03/24 11:28:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\SSH
[2010/03/20 19:57:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\gtk-2.0
[2010/03/19 00:14:51 | 000,000,000 | ---D | C] -- C:\Program Files\avisplit
[2010/03/12 18:54:58 | 000,000,000 | ---D | C] -- C:\canon_downloads
[2010/02/22 14:25:37 | 000,000,000 | ---D | C] -- C:\Program Files\MSECache

========== Files - Modified Within 90 Days ==========

[2010/05/09 23:43:05 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/09 23:43:00 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/09 23:42:54 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/05/09 23:42:46 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/09 23:41:45 | 007,147,520 | ---- | M] () -- C:\Documents and Settings\Administrator\ntuser.dat
[2010/05/09 23:41:45 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/05/09 23:33:02 | 003,684,526 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2010/05/09 23:24:20 | 000,000,438 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{33678BF7-0ACC-41A0-BD5B-03F8DD4BA146}.job
[2010/05/09 23:22:16 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/07 09:44:06 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/05/06 23:59:36 | 000,165,032 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/05/06 23:39:23 | 000,046,672 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/05/06 23:39:00 | 000,164,048 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/05/06 23:34:27 | 000,023,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/05/06 23:33:59 | 000,100,432 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/05/06 23:33:55 | 000,094,800 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/05/06 23:33:47 | 000,019,024 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/05/06 23:33:29 | 000,028,880 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/05/06 00:37:59 | 000,028,014 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\win_logon.reg
[2010/05/05 21:12:32 | 000,001,703 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/05/05 12:06:36 | 000,508,956 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/05/05 12:06:36 | 000,432,492 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/05/05 12:06:36 | 000,067,448 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/05/05 12:03:43 | 000,001,766 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Nokia PC Suite.lnk
[2010/05/04 12:18:01 | 000,002,112 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\BwgBurn.lnk
[2010/05/01 15:53:16 | 000,000,663 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\vlc.exe.lnk
[2010/04/30 02:46:15 | 000,000,063 | ---- | M] () -- C:\WINDOWS\vbaddin.ini
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/26 20:37:33 | 000,075,808 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/04/26 20:36:50 | 000,303,624 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010/04/23 19:38:28 | 000,000,528 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/04/23 19:38:28 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010/04/22 11:47:00 | 004,318,672 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2010/04/21 01:14:34 | 000,570,790 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\me.jpg
[2010/04/21 00:51:17 | 000,161,296 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010/04/20 22:59:43 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/04/15 03:51:55 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/14 19:47:23 | 000,038,848 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/04/10 20:20:50 | 003,351,750 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\kefir_05_kak_na_ulitcu.mp3
[2010/03/26 16:46:11 | 000,000,000 | -H-- | M] () -- C:\Documents and Settings\Administrator\My Documents\Default.rdp
[2010/03/25 12:17:46 | 000,000,056 | -H-- | M] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/03/20 22:07:48 | 000,000,218 | ---- | M] () -- C:\Documents and Settings\Administrator\.recently-used.xbel
[2010/03/04 01:01:44 | 000,000,519 | ---- | M] () -- C:\WINDOWS\WINCMD.INI

========== Files Created - No Company Name ==========

[2010/05/09 23:37:08 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/05/09 23:37:08 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/05/09 23:37:08 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/05/09 23:37:08 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/05/09 23:37:08 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/05/09 23:36:26 | 003,684,526 | R--- | C] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2010/05/06 00:37:59 | 000,028,014 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\win_logon.reg
[2010/05/05 21:12:32 | 000,001,703 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/05/05 12:03:43 | 000,001,766 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Nokia PC Suite.lnk
[2010/05/04 12:18:01 | 000,002,112 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\BwgBurn.lnk
[2010/05/01 15:53:16 | 000,000,663 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\vlc.exe.lnk
[2010/04/21 10:35:00 | 000,000,438 | -H-- | C] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{33678BF7-0ACC-41A0-BD5B-03F8DD4BA146}.job
[2010/04/21 01:14:34 | 000,570,790 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\me.jpg
[2010/04/20 21:54:07 | 003,351,750 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\kefir_05_kak_na_ulitcu.mp3
[2010/04/16 11:59:55 | 007,147,520 | ---- | C] () -- C:\Documents and Settings\Administrator\ntuser.dat
[2010/03/26 16:46:11 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\Administrator\My Documents\Default.rdp
[2010/03/25 12:17:46 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/03/25 12:12:21 | 000,200,704 | ---- | C] () -- C:\WINDOWS\sel3110.exe
[2010/03/25 12:12:21 | 000,040,960 | ---- | C] () -- C:\WINDOWS\CleanDev.exe
[2010/03/25 12:12:21 | 000,032,528 | ---- | C] () -- C:\WINDOWS\amcap.exe
[2010/03/25 11:58:21 | 000,002,265 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/03/20 22:07:48 | 000,000,218 | ---- | C] () -- C:\Documents and Settings\Administrator\.recently-used.xbel
[2010/02/06 19:17:10 | 000,000,110 | ---- | C] () -- C:\WINDOWS\GMouse.ini
[2009/10/20 21:19:30 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2009/03/23 01:47:21 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/03/21 01:12:39 | 000,000,519 | ---- | C] () -- C:\WINDOWS\WINCMD.INI
[2009/03/21 00:21:56 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v5002.dll
[2009/03/21 00:18:48 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\AsIO.dll
[2009/03/21 00:18:48 | 000,012,400 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsIO.sys
[2009/03/21 00:18:45 | 000,011,832 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsInsHelp64.sys
[2009/03/21 00:18:45 | 000,010,216 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsInsHelp32.sys
[2009/03/21 00:15:45 | 000,001,746 | ---- | C] () -- C:\WINDOWS\Language_trs.ini
[2009/03/20 23:31:56 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2009/03/20 23:31:50 | 000,034,642 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2009/03/20 23:31:50 | 000,010,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2008/11/02 16:12:02 | 000,062,464 | ---- | C] () -- C:\WINDOWS\System32\drivers\BazisVirtualCD.sys
[2008/11/02 16:11:38 | 000,056,320 | ---- | C] () -- C:\WINDOWS\System32\drivers\VirtDiskBus.sys
[2007/10/23 11:00:00 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\drivers\cvintdrv.sys
[2004/08/10 21:39:04 | 000,218,264 | ---- | C] () -- C:\WINDOWS\System32\SetAid.dll
[2004/03/30 23:47:44 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\nl_msgs.dll
[2004/03/30 23:47:41 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\nl_msgc.dll

========== LOP Check ==========

[2009/12/22 18:13:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\AVG9
[2009/05/03 21:41:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\BwgSoftware
[2009/06/04 13:03:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Citrix
[2009/03/24 04:07:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2009/03/24 02:45:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Design Science
[2010/05/05 14:06:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\foobar2000
[2010/03/20 20:00:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\gtk-2.0
[2009/05/29 16:31:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\hte
[2009/06/08 19:16:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\ICAClient
[2009/04/10 15:10:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\LockTime
[2009/07/14 18:25:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mp3tag
[2009/05/25 20:54:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\MuPAD
[2009/04/15 19:24:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\National Instruments
[2009/06/04 13:03:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Netscape
[2010/05/05 11:39:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Nokia
[2009/12/30 01:33:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Nokia Ovi Suite
[2010/01/24 15:50:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Notepad++
[2009/08/16 09:28:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\PC Suite
[2010/03/24 18:57:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\SSH
[2010/04/14 02:42:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\uTorrent
[2010/02/03 01:26:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Wireshark
[2010/05/05 21:12:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/05/05 20:59:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2010/05/05 12:02:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Installations
[2009/04/15 18:45:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\National Instruments
[2010/05/05 12:05:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Suite
[2009/12/26 20:18:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PreEmptive Solutions
[2010/05/09 23:24:20 | 000,000,438 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{33678BF7-0ACC-41A0-BD5B-03F8DD4BA146}.job

========== Purity Check ==========



========== Custom Scans ==========



< MD5 for: SFCFILES.DLL >
[2008/09/18 17:50:00 | 001,614,848 | ---- | M] (Microsoft Corporation) MD5=77965B76FAD83E7A5E9A90DEEC80363D -- C:\WINDOWS\system32\sfcfiles.dll
< End of report >
%%%%%%%%%%%%%%%%%%%% OTL WITH MD5 sfcfiles.dll END %%%%%%%%%%%%%%%%%%%%



%%%%%%%%%%%%%%%%%%%% COMBOFIX after fix START %%%%%%%%%%%%%%%%%%%%
ComboFix 10-05-08.03 - Administrator 10/05/2010 1:52.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.3293.2826 [GMT 3:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-04-09 to 2010-05-09 )))))))))))))))))))))))))))))))
.

2010-05-05 18:12 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-05 18:12 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-05 18:12 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-05 18:12 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-05-05 18:12 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-05-05 18:12 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-05 18:12 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-05-05 18:12 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-05 18:12 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-05-05 18:12 . 2010-05-05 18:12 -------- d-----w- c:\program files\Alwil Software
2010-05-05 18:12 . 2010-05-05 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-05-05 17:49 . 2010-05-05 17:49 -------- d-----w- c:\program files\ERUNT
2010-05-04 09:18 . 2010-05-04 09:18 1078 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{8AD1C907-5AA3-471C-9825-90099149D453}\_982A875D479B881E8BC3F8.exe
2010-05-04 09:18 . 2010-05-04 09:18 1078 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{8AD1C907-5AA3-471C-9825-90099149D453}\_6FEFF9B68218417F98F549.exe
2010-05-04 09:18 . 2010-05-04 09:18 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{8AD1C907-5AA3-471C-9825-90099149D453}\_CD7A566416CB0F4732A213.exe
2010-05-04 09:18 . 2010-05-04 09:18 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{8AD1C907-5AA3-471C-9825-90099149D453}\_C5D305451462776D515228.exe
2010-05-04 09:18 . 2010-05-04 09:18 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{8AD1C907-5AA3-471C-9825-90099149D453}\_BAB439F85894BB68336E8C.exe
2010-05-04 09:18 . 2010-05-04 09:18 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{8AD1C907-5AA3-471C-9825-90099149D453}\_B112C372C9594A1416049A.exe
2010-05-04 09:18 . 2010-05-04 09:18 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{8AD1C907-5AA3-471C-9825-90099149D453}\_A43C6D9A4D2EEE69CDA890.exe
2010-05-04 09:18 . 2010-05-04 09:18 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{8AD1C907-5AA3-471C-9825-90099149D453}\_8E8C856F74FE3D1033F368.exe
2010-05-04 09:18 . 2010-05-04 09:18 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{8AD1C907-5AA3-471C-9825-90099149D453}\_1FA4B42724D78AE0E46F5F.exe
2010-05-04 09:18 . 2010-05-04 09:18 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{8AD1C907-5AA3-471C-9825-90099149D453}\_063B20791A79389576EC68.exe
2010-05-04 09:18 . 2010-05-04 09:18 -------- d-----w- c:\program files\BwgSoftware
2010-05-01 12:53 . 2010-05-05 20:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-05-01 12:52 . 2010-05-01 12:53 -------- d-----w- c:\program files\vlc-1.0.5
2010-04-25 20:25 . 2010-04-25 20:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-25 20:25 . 2010-04-29 12:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-25 20:25 . 2010-05-05 18:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-25 20:25 . 2010-04-29 12:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-25 20:25 . 2010-04-25 20:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-24 15:58 . 2009-08-06 16:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-04-23 22:40 . 2010-04-30 00:03 -------- d-----w- C:\AVGTemp
2010-04-21 07:42 . 2010-04-21 07:42 14846 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{329A3C81-7884-4A64-B8F6-078795C31506}\EPA_Icon.914326BE_BDF9_4068_A4AF_AF1B75093799.exe
2010-04-21 07:22 . 2010-04-21 07:22 -------- d--h--w- c:\windows\PIF
2010-04-20 21:51 . 2010-04-20 21:51 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-04-20 20:43 . 2010-04-20 20:43 242696 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-04-20 20:43 . 2010-04-20 20:43 1689952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-04-20 20:16 . 2010-05-05 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-20 19:47 . 2010-04-20 19:47 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-19 17:48 . 2010-04-19 17:48 -------- d-----w- c:\documents and settings\LocalService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-05 17:59 . 2009-11-27 01:08 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-05-05 11:06 . 2009-03-22 10:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\foobar2000
2010-05-05 09:05 . 2010-05-05 09:03 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Suite
2010-05-05 09:03 . 2010-05-05 09:03 -------- d-----w- c:\program files\Common Files\PCSuite
2010-05-05 09:03 . 2010-05-05 09:03 -------- d-----w- c:\program files\Common Files\Nokia
2010-05-05 09:03 . 2010-05-05 09:03 -------- d-----w- c:\program files\Nokia
2010-05-05 09:03 . 2010-05-05 09:03 -------- d-----w- c:\program files\PC Connectivity Solution
2010-05-05 09:03 . 2010-05-05 09:03 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\pcswpcsi.exe
2010-05-05 09:03 . 2010-05-05 09:03 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstCCD.exe
2010-05-05 09:03 . 2010-05-05 09:03 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2010-05-05 09:03 . 2010-05-05 09:03 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstPCS.exe
2010-05-05 09:02 . 2009-07-04 13:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2010-05-05 09:02 . 2010-05-05 09:03 34523600 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Nokia_PC_Suite_heb_web.exe
2010-05-05 08:39 . 2009-07-04 14:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Nokia
2010-05-01 12:46 . 2009-04-08 00:14 -------- d-----w- c:\program files\vlc-0.9.9
2010-04-26 17:37 . 2009-03-23 20:14 75808 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-25 22:24 . 2009-12-26 17:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-25 22:24 . 2009-12-26 17:21 934240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\9.0\1033\ResourceCache.dll
2010-04-25 22:20 . 2009-12-26 17:21 18368 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSA\9.0\1033\ResourceCache.dll
2010-04-25 22:20 . 2009-04-15 15:44 -------- d-----w- c:\program files\Common Files\Merge Modules
2010-04-20 20:06 . 2010-03-25 09:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2010-04-13 23:42 . 2009-04-07 21:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2010-04-08 09:13 . 2010-04-08 09:13 598296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
2010-04-08 09:13 . 2010-04-08 09:13 556824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2010-04-08 09:13 . 2010-04-08 09:13 459544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcclix.dll
2010-04-08 09:13 . 2010-04-08 09:13 4250976 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-04-08 09:13 . 2010-04-08 09:13 4076824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-04-08 09:13 . 2010-04-08 09:13 313112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglogx.dll
2010-04-08 09:13 . 2010-04-08 09:13 301336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
2010-04-08 09:13 . 2010-04-08 09:13 2059544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2010-04-08 09:13 . 2010-04-08 09:13 1598744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-04-08 09:13 . 2010-04-08 09:13 1515224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgwd.dll
2010-04-08 09:13 . 2010-04-08 09:13 1274136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-04-08 09:13 . 2010-04-08 09:13 1086744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchsvx.exe
2010-04-08 09:12 . 2010-04-08 09:12 1035032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-04-07 23:49 . 2010-03-25 09:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2010-03-25 09:17 . 2010-03-25 09:17 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-03-25 09:12 . 2010-03-25 09:12 -------- d-----w- c:\program files\VGA USB Camera
2010-03-25 09:12 . 2010-03-25 09:12 -------- d-----w- c:\program files\directx
2010-03-25 09:12 . 2009-03-20 20:32 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-25 08:58 . 2010-03-25 08:58 -------- d-----r- c:\program files\Skype
2010-03-25 08:58 . 2010-03-25 08:58 -------- d-----w- c:\program files\Common Files\Skype
2010-03-25 08:58 . 2010-03-25 08:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-03-24 15:57 . 2010-03-24 08:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\SSH
2010-03-24 08:49 . 2010-03-24 08:49 -------- d-----w- c:\program files\Xming
2010-03-21 16:28 . 2009-04-07 21:40 -------- d-----w- c:\program files\uTorrent
2010-03-20 17:00 . 2010-03-20 16:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\gtk-2.0
2010-03-18 21:14 . 2010-03-18 21:14 -------- d-----w- c:\program files\avisplit
2010-03-10 06:15 . 2008-07-12 15:09 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2008-04-22 20:16 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2008-04-14 04:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-16 14:08 . 2008-04-14 04:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2008-04-14 04:01 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:27 . 2008-04-14 04:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 11:36 . 2008-07-12 15:09 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2007-02-08 08:48 . 2007-02-08 08:48 133920 ----a-w- c:\program files\internet explorer\plugins\LV82ActiveXControl.dll
2007-07-24 16:03 . 2007-07-24 16:03 118784 ----a-w- c:\program files\internet explorer\plugins\LV85ActiveXControl.dll
2009-11-27 00:33 . 2009-03-28 20:54 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

------- Sigcheck -------

[-] 2008-09-18 . 77965B76FAD83E7A5E9A90DEEC80363D . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-05-09_20.42.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-09 22:47 . 2010-05-09 22:47 16384 c:\windows\Temp\Perflib_Perfdata_694.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-20 16876032]
"Six Engine"="c:\program files\ASUS\EPU-4 Engine\FourEngine.exe" [2008-07-23 5625344]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-20 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-20 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-03-20 150040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-11-27 30192]
"NetLimiter"="c:\program files\NetLimiter\NetLimiter.exe" [2004-03-31 823296]
"NI Background Service"="c:\program files\National Instruments\Shared\Update Service\BackgroundService.exe" [2008-04-03 77824]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2004-12-27 57344]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-08-13 2532576]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
GammaTray.lnk - c:\program files\MagicTune Premium\GammaTray.exe [2010-1-17 36864]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-05-14 19:37 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\OLD_C_80gb\\Documents\\old_win\\eMule\\emule.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\MagicTune Premium\\MagicTune.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [05/05/2010 21:12 164048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [05/05/2010 21:12 19024]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [20/10/2009 21:19 50704]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [21/03/2009 00:22 110080]
R3 VirtDiskBus;Virtual disk Enumerator;c:\windows\system32\drivers\VirtDiskBus.sys [02/11/2008 16:11 56320]
S3 BazisVirtualCD;Virtual CD driver;c:\windows\system32\drivers\BazisVirtualCD.sys [02/11/2008 16:12 62464]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [28/03/2009 23:54 30192]
.
Contents of the 'Scheduled Tasks' folder

2010-05-09 c:\windows\Tasks\User_Feed_Synchronization-{33678BF7-0ACC-41A0-BD5B-03F8DD4BA146}.job
- c:\windows\system32\msfeedssync.exe [2008-07-12 01:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
LSP: c:\program files\NetLimiter\nl_lsp.dll
Trusted Zone: orange.co.il\access
DPF: {EC0403E0-9158-4CF8-A2B6-3C62C3B9B6B7} - hxxps://access.orange.co.il/CitrixLogonPoint/SampleLogonPoint/EPAClient/EPAClient.exe
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1kgzer79.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\plugins\npCtxCAO.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPLV82Win32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nplv85win32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-10 01:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1060284298-1482476501-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,10,2f,6d,07,35,74,cb,48,ab,22,8e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a3,61,39,56,6a,37,f6,4b,85,fd,6e,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,10,2f,6d,07,35,74,cb,48,ab,22,8e,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,10,2f,6d,07,35,74,cb,48,ab,22,8e,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,10,2f,6d,07,35,74,cb,48,ab,22,8e,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(616)
c:\program files\NetLimiter\nl_lsp.dll
c:\windows\system32\nl_msgc.dll

- - - - - - - > 'explorer.exe'(376)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
Completion time: 2010-05-10 01:55:08
ComboFix-quarantined-files.txt 2010-05-09 22:55
ComboFix2.txt 2010-05-09 20:45

Pre-Run: 709,612,335,104 bytes free
Post-Run: 709,571,371,008 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 65D8B89B22D77F4824AA52339B9ADADC
%%%%%%%%%%%%%%%%%%%% COMBOFIX after fix END %%%%%%%%%%%%%%%%%%%%

#6 RKinner (Malware Expert, 24,625 posts, MVP)
Looking much better. Unfortunately there doesn't seem to be another copy of sfcfiles.dll on your PC. Do you have a friend with an XP SP3 computer you could copy from?

Ron

#7 igshum (Topic Starter, New Member, 8 posts)
I think I can find an XP SP3 resembling mine.
How can I check that the sfcfiles.dll from the friend's computer is safe? (Correct MD5 hash?)
How do I overwrite the current file? (Safe mode?)

#8 RKinner (Malware Expert, 24,625 posts, MVP)
The version number should be the same as yours, 5.1.2600.5512. You can submit it to http://virustotal.com to be sure it's clean. They will give you the MD5, which should start off with 9DD07AF.

You can probably just copy it over the old one. I don't think it is in use. I think it gets run when you do an SFC /scannow.

Ron
  • 0

#9
igshum

    New Member

  • Topic Starter
  • Member
  • 8 posts
I got a safe sfcfiles.dll with an MD5 of 9dd07af82244867ca36681ea2d29ce79, as you wrote. Everything seems tip-top now.

RKinner, I would like to sincerely thank you for guiding me through this virus.
Your help is fast, accurate and professional.
Commercial support staff do not come close to this site's effective seriousness.

:) THANK YOU :)
  • 0

#10
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Glad I could help.

I would open a command window and

sigverif

(then press Start and wait until it finishes. This will check for unsigned drivers. The log is a bit big but they will show you a screen with unsigned files. Check the dates on them to see if you have any newish ones. Close sigverif and return to the command window.)

sfc /scannow

(this one checks mostly system32 files for correctness. Now that we have the correct sfcfiles program it should work OK. If it asks you for a CD just hit Skip. Most of the time it can pull a replacement from the dllcache.)

We need to clean up System Restore. Follow Jim's procedure here:
http://forum.aumha.o...581099691bf108f

I usually recommend a free BitDefender online scan as a final check to see if we missed anything. http://www.bitdefend...nline/free.html


You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\george.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

To hide hidden files again:

# Close all programs so that you are at your desktop.
# Double-click on the My Computer icon.
# Select the Tools menu and click Folder Options.
# After the new window appears select the View tab.
# Uncheck the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and shutdown My Computer.

You do not have the latest Java. Get the latest (6 Update 20) at:

http://www.java.com/...nload/index.jsp


Once you install it, go into Control Panel, Add/Remove Software and remove any old versions (which may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE).
I see:
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 13

Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat. Adobe is fond of foisting GetPlus on you. You can let them install it and then afterwards, go into Control Panel, Add/Remove Software and remove it. It probably doesn't hurt to leave it but I don't see the need for it and it has caused problems in the past.

Whether you use Adobe Reader, Acrobat or Foxit to read PDF files you need to disable JavaScript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, click on JavaScript in the left column and uncheck Enable Acrobat JavaScript. OK. Close the program. It's the same for Foxit Reader except you uncheck Enable JavaScript Actions.

I recommend you install the free WinPatrol 2010 from http://www.winpatrol.com/download.html

It's a small program that will sit in your systray and warn you if something tries to make changes to your system.

If you use USB drives you might want to install Autorun Eater v2.4.
http://oldmcdonald.w...orun-eater-v24/
Another small program which will stay resident and prevent an infected USB drive from infecting your PC.

If you use Firefox then get the AdBlock Plus Add-on.

If your current antivirus is not a paid-up subscription you should dump it and install the free Avast:
http://www.avast.com...avast-home.html

Ron
  • 0

#11
igshum

    New Member

  • Topic Starter
  • Member
  • 8 posts
The first sigverif run showed:
uxtheme.dll NOT SIGNED
virtdiskbus.sys NOT SIGNED

After sfc /scannow I saw in the system log that "uxtheme.dll has a bad signature This file was restored to the original version 6.0.2900.5512"

On the second run of sigverif only one file was not signed, so uxtheme.dll was "fixed" too:
File Modified Version Status Catalog Signed By
virtdiskbus.sys 02/11/2008 None Not Signed N/A

The rest went well.

Thank you.
  • 0

#12
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Seems you are probably the first one on GeeksToGo with this infection. I hadn't seen the route trick before so I posted in our internal forum and apparently this trick was first reported by Symantec less than a month ago.

http://www.symantec....routing-entries

Yours is probably a different critter but it wouldn't hurt to check for the files and registry entries they mention in the writeup:

http://www.symantec..../...-99&tabid=2

Since sfc is happy I think we got it all. The virtdiskbus.sys file comes from someone besides Microsoft so it's not surprising that it is unsigned. You can submit it to http://virustotal.com and make sure but I expect it's OK.

Ron
  • 0

#13
igshum

    New Member

  • Topic Starter
  • Member
  • 8 posts
I went over the Symantec report. The behavior does resemble it greatly:

1) The file AVG kept finding and deleting at first was [random_number].exe and x25[dont_remember].exe.
2) The UserInit registry entry had HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"userinit" = "%Windir%\system32\userinit.exe,%SystemDrive%\system32\x25[dont_remember].exe"
3) The malicious connections were from services.exe, so it was infected. Other exe's listed there didn't show that behavior though.
4) I too had a GloballyOpenPort (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\) though with a different port number.
5) I had two "option_#" entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\"option_4" = "[DWORD VALUE]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\"option_8" = "[DWORD VALUE]"

and while checking these entries I found Win32/Simda traces:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\"m1131"

6) And of course the static routes. The Symantec route list is bigger than the one I had.

I've followed Symantec's registry removal procedure.

virtdiskbus.sys is VirusTotal-safe.
  • 0
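The indicators this post walks through, as an added example that is not code from the thread or from the Symantec writeup: a Python audit of a `route print` listing for the host routes Ron calls the "route trick", plus a check for extra programs appended to the Winlogon Userinit value. The route table below and the Userinit strings it is exercised with are constructed samples (the /32 destinations are documentation addresses standing in for the blocked security sites), and treating only system32\userinit.exe as legitimate is this example's own assumption.

```python
import ipaddress
import re

# Constructed `route print` sample from an XP box. The /32 rows for
# 203.0.113.5 and 198.51.100.20 (documentation addresses standing in for
# security-vendor sites) hand traffic to the host's own address, not the
# default gateway, so no SYN ever leaves the machine: the "route trick".
ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.10       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1        1
      192.168.1.0    255.255.255.0     192.168.1.10    192.168.1.10       20
     192.168.1.10  255.255.255.255        127.0.0.1       127.0.0.1       20
      203.0.113.5  255.255.255.255     192.168.1.10    192.168.1.10        1
    198.51.100.20  255.255.255.255     192.168.1.10    192.168.1.10        1
        224.0.0.0        240.0.0.0     192.168.1.10    192.168.1.10       20
  255.255.255.255  255.255.255.255     192.168.1.10    192.168.1.10        1
Default Gateway:       192.168.1.1
"""

# One route row: destination, netmask, gateway, interface, metric.
ROUTE_LINE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_routes(route_output):
    """Five-column route rows only; headers and 'Default Gateway:' don't match."""
    return [m.groups() for line in route_output.splitlines()
            if (m := ROUTE_LINE.match(line))]


def suspicious_host_routes(route_output):
    """(destination, gateway) for each /32 route whose destination is not a local
    interface, broadcast, loopback or multicast address: XP adds no others itself."""
    rows = parse_routes(route_output)
    local = {iface for _d, _m, _g, iface, _met in rows}
    hits = []
    for dest, mask, gateway, _iface, _metric in rows:
        if mask != "255.255.255.255" or dest in local:
            continue
        addr = ipaddress.ip_address(dest)
        if addr.is_loopback or addr.is_multicast or dest == "255.255.255.255":
            continue
        hits.append((dest, gateway))
    return hits


def extra_userinit_entries(userinit_value):
    """Entries on the Winlogon Userinit value other than system32\\userinit.exe;
    each of them is launched at every logon (assumed legitimate path)."""
    entries = [e.strip() for e in userinit_value.split(",") if e.strip()]
    return [e for e in entries
            if not e.lower().endswith("\\system32\\userinit.exe")]
```

On a live XP system, feed `suspicious_host_routes` the text of `route print` and `extra_userinit_entries` the Userinit string shown by `reg query`; every hit is something to explain before treating the box as clean.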

#14
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Symantec has this thing about turning off System Restore. Don't know why they do that. It's like a tightrope walker discarding the net because there might be a thorn in it somewhere.

Sounds like it was worth the effort to check the registry entries though. I assume everything is still OK?

Ron
  • 0

#15
igshum

    New Member

  • Topic Starter
  • Member
  • 8 posts
I don't get disabling System Restore, either. But I'm no expert on reincarnating malware from restore points.
It was worth checking the registry, because there were traces left, and none of the tools detected (or removed) them.

So far it's all been working well. I've re-checked all the locations the malware had infected; it all seems OK.

I think it's a closed case.

Thank you again for all the help, guidance and advice.
  • 0
