Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Sluggish Firefox + recently removed rootkit using avast

Started by arifzub , Apr 24 2012 03:55 PM

Please log in to reply

#1
arifzub

Posted 24 April 2012 - 03:55 PM

New Member

Member
6 posts

Hi,

I am experiencing sluggishness with Firefox, which I use as primary browser. Loading pages, switching between tabs causes freezes.

Besides this I removed a rootkit using avast last week. Without reboot and scanning it didn't fix completely and reported the problem again. So on second time, I allowed it to reboot and do a full scan. It hasn't reported the rootkit after that. Avast logs show Win32:MBRoot-J[Trj] and Win32:Sinowal-IK[Trj] as deleted.

But the browser problem is still there so I guess it's some kind of malware (?). Please see OTL quick scan log below.

Thank you for checking!

Best regards,
Arif

----------
OTL logfile created on: 24/04/2012 23:38:26 - Run 3
OTL by OldTimer - Version 3.2.41.0 Folder = C:\Documents and Settings\auser\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1.25 Gb Total Physical Memory | 0.59 Gb Available Physical Memory | 47.58% Memory free
1.47 Gb Paging File | 0.99 Gb Available in Paging File | 67.48% Paging File free
Paging file location(s): C:\pagefile.sys 372 744 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 14.90 Gb Total Space | 0.46 Gb Free Space | 3.10% Space Free | Partition Type: NTFS
Unable to calculate disk information.
Drive F: | 5.21 Gb Total Space | 3.30 Gb Free Space | 63.35% Space Free | Partition Type: FAT32
Drive G: | 5.13 Gb Total Space | 1.32 Gb Free Space | 25.75% Space Free | Partition Type: NTFS
Drive H: | 12.01 Gb Total Space | 3.54 Gb Free Space | 29.46% Space Free | Partition Type: FAT32

Computer Name: CHEETAH | User Name: auser | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/04/24 23:37:43 | 000,594,944 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\auser\Desktop\OTL.exe
PRC - [2012/03/07 02:15:17 | 004,241,512 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2012/03/07 02:15:14 | 000,044,768 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2011/11/11 15:08:06 | 000,205,336 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe
PRC - [2011/07/13 22:25:51 | 000,947,056 | ---- | M] (Opera Software) -- C:\Program Files\Opera\opera.exe
PRC - [2011/06/22 22:31:34 | 001,353,232 | ---- | M] (Logitech, Inc.) -- C:\Documents and Settings\auser\Local Settings\Application Data\Logitech® Webcam Software\Logishrd\LU2.0\LogitechUpdate.exe
PRC - [2008/04/14 03:12:32 | 000,062,976 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rdpclip.exe
PRC - [2008/04/14 03:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/09/06 21:25:02 | 001,003,520 | ---- | M] (www.IslamicFinder.org) -- C:\Program Files\Athan\Athan.exe
PRC - [2002/09/20 17:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

========== Modules (No Company Name) ==========

MOD - [2012/04/24 23:02:56 | 008,797,344 | ---- | M] () -- C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_2_202_233.dll
MOD - [2012/04/24 10:42:43 | 001,773,056 | ---- | M] () -- C:\Program Files\Alwil Software\Avast5\defs\12042400\algo.dll
MOD - [2011/11/03 18:28:36 | 001,292,288 | ---- | M] () -- C:\WINDOWS\system32\quartz.dll
MOD - [2011/08/12 13:18:56 | 000,342,552 | ---- | M] () -- C:\Program Files\Logitech\LWS\Webcam Software\QTXml4.dll
MOD - [2011/08/12 13:18:56 | 000,128,536 | ---- | M] () -- C:\Program Files\Logitech\LWS\Webcam Software\ImageFormats\QJpeg4.dll
MOD - [2011/08/12 13:18:56 | 000,029,208 | ---- | M] () -- C:\Program Files\Logitech\LWS\Webcam Software\ImageFormats\QGif4.dll
MOD - [2011/08/12 13:18:54 | 007,956,504 | ---- | M] () -- C:\Program Files\Logitech\LWS\Webcam Software\QTGui4.dll
MOD - [2011/08/12 13:18:54 | 002,145,304 | ---- | M] () -- C:\Program Files\Logitech\LWS\Webcam Software\QTCore4.dll
MOD - [2009/11/04 03:14:04 | 000,054,272 | ---- | M] () -- C:\Program Files\Notepad++\NppShell_01.dll
MOD - [2009/01/20 15:20:00 | 000,102,400 | ---- | M] () -- C:\Program Files\IDM Computer Solutions\UltraEdit\ue32ctmn.dll
MOD - [2008/04/14 03:11:59 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2008/04/14 03:11:52 | 000,498,742 | ---- | M] () -- C:\WINDOWS\system32\dxmasf.dll
MOD - [2008/04/14 03:11:51 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll
MOD - [2008/04/14 03:10:08 | 000,844,314 | ---- | M] () -- C:\WINDOWS\system32\msdxm.ocx
MOD - [2007/09/17 02:07:00 | 000,466,944 | ---- | M] () -- C:\WINDOWS\system32\nvshell.dll
MOD - [2007/09/11 12:24:28 | 002,842,624 | ---- | M] () -- C:\WINDOWS\system32\btwicons.dll
MOD - [2006/10/28 19:11:16 | 000,516,096 | ---- | M] () -- C:\WINDOWS\system32\ac3filter.ax
MOD - [2004/12/25 17:37:22 | 000,258,121 | ---- | M] () -- C:\Program Files\Athan\vbh.dll
MOD - [2004/11/25 13:03:52 | 000,282,689 | ---- | M] () -- C:\Program Files\Athan\vbp.dll
MOD - [2004/03/20 18:49:40 | 000,229,444 | ---- | M] () -- C:\Program Files\Athan\vbq.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Unknown] -- C:\Program Files\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\TEMP\geut\setup.exe run -- (AMService)
SRV - [2012/04/24 23:02:56 | 000,253,088 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/03/07 02:15:14 | 000,044,768 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2012/02/15 14:30:18 | 000,158,856 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2012/01/25 08:47:04 | 008,176,640 | ---- | M] () [On_Demand | Stopped] -- f:\wamp\bin\mysql\mysql5.5.20\bin\mysqld.exe -- (wampmysqld)
SRV - [2012/01/18 09:44:52 | 000,450,848 | ---- | M] (Logitech Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe -- (UMVPFSrv)
SRV - [2011/09/26 07:50:40 | 000,018,432 | ---- | M] (Apache Software Foundation) [On_Demand | Stopped] -- f:\wamp\bin\apache\Apache2.2.21\bin\httpd.exe -- (wampapache)
SRV - [2010/11/11 14:31:54 | 000,334,448 | ---- | M] (VMware, Inc.) [On_Demand | Stopped] -- C:\WINDOWS\system32\vmnetdhcp.exe -- (VMnetDHCP)
SRV - [2010/11/11 14:31:50 | 000,404,080 | ---- | M] (VMware, Inc.) [On_Demand | Stopped] -- C:\WINDOWS\system32\vmnat.exe -- (VMware NAT Service)
SRV - [2010/11/11 14:30:44 | 000,113,264 | ---- | M] (VMware, Inc.) [On_Demand | Stopped] -- C:\Program Files\VMware\VMware Player\vmware-authd.exe -- (VMAuthdService)
SRV - [2010/11/11 13:31:44 | 000,539,248 | ---- | M] (VMware, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe -- (VMUSBArbService)
SRV - [2010/08/19 14:57:14 | 000,191,024 | ---- | M] (VMware, Inc.) [On_Demand | Stopped] -- C:\Program Files\VMware\VMware Player\vmware-ufad.exe -- (ufad-ws60)
SRV - [2010/06/25 20:07:20 | 000,117,264 | ---- | M] (CACE Technologies, Inc.) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2010/03/18 12:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2010/01/26 12:41:08 | 000,652,800 | ---- | M] (Nokia) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2009/09/23 17:37:30 | 000,051,168 | ---- | M] (NOS Microsystems Ltd.) [Disabled | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2008/10/15 17:13:58 | 000,439,632 | ---- | M] (RealVNC Ltd.) [On_Demand | Stopped] -- C:\Program Files\RealVNC\VNC4\winvnc4.exe -- (WinVNC4)
SRV - [2002/09/20 17:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\usbVM31b.sys -- (ZSMC301b)
DRV - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\xpsec.sys -- (xpsec)
DRV - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\xcpip.sys -- (xcpip)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2012/03/07 02:03:51 | 000,612,184 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2012/03/07 02:03:38 | 000,337,880 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2012/03/07 02:02:00 | 000,035,672 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2012/03/07 02:01:53 | 000,053,848 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2012/03/07 02:01:39 | 000,095,704 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2012/03/07 02:01:30 | 000,020,696 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2012/03/07 01:58:29 | 000,024,920 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2012/01/18 09:44:52 | 004,332,960 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lvuvc.sys -- (LVUVC) Logitech HD Webcam C270(UVC)
DRV - [2012/01/18 09:44:28 | 000,312,096 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lvrs.sys -- (LVRS)
DRV - [2010/11/11 14:32:10 | 000,070,768 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmci.sys -- (vmci)
DRV - [2010/11/11 14:32:08 | 000,854,128 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmx86.sys -- (vmx86)
DRV - [2010/11/11 14:31:34 | 000,023,792 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmparport.sys -- (VMparport)
DRV - [2010/11/11 14:30:34 | 000,024,688 | ---- | M] (VMware, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VMkbd.sys -- (vmkbd)
DRV - [2010/11/11 14:29:30 | 000,032,752 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmnetbridge.sys -- (VMnetBridge)
DRV - [2010/11/11 14:29:26 | 000,026,352 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmnetuserif.sys -- (VMnetuserif)
DRV - [2010/11/11 13:31:28 | 000,032,368 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\hcmon.sys -- (hcmon)
DRV - [2010/11/11 11:04:52 | 000,016,560 | ---- | M] (VMware, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\vmnetadapter.sys -- (VMnetAdapter)
DRV - [2010/08/19 14:56:38 | 000,022,448 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Program Files\VMware\VMware Player\vstor2-ws60.sys -- (vstor2-ws60)
DRV - [2010/06/25 20:07:14 | 000,035,088 | ---- | M] (CACE Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2010/01/21 14:53:16 | 000,018,048 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdcmb.sys -- (nmwcd)
DRV - [2009/12/30 11:30:56 | 000,007,936 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys -- (UsbserFilt)
DRV - [2009/12/30 11:30:48 | 000,022,016 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdcmbo.sys -- (nmwcdc)
DRV - [2009/12/30 11:30:48 | 000,007,936 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbser_lowerflt.sys -- (upperdev)
DRV - [2009/08/05 23:48:42 | 000,054,752 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
DRV - [2009/07/13 17:51:12 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)
DRV - [2008/08/26 09:26:12 | 000,018,816 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2007/09/12 07:01:44 | 000,879,496 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2007/08/30 09:02:20 | 000,539,432 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2007/08/27 08:58:18 | 000,074,656 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2007/06/29 07:38:30 | 000,156,392 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2007/03/31 08:02:40 | 000,055,352 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwhid.sys -- (btwhid)
DRV - [2007/03/23 05:50:08 | 000,037,424 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2004/05/05 22:48:40 | 000,004,228 | ---- | M] (PowerQuest Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\PQNTDRV.sys -- (PQNTDrv)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.condui...&ctid=CT1605787
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found
IE - HKCU\..\SearchScopes,DefaultScope = {33FB10DC-E0F1-4187-BA0C-4C47BA62A98B}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...Box&Form=IE8SRC
IE - HKCU\..\SearchScopes\{24A360E8-4F58-4941-972C-6BEBF1B91EFA}: "URL" = http://www.bing.com/...ferrer:source?}
IE - HKCU\..\SearchScopes\{33FB10DC-E0F1-4187-BA0C-4C47BA62A98B}: "URL" = http://www.google.co...&rlz=1I7SKPB_en
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...q={searchTerms}
IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.condui...&ctid=CT1605787
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Bing"
FF - prefs.js..browser.search.defaultthis.engineName: "mobilewitch Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.condui...={searchTerms}"
FF - prefs.js..browser.search.selectedEngine: "Duck Duck Go"
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.dawn.com/"
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1
FF - prefs.js..extensions.enabledItems: 6
FF - prefs.js..extensions.enabledItems: 2
FF - prefs.js..extensions.enabledItems: 48
FF - prefs.js..extensions.enabledItems: [email protected]:0.3.3
FF - prefs.js..extensions.enabledItems: {ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a}:1.4.2b
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:4.0.12.11
FF - prefs.js..extensions.enabledItems: {bee6eb20-01e0-ebd1-da83-080329fb9a3a}:0.2
FF - prefs.js..extensions.enabledItems: {23fcfd51-4958-4f00-80a3-ae97e717ed8b}:2.1.0.900
FF - prefs.js..extensions.enabledItems: {6904342A-8307-11DF-A508-4AE2DFD72085}:2.1.0.900
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:14.0.2
FF - prefs.js..keyword.URL: "http://www.bing.com/...?FORM=IEFM1&q="
FF - prefs.js..network.proxy.type: 4

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_2_202_233.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX OVS Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: File not found
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.633: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.633: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.633: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.633: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.1: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKLM\Software\MozillaPlugins\[email protected]/YahooActiveXPluginBridge;version=1.0.0.1: C:\PROGRA~1\Yahoo!\Common\npyaxmpb.dll (Yahoo! Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{A27F3FEF-1113-4cfb-A032-8E12D7D8EE70}: C:\Program Files\Nokia\Nokia Ovi Suite\Connectors\Bookmarks Connector\FirefoxExtension\ [2010/04/11 15:08:48 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\html5video [2011/01/29 23:36:11 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{6904342A-8307-11DF-A508-4AE2DFD72085}: C:\Program Files\DivX\DivX Plus Web Player\firefox\wpa [2011/01/29 23:36:12 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/03/19 15:08:29 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\[email protected]: C:\Program Files\Alwil Software\Avast5\WebRep\FF [2012/03/26 21:31:07 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/03/18 02:08:51 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/04/13 12:00:15 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 10.0.2\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2012/01/17 22:55:58 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 10.0.2\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2012/04/13 12:00:15 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\{CCB7D94B-CA92-4E3F-B79D-ADE0F07ADC74}: C:\Program Files\Nokia\Nokia Ovi Suite\Connectors\Thunderbird Connector\ThunderbirdExtension\ [2010/04/11 15:09:01 | 000,000,000 | ---D | M]

[2011/02/20 20:47:16 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\auser\Application Data\Mozilla\Extensions
[2011/02/20 20:47:16 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\auser\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2012/04/16 22:22:45 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\extensions
[2010/06/27 19:46:23 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012/03/29 19:16:40 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2012/04/16 22:22:45 | 000,000,000 | ---D | M] (Flash and Video Download) -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a}
[2011/01/07 23:02:52 | 000,000,000 | ---D | M] (Web Developer) -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
[2010/10/21 21:50:23 | 000,000,000 | ---D | M] (Java Console) -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
[2010/10/21 21:50:22 | 000,000,000 | ---D | M] (Java Console) -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
[2009/11/07 13:27:05 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2010/10/10 19:42:40 | 000,000,000 | ---D | M] (AnyColor) -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\extensions\[email protected]
[2010/06/27 19:45:47 | 000,000,000 | ---D | M] (Fast Youtube Downloader) -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\extensions\[email protected]
[2011/12/20 23:28:56 | 000,000,000 | ---D | M] (Nokia Maps 3D browser plugin) -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\extensions\[email protected]
[2008/11/29 01:26:26 | 000,000,000 | ---D | M] (translator) -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\extensions\[email protected]
[2010/08/04 20:09:23 | 000,000,000 | ---D | M] (1-Click YouTube Video Downloader) -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\extensions\[email protected]
[2010/04/01 00:47:20 | 000,000,869 | ---- | M] () -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\searchplugins\altavista.xml
[2009/10/28 17:07:18 | 000,002,171 | ---- | M] () -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\searchplugins\bing.xml
[2011/05/29 14:37:50 | 000,000,925 | ---- | M] () -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\searchplugins\conduit.xml
[2010/07/19 21:30:10 | 000,001,973 | ---- | M] () -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\searchplugins\duck-duck-go.xml
[2011/05/26 00:01:48 | 000,001,982 | ---- | M] () -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\searchplugins\duckduckgo-ssl.xml
[2008/11/26 23:03:48 | 000,001,620 | ---- | M] () -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\searchplugins\mozilla-add-ons.xml
[2011/12/16 12:59:38 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/02/28 13:23:37 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
() (No name found) -- C:\DOCUMENTS AND SETTINGS\auser\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\XC00J5W5.DEFAULT\EXTENSIONS\[email protected]
[2012/03/18 02:08:50 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/02/13 19:01:21 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2012/02/13 19:01:21 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/02/13 19:01:21 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2012/02/13 19:01:21 | 000,001,180 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2012/02/13 19:01:21 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

Hosts file not found
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
O2 - BHO: (DivX HiQ) - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll File not found
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4 - HKLM..\Run: [Athan] C:\Program Files\Athan\Athan.exe (www.IslamicFinder.org)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - C:\Program Files\Fiddler2\Fiddler.exe (Eric Lawrence)
O9 - Extra 'Tools' menuitem : Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - C:\Program Files\Fiddler2\Fiddler.exe (Eric Lawrence)
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - C:\Program Files\VMware\VMware Player\vsocklib.dll (VMware, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - C:\Program Files\VMware\VMware Player\vsocklib.dll (VMware, Inc.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 89.106.32.20 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{617BC9E3-A113-45DE-80E4-4AD0918AB2EF}: DhcpNameServer = 89.106.32.20 192.168.0.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\WINDOWS\System32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\auser\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\auser\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/10/30 18:19:15 | 000,000,000 | -HS- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{1ee50cf2-978e-11dc-a2b1-000802acc6c1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{1ee50cf2-978e-11dc-a2b1-000802acc6c1}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
O33 - MountPoints2\{1ee50cf2-978e-11dc-a2b1-000802acc6c1}\Shell\Explore\command - "" = Flash.10.Setup.exe
O33 - MountPoints2\{1ee50cf2-978e-11dc-a2b1-000802acc6c1}\Shell\Open\command - "" = Flash.10.Setup.exe
O33 - MountPoints2\{1ee50cf2-978e-11dc-a2b1-000802acc6c1}\Shell\Scan for Viruses\command - "" = Scanner.exe
O33 - MountPoints2\{3a9fe0fe-83b4-11df-b2f9-000802acc6c1}\Shell - "" = Autorun
O33 - MountPoints2\{3a9fe0fe-83b4-11df-b2f9-000802acc6c1}\Shell\AutoRun\command - "" = E:\Install_Nokia_Ovi_Suite.exe
O33 - MountPoints2\{c68fd1d8-0a39-11dc-8467-000802acc6c1}\Shell\Auto\command - "" = I:\Ghost.pif
O33 - MountPoints2\{c68fd1d8-0a39-11dc-8467-000802acc6c1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{c68fd1d8-0a39-11dc-8467-000802acc6c1}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Ghost.pif
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/04/24 23:37:43 | 000,594,944 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\auser\Desktop\OTL.exe
[2012/04/24 23:07:27 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2012/04/13 11:59:08 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2012/04/13 11:58:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\VideoLAN
[2012/03/26 19:40:18 | 000,000,000 | ---D | C] -- C:\For Sync
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/04/24 23:37:43 | 000,594,944 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\auser\Desktop\OTL.exe
[2012/04/24 23:32:32 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2012/04/24 23:28:02 | 000,000,998 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/04/24 23:23:03 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/04/24 23:02:58 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/04/24 23:02:05 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/04/22 17:30:54 | 000,000,994 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/04/22 17:30:53 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1844237615-1060284298-682003330-1003.job
[2012/04/22 17:30:49 | 000,000,280 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-18.job
[2012/04/22 17:30:24 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/04/13 11:03:09 | 000,436,156 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/04/13 11:03:08 | 000,069,528 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/04/13 10:40:33 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/04/11 22:25:06 | 000,000,290 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1844237615-1060284298-682003330-1003.job
[2012/04/11 22:10:00 | 000,000,288 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-18.job
[2012/04/07 00:43:03 | 000,072,392 | ---- | M] () -- C:\Documents and Settings\auser\Desktop\421280_225532984200639_153961341357804_489581_983268483_n.jpg
[2012/03/30 19:35:17 | 000,294,119 | ---- | M] () -- C:\Documents and Settings\auser\My Documents\300320121035.jpg
[2012/03/30 19:34:23 | 000,344,396 | ---- | M] () -- C:\Documents and Settings\auser\My Documents\300320121040.jpg
[2012/03/30 19:33:24 | 000,318,898 | ---- | M] () -- C:\Documents and Settings\auser\My Documents\300320121038.jpg
[2012/03/30 19:32:12 | 000,351,037 | ---- | M] () -- C:\Documents and Settings\auser\My Documents\300320121037.jpg
[2012/03/26 21:31:08 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/04/24 23:23:02 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/04/09 14:41:54 | 000,000,830 | ---- | C] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/04/07 00:42:57 | 000,072,392 | ---- | C] () -- C:\Documents and Settings\auser\Desktop\421280_225532984200639_153961341357804_489581_983268483_n.jpg
[2012/03/30 19:34:56 | 000,294,119 | ---- | C] () -- C:\Documents and Settings\auser\My Documents\300320121035.jpg
[2012/03/30 19:34:00 | 000,344,396 | ---- | C] () -- C:\Documents and Settings\auser\My Documents\300320121040.jpg
[2012/03/30 19:33:01 | 000,318,898 | ---- | C] () -- C:\Documents and Settings\auser\My Documents\300320121038.jpg
[2012/03/30 19:31:39 | 000,351,037 | ---- | C] () -- C:\Documents and Settings\auser\My Documents\300320121037.jpg
[2012/02/15 13:09:20 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/08/19 12:26:20 | 010,920,984 | ---- | C] () -- C:\WINDOWS\System32\LogiDPP.dll
[2011/08/19 12:26:20 | 000,336,408 | ---- | C] () -- C:\WINDOWS\System32\DevManagerCore.dll
[2011/08/19 12:26:20 | 000,104,472 | ---- | C] () -- C:\WINDOWS\System32\LogiDPPApp.exe
[2011/08/12 13:20:14 | 000,015,896 | ---- | C] () -- C:\WINDOWS\System32\drivers\iKeyLFT2.dll
[2011/07/26 09:48:54 | 000,028,418 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2010/06/25 20:03:12 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll

========== LOP Check ==========

[2010/03/18 20:06:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2012/02/24 23:46:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EventGhost
[2012/03/21 19:34:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\F-Secure
[2010/06/30 00:36:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Installations
[2010/04/11 22:03:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nokia
[2008/01/23 00:27:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Suite
[2011/06/10 22:31:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Team MediaPortal
[2010/01/14 02:24:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/10/09 00:46:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\Aptana
[2009/10/10 13:50:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\EuroTalk
[2012/02/25 01:21:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\EventGhost
[2012/03/21 19:34:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\f-secure
[2011/01/22 04:15:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\gtk-2.0
[2012/01/23 19:27:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\Jumblo
[2012/01/21 01:26:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\Leadertech
[2011/01/29 23:36:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\Local
[2012/01/01 04:37:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\LowRateVoip
[2011/05/06 01:19:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\Nokia
[2007/03/12 22:42:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\Nokia Multimedia Player
[2010/08/31 00:53:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\Nokia Ovi Suite
[2010/06/03 00:08:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\Notepad++
[2009/02/10 02:11:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\OpenOffice.org
[2009/12/16 20:27:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\Opera
[2011/03/03 22:36:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\PC Suite
[2010/04/10 14:27:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\SSH
[2011/02/25 23:39:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\Subversion
[2011/02/20 20:47:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\Thunderbird
[2011/09/20 00:27:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\Wireshark
[2012/04/17 21:04:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\XBMC
[2008/03/11 23:08:52 | 000,000,110 | ---- | M] () -- C:\WINDOWS\Tasks\SesamTVMC.job

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

< End of report >

#2
Gammo

Posted 27 April 2012 - 08:16 AM

Member 2k

Malware Removal
2,299 posts

Hello and welcome to Geekstogo!

We apologize for the delay in responding to your request for help.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

If you haven't done so yet, please go to Malware and Spyware Cleaning Guide and follow the steps instructed there. If you have already done this, we still need a new log to see what has changed since you originally posted your problem.

We need to create an OTL Report
Download OTL to your Desktop

Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
Check the box that says Scan All Users.
Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

#3
arifzub

Posted 01 May 2012 - 09:56 PM

New Member

Topic Starter
Member
6 posts

Hi,

Thanks for your reply. avast reported rootkit again, perhaps some malware is still there. Here's the new log. There's no extras.log, only otl.log was generated.

OTL logfile created on: 02/05/2012 05:59:45 - Run 4
OTL by OldTimer - Version 3.2.42.2 Folder = C:\Documents and Settings\auser\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1.25 Gb Total Physical Memory | 0.80 Gb Available Physical Memory | 64.28% Memory free
1.47 Gb Paging File | 1.22 Gb Available in Paging File | 82.60% Paging File free
Paging file location(s): C:\pagefile.sys 372 744 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 14.90 Gb Total Space | 0.34 Gb Free Space | 2.31% Space Free | Partition Type: NTFS
Unable to calculate disk information.
Drive F: | 5.21 Gb Total Space | 3.30 Gb Free Space | 63.35% Space Free | Partition Type: FAT32
Drive G: | 5.13 Gb Total Space | 1.32 Gb Free Space | 25.75% Space Free | Partition Type: NTFS
Drive H: | 12.01 Gb Total Space | 3.43 Gb Free Space | 28.59% Space Free | Partition Type: FAT32

Computer Name: CHEETAH | User Name: auser | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/05/01 22:55:11 | 000,595,456 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\auser\Desktop\OTL.exe
PRC - [2012/03/07 02:15:17 | 004,241,512 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2012/03/07 02:15:14 | 000,044,768 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2012/01/18 09:44:52 | 000,450,848 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe
PRC - [2011/08/12 02:38:08 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) -- H:\Program Files\SuperAntiSpyware\SASCore.exe
PRC - [2008/04/14 03:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/09/06 21:25:02 | 001,003,520 | ---- | M] (www.IslamicFinder.org) -- C:\Program Files\Athan\Athan.exe
PRC - [2002/09/20 17:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

========== Modules (No Company Name) ==========

MOD - [2012/05/01 20:24:32 | 001,771,520 | ---- | M] () -- C:\Program Files\Alwil Software\Avast5\defs\12050101\algo.dll
MOD - [2011/11/03 18:28:36 | 001,292,288 | ---- | M] () -- C:\WINDOWS\system32\quartz.dll
MOD - [2008/04/14 03:11:59 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2008/04/14 03:11:52 | 000,498,742 | ---- | M] () -- C:\WINDOWS\system32\dxmasf.dll
MOD - [2008/04/14 03:11:51 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll
MOD - [2008/04/14 03:10:08 | 000,844,314 | ---- | M] () -- C:\WINDOWS\system32\msdxm.ocx
MOD - [2006/10/28 19:11:16 | 000,516,096 | ---- | M] () -- C:\WINDOWS\system32\ac3filter.ax
MOD - [2004/12/25 17:37:22 | 000,258,121 | ---- | M] () -- C:\Program Files\Athan\vbh.dll
MOD - [2004/11/25 13:03:52 | 000,282,689 | ---- | M] () -- C:\Program Files\Athan\vbp.dll
MOD - [2004/03/20 18:49:40 | 000,229,444 | ---- | M] () -- C:\Program Files\Athan\vbq.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Unknown] -- C:\Program Files\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\TEMP\geut\setup.exe run -- (AMService)
SRV - [2012/04/27 01:36:29 | 000,129,976 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/04/24 23:02:56 | 000,253,088 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/03/07 02:15:14 | 000,044,768 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2012/02/15 14:30:18 | 000,158,856 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2012/01/25 08:47:04 | 008,176,640 | ---- | M] () [On_Demand | Stopped] -- f:\wamp\bin\mysql\mysql5.5.20\bin\mysqld.exe -- (wampmysqld)
SRV - [2012/01/18 09:44:52 | 000,450,848 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe -- (UMVPFSrv)
SRV - [2011/09/26 07:50:40 | 000,018,432 | ---- | M] (Apache Software Foundation) [On_Demand | Stopped] -- f:\wamp\bin\apache\Apache2.2.21\bin\httpd.exe -- (wampapache)
SRV - [2011/08/12 02:38:08 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- H:\Program Files\SuperAntiSpyware\SASCore.exe -- (!SASCORE)
SRV - [2010/11/11 14:31:54 | 000,334,448 | ---- | M] (VMware, Inc.) [On_Demand | Stopped] -- C:\WINDOWS\system32\vmnetdhcp.exe -- (VMnetDHCP)
SRV - [2010/11/11 14:31:50 | 000,404,080 | ---- | M] (VMware, Inc.) [On_Demand | Stopped] -- C:\WINDOWS\system32\vmnat.exe -- (VMware NAT Service)
SRV - [2010/11/11 14:30:44 | 000,113,264 | ---- | M] (VMware, Inc.) [On_Demand | Stopped] -- C:\Program Files\VMware\VMware Player\vmware-authd.exe -- (VMAuthdService)
SRV - [2010/11/11 13:31:44 | 000,539,248 | ---- | M] (VMware, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe -- (VMUSBArbService)
SRV - [2010/08/19 14:57:14 | 000,191,024 | ---- | M] (VMware, Inc.) [On_Demand | Stopped] -- C:\Program Files\VMware\VMware Player\vmware-ufad.exe -- (ufad-ws60)
SRV - [2010/06/25 20:07:20 | 000,117,264 | ---- | M] (CACE Technologies, Inc.) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2010/03/18 12:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2010/01/26 12:41:08 | 000,652,800 | ---- | M] (Nokia) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2009/09/23 17:37:30 | 000,051,168 | ---- | M] (NOS Microsystems Ltd.) [Disabled | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2008/10/15 17:13:58 | 000,439,632 | ---- | M] (RealVNC Ltd.) [On_Demand | Stopped] -- C:\Program Files\RealVNC\VNC4\winvnc4.exe -- (WinVNC4)
SRV - [2002/09/20 17:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\usbVM31b.sys -- (ZSMC301b)
DRV - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\xpsec.sys -- (xpsec)
DRV - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\xcpip.sys -- (xcpip)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2012/03/07 02:03:51 | 000,612,184 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2012/03/07 02:03:38 | 000,337,880 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2012/03/07 02:02:00 | 000,035,672 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2012/03/07 02:01:53 | 000,053,848 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2012/03/07 02:01:39 | 000,095,704 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2012/03/07 02:01:30 | 000,020,696 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2012/03/07 01:58:29 | 000,024,920 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2012/01/18 09:44:52 | 004,332,960 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lvuvc.sys -- (LVUVC) Logitech HD Webcam C270(UVC)
DRV - [2012/01/18 09:44:28 | 000,312,096 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lvrs.sys -- (LVRS)
DRV - [2011/07/22 19:27:04 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- H:\Program Files\SuperAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2011/07/13 00:55:24 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- H:\Program Files\SuperAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/11/11 14:32:10 | 000,070,768 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmci.sys -- (vmci)
DRV - [2010/11/11 14:32:08 | 000,854,128 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmx86.sys -- (vmx86)
DRV - [2010/11/11 14:31:34 | 000,023,792 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmparport.sys -- (VMparport)
DRV - [2010/11/11 14:30:34 | 000,024,688 | ---- | M] (VMware, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VMkbd.sys -- (vmkbd)
DRV - [2010/11/11 14:29:30 | 000,032,752 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmnetbridge.sys -- (VMnetBridge)
DRV - [2010/11/11 14:29:26 | 000,026,352 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmnetuserif.sys -- (VMnetuserif)
DRV - [2010/11/11 13:31:28 | 000,032,368 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\hcmon.sys -- (hcmon)
DRV - [2010/11/11 11:04:52 | 000,016,560 | ---- | M] (VMware, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\vmnetadapter.sys -- (VMnetAdapter)
DRV - [2010/08/19 14:56:38 | 000,022,448 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Program Files\VMware\VMware Player\vstor2-ws60.sys -- (vstor2-ws60)
DRV - [2010/06/25 20:07:14 | 000,035,088 | ---- | M] (CACE Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2010/01/21 14:53:16 | 000,018,048 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdcmb.sys -- (nmwcd)
DRV - [2009/12/30 11:30:56 | 000,007,936 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys -- (UsbserFilt)
DRV - [2009/12/30 11:30:48 | 000,022,016 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdcmbo.sys -- (nmwcdc)
DRV - [2009/12/30 11:30:48 | 000,007,936 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbser_lowerflt.sys -- (upperdev)
DRV - [2009/12/30 11:25:12 | 000,137,344 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmwcdnsu.sys -- (nmwcdnsu)
DRV - [2009/08/05 23:48:42 | 000,054,752 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
DRV - [2009/07/13 17:51:12 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)
DRV - [2008/08/26 09:26:12 | 000,018,816 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2007/09/12 07:01:44 | 000,879,496 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2007/08/30 09:02:20 | 000,539,432 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2007/08/27 08:58:18 | 000,074,656 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2007/06/29 07:38:30 | 000,156,392 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2007/03/31 08:02:40 | 000,055,352 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwhid.sys -- (btwhid)
DRV - [2007/03/23 05:50:08 | 000,037,424 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2004/05/05 22:48:40 | 000,004,228 | ---- | M] (PowerQuest Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\PQNTDRV.sys -- (PQNTDrv)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7

IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKU\.DEFAULT\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...Box&Form=IE8SRC
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKU\S-1-5-18\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...Box&Form=IE8SRC
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1844237615-1060284298-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKU\S-1-5-21-1844237615-1060284298-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-1844237615-1060284298-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.condui...&ctid=CT1605787
IE - HKU\S-1-5-21-1844237615-1060284298-682003330-1003\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found
IE - HKU\S-1-5-21-1844237615-1060284298-682003330-1003\..\SearchScopes,DefaultScope = {33FB10DC-E0F1-4187-BA0C-4C47BA62A98B}
IE - HKU\S-1-5-21-1844237615-1060284298-682003330-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...Box&Form=IE8SRC
IE - HKU\S-1-5-21-1844237615-1060284298-682003330-1003\..\SearchScopes\{24A360E8-4F58-4941-972C-6BEBF1B91EFA}: "URL" = http://www.bing.com/...ferrer:source?}
IE - HKU\S-1-5-21-1844237615-1060284298-682003330-1003\..\SearchScopes\{33FB10DC-E0F1-4187-BA0C-4C47BA62A98B}: "URL" = http://www.google.co...&rlz=1I7SKPB_en
IE - HKU\S-1-5-21-1844237615-1060284298-682003330-1003\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...q={searchTerms}
IE - HKU\S-1-5-21-1844237615-1060284298-682003330-1003\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.condui...&ctid=CT1605787
IE - HKU\S-1-5-21-1844237615-1060284298-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Bing"
FF - prefs.js..browser.search.defaultthis.engineName: "mobilewitch Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.condui...={searchTerms}"
FF - prefs.js..browser.search.selectedEngine: "Wikipedia (en)"
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.dawn.com/"
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1
FF - prefs.js..extensions.enabledItems: 6
FF - prefs.js..extensions.enabledItems: 2
FF - prefs.js..extensions.enabledItems: 48
FF - prefs.js..extensions.enabledItems: [email protected]:0.3.3
FF - prefs.js..extensions.enabledItems: {ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a}:1.4.2b
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:4.0.12.11
FF - prefs.js..extensions.enabledItems: {bee6eb20-01e0-ebd1-da83-080329fb9a3a}:0.2
FF - prefs.js..extensions.enabledItems: {23fcfd51-4958-4f00-80a3-ae97e717ed8b}:2.1.0.900
FF - prefs.js..extensions.enabledItems: {6904342A-8307-11DF-A508-4AE2DFD72085}:2.1.0.900
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:14.0.2
FF - prefs.js..keyword.URL: "http://www.bing.com/...?FORM=IEFM1&q="
FF - prefs.js..network.proxy.type: 4

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_2_202_233.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX OVS Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: File not found
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.633: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.633: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.633: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.633: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.1: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKLM\Software\MozillaPlugins\[email protected]/YahooActiveXPluginBridge;version=1.0.0.1: C:\PROGRA~1\Yahoo!\Common\npyaxmpb.dll (Yahoo! Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{A27F3FEF-1113-4cfb-A032-8E12D7D8EE70}: C:\Program Files\Nokia\Nokia Ovi Suite\Connectors\Bookmarks Connector\FirefoxExtension\ [2010/04/11 15:08:48 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\html5video [2011/01/29 23:36:11 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{6904342A-8307-11DF-A508-4AE2DFD72085}: C:\Program Files\DivX\DivX Plus Web Player\firefox\wpa [2011/01/29 23:36:12 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/03/19 15:08:29 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\[email protected]: C:\Program Files\Alwil Software\Avast5\WebRep\FF [2012/03/26 21:31:07 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/04/27 01:36:29 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/04/13 12:00:15 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 10.0.2\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2012/01/17 22:55:58 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 10.0.2\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2012/04/13 12:00:15 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\{CCB7D94B-CA92-4E3F-B79D-ADE0F07ADC74}: C:\Program Files\Nokia\Nokia Ovi Suite\Connectors\Thunderbird Connector\ThunderbirdExtension\ [2010/04/11 15:09:01 | 000,000,000 | ---D | M]

[2011/02/20 20:47:16 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\auser\Application Data\Mozilla\Extensions
[2011/02/20 20:47:16 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\auser\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2012/04/29 20:35:21 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\extensions
[2010/06/27 19:46:23 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012/03/29 19:16:40 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2012/04/25 18:25:03 | 000,000,000 | ---D | M] (Flash and Video Download) -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a}
[2011/01/07 23:02:52 | 000,000,000 | ---D | M] (Web Developer) -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
[2010/10/21 21:50:23 | 000,000,000 | ---D | M] (Java Console) -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
[2010/10/21 21:50:22 | 000,000,000 | ---D | M] (Java Console) -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
[2009/11/07 13:27:05 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2010/10/10 19:42:40 | 000,000,000 | ---D | M] (AnyColor) -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\extensions\[email protected]
[2010/06/27 19:45:47 | 000,000,000 | ---D | M] (Fast Youtube Downloader) -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\extensions\[email protected]
[2012/04/25 18:24:52 | 000,000,000 | ---D | M] (Ghostery) -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\extensions\[email protected]
[2011/12/20 23:28:56 | 000,000,000 | ---D | M] (Nokia Maps 3D browser plugin) -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\extensions\[email protected]
[2008/11/29 01:26:26 | 000,000,000 | ---D | M] (translator) -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\extensions\[email protected]
[2010/08/04 20:09:23 | 000,000,000 | ---D | M] (1-Click YouTube Video Downloader) -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\extensions\[email protected]
[2010/04/01 00:47:20 | 000,000,869 | ---- | M] () -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\searchplugins\altavista.xml
[2009/10/28 17:07:18 | 000,002,171 | ---- | M] () -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\searchplugins\bing.xml
[2011/05/29 14:37:50 | 000,000,925 | ---- | M] () -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\searchplugins\conduit.xml
[2010/07/19 21:30:10 | 000,001,973 | ---- | M] () -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\searchplugins\duck-duck-go.xml
[2011/05/26 00:01:48 | 000,001,982 | ---- | M] () -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\searchplugins\duckduckgo-ssl.xml
[2008/11/26 23:03:48 | 000,001,620 | ---- | M] () -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\searchplugins\mozilla-add-ons.xml
[2011/12/16 12:59:38 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/02/28 13:23:37 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
() (No name found) -- C:\DOCUMENTS AND SETTINGS\auser\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\XC00J5W5.DEFAULT\EXTENSIONS\[email protected]
[2012/04/27 01:36:29 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/04/27 01:36:22 | 000,001,525 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2012/02/13 19:01:21 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/04/27 01:36:22 | 000,000,935 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2012/04/27 01:36:22 | 000,001,166 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2012/04/27 01:36:29 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml
[2012/04/27 01:36:22 | 000,001,121 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

Hosts file not found
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
O2 - BHO: (DivX HiQ) - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll File not found
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-1844237615-1060284298-682003330-1003\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4 - HKLM..\Run: [Athan] C:\Program Files\Athan\Athan.exe (www.IslamicFinder.org)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKU\.DEFAULT..\Run: [LKGGOPABUH] C:\WINDOWS\TEMP\Ljl.exe File not found
O4 - HKU\.DEFAULT..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe (Time Information Services Ltd.)
O4 - HKU\.DEFAULT..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe File not found
O4 - HKU\S-1-5-18..\Run: [LKGGOPABUH] C:\WINDOWS\TEMP\Ljl.exe File not found
O4 - HKU\S-1-5-18..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe (Time Information Services Ltd.)
O4 - HKU\S-1-5-18..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe File not found
O4 - HKU\.DEFAULT..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe ()
O4 - HKU\S-1-5-18..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1844237615-1060284298-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - C:\Program Files\Fiddler2\Fiddler.exe (Eric Lawrence)
O9 - Extra 'Tools' menuitem : Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - C:\Program Files\Fiddler2\Fiddler.exe (Eric Lawrence)
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - C:\Program Files\VMware\VMware Player\vsocklib.dll (VMware, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - C:\Program Files\VMware\VMware Player\vsocklib.dll (VMware, Inc.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 89.106.32.20 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{617BC9E3-A113-45DE-80E4-4AD0918AB2EF}: DhcpNameServer = 89.106.32.20 192.168.0.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\WINDOWS\System32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - (H:\Program Files\SuperAntiSpyware\SASWINLO.DLL) - H:\Program Files\SuperAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\auser\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\auser\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - H:\Program Files\SuperAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/10/30 18:19:15 | 000,000,000 | -HS- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{1ee50cf2-978e-11dc-a2b1-000802acc6c1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{1ee50cf2-978e-11dc-a2b1-000802acc6c1}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
O33 - MountPoints2\{1ee50cf2-978e-11dc-a2b1-000802acc6c1}\Shell\Explore\command - "" = Flash.10.Setup.exe
O33 - MountPoints2\{1ee50cf2-978e-11dc-a2b1-000802acc6c1}\Shell\Open\command - "" = Flash.10.Setup.exe
O33 - MountPoints2\{1ee50cf2-978e-11dc-a2b1-000802acc6c1}\Shell\Scan for Viruses\command - "" = Scanner.exe
O33 - MountPoints2\{3a9fe0fe-83b4-11df-b2f9-000802acc6c1}\Shell - "" = Autorun
O33 - MountPoints2\{3a9fe0fe-83b4-11df-b2f9-000802acc6c1}\Shell\AutoRun\command - "" = E:\Install_Nokia_Ovi_Suite.exe
O33 - MountPoints2\{c68fd1d8-0a39-11dc-8467-000802acc6c1}\Shell\Auto\command - "" = I:\Ghost.pif
O33 - MountPoints2\{c68fd1d8-0a39-11dc-8467-000802acc6c1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{c68fd1d8-0a39-11dc-8467-000802acc6c1}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Ghost.pif
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/04/27 01:36:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Mozilla
[2012/04/27 01:36:48 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Maintenance Service
[2012/04/25 02:26:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\auser\Application Data\SUPERAntiSpyware.com
[2012/04/25 02:26:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware
[2012/04/25 02:25:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2012/04/25 01:44:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\auser\Application Data\Malwarebytes
[2012/04/25 01:44:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/04/25 01:44:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/04/25 01:44:09 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/04/25 01:44:05 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/04/13 11:59:08 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2012/04/13 11:58:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\VideoLAN
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/05/02 05:51:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/05/02 01:28:00 | 000,000,998 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/04/30 19:27:48 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/04/30 19:25:45 | 000,000,994 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/04/30 19:25:44 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1844237615-1060284298-682003330-1003.job
[2012/04/30 19:25:41 | 000,000,280 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-18.job
[2012/04/30 19:24:24 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/04/26 10:29:33 | 000,000,290 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1844237615-1060284298-682003330-1003.job
[2012/04/25 22:10:00 | 000,000,288 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-18.job
[2012/04/25 02:26:00 | 000,000,656 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2012/04/25 01:44:16 | 000,000,802 | ---- | M] () -- C:\Documents and Settings\auser\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes Anti-Malware.lnk
[2012/04/24 23:32:32 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2012/04/24 23:23:03 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/04/13 11:03:09 | 000,436,156 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/04/13 11:03:08 | 000,069,528 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/04/13 10:40:33 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/04/04 15:56:40 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/04/25 02:26:00 | 000,000,656 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2012/04/25 01:44:16 | 000,000,802 | ---- | C] () -- C:\Documents and Settings\auser\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes Anti-Malware.lnk
[2012/04/24 23:23:02 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/04/09 14:41:54 | 000,000,830 | ---- | C] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/02/15 13:09:20 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/08/19 12:26:20 | 010,920,984 | ---- | C] () -- C:\WINDOWS\System32\LogiDPP.dll
[2011/08/19 12:26:20 | 000,336,408 | ---- | C] () -- C:\WINDOWS\System32\DevManagerCore.dll
[2011/08/19 12:26:20 | 000,104,472 | ---- | C] () -- C:\WINDOWS\System32\LogiDPPApp.exe
[2011/08/12 13:20:14 | 000,015,896 | ---- | C] () -- C:\WINDOWS\System32\drivers\iKeyLFT2.dll
[2011/07/26 09:48:54 | 000,028,418 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2010/06/25 20:03:12 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll

========== LOP Check ==========

[2010/03/18 20:06:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2012/02/24 23:46:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EventGhost
[2012/03/21 19:34:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\F-Secure
[2010/06/30 00:36:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Installations
[2010/04/11 22:03:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nokia
[2008/01/23 00:27:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Suite
[2011/06/10 22:31:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Team MediaPortal
[2010/01/14 02:24:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011/01/11 23:44:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Subversion
[2009/10/09 00:46:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\Aptana
[2009/10/10 13:50:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\EuroTalk
[2012/02/25 01:21:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\EventGhost
[2012/03/21 19:34:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\f-secure
[2011/01/22 04:15:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\gtk-2.0
[2012/01/23 19:27:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\Jumblo
[2012/01/21 01:26:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\Leadertech
[2011/01/29 23:36:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\Local
[2012/01/01 04:37:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\LowRateVoip
[2011/05/06 01:19:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\Nokia
[2007/03/12 22:42:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\Nokia Multimedia Player
[2010/08/31 00:53:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\Nokia Ovi Suite
[2010/06/03 00:08:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\Notepad++
[2009/02/10 02:11:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\OpenOffice.org
[2009/12/16 20:27:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\Opera
[2011/03/03 22:36:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\PC Suite
[2010/04/10 14:27:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\SSH
[2011/02/25 23:39:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\Subversion
[2011/02/20 20:47:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\Thunderbird
[2011/09/20 00:27:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\Wireshark
[2012/04/27 18:28:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\auser\Application Data\XBMC
[2008/06/18 22:34:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\buser\Application Data\jamse
[2008/04/21 13:49:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\buser\Application Data\LowRateVoip
[2012/03/15 21:03:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\buser\Application Data\Opera
[2009/02/20 23:28:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\buser\Application Data\PoivY
[2008/06/02 22:55:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\buser\Application Data\SSH
[2012/03/15 21:07:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\buser\Application Data\Thunderbird
[2008/03/11 23:08:52 | 000,000,110 | ---- | M] () -- C:\WINDOWS\Tasks\SesamTVMC.job

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

< End of report >

#4
Gammo

Posted 02 May 2012 - 04:42 AM

Member 2k

Malware Removal
2,299 posts

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
SRV - File not found [Disabled | Unknown] -- C:\Program Files\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\TEMP\geut\setup.exe run -- (AMService)
IE - HKU\S-1-5-21-1844237615-1060284298-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.condui...&ctid=CT1605787
IE - HKU\S-1-5-21-1844237615-1060284298-682003330-1003\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.condui...&ctid=CT1605787
FF - prefs.js..browser.search.defaultthis.engineName: "mobilewitch Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT1605787&SearchSource=3&q={searchTerms}"
[2011/05/29 14:37:50 | 000,000,925 | ---- | M] () -- C:\Documents and Settings\auser\Application Data\Mozilla\Firefox\Profiles\xc00j5w5.default\searchplugins\conduit.xml
O4 - HKU\.DEFAULT..\Run: [LKGGOPABUH] C:\WINDOWS\TEMP\Ljl.exe File not found
O4 - HKU\S-1-5-18..\Run: [LKGGOPABUH] C:\WINDOWS\TEMP\Ljl.exe File not found
O33 - MountPoints2\{1ee50cf2-978e-11dc-a2b1-000802acc6c1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{1ee50cf2-978e-11dc-a2b1-000802acc6c1}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
O33 - MountPoints2\{1ee50cf2-978e-11dc-a2b1-000802acc6c1}\Shell\Explore\command - "" = Flash.10.Setup.exe
O33 - MountPoints2\{1ee50cf2-978e-11dc-a2b1-000802acc6c1}\Shell\Open\command - "" = Flash.10.Setup.exe
O33 - MountPoints2\{1ee50cf2-978e-11dc-a2b1-000802acc6c1}\Shell\Scan for Viruses\command - "" = Scanner.exe
O33 - MountPoints2\{3a9fe0fe-83b4-11df-b2f9-000802acc6c1}\Shell - "" = Autorun
O33 - MountPoints2\{3a9fe0fe-83b4-11df-b2f9-000802acc6c1}\Shell\AutoRun\command - "" = E:\Install_Nokia_Ovi_Suite.exe
O33 - MountPoints2\{c68fd1d8-0a39-11dc-8467-000802acc6c1}\Shell\Auto\command - "" = I:\Ghost.pif
O33 - MountPoints2\{c68fd1d8-0a39-11dc-8467-000802acc6c1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{c68fd1d8-0a39-11dc-8467-000802acc6c1}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Ghost.pif
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

:Services

:Reg

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[emptyflash]
[createrestorepoint]
[reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done

Download the latest version of TDSSKiller from here and save it to your Desktop.

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
Click the Start Scan button.
If a suspicious object is detected, the default action will be Skip, click on Continue.
If malicious objects are found, they will show in the Scan results and offer three (3) options.
Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Double click on ComboFix.exe & follow the prompts.
Accept the disclaimer and allow to update if it asks
When finished, it shall produce a log for you.
Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

#5
arifzub

Posted 04 May 2012 - 02:53 PM

New Member

Topic Starter
Member
6 posts

Thank you for the detailed instructions. I ran the fixes and here are the logs from OTL, TDSSKiller and ComboFix.

ComboFix.txt 18.52KB 81 downloads

TDSSKiller.2.7.34.0_04.05.2012_22.51.24_log.txt 103.34KB 65 downloads

05042012_223825.txt 14.32KB 67 downloads

Before applying these fixes, my network admin told me that my machine showed signs of torpig botnet like traffic. Please check if it is clean now. Thanks!

#6
Gammo

Posted 04 May 2012 - 03:29 PM

Member 2k

Malware Removal
2,299 posts

my network admin told me that my machine showed signs of torpig botnet like traffic.

Yes, he's right. The main part of it is gone now. The instructions below take care of the remains.

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

:Services
xpsec
xcpip

:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=-
"65533:TCP"=-
"52344:TCP"=-

:Files
C:\WINDOWS\system32\drivers\xpsec.sys
C:\WINDOWS\system32\drivers\xcpip.sys

Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done

How is your PC running now? :thumbsup:

#7
arifzub

Posted 05 May 2012 - 12:17 PM

New Member

Topic Starter
Member
6 posts

Hi Gammo,

Thanks for all the help with removal of this dangerous rootkit / bot. The system seems to be working fine now, but now I am not sure anymore after seeing all the infections reported by those tools.

I feel pretty compromised in terms of all my internet usage (email accounts, all form data, passwords etc.) probably went through some man-in-the-browser attack

!!! I need to change all my passwords. Would that be correct understanding of the scale of attack ? Any other recommendations about this.

Also does this malware affect Windows 7 machines ? I am not sure how it spreads around.

Thanks again for all the help.

#8
Gammo

Posted 05 May 2012 - 04:38 PM

Member 2k

Malware Removal
2,299 posts

I feel pretty compromised in terms of all my internet usage (email accounts, all form data, passwords etc.) probably went through some man-in-the-browser attack !!! I need to change all my passwords. Would that be correct understanding of the scale of attack ? Any other recommendations about this.

It's most definitely a good idea to change your passwords with this infection.