
Google redirect and friends, + Black Screen of Death [Closed]


  • This topic is locked

#16
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Delete ComboFix, re-download it and run it again.
  • 0



#17
chupata
    Member
  • Topic Starter
  • 20 posts
ComboFix started running normally, but then there was a crash and the system restarted. I got the "Windows has recovered from an unexpected shutdown" message when I logged back into Windows. Here's a copy of the details:

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6002.2.2.0.768.3
Locale ID: 1033

Additional information about the problem:
BCCode: 1000007e
BCP1: C0000005
BCP2: 85744DEE
BCP3: 8B15B780
BCP4: 8B15B47C
OS Version: 6_0_6002
Service Pack: 2_0
Product: 768_1

Files that help describe the problem:
C:\Windows\Minidump\Mini120609-01.dmp
C:\Users\carlo\AppData\Local\temp\WER-150977-0.sysdata.xml
C:\Users\carlo\AppData\Local\temp\WERB173.tmp.version.txt

Read our privacy statement:
http://go.microsoft....mp;clcid=0x0409


Also, ComboFix didn't generate a log.
  • 0

#18
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Can you rename it to svchost.com and run it in safe mode?
  • 0

#19
chupata
    Member
  • Topic Starter
  • 20 posts
The retry was successful; here's the log:

ComboFix 09-12-06.A3 - SYSTEM 12/07/2009 9:15.4.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.2593 [GMT -8:00]
Running from: c:\users\carlo\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-11-07 to 2009-12-07 )))))))))))))))))))))))))))))))
.

2009-12-07 17:24 . 2009-12-07 17:25 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2009-12-07 17:24 . 2009-12-07 17:24 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-12-07 17:24 . 2009-12-07 17:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-07 17:24 . 2009-12-07 17:24 -------- d-----w- c:\users\carlo\AppData\Local\temp
2009-12-07 17:24 . 2009-12-07 17:24 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2009-12-07 17:12 . 2009-12-07 17:12 49152 d-----w- C:\32788R22FWJFW
2009-12-04 08:10 . 2009-12-04 00:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-04 08:10 . 2009-12-05 11:33 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-04 08:10 . 2009-12-04 00:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-04 07:14 . 2009-12-04 07:14 14122 ----a-w- C:\MGlogs.zip
2009-12-04 07:14 . 2009-12-04 07:14 8192 d-----w- C:\MGtools
2009-12-04 05:59 . 2009-12-04 05:59 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\Malwarebytes
2009-12-03 18:44 . 2009-12-03 18:44 117760 ----a-w- c:\windows\System32\config\systemprofile\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-03 18:44 . 2009-12-03 18:44 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\SUPERAntiSpyware.com
2009-12-01 10:07 . 2009-12-01 10:07 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-12-01 10:07 . 2009-12-05 12:06 -------- d-----w- c:\users\carlo\AppData\Roaming\SUPERAntiSpyware.com
2009-12-01 10:07 . 2009-12-05 12:06 4096 d-----w- c:\program files\SUPERAntiSpyware
2009-12-01 03:07 . 2009-12-01 03:07 70 ----a-w- c:\users\carlo\AppData\Roaming\Microsoft\Windows\Recent\PE.sys
2009-12-01 03:07 . 2009-12-01 03:07 11 ----a-w- c:\users\carlo\AppData\Roaming\Microsoft\Windows\Recent\CLSV.drv
2009-12-01 03:07 . 2009-12-01 03:07 75 ----a-w- c:\users\carlo\AppData\Roaming\Microsoft\Windows\Recent\pal.exe
2009-12-01 03:07 . 2009-12-01 03:07 59 ----a-w- c:\users\carlo\AppData\Roaming\Microsoft\Windows\Recent\CLSV.dll
2009-12-01 03:07 . 2009-12-01 03:07 67 ----a-w- c:\users\carlo\AppData\Roaming\Microsoft\Windows\Recent\PE.exe
2009-12-01 03:07 . 2009-12-01 03:07 77 ----a-w- c:\users\carlo\AppData\Roaming\Microsoft\Windows\Recent\sld.sys
2009-12-01 03:07 . 2009-12-01 03:07 51 ----a-w- c:\users\carlo\AppData\Roaming\Microsoft\Windows\Recent\ppal.dll
2009-12-01 03:07 . 2009-12-01 03:07 70 ----a-w- c:\users\carlo\AppData\Roaming\Microsoft\Windows\Recent\std.drv
2009-12-01 03:07 . 2009-12-01 03:07 3 ----a-w- c:\users\carlo\AppData\Roaming\Microsoft\Windows\Recent\grid.exe
2009-12-01 03:07 . 2009-12-01 03:07 2 ----a-w- c:\users\carlo\AppData\Roaming\Microsoft\Windows\Recent\tjd.drv
2009-12-01 03:07 . 2009-12-01 03:07 74 ----a-w- c:\users\carlo\AppData\Roaming\Microsoft\Windows\Recent\exec.sys
2009-12-01 03:07 . 2009-12-01 03:07 67 ----a-w- c:\users\carlo\AppData\Roaming\Microsoft\Windows\Recent\energy.sys
2009-12-01 03:06 . 2009-12-01 03:06 -------- d-sh--w- c:\programdata\WSGSHUD_APDM
2009-12-01 03:01 . 2009-12-01 03:21 -------- d-sh--w- c:\users\carlo\AppData\Roaming\System
2009-12-01 03:01 . 2009-12-01 03:01 -------- d-----w- c:\users\carlo\AppData\Roaming\Mozilla Firefox
2009-12-01 02:44 . 2009-09-30 18:41 361472 ----a-w- c:\users\carlo\AppData\Roaming\EA\EASW\GameFace\FgPhotofitDll.dll
2009-12-01 02:44 . 2009-09-21 19:14 8192 ----a-w- c:\users\carlo\AppData\Roaming\EA\EASW\GameFace\OpenGLCheck.dll
2009-12-01 02:44 . 2009-08-19 19:40 655872 ----a-w- c:\users\carlo\AppData\Roaming\EA\EASW\GameFace\msvcr90.dll
2009-12-01 02:44 . 2009-08-19 19:40 572928 ----a-w- c:\users\carlo\AppData\Roaming\EA\EASW\GameFace\msvcp90.dll
2009-12-01 02:44 . 2009-10-08 18:30 13312 ----a-w- c:\users\carlo\AppData\Roaming\EA\EASW\GameFace\PhotoFaceConsole.exe
2009-12-01 02:44 . 2009-09-30 04:29 6144 ----a-w- c:\users\carlo\AppData\Roaming\EA\EASW\GameFace\DetectOpenGLConsole.exe
2009-12-01 02:44 . 2009-09-30 04:29 5120 ----a-w- c:\users\carlo\AppData\Roaming\EA\EASW\GameFace\DownloadSourcePhotoConsole.exe
2009-12-01 02:44 . 2009-09-30 04:29 9216 ----a-w- c:\users\carlo\AppData\Roaming\EA\EASW\GameFace\UploadPhotofitConsole.exe
2009-12-01 02:44 . 2009-08-19 19:40 4178264 ----a-w- c:\users\carlo\AppData\Roaming\EA\EASW\GameFace\D3DX9_41.dll
2009-12-01 02:44 . 2009-10-01 03:14 15872 ----a-w- c:\users\carlo\AppData\Roaming\EA\EASW\GameFace\PhotoFaceConsole.XmlSerializers.dll
2009-12-01 02:43 . 2009-12-01 02:43 175616 ----a-w- c:\users\carlo\AppData\Roaming\EA\EASW\GameFace\unrar64_nocrypt.dll
2009-12-01 02:43 . 2009-12-01 02:43 150528 ----a-w- c:\users\carlo\AppData\Roaming\EA\EASW\GameFace\unrar_nocrypt.dll
2009-12-01 02:43 . 2009-12-01 02:43 30208 ----a-w- c:\users\carlo\AppData\Roaming\EA\EASW\GameFace\FileDownloadConsole.exe
2009-12-01 02:43 . 2009-12-01 02:43 -------- d-----w- c:\users\carlo\AppData\Roaming\EA
2009-12-01 02:43 . 2009-12-01 02:43 -------- d-----w- c:\users\carlo\AppData\Local\Deployment
2009-12-01 02:43 . 2009-12-01 02:43 -------- d-----w- c:\users\carlo\AppData\Local\Apps
2009-11-28 07:55 . 2009-11-28 07:55 -------- d-----w- c:\users\carlo\AppData\Local\Unity
2009-11-27 23:05 . 2008-03-05 23:56 3786760 ----a-w- c:\windows\system32\D3DX9_37.dll
2009-11-27 23:05 . 2007-07-20 02:14 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll
2009-11-27 23:05 . 2007-05-17 00:45 3497832 ----a-w- c:\windows\system32\d3dx9_34.dll
2009-11-27 23:05 . 2007-04-05 02:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2009-11-27 23:05 . 2007-03-13 00:42 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2009-11-27 23:05 . 2006-11-29 21:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-11-27 23:05 . 2006-09-29 00:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2009-11-27 23:04 . 2005-05-26 23:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2009-11-25 10:29 . 2009-10-29 09:17 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-25 07:24 . 2009-08-11 16:44 1401856 ----a-w- c:\windows\system32\msxml6.dll
2009-11-25 07:24 . 2009-08-11 16:44 1248768 ----a-w- c:\windows\system32\msxml3.dll
2009-11-24 07:41 . 2009-11-24 07:41 -------- d-----w- C:\AeriaGames
2009-11-24 07:20 . 2009-12-07 16:48 4096 d-----w- c:\program files\Common Files\Akamai
2009-11-16 07:03 . 2009-11-16 07:03 4096 d-----w- c:\program files\DivX
2009-11-16 07:03 . 2009-11-16 07:03 4096 d-----w- c:\program files\Common Files\DivX Shared
2009-11-11 17:03 . 2009-08-14 13:27 2036736 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 17:03 . 2009-08-10 12:35 355328 ----a-w- c:\windows\system32\WSDApi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-07 16:50 . 2008-04-18 18:31 12 ----a-w- c:\windows\bthservsdp.dat
2009-12-07 00:00 . 2008-07-30 04:54 -------- d-----w- c:\users\carlo\AppData\Roaming\OpenOffice.org2
2009-12-06 17:57 . 2008-07-25 03:55 83616 ----a-w- c:\users\carlo\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-05 08:37 . 2009-08-10 04:42 -------- d-----w- c:\programdata\Roxio
2009-12-05 07:08 . 2009-03-26 00:34 4096 d-----w- c:\program files\Google
2009-12-05 06:08 . 2006-11-02 13:02 1356 ----a-w- c:\windows\system32\config\systemprofile\AppData\Local\d3d9caps.dat
2009-12-04 08:02 . 2009-08-13 23:39 4096 d-----w- c:\program files\ERUNT
2009-12-03 18:35 . 2008-07-25 05:44 49152 d-----w- c:\users\carlo\AppData\Roaming\uTorrent
2009-12-03 16:30 . 2008-07-30 04:54 1 ----a-w- c:\users\carlo\AppData\Roaming\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-12-01 04:17 . 2008-08-02 05:34 -------- d-----w- c:\users\carlo\AppData\Roaming\gtk-2.0
2009-11-25 17:41 . 2009-08-15 17:21 -------- d-----w- c:\program files\McAfee
2009-11-03 04:42 . 2009-10-03 13:47 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-28 04:51 . 2009-10-28 04:51 -------- d-----w- c:\program files\Veetle
2009-10-27 09:43 . 2008-08-02 05:33 4096 d-----w- c:\users\carlo\AppData\Roaming\.purple
2009-10-14 06:54 . 2009-10-14 06:16 4096 d-----w- c:\program files\Pazera MP4 to AVI converter
2009-10-09 02:27 . 2009-10-14 06:11 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-09-14 09:29 . 2009-10-14 21:14 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-10 16:48 . 2009-10-14 21:14 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-03-28 01:42 . 2009-08-11 06:04 889856 ----a-w- c:\program files\mozilla firefox\components\pbgk1_9.dll
2008-09-24 06:30 . 2008-08-04 06:15 88 --sh--r- c:\windows\System32\8DDB2614FF.sys
2008-09-24 06:31 . 2008-08-04 06:15 2828 --sha-w- c:\windows\System32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-06-06 06:16 2955264 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-06-06 06:16 2955264 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-05 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-05 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-05 137752]
"RtHDVCpl"="RtHDVCpl.exe" [2008-02-28 4915200]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-03-10 835584]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2007-11-21 311296]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2007-06-06 49168]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-04-10 37888]
"atwtusb"="atwtusb.exe" [2007-03-21 315392]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

c:\users\carlo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
AutoHotkey.ahk - Shortcut.lnk - c:\users\carlo\Documents\AutoHotkey.ahk [2008-7-30 1656]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-10-30 748072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-06-06 06:03 90112 ----a-w- c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2008-02-21 17:26 98304 ----a-w- c:\windows\System32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"VistaSp2"=hex(b):b0,0d,e9,6e,f9,1d,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-18]
"EnableNotifications\\Ref"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-82084531-1568399576-1305024956-1000]
"EnableNotificationsRef"=dword:00000001

R1 Ext2fs;Ext2fs;c:\windows\System32\drivers\ext2fs.sys [7/29/2008 7:23 PM 187840]
R1 IfsMount;IfsMount;c:\windows\System32\drivers\ifsmount.sys [7/29/2008 7:23 PM 58816]
R3 SFEP;Sony Firmware Extension Parser;c:\windows\System32\drivers\SFEP.sys [4/18/2008 10:34 AM 9344]
S1 aiptektp;Pen Pad;c:\windows\System32\drivers\aiptektp.sys [8/29/2008 3:13 PM 22528]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [1/20/2008 6:23 PM 21504]
S2 gupdate1c9adaa9861fac1;Google Update Service (gupdate1c9adaa9861fac1);c:\program files\Google\Update\GoogleUpdate.exe [3/25/2009 4:34 PM 133104]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [8/15/2009 9:22 AM 93320]
S2 regi;regi;c:\windows\System32\drivers\regi.sys [4/17/2007 7:09 PM 11032]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\System32\drivers\btwl2cap.sys [4/18/2008 12:18 PM 28464]
S3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\System32\drivers\R5U870FLx86.sys [4/18/2008 10:33 AM 73472]
S3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\System32\drivers\R5U870FUx86.sys [4/18/2008 10:33 AM 43904]
S3 ti21sony;ti21sony;c:\windows\System32\drivers\ti21sony.sys [4/18/2008 10:34 AM 818688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
Akamai REG_MULTI_SZ Akamai
.
------- Supplementary Scan -------
.
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\windows\System32\config\systemprofile\AppData\Roaming\Mozilla\Firefox\Profiles\h48m1j8c.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\pbgk1_9.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-07 09:25
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

[0] 0x30003800

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x84F58618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x82fa2d24
\Driver\ACPI -> acpi.sys @ 0x80699d68
\Driver\atapi -> ataport.SYS @ 0x807e2a2c
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Akamai]
"ServiceDll"="C:/Program Files/Common Files/Akamai/rswin_3612.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Akamai]
"ServiceDll"="C:/Program Files/Common Files/Akamai/rswin_3612.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(528)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll

- - - - - - - > 'Explorer.exe'(1452)
c:\program files\Protector Suite QL\farchns.dll
c:\program files\Protector Suite QL\infra.dll
.
Completion time: 2009-12-07 09:28
ComboFix-quarantined-files.txt 2009-12-07 17:27

Pre-Run: 109,551,697,920 bytes free
Post-Run: 109,432,053,760 bytes free

- - End Of File - - 73B3822830342F7E8C83CCB7B47FEC4E
  • 0
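The "Files Created" and "Find3M" sections of the ComboFix log above share one line shape: creation timestamp, a dot, modification timestamp, size (or eight dashes for a directory with no size), an eight-character attribute string, and the path. The following is an added Python example, written for this page and not part of the thread or of ComboFix, that parses lines in that shape into records and then applies a deliberately simple review filter. The sample lines are constructed in the form of the entries above, the attribute letters are read as d = directory, s = system, h = hidden, and the filter rules and the 1024-byte threshold are assumptions of this example, a triage aid for a human reviewer rather than a verdict on any file.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the shape of the ComboFix "Files Created" section above,
# including the banner and "." separator lines that the parser must skip.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2009-11-07 to 2009-12-07 )))))))))))))))))))))))))))))))
.
2009-12-07 17:12 . 2009-12-07 17:12 49152 d-----w- C:\32788R22FWJFW
2009-12-04 08:10 . 2009-12-04 00:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-01 03:07 . 2009-12-01 03:07 75 ----a-w- c:\users\carlo\AppData\Roaming\Microsoft\Windows\Recent\pal.exe
2009-12-01 03:07 . 2009-12-01 03:07 3 ----a-w- c:\users\carlo\AppData\Roaming\Microsoft\Windows\Recent\grid.exe
2009-12-01 03:06 . 2009-12-01 03:06 -------- d-sh--w- c:\programdata\WSGSHUD_APDM
2009-12-01 02:44 . 2009-08-19 19:40 655872 ----a-w- c:\users\carlo\AppData\Roaming\EA\EASW\GameFace\msvcr90.dll
.
"""

# created . modified size attrs path   (size is "--------" when ComboFix lists a directory without one)
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>\S.*)$"
)


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None when the log printed "--------"
    attrs: str            # e.g. "----a-w-" or "d-sh--w-"
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs

    @property
    def name(self) -> str:
        # Windows paths; split on the backslash so this works on any host OS.
        return self.path.rsplit("\\", 1)[-1]


def parse_files_section(text: str) -> List[Entry]:
    """Turn the log text into Entry records, ignoring banners, separators and blank lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


EXEC_EXT = (".exe", ".dll", ".sys", ".drv")


def flag_for_review(entries: List[Entry], small_bytes: int = 1024) -> List[Tuple[Entry, List[str]]]:
    """Heuristic review filter (an assumption of this example, not a verdict):
    hidden+system objects, and executable-named files far too small to be real binaries."""
    flagged = []
    for e in entries:
        reasons = []
        if e.hidden and e.system:
            reasons.append("hidden+system attributes set")
        if not e.is_dir and e.size is not None and e.size < small_bytes \
                and e.name.lower().endswith(EXEC_EXT):
            reasons.append(f"executable-named file of only {e.size} bytes")
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    for entry, why in flag_for_review(parse_files_section(SAMPLE_LOG)):
        print(f"{entry.created}  {entry.attrs}  {entry.path}\n    -> {'; '.join(why)}")
```

Run against the sample, the filter surfaces the 75-byte and 3-byte `.exe` names under `Recent` and the hidden+system `WSGSHUD_APDM` directory, while the ordinary driver and DLL entries pass through; the same parser accepts the Find3M lines because they use the identical layout.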

#20
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Update MBAM, run a quick scan and post that log.

Open OTL and paste this under the custom scan box:

/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
explorer.exe
svchost.exe
userinit.exe
qmgr.dll
ws2_32.dll
proquota.exe
imm32.dll
kernel32.dll
ndis.sys
autochk.exe
spoolsv.exe
xmlprov.dll
ntmssvc.dll
mswsock.dll
Beep.SYS
ntfs.sys
termsrv.dll
sfcfiles.dll
st3shark.sys
ahcix86.sys
srsvc.dll
logonui.exe
KR10N.sys
mspmsnsv.dll
comres.dll
msgsvc.dll
nvstor32.sys
/md5stop


Click Run Scan and post that log.
  • 0
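The /md5start ... /md5stop block asks OTL to hash every copy of the named system files so that the digests can be compared against known-good values: a file that has been patched or replaced hashes differently from the clean one, which is why every copy (including ones in backup or side-by-side folders) is reported. Below is an added Python example of that check, written for this page rather than taken from OTL or from the thread. It walks the given roots for the listed names, records size and MD5 of each copy, and classifies each against a caller-supplied baseline. The baseline dictionary and the temporary directory built by `demo()` are constructed inputs, the digest in the baseline is the MD5 of the bytes `abc` rather than of any real driver, and only a subset of the names from the post is listed.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Set, Tuple

# Subset of the file names from the /md5start ... /md5stop block above.
MD5_TARGETS = ["eventlog.dll", "scecli.dll", "atapi.sys", "explorer.exe",
               "svchost.exe", "userinit.exe", "ndis.sys", "ws2_32.dll"]


def md5_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Hex MD5 of a file, read in chunks so large binaries never sit in memory whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_and_hash(roots: Iterable[str], names: Iterable[str]) -> List[Tuple[str, int, str]]:
    """Every copy of a wanted name under the roots (case-insensitive, as on NTFS) as (path, size, md5)."""
    wanted = {n.lower() for n in names}
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for fn in files:
                if fn.lower() in wanted:
                    full = os.path.join(dirpath, fn)
                    try:
                        found.append((full, os.path.getsize(full), md5_of_file(full)))
                    except OSError:
                        continue  # locked or unreadable copy: skip it, keep walking
    found.sort()
    return found


def classify(found: List[Tuple[str, int, str]],
             baseline: Dict[str, Set[str]]) -> List[Tuple[str, int, str, str]]:
    """baseline maps a lowercase file name to the set of MD5s accepted as known-good
    (hypothetical values supplied by the caller, e.g. from a clean machine of the same build)."""
    report = []
    for full, size, digest in found:
        known = baseline.get(os.path.basename(full).lower())
        if known is None:
            verdict = "no baseline"
        elif digest in known:
            verdict = "matches known-good"
        else:
            verdict = "DIFFERS from known-good: review this copy"
        report.append((full, size, digest, verdict))
    return report


def _write(path: str, data: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo() -> List[Tuple[str, int, str, str]]:
    """Constructed tree: two copies of atapi.sys (one matching the baseline, one not)
    and an explorer.exe for which no baseline exists."""
    baseline = {"atapi.sys": {"900150983cd24fb0d6963f7d28e17f72"}}  # MD5 of b"abc": placeholder value
    with tempfile.TemporaryDirectory() as tmp:
        _write(os.path.join(tmp, "drivers", "atapi.sys"), b"abc")
        _write(os.path.join(tmp, "winsxs", "ATAPI.SYS"), b"abcd")
        _write(os.path.join(tmp, "explorer.exe"), b"")
        return classify(find_and_hash([tmp], MD5_TARGETS), baseline)


if __name__ == "__main__":
    for path, size, digest, verdict in demo():
        print(f"{digest}  {size:>10}  {path}  [{verdict}]")
```

On a real system the roots would be the Windows directory (so that `System32\drivers`, `winsxs` and driver-store copies are all seen), and the baseline would come from a clean machine of the same build. A copy that differs from the baseline is only a prompt to look closer, since a legitimate update also changes the hash; that is why the helper asks for the list rather than acting on it blind.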

#21
chupata
    Member
  • Topic Starter
  • 20 posts
MBAM log:

Malwarebytes' Anti-Malware 1.42
Database version: 3310
Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

12/7/2009 10:26:12 AM
mbam-log-2009-12-07 (10-26-12).txt

Scan type: Quick Scan
Objects scanned: 96966
Time elapsed: 5 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



OTL log:

OTL logfile created on: 12/7/2009 10:28:26 AM - Run 2
OTL by OldTimer - Version 3.1.11.7 Folder = C:\Users\carlo\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6002.18005)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 225.10 Gb Total Space | 99.04 Gb Free Space | 44.00% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CATERPILLAR
Current User Name: carlo
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/12/06 10:09:16 | 00,536,576 | ---- | M] (OldTimer Tools) -- C:\Users\carlo\Desktop\OTL.exe
PRC - [2009/11/12 17:06:04 | 00,093,320 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2009/04/10 22:27:36 | 02,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/04/10 09:29:08 | 00,037,888 | ---- | M] () -- C:\Program Files\Winamp\winampa.exe
PRC - [2008/05/29 21:43:38 | 02,580,480 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
PRC - [2008/05/29 21:43:36 | 02,363,392 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
PRC - [2008/03/09 07:12:24 | 00,240,640 | ---- | M] () -- C:\Program Files\AutoHotkey\AutoHotkey.exe
PRC - [2008/03/07 10:48:38 | 00,921,600 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
PRC - [2008/02/21 09:26:20 | 00,182,392 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
PRC - [2008/02/21 09:26:20 | 00,100,472 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Event Service\VESMgrSub.exe
PRC - [2008/02/04 16:09:00 | 00,252,440 | ---- | M] (Intel Corporation) -- C:\Windows\System32\igfxsrvc.exe
PRC - [2008/02/04 16:08:48 | 00,166,424 | ---- | M] (Intel Corporation) -- C:\Windows\System32\igfxext.exe
PRC - [2008/02/04 16:08:48 | 00,137,752 | ---- | M] (Intel Corporation) -- C:\Windows\System32\igfxpers.exe
PRC - [2008/02/04 16:08:30 | 00,154,136 | ---- | M] (Intel Corporation) -- C:\Windows\System32\hkcmd.exe
PRC - [2008/01/20 18:25:32 | 00,198,656 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe
PRC - [2008/01/20 18:24:59 | 00,142,336 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\WUDFHost.exe
PRC - [2007/11/21 11:38:28 | 00,311,296 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\ISB Utility\ISBMgr.exe
PRC - [2007/10/30 10:04:08 | 01,804,840 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
PRC - [2007/10/30 10:04:08 | 00,748,072 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2007/06/05 22:04:42 | 00,021,504 | ---- | M] (UPEK Inc.) -- C:\Program Files\Protector Suite QL\upeksvr.exe
PRC - [2007/06/05 21:46:52 | 00,053,776 | ---- | M] (UPEK Inc.) -- C:\Program Files\Protector Suite QL\psqltray.exe
PRC - [2007/06/05 12:20:32 | 00,177,704 | ---- | M] () -- C:\Windows\System32\PSIService.exe
PRC - [2007/03/20 16:43:50 | 00,315,392 | ---- | M] () -- C:\Windows\System32\ATWTUSB.EXE
PRC - [2007/03/09 17:58:22 | 00,835,584 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe


========== Modules (SafeList) ==========

MOD - [2009/12/06 10:09:16 | 00,536,576 | ---- | M] (OldTimer Tools) -- C:\Users\carlo\Desktop\OTL.exe
MOD - [2009/11/23 10:38:10 | 00,014,544 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\sahook.dll
MOD - [2009/04/10 22:21:38 | 01,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll
MOD - [2007/10/30 10:03:22 | 00,208,896 | ---- | M] (Broadcom Corporation.) -- C:\Windows\System32\BtMmHook.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/11/23 23:20:48 | 02,309,520 | ---- | M] () -- C:/Program Files/Common Files/Akamai/rswin_3612.dll -- (Akamai)
SRV - [2009/11/12 17:06:04 | 00,093,320 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2009/03/25 16:34:08 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c9adaa9861fac1) Google Update Service (gupdate1c9adaa9861fac1)
SRV - [2008/11/20 11:18:52 | 00,136,120 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2008/07/22 08:59:42 | 00,794,624 | ---- | M] () -- C:\Program Files\TVersity\Media Server\MediaServer.exe -- (TVersityMediaServer)
SRV - [2008/02/21 09:26:20 | 00,182,392 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Event Service\VESMgr.exe -- (VAIO Event Service)
SRV - [2008/01/20 18:23:32 | 00,272,952 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/11/28 01:08:02 | 00,077,824 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- (SPTISRV)
SRV - [2007/11/28 01:02:20 | 00,053,248 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe -- (MSCSPTISRV)
SRV - [2007/11/28 00:43:44 | 00,053,248 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe -- (PACSPTISVR)
SRV - [2007/06/05 12:20:32 | 00,177,704 | ---- | M] () -- C:\Windows\System32\PSIService.exe -- (ProtexisLicensing)
SRV - [2007/01/04 18:48:52 | 00,112,152 | R--- | M] (InterVideo) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
SRV - [2006/11/02 04:35:29 | 00,013,312 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehstart.dll -- (ehstart)


========== Driver Services (SafeList) ==========

DRV - [2009/04/10 20:42:54 | 00,073,216 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/06/10 09:54:36 | 00,123,904 | ---- | M] (Realtek Corporation ) -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2008/02/27 16:32:02 | 02,059,416 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/02/12 16:01:28 | 00,073,472 | ---- | M] (Ricoh) -- C:\Windows\System32\drivers\R5U870FLx86.sys -- (R5U870FLx86)
DRV - [2008/02/12 16:01:28 | 00,043,904 | ---- | M] (Ricoh) -- C:\Windows\System32\drivers\R5U870FUx86.sys -- (R5U870FUx86)
DRV - [2008/02/05 16:48:53 | 00,017,448 | ---- | M] (Broadcom Corporation.) -- C:\Windows\System32\drivers\btwrchid.sys -- (btwrchid)
DRV - [2008/02/05 16:48:52 | 00,099,880 | ---- | M] (Broadcom Corporation.) -- C:\Windows\System32\drivers\btwavdt.sys -- (btwavdt)
DRV - [2008/02/05 16:48:52 | 00,081,448 | ---- | M] (Broadcom Corporation.) -- C:\Windows\System32\drivers\btwaudio.sys -- (btwaudio)
DRV - [2008/02/05 16:48:33 | 00,028,464 | ---- | M] (Broadcom Corporation.) -- C:\Windows\System32\drivers\btwl2cap.sys -- (btwl2cap)
DRV - [2008/02/04 16:08:42 | 01,776,128 | ---- | M] (Intel Corporation) -- C:\Windows\System32\drivers\igdkmd32.sys -- (igfx)
DRV - [2008/01/20 18:23:27 | 00,386,616 | ---- | M] (LSI Corporation, Inc.) -- C:\Windows\system32\drivers\megasr.sys -- (MegaSR)
DRV - [2008/01/20 18:23:27 | 00,149,560 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2008/01/20 18:23:27 | 00,031,288 | ---- | M] (LSI Corporation) -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2008/01/20 18:23:26 | 00,101,432 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2008/01/20 18:23:26 | 00,074,808 | ---- | M] (Silicon Integrated Systems) -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2008/01/20 18:23:26 | 00,040,504 | ---- | M] (Hewlett-Packard Company) -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2008/01/20 18:23:25 | 00,300,600 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2008/01/20 18:23:25 | 00,089,656 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2008/01/20 18:23:24 | 01,122,360 | ---- | M] (QLogic Corporation) -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2008/01/20 18:23:24 | 00,118,784 | ---- | M] (Intel Corporation) -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2008/01/20 18:23:24 | 00,079,928 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2008/01/20 18:23:23 | 00,654,336 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\drivers\VSTCNXT3.SYS -- (winachsf)
DRV - [2008/01/20 18:23:23 | 00,235,064 | ---- | M] (Intel Corporation) -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2008/01/20 18:23:23 | 00,130,616 | ---- | M] (VIA Technologies Inc.,Ltd) -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2008/01/20 18:23:23 | 00,115,816 | ---- | M] (Promise Technology, Inc.) -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2008/01/20 18:23:23 | 00,096,312 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2008/01/20 18:23:23 | 00,096,312 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2008/01/20 18:23:23 | 00,079,416 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2008/01/20 18:23:22 | 00,987,648 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\drivers\VSTDPV3.SYS -- (HSF_DPV)
DRV - [2008/01/20 18:23:22 | 00,342,584 | ---- | M] (Emulex) -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2008/01/20 18:23:22 | 00,200,704 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\drivers\VSTAZL3.SYS -- (HSFHWAZL)
DRV - [2008/01/20 18:23:21 | 00,422,968 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2008/01/20 18:23:21 | 00,102,968 | ---- | M] (NVIDIA Corporation) -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2008/01/20 18:23:21 | 00,045,112 | ---- | M] (NVIDIA Corporation) -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2008/01/20 18:23:20 | 00,238,648 | ---- | M] (ULi Electronics Inc.) -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2008/01/20 18:23:00 | 00,020,024 | ---- | M] (VIA Technologies, Inc.) -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2008/01/20 18:23:00 | 00,019,000 | ---- | M] (CMD Technology, Inc.) -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2008/01/20 18:23:00 | 00,017,464 | ---- | M] (Acer Laboratories Inc.) -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2008/01/20 16:56:12 | 00,187,840 | ---- | M] (Stephan Schreiber) -- C:\Windows\System32\drivers\ext2fs.sys -- (Ext2fs)
DRV - [2007/12/29 18:50:42 | 00,058,816 | ---- | M] (Stephan Schreiber) -- C:\Windows\System32\drivers\ifsmount.sys -- (IfsMount)
DRV - [2007/12/20 02:00:00 | 00,044,608 | ---- | M] (Sonic Solutions) -- C:\Windows\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2007/12/16 17:57:23 | 00,009,344 | ---- | M] (Sony Corporation) -- C:\Windows\System32\drivers\SFEP.sys -- (SFEP)
DRV - [2007/12/13 16:40:06 | 00,010,216 | ---- | M] (Sony Corporation) -- C:\Windows\System32\drivers\DMICall.sys -- (DMICall)
DRV - [2007/11/15 16:29:22 | 00,818,688 | ---- | M] (Texas Instruments) -- C:\Windows\System32\drivers\ti21sony.sys -- (ti21sony)
DRV - [2007/10/02 16:04:29 | 00,047,376 | ---- | M] (UPEK Inc.) -- C:\Windows\System32\drivers\tcusb.sys -- (TcUsb)
DRV - [2007/09/26 12:12:22 | 02,251,776 | ---- | M] (Intel Corporation) -- C:\Windows\System32\drivers\NETw4v32.sys -- (NETw4v32) Intel®
DRV - [2007/05/26 00:03:06 | 00,128,104 | R--- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\WimFltr.sys -- (WimFltr)
DRV - [2007/04/17 19:09:28 | 00,011,032 | ---- | M] (InterVideo) -- C:\Windows\System32\drivers\regi.sys -- (regi)
DRV - [2007/03/09 17:58:05 | 00,181,560 | ---- | M] (Synaptics, Inc.) -- C:\Windows\System32\drivers\SynTP.sys -- (SynTP)
DRV - [2006/11/02 01:50:35 | 00,106,088 | ---- | M] (QLogic Corporation) -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 01:50:35 | 00,098,408 | ---- | M] (Promise Technology, Inc.) -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 01:50:19 | 00,045,160 | ---- | M] (IBM Corporation) -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 01:50:17 | 00,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 01:50:11 | 00,071,272 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 01:50:09 | 00,035,944 | ---- | M] (Integrated Technology Express, Inc.) -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 01:50:07 | 00,035,944 | ---- | M] (Integrated Technology Express, Inc.) -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 01:50:05 | 00,035,944 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 01:50:03 | 00,034,920 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 01:49:59 | 00,033,384 | ---- | M] (LSI Logic Corporation) -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 01:49:56 | 00,031,848 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 00:25:24 | 00,071,808 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 00:24:47 | 00,011,904 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 00:24:46 | 00,005,248 | ---- | M] (Brother Industries, Ltd.) -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 00:24:45 | 00,013,568 | ---- | M] (Brother Industries, Ltd.) -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 00:24:44 | 00,062,336 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 00:24:44 | 00,012,160 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/01 23:36:50 | 00,020,608 | ---- | M] (N-trig Innovative Technologies) -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/01 22:37:21 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\Windows\System32\drivers\secdrv.sys -- (secdrv)
DRV - [2006/06/06 08:51:06 | 00,022,528 | ---- | M] (WALTOP International Corp.) -- C:\Windows\System32\drivers\aiptektp.sys -- (aiptektp)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://my.yahoo.com"
FF - prefs.js..extensions.enabledItems: [email protected]:1.9.3
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.0
FF - prefs.js..extensions.enabledItems: {1a0c9ebe-ddf9-4b76-b8a3-675c77874d37}:2.7

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2009/11/25 09:40:15 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/09/20 18:56:03 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/09/20 18:54:53 | 00,000,000 | ---D | M]

[2008/07/24 20:02:38 | 00,000,000 | ---D | M] -- C:\Users\carlo\AppData\Roaming\Mozilla\Extensions
[2009/12/06 10:17:45 | 00,000,000 | ---D | M] -- C:\Users\carlo\AppData\Roaming\Mozilla\Firefox\Profiles\1fgxlujm.default\extensions
[2009/11/27 10:02:14 | 00,000,000 | ---D | M] -- C:\Users\carlo\AppData\Roaming\Mozilla\Firefox\Profiles\1fgxlujm.default\extensions\{1a0c9ebe-ddf9-4b76-b8a3-675c77874d37}
[2009/10/10 09:51:05 | 00,000,000 | ---D | M] -- C:\Users\carlo\AppData\Roaming\Mozilla\Firefox\Profiles\1fgxlujm.default\extensions\[email protected]
[2009/04/10 20:56:00 | 00,000,945 | ---- | M] () -- C:\Users\carlo\AppData\Roaming\Mozilla\Firefox\Profiles\1fgxlujm.default\searchplugins\youtube-video-search.xml
[2009/12/06 10:17:45 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/03/27 17:42:45 | 00,889,856 | ---- | M] (UPEK Inc.) -- C:\Program Files\Mozilla Firefox\components\pbgk1_9.dll

O1 HOSTS File: (27 bytes) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [atwtusb] C:\Windows\System32\ATWTUSB.EXE ()
O4 - HKLM..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe (Sony Corporation)
O4 - HKLM..\Run: [Persistence] C:\Windows\System32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [PSQLLauncher] C:\Program Files\Protector Suite QL\launcher.exe (UPEK Inc.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe ()
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - Startup: C:\Users\carlo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll (Sun Microsystems, Inc.)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_04)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_04)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_04)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (vrlogon.dll) - C:\Windows\System32\vrlogon.dll (UPEK Inc.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\psfus: DllName - C:\Windows\system32\psqlpwd.dll - C:\Windows\System32\psqlpwd.dll (UPEK Inc.)
O20 - Winlogon\Notify\VESWinlogon: DllName - VESWinlogon.dll - C:\Windows\System32\VESWinlogon.dll (Sony Corporation)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 13:43:36 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2009/12/07 09:28:05 | 00,000,000 | ---D | C] -- C:\Windows\temp
[2009/12/07 09:28:05 | 00,000,000 | ---D | C] -- C:\Users\carlo\AppData\Local\temp
[2009/12/07 09:26:59 | 00,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2009/12/07 09:12:06 | 00,000,000 | ---D | C] -- C:\32788R22FWJFW
[2009/12/06 15:40:45 | 00,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2009/12/06 15:40:45 | 00,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2009/12/06 15:40:45 | 00,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2009/12/06 15:40:45 | 00,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2009/12/06 15:39:51 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/12/06 15:12:51 | 00,000,000 | ---D | C] -- C:\Avenger
[2009/12/06 15:11:14 | 00,000,000 | ---D | C] -- C:\Users\carlo\Desktop\avenger
[2009/12/06 13:35:38 | 00,000,000 | ---D | C] -- C:\Users\carlo\Desktop\GooredFix Backups
[2009/12/06 13:34:58 | 00,071,848 | ---- | C] (jpshortstuff) -- C:\Users\carlo\Desktop\GooredFix.exe
[2009/12/06 10:09:14 | 00,536,576 | ---- | C] (OldTimer Tools) -- C:\Users\carlo\Desktop\OTL.exe
[2009/12/05 03:30:28 | 04,844,296 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\carlo\Desktop\mbam-setup.exe
[2009/12/05 03:25:41 | 00,343,040 | ---- | C] (OldTimer Tools) -- C:\Users\carlo\Desktop\TFC.exe
[2009/12/04 00:10:23 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/12/04 00:10:21 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/12/04 00:10:21 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/03 23:14:33 | 00,000,000 | ---D | C] -- C:\MGtools
[2009/12/01 02:07:11 | 00,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2009/12/01 02:07:04 | 00,000,000 | ---D | C] -- C:\Users\carlo\AppData\Roaming\SUPERAntiSpyware.com
[2009/12/01 02:07:04 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/11/30 19:06:51 | 00,000,000 | -HSD | C] -- C:\ProgramData\WSGSHUD_APDM
[2009/11/30 19:01:36 | 00,000,000 | -HSD | C] -- C:\Users\carlo\AppData\Roaming\System
[2009/11/30 19:01:35 | 00,000,000 | ---D | C] -- C:\Users\carlo\AppData\Roaming\Mozilla Firefox
[2009/11/30 18:43:42 | 00,000,000 | ---D | C] -- C:\Users\carlo\AppData\Roaming\EA
[2009/11/30 18:43:28 | 00,000,000 | ---D | C] -- C:\Users\carlo\AppData\Local\Deployment
[2009/11/30 18:43:25 | 00,000,000 | ---D | C] -- C:\Users\carlo\AppData\Local\Apps
[2009/11/27 23:55:31 | 00,000,000 | ---D | C] -- C:\Users\carlo\AppData\Local\Unity
[2009/11/27 15:13:48 | 00,000,000 | ---D | C] -- C:\Users\carlo\Documents\FIFA 10 - Demo
[2009/11/27 15:05:07 | 03,786,760 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_37.dll
[2009/11/27 15:05:07 | 03,727,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_35.dll
[2009/11/27 15:05:06 | 03,497,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_34.dll
[2009/11/27 15:05:05 | 03,495,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_33.dll
[2009/11/27 15:05:05 | 00,081,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xinput1_3.dll
[2009/11/27 15:05:04 | 03,426,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_32.dll
[2009/11/27 15:05:02 | 02,414,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_31.dll
[2009/11/27 15:04:42 | 02,388,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_30.dll
[2009/11/27 15:04:41 | 02,332,368 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_29.dll
[2009/11/27 15:04:40 | 02,323,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_28.dll
[2009/11/27 15:04:39 | 02,319,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_27.dll
[2009/11/27 15:04:38 | 02,297,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_26.dll
[2009/11/27 15:04:36 | 02,337,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_25.dll
[2009/11/27 15:04:34 | 02,222,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_24.dll
[2009/11/25 02:29:11 | 00,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll
[2009/11/23 23:41:32 | 00,000,000 | ---D | C] -- C:\AeriaGames
[2009/11/23 23:20:40 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Akamai
[2009/11/15 23:03:25 | 00,000,000 | ---D | C] -- C:\Program Files\DivX
[2009/11/15 23:03:03 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\DivX Shared
[2009/11/11 09:03:37 | 02,036,736 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2009/11/11 09:03:34 | 00,355,328 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WSDApi.dll

========== Files - Modified Within 30 Days ==========

[2009/12/07 10:28:24 | 03,145,728 | -HS- | M] () -- C:\Users\carlo\NTUSER.DAT
[2009/12/07 10:26:24 | 00,690,960 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2009/12/07 10:26:24 | 00,595,684 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2009/12/07 10:26:24 | 00,101,350 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2009/12/07 10:19:05 | 00,000,202 | ---- | M] () -- C:\Windows\win.ini
[2009/12/07 10:18:58 | 00,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2009/12/07 10:18:49 | 00,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2009/12/07 10:18:48 | 00,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2009/12/07 10:18:44 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/12/07 10:18:23 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/12/07 10:18:13 | 32,111,90272 | -HS- | M] () -- C:\hiberfil.sys
[2009/12/07 09:25:20 | 00,000,215 | ---- | M] () -- C:\Windows\system.ini
[2009/12/07 09:03:14 | 00,524,288 | -HS- | M] () -- C:\Users\carlo\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2009/12/07 09:03:14 | 00,065,536 | -HS- | M] () -- C:\Users\carlo\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2009/12/07 09:01:29 | 03,583,346 | R--- | M] () -- C:\Users\carlo\Desktop\ComboFix.exe
[2009/12/07 08:50:55 | 00,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2009/12/07 08:50:44 | 04,022,734 | -H-- | M] () -- C:\Users\carlo\AppData\Local\IconCache.db
[2009/12/06 17:07:00 | 00,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2009/12/06 15:57:25 | 31,833,5270 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2009/12/06 15:10:52 | 00,724,952 | ---- | M] () -- C:\Users\carlo\Desktop\avenger.zip
[2009/12/06 13:36:22 | 00,284,153 | ---- | M] () -- C:\Users\carlo\Desktop\gmer.zip
[2009/12/06 13:34:58 | 00,071,848 | ---- | M] (jpshortstuff) -- C:\Users\carlo\Desktop\GooredFix.exe
[2009/12/06 10:09:16 | 00,536,576 | ---- | M] (OldTimer Tools) -- C:\Users\carlo\Desktop\OTL.exe
[2009/12/06 09:57:44 | 00,083,616 | ---- | M] () -- C:\Users\carlo\AppData\Local\GDIPFONTCACHEV1.DAT
[2009/12/06 09:56:54 | 00,340,240 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/12/05 03:32:42 | 04,844,296 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\carlo\Desktop\mbam-setup.exe
[2009/12/05 03:25:42 | 00,343,040 | ---- | M] (OldTimer Tools) -- C:\Users\carlo\Desktop\TFC.exe
[2009/12/05 00:30:49 | 00,002,176 | ---- | M] () -- C:\Users\carlo\Documents\pop58.ROXIO
[2009/12/04 23:08:44 | 00,002,078 | ---- | M] () -- C:\Users\Public\Desktop\Google Earth.lnk
[2009/12/04 22:28:11 | 00,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2009/12/03 23:14:35 | 00,014,122 | ---- | M] () -- C:\MGlogs.zip
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/12/03 09:15:58 | 00,100,864 | ---- | M] () -- C:\Users\carlo\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/03 09:15:53 | 96,228,4122 | ---- | M] () -- C:\Users\carlo\Desktop\091202 AKBINGO!.avi
[2009/11/30 21:15:31 | 54,241,790 | ---- | M] () -- C:\Users\carlo\Desktop\[ems]Noel_no_Kimochi_V01.zip
[2009/11/30 20:17:54 | 00,005,256 | ---- | M] () -- C:\Users\carlo\.recently-used.xbel
[2009/11/23 23:42:20 | 00,001,635 | ---- | M] () -- C:\Users\carlo\Desktop\Grand Fantasia.lnk
[2009/11/21 12:17:18 | 00,292,352 | ---- | M] () -- C:\Users\carlo\Desktop\gmer.exe
[2009/11/17 02:17:27 | 00,193,024 | ---- | M] () -- C:\Users\carlo\Documents\proof.mswmm
[2009/11/14 01:47:57 | 00,260,608 | ---- | M] () -- C:\Windows\PEV.exe

========== Files Created - No Company Name ==========

[2009/12/07 10:18:13 | 32,111,90272 | -HS- | C] () -- C:\hiberfil.sys
[2009/12/06 15:40:45 | 00,260,608 | ---- | C] () -- C:\Windows\PEV.exe
[2009/12/06 15:40:45 | 00,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2009/12/06 15:40:45 | 00,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2009/12/06 15:40:45 | 00,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2009/12/06 15:40:45 | 00,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2009/12/06 15:35:45 | 03,583,346 | R--- | C] () -- C:\Users\carlo\Desktop\ComboFix.exe
[2009/12/06 15:10:49 | 00,724,952 | ---- | C] () -- C:\Users\carlo\Desktop\avenger.zip
[2009/12/06 13:36:33 | 00,292,352 | ---- | C] () -- C:\Users\carlo\Desktop\gmer.exe
[2009/12/06 13:36:21 | 00,284,153 | ---- | C] () -- C:\Users\carlo\Desktop\gmer.zip
[2009/12/05 00:28:29 | 00,002,176 | ---- | C] () -- C:\Users\carlo\Documents\pop58.ROXIO
[2009/12/04 23:08:44 | 00,002,078 | ---- | C] () -- C:\Users\Public\Desktop\Google Earth.lnk
[2009/12/03 23:14:35 | 00,014,122 | ---- | C] () -- C:\MGlogs.zip
[2009/12/03 08:58:15 | 96,228,4122 | ---- | C] () -- C:\Users\carlo\Desktop\091202 AKBINGO!.avi
[2009/11/30 21:08:16 | 54,241,790 | ---- | C] () -- C:\Users\carlo\Desktop\[ems]Noel_no_Kimochi_V01.zip
[2009/11/30 20:17:54 | 00,005,256 | ---- | C] () -- C:\Users\carlo\.recently-used.xbel
[2009/11/23 23:42:20 | 00,001,635 | ---- | C] () -- C:\Users\carlo\Desktop\Grand Fantasia.lnk
[2009/11/17 02:10:55 | 00,193,024 | ---- | C] () -- C:\Users\carlo\Documents\proof.mswmm
[2009/10/15 01:01:35 | 00,000,118 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2009/10/13 22:11:06 | 00,085,504 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2009/08/15 09:35:43 | 00,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/08/15 09:10:42 | 00,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2009/06/16 22:17:04 | 00,006,404 | ---- | C] () -- C:\Users\carlo\AppData\Roaming\PrimoPDFSet.xml
[2009/06/16 22:14:34 | 00,176,235 | ---- | C] () -- C:\Windows\System32\Primomonnt.dll
[2009/04/26 20:13:36 | 00,000,314 | ---- | C] () -- C:\Windows\primopdf.ini
[2008/12/31 13:57:40 | 00,000,022 | -H-- | C] () -- C:\Users\carlo\AppData\Local\xftredahs.dat
[2008/08/29 15:13:54 | 00,005,511 | ---- | C] () -- C:\Windows\aiptbl.ini
[2008/08/03 22:15:21 | 00,002,828 | -HS- | C] () -- C:\Windows\System32\KGyGaAvL.sys
[2008/08/03 22:15:21 | 00,000,088 | RHS- | C] () -- C:\Windows\System32\8DDB2614FF.sys
[2008/07/29 20:04:23 | 00,000,680 | ---- | C] () -- C:\Users\carlo\AppData\Local\d3d9caps.dat
[2008/07/24 21:52:48 | 00,100,864 | ---- | C] () -- C:\Users\carlo\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/07/24 20:01:13 | 00,000,394 | ---- | C] () -- C:\Users\carlo\AppData\Roaming\wklnhst.dat
[2008/04/18 12:52:44 | 00,000,000 | ---- | C] () -- C:\Windows\VAIOUpdt.INI
[2008/04/18 11:25:16 | 01,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2008/04/18 10:34:04 | 00,910,464 | ---- | C] () -- C:\Windows\System32\igmedkrn.dll
[2008/04/18 10:34:04 | 00,249,856 | ---- | C] () -- C:\Windows\System32\igfxTMM.dll
[2008/04/18 10:34:04 | 00,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1295.dll
[2007/10/30 09:44:52 | 00,393,216 | ---- | C] () -- C:\Windows\System32\btwhidcs.dll
[2006/11/02 04:35:32 | 00,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/01 23:40:29 | 00,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2001/11/14 12:56:00 | 01,802,240 | ---- | C] () -- C:\Windows\System32\lcppn21.dll

========== Custom Scans ==========



< MD5 for: AGP440.SYS >
[2008/01/20 18:23:01 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\ERDNT\cache\AGP440.sys
[2008/01/20 18:23:01 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\drivers\AGP440.sys
[2008/01/20 18:23:01 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_51b95d75\AGP440.sys
[2008/01/20 18:23:01 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys
[2008/01/20 18:23:01 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys
[2008/01/20 18:23:01 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys
[2006/11/02 01:49:52 | 00,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/04/10 22:32:26 | 00,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\ERDNT\cache\atapi.sys
[2009/04/10 22:32:26 | 00,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\drivers\atapi.sys
[2009/04/10 22:32:26 | 00,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
[2009/04/10 22:32:26 | 00,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[2008/01/20 18:23:00 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008/01/20 18:23:00 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2006/11/02 01:49:36 | 00,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys

< MD5 for: AUTOCHK.EXE >
[2009/04/10 22:27:20 | 00,643,072 | ---- | M] (Microsoft Corporation) MD5=10761177A6EBE45843F443E99509F5E7 -- C:\Windows\System32\autochk.exe
[2009/04/10 22:27:20 | 00,643,072 | ---- | M] (Microsoft Corporation) MD5=10761177A6EBE45843F443E99509F5E7 -- C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.0.6002.18005_none_e3df6655bee2ee3b\autochk.exe
[2008/01/20 18:24:45 | 00,642,560 | ---- | M] (Microsoft Corporation) MD5=2FC5BE79B51714B479809358E4908FC3 -- C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.0.6001.18000_none_e1f3ed49c1c122ef\autochk.exe

< MD5 for: BEEP.SYS >
[2008/01/20 18:23:44 | 00,006,144 | ---- | M] (Microsoft Corporation) MD5=67E506B75BD5326A3EC7B70BD014DFB6 -- C:\Windows\ERDNT\cache\beep.sys
[2008/01/20 18:23:44 | 00,006,144 | ---- | M] (Microsoft Corporation) MD5=67E506B75BD5326A3EC7B70BD014DFB6 -- C:\Windows\System32\drivers\beep.sys
[2008/01/20 18:23:44 | 00,006,144 | ---- | M] (Microsoft Corporation) MD5=67E506B75BD5326A3EC7B70BD014DFB6 -- C:\Windows\winsxs\x86_microsoft-windows-beepsys_31bf3856ad364e35_6.0.6001.18000_none_c420a153079d485b\beep.sys

< MD5 for: CNGAUDIT.DLL >
[2006/11/02 01:46:03 | 00,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\ERDNT\cache\cngaudit.dll
[2006/11/02 01:46:03 | 00,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll
[2006/11/02 01:46:03 | 00,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

< MD5 for: COMRES.DLL >
[2008/01/20 18:24:55 | 01,291,264 | ---- | M] (Microsoft Corporation) MD5=4211249955AF9133E2E357CC92B54DFD -- C:\Windows\System32\comres.dll
[2008/01/20 18:24:55 | 01,291,264 | ---- | M] (Microsoft Corporation) MD5=4211249955AF9133E2E357CC92B54DFD -- C:\Windows\winsxs\x86_microsoft-windows-com-complus.res_31bf3856ad364e35_6.0.6001.18000_none_2cb0dad7e631d923\comres.dll

< MD5 for: EVENTLOG.DLL >
[2007/06/05 22:06:16 | 00,033,280 | ---- | M] (UPEK Inc.) MD5=98E10163017B71CF8B804B6624EA3767 -- C:\Program Files\Protector Suite QL\eventlog.dll

< MD5 for: EXPLORER.EXE >
[2008/10/28 22:20:29 | 02,923,520 | ---- | M] (Microsoft Corporation) MD5=37440D09DEAE0B672A04DCCF7ABF06BE -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
[2008/10/28 22:29:41 | 02,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
[2008/10/29 19:59:17 | 02,927,616 | ---- | M] (Microsoft Corporation) MD5=50BA5850147410CDE89C523AD3BC606E -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
[2009/04/10 22:27:36 | 02,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\ERDNT\cache\explorer.exe
[2009/04/10 22:27:36 | 02,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\explorer.exe
[2009/04/10 22:27:36 | 02,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\explorer.exe
[2009/04/10 22:27:36 | 02,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe
[2008/10/27 18:15:02 | 02,923,520 | ---- | M] (Microsoft Corporation) MD5=E7156B0B74762D9DE0E66BDCDE06E5FB -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe
[2008/01/20 18:24:24 | 02,927,104 | ---- | M] (Microsoft Corporation) MD5=FFA764631CB70A30065C12EF8E174F9F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe

< MD5 for: IASTORV.SYS >
[2008/01/20 18:23:23 | 00,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\drivers\iaStorV.sys
[2008/01/20 18:23:23 | 00,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys
[2008/01/20 18:23:23 | 00,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iaStorV.sys
[2006/11/02 01:51:25 | 00,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys

< MD5 for: IMM32.DLL >
[2009/04/10 22:28:20 | 00,114,688 | ---- | M] (Microsoft Corporation) MD5=C8BDCECEE082B54F0BAC838BF0A34597 -- C:\Windows\ERDNT\cache\imm32.dll
[2008/01/20 18:24:24 | 00,114,688 | ---- | M] (Microsoft Corporation) MD5=EC17194A193CD8E90D27CFB93DFA9A2E -- C:\Windows\winsxs\x86_microsoft-windows-imm32_31bf3856ad364e35_6.0.6001.18000_none_5c561e167a6afd02\imm32.dll
[2009/04/10 22:28:20 | 00,114,688 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\imm32.dll
[2009/04/10 22:28:20 | 00,114,688 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\winsxs\x86_microsoft-windows-imm32_31bf3856ad364e35_6.0.6002.18005_none_5e419722778cc84e\imm32.dll

< MD5 for: KERNEL32.DLL >
[2009/02/13 00:21:09 | 00,890,880 | ---- | M] (Microsoft Corporation) MD5=1987D817D08F5EAF0B7F334026FDDB79 -- C:\Windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.0.6001.22376_none_9401d8206f9c7e67\kernel32.dll
[2009/02/12 23:26:37 | 00,875,520 | ---- | M] (Microsoft Corporation) MD5=B82C7AC1D559F0FD088792171D64C7F3 -- C:\Windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.0.6000.16820_none_91c20a8f593529ed\kernel32.dll
[2009/02/12 23:13:01 | 00,875,520 | ---- | M] (Microsoft Corporation) MD5=BB792054BD990EC05D9E260D50FEAD39 -- C:\Windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.0.6000.21010_none_92564f68724ae108\kernel32.dll
[2009/04/10 22:28:20 | 00,891,392 | ---- | M] (Microsoft Corporation) MD5=BB8509089E7DF514310814E1B2593FFC -- C:\Windows\ERDNT\cache\kernel32.dll
[2009/02/13 00:49:05 | 00,888,832 | ---- | M] (Microsoft Corporation) MD5=DB6E3731E6F5C8AE2843F80B5787F7C6 -- C:\Windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.0.6001.18215_none_93b81a93564f1da0\kernel32.dll
[2008/01/20 18:24:13 | 00,888,320 | ---- | M] (Microsoft Corporation) MD5=DC2338093F91BA4E0512208E60206DDD -- C:\Windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.0.6001.18000_none_93bde541564b88ae\kernel32.dll
[2009/04/10 22:28:20 | 00,891,392 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\kernel32.dll
[2009/04/10 22:28:20 | 00,891,392 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.0.6002.18005_none_95a95e4d536d53fa\kernel32.dll

< MD5 for: LOGONUI.EXE >
[2008/01/20 18:24:22 | 00,009,216 | ---- | M] (Microsoft Corporation) MD5=62D577288B48998FC6667BF22DC5B690 -- C:\Windows\System32\LogonUI.exe
[2008/01/20 18:24:22 | 00,009,216 | ---- | M] (Microsoft Corporation) MD5=62D577288B48998FC6667BF22DC5B690 -- C:\Windows\winsxs\x86_microsoft-windows-authentication-logonui_31bf3856ad364e35_6.0.6001.18000_none_6593128e7338aab2\LogonUI.exe

< MD5 for: MSWSOCK.DLL >
[2009/04/10 22:28:22 | 00,223,232 | ---- | M] (Microsoft Corporation) MD5=8617350C9B590B63E620881092751BCB -- C:\Windows\ERDNT\cache\mswsock.dll
[2009/04/10 22:28:22 | 00,223,232 | ---- | M] (Microsoft Corporation) MD5=8617350C9B590B63E620881092751BCB -- C:\Windows\System32\mswsock.dll
[2009/04/10 22:28:22 | 00,223,232 | ---- | M] (Microsoft Corporation) MD5=8617350C9B590B63E620881092751BCB -- C:\Windows\winsxs\x86_microsoft-windows-w..-infrastructure-bsp_31bf3856ad364e35_6.0.6002.18005_none_ba3ed0122a6d89da\mswsock.dll
[2008/01/20 18:24:02 | 00,223,232 | ---- | M] (Microsoft Corporation) MD5=89FD0595EEA4E505CABEFCF7008F2612 -- C:\Windows\winsxs\x86_microsoft-windows-w..-infrastructure-bsp_31bf3856ad364e35_6.0.6001.18000_none_b85357062d4bbe8e\mswsock.dll

< MD5 for: NDIS.SYS >
[2009/04/10 22:32:49 | 00,527,848 | ---- | M] (Microsoft Corporation) MD5=1357274D1883F68300AEADD15D7BBB42 -- C:\Windows\ERDNT\cache\ndis.sys
[2009/04/10 22:32:49 | 00,527,848 | ---- | M] (Microsoft Corporation) MD5=1357274D1883F68300AEADD15D7BBB42 -- C:\Windows\System32\drivers\ndis.sys
[2009/04/10 22:32:49 | 00,527,848 | ---- | M] (Microsoft Corporation) MD5=1357274D1883F68300AEADD15D7BBB42 -- C:\Windows\winsxs\x86_microsoft-windows-ndis_31bf3856ad364e35_6.0.6002.18005_none_a9b2a4d31930d864\ndis.sys
[2008/01/20 18:23:50 | 00,529,464 | ---- | M] (Microsoft Corporation) MD5=9BDC71790FA08F0A0B5F10462B1BD0B1 -- C:\Windows\winsxs\x86_microsoft-windows-ndis_31bf3856ad364e35_6.0.6001.18000_none_a7c72bc71c0f0d18\ndis.sys

< MD5 for: NETLOGON.DLL >
[2009/04/10 22:28:23 | 00,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\ERDNT\cache\netlogon.dll
[2009/04/10 22:28:23 | 00,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\System32\netlogon.dll
[2009/04/10 22:28:23 | 00,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll
[2008/01/20 18:24:05 | 00,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll

< MD5 for: NTFS.SYS >
[2009/04/10 22:32:49 | 01,083,880 | ---- | M] (Microsoft Corporation) MD5=6A4A98CEE84CF9E99564510DDA4BAA47 -- C:\Windows\ERDNT\cache\ntfs.sys
[2009/04/10 22:32:49 | 01,083,880 | ---- | M] (Microsoft Corporation) MD5=6A4A98CEE84CF9E99564510DDA4BAA47 -- C:\Windows\System32\drivers\ntfs.sys
[2009/04/10 22:32:49 | 01,083,880 | ---- | M] (Microsoft Corporation) MD5=6A4A98CEE84CF9E99564510DDA4BAA47 -- C:\Windows\winsxs\x86_microsoft-windows-ntfs_31bf3856ad364e35_6.0.6002.18005_none_a85ca2c91a0d64df\ntfs.sys
[2008/01/20 18:23:51 | 01,081,912 | ---- | M] (Microsoft Corporation) MD5=B4EFFE29EB4F15538FD8A9681108492D -- C:\Windows\winsxs\x86_microsoft-windows-ntfs_31bf3856ad364e35_6.0.6001.18000_none_a67129bd1ceb9993\ntfs.sys

< MD5 for: NTMSSVC.DLL >
[2008/01/20 18:25:28 | 00,460,288 | ---- | M] (Microsoft Corporation) MD5=A7DFF9642D510BE1EEC6664CD0369953 -- C:\Windows\winsxs\x86_microsoft-windows-r..emanagement-service_31bf3856ad364e35_6.0.6001.18000_none_0e3e31f00e12b007\ntmssvc.dll

< MD5 for: NVSTOR.SYS >
[2006/11/02 01:50:13 | 00,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
[2008/01/20 18:23:21 | 00,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\drivers\nvstor.sys
[2008/01/20 18:23:21 | 00,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys
[2008/01/20 18:23:21 | 00,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys

< MD5 for: PROQUOTA.EXE >
[2006/11/02 01:45:33 | 00,027,648 | ---- | M] (Microsoft Corporation) MD5=C31AE90F24870B9A51655C36A9EB4BF3 -- C:\Windows\System32\proquota.exe
[2006/11/02 01:45:33 | 00,027,648 | ---- | M] (Microsoft Corporation) MD5=C31AE90F24870B9A51655C36A9EB4BF3 -- C:\Windows\winsxs\x86_microsoft-windows-proquota_31bf3856ad364e35_6.0.6000.16386_none_259035db957a1715\proquota.exe

< MD5 for: QMGR.DLL >
[2008/01/20 18:25:00 | 00,758,272 | ---- | M] (Microsoft Corporation) MD5=02ED7B4DBC2A3232A389106DA7515C3D -- C:\Windows\winsxs\x86_microsoft-windows-bits-client_31bf3856ad364e35_6.0.6001.18000_none_2390c4ecf9720b8c\qmgr.dll
[2009/04/10 22:28:23 | 00,758,784 | ---- | M] (Microsoft Corporation) MD5=93952506C6D67330367F7E7934B6A02F -- C:\Windows\ERDNT\cache\qmgr.dll
[2009/04/10 22:28:23 | 00,758,784 | ---- | M] (Microsoft Corporation) MD5=93952506C6D67330367F7E7934B6A02F -- C:\Windows\System32\qmgr.dll
[2009/04/10 22:28:23 | 00,758,784 | ---- | M] (Microsoft Corporation) MD5=93952506C6D67330367F7E7934B6A02F -- C:\Windows\winsxs\x86_microsoft-windows-bits-client_31bf3856ad364e35_6.0.6002.18005_none_257c3df8f693d6d8\qmgr.dll

< MD5 for: SCECLI.DLL >
[2008/01/20 18:24:50 | 00,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll
[2009/04/10 22:28:24 | 00,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\ERDNT\cache\scecli.dll
[2009/04/10 22:28:24 | 00,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\System32\scecli.dll
[2009/04/10 22:28:24 | 00,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll

< MD5 for: SPOOLSV.EXE >
[2009/04/10 22:28:05 | 00,127,488 | ---- | M] (Microsoft Corporation) MD5=524BFBEA40E6E404737CCBC754647A2E -- C:\Windows\ERDNT\cache\spoolsv.exe
[2009/04/10 22:28:05 | 00,127,488 | ---- | M] (Microsoft Corporation) MD5=524BFBEA40E6E404737CCBC754647A2E -- C:\Windows\System32\spoolsv.exe
[2009/04/10 22:28:05 | 00,127,488 | ---- | M] (Microsoft Corporation) MD5=524BFBEA40E6E404737CCBC754647A2E -- C:\Windows\winsxs\x86_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.0.6002.18005_none_d8371c2dbeaa9062\spoolsv.exe
[2008/01/20 18:24:45 | 00,125,952 | ---- | M] (Microsoft Corporation) MD5=846CDF9A3CF4DA9B306ADFB7D55EE4C2 -- C:\Windows\winsxs\x86_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.0.6001.18000_none_d64ba321c188c516\spoolsv.exe

< MD5 for: SVCHOST.EXE >
[2008/01/20 18:23:43 | 00,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\ERDNT\cache\svchost.exe
[2008/01/20 18:23:43 | 00,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\System32\svchost.exe
[2008/01/20 18:23:43 | 00,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.0.6001.18000_none_b5bb59a1054dbde5\svchost.exe

< MD5 for: TERMSRV.DLL >
[2009/04/10 22:28:24 | 00,449,024 | ---- | M] (Microsoft Corporation) MD5=BB95DA09BEF6E7A131BFF3BA5032090D -- C:\Windows\ERDNT\cache\termsrv.dll
[2009/04/10 22:28:24 | 00,449,024 | ---- | M] (Microsoft Corporation) MD5=BB95DA09BEF6E7A131BFF3BA5032090D -- C:\Windows\System32\termsrv.dll
[2009/04/10 22:28:24 | 00,449,024 | ---- | M] (Microsoft Corporation) MD5=BB95DA09BEF6E7A131BFF3BA5032090D -- C:\Windows\winsxs\x86_microsoft-windows-t..teconnectionmanager_31bf3856ad364e35_6.0.6002.18005_none_908abad45165e2ae\termsrv.dll
[2008/01/20 18:24:12 | 00,448,512 | ---- | M] (Microsoft Corporation) MD5=D605031E225AACCBCEB5B76A4F1603A6 -- C:\Windows\winsxs\x86_microsoft-windows-t..teconnectionmanager_31bf3856ad364e35_6.0.6001.18000_none_8e9f41c854441762\termsrv.dll

< MD5 for: USERINIT.EXE >
[2008/01/20 18:24:49 | 00,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\ERDNT\cache\userinit.exe
[2008/01/20 18:24:49 | 00,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\System32\userinit.exe
[2008/01/20 18:24:49 | 00,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe

< MD5 for: WS2_32.DLL >
[2008/01/20 18:24:48 | 00,179,200 | ---- | M] (Microsoft Corporation) MD5=B304D47D5744BA20FCB99FB8B2C07B0B -- C:\Windows\ERDNT\cache\ws2_32.dll
[2008/01/20 18:24:48 | 00,179,200 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\ws2_32.dll
[2008/01/20 18:24:48 | 00,179,200 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\winsxs\x86_microsoft-windows-w..nfrastructure-ws232_31bf3856ad364e35_6.0.6001.18000_none_f2b7b0c2ce5605c4\ws2_32.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 64 bytes -> C:\Users\carlo\Desktop\AKB48 - River (1280x720).avi:TOC.WMV
@Alternate Data Stream - 134 bytes -> C:\ProgramData\TEMP:8CE646EE
< End of report >


(btw, another popup appeared right as I was opening the browser to post this.)

#22 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
hi

Please download OTM
  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Processes
    
    :Services
    
    :Reg
    
    :Files
    C:\Windows\System32\imm32.dll|C:\Windows\ERDNT\cache\imm32.dll /replace
    C:\Windows\System32\kernel32.dll|C:\Windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.0.6001.18000_none_93bde541564b88ae\kernel32.dll /replace
    C:\Windows\System32\ws2_32.dll|C:\Windows\ERDNT\cache\ws2_32.dll /replace
    
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done



Also, tell me how it's running.
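The OTM ":Files" fix above was assembled by hand from the OTL MD5 listing in the previous post: a System32 copy whose hash OTL could not read gets swapped for a reference copy with a readable hash. As an added example (not part of the thread, OTL or OTM), this Python script automates that triage over a constructed subset of the posted log; the selection rule (prefer a reference copy with identical size and modification time, ERDNT\cache before WinSxS) and the SAMPLE.DLL section with fake hashes and a fake vendor are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "< MD5 for: ... >" sections from the OTL log posted in this
# thread, plus a made-up SAMPLE.DLL section (fake hashes, fake vendor) to exercise the mismatch case.
OTL_LOG = r"""
< MD5 for: IMM32.DLL >
[2009/04/10 22:28:20 | 00,114,688 | ---- | M] (Microsoft Corporation) MD5=C8BDCECEE082B54F0BAC838BF0A34597 -- C:\Windows\ERDNT\cache\imm32.dll
[2008/01/20 18:24:24 | 00,114,688 | ---- | M] (Microsoft Corporation) MD5=EC17194A193CD8E90D27CFB93DFA9A2E -- C:\Windows\winsxs\x86_microsoft-windows-imm32_31bf3856ad364e35_6.0.6001.18000_none_5c561e167a6afd02\imm32.dll
[2009/04/10 22:28:20 | 00,114,688 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\imm32.dll
< MD5 for: WS2_32.DLL >
[2008/01/20 18:24:48 | 00,179,200 | ---- | M] (Microsoft Corporation) MD5=B304D47D5744BA20FCB99FB8B2C07B0B -- C:\Windows\ERDNT\cache\ws2_32.dll
[2008/01/20 18:24:48 | 00,179,200 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\ws2_32.dll
[2008/01/20 18:24:48 | 00,179,200 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\winsxs\x86_microsoft-windows-w..nfrastructure-ws232_31bf3856ad364e35_6.0.6001.18000_none_f2b7b0c2ce5605c4\ws2_32.dll
< MD5 for: NDIS.SYS >
[2009/04/10 22:32:49 | 00,527,848 | ---- | M] (Microsoft Corporation) MD5=1357274D1883F68300AEADD15D7BBB42 -- C:\Windows\ERDNT\cache\ndis.sys
[2009/04/10 22:32:49 | 00,527,848 | ---- | M] (Microsoft Corporation) MD5=1357274D1883F68300AEADD15D7BBB42 -- C:\Windows\System32\drivers\ndis.sys
< MD5 for: SAMPLE.DLL >
[2009/04/10 22:28:20 | 00,010,240 | ---- | M] (Example Vendor) MD5=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -- C:\Windows\System32\sample.dll
[2009/04/10 22:28:20 | 00,010,240 | ---- | M] (Example Vendor) MD5=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB -- C:\Windows\ERDNT\cache\sample.dll
"""

SECTION_RE = re.compile(r"^< MD5 for: (\S+) >$")
ENTRY_RE = re.compile(
    r"^\[(?P<mtime>[^|]+?)\s*\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*\([^)]*\)\s*"
    r"(?:MD5=(?P<md5>[0-9A-Fa-f]{32})|Unable to obtain MD5)\s*--\s*(?P<path>.+?)\s*$"
)

def parse_md5_sections(text):
    """Return {FILENAME: [entry, ...]}; an entry's md5 is None where OTL could not read the file."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            current = m.group(1).upper()
        elif current and (m := ENTRY_RE.match(line)):
            sections[current].append({"mtime": m["mtime"].strip(), "path": m["path"],
                                      "size": int(m["size"].replace(",", "")),
                                      "md5": m["md5"].upper() if m["md5"] else None})
    return sections

def is_live_copy(path):
    """The copy Windows actually loads: under System32, but not the DriverStore repository."""
    p = path.lower()
    return p.startswith("c:\\windows\\system32\\") and "\\driverstore\\" not in p

def triage(sections):
    """Flag live copies whose hash is unreadable or disagrees with every same-build reference copy."""
    findings = {}
    for name, entries in sections.items():
        refs = [r for r in entries if not is_live_copy(r["path"]) and r["md5"]]
        for e in filter(lambda x: is_live_copy(x["path"]), entries):
            # Same build = identical size and modification time; ERDNT\cache (the helper's source) first.
            same_build = sorted((r for r in refs if (r["size"], r["mtime"]) == (e["size"], e["mtime"])),
                                key=lambda r: "\\erdnt\\cache\\" not in r["path"].lower())
            if e["md5"] is None:
                reason = "hash unreadable (file locked or hooked)"
            elif same_build and all(r["md5"] != e["md5"] for r in same_build):
                reason = "hash differs from same-build reference copies"
            else:
                continue  # readable and consistent with a reference copy: nothing to flag
            findings[name] = {"live": e["path"], "reason": reason,
                              "replace_from": same_build[0]["path"] if same_build else None}
    return findings

def otm_files_block(findings):
    """Render an OTM ':Files' block in the 'target|source /replace' form used in the thread."""
    return "\n".join([":Files"] + [f"{f['live']}|{f['replace_from']} /replace"
                                   for f in findings.values() if f["replace_from"]])

if __name__ == "__main__":
    result = triage(parse_md5_sections(OTL_LOG))
    print(otm_files_block(result))
```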

#23 chupata (Member, Topic Starter, 20 posts)
After running those fixes, my browser was running OK at first, but I did one more reboot to re-activate my Windows Security settings and the Google redirects started happening again. I think I may have reinfected it ...

OTM Log:

All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
Unable to replace file: C:\Windows\System32\imm32.dll with C:\Windows\ERDNT\cache\imm32.dll without a reboot.
Unable to replace file: C:\Windows\System32\kernel32.dll with C:\Windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.0.6001.18000_none_93bde541564b88ae\kernel32.dll without a reboot.
Unable to replace file: C:\Windows\System32\ws2_32.dll with C:\Windows\ERDNT\cache\ws2_32.dll without a reboot.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes

User: All Users

User: carlo
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 3476495 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 41148488 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 32902 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 42.62 mb


OTM by OldTimer - Version 3.1.2.2 log created on 12072009_211125

Files moved on Reboot...

Registry entries deleted on Reboot...


OTL Log:


All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes

User: All Users

User: carlo
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 3457586 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 3.33 mb


OTL by OldTimer - Version 3.1.11.7 log created on 12072009_211528

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

#24 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
hi

  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.


Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is Unchecked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.



Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

#25 chupata (Member, Topic Starter, 20 posts)
I woke my machine from hibernation this morning and it gave me a Blue Screen of Death. Windows automatically restarted but it went to another BSOD again. I let it go through "Startup Repair" mode about 5 times before it said, "Startup Repair cannot repair this computer automatically."

Basically, I can't get into Windows in normal mode or safe mode now because it BSODs on startup.

I was able to get into Recovery Console though and I was able to access programs from the command prompt. Here is the GMER log when I ran it in Recovery Console (I copied it to USB drive and am posting from my spare laptop):

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-08 10:42:35
Windows 6.0.6000
Running: gmer.exe; Driver: X:\windows\TEMP\pgloypob.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 897B5AC4
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 897B50E8
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 897B53D8
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 897A3C64
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 897A3F08
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 897B51C0
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 897B5934
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 897B56D4
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 897B5EDC
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 897B6148

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000002 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \FileSystem\cdfs \Cdfs 9040B067

---- Services - GMER 1.0.15 ----

Service X:\windows\System32\svchost.exe (*** hidden *** ) [AUTO] lmhosts <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB@CurrentConfig 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management@PhysicalAddressExtension 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dhcp@DependOnService nsi?tcpip?NetBT?
Reg HKLM\SYSTEM\CurrentControlSet\Services\lmhosts@ImagePath %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted
Reg HKLM\SYSTEM\Setup@SetupType 1

---- EOF - GMER 1.0.15 ----


I also tried running ComboFix from Recovery Console command prompt but when it gets to the blue screen it says "You need Administrative privileges to run this tool" and stops.

Now I can't get into Windows at all. I can only run Recovery Console.

Edited by chupata, 08 December 2009 - 01:00 PM.



#26 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Going to need to send you over to the Windows Vista forum to fix that.

#27 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.