Foldername.exe / virus that disable anti virus
kair
New Member
Posted 11-1-2009 3:08 (GMT +1)
Hi,

I'm kair. I'm running Windows XP and I need help.

My PC is infected with the foldername.exe virus, which copies folder names, and some virus that I don't know, which disables my antivirus, the Task Manager (Ctrl+Alt+Del) and the hidden folder names; online games crash, LAN games crash, etc.

I tried to use CCleaner but it automatically closes. I used Malwarebytes but some error occurs, and it can't detect the main source of the problem.

I need help. My friend used different kinds of ways to get rid of this virus, but when he does something unusual my PC crashes / automatically restarts, and I can't put my PC into safe mode: when I try to put my PC into safe mode it will automatically restart.

Now I don't have any antivirus. My last antivirus was Kaspersky.

Please, I need help.

Touch
Forum Moderator
Posted 11-1-2009 5:59 (GMT +1)
Hello kair and welcome to BG.
 
 
Download RSIT (random's system information tool) from http://images.malwareremoval.com/random/RSIT.exe
to your desktop, then click on the RSIT.exe to start the scan.

If necessary allow it to locate or download a copy of HijackThis as needed.

Once the scan completes a textbox will open - copy/paste those contents here for review please. The log can also be found at C:\rsit\log.txt.

RSIT will also create a second log, info.txt, which will be minimized to your taskbar. Post that here as well please (it will also be stored at C:\rsit\info.txt).

You can break logs into parts and use separate posts here when replying and posting the log files, if needed.

--------------
Click http://www.gmer.net/download.php and download the installer for Gmer to your desktop, then click that file to run Gmer.


If on its opening scan Gmer locates items shown in red or indicates "hidden" or "rootkit", stop there, click on the Copy button, right-click on your Desktop and choose "New" > Text document. Once the file is created, open it, right-click again and choose Paste. Copy the information and post it here please. We don't want any crashes just from taking an initial look at things.

If not, then click on Scan (before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan).

When completed, click on the Copy button, right-click on your Desktop and choose "New" > Text document. Once the file is created, open it, right-click again and choose Paste. Copy the information and post it here please.
 
You can break logs into parts and use separate posts here when replying and posting the log files, if needed.


Do NOT post your problem in someone else's thread.
A non-profit, volunteer network.


kair
New Member
Posted 11-1-2009 7:01 (GMT +1)
First one (the RSIT log):

Logfile of random's system information tool 1.06 (written by random/random)
Run by Owner at 2009-11-01 13:45:32
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 1 GB (2%) free of 76 GB
Total RAM: 1023 MB (33% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:45:57 PM, on 11/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Owner\Desktop\utorrent.exe
C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\BullGuard Ltd\BullGuard\BGScan.exe
C:\Program Files\IDA\ida.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\RSIT.exe
C:\Program Files\trend micro\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.garena.com/portal/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: IE 4.x-6.x BHO for Internet Download Accelerator - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6} - C:\PROGRA~1\IDA\idaiehlp.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: IDA Bar - {C70E30C7-140A-4166-A2E8-43557E62B41A} - C:\Program Files\IDA\idabar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RRT-Auto] C:\Documents and Settings\Owner\Desktop\RRT50010.exe auto
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" -boot
O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorun
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SCVVHSOT.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Documents and Settings\Owner\Desktop\utorrent.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download ALL with IDA - C:\Program Files\IDA\idaieall.htm
O8 - Extra context menu item: Download with IDA - C:\Program Files\IDA\idaie.htm
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\IDA\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\IDA\ida.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Be!!!eled 2\Images\stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Be!!!eled 2\Images\armhelper.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{D9C8F4B4-0A7C-4A6E-AEEB-BF0A059F41E8}: NameServer = 192.168.1.1
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BGRaSvc - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\support\bgrasvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 8498 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1085031214-1757981266-725345543-1003Core.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1085031214-1757981266-725345543-1003UA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll [2009-03-14 908528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A646672-9C3A-4C28-9A7A-1FB0F63F28B6}]
IE 4.x-6.x BHO for Internet Download Accelerator - C:\PROGRA~1\IDA\idaiehlp.dll [2009-02-13 158720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ADECBED6-0366-4377-A739-E69DFBA04663}]
Catcher Class - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll [2007-12-05 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-08-21 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-08-21 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
SingleInstance Class - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll [2009-03-14 165616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{C70E30C7-140A-4166-A2E8-43557E62B41A} - IDA Bar - C:\Program Files\IDA\idabar.dll [2007-10-17 180224]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll [2009-03-14 908528]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AVP"=C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe [2009-08-10 278248]
"BigDog303"=C:\WINDOWS\VM303_STI.EXE [2009-11-01 61440]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2009-11-01 180224]
"RRT-Auto"=C:\Documents and Settings\Owner\Desktop\RRT50010.exe [2009-11-01 1722880]
"BullGuard"=C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe [2009-07-24 304464]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Internet Download Accelerator"=C:\Program Files\IDA\ida.exe [2009-02-13 2415104]
"Yahoo Messengger"=C:\WINDOWS\system32\SCVVHSOT.exe []
"uTorrent"=C:\Documents and Settings\Owner\Desktop\utorrent.exe [2009-07-27 288048]
"Google Update"=C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-01 127488]
"BullGuard"=C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe [2009-07-24 304464]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\34808407]
C:\WINDOWS\system32\nvxbmvrh.dll,b []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 116592]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe [2008-10-08 4608]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe [2009-08-10 278248]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDog303]
C:\WINDOWS\VM303_STI.EXE [2009-11-01 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM37b3b79b]
C:\WINDOWS\system32\seyqnjej.dll,s []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Caffe-Client]
C:\Program Files\Caffe\Client.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Caffe-ICUpdater]
C:\Program Files\Caffe\ICUpdater.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FG_Monitor]
C:\Program Files\Folder Guard Pro\FGKey.exe [2009-11-01 126976]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InternetCaffeUpdater]
ICUpdater.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kamsoft]
C:\WINDOWS\system32\ckvo.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -quiet []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2009-11-01 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\protect_autorun]
\\Server\wa\Installer\AutoRunKiller172\CPE17AntiAutorun1330.exe /start []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2009-01-06 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBAMTray]
C:\Program Files\Sunbelt Software\CounterSpy\SBAMTray.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe [2009-02-23 111856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmartDefrag]
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2008-04-18 1870592]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-17 1833296]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre6\bin\jusched.exe [2009-08-21 231200]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2009-11-01 180224]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tozaycfq.exe]
C:\WINDOWS\tozaycfq.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TransBar]
C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe [2005-06-02 65536]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tweak UI]
TWEAKUI.CPL,TweakMeUp []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UberIcon]
C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe [2006-05-21 180224]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
C:\Documents and Settings\Owner\Desktop\utorrent.exe [2009-07-27 288048]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo Messengger]
C:\WINDOWS\system32\SCVVHSOT.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe [2009-02-23 111856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Internet Download Accelerator.lnk]
C:\PROGRA~1\IDA\ida.exe [2009-02-13 2415104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VersionTrackerPro.lnk]
C:\WINDOWS\Installer\{C1EDC38F-2760-4A4E-9CED-95B53024134C}\New_Shortcut_S1699_A8EB5A2133B04A97AEEFDFB17E2E701D.exe /hide []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Shortcut to 29.lnk]
C:\DOCUME~1\Owner\MYDOCU~1\MYMUSI~1\ILMARE~1\ost\29.mp3 []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Shortcut to f3.lnk]
C:\DOCUME~1\Owner\MYDOCU~1\f3.gif []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Shortcut to ismak32.lnk]
C:\WINDOWS\system32\ismak32.exe [2001-11-17 208896]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^UberIcon.lnk]
C:\WINDOWS\BRICOP~1\VISTAI~1\UberIcon\UBERIC~1.EXE [2006-05-21 180224]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^uTorrent Turbo Booster.lnk]
C:\PROGRA~1\UTORRE~1\UTORRE~1.EXE [2008-09-19 371712]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Y'z Shadow.lnk]
C:\WINDOWS\BRICOP~1\VISTAI~1\YzShadow\YzShadow.exe [2006-05-21 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"YahooAUService"=2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2005-12-12 47104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
C:\WINDOWS\system32\klogon.dll [2008-07-30 218376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{21D48921-6AC2-4907-99C3-B98F17E17993}"= []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BgMainSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\BgLiveSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\BgMainSvc]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=1
"DisableTaskMgr"=1
"NoDispCPL"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableTaskMgr"=0
"NoDispCPL"=0
"EnableLUA"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=1
"NoFolderOptions"=1
"NoTrayContextMenu"=0
"NoFind"=0
"NoRun"=0
"EditLevel"=0
"NoClose"=0
"NoCommonGroups"=0
"NoSetFolders"=0
"NoLogoff"=0
"StartMenuLogOff"=0
"NoWindowsUpdate"=0
"NoDrives"=0
"NoViewOnDrive"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoRun"=
"NoResolveSearch"=
"NoDriveTypeAutoRun"=
"HonorAutoRunSetting"=
"NoClose"=
"NoSetFolders"=
"NoTrayContextMenu"=
"NoLogoff"=
"StartMenuLogOff"=
"NoWindowsUpdate"=
"NoDrives"=
"NoViewOnDrive"=
"NoFind"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\All Users\Documents\SIERRA\Half-Life\hl.exe"="C:\Documents and Settings\All Users\Documents\SIERRA\Half-Life\hl.exe:*:Disabled:Half-Life Launcher"
"C:\Program Files\Garena\Garena.exe"="C:\Program Files\Garena\Garena.exe:*:Enabled:Garena"
"C:\Program Files\Yahoo!\Messenger\YPager.exe"="C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Documents and Settings\Owner\Desktop\utorrent.exe"="C:\Documents and Settings\Owner\Desktop\utorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Caffe\Client.exe"="C:\Program Files\Caffe\Client.exe:*:Enabled:Internet Caffe Client"
"C:\Program Files\Caffe\ICUpdater.exe"="C:\Program Files\Caffe\ICUpdater.exe:*:Enabled:ICUpdater"
"C:\Program Files\Gameforge4D\AirRivals\Launcher.atm"="C:\Program Files\Gameforge4D\AirRivals\Launcher.atm:Enabled:GameExe2"
"C:\Program Files\Gameforge4D\AirRivals\Res-Voip\SCVoIP.exe"="C:\Program Files\Gameforge4D\AirRivals\Res-Voip\SCVoIP.exe:Enabled:GameVoIP"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Netimo\Netimo Manager\netimo.exe"="C:\Program Files\Netimo\Netimo Manager\netimo.exe:*:Enabled:netimo"
"C:\Program Files\Netimo\Netimo Manager\Ftpsvr.exe"="C:\Program Files\Netimo\Netimo Manager\Ftpsvr.exe:*:Enabled:Ftpsvr"
"C:\WINDOWS\system32\ismak32.exe"="C:\WINDOWS\system32\ismak32.exe:*:Enabled:ismak32"
"C:\Program Files\EA Games\Command & Conquer Generals Zero Hour\game.dat"="C:\Program Files\EA Games\Command & Conquer Generals Zero Hour\game.dat:*:Enabled:game"
"C:\Program Files\Dragonfly\Special Force\specialforce.exe"="C:\Program Files\Dragonfly\Special Force\specialforce.exe:*:Enabled:specialforce"
"C:\Program Files\Super Internet TV\OnlineTV.exe"="C:\Program Files\Super Internet TV\OnlineTV.exe:*:Enabled:Super Internet TV"
"C:\Counter-Strike Source\hl2.exe"="C:\Counter-Strike Source\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Kaiba Corp VDS\KCVDS.exe"="C:\Program Files\Kaiba Corp VDS\KCVDS.exe:*:Enabled:KCVDS"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\WINDOWS\system32\PnkBstrA.exe"="C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\WINDOWS\system32\PnkBstrB.exe"="C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\Program Files\HighStreet 5\5street\film.exe"="C:\Program Files\HighStreet 5\5street\film.exe:*:Enabled:film.exe"
"C:\Program Files\NCsoft\Exteel\System\Exteel.exe"="C:\Program Files\NCsoft\Exteel\System\Exteel.exe:*:Enabled:Exteel"
"C:\Program Files\Left 4 Dead\left4dead.exe"="C:\Program Files\Left 4 Dead\left4dead.exe:*:Enabled:left4dead"
"C:\Program Files\Xfire\xfire.exe"="C:\Program Files\Xfire\xfire.exe:*:Enabled:Xfire"
"C:\Program Files\Steam\steamapps\common\left 4 dead\left4dead.exe"="C:\Program Files\Steam\steamapps\common\left 4 dead\left4dead.exe:*:Enabled:left4dead"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:ipsec"
"C:\Documents and Settings\Owner\My Documents\Granary\Granary.exe"="C:\Documents and Settings\Owner\My Documents\Granary\Granary.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\winstukeb.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\winstukeb.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\wineiexge.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\wineiexge.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\vxyig.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\vxyig.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\lejmxv.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\lejmxv.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\winxcipit.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\winxcipit.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\winypgmac.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\winypgmac.exe:*:Enabled:ipsec"
"C:\Program Files\Real\RealPlayer\RealPlay.exe"="C:\Program Files\Real\RealPlayer\RealPlay.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\riplvi.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\riplvi.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\winoqrx.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\winoqrx.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\winwexjh.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\winwexjh.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\cnpbul.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\cnpbul.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\tsisux.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\tsisux.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\windoxeyf.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\windoxeyf.exe:*:Enabled:ipsec"
"c:\warcraft iii\war3.exe"="c:\warcraft iii\war3.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\winarxtsx.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\winarxtsx.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\uwlrv.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\uwlrv.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\anubd.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\anubd.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\mmhfai.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\mmhfai.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\winiwuw.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\winiwuw.exe:*:Enabled:ipsec"
"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\winxdvbm.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\winxdvbm.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\qxjhb.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\qxjhb.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\kowuy.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\kowuy.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\tfaqk.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\tfaqk.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\winwnsgy.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\winwnsgy.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\winanvhr.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\winanvhr.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\anenot.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\anenot.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\kbjs.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\kbjs.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\winqqmm.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\winqqmm.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\best.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\best.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\vanl.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\vanl.exe:*:Enabled:ipsec"
"C:\WINDOWS\system32\wscntfy.exe"="C:\WINDOWS\system32\wscntfy.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\winrameoi.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\winrameoi.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\wincghi.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\wincghi.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\tqlm.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\tqlm.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\winnfmsg.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\winnfmsg.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\winatud.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\winatud.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\ahrvv.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\ahrvv.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\winiiyp.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\winiiyp.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\owsvrh.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\owsvrh.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\windhofs.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\windhofs.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\wingdtije.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\wingdtije.exe:*:Enabled:ipsec"
"C:\WINDOWS\Explorer.EXE"="C:\WINDOWS\Explorer.EXE:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\ptdqd.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\ptdqd.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\winwkjd.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\winwkjd.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\ldgir.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\ldgir.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\hniflg.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\hniflg.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\winjsct.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\winjsct.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\eextee.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\eextee.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\mgnog.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\mgnog.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\vevyp.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\vevyp.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\winmkgkdm.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\winmkgkdm.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\winlxgk.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\winlxgk.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\winuwsbjn.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\winuwsbjn.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\winfxap.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\winfxap.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\fmdt.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\fmdt.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\jxjqip.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\jxjqip.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\winhyvh.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\winhyvh.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\winahbjs.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\winahbjs.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\winsxcnl.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\winsxcnl.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\winqlrha.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\winqlrha.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\qjbg.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\qjbg.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\wintkhlk.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\wintkhlk.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\winjwxbm.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\winjwxbm.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\mgvprx.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\mgvprx.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\ckrky.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\ckrky.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\bbjx.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\bbjx.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\winyshke.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\winyshke.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\winkhuexf.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\winkhuexf.exe:*:Enabled:ipsec"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\windtqo.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\windtqo.exe:*:Enabled:ipsec"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\NCsoft\Exteel\System\Exteel.exe"="C:\Program Files\NCsoft\Exteel\System\Exteel.exe:*:Enabled:Exteel"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e22b425-5f0d-11de-b177-001921eb9bd9}]
shell\AutoRun\command - lad.bat
shell\open\command - lad.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f9a34f8-faef-11dd-add9-001921eb9bd9}]
shell\AutoRun\command - E:\gi2ky.exe
shell\open\command - E:\gi2ky.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16405368-9149-11dd-aa66-001921eb9bd9}]
shell\AutoRun\command - E:\68.exe
shell\explore\command - E:\68.exe
shell\open\command - E:\68.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2bb58360-8599-11de-b01a-001921eb9bd9}]
shell\AutoRun\command - My Pictures.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2dc99d69-0ef6-11de-ae94-001921eb9bd9}]
shell\auto\command - E:\Scrap
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Scrap
shell\explore\command - E:\Scrap
shell\open\command - E:\Scrap

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d130f03-730f-11dd-a48f-806d6172696f}]
shell\AutoRun\command - D:\Nvsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{533debd8-6155-11de-b18e-001921eb9bd9}]
shell\1\command - E:\Recycled.exe
shell\2\command - E:\Recycled.exe
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5740298e-d071-11dd-ac7d-001921eb9bd9}]
shell\AutoRun\command - E:\2u.com
shell\explore\command - E:\2u.com
shell\open\command - E:\2u.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{57e9100c-7c91-11de-b253-001921eb9bd9}]
shell\AutoRun\command - E:\dhrhyje.bat
shell\open\command - E:\dhrhyje.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{64f9f510-5d3b-11de-aebc-001921eb9bd9}]
shell\AuTOplAy\command - E:\wydk.pif
shell\AutoRun\command - E:\wydk.pif
shell\ExplORe\command - E:\wydk.pif
shell\OPen\command - E:\wydk.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8004caef-74c2-11de-b215-001921eb9bd9}]
shell\AutoRun\command - E:\dhrhyje.bat
shell\open\command - E:\dhrhyje.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{810464a8-0295-11de-ae2b-001921eb9bd9}]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Notepad.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{86224612-5fc6-11de-aed0-001921eb9bd9}]
shell\AutoRun\command - wscript.exe auto.vbs
shell\Open\command - wscript.exe auto.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88721b62-0cd7-11de-ae7e-001921eb9bd9}]
shell\AutoRun\command - wscript.exe sowar.vbs
shell\Open\command - wscript.exe sowar.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{959e8ae8-0177-11de-ae20-001921eb9bd9}]
shell\Autoplay\command - E:\cacvgh.exe
shell\AutoRun\command - E:\cacvgh.exe
shell\EXplore\command - E:\cacvgh.exe
shell\opEn\command - E:\cacvgh.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95a2744c-b729-11de-b437-001921eb9bd9}]
shell\auToplay\command - E:\sgffc.cmd
shell\AutoRun\command - E:\sgffc.cmd
shell\exploRe\command - E:\sgffc.cmd
shell\opEN\command - E:\sgffc.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98ee91f0-657e-11de-b1a6-001921eb9bd9}]
shell\AutoRun\command - RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Taquito.exe
shell\open\command - RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Taquito.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b8a9482-62b7-11de-aee5-001921eb9bd9}]
shell\AutoRun\command - E:\winlogon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a27376b6-9885-11dd-aab0-001921eb9bd9}]
shell\AutoRun\command - E:\USBVAULT\us.exe
shell\explore\command - E:\USBVAULT/us.exe
shell\open\command - E:\USBVAULT/us.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5a27723-87e8-11dd-a9f4-001921eb9bd9}]
shell\AutoRun\command - E:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\RemovableDrive.exe
shell\open\command - E:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\RemovableDrive.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8078af7-6706-11de-af07-001921eb9bd9}]
shell\AutoRun\command - RESTORE\k-1-3542-4232123213-7676767-8888886\Ogard.exe
shell\open\command - RESTORE\k-1-3542-4232123213-7676767-8888886\Ogard.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e92fdf90-803e-11de-b264-001921eb9bd9}]
shell\AutoRun\command - password_viewer.exe %1
shell\Explore\command - password_viewer.exe %1
shell\Open\command - password_viewer.exe %1


======File associations======

.bat - edit - C:\WINDOWS\System32\NOTEPAD.EXE %1

======List of files/folders created in the last 1 months======

2009-11-01 13:45:32 ----D---- C:\rsit
2009-11-01 10:47:54 ----D---- C:\Documents and Settings\All Users\Application Data\BullGuard
2009-11-01 10:47:46 ----D---- C:\Documents and Settings\Owner\Application Data\BullGuard
2009-11-01 10:43:52 ----D---- C:\Program Files\BullGuard Ltd
2009-10-29 21:28:44 ----D---- C:\Netts
2009-10-29 18:37:13 ----D---- C:\Program Files\Common Files\Akamai
2009-10-29 17:18:39 ----D---- C:\Program Files\Guild Wars
2009-10-27 13:44:31 ----D---- C:\Program Files\e-Games
2009-10-15 18:52:45 ----HDC---- C:\WINDOWS\$NtUninstallKB974455$
2009-10-15 18:52:37 ----HDC---- C:\WINDOWS\$NtUninstallKB958869$
2009-10-15 18:52:33 ----HDC---- C:\WINDOWS\$NtUninstallKB969878_WM9L$
2009-10-15 18:52:27 ----HDC---- C:\WINDOWS\$NtUninstallKB969059$
2009-10-15 18:52:23 ----HDC---- C:\WINDOWS\$NtUninstallKB974112$
2009-10-15 18:52:18 ----HDC---- C:\WINDOWS\$NtUninstallKB975025$
2009-10-15 18:52:13 ----HDC---- C:\WINDOWS\$NtUninstallKB974571$
2009-10-15 18:51:24 ----HDC---- C:\WINDOWS\$NtUninstallKB971486$
2009-10-15 18:51:15 ----HDC---- C:\WINDOWS\$NtUninstallKB975467$
2009-10-15 13:58:52 ----HDC---- C:\WINDOWS\$NtUninstallKB954155_WM9$
2009-10-15 13:58:49 ----A---- C:\WINDOWS\imsins.BAK
2009-10-15 13:58:42 ----HDC---- C:\WINDOWS\$NtUninstallKB973525$

======List of files/folders modified in the last 1 months======

2009-11-01 13:45:57 ----D---- C:\Program Files\Trend Micro
2009-11-01 13:45:55 ----D---- C:\Program Files\PC Connectivity Solution
2009-11-01 13:42:03 ----D---- C:\Program Files\Folder Guard Pro
2009-11-01 13:41:59 ----D---- C:\Program Files\Pokemon World Online
2009-11-01 13:41:47 ----D---- C:\Program Files\Messenger
2009-11-01 13:41:39 ----D---- C:\Program Files\Hamachi
2009-11-01 13:41:38 ----D---- C:\Program Files\Garena
2009-11-01 13:41:28 ----D---- C:\Program Files\DivX
2009-11-01 13:41:24 ----D---- C:\Program Files\Combined Community Codec Pack
2009-11-01 13:41:20 ----D---- C:\Program Files\CCleaner
2009-11-01 13:41:16 ----D---- C:\Program Files\7-Zip
2009-11-01 13:39:15 ----D---- C:\Program Files\Mozilla Firefox
2009-11-01 13:38:49 ----D---- C:\WINDOWS
2009-11-01 13:38:46 ----D---- C:\WINDOWS\Temp
2009-11-01 13:38:45 ----D---- C:\WINDOWS\system32\config
2009-11-01 13:38:31 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-11-01 13:32:25 ----D---- C:\WINDOWS\system32\export
2009-11-01 13:32:04 ----D---- C:\WINDOWS\system32\Events
2009-11-01 13:25:22 ----D---- C:\WINDOWS\system32\drivers
2009-11-01 13:21:36 ----D---- C:\WINDOWS\system32\bits
2009-11-01 13:20:52 ----SD---- C:\Program Files\Xfire
2009-11-01 13:02:22 ----D---- C:\Documents and Settings\Owner\Application Data\Yahoo!
2009-11-01 13:00:32 ----D---- C:\Documents and Settings\Owner\Application Data\Xfire
2009-11-01 12:59:29 ----D---- C:\Documents and Settings\Owner\Application Data\Vso
2009-11-01 12:59:19 ----D---- C:\Program Files\GALA-NET
2009-11-01 12:58:47 ----D---- C:\Documents and Settings\Owner\Application Data\vlc
2009-11-01 12:58:21 ----D---- C:\Documents and Settings\Owner\Application Data\uTorrent
2009-11-01 12:57:29 ----D---- C:\Documents and Settings\Owner\Application Data\Sun
2009-11-01 12:56:07 ----D---- C:\WINDOWS\system32\wbem
2009-11-01 12:54:47 ----D---- C:\WINDOWS\system32\Temp
2009-11-01 12:54:38 ----D---- C:\WINDOWS\system32\ShellExt
2009-11-01 12:54:27 ----D---- C:\WINDOWS\system32\recover
2009-11-01 12:53:24 ----D---- C:\WINDOWS\system32\PreInstall
2009-11-01 12:52:29 ----SD---- C:\WINDOWS\system32\Microsoft
2009-11-01 12:51:48 ----D---- C:\WINDOWS\system32\Macromed
2009-11-01 12:51:40 ----D---- C:\Program Files\Windows Media Player
2009-11-01 12:50:30 ----D---- C:\Program Files\Microsoft Silverlight
2009-11-01 12:44:33 ----D---- C:\Documents and Settings\All Users\Application Data\Apple Computer
2009-11-01 12:43:10 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-11-01 12:40:07 ----D---- C:\SAVE
2009-11-01 12:39:50 ----SHD---- C:\RECYCLER
2009-11-01 12:39:23 ----RD---- C:\Program Files
2009-11-01 12:35:08 ----D---- C:\Documents and Settings\Owner\Application Data\SpinTop
2009-11-01 12:34:22 ----RHD---- C:\Documents and Settings\Owner\Application Data\SecuROM
2009-11-01 12:34:02 ----D---- C:\Documents and Settings\Owner\Application Data\Red Alert 3
2009-11-01 12:30:13 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-11-01 12:20:53 ----D---- C:\Documents and Settings\Owner\Application Data\Real
2009-11-01 12:19:16 ----D---- C:\WINDOWS\system32\oobe
2009-11-01 12:18:25 ----D---- C:\WINDOWS\system32\IME
2009-11-01 12:18:19 ----D---- C:\WINDOWS\system32\3com_dmi
2009-11-01 12:18:11 ----D---- C:\WINDOWS\system32\3076
2009-11-01 12:18:04 ----D---- C:\WINDOWS\system32\2052
2009-11-01 12:17:55 ----D---- C:\WINDOWS\system32\1054
2009-11-01 12:17:48 ----D---- C:\WINDOWS\system32\1042
2009-11-01 12:17:40 ----D---- C:\WINDOWS\system32\1041
2009-11-01 12:17:32 ----D---- C:\WINDOWS\system32\1037
2009-11-01 12:17:19 ----D---- C:\WINDOWS\system32\1033
2009-11-01 12:17:12 ----D---- C:\WINDOWS\system32\1031
2009-11-01 12:17:01 ----D---- C:\WINDOWS\system32\1028
2009-11-01 12:16:47 ----D---- C:\WINDOWS\system32\1025
2009-11-01 12:16:40 ----D---- C:\Documents and Settings\Owner\Application Data\PC Suite
2009-11-01 12:15:39 ----D---- C:\Documents and Settings\Owner\Application Data\Nokia
2009-11-01 12:14:39 ----D---- C:\Documents and Settings\Owner\Application Data\My Games
2009-11-01 12:14:23 ----D---- C:\Documents and Settings\Owner\Application Data\Mozilla
2009-11-01 12:10:22 ----D---- C:\WINDOWS\system32
2009-11-01 11:49:26 ----D---- C:\Downloads
2009-11-01 11:48:57 ----RHD---- C:\MSOCache
2009-11-01 11:48:48 ----D---- C:\fb753e57718e5939d69c9292
2009-11-01 11:35:47 ----D---- C:\Program Files\AsiaSoft Online
2009-11-01 11:32:09 ----D---- C:\Documents and Settings\Owner\Application Data\Moyea
2009-11-01 11:23:53 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-11-01 11:23:46 ----SD---- C:\Documents and Settings\Owner\Application Data\Microsoft
2009-11-01 11:22:57 ----D---- C:\Program Files\Heroes of Newerth
2009-11-01 11:18:38 ----D---- C:\WINDOWS\Resources
2009-11-01 11:18:28 ----D---- C:\WINDOWS\repair
2009-11-01 11:18:08 ----D---- C:\WINDOWS\Registration
2009-11-01 11:16:15 ----D---- C:\Documents and Settings\Owner\Application Data\Media Player Classic
2009-11-01 11:15:53 ----D---- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2009-11-01 11:13:33 ----D---- C:\Documents and Settings\Owner\Application Data\Macromedia
2009-11-01 11:07:30 ----D---- C:\WINDOWS\RegisteredPackages
2009-11-01 11:07:20 ----D---- C:\WINDOWS\pss
2009-11-01 11:06:59 ----D---- C:\WINDOWS\Provisioning
2009-11-01 11:06:47 ----D---- C:\WINDOWS\Prefetch
2009-11-01 11:06:28 ----HD---- C:\WINDOWS\PIF
2009-11-01 11:06:22 ----D---- C:\WINDOWS\PeerNet
2009-11-01 11:05:47 ----D---- C:\Documents and Settings
2009-11-01 11:05:46 ----SHD---- C:\Config.Msi
2009-11-01 11:05:42 ----D---- C:\a985dc2a6353b8bdcb04
2009-11-01 11:03:43 ----D---- C:\WINDOWS\WinSxS
2009-11-01 11:03:36 ----RD---- C:\WINDOWS\Web
2009-11-01 11:03:35 ----A---- C:\WINDOWS\amcap.exe
2009-11-01 11:03:30 ----D---- C:\Program Files\WinZip
2009-11-01 11:01:57 ----D---- C:\Program Files\QuickTime
2009-11-01 10:59:18 ----D---- C:\Warcraft III
2009-11-01 10:59:13 ----N---- C:\WINDOWS\VM303_STI.EXE
2009-11-01 10:57:56 ----D---- C:\Program Files\Total Video Converter
2009-11-01 10:57:13 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-11-01 10:56:59 ----D---- C:\Program Files\softendo.com
2009-11-01 10:56:56 ----D---- C:\Program Files\SnailWeb
2009-11-01 10:56:09 ----D---- C:\Program Files\Silkroad
2009-11-01 10:55:35 ----D---- C:\Program Files\Reference Assemblies
2009-11-01 10:55:34 ----D---- C:\Program Files\Realtek Sound Manager
2009-11-01 10:55:29 ----D---- C:\Program Files\Realtek AC97
2009-11-01 10:46:23 ----HD---- C:\WINDOWS\inf
2009-11-01 10:45:25 ----D---- C:\WINDOWS\system32\CatRoot2
2009-11-01 09:00:01 ----SD---- C:\WINDOWS\Tasks
2009-10-31 11:18:22 ----D---- C:\WINDOWS\system32\LogFiles
2009-10-31 11:17:44 ----D---- C:\WINDOWS\system32\DirectX
2009-10-31 11:17:44 ----D---- C:\WINDOWS\system32\dhcp
2009-10-31 11:17:34 ----D---- C:\WINDOWS\system32\Com
2009-10-31 11:17:28 ----D---- C:\WINDOWS\system32\CatRoot
2009-10-31 11:17:25 ----D---- C:\WINDOWS\system32\AGEIA
2009-10-31 11:17:23 ----D---- C:\WINDOWS\system
2009-10-31 11:17:22 ----D---- C:\WINDOWS\Sun
2009-10-31 11:17:21 ----D---- C:\WINDOWS\srchasst
2009-10-31 11:17:19 ----D---- C:\WINDOWS\SoftwareDistribution
2009-10-31 11:17:19 ----D---- C:\WINDOWS\SHELLNEW
2009-10-31 11:16:35 ----D---- C:\WINDOWS\ServicePackFiles
2009-10-31 11:16:35 ----D---- C:\WINDOWS\security
2009-10-31 11:15:47 ----D---- C:\WINDOWS\Left 4 Dead
2009-10-30 15:29:35 ----D---- C:\WINDOWS\Help
2009-10-29 18:37:13 ----D---- C:\Program Files\Common Files
2009-10-28 20:50:04 ----D---- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2009-10-27 14:01:07 ----D---- C:\Program Files\IDA
2009-10-15 20:20:22 ----D---- C:\WINDOWS\Microsoft.NET
2009-10-15 20:20:18 ----RSD---- C:\WINDOWS\assembly
2009-10-15 18:55:11 ----SHD---- C:\WINDOWS\Installer
2009-10-15 18:55:04 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-10-15 18:51:22 ----HD---- C:\WINDOWS\$hf_mig$
2009-10-10 08:44:23 ----D---- C:\WINDOWS\system32\Restore
2009-10-08 13:12:25 ----A---- C:\WINDOWS\system.ini
2009-10-03 11:33:58 ----A---- C:\WINDOWS\win.ini
2009-10-03 02:01:57 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 Tcpip6;Microsoft IPv6 Protocol Driver; C:\WINDOWS\system32\DRIVERS\tcpip6.sys [2008-06-20 225856]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]
R2 atksgt;atksgt; C:\WINDOWS\system32\DRIVERS\atksgt.sys [2008-12-14 278984]
R2 BdFileSpy;BullGuard File Monitor Driver; \??\C:\WINDOWS\system32\drivers\BdFileSpy.sys []
R2 EIO;EIO; \??\C:\WINDOWS\system32\drivers\EIO.sys []
R2 lirsgt;lirsgt; C:\WINDOWS\system32\DRIVERS\lirsgt.sys [2008-11-13 25416]
R3 afw;Agnitum firewall driver; C:\WINDOWS\system32\DRIVERS\afw.sys [2009-03-23 31128]
R3 afwcore;afwcore; C:\WINDOWS\system32\DRIVERS\afwcore.sys [2009-03-23 257304]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2006-05-19 3965056]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2005-12-12 1414656]
R3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\fetnd5.sys [2001-08-17 27165]
R3 hamachi;Hamachi Network Interface; C:\WINDOWS\system32\DRIVERS\hamachi.sys [2009-06-11 25280]
R3 klim5;Kaspersky Anti-Virus NDIS Filter; C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-05-01 24592]
R3 tunmp;Microsoft Tun Miniport Adapter Driver; C:\WINDOWS\system32\DRIVERS\tunmp.sys [2008-04-14 12288]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
S3 adjahof6;adjahof6; C:\WINDOWS\system32\drivers\adjahof6.sys []
S3 asc3360pr;asc3360pr; \??\C:\WINDOWS\system32\drivers\tmlql.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-14 17024]
S3 EagleNT;EagleNT; \??\C:\WINDOWS\system32\drivers\EagleNT.sys []
S3 FGUARD32;FGUARD32; \??\C:\Program Files\Folder Guard Pro\FGUARD32.SYS []
S3 GarenaPEngine;GarenaPEngine; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\WCQ1B.tmp []
S3 MBAMSwissArmy;MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys []
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-14 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-14 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-14 10880]
S3 nmwcd;Nokia USB Phone Parent; C:\WINDOWS\system32\drivers\ccdcmb.sys [2009-02-09 17664]
S3 nmwcdc;Nokia USB Generic; C:\WINDOWS\system32\drivers\ccdcmbo.sys [2009-02-09 22016]
S3 npkcrypt;npkcrypt; \??\C:\Program Files\Kair\Level Up! Games\RagnarokOnline\npkcrypt.sys []
S3 pccsmcfd;PCCS Mode Change Filter Driver; C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys [2008-08-26 18816]
S3 pcouffin;VSO Software pcouffin; C:\WINDOWS\System32\Drivers\pcouffin.sys [2009-07-05 47360]
S3 Profos;Profos; \??\C:\Program Files\BullGuard Ltd\BullGuard\antirootkit\profos.sys []
S3 SBRE;SBRE; \??\C:\WINDOWS\system32\drivers\SBREdrv.sys []
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-14 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-14 15232]
S3 tap0801;TAP-Win32 Adapter V8; C:\WINDOWS\system32\DRIVERS\tap0801.sys [2006-10-01 26624]
S3 tapvpn;TAP VPN Adapter; C:\WINDOWS\system32\DRIVERS\tapvpn.sys [2008-01-24 27136]
S3 Trufos;Trufos; \??\C:\Program Files\BullGuard Ltd\BullGuard\antirootkit\trufos.sys []
S3 upperdev;upperdev; C:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys [2009-02-09 7808]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 usbser;USB Modem Driver; C:\WINDOWS\system32\drivers\usbser.sys [2008-04-13 26112]
S3 UsbserFilt;UsbserFilt; C:\WINDOWS\system32\DRIVERS\usbser_lowerfltj.sys [2009-02-09 7808]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 Wdf01000;Kernel Mode Driver Frameworks service; C:\WINDOWS\System32\Drivers\wdf01000.sys [2008-03-27 503008]
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2005-01-29 18944]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-14 19200]
S3 ZSMC303;A4 TECH PC Camera H; C:\WINDOWS\System32\Drivers\usbVM303.sys [2005-10-28 390849]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 6to4;IPv6 Helper Service; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 Akamai;Akamai NetSession Interface; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2005-12-12 393216]
R2 BgMainSvc;BullGuard Main Service; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R2 BsFileScan;BullGuard File Scan Service; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R2 BsFire;BullGuard Firewall Service; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R2 BsMailProxy;BullGuard Email Monitoring Service; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-08-21 153376]
R2 StarWindServiceAE;StarWind AE Service; C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe [2007-05-29 275968]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-29 38912]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 BGRaSvc;BGRaSvc; C:\Program Files\BullGuard Ltd\BullGuard\support\bgrasvc.exe [2009-06-01 79184]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2009-11-01 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 npggsvc;nProtect GameGuard Service; C:\WINDOWS\system32\GameMon.des [2009-02-17 2761466]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2009-11-01 82432]
S3 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2009-11-01 637952]
S3 usprserv;User Privilege Service; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
S4 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2008-12-18 66872]
S4 PnkBstrB;PnkBstrB; C:\WINDOWS\system32\PnkBstrB.exe [2008-12-18 107832]

-----------------EOF-----------------

kair
New Member


Date Joined Nov 2009
Total Posts : 11
 
Posted 11-1-2009 7:02 (GMT +1)
2nd one

info.txt logfile of random's system information tool 1.06 2009-11-01 13:46:05

======Uninstall list======

-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->MsiExec /X{E4D15328-8C89-484B-B9AA-F5BE9EA6D01C}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 4.57-->"C:\Program Files\7-Zip\Uninstall.exe"
A4 TECH USB PC Camera H-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CE3B8E96-B0AF-4871-9178-1519B58E3A93}\setup.exe" -l0x9
Acrobat.com-->msiexec /qb /x {77DCDCE3-2DED-62F3-8154-05E745472D07}
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{A2BCA9F1-566C-4805-97D1-7FDC93386723}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}
Akamai NetSession Interface-->C:\Program Files\Common Files\Akamai\uninstall.exe
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
BullGuard 8.7-->C:\Program Files\BullGuard Ltd\BullGuard\uninst.exe
Camfrog Video Chat 5.2-->"C:\Program Files\Camfrog\Camfrog Video Chat\uninstall.exe"
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
Cheat Engine 5.5-->"C:\Program Files\Cheat Engine\unins000.exe"
Combined Community Codec Pack 2008-09-21 16:18-->"C:\Program Files\Combined Community Codec Pack\unins000.exe"
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
DivX-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
FlashWAmp 1.1-->"C:\Program Files\Fun SoundPlayer\unins001.exe"
FlorensiaEU 1.08.17-->C:\Netts\uninst.exe
Folder Guard-->"C:\Program Files\Folder Guard Pro\Setup.exe" /U
Fun SoundPlayer Maker 2.3-->"C:\Program Files\Fun SoundPlayer\unins000.exe"
Garena-->C:\Program Files\Garena\uninst.exe
Garena-->C:\Program Files\InstallShield Installation Information\{89C89156-A70F-4C6D-9CAE-2EA71F1396FE}\setup.exe -runfromtemp -l0x0009 -removeonly
Guild Wars-->"C:\Program Files\Guild Wars\Gw.exe" -uninstall
Hamachi 1.0.3.0-->C:\Program Files\Hamachi\uninstall.exe
Heroes of Newerth-->C:\Program Files\Heroes of Newerth\uninstall.exe
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Internet Download Accelerator version 5.7-->"C:\Program Files\IDA\unins000.exe"
IObit SmartDefrag-->"C:\Program Files\IObit\IObit SmartDefrag\unins000.exe"
Java(TM) 6 Update 15-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216015FF}
Kaspersky Anti-Virus 2009-->MsiExec.exe /I{6580C5A3-2336-4EC5-85F1-3448C5F6208A}
Kaspersky Anti-Virus 2009-->MsiExec.exe /I{6580C5A3-2336-4EC5-85F1-3448C5F6208A}
K-Lite Mega Codec Pack 4.1.7-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
Magic ISO Maker v5.5 (build 0272)-->C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Security Update (KB953297)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft AppLocale-->MsiExec.exe /I{394BE3D9-7F57-4638-A8D1-1D88671913B7}
Microsoft DirectX SDK (June 2008)-->C:\WINDOWS\dxsdkuninst.exe "C:\Program Files\Microsoft DirectX SDK (June 2008)" "Microsoft DirectX SDK (June 2008)"
Microsoft Games for Windows - LIVE Redistributable-->MsiExec.exe /X{929CE49F-1CA7-4CF3-A9A1-6D757443C63F}
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7-->"C:\WINDOWS\$NtUninstallWdf01007$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Microsoft Windows Application Compatibility Database-->C:\WINDOWS\system32\sdbinst.exe -u "C:\WINDOWS\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb"
Moyea FLV Downloader version 1.15.0.15-->"C:\Program Files\Moyea\FLV Downloader\unins000.exe"
Moyea FLV Player version 1.5.2.7-->"C:\Program Files\Moyea\FLV Player\unins000.exe"
Moyea FLV to Video Converter Pro version 1.29.2.11-->"C:\Program Files\Moyea\FLV to Video Pro\unins000.exe"
Mozilla Firefox (3.0.15)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MP3 Player Utilities 4.05-->MsiExec.exe /I{8B9852AF-B0B0-47B7-9BC5-89A95D77B6C9}
MSN-->C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSVC80_x86-->MsiExec.exe /I{212748BB-0DA5-46DE-82A1-403736DC9F27}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 6.0 Parser (KB925673)-->MsiExec.exe /I{FE9126DB-5F84-495A-BB46-3C724F1C2D08}
muvee autoProducer 3.5 magicMoments-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{68AD6F25-07A0-4CFE-9555-A30633329B08}\Setup.exe" -l0x9
Netimo Client-->C:\WINDOWS\system32\uninst74.exe
Nokia Connectivity Cable Driver-->MsiExec.exe /I{52D02A2B-03D2-4E34-A358-DC5D951FD296}
NVIDIA PhysX v8.10.17-->MsiExec.exe /X{E4D15328-8C89-484B-B9AA-F5BE9EA6D01C}
NVIDIA WDM Drivers-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B023185F-F1EF-4F97-B0BD-AE6D802226D1}\SETUP.EXE"
Pack Vista Inspirat 2 1.0-->C:\WINDOWS\BricoPacks\Vista Inspirat 2\Remove.exe
Paint.NET v3.36-->MsiExec.exe /X{43602F34-1AA3-44FB-AEB2-D08C2C73743F}
Pando Media Booster-->C:\Program Files\Pando Networks\Media Booster\uninst.exe
PC Connectivity Solution-->MsiExec.exe /I{0C973594-7DDF-4BD0-84ED-3517F7622037}
Pokemon Word Online 1.0-->"C:\Program Files\Pokemon World Online\unins000.exe"
PunkBuster Services-->C:\WINDOWS\system32\pbsvc.exe -u
QuickTime-->MsiExec.exe /I{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
RGSS-RTP Standard-->MsiExec.exe /I{5A9FE525-8B8F-4701-A937-7F6745A4E9C7}
RPG Maker VX RTP-->"C:\Program Files\Common Files\Enterbrain\RGSS2\RPGVX\unins000.exe"
RPG Maker VX-->"C:\Program Files\Enterbrain\RPGVX\unins000.exe"
RPGXP-->MsiExec.exe /I{9B34CAC6-738F-4A20-B428-A115C3E3474C}
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 Series (KB969878)-->"C:\WINDOWS\$NtUninstallKB969878_WM9L$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974455)-->"C:\WINDOWS\$NtUninstallKB974455$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
Silkroad-->C:\Program Files\Silkroad\Remove.Exe
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Steam-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Subtitle Workshop 2.51-->"C:\Program Files\URUSoft\Subtitle Workshop\uninstall.exe"
SuddenAttack-->MsiExec.exe /I{1066A058-970B-4E0E-AC64-471C18A5847A}
Total Video Converter 3.14 080930-->"C:\Program Files\Total Video Converter\unins000.exe"
TubeHunter Ultra-->MsiExec.exe /I{4572F220-0A56-402E-90F1-4D36DD22F108}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
uTorrent Turbo Booster-->C:\Program Files\uTorrent Turbo Booster\uninstall.exe
Visual C++ 8.0 CRT (x86) WinSXS MSM-->MsiExec.exe /I{98CB24AD-52FB-DB5F-FF1F-C8B3B9A1E18E}
Visual C++ 8.0 CRT.Policy (x86) WinSXS MSM-->MsiExec.exe /I{63E949F6-03BC-5C40-FF1F-C8B3B9A1E18E}
VLC media player 0.9.9-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Warkeys 1.14.1.0b-->C:\Program Files\Warkeys\uninst.exe
Window Hide Tool 2.0-->"C:\Program Files\Window Hide Tool\unins000.exe"
Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)-->C:\PROGRA~1\DIFX\B4723E9A0713E5B1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccsmcfd_A3B3916E5D8138F59EE218321B27B044D3B18294\pccsmcfd.inf
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Resource Kit Tools - SubInAcl.exe-->MsiExec.exe /X{D3EE034D-5B92-4A55-AA02-2E6D0A6A96EE}
Windows Resource Kit Tools-->MsiExec.exe /I{FA237125-51FF-408C-8BB8-30C2B3DFFF9C}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinZip 11.1-->MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}
Xfire (remove only)-->"C:\Program Files\Xfire\uninst.exe"
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Search Protection-->C:\PROGRA~1\Yahoo!\SEARCH~1\UNINST~1.EXE
Yahoo! Toolbar-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======Security center information======

AV: BullGuard Antivirus (outdated)
AV: Kaspersky Anti-Virus (disabled) (outdated)
FW: BullGuard Firewall

======System event log======

Computer Name: PC11
Event Code: 2511
Message: The server service was unable to recreate the share Fiesta because the directory C:\Fiesta no longer exists. Please run "net share Fiesta /delete" to delete the share, or recreate the directory C:\Fiesta.

Record Number: 27802
Source Name: Server
Time Written: 20091015185830.000000+480
Event Type: warning
User:

Computer Name: PC11
Event Code: 2511
Message: The server service was unable to recreate the share Fiesta because the directory C:\Fiesta no longer exists. Please run "net share Fiesta /delete" to delete the share, or recreate the directory C:\Fiesta.

Record Number: 27750
Source Name: Server
Time Written: 20091015181643.000000+480
Event Type: warning
User:

Computer Name: PC11
Event Code: 2511
Message: The server service was unable to recreate the share Fiesta because the directory C:\Fiesta no longer exists. Please run "net share Fiesta /delete" to delete the share, or recreate the directory C:\Fiesta.

Record Number: 27721
Source Name: Server
Time Written: 20091015171128.000000+480
Event Type: warning
User:

Computer Name: PC11
Event Code: 2511
Message: The server service was unable to recreate the share Fiesta because the directory C:\Fiesta no longer exists. Please run "net share Fiesta /delete" to delete the share, or recreate the directory C:\Fiesta.

Record Number: 27693
Source Name: Server
Time Written: 20091015155926.000000+480
Event Type: warning
User:

Computer Name: PC11
Event Code: 2511
Message: The server service was unable to recreate the share Fiesta because the directory C:\Fiesta no longer exists. Please run "net share Fiesta /delete" to delete the share, or recreate the directory C:\Fiesta.

Record Number: 27660
Source Name: Server
Time Written: 20091015133454.000000+480
Event Type: warning
User:

=====Application event log=====

Computer Name: PC11
Event Code: 1517
Message: Windows saved user PC11\Owner registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 2484
Source Name: Userenv
Time Written: 20090621210607.000000+480
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: PC11
Event Code: 1517
Message: Windows saved user PC11\Owner registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 2482
Source Name: Userenv
Time Written: 20090621194725.000000+480
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: PC11
Event Code: 1517
Message: Windows saved user PC11\Owner registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 2480
Source Name: Userenv
Time Written: 20090621163102.000000+480
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: PC11
Event Code: 1000
Message: Faulting application sframe.exe, version 0.0.0.0, faulting module , version 0.0.0.0, fault address 0x00000000.

Record Number: 2479
Source Name: Application Error
Time Written: 20090621135055.000000+480
Event Type: error
User:

Computer Name: PC11
Event Code: 1000
Message: Faulting application launch.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x2f421e30.

Record Number: 2471
Source Name: Application Error
Time Written: 20090620161111.000000+480
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=C:\Program Files\PC Connectivity Solution\;C:\Program Files\Windows Resource Kits\Tools\;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 6 Stepping 4, GenuineIntel
"PROCESSOR_REVISION"=0604
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"DXSDK_DIR"=C:\Program Files\Microsoft DirectX SDK (June 2008)\

-----------------EOF-----------------
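The Hosts File section of the RSIT report above shows only 127.0.0.1 entries for junk domains, which is the benign block-list pattern; a "virus that disables antivirus" would instead point vendor or update hostnames at loopback or at an attacker-controlled address so the product can no longer update. The script below is an added example of that triage, not code from the thread or from RSIT. The hosts text, the 192.0.2.10 address and the protected-domain list are constructed for illustration and should be tuned to the products actually installed:

```python
"""Triage a Windows hosts file the way a removal helper reads the
'Hosts File' section of an RSIT report.

Added example, not part of the forum thread or of RSIT. SAMPLE_HOSTS is
constructed; PROTECTED_SUFFIXES is an assumed, illustrative watch-list.
"""
import ipaddress
from collections import Counter

# Names an AV-disabling infection typically sinkholes so the product cannot
# update. Assumption: short illustrative list, not exhaustive.
PROTECTED_SUFFIXES = (
    "bullguard.com", "kaspersky.com", "kaspersky-labs.com",
    "windowsupdate.com", "update.microsoft.com", "malwarebytes.org",
    "safer-networking.org",
)

# Constructed sample: benign immunisation entries plus a few hijacks.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 update.bullguard.com  # added by a dropper, hidden behind a comment
127.0.0.1 downloads2.kaspersky-labs.com
192.0.2.10 www.malwarebytes.org
192.0.2.10 www.google.com www.bing.com
"""


def parse_hosts(text):
    """Yield (ip, hostname, lineno) for every mapping, ignoring comments
    and lines whose first field is not an IP address."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        # One line may map several names to the same address.
        for host in fields[1:]:
            yield ip, host.lower(), lineno


def is_protected(host):
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def classify(ip, host):
    """Return one of 'localhost', 'hijack', 'sinkhole', 'redirect'."""
    if host in ("localhost", "localhost.localdomain") and ip.is_loopback:
        return "localhost"
    if is_protected(host):
        return "hijack"      # any static mapping for these names is hostile
    if ip.is_loopback or ip.is_unspecified:
        return "sinkhole"    # 127.0.0.1 / 0.0.0.0 block, e.g. Spybot immunisation
    return "redirect"        # a real name sent to a live address: phishing/MITM


def triage(text):
    """Return (counts, findings); findings holds (kind, lineno, ip, host)
    for every hijack or redirect, in file order."""
    counts = Counter()
    findings = []
    for ip, host, lineno in parse_hosts(text):
        kind = classify(ip, host)
        counts[kind] += 1
        if kind in ("hijack", "redirect"):
            findings.append((kind, lineno, str(ip), host))
    return counts, findings


if __name__ == "__main__":
    counts, findings = triage(SAMPLE_HOSTS)
    print(dict(counts))
    for kind, lineno, ip, host in findings:
        print(f"line {lineno}: {kind:8s} {ip:>15s} -> {host}")
```

Run it against a copy of `C:\WINDOWS\system32\drivers\etc\hosts`; anything classified as `hijack` or `redirect` is worth a closer look, while a long run of `sinkhole` lines for advertising and malware domains is exactly what a Spybot immunisation leaves behind.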
Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 16319
Posted 11-1-2009 7:31 (GMT +1)
 
  by Swandog46 to your Desktop.
Click on Avenger.zip to open the file
Extract avenger2.exe to your desktop
 
Start Avenger
 
Begin copying here:
Files to delete:
C:\Documents and Settings\Owner\Desktop\RRT50010.exe
C:\WINDOWS\system32\SCVVHSOT.exe
C:\Documents and Settings\Owner\Desktop\utorrent.exe
Folders to delete:
C:\DOCUME~1\Owner\LOCALS~1\Temp

Copy/Paste all the text in the above codebox into the main window
Click Execute
 
The Avenger will automatically do the following:
It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
 
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions.
 
This log file will be located at  C:\avenger.txt
 
Post C:\avenger.txt in next reply, along with a combofix log ->
 
Please download Combofix from:
 
 And save to the desktop.

Close all other browser windows.
 
Double-click on the combofix icon found on your desktop.
 
Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

 When finished, it will produce a logfile located at C:\combofix.txt.
 

Post the contents of that log in your next reply
 
The logs will be reasonably large so you may have to divide them into sections and make several posts to post them.


 
NB. If you are using any P2P (file sharing) programs, please remove them before we clean your computer. We do not clean logs that have P2P applications installed as this can cause reinfection during your cleaning.
 


Do NOT post your problem in someone else's thread.
A non-profit, volunteer network.

kair
New Member
Date Joined Nov 2009
Total Posts : 11
Posted 11-1-2009 9:27 (GMT +1)
from gmer

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-01 16:11:14
Windows 5.1.2600 Service Pack 3
Running: 3h309w02.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pxtdapog.sys


---- System - GMER 1.0.15 ----

SSDT spic.sys ZwCreateKey [0xF73910E0]
SSDT spic.sys ZwEnumerateKey [0xF73AECA2]
SSDT spic.sys ZwEnumerateValueKey [0xF73AF030]
SSDT kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) ZwOpenFile [0xF6CC8080]
SSDT spic.sys ZwOpenKey [0xF73910C0]
SSDT spic.sys ZwQueryKey [0xF73AF108]
SSDT spic.sys ZwQueryValueKey [0xF73AEF88]
SSDT spic.sys ZwSetValueKey [0xF73AF19A]

INT 0x62 ? 87366BF8
INT 0x63 ? 871E7F00
INT 0x63 ? 871E7F00
INT 0x63 ? 871E7F00
INT 0x63 ? 871E7F00
INT 0x63 ? 871E7F00
INT 0x63 ? 871E7F00
INT 0x82 ? 87366BF8
INT 0x83 ? 87366BF8

---- Kernel code sections - GMER 1.0.15 ----

? spic.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F60278AC 5 Bytes JMP 871E74E0
.text ae7ipt56.SYS F5B86384 1 Byte [20]
.text ae7ipt56.SYS F5B86384 37 Bytes [20, 00, 00, 68, 00, 00, 00, ...]
.text ae7ipt56.SYS F5B863AA 24 Bytes [00, 00, 20, 00, 00, E0, 00, ...]
.text ae7ipt56.SYS F5B863C4 3 Bytes [00, 00, 00]
.text ae7ipt56.SYS F5B863C9 1 Byte [00]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe[2992] USER32.dll!SetScrollInfo 7E419056 5 Bytes JMP 00DCE144 C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe[2992] USER32.dll!GetScrollInfo 7E42DFE2 5 Bytes JMP 00DCE0C0 C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe[2992] USER32.dll!ShowScrollBar 7E42F2F2 5 Bytes JMP 00DCE1C8 C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe[2992] USER32.dll!GetScrollPos 7E42F704 5 Bytes JMP 00DCE0EC C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe[2992] USER32.dll!SetScrollPos 7E42F750 5 Bytes JMP 00DCE170 C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe[2992] USER32.dll!GetScrollRange 7E42F787 5 Bytes JMP 00DCE118 C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe[2992] USER32.dll!SetScrollRange 7E42F99B 5 Bytes JMP 00DCE19C C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe[2992] USER32.dll!EnableScrollBar 7E468005 5 Bytes JMP 00DCE094 C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 873682D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F73C193C] spic.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F73C1990] spic.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7392040] spic.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F739213C] spic.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F73920BE] spic.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F73927FC] spic.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F73926D2] spic.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 871E75E0
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F73A1D92] spic.sys
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!RtlInitUnicodeString] 000000A5
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!swprintf] 000000E5
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!KeSetEvent] 000000F1
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!IoCreateSymbolicLink] 00000071
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!IoGetConfigurationInformation] 000000D8
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!IoDeleteSymbolicLink] 00000031
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!MmFreeMappingAddress] 00000015
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!IoFreeErrorLogEntry] 00000004
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!IoDisconnectInterrupt] 000000C7
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!MmUnmapIoSpace] 00000023
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!ObReferenceObjectByPointer] 000000C3
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!IofCompleteRequest] 00000018
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!RtlCompareUnicodeString] 00000096
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!IofCallDriver] 00000005
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!MmAllocateMappingAddress] 0000009A
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!IoAllocateErrorLogEntry] 00000007
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!IoConnectInterrupt] 00000012
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!IoDetachDevice] 00000080
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!KeWaitForSingleObject] 000000E2
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!KeInitializeEvent] 000000EB
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!KeCancelTimer] 00000027
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!RtlAnsiStringToUnicodeString] 000000B2
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!RtlInitAnsiString] 00000075
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!IoBuildDeviceIoControlRequest] 00000009
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!IoQueueWorkItem] 00000083
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!MmMapIoSpace] 0000002C
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!IoInvalidateDeviceRelations] 0000001A
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!IoReportDetectedDevice] 0000001B
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!IoReportResourceForDetection] 0000006E
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize] 0000005A
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!NlsMbCodePageTag] 000000A0
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!PoRequestPowerIrp] 00000052
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!KeInsertByKeyDeviceQueue] 0000003B
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!PoRegisterDeviceForIdleDetection] 000000D6
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!sprintf] 000000B3
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] 00000029
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!ObfDereferenceObject] 000000E3
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!IoGetAttachedDeviceReference] 0000002F
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!IoInvalidateDeviceState] 00000084
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!ZwClose] 00000053
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!ObReferenceObjectByHandle] 000000D1
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!ZwCreateDirectoryObject] 00000000
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!IoBuildSynchronousFsdRequest] 000000ED
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!PoStartNextPowerIrp] 00000020
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!IoCreateDevice] 000000FC
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!RtlCopyUnicodeString] 000000B1
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!IoAllocateDriverObjectExtension] 0000005B
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!RtlQueryRegistryValues] 0000006A
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!ZwOpenKey] 000000CB
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!RtlFreeUnicodeString] 000000BE
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!IoStartTimer] 00000039
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!KeInitializeTimer] 0000004A
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!IoInitializeTimer] 0000004C
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!KeInitializeDpc] 00000058
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!KeInitializeSpinLock] 000000CF
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!IoInitializeIrp] 000000D0
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!ZwCreateKey] 000000EF
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!RtlAppendUnicodeStringToString] 000000AA
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!RtlIntegerToUnicodeString] 000000FB
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!ZwSetValueKey] 00000043
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!KeInsertQueueDpc] 0000004D
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] 00000033
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!IoStartPacket] 00000085
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] 00000045
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!IoBuildAsynchronousFsdRequest] 000000F9
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!IoFreeMdl] 00000002
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!MmUnlockPages] 0000007F
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!IoWriteErrorLogEntry] 00000050
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!KeRemoveByKeyDeviceQueue] 0000003C
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!MmMapLockedPagesWithReservedMapping] 0000009F
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!MmUnmapReservedMapping] 000000A8
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!KeSynchronizeExecution] 00000051
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!IoStartNextPacket] 000000A3
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!KeBugCheckEx] 00000040
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!KeRemoveDeviceQueue] 0000008F
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!KeSetTimer] 00000092
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!_allmul] 0000009D
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!MmProbeAndLockPages] 00000038
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!_except_handler3] 000000F5
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!PoSetPowerState] 000000BC
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!IoOpenDeviceRegistryKey] 000000B6
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!RtlWriteRegistryValue] 000000DA
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!RtlDeleteRegistryValue] 00000021
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!_aulldiv] 00000010
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!strstr] 000000FF
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!_strupr] 000000F3
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!KeQuerySystemTime] 000000D2
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!IoWMIRegistrationControl] 000000CD
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!KeTickCount] 0000000C
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!IoAttachDeviceToDeviceStack] 00000013
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!IoDeleteDevice] 000000EC
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!ExAllocatePoolWithTag] 0000005F
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!IoAllocateWorkItem] 00000097
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!IoAllocateIrp] 00000044
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!IoAllocateMdl] 00000017
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!MmBuildMdlForNonPagedPool] 000000C4
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!MmLockPagableDataSection] 000000A7
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!IoGetDriverObjectExtension] 0000007E
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!MmUnlockPagableImageSection] 0000003D
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!ExFreePoolWithTag] 00000064
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!IoFreeIrp] 0000005D
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!IoFreeWorkItem] 00000019
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!InitSafeBootMode] 00000073
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!RtlCompareMemory] 00000060
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!PoCallDriver] 00000081
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!memmove] 0000004F
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[ntoskrnl.exe!MmHighestUserAddress] 000000DC
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[HAL.dll!KfAcquireSpinLock] 000000AD
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[HAL.dll!READ_PORT_UCHAR] 000000D4
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[HAL.dll!KeGetCurrentIrql] 000000A2
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[HAL.dll!KfRaiseIrql] 000000AF
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[HAL.dll!KfLowerIrql] 0000009C
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[HAL.dll!HalGetInterruptVector] 000000A4
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[HAL.dll!HalTranslateBusAddress] 00000072
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[HAL.dll!KeStallExecutionProcessor] 000000C0
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[HAL.dll!KfReleaseSpinLock] 000000B7
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 000000FD
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[HAL.dll!READ_PORT_USHORT] 00000093
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 00000026
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[HAL.dll!WRITE_PORT_UCHAR] 00000036
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[WMILIB.SYS!WmiSystemControl] 000000F7
IAT \SystemRoot\System32\Drivers\ae7ipt56.SYS[WMILIB.SYS!WmiCompleteRequest] 000000CC
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F5B518DE] \SystemRoot\system32\DRIVERS\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F5B518DE] \SystemRoot\system32\DRIVERS\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F5B518DE] \SystemRoot\system32\DRIVERS\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F5B518DE] \SystemRoot\system32\DRIVERS\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F5B518DE] \SystemRoot\system32\DRIVERS\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[ntoskrnl.exe!IoCreateDevice] [F6D00660] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] [F6D007B0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\ipnat.sys[ntoskrnl.exe!IoCreateDevice] [F6D00660] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!IoCreateDevice] [F6D00660] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] [F6D007B0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[ntoskrnl.exe!IoCreateDevice] [F6D00660] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F5B518DE] \SystemRoot\system32\DRIVERS\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\tcpip6.sys[ntoskrnl.exe!IoCreateDevice] [F6D00660] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\tcpip6.sys[TDI.SYS!TdiRegisterDeviceObject] [F6D007B0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\tcpip6.sys[NDIS.SYS!NdisOpenAdapter] [F5B518DE] \SystemRoot\system32\DRIVERS\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\System32\drivers\ws2ifsl.sys[ntoskrnl.exe!IoCreateDevice] [F6D00660] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\drivers\ip6fw.sys[ntoskrnl.exe!IoCreateDevice] [F6D00660] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateDevice] [F6D00660] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\netbios.sys[ntoskrnl.exe!IoCreateDevice] [F6D00660] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\rdbss.sys[ntoskrnl.exe!IoCreateDevice] [F6D00660] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!IoCreateDevice] [F6D00660] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\Fips.SYS[ntoskrnl.exe!IoCreateDevice] [F6D00660] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\Cdfs.SYS[ntoskrnl.exe!IoCreateDevice] [F6D00660] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[ntoskrnl.exe!IoCreateDevice] [F6D00660] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F5B518DE] \SystemRoot\system32\DRIVERS\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\drivers\wdmaud.sys[ntoskrnl.exe!IoCreateDevice] [F6D00660] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\drivers\sysaudio.sys[ntoskrnl.exe!IoCreateDevice] [F6D00660] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\ParVdm.SYS[ntoskrnl.exe!IoCreateDevice] [F6D00660] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateDevice] [F6D00660] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\HTTP.sys[ntoskrnl.exe!IoCreateDevice] [F6D00660] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\Fastfat.SYS[ntoskrnl.exe!IoCreateDevice] [F6D00660] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 873651F8

AttachedDevice \FileSystem\Ntfs \Ntfs BdFileSpy.sys (BullGuard File Monitor (x86)/BullGuard Ltd.)

Device \FileSystem\Fastfat \FatCdrom 8621F1F8
Device \Driver\Tcpip \Device\Ip afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\Tcpip6 \Device\Ip6 afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\usbuhci \Device\USBPDO-0 871E9500
Device \Driver\usbuhci \Device\USBPDO-1 871E9500
Device \Driver\usbuhci \Device\USBPDO-2 871E9500
Device \Driver\usbuhci \Device\USBPDO-3 871E9500
Device \Driver\PCI_PNP6380 \Device\00000054 spic.sys
Device \Driver\usbehci \Device\USBPDO-4 871F11F8
Device \Driver\Tcpip \Device\Tcp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\Ftdisk \Device\HarddiskVolume1 873D91F8
Device \Driver\Cdrom \Device\CdRom0 86F2E1F8
Device \Driver\Tcpip6 \Device\RawIp6 afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\atapi \Device\Ide\IdePort0 [F730BB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F730BB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [F730BB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [F730BB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-9 [F730BB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\NetBT \Device\NetBT_Tcpip_{D9C8F4B4-0A7C-4A6E-AEEB-BF0A059F41E8} 86BEF500
Device \Driver\Tcpip6 \Device\Tcp6 afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\NetBT \Device\NetBt_Wins_Export 86BEF500
Device \Driver\NetBT \Device\NetbiosSmb 86BEF500
Device \Driver\Tcpip \Device\Udp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\Tcpip \Device\RawIp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\sptd \Device\3888017630 spic.sys
Device \Driver\usbuhci \Device\USBFDO-0 871E9500
Device \Driver\usbuhci \Device\USBFDO-1 871E9500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 86C46500
Device \Driver\Tcpip6 \Device\Udp6 afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\Tcpip \Device\IPMULTICAST afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\usbuhci \Device\USBFDO-2 871E9500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 86C46500
Device \Driver\usbuhci \Device\USBFDO-3 871E9500
Device \Driver\usbehci \Device\USBFDO-4 871F11F8
Device \Driver\Ftdisk \Device\FtControl 873D91F8
Device \Driver\ae7ipt56 \Device\Scsi\ae7ipt561 8717D1F8
Device \Driver\ae7ipt56 \Device\Scsi\ae7ipt561Port4Path0Target0Lun0 8717D1F8
Device \FileSystem\Fastfat \Fat 8621F1F8

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat BdFileSpy.sys (BullGuard File Monitor (x86)/BullGuard Ltd.)

Device \FileSystem\Cdfs \Cdfs 86F7D500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x53 0x06 0x1E 0xF5 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xB4 0xA3 0xD3 0xE7 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x00 0x2D 0x7F 0x56 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0xE8 0x59 0xBD 0x90 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BsFileScan\Statistics@UiTotalScans 3577
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xB8 0xD9 0x25 0xC5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xB4 0xA3 0xD3 0xE7 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x9C 0x1F 0x33 0x05 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0xE8 0x59 0xBD 0x90 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x74 0xA6 0x70 0x16 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xB4 0xA3 0xD3 0xE7 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xBD 0x09 0xBF 0xF8 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0xE8 0x59 0xBD 0x90 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x12 0xD5 0x37 0xBA ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xB4 0xA3 0xD3 0xE7 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x82 0x5D 0x94 0xF6 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0xE8 0x59 0xBD 0x90 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xFC 0x08 0xBF 0xC5 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xB4 0xA3 0xD3 0xE7 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x9C 0x1F 0x33 0x05 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0xE8 0x59 0xBD 0x90 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xB8 0xD9 0x25 0xC5 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xB4 0xA3 0xD3 0xE7 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x9C 0x1F 0x33 0x05 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0xE8 0x59 0xBD 0x90 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5491D9EB-8059-2C1E-F770-F0D2343490FF}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5491D9EB-8059-2C1E-F770-F0D2343490FF}@fadmdmgekeae 0x66 0x61 0x67 0x64 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5491D9EB-8059-2C1E-F770-F0D2343490FF}@jadmdmgeffngjbnalnfk 0x61 0x61 0x00 0x00
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5491D9EB-8059-2C1E-F770-F0D2343490FF}@kadmdmgelfeecocdjdjhai 0x61 0x61 0x00 0x00

---- EOF - GMER 1.0.15 ----


I stopped it because I noticed your next instruction.

I'm moving on to your next instruction.

kair
New Member


Date Joined Nov 2009
Total Posts : 11
 
Posted 11-1-2009 9:42 (GMT +1)
Avenger log

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\Documents and Settings\Owner\Desktop\RRT50010.exe" deleted successfully.

Error: file "C:\WINDOWS\system32\SCVVHSOT.exe" not found!
Deletion of file "C:\WINDOWS\system32\SCVVHSOT.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\Documents and Settings\Owner\Desktop\utorrent.exe" deleted successfully.
Folder "C:\DOCUME~1\Owner\LOCALS~1\Temp" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

kair
New Member


Date Joined Nov 2009
Total Posts : 11
 
Posted 11-1-2009 10:16 (GMT +1)
ComboFix log

ComboFix 09-10-30.01 - Owner 11/01/2009 16:41.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.665 [GMT 8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: BullGuard Antivirus *On-access scanning enabled* (Outdated) {7A9BB333-8EDF-4FDC-A2A5-1A30FA021913}
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: BullGuard Firewall *disabled* {2AEF4CB6-61B5-4E60-AF22-D95E75B63FA1}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Dr Watson\Dr Watson.exe
c:\documents and settings\All Users\Application Data\Microsoft\Microsoft.exe
c:\documents and settings\All Users\Documents\My Music\Desktop_.ini
c:\documents and settings\All Users\Documents\My Pictures\Desktop_.ini
c:\documents and settings\All Users\Documents\My Pictures\Sample Pictures\Desktop_.ini
c:\documents and settings\LocalService\Application Data\Microsoft\Microsoft.exe
c:\documents and settings\LocalService\Cookies\Cookies.exe
c:\documents and settings\LocalService\Favorites\Favorites.exe
c:\documents and settings\LocalService\Favorites\Links\Links.exe
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\Temporary Internet Files.exe
c:\documents and settings\NetworkService\Application Data\Microsoft\Microsoft.exe
c:\documents and settings\NetworkService\Cookies\Cookies.exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Temporary Internet Files.exe
c:\documents and settings\Owner\Application Data\inst.exe
c:\documents and settings\Owner\Cookies\Cookies.exe
c:\documents and settings\Owner\Favorites\Favorites.exe
c:\documents and settings\Owner\Favorites\Links\Links.exe
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\Temporary Internet Files.exe
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\Fonts\fonts.exe
c:\windows\msvrc20.dll
c:\windows\system\system.exe
c:\windows\system32\hrvmbxvn.ini
c:\windows\system32\lccdvhpu.ini
c:\windows\system32\restore\restore.exe
c:\windows\system32\setting.ini
c:\windows\system32\system.dll
c:\windows\system32\TvGQAJjl.ini
c:\windows\Tasks\Tasks.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASC3360PR
-------\Service_asc3360pr


((((((((((((((((((((((((( Files Created from 2009-10-01 to 2009-11-01 )))))))))))))))))))))))))))))))
.

2009-11-01 05:45 . 2009-11-01 08:03 -------- d-----w- C:\rsit
2009-11-01 02:47 . 2009-11-01 08:54 -------- d-----w- c:\documents and settings\All Users\Application Data\BullGuard
2009-11-01 02:47 . 2009-11-01 05:41 -------- d-----w- c:\documents and settings\Owner\Application Data\BullGuard
2009-11-01 02:44 . 2009-01-23 13:48 55504 ----a-w- c:\windows\system32\drivers\BdFileSpy.sys
2009-11-01 02:43 . 2009-11-01 02:43 -------- d-----w- c:\program files\BullGuard Ltd
2009-10-31 01:20 . 2009-10-31 01:42 96 ---ha-w- c:\windows\system32\HsInfo.dat
2009-10-29 13:28 . 2009-11-01 08:13 -------- d-----w- C:\Netts
2009-10-29 10:37 . 2009-11-01 08:54 -------- d-----w- c:\program files\Common Files\Akamai
2009-10-29 09:18 . 2009-10-31 03:06 -------- d-----w- c:\program files\Guild Wars
2009-10-27 05:44 . 2009-10-31 03:05 -------- d-----w- c:\program files\e-Games
2009-10-19 05:14 . 2009-10-31 02:59 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-01 08:32 . 2009-02-22 22:41 -------- d-----w- c:\program files\AsiaSoft Online
2009-11-01 08:13 . 2009-01-17 18:54 -------- d-----w- c:\program files\GALA-NET
2009-11-01 07:05 . 2008-09-21 14:22 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-11-01 05:45 . 2008-11-01 01:09 -------- d-----w- c:\program files\Trend Micro
2009-11-01 05:45 . 2009-07-23 13:22 -------- d-----w- c:\program files\PC Connectivity Solution
2009-11-01 05:42 . 2009-01-12 19:56 -------- d-----w- c:\program files\Folder Guard Pro
2009-11-01 05:41 . 2009-05-29 12:08 -------- d-----w- c:\program files\Pokemon World Online
2009-11-01 05:41 . 2009-06-11 13:11 -------- d-----w- c:\program files\Hamachi
2009-11-01 05:41 . 2008-08-28 10:10 -------- d-----w- c:\program files\Garena
2009-11-01 05:41 . 2009-07-05 11:02 -------- d-----w- c:\program files\DivX
2009-11-01 05:41 . 2009-06-01 13:29 -------- d-----w- c:\program files\Combined Community Codec Pack
2009-11-01 05:41 . 2008-09-22 06:26 -------- d-----w- c:\program files\CCleaner
2009-11-01 05:41 . 2008-11-09 04:04 -------- d-----w- c:\program files\7-Zip
2009-11-01 05:38 . 2008-12-01 04:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-01 05:20 . 2009-02-07 01:01 -------- d-s---w- c:\program files\Xfire
2009-11-01 05:02 . 2008-10-09 23:36 -------- d-----w- c:\documents and settings\Owner\Application Data\Yahoo!
2009-11-01 05:00 . 2009-02-07 01:01 -------- d-----w- c:\documents and settings\Owner\Application Data\Xfire
2009-11-01 04:59 . 2009-07-02 11:14 -------- d-----w- c:\documents and settings\Owner\Application Data\Vso
2009-11-01 04:58 . 2009-06-02 09:45 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2009-11-01 04:57 . 2008-11-21 22:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Fallout3
2009-11-01 04:50 . 2008-11-01 05:43 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-01 04:44 . 2009-02-12 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-11-01 04:35 . 2009-08-24 08:35 -------- d-----w- c:\documents and settings\Owner\Application Data\SpinTop
2009-11-01 04:34 . 2008-11-09 07:36 -------- d--h--r- c:\documents and settings\Owner\Application Data\SecuROM
2009-11-01 04:34 . 2008-11-07 00:02 -------- d-----w- c:\documents and settings\Owner\Application Data\Red Alert 3
2009-11-01 04:16 . 2009-07-23 13:25 -------- d-----w- c:\documents and settings\Owner\Application Data\PC Suite
2009-11-01 04:15 . 2009-07-23 13:25 -------- d-----w- c:\documents and settings\Owner\Application Data\Nokia
2009-11-01 04:14 . 2008-11-01 07:59 -------- d-----w- c:\documents and settings\Owner\Application Data\My Games
2009-11-01 03:32 . 2008-11-02 22:21 -------- d-----w- c:\documents and settings\Owner\Application Data\Moyea
2009-11-01 03:22 . 2007-01-14 16:05 -------- d-----w- c:\program files\Heroes of Newerth
2009-11-01 03:16 . 2009-02-12 19:03 -------- d-----w- c:\documents and settings\Owner\Application Data\Media Player Classic
2009-11-01 03:15 . 2008-12-01 04:52 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-11-01 03:03 . 2008-10-03 12:44 172032 ----a-w- c:\windows\amcap.exe
2009-11-01 03:01 . 2009-02-12 19:25 -------- d-----w- c:\program files\QuickTime
2009-11-01 02:59 . 2008-10-03 12:44 61440 ------w- c:\windows\VM303_STI.EXE
2009-11-01 02:57 . 2008-12-14 04:30 -------- d-----w- c:\program files\Total Video Converter
2009-11-01 02:57 . 2008-12-01 04:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-01 02:56 . 2009-06-27 07:23 -------- d-----w- c:\program files\softendo.com
2009-11-01 02:56 . 2008-12-10 17:19 -------- d-----w- c:\program files\SnailWeb
2009-11-01 02:56 . 2009-03-12 11:00 -------- d-----w- c:\program files\Silkroad
2009-11-01 02:55 . 2008-11-28 02:06 -------- d-----w- c:\program files\Reference Assemblies
2009-11-01 02:55 . 2008-09-22 08:49 -------- d-----w- c:\program files\Realtek Sound Manager
2009-11-01 02:55 . 2008-09-22 08:48 -------- d-----w- c:\program files\Realtek AC97
2009-10-28 12:50 . 2008-10-31 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-10-27 06:01 . 2008-09-21 16:40 -------- d-----w- c:\program files\IDA
2009-10-07 13:52 . 2008-10-31 19:30 5465632 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-07 13:52 . 2008-10-31 19:30 4860 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-10-07 13:52 . 2008-10-31 19:30 43780 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-10-07 13:52 . 2008-10-31 19:30 1105952 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-09-29 04:34 . 2007-01-14 16:28 397312 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\Application Data.exe
2009-09-29 04:33 . 2007-01-14 16:20 405504 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\Application Data.exe
2009-09-29 04:33 . 2007-01-14 16:20 393216 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\Application Data.exe
2009-09-29 04:22 . 2007-01-14 16:20 405504 ----a-w- c:\documents and settings\Owner\Application Data\Application Data.exe
2009-09-29 04:22 . 2007-01-14 16:20 401408 ----a-w- c:\documents and settings\NetworkService\Application Data\Application Data.exe
2009-09-29 04:22 . 2007-01-14 16:20 393216 ----a-w- c:\documents and settings\LocalService\Application Data\Application Data.exe
2009-09-29 04:18 . 2007-01-14 16:30 401408 ----a-w- c:\program files\Common Files\Common Files.exe
2009-09-28 13:51 . 2008-10-31 19:31 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-09-28 13:51 . 2008-10-31 19:31 107547 ----a-w- c:\windows\system32\drivers\klin.dat
2009-09-25 05:37 . 2004-08-04 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:37 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-11 14:18 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 06:54 . 2008-12-01 04:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 06:53 . 2008-12-01 04:52 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-31 07:18 . 2008-09-08 00:28 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-26 08:00 . 2004-08-04 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-24 09:04 . 2009-08-24 09:04 16 ----a-w- c:\windows\popcinfo.dat
2009-08-20 18:09 . 2009-02-03 05:26 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-15 20:44 . 2009-06-27 07:20 56 --sh--r- c:\windows\system32\72E7E21E81.sys
2009-08-10 16:10 . 2008-08-29 00:44 27600 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 11:24 . 2008-08-26 09:25 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 11:24 . 2008-08-26 09:25 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 11:24 . 2008-08-26 09:25 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 11:24 . 2007-07-31 02:19 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 11:24 . 2008-08-26 09:25 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 11:24 . 2004-08-04 12:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 11:23 . 2008-08-26 09:25 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 11:23 . 2008-08-26 09:25 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2004-08-04 12:00 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-03 22:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-08-03 23:46 . 2009-06-28 08:20 952 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-08-03 23:46 . 2009-06-28 08:20 88 --sh--r- c:\documents and settings\All Users\Application Data\811EE2E772.sys
2009-07-13 13:23 . 2009-07-05 11:08 56 --sh--r- c:\windows\system32\A71462A9CB.sys
2007-01-14 20:30 . 2009-07-05 11:07 14084 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2008-04-14 . 561A50497324F378E30F55D09B4E1258 . 975872 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-04-14 . 561A50497324F378E30F55D09B4E1258 . 975872 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Internet Download Accelerator"="c:\program files\IDA\ida.exe" [2009-02-13 2415104]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-01 127488]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2009-07-24 304464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BigDog303"="c:\windows\VM303_STI.EXE" [2009-11-01 61440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-01 180224]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2009-07-24 304464]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 55808]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BgMainSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Internet Download Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Internet Download Accelerator.lnk
backup=c:\windows\pss\Internet Download Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VersionTrackerPro.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VersionTrackerPro.lnk
backup=c:\windows\pss\VersionTrackerPro.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Shortcut to 29.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Shortcut to 29.lnk
backup=c:\windows\pss\Shortcut to 29.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Shortcut to f3.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Shortcut to f3.lnk
backup=c:\windows\pss\Shortcut to f3.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Shortcut to ismak32.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Shortcut to ismak32.lnk
backup=c:\windows\pss\Shortcut to ismak32.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^UberIcon.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\UberIcon.lnk
backup=c:\windows\pss\UberIcon.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^uTorrent Turbo Booster.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\uTorrent Turbo Booster.lnk
backup=c:\windows\pss\uTorrent Turbo Booster.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Y'z Shadow.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Y'z Shadow.lnk
backup=c:\windows\pss\Y'z Shadow.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"YahooAUService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\ismak32.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\Granary\\Granary.exe"=
"c:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"=
"c:\\warcraft iii\\war3.exe"=
"c:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 2009\\avp.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\WINDOWS\\system32\\Ati2evxx.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ymsgr_tray.exe"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
"c:\\WINDOWS\\VM303_STI.EXE"=
"c:\\PROGRA~1\\FOLDER~1\\FGKey.exe"=
"c:\\Documents and Settings\\All Users\\Documents\\HighStreet 5\\5street\\BugReport.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jqsnotify.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
"c:\\Warcraft III\\Frozen Throne.exe"=
"c:\\Documents and Settings\\All Users\\Documents\\HighStreet 5\\5street.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/30/2008 9:29 AM 33808]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 8:00 PM 14336]
R2 BdFileSpy;BullGuard File Monitor Driver;c:\windows\system32\drivers\BdFileSpy.sys [11/1/2009 10:44 AM 55504]
R2 BsFileScan;BullGuard File Scan Service;c:\windows\System32\svchost.exe -k BullGuard [8/4/2004 8:00 PM 14336]
R2 BsFire;BullGuard Firewall Service;c:\windows\System32\svchost.exe -k BullGuard [8/4/2004 8:00 PM 14336]
R2 BsMailProxy;BullGuard Email Monitoring Service;c:\windows\System32\svchost.exe -k BullGuard [8/4/2004 8:00 PM 14336]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [3/23/2009 8:07 PM 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [3/23/2009 8:07 PM 257304]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [5/1/2008 9:06 AM 24592]
S3 BGRaSvc;BGRaSvc;c:\program files\BullGuard Ltd\BullGuard\support\BGRaSvc.exe [6/1/2009 7:50 PM 79184]
S3 FGUARD32;FGUARD32;c:\program files\Folder Guard Pro\FGUARD32.SYS [1/13/2009 3:56 AM 48896]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\Owner\LOCALS~1\Temp\WCQ1B.tmp --> c:\docume~1\Owner\LOCALS~1\Temp\WCQ1B.tmp [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [12/1/2008 12:52 PM 38224]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [10/1/2006 8:37 PM 26624]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - MBR
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
BullGuard REG_MULTI_SZ BgMainSvc BsFileScan BsMailProxy BsFire
.
Contents of the 'Scheduled Tasks' folder

2009-11-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1085031214-1757981266-725345543-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-27 02:59]

2009-11-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1085031214-1757981266-725345543-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-27 02:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.garena.com/portal/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Download ALL with IDA - c:\program files\IDA\idaieall.htm
IE: Download with IDA - c:\program files\IDA\idaie.htm
LSP: c:\windows\system32\BGLsp.dll
TCP: {D9C8F4B4-0A7C-4A6E-AEEB-BF0A059F41E8} = 192.168.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\utpnyazp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1361345&SearchSource=3&q={searchTerms}
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1361345&SearchSource=2&q=
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\utpnyazp.default\extensions\{35b675b9-7f34-40df-8f49-5fab6b7e4aef}\components\FFAlert.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\utpnyazp.default\extensions\{a33fa729-d155-4b23-842b-2c665ecabdb6}\components\FFExternalAlert.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft Silverlight\npctrl.1.0.21115.0.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npida.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-uTorrent - c:\documents and settings\Owner\Desktop\utorrent.exe
HKLM-Run-RRT-Auto - c:\documents and settings\Owner\Desktop\RRT50010.exe
ShellExecuteHooks-{21D48921-6AC2-4907-99C3-B98F17E17993} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-01 16:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
BigDog303 = c:\windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)????????????????0?????????@??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spyb.sys >>UNKNOWN [0x87386938]<<
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

atapi.sys @ 0x0 0x0 bytes

\Driver\atapi [ IRP_MJ_CREATE ] 0xA6F2 != 0xF7328B40 atapi.sys
\Driver\atapi [ IRP_MJ_CLOSE ] 0xA6F2 != 0xF7328B40 atapi.sys
\Driver\atapi [ IRP_MJ_DEVICE_CONTROL ] 0xA712 != 0xF7328B40 atapi.sys
\Driver\atapi [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0x6852 != 0xF7328B40 atapi.sys
\Driver\atapi [ IRP_MJ_POWER ] 0xA73C != 0xF7328B40 atapi.sys
\Driver\atapi [ IRP_MJ_SYSTEM_CONTROL ] 0x11336 != 0xF7328B40 atapi.sys
\Driver\atapi IRP hooks detected !

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Akamai]
"ServiceDll"="C:/Program Files/Common Files/Akamai/rswin_3600.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Akamai]
"ServiceDll"="C:/Program Files/Common Files/Akamai/rswin_3600.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\Owner\LOCALS~1\Temp\WCQ1B.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1085031214-1757981266-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5491D9EB-8059-2C1E-F770-F0D2343490FF}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"fadmdmgekeae"=hex:66,61,67,64,61,62,63,62,69,65,62,67,00,00
"jadmdmgeffngjbnalnfk"=hex:61,61,00,00
"kadmdmgelfeecocdjdjhai"=hex:61,61,00,00

[HKEY_USERS\S-1-5-21-1085031214-1757981266-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:7d,38,cf,27,09,1a,ca,8b,04,2f,f7,8e,8b,20,47,8a,9f,cc,9d,a0,5c,
fb,00,f7,a9,73,d7,6e,49,06,9e,39,7a,93,e3,e0,0e,cb,1a,7f,7e,9e,d5,1c,e3,42,\
"rkeysecu"=hex:b8,96,d9,6a,d3,b5,6b,2a,7d,43,65,8d,98,64,eb,80

[HKEY_LOCAL_MACHINE\System\MountedDevices]
@Denied: (Read) (Administrator)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1804)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1860)
c:\windows\system32\BGLsp.dll

- - - - - - - > 'explorer.exe'(3976)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\msi.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-01 17:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-01 09:00

Pre-Run: 1,201,414,144 bytes free
Post-Run: 2,212,089,856 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=2 Default=2 Failed=5 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 3E9F9ECB951F0733171FD378DF75384B

kair
New Member


Date Joined Nov 2009
Total Posts : 11
 
   Posted 11-1-2009 10:19 (GMT +1)
Am I good to go?

Another question:

Can I do this process on all of my infected PCs?

I got like 5 more infected PCs :D

Thank you very much, I hope I can help in the near future.

kair
New Member


Date Joined Nov 2009
Total Posts : 11
 
   Posted 11-1-2009 12:25 (GMT +1)
Sir, I'm still infected. The viruses are:

Win32.Worm.Sohanad.NBL
Worm.Generic.66037
Win32.Sality.OG
Trojan.Autorun.ADI

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 16319
 
   Posted 11-2-2009 6:06 (GMT +1)
Yes, you are still infected ;-)
 
Download Win32kDiag.exe directly to your Desktop.

Go to Start - Run, type cmd (and press OK). At the prompt, type or copy/paste the following, pressing Enter after each line:

cd\
win32kdiag -r -f


Once that completes, press any key to finish the scan. Post the new Win32kDiag.txt log with your next reply (it should be located on the desktop).

If by chance you cannot run the command window steps ->
Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.
 
"%userprofile%\desktop\win32kdiag.exe" -f -r
 
When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with Notepad and post the contents here, along with a ComboFix log ->
 
Open Notepad and copy/paste the bold text in the codebox below into it.
Name the file CFScript
and save it on the desktop.
 
Code:
Killall::
Snapshot::
File::
c:\documents and settings\Owner\Local Settings\Application Data\Application Data.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\Application Data.exe
c:\documents and settings\LocalService\Local Settings\Application Data\Application Data.exe
c:\documents and settings\Owner\Application Data\Application Data.exe
c:\documents and settings\NetworkService\Application Data\Application Data.exe
c:\documents and settings\LocalService\Application Data\Application Data.exe
c:\program files\Common Files\Common Files.exe
Fcopy::
c:\windows\$NtServicePackUninstall$\explorer.exe | c:\windows\explorer.exe
 
 
Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe.
 
ComboFix will create a log file and display it after your computer has rebooted. It is usually located at c:\combofix.txt.


Do NOT post your problem in someone else's thread.
A non-profit, volunteer network.

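The CFScript above goes after executables named after the folder they sit in (Application Data.exe, Common Files.exe), which is the disguise the worm in this thread uses. As an added example, not part of the thread or of ComboFix, here is a triage script that parses the line formats found in the ComboFix logs posted in this thread and flags that pattern, together with root-level executables, a root-level autorun.inf and services whose image runs from a Temp directory; the rule names and the sample excerpt are my own choices, and the rules are heuristics for review, not verdicts.

```python
"""Triage helper for ComboFix-style logs: flag the worm patterns seen in this thread.

Added example, not part of the thread or of ComboFix.  Rules (all heuristics):
  * an .exe named after its parent folder (Documents.exe inside Documents),
    the disguise the "foldername.exe" worm in this thread uses;
  * an .exe or autorun.inf sitting in a drive root, the autorun-spreading pair;
  * a service whose image lives in a Temp directory.
"""
import re
from pathlib import PureWindowsPath

# Lines excerpted from the ComboFix logs posted in this thread (Other Deletions,
# Find3M and service sections); the mix exercises each line format the parser handles.
SAMPLE_LOG = r"""
C:\autorun.inf
c:\documents and settings\All Users\Documents\Documents.exe
c:\documents and settings\Owner\Local Settings\Application Data\Application Data.exe
C:\new folder.exe
c:\program files\Common Files\Common Files.exe
C:\SCVVHSOT.exe
2009-11-01 02:44 . 2009-01-23 13:48 55504 ----a-w- c:\windows\system32\drivers\BdFileSpy.sys
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\Owner\LOCALS~1\Temp\WCQ1B.tmp --> c:\docume~1\Owner\LOCALS~1\Temp\WCQ1B.tmp [?]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [10/1/2006 8:37 PM 26624]
"""

# Find3M line: "<date time> . <date time> <size|--------> <attrs> <path>"
FIND3M_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} (\S+) (\S{8}) (.+)$"
)
# Service line: "<R|S><n> <name>;<display name>;<image path> [...]"
SERVICE_RE = re.compile(r"^[RS]\d [^;]+;[^;]*;(.+)$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_line(line):
    """Return (kind, path) for a recognised log line, or None.

    kind is 'service', 'file' or 'dir'; directories come from Find3M lines whose
    size column is '--------'.
    """
    line = line.strip()
    m = SERVICE_RE.match(line)
    if m:
        image = m.group(1)
        if image.startswith("\\??\\"):          # NT object-manager prefix
            image = image[4:]
        # drop ' --> duplicate', ' [date size]' and ' -k group' style suffixes
        image = re.split(r" --> | \[| -\w", image, maxsplit=1)[0]
        return "service", image
    m = FIND3M_RE.match(line)
    if m:
        size, _attrs, path = m.groups()
        return ("dir" if size == "--------" else "file"), path
    if DRIVE_PATH_RE.match(line):                # bare path, e.g. Other Deletions
        return "file", line
    return None


def classify(kind, path):
    """Apply the heuristics to one parsed entry; return the matching rule names."""
    p = PureWindowsPath(path)
    hits = []
    in_root = len(p.parts) == 2                  # ('C:\\', 'name')
    if kind == "file":
        if p.suffix.lower() == ".exe" and p.stem.lower() == p.parent.name.lower():
            hits.append("folder-name executable")
        if in_root and p.suffix.lower() == ".exe":
            hits.append("executable in drive root")
        if in_root and p.name.lower() == "autorun.inf":
            hits.append("autorun.inf in drive root")
    if kind == "service" and any(part.lower() in ("temp", "tmp") for part in p.parts):
        hits.append("service image in a Temp directory")
    return hits


def scan_log(text):
    """Return [(rule, path), ...] for every flagged entry in a log excerpt."""
    findings = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, path = parsed
        for rule in classify(kind, path):
            findings.append((rule, path))
    return findings


if __name__ == "__main__":
    for rule, path in scan_log(SAMPLE_LOG):
        print(f"{rule:34} {path}")
```

Run it on a full ComboFix log to get a short review list; anything it prints still needs a human look, since legitimate software occasionally matches the root-level and Temp rules.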

kair
New Member


Date Joined Nov 2009
Total Posts : 11
 
   Posted 11-2-2009 9:57 (GMT +1)
ComboFix

ComboFix 09-11-01.04 - Owner 11/02/2009 16:23.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.411 [GMT 8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: BullGuard Antivirus *On-access scanning enabled* (Outdated) {7A9BB333-8EDF-4FDC-A2A5-1A30FA021913}
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: BullGuard Firewall *disabled* {2AEF4CB6-61B5-4E60-AF22-D95E75B63FA1}

FILE ::
"c:\documents and settings\LocalService\Application Data\Application Data.exe"
"c:\documents and settings\LocalService\Local Settings\Application Data\Application Data.exe"
"c:\documents and settings\NetworkService\Application Data\Application Data.exe"
"c:\documents and settings\NetworkService\Local Settings\Application Data\Application Data.exe"
"c:\documents and settings\Owner\Application Data\Application Data.exe"
"c:\documents and settings\Owner\Local Settings\Application Data\Application Data.exe"
"c:\program files\Common Files\Common Files.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\documents and settings\All Users\Documents\Documents.exe
c:\documents and settings\Owner\Local Settings\Application Data\Application Data.exe
C:\new folder.exe
c:\program files\Common Files\Common Files.exe
C:\SCVVHSOT.exe

.
--------------- FCopy ---------------

c:\windows\$NtServicePackUninstall$\explorer.exe --> c:\windows\explorer.exe
.
((((((((((((((((((((((((( Files Created from 2009-10-02 to 2009-11-02 )))))))))))))))))))))))))))))))
.

2009-11-02 01:38 . 2009-11-02 01:38 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-02 01:36 . 2009-11-02 01:36 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-02 01:36 . 2009-11-02 01:36 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-11-01 09:59 . 2009-11-01 09:59 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2009-11-01 09:58 . 2009-11-01 12:36 -------- d-----w- c:\program files\RegCure
2009-11-01 09:46 . 2009-11-01 09:46 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
2009-11-01 09:46 . 2009-11-01 09:46 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-11-01 09:46 . 2009-11-01 09:46 -------- d-----w- c:\program files\ParetoLogic
2009-11-01 09:46 . 2009-11-01 09:46 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-11-01 05:45 . 2009-11-02 06:54 -------- d-----w- C:\rsit
2009-11-01 02:47 . 2009-11-02 06:17 -------- d-----w- c:\documents and settings\All Users\Application Data\BullGuard
2009-11-01 02:47 . 2009-11-01 11:25 -------- d-----w- c:\documents and settings\Owner\Application Data\BullGuard
2009-11-01 02:44 . 2009-01-23 13:48 55504 ----a-w- c:\windows\system32\drivers\BdFileSpy.sys
2009-11-01 02:43 . 2009-11-01 02:43 -------- d-----w- c:\program files\BullGuard Ltd
2009-10-31 01:20 . 2009-11-02 00:12 96 ---ha-w- c:\windows\system32\HsInfo.dat
2009-10-29 13:28 . 2009-11-02 08:16 -------- d-----w- C:\Netts
2009-10-29 10:37 . 2009-11-02 08:30 -------- d-----w- c:\program files\Common Files\Akamai
2009-10-29 09:18 . 2009-10-31 03:06 -------- d-----w- c:\program files\Guild Wars
2009-10-27 05:44 . 2009-10-31 03:05 -------- d-----w- c:\program files\e-Games
2009-10-19 05:14 . 2009-10-31 02:59 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-02 08:29 . 2009-02-22 22:41 -------- d-----w- c:\program files\AsiaSoft Online
2009-11-02 08:29 . 2009-01-17 18:54 -------- d-----w- c:\program files\GALA-NET
2009-11-02 08:28 . 2008-10-31 19:30 5465632 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-11-02 08:28 . 2008-10-31 19:30 4860 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-11-02 08:28 . 2008-10-31 19:30 43780 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-11-02 08:28 . 2008-10-31 19:30 1105952 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-11-02 08:22 . 2009-02-07 01:01 -------- d-s---w- c:\program files\Xfire
2009-11-02 06:23 . 2008-08-28 10:10 -------- d-----w- c:\program files\Garena
2009-11-02 06:18 . 2008-11-09 04:04 -------- d-----w- c:\program files\7-Zip
2009-11-02 01:34 . 2008-12-13 03:28 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-01 12:29 . 2009-01-26 23:08 -------- d-----w- c:\program files\MP3 Player Utilities 4.05
2009-11-01 12:29 . 2009-07-23 13:22 -------- d-----w- c:\program files\PC Connectivity Solution
2009-11-01 12:28 . 2009-02-12 19:25 -------- d-----w- c:\program files\QuickTime
2009-11-01 12:26 . 2009-01-12 19:56 -------- d-----w- c:\program files\Folder Guard Pro
2009-11-01 12:24 . 2009-08-20 18:54 -------- d-----w- c:\documents and settings\Owner\Application Data\com.Multiply.AutoUploader.C7DF09F73C2059D294831784007C5F0856677385.1
2009-11-01 12:22 . 2009-02-12 21:39 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Xfire
2009-11-01 10:05 . 2008-10-04 09:36 -------- d-----w- c:\program files\MagicISO
2009-11-01 10:04 . 2007-01-14 16:05 -------- d-----w- c:\program files\Heroes of Newerth
2009-11-01 07:05 . 2008-09-21 14:22 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-11-01 05:45 . 2008-11-01 01:09 -------- d-----w- c:\program files\Trend Micro
2009-11-01 05:41 . 2009-05-29 12:08 -------- d-----w- c:\program files\Pokemon World Online
2009-11-01 05:41 . 2009-06-11 13:11 -------- d-----w- c:\program files\Hamachi
2009-11-01 05:41 . 2009-07-05 11:02 -------- d-----w- c:\program files\DivX
2009-11-01 05:41 . 2009-06-01 13:29 -------- d-----w- c:\program files\Combined Community Codec Pack
2009-11-01 05:41 . 2008-09-22 06:26 -------- d-----w- c:\program files\CCleaner
2009-11-01 05:38 . 2008-12-01 04:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-01 05:02 . 2008-10-09 23:36 -------- d-----w- c:\documents and settings\Owner\Application Data\Yahoo!
2009-11-01 05:00 . 2009-02-07 01:01 -------- d-----w- c:\documents and settings\Owner\Application Data\Xfire
2009-11-01 04:59 . 2009-07-02 11:14 -------- d-----w- c:\documents and settings\Owner\Application Data\Vso
2009-11-01 04:58 . 2009-06-02 09:45 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2009-11-01 04:57 . 2008-11-21 22:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Fallout3
2009-11-01 04:50 . 2008-11-01 05:43 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-01 04:44 . 2009-02-12 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-11-01 04:35 . 2009-08-24 08:35 -------- d-----w- c:\documents and settings\Owner\Application Data\SpinTop
2009-11-01 04:34 . 2008-11-09 07:36 -------- d--h--r- c:\documents and settings\Owner\Application Data\SecuROM
2009-11-01 04:34 . 2008-11-07 00:02 -------- d-----w- c:\documents and settings\Owner\Application Data\Red Alert 3
2009-11-01 04:16 . 2009-07-23 13:25 -------- d-----w- c:\documents and settings\Owner\Application Data\PC Suite
2009-11-01 04:15 . 2009-07-23 13:25 -------- d-----w- c:\documents and settings\Owner\Application Data\Nokia
2009-11-01 04:14 . 2008-11-01 07:59 -------- d-----w- c:\documents and settings\Owner\Application Data\My Games
2009-11-01 03:32 . 2008-11-02 22:21 -------- d-----w- c:\documents and settings\Owner\Application Data\Moyea
2009-11-01 03:16 . 2009-02-12 19:03 -------- d-----w- c:\documents and settings\Owner\Application Data\Media Player Classic
2009-11-01 03:15 . 2008-12-01 04:52 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-11-01 03:03 . 2008-10-03 12:44 172032 ----a-w- c:\windows\amcap.exe
2009-11-01 02:59 . 2008-10-03 12:44 61440 ------w- c:\windows\VM303_STI.EXE
2009-11-01 02:57 . 2008-12-14 04:30 -------- d-----w- c:\program files\Total Video Converter
2009-11-01 02:57 . 2008-12-01 04:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-01 02:56 . 2009-06-27 07:23 -------- d-----w- c:\program files\softendo.com
2009-11-01 02:56 . 2008-12-10 17:19 -------- d-----w- c:\program files\SnailWeb
2009-11-01 02:56 . 2009-03-12 11:00 -------- d-----w- c:\program files\Silkroad
2009-11-01 02:55 . 2008-11-28 02:06 -------- d-----w- c:\program files\Reference Assemblies
2009-11-01 02:55 . 2008-09-22 08:49 -------- d-----w- c:\program files\Realtek Sound Manager
2009-11-01 02:55 . 2008-09-22 08:48 -------- d-----w- c:\program files\Realtek AC97
2009-10-27 06:01 . 2008-09-21 16:40 -------- d-----w- c:\program files\IDA
2009-09-28 13:51 . 2008-10-31 19:31 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-09-28 13:51 . 2008-10-31 19:31 107547 ----a-w- c:\windows\system32\drivers\klin.dat
2009-09-25 05:37 . 2004-08-04 12:00 667136 ------w- c:\windows\system32\wininet.dll
2009-09-25 05:37 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-11 14:18 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 06:54 . 2008-12-01 04:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 06:53 . 2008-12-01 04:52 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-31 07:18 . 2008-09-08 00:28 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-26 08:00 . 2004-08-04 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-24 09:04 . 2009-08-24 09:04 16 ----a-w- c:\windows\popcinfo.dat
2009-08-20 18:09 . 2009-02-03 05:26 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-15 20:44 . 2009-06-27 07:20 56 --sh--r- c:\windows\system32\72E7E21E81.sys
2009-08-10 16:10 . 2008-08-29 00:44 27600 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 11:24 . 2008-08-26 09:25 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 11:24 . 2008-08-26 09:25 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 11:24 . 2008-08-26 09:25 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 11:24 . 2007-07-31 02:19 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 11:24 . 2008-08-26 09:25 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 11:24 . 2004-08-04 12:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 11:23 . 2008-08-26 09:25 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 11:23 . 2008-08-26 09:25 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2004-08-04 12:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-03 22:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-07-13 13:23 . 2009-07-05 11:08 56 --sh--r- c:\windows\system32\A71462A9CB.sys
2007-01-14 20:30 . 2009-07-05 11:07 14084 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Internet Download Accelerator"="c:\program files\IDA\ida.exe" [2009-02-13 2415104]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-01 127488]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2009-07-24 304464]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-12 2000112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BigDog303"="c:\windows\VM303_STI.EXE" [2009-11-01 61440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-01 180224]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2009-07-24 304464]
"ParetoLogic Anti-Virus PLUS"="c:\program files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.lnk" [2009-11-02 2355]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 55808]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 07:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BgMainSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Internet Download Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Internet Download Accelerator.lnk
backup=c:\windows\pss\Internet Download Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VersionTrackerPro.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VersionTrackerPro.lnk
backup=c:\windows\pss\VersionTrackerPro.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Shortcut to 29.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Shortcut to 29.lnk
backup=c:\windows\pss\Shortcut to 29.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Shortcut to f3.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Shortcut to f3.lnk
backup=c:\windows\pss\Shortcut to f3.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Shortcut to ismak32.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Shortcut to ismak32.lnk
backup=c:\windows\pss\Shortcut to ismak32.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^UberIcon.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\UberIcon.lnk
backup=c:\windows\pss\UberIcon.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^uTorrent Turbo Booster.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\uTorrent Turbo Booster.lnk
backup=c:\windows\pss\uTorrent Turbo Booster.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Y'z Shadow.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Y'z Shadow.lnk
backup=c:\windows\pss\Y'z Shadow.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"YahooAUService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\ismak32.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\Granary\\Granary.exe"=
"c:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"=
"c:\\warcraft iii\\war3.exe"=
"c:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 2009\\avp.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\WINDOWS\\system32\\Ati2evxx.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ymsgr_tray.exe"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
"c:\\WINDOWS\\VM303_STI.EXE"=
"c:\\PROGRA~1\\FOLDER~1\\FGKey.exe"=
"c:\\Documents and Settings\\All Users\\Documents\\HighStreet 5\\5street\\BugReport.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jqsnotify.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
"c:\\Warcraft III\\Frozen Throne.exe"=
"c:\\Documents and Settings\\All Users\\Documents\\HighStreet 5\\5street.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/30/2008 9:29 AM 33808]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 9:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 9:24 PM 74480]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 8:00 PM 14336]
R2 BdFileSpy;BullGuard File Monitor Driver;c:\windows\system32\drivers\BdFileSpy.sys [11/1/2009 10:44 AM 55504]
R2 BsFileScan;BullGuard File Scan Service;c:\windows\System32\svchost.exe -k BullGuard [8/4/2004 8:00 PM 14336]
R2 BsFire;BullGuard Firewall Service;c:\windows\System32\svchost.exe -k BullGuard [8/4/2004 8:00 PM 14336]
R2 BsMailProxy;BullGuard Email Monitoring Service;c:\windows\System32\svchost.exe -k BullGuard [8/4/2004 8:00 PM 14336]
R2 ZeppelinService;plasservice;c:\program files\Common Files\ParetoLogic\PLAS\plasservice.exe [2/18/2009 2:40 PM 587216]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [3/23/2009 8:07 PM 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [3/23/2009 8:07 PM 257304]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [5/1/2008 9:06 AM 24592]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 9:24 PM 7408]
S3 BGRaSvc;BGRaSvc;c:\program files\BullGuard Ltd\BullGuard\support\BGRaSvc.exe [6/1/2009 7:50 PM 79184]
S3 FGUARD32;FGUARD32;c:\program files\Folder Guard Pro\FGUARD32.SYS [1/13/2009 3:56 AM 48896]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\Owner\LOCALS~1\Temp\BEZ69.tmp --> c:\docume~1\Owner\LOCALS~1\Temp\BEZ69.tmp [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [12/1/2008 12:52 PM 38224]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [10/1/2006 8:37 PM 26624]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
BullGuard REG_MULTI_SZ BgMainSvc BsFileScan BsMailProxy BsFire
.
Contents of the 'Scheduled Tasks' folder

2009-11-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1085031214-1757981266-725345543-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-27 02:59]

2009-11-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1085031214-1757981266-725345543-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-27 02:59]

2009-11-01 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 04:25]

2009-11-01 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 04:25]

2009-11-02 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 19:46]

2009-11-02 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 19:46]

2009-11-01 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 19:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.garena.com/portal/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Download ALL with IDA - c:\program files\IDA\idaieall.htm
IE: Download with IDA - c:\program files\IDA\idaie.htm
LSP: c:\windows\system32\BGLsp.dll
TCP: {D9C8F4B4-0A7C-4A6E-AEEB-BF0A059F41E8} = 192.168.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\utpnyazp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1361345&SearchSource=3&q={searchTerms}
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1361345&SearchSource=2&q=
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\utpnyazp.default\extensions\{35b675b9-7f34-40df-8f49-5fab6b7e4aef}\components\FFAlert.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\utpnyazp.default\extensions\{a33fa729-d155-4b23-842b-2c665ecabdb6}\components\FFExternalAlert.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft Silverlight\npctrl.1.0.21115.0.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npida.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-02 16:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
BigDog303 = c:\windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)????????????????0?????????@??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spum.sys >>UNKNOWN [0x87386938]<<
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

atapi.sys @ 0x0 0x0 bytes

\Driver\atapi [ IRP_MJ_CREATE ] 0xA6F2 != 0xF730BB40 atapi.sys
\Driver\atapi [ IRP_MJ_CLOSE ] 0xA6F2 != 0xF730BB40 atapi.sys
\Driver\atapi [ IRP_MJ_DEVICE_CONTROL ] 0xA712 != 0xF730BB40 atapi.sys
\Driver\atapi [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0x6852 != 0xF730BB40 atapi.sys
\Driver\atapi [ IRP_MJ_POWER ] 0xA73C != 0xF730BB40 atapi.sys
\Driver\atapi [ IRP_MJ_SYSTEM_CONTROL ] 0x11336 != 0xF730BB40 atapi.sys
\Driver\atapi IRP hooks detected !

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Akamai]
"ServiceDll"="C:/Program Files/Common Files/Akamai/rswin_3600.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Akamai]
"ServiceDll"="C:/Program Files/Common Files/Akamai/rswin_3600.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\Owner\LOCALS~1\Temp\BEZ69.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1085031214-1757981266-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5491D9EB-8059-2C1E-F770-F0D2343490FF}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"fadmdmgekeae"=hex:66,61,67,64,61,62,63,62,69,65,62,67,00,00
"jadmdmgeffngjbnalnfk"=hex:61,61,00,00
"kadmdmgelfeecocdjdjhai"=hex:61,61,00,00

[HKEY_USERS\S-1-5-21-1085031214-1757981266-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:7d,38,cf,27,09,1a,ca,8b,04,2f,f7,8e,8b,20,47,8a,9f,cc,9d,a0,5c,
fb,00,f7,a9,73,d7,6e,49,06,9e,39,7a,93,e3,e0,0e,cb,1a,7f,7e,9e,d5,1c,e3,42,\
"rkeysecu"=hex:b8,96,d9,6a,d3,b5,6b,2a,7d,43,65,8d,98,64,eb,80

[HKEY_LOCAL_MACHINE\System\MountedDevices]
@Denied: (Read) (Administrator)
"\\??\\Volume{4d130f02-730f-11dd-a48f-806d6172696f}"=hex:5c,00,3f,00,3f,00,5c,
00,46,00,44,00,43,00,23,00,47,00,45,00,4e,00,45,00,52,00,49,00,43,00,5f,00,\
"\\??\\Volume{4d130f03-730f-11dd-a48f-806d6172696f}"=hex:5c,00,3f,00,3f,00,5c,
00,49,00,44,00,45,00,23,00,43,00,64,00,52,00,6f,00,6d,00,48,00,4c,00,2d,00,\
"\\??\\Volume{4d130f04-730f-11dd-a48f-806d6172696f}"=hex:f5,9c,f5,9c,00,7e,00,
00,00,00,00,00
"\\DosDevices\\C:"=hex:f5,9c,f5,9c,00,7e,00,00,00,00,00,00
"\\DosDevices\\A:"=hex:5c,00,3f,00,3f,00,5c,00,46,00,44,00,43,00,23,00,47,00,
45,00,4e,00,45,00,52,00,49,00,43,00,5f,00,46,00,4c,00,4f,00,50,00,50,00,59,\
"\\DosDevices\\D:"=hex:5c,00,3f,00,3f,00,5c,00,53,00,43,00,53,00,49,00,23,00,
43,00,64,00,52,00,6f,00,6d,00,26,00,56,00,65,00,6e,00,5f,00,4f,00,4e,00,35,\
"\\??\\Volume{b5a27723-87e8-11dd-a9f4-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{16405368-9149-11dd-aa66-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{fbe11f98-9203-11dd-aa6e-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{fbe11f99-9203-11dd-aa6e-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\DosDevices\\E:"=hex:5c,00,3f,00,3f,00,5c,00,53,00,54,00,4f,00,52,00,41,00,
47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,76,00,61,00,62,00,6c,00,65,00,4d,\
"\\??\\Volume{4111160e-951f-11dd-aa94-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,43,00,53,00,49,00,23,00,43,00,64,00,52,00,6f,00,6d,00,26,00,56,00,\
"\\??\\Volume{ace2cd3e-96c6-11dd-aaa7-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,43,00,53,00,49,00,23,00,43,00,64,00,52,00,6f,00,6d,00,26,00,56,00,\
"\\??\\Volume{a27376b6-9885-11dd-aab0-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{061f9710-a059-11dd-aafb-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{c6fe98cc-a866-11dd-ab41-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\DosDevices\\F:"=hex:5c,00,3f,00,3f,00,5c,00,53,00,54,00,4f,00,52,00,41,00,
47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,76,00,61,00,62,00,6c,00,65,00,4d,\
"\\??\\Volume{344198c8-ad24-11dd-ab5b-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{55397e72-c40a-11dd-ac23-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{864b6752-cf7a-11dd-ac73-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{864b6753-cf7a-11dd-ac73-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{5740298e-d071-11dd-ac7d-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{cfe80515-d55b-11dd-aca2-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{2027a140-e134-11dd-ad06-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{16e001a0-ecf4-11dd-ad67-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{2ca1afd4-ed54-11dd-ad68-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{903a1e7c-efc1-11dd-ad7e-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{5321b35f-f300-11dd-ad97-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{05b84c9a-f644-11dd-adb2-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{da55a904-f9ee-11dd-adcb-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{0f9a34f8-faef-11dd-add9-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{959e8ae8-0177-11de-ae20-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{5bc6cf1e-01e1-11de-ae23-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{810464a8-0295-11de-ae2b-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{112ed3d6-09d7-11de-ae67-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{88721b62-0cd7-11de-ae7e-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{2dc99d69-0ef6-11de-ae94-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{b133a66a-139e-11de-aeb1-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{b133a66b-139e-11de-aeb1-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{64f9f510-5d3b-11de-aebc-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{86224611-5fc6-11de-aed0-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{86224612-5fc6-11de-aed0-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{9b8a9482-62b7-11de-aee5-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{f2244ce4-66da-11de-af05-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{d8078af7-6706-11de-af07-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{618f5eb8-67a1-11de-af0c-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{293e4bd2-2985-11de-af63-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{293e4bd3-2985-11de-af63-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{99edd96e-83bf-11de-b008-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{2bb58360-8599-11de-b01a-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{e772706a-8a79-11de-b057-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{b747f7c8-4a98-11de-b0ba-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{7081294c-4e4c-11de-b0d0-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{e36731e4-4eb1-11de-b0d4-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{0e22b425-5f0d-11de-b177-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{533debd8-6155-11de-b18e-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{98ee91f0-657e-11de-b1a6-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{e9d943ac-65fc-11de-b1ab-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{c8fc4e0a-6637-11de-b1ad-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{f8df236e-6dfe-11de-b1e9-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{f8df2371-6dfe-11de-b1e9-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{f480caac-6f64-11de-b1ee-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{8004caef-74c2-11de-b215-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{57e9100c-7c91-11de-b253-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{e92fdf90-803e-11de-b264-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{3eeb1bf6-8eff-11de-b313-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{95aea150-9040-11de-b31a-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{b203284c-9079-11de-b31c-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{19f6e5cc-96ee-11de-b353-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{cc42f986-9929-11de-b362-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{81d15462-a3e8-11db-b3af-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{c2aa4028-ad8d-11de-b3f1-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{2ba2689e-ad8e-11de-b3f2-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{cdfcddd6-adca-11de-b3f4-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{95a2744c-b729-11de-b437-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
"\\??\\Volume{236e091a-c122-11de-b487-001921eb9bd9}"=hex:5c,00,3f,00,3f,00,5c,
00,53,00,54,00,4f,00,52,00,41,00,47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1896)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1952)
c:\windows\system32\BGLsp.dll

- - - - - - - > 'explorer.exe'(3652)
c:\program files\BullGuard Ltd\BullGuard\antispam\PluginHook.dll
c:\program files\BullGuard Ltd\BullGuard\res\en\PluginHookRes.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\msi.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe
.
**************************************************************************
.
Completion time: 2009-11-02 16:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-02 08:40
ComboFix2.txt 2009-11-01 09:01

Pre-Run: 897,134,592 bytes free
Post-Run: 938,131,456 bytes free

Current=2 Default=2 Failed=5 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 4AFFFA269F440BCEC0B7F4D8745D10E0
 

kair (New Member, joined Nov 2009, 11 posts)
Posted 11-2-2009 9:58 (GMT +1)
1st one

Running from: C:\Documents and Settings\Owner\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\$hf_mig$\$hf_mig$.exe

Attempting to restore permissions of : C:\WINDOWS\$hf_mig$\$hf_mig$.exe

Cannot access: C:\WINDOWS\temp\tmp00001465\tmp000273c3

Attempting to restore permissions of : C:\WINDOWS\temp\tmp00001465\tmp000273c3

Cannot access: C:\WINDOWS\temp\tmp00001465\tmp000273e2

Attempting to restore permissions of : C:\WINDOWS\temp\tmp00001465\tmp000273e2

Finished!
 

Touch (Forum Moderator, joined Jun 2004, 16319 posts)
Posted 11-2-2009 2:01 (GMT +1)
If you have run ComboFix before win32kdiag.exe, please post a new ComboFix log.


Do NOT post your problem in someone else's thread.
A non-profit, volunteer network.

 

kair (New Member, joined Nov 2009, 11 posts)
Posted 11-2-2009 2:27 (GMT +1)
No, I ran the win32 one first,

and the last one was the ComboFix.
 

Touch (Forum Moderator, joined Jun 2004, 16319 posts)
Posted 11-2-2009 4:57 (GMT +1)
Ok.
 
 
to perform an online scan. Please use Internet Explorer as it uses ActiveX.
Check (tick) this box: YES, I accept the Terms of Use.
Click on the Start button next to it.
When prompted to run ActiveX, click Yes.
You will be asked to install an ActiveX. Click Install.
Once installed, the scanner will be initialized.
After the scanner is initialized, click Start.
Check (tick) Remove found threats box.
Check (tick) Scan unwanted applications.
Click on Scan.
It will start scanning. Please be patient.
Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt.
 
Please post this log in your next reply.


Do NOT post your problem in someone else's thread.
A non-profit, volunteer network.
