igrek001 Posted March 7, 2010
I have a Dell desktop computer with Windows XP, Service Pack 3. After scanning my hard drive with SuperAntiSpyware, when I click any icon on my Desktop an 'Open with' dialog appears, and when I try to open with any program, a message appears: '(name of the program I try to open) is not a valid Win32 application'. Please help with this problem.
RandyL Posted March 7, 2010
Considering you have had previous infections, it's likely that this is caused by malware. Is it just the desktop shortcut icons that cause this error? Have you tried other shortcuts? Have you tried opening programs with the .exe file instead of a shortcut? Can you give us an example of what programs won't open? Did you ever get rid of your previous infections? What antivirus program do you have? Was there any particular reason you were scanning with SuperAntiSpyware? Did it find and remove anything? If so, what?
igrek001 Posted March 7, 2010 (Author)
Thank you for the response. I'll try to answer the questions you asked. Practically all shortcut icons cause the 'Open with' dialog. And when I tried to open a program from its .exe in 'Program Files', the same 'Open with' appears. Examples of programs I tried to open: all of Microsoft Office 2003, Nero 7, the Chrome browser and others. The reason for scanning with SuperAntiSpyware was the annoying pop-up antivirus program 'XP 2010'. SuperAntiSpyware showed more than 50 spyware programs and removed them. I don't remember exactly, but there were two related to Trojans and all the others were some sort of cookies.
Starbuck Posted March 7, 2010
Hi igrek001, try running this program and post the results:

Please download exeHelper to your desktop. If your AV program throws up a warning about the program, ignore the warning. Some AVs flag this program because of how it works... that's all.
Double-click on exeHelper.com to run the fix.
A black window should pop up; press any key to close it once the fix is completed.
Post the contents of exehelperlog.txt (it will be created in the directory where you ran exeHelper.com and should open at the end of the scan).
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log, and post the two logs together (they will both be in the one file).
Thanks
igrek001 Posted March 8, 2010 (Author)
Thank you very much. I followed your instructions, and after closing the black window received exehelperlog.txt in Notepad:

exeHelper by Raktor
Build 20091220
Run at 20:23:08 on 03/07/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

Where should I post it? So far, I still have the problem opening programs. :-(
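The exeHelper log above shows which registry values the tool resets: the .exe and .com file-type associations and the Winlogon Userinit and Shell values. A hijacked exefile\shell\open\command is exactly what produces the 'Open with' dialog described in the first post, because Windows no longer knows how to launch an .exe. The script below is an added example (it is not exeHelper's code and not from this thread) that audits those values offline: export the keys on the suspect machine with `reg export` (or from a mounted hive), copy the .reg file to the clean laptop and run the check there. The Windows XP defaults in EXPECTED are from general knowledge, not from the thread, and the sample export, including the `loader.exe` path, is constructed to show one hijack pattern.

```python
import re

# Windows XP defaults for the values exeHelper resets (assumed from general
# knowledge of XP, not taken from the forum thread). Compared case-insensitively,
# because registry key names and Windows paths are.
EXPECTED = {
    (r"HKEY_CLASSES_ROOT\.exe", "@"): "exefile",
    (r"HKEY_CLASSES_ROOT\exefile\shell\open\command", "@"): r'"%1" %*',
    (r"HKEY_CLASSES_ROOT\.com", "@"): "comfile",
    (r"HKEY_CLASSES_ROOT\comfile\shell\open\command", "@"): r'"%1" %*',
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit"):
        r"C:\WINDOWS\system32\userinit.exe,",
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"):
        "Explorer.exe",
}

# A .reg value line is either  @=<data>  (default value) or  "Name"=<data>.
_VALUE_RE = re.compile(r'^(@|"(?P<name>(?:[^"\\]|\\.)*)")=(?P<data>.*)$')


def _unescape(s):
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {(key, name): data} from a regedit-style export.

    Keys and value names are lower-cased; string data is unescaped, while
    non-string data (dword:, hex:) is kept as its raw text.
    """
    values = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";") or line == "REGEDIT4"
                or line.startswith("Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = _VALUE_RE.match(line)
        if key is None or not m:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group("name")).lower()
        data = m.group("data")
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        values[(key, name)] = data
    return values


def audit(text):
    """List (key, name, actual, expected) for every value that is missing or differs."""
    values = parse_reg(text)
    findings = []
    for (key, name), expected in EXPECTED.items():
        actual = values.get((key.lower(), name.lower()))
        if actual is None:
            findings.append((key, name, None, expected))
        elif actual.lower() != expected.lower():
            findings.append((key, name, actual, expected))
    return findings


# Constructed sample export: the exefile open command has been rewritten so
# that every .exe is launched through a (hypothetical) loader.exe first.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\Administrator\\Application Data\\loader.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\.com]
@="comfile"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''

if __name__ == "__main__":
    for key, name, actual, expected in audit(SAMPLE_EXPORT):
        print(f"{key} [{name}]\n    found:    {actual!r}\n    expected: {expected!r}")
```

A missing value is reported as well as a changed one, since deleting exefile\shell\open\command breaks .exe launching just as effectively as rewriting it. If the association keys look clean but programs still fail, the next places to look are the Image File Execution Options keys and the Winlogon Notify and policy values that exeHelper's "Resetting policies" step covers.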
Starbuck Posted March 8, 2010
Hi igrek001
Because your problem is almost definitely malware related, I'm going to move your thread to the malware removal forum. We'll continue there.
Thanks
Starbuck Posted March 8, 2010
'the (name of program I try to open) is not valid Win32 application'
This statement is usually a sign of a Bagle worm infection. This can be a right pig, so let's see if we can break its hold enough to remove it.

Step 1
Download ComboFix from any of the links below. You must rename it before saving it. Save it to your desktop.
Link 1
Link 2
This is an example; you may rename ComboFix to anything you want.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix. For more information read: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Then:
Double click on Combo-Fix.exe and follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
If running Vista, you may not see this screen.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a prompt asking whether to continue. Click on Yes to continue scanning for malware.
When finished, it shall produce a log for you. Please include C:\ComboFix.txt in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
If ComboFix won't run, try renaming it with a .com extension.
Thanks
igrek001 Posted March 9, 2010 (Author)
Hello, Starbuck! Thank you for your detailed instructions, but there are problems opening ComboFix and disabling the anti-virus and anti-malware programs, as you recommended. After I double-click any of them, an 'Open with' dialog appears, and when I try to choose something, the same message: '... this is not a valid Win32 application'. :-( The instructions 'How to temporarily disable antivirus...' still require first opening them, but I cannot. :-(
Starbuck Posted March 9, 2010
Hi igrek001
If you managed to download ComboFix, try this:
Please reboot your computer in Safe Mode by doing the following:
* Restart your computer.
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
* Instead of Windows loading as normal, a menu with options should appear. You will need to use the keyboard arrow keys to navigate this menu.
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Then choose your usual account.
This should stop most AVs from running. Now run ComboFix.
Don't worry too much about the Recovery Console for the time being; we can address that later. Let's see if we can get a scan done first.
Thanks.
igrek001 Posted March 9, 2010 (Author)
Hello, Starbuck! I wasn't lucky: in Safe Mode, when I click on ComboFix (I changed the file name to Fixer, as you advised), the same 'Open with' dialog appears. :-) I can open only my default browser SlimBrowser and all the favourite programs I have there; also I can open 'My Computer' and 'My Documents'. That's all; not one .exe program on the Desktop can be opened.
Starbuck Posted March 9, 2010
Hi igrek001
Do you have access to another PC, so that we could download something to that and transfer it to the infected system?
igrek001 Posted March 10, 2010 (Author)
Yes, I have a laptop. How may I download and transfer the fixing program?
Starbuck Posted March 10, 2010 (edited)
'yes, I have laptop'
That's good.
The malware is stopping us from removing it by blocking .exe programs, so we'll have to use a different way of breaking its hold. This will mean booting your system into another operating system and removing the malware that way.

OK, this file is big... print these instructions out so that you know what you are doing.
Two programs to download:
First, ISOBurner. This will allow you to burn OTLPE.iso to a CD and make it bootable. Just install the program; from there on in it is fairly automatic. Instructions
Second, download OTLPE.iso and burn it to a CD using ISOBurner.
NOTE: This file is approx. 290 MB in size, so it may take some time to download.
When downloaded, double-click and this will then open ISOBurner to burn the file to CD.
Reboot your system using the boot CD you just created.
Note: If you do not know how to set your computer to boot from CD, follow the steps here.
As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :)
Your system should now display a Reatogo desktop.
Note: as you are running from CD it is not exactly speedy.
Double-click on the OTLPE icon.
Select the Windows folder of the infected drive if it asks for a location.
When asked "Do you wish to load the remote registry", select Yes.
When asked "Do you wish to load remote user profile(s) for scanning", select Yes.
Ensure the box "Automatically Load All Remaining Users" is checked and press OK.
OTL should now start. Change the following settings:
Change Drivers to All
Change Registry to All
Under the Custom Scan box paste this in:

%SYSTEMDRIVE%\*.*
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\System32\config\*.sav

You can copy and paste these entries and save them on a USB stick. You can then copy and paste into the custom scan area easily.
Press Run Scan to start the scan.
When finished, the file will be saved in drive C:\OTL.txt
Copy this file to your USB drive if you do not have an internet connection on this system. Right-click the file and select Send to: select the USB drive. Confirm that it has copied to the USB drive by selecting it.
You can back up any files that you wish from this OS.
Please post the contents of the C:\OTL.txt file in your reply. If the report is too big to post here, add it as an attachment.
Thanks
Edited March 10, 2010 by Starbuck
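The /md5start ... /md5stop block in the custom scan above makes OTL print the MD5 of every copy of those disk-controller and logon DLL files it finds, and the reason for doing it from the OTLPE boot CD rather than from the running system is that a rootkit which has patched one of them on disk can also hide the modification from anything that reads the file through the infected kernel. What the helper then does by hand is compare each hash against a known-clean copy. The script below is an added example of that comparison (it is not OTL's code and not from this thread): it walks a Windows folder, hashes every copy of the listed names, and classifies each copy against a baseline. The baseline hashes for a given XP service-pack level are not on this page and must be supplied by the reader; the demo tree and its file contents are constructed so the example runs offline.

```python
import hashlib
import os
import tempfile

# File names from the /md5start ... /md5stop block in the OTL custom scan above,
# lower-cased for case-insensitive matching.
MD5_TARGETS = {
    "eventlog.dll", "scecli.dll", "netlogon.dll", "cngaudit.dll", "sceclt.dll",
    "ntelogon.dll", "logevent.dll", "iastor.sys", "nvstor.sys", "atapi.sys",
    "idechndr.sys", "viasraid.sys", "agp440.sys", "vaxscsi.sys", "nvatabus.sys",
    "viamraid.sys", "nvata.sys", "nvgts.sys", "iastorv.sys", "viprt.sys",
    "enethook.dll", "ahcix86.sys", "kr10n.sys", "nvstor32.sys", "ahcix86s.sys",
    "nvrd32.sys",
}


def md5_file(path):
    """MD5 is used because that is what OTL reports; keep your own baseline in SHA-256 too."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_targets(windows_dir, targets=MD5_TARGETS):
    """Return {relative path: md5} for every copy of a target file under windows_dir.

    Several copies normally exist (system32\\drivers, system32\\dllcache,
    ServicePackFiles); a live driver whose hash differs from the cached copies
    is the one to look at.
    """
    found = {}
    for dirpath, _dirs, files in os.walk(windows_dir):
        for name in files:
            if name.lower() in targets:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, windows_dir).replace(os.sep, "\\").lower()
                found[rel] = md5_file(full)
    return found


def compare(observed, baseline):
    """Classify each observed copy as 'match', 'MISMATCH' or 'no-baseline'.

    baseline maps file name (lower-case) to the MD5 from a clean machine at the
    same service-pack and hotfix level; that table is not part of this example.
    """
    results = []
    for rel, digest in sorted(observed.items()):
        name = rel.rsplit("\\", 1)[-1]
        good = baseline.get(name)
        if good is None:
            status = "no-baseline"
        elif good == digest:
            status = "match"
        else:
            status = "MISMATCH"
        results.append((rel, digest, status))
    return results


def build_demo_tree(root):
    """Constructed sample: a clean dllcache copy of atapi.sys and a live copy
    with extra bytes appended, standing in for an on-disk patch. Returns the
    baseline for the clean copy."""
    drivers = os.path.join(root, "system32", "drivers")
    dllcache = os.path.join(root, "system32", "dllcache")
    os.makedirs(drivers)
    os.makedirs(dllcache)
    clean = b"MZ" + b"\x00" * 62 + b"clean atapi.sys body (constructed)"
    with open(os.path.join(dllcache, "atapi.sys"), "wb") as f:
        f.write(clean)
    with open(os.path.join(drivers, "atapi.sys"), "wb") as f:
        f.write(clean + b"\x90" * 16)
    with open(os.path.join(root, "system32", "scecli.dll"), "wb") as f:
        f.write(b"MZ unrelated (constructed)")
    return {"atapi.sys": hashlib.md5(clean).hexdigest()}


def demo():
    """Run the comparison over the constructed tree; returns the classified rows."""
    with tempfile.TemporaryDirectory() as root:
        baseline = build_demo_tree(root)
        return compare(hash_targets(root), baseline)


if __name__ == "__main__":
    for rel, digest, status in demo():
        print(f"{status:12} {digest} {rel}")
```

On a real case the call is `hash_targets(r"X:\Windows")` with the infected drive's Windows folder as mounted by OTLPE, and a mismatch between a live driver and its dllcache copy is a lead, not a verdict: a hotfix that updated the driver without refreshing the cache produces the same result, which is why the baseline has to come from a machine at the same patch level.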
igrek001 Posted March 10, 2010 (Author)
Thank you very much, Starbuck! There was no reason to do this, because suddenly the PC allowed me to install the previously downloaded ComboFix program you recommended. I scanned my computer with this program, received the log report and saved it. Now all programs open easily. Thank you again!!!
Starbuck Posted March 10, 2010
Hi igrek001
'because suddenly the PC allowed me to install the previously downloaded ComboFix program'
Typical :confused:
'I scanned my computer with this program, received the log report and saved it.'
OK, let me have the report and I'll make sure there's nothing else to remove.
igrek001 Posted March 12, 2010 (Author)
Here it is (it's pretty big, and I'm not sure there is enough space here):

ComboFix 10-03-08.01 - Administrator 03/10/2010 0:08.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1033.18.3062.2659 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\Fixer.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\Application Data\Desktopicon
c:\documents and settings\Administrator\Application Data\Desktopicon\config.ini
c:\documents and settings\Administrator\Application Data\Desktopicon\eBayShortcuts.exe
c:\documents and settings\All Users\Application Data\Wyeke
c:\documents and settings\All Users\Application Data\Wyeke\wyeke139.exe
c:\program files\Mail.Ru\Agent\Mra\dll\newmrasearch.dll
c:\program files\Wyeke
c:\program files\Wyeke\uninstall.exe
c:\program files\Wyeke\wyeke.dll
c:\program files\Wyeke\wyeke.exe
c:\recycler\S-1-5-21-1547161642-1647877149-839522115-500
c:\windows\Temp\tmp3.tmp
E:\autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_WYEKE_SERVICE
-------\Service_Wyeke Service
((((((((((((((((((((((((( Files Created from 2010-02-10 to 2010-03-10 )))))))))))))))))))))))))))))))
.
2010-03-10 05:18 . 2010-03-10 05:18 439816 ----a-w- c:\documents and settings\Administrator\Application Data\Real\Update\setup3.10\setup.exe
2010-03-07 05:36 . 2010-03-07 05:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-03-07 05:36 . 2010-03-07 05:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Office Genuine Advantage
2010-03-05 04:53 . 2010-03-05 04:53 -------- d-----w- c:\program files\25 Кадр
2010-02-28 05:30 . 2010-03-05 05:19 -------- d-----w- c:\program files\stitch_color
2010-02-28 05:09 . 2010-02-28 05:29 286720 ------w- c:\windows\Setup1.exe
2010-02-28 05:09 . 2010-02-28 05:29 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-02-28 04:47 . 2010-02-28 04:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\RyijyApp
2010-02-28 04:46 . 2010-02-28 04:46 11454 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{DB0D2734-55AB-437E-B629-1F167CAF7921}\_FFE8D63FEF90B8AD2E7FC9.exe
2010-02-28 04:46 . 2010-02-28 04:46 11454 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{DB0D2734-55AB-437E-B629-1F167CAF7921}\_6FEFF9B68218417F98F549.exe
2010-02-28 04:46 . 2010-02-28 04:46 11454 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{DB0D2734-55AB-437E-B629-1F167CAF7921}\_53E431C98DE07307821BFE.exe
2010-02-28 04:46 . 2010-02-28 04:46 -------- d-----w- c:\program files\Ryijy Stitch Designer
2010-02-28 04:34 . 2000-06-29 08:45 52224 ----a-w- c:\windows\system32\Crypserv.exe
2010-02-28 04:34 . 2000-02-03 19:53 24608 ----a-w- c:\windows\system32\Ckldrv.sys
2010-02-28 04:34 . 1999-06-18 20:49 165888 ----a-w- c:\windows\Ckconfig.exe
2010-02-28 04:34 . 1996-05-03 16:21 27648 ----a-r- c:\windows\Setup_ck.exe
2010-02-28 04:34 . 1996-05-03 14:36 18432 ----a-w- c:\windows\Setup_ck.dll
2010-02-28 04:34 . 1995-07-04 17:33 11776 ----a-w- c:\windows\Ckrfresh.exe
2010-02-28 04:34 . 2010-02-28 04:34 -------- d-----w- c:\program files\HobbyWare
2010-02-28 04:33 . 2010-02-28 04:33 -------- d-----w- c:\windows\Downloaded Installations
2010-02-28 03:21 . 2010-02-28 03:22 -------- d-----w- c:\program files\25 ????
2010-02-25 04:17 . 1999-05-26 14:46 212480 ----a-w- c:\windows\system32\pcdlib32.dll
2010-02-25 04:17 . 2010-02-25 04:17 -------- d-----w- c:\program files\STOIK
2010-02-25 04:16 . 1999-11-17 23:56 327168 ----a-w- c:\windows\IsUn0419.exe
2010-02-25 04:06 . 2010-02-26 02:28 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\free-downloads.net
2010-02-25 04:06 . 2010-02-25 04:06 -------- d-----w- c:\program files\free-downloads.net
2010-02-25 04:06 . 2010-01-20 17:16 52224 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xtv209is.default\extensions\{ecdee021-0d17-467f-a1ff-c7a115230949}\components\FFExternalAlert.dll
2010-02-25 04:06 . 2010-01-20 17:16 101376 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xtv209is.default\extensions\{ecdee021-0d17-467f-a1ff-c7a115230949}\components\RadioWMPCore.dll
2010-02-25 04:05 . 2010-02-25 04:05 -------- d-----w- c:\program files\Alcohol Soft
2010-02-25 04:02 . 2010-02-25 04:02 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-02-25 03:29 . 2010-02-28 05:13 -------- d-----w- c:\program files\eMule
2010-02-16 04:40 . 2010-02-16 04:40 -------- d-----w- c:\program files\Common Files\xing shared
2010-02-16 04:39 . 2010-02-16 04:39 -------- d-----w- c:\program files\Real
2010-02-16 04:39 . 2010-02-16 04:40 -------- d-----w- c:\program files\Common Files\Real
2010-02-10 02:16 . 2010-02-10 02:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
1601-01-01 00:00 . 1601-01-01 00:00 0 ----a-w- c:\documents and settings\Administrator\Application Data\Real\Update\temp\~Upg0\setup.exe
1601-01-01 00:00 . 1601-01-01 00:00 0 ----a-w- c:\documents and settings\Administrator\Application Data\Real\Update\temp\~Upg0\install.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-10 05:18 . 2008-10-09 03:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\OpenOffice.org2
2010-03-10 05:03 . 2008-10-09 06:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\SlimBrowser
2010-03-10 04:54 . 2010-02-07 03:17 -------- d-----w- c:\program files\SlimBrowser
2010-03-07 05:45 . 2008-10-09 12:42 1 ----a-w- c:\documents and settings\Administrator\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-03-05 07:21 . 2009-11-30 03:48 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-05 05:20 . 2008-09-23 07:42 48488 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-05 04:49 . 2009-12-20 03:56 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-01 04:25 . 2008-10-23 01:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\dvdcss
2010-02-26 02:19 . 2008-12-21 18:53 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-22 19:04 . 2009-11-30 03:47 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-16 04:39 . 2008-05-09 04:01 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-02-16 04:39 . 2008-05-09 04:01 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-02-11 18:53 . 2008-12-12 03:18 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-02-11 18:53 . 2008-12-12 03:17 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-02-11 18:42 . 2008-12-12 03:18 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-02-11 18:42 . 2008-12-12 03:18 162512 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-02-11 18:39 . 2008-12-12 03:18 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-02-11 18:38 . 2008-12-12 03:18 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-02-11 18:38 . 2008-12-12 03:18 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-02-11 18:38 . 2008-12-12 03:18 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-02-11 18:38 . 2008-12-12 03:18 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-02-10 02:18 . 2008-10-22 04:50 -------- d-----w- c:\program files\Alwil Software
2010-02-08 03:46 . 2010-02-08 03:46 -------- d-----w- c:\program files\Common Files\Webroot Shared
2010-02-08 03:46 . 2008-11-08 04:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Webroot
2010-02-08 03:46 . 2010-02-08 03:46 -------- d-----w- c:\program files\Webroot
2010-02-07 05:00 . 2009-11-07 03:31 -------- d-----w- c:\program files\My.Freeze.com NetAssistant
2010-01-23 04:25 . 2008-10-09 13:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2010-01-23 02:56 . 2008-10-19 04:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2010-01-21 04:37 . 2008-05-09 03:12 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-05 10:00 . 2004-08-12 13:33 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-12 13:19 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-12 13:18 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-12 13:30 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 18:43 . 2006-07-28 17:09 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-12 13:18 33280 ----a-w- c:\windows\system32\csrsrv.dll
2008-10-09 13:15 . 2008-10-09 13:15 22404904 ----a-w- c:\program files\SkypeSetup.exe
2008-10-09 06:23 . 2008-10-09 06:23 1975910 ----a-w- c:\program files\sbsetup.exe
2008-10-08 21:08 . 2008-10-08 21:08 5047800 ----a-w- c:\program files\magentsetup.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{a33fa729-d155-4b23-842b-2c665ecabdb6}"= "c:\program files\The_Pirate_Bay\tbThe1.dll" [2010-02-26 2349080]
"{ca9e4d90-1386-42f8-9f36-df74277aabc2}"= "c:\program files\TV_Mule\tbTV_1.dll" [2010-02-26 2349080]
"{ecdee021-0d17-467f-a1ff-c7a115230949}"= "c:\program files\free-downloads.net\tbfree.dll" [2009-12-31 2349080]
[HKEY_CLASSES_ROOT\clsid\{a33fa729-d155-4b23-842b-2c665ecabdb6}]
[HKEY_CLASSES_ROOT\clsid\{ca9e4d90-1386-42f8-9f36-df74277aabc2}]
[HKEY_CLASSES_ROOT\clsid\{ecdee021-0d17-467f-a1ff-c7a115230949}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a33fa729-d155-4b23-842b-2c665ecabdb6}]
2010-02-26 02:28 2349080 ----a-w- c:\program files\The_Pirate_Bay\tbThe1.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca9e4d90-1386-42f8-9f36-df74277aabc2}]
2010-02-26 02:28 2349080 ----a-w- c:\program files\TV_Mule\tbTV_1.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ecdee021-0d17-467f-a1ff-c7a115230949}]
2009-12-31 16:53 2349080 ----a-w- c:\program files\free-downloads.net\tbfree.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{a33fa729-d155-4b23-842b-2c665ecabdb6}"= "c:\program files\The_Pirate_Bay\tbThe1.dll" [2010-02-26 2349080]
"{ca9e4d90-1386-42f8-9f36-df74277aabc2}"= "c:\program files\TV_Mule\tbTV_1.dll" [2010-02-26 2349080]
"{ecdee021-0d17-467f-a1ff-c7a115230949}"= "c:\program files\free-downloads.net\tbfree.dll" [2009-12-31 2349080]
[HKEY_CLASSES_ROOT\clsid\{a33fa729-d155-4b23-842b-2c665ecabdb6}]
[HKEY_CLASSES_ROOT\clsid\{ca9e4d90-1386-42f8-9f36-df74277aabc2}]
[HKEY_CLASSES_ROOT\clsid\{ecdee021-0d17-467f-a1ff-c7a115230949}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{A33FA729-D155-4B23-842B-2C665ECABDB6}"= "c:\program files\The_Pirate_Bay\tbThe1.dll" [2010-02-26 2349080]
"{CA9E4D90-1386-42F8-9F36-DF74277AABC2}"= "c:\program files\TV_Mule\tbTV_1.dll" [2010-02-26 2349080]
[HKEY_CLASSES_ROOT\clsid\{a33fa729-d155-4b23-842b-2c665ecabdb6}]
[HKEY_CLASSES_ROOT\clsid\{ca9e4d90-1386-42f8-9f36-df74277aabc2}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-22 2012912]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-12-01 135664]
"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2005-04-20 894464]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe" [2009-11-15 33120]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-02 153136]
"MAgent"="c:\program files\Mail.Ru\Agent\MAgent.exe" [2009-10-31 4417016]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-02-11 2756488]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-16 198160]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless G USB Adapter Client Utility.lnk - c:\program files\Belkin\F5D7050v5\Belkinwcui.exe [2008-10-8 1564672]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-6 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Mail.Ru\\Agent\\magent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Documents and Settings\\Administrator\\tetatet\\tetatet.exe"=
"c:\\Program Files\\Adobe\\Acrobat.com\\Acrobat.com.exe"=
"c:\\Program Files\\ooVoo\\ooVoo.exe"=
"c:\\Program Files\\Hercules\\Classic Silver\\Station2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\SlimBrowser\\sbrowser.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 a320raid;a320raid;c:\windows\system32\drivers\a320raid.sys [11/2/2006 1:57 PM 218112]
R0 aac;PERC 320/DC SCSI RAID Miniport Driver;c:\windows\system32\drivers\aac.sys [11/2/2006 1:57 PM 48140]
R0 aarich;aarich;c:\windows\system32\drivers\aarich.sys [11/2/2006 1:57 PM 204800]
R0 megasas;DELL PERC RAID Driver;c:\windows\system32\drivers\megasas.sys [11/2/2006 1:57 PM 17664]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/24/2010 11:02 PM 691696]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/11/2008 10:18 PM 162512]
R1 ISODisk;ISODisk;c:\windows\system32\drivers\ISODisk.sys [10/2/2009 1:07 PM 9600]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/23/2009 8:43 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/11/2008 10:18 PM 19024]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/8/2008 10:41 PM 38144]
R2 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [10/12/2009 11:33 AM 46824]
R3 BELKIN;Belkin Wireless G USB Network Adapter;c:\windows\system32\drivers\BLKWGU.sys [10/8/2008 10:42 PM 238848]
R3 camfilt2;camfilt2;c:\windows\system32\drivers\camfilt2.sys [12/4/2009 8:13 PM 94720]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 12872]
S3 AVEO;AVEO USB2.0 PC Camera;c:\windows\system32\drivers\aveodcnt.sys [10/29/2009 12:53 PM 171520]
S3 P1120VID;Creative WebCam NX Ultra;c:\windows\system32\drivers\P1120Vid.sys [10/9/2008 1:42 AM 1252474]
S3 Rocket;eBook Service;c:\windows\system32\drivers\eRocket.sys [11/14/2008 9:06 AM 44621]
S4 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [11/2/2006 1:57 PM 11029]
.
Contents of the 'Scheduled Tasks' folder
2009-02-14 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8223500795.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 12:52]
2010-02-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3105199670-2300768646-1652051771-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-01 01:38]
2010-03-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3105199670-2300768646-1652051771-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-01 01:38]
2010-03-10 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
2009-11-07 c:\windows\Tasks\PCConfidential.job
- c:\program files\Winferno\PC Confidential\PCConfidential.exe [2009-11-07 19:10]
2010-03-10 c:\windows\Tasks\RegPowerClean.job
- c:\program files\Winferno\RegistryPowerCleaner\RegPowerClean.exe [2009-11-07 19:48]
2010-03-10 c:\windows\Tasks\RPCReminder.job
- c:\program files\Winferno\RegistryPowerCleaner\RPCReminder.exe [2009-11-07 19:34]
.
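The 'Reg Loading Points' part of a ComboFix log is where a helper does most of the triage: which autostart entries run from a user profile, which browser hooks and toolbars are installed, and whether the machine has been told to stop warning about its own defences. The log above has several such items: three Conduit-style toolbars registered as URLSearchHooks, BHOs and toolbars; Security Center overrides for both antivirus and firewall set to 1; the standard-profile firewall disabled; and a GloballyOpenPorts entry for 3389/TCP (Remote Desktop) that, unlike the ooVoo entries, is not marked Disabled. The script below is an added example (not ComboFix's code and not from this thread) of reading that section and classifying entries; the rules in `review` are this editor's heuristics, and the sample input is excerpted from the log lines above. Severity "review" means "look at it", not "malicious": the Security Center overrides, for instance, can be set by a user as easily as by a rogue AV, and the "MBR rootkit hooks" reported by GMER in the second part of the log are typically what the sptd.sys driver installed with Alcohol 120% (listed under Drivers/Services above) produces, so they need the same kind of judgement.

```python
import re

# Lines excerpted from the ComboFix log posted above (Reg Loading Points section).
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{a33fa729-d155-4b23-842b-2c665ecabdb6}"= "c:\program files\The_Pirate_Bay\tbThe1.dll" [2010-02-26 2349080]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-12-01 135664]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-02-11 2756488]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
'''

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VAL_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<data>.*)$')

# Key fragments that mark browser extension points (search hooks, BHOs, toolbars).
_BROWSER_KEYS = ("urlsearchhooks", "browser helper objects", "\\toolbar")
# Autostart binaries living here deserve a second look on an infected machine.
_USER_PATH_MARKERS = ("\\documents and settings\\", "\\temp\\", "\\application data\\")


def parse_entries(text):
    """Yield (key, name, data) for every "name"=data line under a [key] header."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = _VAL_RE.match(line)
        if key and m:
            yield key, m.group("name"), m.group("data").strip()


def review(text):
    """Return (severity, key, name, note) findings; severity is 'high' or 'review'."""
    findings = []
    for key, name, data in parse_entries(text):
        k = key.lower()
        n = name.lower()
        if any(marker in k for marker in _BROWSER_KEYS):
            findings.append(("review", key, name, "browser add-on / search hook: " + data))
        elif (k.endswith("security center")
              and n in ("antivirusoverride", "firewalloverride")
              and data.lower().endswith("00000001")):
            findings.append(("high", key, name, "Security Center alert suppressed"))
        elif (k.endswith("firewallpolicy\\standardprofile")
              and n == "enablefirewall" and data.startswith("0")):
            findings.append(("high", key, name, "Windows Firewall disabled"))
        elif "globallyopenports" in k:
            # Format is port:proto:scope:status:description; a rule without a
            # 'Disabled' field is active.
            parts = data.split(":")
            if "disabled" not in (p.lower() for p in parts):
                sev = "high" if parts[0] == "3389" else "review"
                findings.append((sev, key, name, "inbound port open: " + data))
        elif k.endswith("\\run"):
            path = data.split('"')[1].lower() if data.startswith('"') else data.lower()
            if any(marker in path for marker in _USER_PATH_MARKERS):
                findings.append(("review", key, name, "autostart from a user-profile path: " + path))
    return findings


if __name__ == "__main__":
    for sev, key, name, note in review(SAMPLE_LOG):
        print(f"[{sev:6}] {name}  ({key})\n         {note}")
```

Run over the excerpt, this yields six findings: the search hook, the GoogleUpdate autostart under the user profile (legitimate software, but it sits exactly where droppers also live), both Security Center overrides, the disabled firewall, and the open 3389/TCP rule. The ooVoo 443/TCP rule is skipped because it is marked Disabled, and avast's HKLM Run entry is skipped because it runs from Program Files.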
igrek001 (Author) Posted March 12, 2010

That's not all... here is the second part:
Starbuck Posted March 12, 2010

Hi igrek001

Step 1

Please download DeFogger to your desktop.
Double click DeFogger to run the tool.
The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will appear
Click OK
DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
Do not re-enable these drivers until otherwise instructed.

Step 2

Please download GMER from one of the following locations and save it to your desktop:
Main Mirror - This version will download a randomly named file (Recommended)
Zipped Mirror - This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif
GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.
Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

In your next reply, please submit:
Gmer.log

Thanks.

Member of: UNITE
igrek001 (Author) Posted March 13, 2010

Hello, Starbuck! Thank you for your support. I followed your instructions accurately. Here is a copy of the gmer.log:
Starbuck Posted March 13, 2010

Hi igrek001

I can't find any information on the 2 following programs, do you know what they are?
c:\program files\25 Кадр
c:\program files\25 ????

If you have no idea, run this script and we'll take a look at the contents;

Close any open browsers.
Close/disable all anti virus, firewall and anti malware programs so they do not interfere with the running of ComboFix.
Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text and pressing Ctrl+C

    DirLook::
    c:\program files\25 Кадр
    c:\program files\25 ????

Go to the Notepad window and click Edit >> Paste
Then click File >> Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop
The main ComboFix.exe program should be on your Desktop
Drag the file you just created... CFScript.txt and drop it on the main ComboFix.exe icon as below.
http://i275.photobucket.com/albums/jj285/Bleeping/Combofix/cf.gif
Now please wait for ComboFix to finish running.
Please Note: Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash

Thanks

Member of: UNITE
igrek001 (Author) Posted March 15, 2010

Hello, Starbuck! I know the program '25 kadr'... this is a Russian program for quickly learning English... it works only with a special CD I downloaded and burned from a Russian torrent site... should I still follow your last recommendation??
Starbuck Posted March 16, 2010

Hi igrek001

Thanks for letting me know. You need not run the script.
ComboFix is showing a possible USB infection, we'll take care of that and then get a couple of other scans done.

Step 1

Temporarily disable your anti-virus, script blocking and any real time protection programs before downloading this tool as it can be falsely flagged as malware.
Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Step 2

Download CKScanner. Important - Save it to your desktop.
Double-click CKScanner.exe and click Search For Files.
After a very short time, when the cursor hourglass disappears, click Save List To File.
A message box will verify the file has been saved.
Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

Step 3

Download OTL to your desktop. If you have problems, try this download link: OTL
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
http://img.photobucket.com/albums/v708/starbuck50/new/newOtl2.png
Now copy the lines in the codebox below.

    netsvcs
    msconfig
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    CREATERESTOREPOINT

Right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
Click the Run Scan button.
http://img.photobucket.com/albums/v708/starbuck50/runscan.png
Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

In your next reply, please submit:
Report from CKScanner
Both reports from OTL

Thanks.

Member of: UNITE
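The note in Step 1 above explains why a hidden autorun.inf folder protects a drive: a file and a directory cannot share a name in the same parent, so once the folder exists the autorun.inf file cannot be written there. The script below is an added example reproducing that mechanism in a scratch directory; it is not code from the thread or from Flash_Disinfector, and the function names are this example's own.

```python
"""Why a *folder* named autorun.inf blocks the autorun file.

Added example, not code from the thread or from Flash_Disinfector. It reproduces
the mechanism described in the post: a directory and a file cannot share a name
in the same parent, so once an autorun.inf directory sits in a drive root the
autorun.inf file that Windows would parse cannot be created there. It runs in a
scratch directory; the hidden+system attributes are applied only on Windows.
"""
import os
import tempfile

AUTORUN = "autorun.inf"
# File attribute flags from winnt.h, used only when running on Windows.
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04


def protect_drive_root(root: str) -> str:
    """Create the placeholder autorun.inf directory in *root* and return its path.

    If a real autorun.inf *file* is already there, refuse rather than delete it:
    an existing file is evidence that should be looked at, not silently replaced.
    """
    path = os.path.join(root, AUTORUN)
    if os.path.isfile(path):
        raise FileExistsError(f"{path} is a file; inspect it before replacing it")
    os.makedirs(path, exist_ok=True)
    if os.name == "nt":
        import ctypes
        # Hidden + system so the placeholder is not shown or removed by accident.
        ctypes.windll.kernel32.SetFileAttributesW(
            path, FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM)
    return path


def autorun_file_can_be_created(root: str) -> bool:
    """Try to create an autorun.inf *file* in *root*, as an infected stick would carry.

    With the placeholder directory present, open() raises IsADirectoryError on
    POSIX and PermissionError on Windows; both are OSError, so we return False.
    The content written is a constructed, inert section header only.
    """
    path = os.path.join(root, AUTORUN)
    try:
        with open(path, "w", encoding="ascii") as fh:
            fh.write("[autorun]\n")
        return True
    except OSError:
        return False


def placeholder_intact(root: str) -> bool:
    """True when autorun.inf exists in *root* and is a directory, not a file."""
    return os.path.isdir(os.path.join(root, AUTORUN))


def demo() -> dict:
    """Compare an unprotected and a protected root and report the outcome."""
    with tempfile.TemporaryDirectory() as plain, tempfile.TemporaryDirectory() as guarded:
        writable_before = autorun_file_can_be_created(plain)    # file is created: True
        protect_drive_root(guarded)
        writable_after = autorun_file_can_be_created(guarded)   # name already taken: False
        return {
            "unprotected_writable": writable_before,
            "protected_writable": writable_after,
            "placeholder_intact": placeholder_intact(guarded),
        }


if __name__ == "__main__":
    print(demo())
```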
igrek001 (Author) Posted March 19, 2010

Hello, Starbuck!! Thank you for your detailed instructions. For some reason CKScanner didn't download; instead a window appeared with a message that it couldn't be found. Therefore, I'm sending only the OTL report:
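Reading an OTL report like the one posted here is mostly pattern work: 'File not found' leftovers, files with no publisher, and one CLSID registered in several places. The parser below is an added example, not code from the thread or from OTL; the sample lines are copied from the OTL report posted in this thread, and the check names are this example's own.

```python
"""Triage of OTL O2/O3/O4 entries.

Added example, not code from the thread or from OTL. It parses the BHO (O2),
toolbar (O3) and Run-key (O4) lines OTL prints and applies three checks a helper
normally does by eye: registrations whose file OTL reports as 'File not found',
files with no company name in their version info (OTL prints '()'), and one CLSID
registered in several places (OTL prints the GUID in whichever case the key uses).
SAMPLE_LOG holds lines copied from the OTL report posted in this thread.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

SAMPLE_LOG = r"""
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (greatbar23dec2009 Toolbar) - {a33fa729-d155-4b23-842b-2c665ecabdb6} - C:\Program Files\The_Pirate_Bay\tbThe1.dll (Conduit Ltd.)
O2 - BHO: (TV Nova Toolbar) - {ca9e4d90-1386-42f8-9f36-df74277aabc2} - C:\Program Files\TV_Mule\tbTV_1.dll (Conduit Ltd.)
O2 - BHO: (OToolbarHelper Class) - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll ()
O2 - BHO: (free-downloads.net Toolbar) - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll (Conduit Ltd.)
O2 - BHO: (XBTBPos00 Class) - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\My.Freeze.com Toolbar\freeze_sa_us.dll File not found
O3 - HKLM\..\Toolbar: (greatbar23dec2009 Toolbar) - {a33fa729-d155-4b23-842b-2c665ecabdb6} - C:\Program Files\The_Pirate_Bay\tbThe1.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (PayPal Plug-In) - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (greatbar23dec2009 Toolbar) - {A33FA729-D155-4B23-842B-2C665ECABDB6} - C:\Program Files\The_Pirate_Bay\tbThe1.dll (Conduit Ltd.)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKCU..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe (Webroot Software)
"""

# The trailing field is either "(<publisher>)" or the literal "File not found".
_TAIL = r"(?:\((?P<publisher>[^()]*)\)|(?P<missing>File not found))$"
# O2/O3: "<type> - <location>: (<display name>) - {<CLSID>} - <path> <tail>"
_O23 = re.compile(
    r"^(?P<type>O[23]) - (?P<location>[^:]+): \((?P<name>.*?)\) - "
    r"\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+?) " + _TAIL)
# O4: "O4 - HKLM..\Run: [<value name>] <path> <tail>"
_O4 = re.compile(
    r"^(?P<type>O4) - (?P<location>HK(?:LM|CU)\.\.\\Run): \[(?P<name>[^\]]+)\] "
    r"(?P<path>.+?) " + _TAIL)


@dataclass
class Entry:
    kind: str                  # "O2", "O3" or "O4"
    location: str              # "BHO", "HKLM\..\Toolbar", "HKCU..\Run", ...
    name: str
    path: str
    publisher: Optional[str]   # None when the file was reported missing
    clsid: Optional[str]       # upper-cased so HKLM and HKCU spellings compare equal
    file_missing: bool


def parse_otl(text: str) -> List[Entry]:
    """Parse O2/O3/O4 lines in *text*; other line types are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = _O23.match(line) or _O4.match(line)
        if not m:
            continue
        g = m.groupdict()
        clsid = g.get("clsid")
        entries.append(Entry(
            kind=g["type"], location=g["location"], name=g["name"], path=g["path"],
            publisher=None if g["missing"] else g["publisher"],
            clsid=clsid.upper() if clsid else None,
            file_missing=bool(g["missing"])))
    return entries


def orphaned(entries: List[Entry]) -> List[Entry]:
    """Registrations whose target file no longer exists (leftovers of a removal)."""
    return [e for e in entries if e.file_missing]


def unpublished(entries: List[Entry]) -> List[Entry]:
    """Files present on disk but without a company name in their version info."""
    return [e for e in entries if e.publisher == ""]


def by_clsid(entries: List[Entry]) -> Dict[str, List[Entry]]:
    """Group O2/O3 registrations by normalised CLSID (case differences collapse)."""
    groups: Dict[str, List[Entry]] = defaultdict(list)
    for e in entries:
        if e.clsid:
            groups[e.clsid].append(e)
    return dict(groups)


def toolbars_by_publisher(entries: List[Entry]) -> Dict[str, int]:
    """Distinct CLSIDs per publisher; several bars from one vendor is the footprint
    a bundled-toolbar family leaves (three 'Conduit Ltd.' bars in this report)."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for e in entries:
        if e.clsid and e.publisher:
            seen[e.publisher].add(e.clsid)
    return {pub: len(ids) for pub, ids in seen.items()}


if __name__ == "__main__":
    found = parse_otl(SAMPLE_LOG)
    for e in orphaned(found):
        print(f"orphaned     {e.kind} {e.location}: {e.name} -> {e.path}")
    for e in unpublished(found):
        print(f"no publisher {e.kind} {e.location}: {e.name} -> {e.path}")
    print(toolbars_by_publisher(found))
```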
igrek001 (Author) Posted March 19, 2010
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe (Hewlett-Packard) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 36 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF FF [binary data] O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O8 - Extra context menu item: Íàéòè â èíòåðíåòå - C:\Program Files\Mail.Ru\Sputnik\MailRuSputnik.dll (@Mail.Ru) O8 - Extra context menu item: Íàéòè â ñëîâàðÿõ - C:\Program Files\Mail.Ru\Sputnik\MailRuSputnik.dll (@Mail.Ru) O9 - Extra Button: Отправка в блог - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : &Отправка в блог Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : PC Confidential - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe (Capital Intellect, Inc) O9 - Extra Button: Mail.Ru Агент - {7558B7E5-7B26-4201-BEDB-00D5FF534523} - C:\Program Files\Mail.Ru\Agent\magent.exe (Mail.Ru) O9 - Extra 'Tools' menuitem : Mail.Ru Агент - {7558B7E5-7B26-4201-BEDB-00D5FF534523} - C:\Program Files\Mail.Ru\Agent\magent.exe (Mail.Ru) O9 - Extra Button: PC Confidential - 
{925DAB62-F9AC-4221-806A-057BFB1014AA} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe (Capital Intellect, Inc) O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control) O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1210299458796 (WUWebControl Class) O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1210299513640 (MUWebControl Class) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15) O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.) 
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 68.87.71.230 68.87.73.246 O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation) O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation) O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com) O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation) O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2006.07.28 13:13:37 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O32 - AutoRun File - [2010.03.18 23:09:48 | 000,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ] O32 - AutoRun File - [2009.05.20 08:12:16 | 000,000,000 | ---D | M] - E:\autorun -- [ FAT32 ] O32 - AutoRun File - [2010.03.18 23:09:50 | 
000,000,000 | RHSD | M] - E:\autorun.inf -- [ FAT32 ] O32 - AutoRun File - [2006.12.11 16:03:59 | 000,000,277 | R--- | M] () - F:\autorun.inf -- [ CDFS ] O32 - AutoRun File - [2010.03.18 23:09:50 | 000,000,000 | RHSD | M] - G:\autorun.inf -- [ FAT ] O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = ComFile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found NetSvcs: 6to4 - File not found NetSvcs: Ias - C:\WINDOWS\system32\ias [2006.07.28 13:13:02 | 000,000,000 | ---D | M] NetSvcs: Iprip - File not found NetSvcs: Irmon - File not found NetSvcs: NWCWorkstation - File not found NetSvcs: Nwsapagent - File not found NetSvcs: WmdmPmSp - File not found MsConfig - State: "system.ini" - 0 MsConfig - State: "win.ini" - 0 MsConfig - State: "bootini" - 0 MsConfig - State: "services" - 0 MsConfig - State: "startup" - 0 CREATERESTOREPOINT Restore point Set: OTL Restore Point (16891891626803200) ========== Files/Folders - Created Within 30 Days ========== Quote
igrek001 Posted March 19, 2010 Author
========== Files/Folders - Created Within 30 Days ==========
========== Files - Modified Within 30 Days ==========
========== Files Created - No Company Name ==========