Jump to content

Recommended Posts

Posted

I have Dell desktop computer with Windows XP, pack 3....

After scanning my harddrive with Super AntiSpyware, when I click any icon on my Desktop, appears table with 'Open with'... and when I try to open with any program, message appears: 'the (name of program I try to open) is not valid Win32 application'...

Help, please with this problem..

  • Replies 59
  • Created
  • Last Reply

Top Posters In This Topic

Posted

Considering you have had previous infections it's likely that this is caused by malware.

 

Is this just the desktop shortcut icons that cause this error? Have you tried other shortcuts? Have you tried opening programs with the exe file instead of a shortcut? Can you give us an example of what programs won't open?

 

Did you ever get rid of your previous infections? What antivirus program do you have? Was there any particular reason you were scanning with SuperAntispyware? Did it find and remove anything? If so what?

We are all members helping other members. Please return here where you may be able to help someone else. After all, no one knows everything and you may have the answer that someone needs.

Get help with computer problems. Join Free PC Help here

 

Donations are welcome. Read Here

Posted

Thank you for response. I'll try to answer to questions you ask.

Practicaly all shortcuts icons cause the 'Open with' table. And when I tried to open program from .exe in 'Program files', the same 'Open with' appears. Example of programs I tried to open: all Microsoft Office 2003, Nero7, Chrome browser and others..

The reason for scanning with SuperAntispyware was annoyed pop-antivirus program XP 2010.

SuperAntispyware showed more than 50 spyware program and removed them. I don't remember exactly, but there was two relaited to Trojan and all other sort of cookies...

Posted

Hi igrek001,

 

try running this program and post the results:

 

Please download exeHelper to your desktop.

If your AV program throws up a warning about the program, ignore the warning. Some AV's flag this program because of how it works... that's all.

  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of exehelperlog.txt ( Will be created in the directory where you ran exeHelper.com and should open at the end of the scan)

Note : If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together ( they will both be in the one file ).

 

Thanks

Member of:

UNITE

Posted

Thank you very much... I followed to your instruction, and after closing the black window received the

exehelperlog.txt -Notepad:

 

exeHelper by Raktor

Build 20091220

Run at 20:23:08 on 03/07/10

Now searching...

Checking for numerical processes...

Checking for sysguard processes...

Checking for bad processes...

Checking for bad files...

Checking for bad registry entries...

Resetting filetype association for .exe

Resetting filetype association for .com

Resetting userinit and shell values...

Resetting policies...

--Finished--

 

where should I post it??... so far, I still have problem to open programs... :-(

Posted

Hi igrek001

 

Because your problem is almost definately malware related, i'm going to move your thread to the malware removal forum.

We'll continue there.

 

Thanks

Member of:

UNITE

Posted
'the (name of program I try to open) is not valid Win32 application'
this statement is usually a sign of a bagle worm infection.

This can be a right pig, so let's see if we can break it's hold enough to remove it.

 

Step 1

 

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

 

Link 1

Link 2

 

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

 

 

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

 

This is an example, you may rename ComboFix to anything you want.

 

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix.
    For more information read:
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
     
    Then:
     
    Double click on Combo-Fix.exe & follow the prompts.
     
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    If running Vista, you may not see this screen
     
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

 

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

 

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

 

http://img.photobucket.com/albums/v706/ried7/whatnext.png

 

Click on Yes, to continue scanning for malware.

 

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

 

 

Note:

Do not mouseclick combofix's window while it's running. That may cause it to stall

 

If Combofix won't run.... try renaming it with a .com extension.

 

Thanks

Member of:

UNITE

Posted

Hello, Starbuck!!

 

Thank you for your detail instruction, but there are problems to open the Combo-fix and disable Anti-virus and Antimalware programs, as you recommended... after I double click any of them, appears table: Open with... and when I try to choose something the same message: ... this is not valid Win32 application... :-(... the instruction 'How to temporary disable antivirus ....' still require first open them, but I cannot...:-(

Posted

Hi igrek001

 

If you managed to download Combofix, try this:

 

Please reboot your computer in Safe Mode by doing the following :

 

* Restart your computer

* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

* Instead of Windows loading as normal, a menu with options should appear;

You will need to use the 'keyboard arrow keys' to navigate on this menu.

* Select the first option, to run Windows in Safe Mode, then press "Enter".

* Then choose your usual account.

 

This should stop most AV's from running.

 

Now run Combofix.

Don't worry too much about the recovery console for the time being, we can address that later.

Let's see if we can get a scan done first.

 

Thanks.

Member of:

UNITE

Posted

hello, Starbuck!!

I wasn't lucky: in the Safe Mode, when I click on Combofix (I change the file name to Fixer, as you adviced), the same table 'Open with' appears... :-)

I can open only my default browther Slimbrowser and all favorit programs I have there... also I can open 'My Computer' and 'My documets' ... that's all... no one program with .exe from the Desktop cannot be opened...

Posted (edited)
yes, I have laptop
That's good.

The malware is stopping us from removing it by blocking .exe programs, so we'll have to use a different way of breaking it's strong hold.

This will mean booting your system into another operating system and removing the malware that way:

 

OK this file is big... print these instruction out so that you know what you are doing

 

Two programmes to download

 

First

 

ISOBurner this will allow you to burn OTLPE.iso to a CD and make it bootable. Just install the programme, from there on in it is fairly automatic. Instructions

 

Second

 

  • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is approx 290Mb in size so it may take some time to download.
  • When downloaded double click and this will then open ISOBurner to burn the file to CD
  • Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :)
     
  • Your system should now display a Reatogo desktop.
    Note : as you are running from CD it is not exactly speedy
  • Double-click on the OTLPE icon.
  • Select the Windows folder of the infected drive if it asks for a location
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings.
  • Change Drivers to All
  • Change Registry to All
  • Under the Custom Scan box paste this in:
     
    %SYSTEMDRIVE%\*.*
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\System32\config\*.sav
     
     
    You can copy and paste these entries and save them on a usb stick.
    You can then copy and paste into the custom scan area easily.
     
     
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system.
  • Right click the file and select send to : select the USB drive.
  • Confirm that it has copied to the USB drive by selecting it
  • You can backup any files that you wish from this OS
  • Please post the contents of the C:\OTL.txt file in your reply.

 

If the report is too big to post here, add it as an attachment.

 

Thanks

Edited by Starbuck

Member of:

UNITE

Posted

Thank you very much, Starbuck!!...

 

There was no reason to do this , because suddenly PC allowed me to install previosly downloaded Combofix program, you recomended... I scanned my computer with this program, receive log report and saved it.... now all programs open easy, thank you again!!!

Posted

Hi igrek001

 

because suddenly PC allowed me to install previosly downloaded Combofix program
Typical :confused:

 

I scanned my computer with this program, receive log report and saved it.
Ok, let me have the report and i'll make sure there's nothing else to remove.

Member of:

UNITE

Posted

Here it is (it's pretty big, and I'm not sure, that here is enough space..)

ComboFix 10-03-08.01 - Administrator 03/10/2010 0:08.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1251.7.1033.18.3062.2659 [GMT -5:00]

Running from: c:\documents and settings\Administrator\Desktop\Fixer.exe

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Administrator\Application Data\Desktopicon

c:\documents and settings\Administrator\Application Data\Desktopicon\config.ini

c:\documents and settings\Administrator\Application Data\Desktopicon\eBayShortcuts.exe

c:\documents and settings\All Users\Application Data\Wyeke

c:\documents and settings\All Users\Application Data\Wyeke\wyeke139.exe

c:\program files\Mail.Ru\Agent\Mra\dll\newmrasearch.dll

c:\program files\Wyeke

c:\program files\Wyeke\uninstall.exe

c:\program files\Wyeke\wyeke.dll

c:\program files\Wyeke\wyeke.exe

c:\recycler\S-1-5-21-1547161642-1647877149-839522115-500

c:\windows\Temp\tmp3.tmp

E:\autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_WYEKE_SERVICE

-------\Service_Wyeke Service

 

((((((((((((((((((((((((( Files Created from 2010-02-10 to 2010-03-10 )))))))))))))))))))))))))))))))

.

2010-03-10 05:18 . 2010-03-10 05:18 439816 ----a-w- c:\documents and settings\Administrator\Application Data\Real\Update\setup3.10\setup.exe

2010-03-07 05:36 . 2010-03-07 05:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

2010-03-07 05:36 . 2010-03-07 05:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Office Genuine Advantage

2010-03-05 04:53 . 2010-03-05 04:53 -------- d-----w- c:\program files\25 Кадр

2010-02-28 05:30 . 2010-03-05 05:19 -------- d-----w- c:\program files\stitch_color

2010-02-28 05:09 . 2010-02-28 05:29 286720 ------w- c:\windows\Setup1.exe

2010-02-28 05:09 . 2010-02-28 05:29 73216 ----a-w- c:\windows\ST6UNST.EXE

2010-02-28 04:47 . 2010-02-28 04:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\RyijyApp

2010-02-28 04:46 . 2010-02-28 04:46 11454 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{DB0D2734-55AB-437E-B629-1F167CAF7921}\_FFE8D63FEF90B8AD2E7FC9.exe

2010-02-28 04:46 . 2010-02-28 04:46 11454 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{DB0D2734-55AB-437E-B629-1F167CAF7921}\_6FEFF9B68218417F98F549.exe

2010-02-28 04:46 . 2010-02-28 04:46 11454 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{DB0D2734-55AB-437E-B629-1F167CAF7921}\_53E431C98DE07307821BFE.exe

2010-02-28 04:46 . 2010-02-28 04:46 -------- d-----w- c:\program files\Ryijy Stitch Designer

2010-02-28 04:34 . 2000-06-29 08:45 52224 ----a-w- c:\windows\system32\Crypserv.exe

2010-02-28 04:34 . 2000-02-03 19:53 24608 ----a-w- c:\windows\system32\Ckldrv.sys

2010-02-28 04:34 . 1999-06-18 20:49 165888 ----a-w- c:\windows\Ckconfig.exe

2010-02-28 04:34 . 1996-05-03 16:21 27648 ----a-r- c:\windows\Setup_ck.exe

2010-02-28 04:34 . 1996-05-03 14:36 18432 ----a-w- c:\windows\Setup_ck.dll

2010-02-28 04:34 . 1995-07-04 17:33 11776 ----a-w- c:\windows\Ckrfresh.exe

2010-02-28 04:34 . 2010-02-28 04:34 -------- d-----w- c:\program files\HobbyWare

2010-02-28 04:33 . 2010-02-28 04:33 -------- d-----w- c:\windows\Downloaded Installations

2010-02-28 03:21 . 2010-02-28 03:22 -------- d-----w- c:\program files\25 ????

2010-02-25 04:17 . 1999-05-26 14:46 212480 ----a-w- c:\windows\system32\pcdlib32.dll

2010-02-25 04:17 . 2010-02-25 04:17 -------- d-----w- c:\program files\STOIK

2010-02-25 04:16 . 1999-11-17 23:56 327168 ----a-w- c:\windows\IsUn0419.exe

2010-02-25 04:06 . 2010-02-26 02:28 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\free-downloads.net

2010-02-25 04:06 . 2010-02-25 04:06 -------- d-----w- c:\program files\free-downloads.net

2010-02-25 04:06 . 2010-01-20 17:16 52224 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xtv209is.default\extensions\{ecdee021-0d17-467f-a1ff-c7a115230949}\components\FFExternalAlert.dll

2010-02-25 04:06 . 2010-01-20 17:16 101376 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xtv209is.default\extensions\{ecdee021-0d17-467f-a1ff-c7a115230949}\components\RadioWMPCore.dll

2010-02-25 04:05 . 2010-02-25 04:05 -------- d-----w- c:\program files\Alcohol Soft

2010-02-25 04:02 . 2010-02-25 04:02 691696 ----a-w- c:\windows\system32\drivers\sptd.sys

2010-02-25 03:29 . 2010-02-28 05:13 -------- d-----w- c:\program files\eMule

2010-02-16 04:40 . 2010-02-16 04:40 -------- d-----w- c:\program files\Common Files\xing shared

2010-02-16 04:39 . 2010-02-16 04:39 -------- d-----w- c:\program files\Real

2010-02-16 04:39 . 2010-02-16 04:40 -------- d-----w- c:\program files\Common Files\Real

2010-02-10 02:16 . 2010-02-10 02:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

1601-01-01 00:00 . 1601-01-01 00:00 0 ----a-w- c:\documents and settings\Administrator\Application Data\Real\Update\temp\~Upg0\setup.exe

1601-01-01 00:00 . 1601-01-01 00:00 0 ----a-w- c:\documents and settings\Administrator\Application Data\Real\Update\temp\~Upg0\install.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-10 05:18 . 2008-10-09 03:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\OpenOffice.org2

2010-03-10 05:03 . 2008-10-09 06:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\SlimBrowser

2010-03-10 04:54 . 2010-02-07 03:17 -------- d-----w- c:\program files\SlimBrowser

2010-03-07 05:45 . 2008-10-09 12:42 1 ----a-w- c:\documents and settings\Administrator\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys

2010-03-05 07:21 . 2009-11-30 03:48 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-03-05 05:20 . 2008-09-23 07:42 48488 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-03-05 04:49 . 2009-12-20 03:56 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-03-01 04:25 . 2008-10-23 01:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\dvdcss

2010-02-26 02:19 . 2008-12-21 18:53 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-02-22 19:04 . 2009-11-30 03:47 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-02-16 04:39 . 2008-05-09 04:01 499712 ----a-w- c:\windows\system32\msvcp71.dll

2010-02-16 04:39 . 2008-05-09 04:01 348160 ----a-w- c:\windows\system32\msvcr71.dll

2010-02-11 18:53 . 2008-12-12 03:18 38848 ----a-w- c:\windows\system32\avastSS.scr

2010-02-11 18:53 . 2008-12-12 03:17 153184 ----a-w- c:\windows\system32\aswBoot.exe

2010-02-11 18:42 . 2008-12-12 03:18 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-02-11 18:42 . 2008-12-12 03:18 162512 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-02-11 18:39 . 2008-12-12 03:18 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-02-11 18:38 . 2008-12-12 03:18 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2010-02-11 18:38 . 2008-12-12 03:18 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys

2010-02-11 18:38 . 2008-12-12 03:18 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-02-11 18:38 . 2008-12-12 03:18 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2010-02-10 02:18 . 2008-10-22 04:50 -------- d-----w- c:\program files\Alwil Software

2010-02-08 03:46 . 2010-02-08 03:46 -------- d-----w- c:\program files\Common Files\Webroot Shared

2010-02-08 03:46 . 2008-11-08 04:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Webroot

2010-02-08 03:46 . 2010-02-08 03:46 -------- d-----w- c:\program files\Webroot

2010-02-07 05:00 . 2009-11-07 03:31 -------- d-----w- c:\program files\My.Freeze.com NetAssistant

2010-01-23 04:25 . 2008-10-09 13:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype

2010-01-23 02:56 . 2008-10-19 04:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM

2010-01-21 04:37 . 2008-05-09 03:12 -------- d-----w- c:\program files\Microsoft Silverlight

2010-01-05 10:00 . 2004-08-12 13:33 832512 ----a-w- c:\windows\system32\wininet.dll

2010-01-05 10:00 . 2004-08-12 13:19 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-01-05 10:00 . 2004-08-12 13:18 17408 ----a-w- c:\windows\system32\corpol.dll

2009-12-31 16:50 . 2004-08-12 13:30 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-16 18:43 . 2006-07-28 17:09 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:08 . 2004-08-12 13:18 33280 ----a-w- c:\windows\system32\csrsrv.dll

2008-10-09 13:15 . 2008-10-09 13:15 22404904 ----a-w- c:\program files\SkypeSetup.exe

2008-10-09 06:23 . 2008-10-09 06:23 1975910 ----a-w- c:\program files\sbsetup.exe

2008-10-08 21:08 . 2008-10-08 21:08 5047800 ----a-w- c:\program files\magentsetup.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{a33fa729-d155-4b23-842b-2c665ecabdb6}"= "c:\program files\The_Pirate_Bay\tbThe1.dll" [2010-02-26 2349080]

"{ca9e4d90-1386-42f8-9f36-df74277aabc2}"= "c:\program files\TV_Mule\tbTV_1.dll" [2010-02-26 2349080]

"{ecdee021-0d17-467f-a1ff-c7a115230949}"= "c:\program files\free-downloads.net\tbfree.dll" [2009-12-31 2349080]

[HKEY_CLASSES_ROOT\clsid\{a33fa729-d155-4b23-842b-2c665ecabdb6}]

[HKEY_CLASSES_ROOT\clsid\{ca9e4d90-1386-42f8-9f36-df74277aabc2}]

[HKEY_CLASSES_ROOT\clsid\{ecdee021-0d17-467f-a1ff-c7a115230949}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a33fa729-d155-4b23-842b-2c665ecabdb6}]

2010-02-26 02:28 2349080 ----a-w- c:\program files\The_Pirate_Bay\tbThe1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca9e4d90-1386-42f8-9f36-df74277aabc2}]

2010-02-26 02:28 2349080 ----a-w- c:\program files\TV_Mule\tbTV_1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ecdee021-0d17-467f-a1ff-c7a115230949}]

2009-12-31 16:53 2349080 ----a-w- c:\program files\free-downloads.net\tbfree.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{a33fa729-d155-4b23-842b-2c665ecabdb6}"= "c:\program files\The_Pirate_Bay\tbThe1.dll" [2010-02-26 2349080]

"{ca9e4d90-1386-42f8-9f36-df74277aabc2}"= "c:\program files\TV_Mule\tbTV_1.dll" [2010-02-26 2349080]

"{ecdee021-0d17-467f-a1ff-c7a115230949}"= "c:\program files\free-downloads.net\tbfree.dll" [2009-12-31 2349080]

[HKEY_CLASSES_ROOT\clsid\{a33fa729-d155-4b23-842b-2c665ecabdb6}]

[HKEY_CLASSES_ROOT\clsid\{ca9e4d90-1386-42f8-9f36-df74277aabc2}]

[HKEY_CLASSES_ROOT\clsid\{ecdee021-0d17-467f-a1ff-c7a115230949}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{A33FA729-D155-4B23-842B-2C665ECABDB6}"= "c:\program files\The_Pirate_Bay\tbThe1.dll" [2010-02-26 2349080]

"{CA9E4D90-1386-42F8-9F36-DF74277AABC2}"= "c:\program files\TV_Mule\tbTV_1.dll" [2010-02-26 2349080]

[HKEY_CLASSES_ROOT\clsid\{a33fa729-d155-4b23-842b-2c665ecabdb6}]

[HKEY_CLASSES_ROOT\clsid\{ca9e4d90-1386-42f8-9f36-df74277aabc2}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-22 2012912]

"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-12-01 135664]

"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2005-04-20 894464]

"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe" [2009-11-15 33120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-02 153136]

"MAgent"="c:\program files\Mail.Ru\Agent\MAgent.exe" [2009-10-31 4417016]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-02-11 2756488]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-16 198160]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Belkin Wireless G USB Adapter Client Utility.lnk - c:\program files\Belkin\F5D7050v5\Belkinwcui.exe [2008-10-8 1564672]

hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-6 147456]

hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\BitLord\\BitLord.exe"=

"c:\\Program Files\\eMule\\emule.exe"=

"c:\\Program Files\\Mail.Ru\\Agent\\magent.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Documents and Settings\\Administrator\\tetatet\\tetatet.exe"=

"c:\\Program Files\\Adobe\\Acrobat.com\\Acrobat.com.exe"=

"c:\\Program Files\\ooVoo\\ooVoo.exe"=

"c:\\Program Files\\Hercules\\Classic Silver\\Station2.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\SlimBrowser\\sbrowser.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443

"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443

"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674

"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674

"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 a320raid;a320raid;c:\windows\system32\drivers\a320raid.sys [11/2/2006 1:57 PM 218112]

R0 aac;PERC 320/DC SCSI RAID Miniport Driver;c:\windows\system32\drivers\aac.sys [11/2/2006 1:57 PM 48140]

R0 aarich;aarich;c:\windows\system32\drivers\aarich.sys [11/2/2006 1:57 PM 204800]

R0 megasas;DELL PERC RAID Driver;c:\windows\system32\drivers\megasas.sys [11/2/2006 1:57 PM 17664]

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/24/2010 11:02 PM 691696]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/11/2008 10:18 PM 162512]

R1 ISODisk;ISODisk;c:\windows\system32\drivers\ISODisk.sys [10/2/2009 1:07 PM 9600]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/23/2009 8:43 AM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 66632]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/11/2008 10:18 PM 19024]

R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/8/2008 10:41 PM 38144]

R2 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [10/12/2009 11:33 AM 46824]

R3 BELKIN;Belkin Wireless G USB Network Adapter;c:\windows\system32\drivers\BLKWGU.sys [10/8/2008 10:42 PM 238848]

R3 camfilt2;camfilt2;c:\windows\system32\drivers\camfilt2.sys [12/4/2009 8:13 PM 94720]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 12872]

S3 AVEO;AVEO USB2.0 PC Camera;c:\windows\system32\drivers\aveodcnt.sys [10/29/2009 12:53 PM 171520]

S3 P1120VID;Creative WebCam NX Ultra;c:\windows\system32\drivers\P1120Vid.sys [10/9/2008 1:42 AM 1252474]

S3 Rocket;eBook Service;c:\windows\system32\drivers\eRocket.sys [11/14/2008 9:06 AM 44621]

S4 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [11/2/2006 1:57 PM 11029]

.

Contents of the 'Scheduled Tasks' folder

2009-02-14 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8223500795.job

- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 12:52]

2010-02-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3105199670-2300768646-1652051771-500Core.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-01 01:38]

2010-03-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3105199670-2300768646-1652051771-500UA.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-01 01:38]

2010-03-10 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]

2009-11-07 c:\windows\Tasks\PCConfidential.job

- c:\program files\Winferno\PC Confidential\PCConfidential.exe [2009-11-07 19:10]

2010-03-10 c:\windows\Tasks\RegPowerClean.job

- c:\program files\Winferno\RegistryPowerCleaner\RegPowerClean.exe [2009-11-07 19:48]

2010-03-10 c:\windows\Tasks\RPCReminder.job

- c:\program files\Winferno\RegistryPowerCleaner\RPCReminder.exe [2009-11-07 19:34]

.

Posted

there is not all.... here is the second part:

 

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

IE: Iaeoe a eioa?iaoa - c:\program files\Mail.Ru\Sputnik\MailRuSputnik.dll/282

IE: Iaeoe a neiaa?yo - c:\program files\Mail.Ru\Sputnik\MailRuSputnik.dll/283

IE: {{7558B7E5-7B26-4201-BEDB-00D5FF534523} - c:\program files\Mail.Ru\Agent\magent.exe

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xtv209is.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1098640&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine - free-downloads.net Customized Web Search

FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT1098640&SearchSource=13

FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xtv209is.default\extensions\{ecdee021-0d17-467f-a1ff-c7a115230949}\components\FFExternalAlert.dll

FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xtv209is.default\extensions\{ecdee021-0d17-467f-a1ff-c7a115230949}\components\RadioWMPCore.dll

FF - component: c:\program files\PayPal\PayPal Plug-In\components\PayPalPlugin.dll

FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll

FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.17\npGoogleOneClick8.dll

FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - c:\program files\My.Freeze.com NetAssistant\NetAssistant.dll

Toolbar-{D0523BB4-21E7-11DD-9AB7-415B56D89593} - c:\program files\My.Freeze.com Toolbar\freeze_sa_us.dll

WebBrowser-{D0523BB4-21E7-11DD-9AB7-415B56D89593} - c:\program files\My.Freeze.com Toolbar\freeze_sa_us.dll

HKCU-Run-Weather - c:\program files\AWS\WeatherBug\Weather.exe

AddRemove-My.Freeze.com Toolbar - c:\program files\My.Freeze.com Toolbar\settings_uninstall_app.exe

AddRemove-{73317C31-2B6E-4B88-9865-B97C1331A39D} - c:\program files\InstallShield Installation Information\{73317C31-2B6E-4B88-9865-B97C1331A39D}\setup.exe

AddRemove-{D593C72C-435B-4171-8106-9CA8AA34D716} - c:\program files\InstallShield Installation Information\{D593C72C-435B-4171-8106-9CA8AA34D716}\SETUP.EXE

 

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2010-03-10 00:17

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, GMER - Rootkit Detector and Remover

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys sphq.sys hal.dll >>UNKNOWN [0x8A7BB938]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xba91cf28

\Driver\ACPI -> ACPI.sys @ 0xba674cb8

\Driver\atapi -> atapi.sys @ 0xba549b40

\Driver\iaStor -> iaStor.sys @ 0xba590e20

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022

ParseProcedure -> ntkrnlpa.exe @ 0x80577c84

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022

ParseProcedure -> ntkrnlpa.exe @ 0x80577c84

NDIS: -> SendCompleteHandler -> 0x0

PacketIndicateHandler -> 0x0

SendHandler -> 0x0

user & kernel MBR OK

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3924)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Alwil Software\Avast5\AvastSvc.exe

c:\windows\system32\crypserv.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

c:\windows\system32\wwSecure.exe

c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe

c:\program files\OpenOffice.org 2.4\program\soffice.exe

c:\program files\OpenOffice.org 2.4\program\soffice.BIN

c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

.

**************************************************************************

.

Completion time: 2010-03-10 00:22:02 - machine was rebooted

ComboFix-quarantined-files.txt 2010-03-10 05:21

Pre-Run: 224,936,873,984 bytes free

Post-Run: 225,820,241,920 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 368996277F1320040CE042C25480B202

Posted

Hi igrek001

 

Step 1

Please download DeFogger to your desktop.

 

Double click DeFogger to run the tool.

  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

 

Do not re-enable these drivers until otherwise instructed.

 

Step 2

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
     
    http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif
     
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

 

In your next reply, please submit:

Gmer.log

 

 

Thanks.

Member of:

UNITE

Posted

Hello, Starbuck! Thank you for your support. I followed your instruction accurately. Here is copy of the gmer.log:

 

GMER 1.0.15.15281 - GMER - Rootkit Detector and Remover

Rootkit scan 2010-03-13 00:20:00

Windows 5.1.2600 Service Pack 3

Running: 4etrb7jr.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kxloifow.sys

 

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA892EC5A]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xA892EB16]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xA892F0CA]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xA892EFF4]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xA892E6EC]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xA892EBF0]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xA892E62C]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xA892E690]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xA892ED10]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xA892F198]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xA892ECD0]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xA892EE50]

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA8A40320]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xA893B4FE]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xA893B322]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xA893B45C]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwLoadDriver 80579608 7 Bytes JMP A893B460 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

PAGE ntkrnlpa.exe!NtCreateSection 805A076A 7 Bytes JMP A893B326 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805B1CEE 5 Bytes JMP A89374BA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

PAGE ntkrnlpa.exe!ObInsertObject 805B8B66 5 Bytes JMP A8938972 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C73F8 7 Bytes JMP A893B502 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB92C0F80]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[888] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 005C0002

IAT C:\WINDOWS\system32\services.exe[888] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 005C0000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Fastfat \FatCdrom aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x95 0xC1 0xC2 0xED ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xCF 0xC5 0xA8 0x4F ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x5E 0x47 0xF0 0xFA ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x95 0xC1 0xC2 0xED ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xCF 0xC5 0xA8 0x4F ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x5E 0x47 0xF0 0xFA ...

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\FormatFactory (

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\FormatFactory (@SlowInfoCache 0x28 0x02 0x00 0x00 ...

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\FormatFactory (@Changed 0

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FormatFactory (

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FormatFactory (@DisplayName FormatFactory (????????) V1.70 ??????????

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FormatFactory (@UninstallString C:\Program Files\FormatFactory\uninst.exe

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FormatFactory (@DisplayIcon C:\Program Files\FormatFactory\FormatFactory.exe

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FormatFactory (@DisplayVersion V1.70 ??????????

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FormatFactory (@URLInfoAbout formatfactory_¶àÌØÈí¼þËÑË÷_¶àÌØÈí¼þÕ¾ (????????)

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FormatFactory (@Publisher ??????????

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\FormatFactory (

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\FormatFactory (@Order 0x08 0x00 0x00 0x00 ...

---- EOF - GMER 1.0.15 ----

Posted

Hi igrek001

 

I can't find any information on the 2 following programs, do you know what they are?

 

c:\program files\25 Кадр

c:\program files\25 ????

 

If you have no idea, run this script and we'll take a look at the contents;

 

Close any open browsers.

Close/disable all anti virus, firewall and anti malware programs so they do not interfere with the running of ComboFix:

 

Open Notepad - it must be Notepad, not Wordpad.

Copy the text below in the code box by highlighting all the text and pressing Ctrl+C

DirLook::
c:\program files\25 Кадр
c:\program files\25 ????

Go to the Notepad window and click Edit >> Paste

Then click File >> Save

Name the file "CFScript.txt" (including the quotes)

Save the file to your Desktop

 

The main ComboFix.exe program should be on your Desktop

Drag the file you just created... CFScript.txt and drop it on the main ComboFix.exe icon

as below.

http://i275.photobucket.com/albums/jj285/Bleeping/Combofix/cf.gif

 

Now please wait for ComboFix to finish running.

 

Please Note: Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash

 

Thanks

Member of:

UNITE

Posted

Hello, Starbuck!

 

I know the program '25 kadr'... this is a russian program for quickly learn English... it works only with special CD I downloaded and burned from the russian torrent site...

should I still follow to your last recomendation??

Posted

Hi igrek001

 

Thanks for letting me know.

You need not run the script.

 

ComboFix is showing a possible USB infection, we'll take care of that and then a couple of other scans done.

 

Step 1

Temporarily disable your anti-virus, script blocking and any real time protection programs before downloading this tool as it can be falsely flagged as malware.

 

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.

  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.

Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

 

Step 2

Download CKScanner

 

Important - Save it to your desktop.

Doubleclick CKScanner.exe and click Search For Files.

After a very short time, when the cursor hourglass disappears, click Save List To File.

A message box will verify the file has been saved.

Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

 

Step 3

  • Download OTL to your desktop.
    if you have problems, try this download link:
    OTL
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check

.

 

.

http://img.photobucket.com/albums/v708/starbuck50/new/newOtl2.png


    Now copy the lines in the codebox below.
    netsvcs
    msconfig
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    CREATERESTOREPOINT
    

  • right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
     
    http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
    .
  • Click the Run Scan button.
     
    http://img.photobucket.com/albums/v708/starbuck50/runscan.png
     
  • Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

 

In your next reply, please submit:

Report from CKScanner

Both reports from OTL

 

 

Thanks.

Member of:

UNITE

Posted

Hello, Starbuck!! Thank you for your detail instruction. For some reason the CK Scanner didn't dowloaded, instead window with message, that it couldn't be found appears.

Therefore, I'm sending only the OTL report:

 

OTL logfile created on: 18.03.2010 23:19:55 - Run 1

OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Administrator\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000419 | Country: Russia | Language: RUS | Date Format: dd.MM.yyyy

 

3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 82,00% Memory free

4,00 Gb Paging File | 3,00 Gb Available in Paging File | 89,00% Paging File free

Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

 

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 233,76 Gb Total Space | 208,62 Gb Free Space | 89,25% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

Drive E: | 232,83 Gb Total Space | 211,49 Gb Free Space | 90,84% Space Free | Partition Type: FAT32

Drive F: | 5,45 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS

Drive G: | 1,91 Gb Total Space | 0,93 Gb Free Space | 48,55% Space Free | Partition Type: FAT

H: Drive not present or media not loaded

I: Drive not present or media not loaded

 

Computer Name: WXP-F03WF61

Current User Name: Administrator

Logged in as Administrator.

 

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

 

========== Processes (SafeList) ==========

 

PRC - C:\Documents and Settings\Administrator\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)

PRC - C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)

PRC - C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)

PRC - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (ALWIL Software)

PRC - C:\Program Files\SlimBrowser\sbrowser.exe (FlashPeak, Inc.)

PRC - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe (StarWind Software)

PRC - C:\Program Files\Xobni\XobniService.exe (Xobni Corporation)

PRC - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\OpenOffice.org 2.4\program\soffice.bin (OpenOffice.org)

PRC - C:\Program Files\OpenOffice.org 2.4\program\soffice.exe (OpenOffice.org)

PRC - C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)

PRC - C:\Program Files\Belkin\F5D7050v5\Belkinwcui.exe (Belkin)

PRC - C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)

PRC - C:\Program Files\Webroot\Washer\wwDisp.exe (Webroot Software)

PRC - C:\WINDOWS\system32\wwSecure.exe (Webroot Software, Inc.)

PRC - C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)

PRC - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe (Hewlett-Packard Co.)

PRC - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe (Hewlett-Packard)

PRC - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe (Hewlett-Packard Co.)

PRC - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe (Hewlett-Packard Co.)

PRC - C:\WINDOWS\system32\Crypserv.exe (Kenonic Controls Ltd.)

 

 

========== Modules (SafeList) ==========

 

MOD - C:\Documents and Settings\Administrator\Desktop\OTL.exe (OldTimer Tools)

MOD - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll (RealPlayer)

MOD - C:\WINDOWS\system32\msvcp71.dll (Microsoft Corporation)

MOD - C:\WINDOWS\system32\msvcr71.dll (Microsoft Corporation)

MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\GdiPlus.dll (Microsoft Corporation)

 

 

========== Win32 Services (SafeList) ==========

 

SRV - (avast! Web Scanner) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (ALWIL Software)

SRV - (avast! Mail Scanner) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (ALWIL Software)

SRV - (avast! Antivirus) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (ALWIL Software)

SRV - (StarWindServiceAE) -- C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe (StarWind Software)

SRV - (XobniService) -- C:\Program Files\Xobni\XobniService.exe (Xobni Corporation)

SRV - (SeaPort) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)

SRV - (wwSecSvc) -- C:\WINDOWS\system32\wwSecure.exe (Webroot Software, Inc.)

SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\HPZipm12.exe (HP)

SRV - (Crypkey License) -- C:\WINDOWS\System32\Crypserv.exe (Kenonic Controls Ltd.)

 

 

========== Driver Services (SafeList) ==========

 

DRV - (sptd) -- C:\WINDOWS\System32\Drivers\sptd.sys (Duplex Secure Ltd.)

DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)

DRV - (SASENUM) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS ( SUPERAdBlocker.com and SUPERAntiSpyware.com)

DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)

DRV - (aswTdi) -- C:\WINDOWS\system32\drivers\aswTdi.sys (ALWIL Software)

DRV - (aswSP) -- C:\WINDOWS\system32\drivers\aswSP.sys (ALWIL Software)

DRV - (aswRdr) -- C:\WINDOWS\system32\drivers\aswRdr.sys (ALWIL Software)

DRV - (aswMon2) -- C:\WINDOWS\system32\drivers\aswmon2.sys (ALWIL Software)

DRV - (aswFsBlk) -- C:\WINDOWS\system32\drivers\aswFsBlk.sys (ALWIL Software)

DRV - (Aavmker4) -- C:\WINDOWS\system32\drivers\aavmker4.sys (ALWIL Software)

DRV - (AVEO) -- C:\WINDOWS\system32\drivers\aveodcnt.sys (AVEO Corp)

DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\usbaudio.sys (Microsoft Corporation)

DRV - (Aspi32) -- C:\WINDOWS\system32\drivers\ASPI32.SYS (Adaptec)

DRV - (camfilt2) -- C:\WINDOWS\system32\drivers\camfilt2.sys (Guillemot Corporation)

DRV - (SNPSTD3) -- C:\WINDOWS\system32\drivers\snpstd3.sys (Sonix Co. Ltd.)

DRV - (BELKIN) -- C:\WINDOWS\system32\drivers\BLKWGU.sys (Belkin Corporation. )

DRV - (Symmpi) -- C:\WINDOWS\System32\DRIVERS\symmpi.sys (LSI Logic)

DRV - (iaStor) -- C:\WINDOWS\System32\DRIVERS\iaStor.sys (Intel Corporation)

DRV - (ISODisk) -- C:\WINDOWS\system32\drivers\ISODisk.sys ()

DRV - (megasas) -- C:\WINDOWS\system32\drivers\megasas.sys (LSI Logic Corporation)

DRV - (aarich) -- C:\WINDOWS\system32\DRIVERS\aarich.sys (Adaptec, Inc.)

DRV - (a320raid) -- C:\WINDOWS\System32\DRIVERS\a320raid.sys (Adaptec, Inc.)

DRV - (AFS2K) -- C:\WINDOWS\system32\drivers\AFS2K.SYS (Oak Technology Inc.)

DRV - (senfilt) -- C:\WINDOWS\system32\drivers\senfilt.sys (Creative Technology Ltd.)

DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)

DRV - (aac) -- C:\WINDOWS\System32\DRIVERS\aac.sys (Adaptec, Inc.)

DRV - (adpu320) -- C:\WINDOWS\system32\drivers\adpu320.sys (Adaptec, Inc.)

DRV - (P1120VID) -- C:\WINDOWS\system32\drivers\P1120Vid.sys (Creative Technology Ltd.)

DRV - (P1110VID) -- C:\WINDOWS\system32\drivers\P1110Vid.sys (Creative Technology Ltd.)

DRV - (fasttx2k) -- C:\WINDOWS\System32\DRIVERS\fasttx2k.sys (Promise Technology, Inc.)

DRV - (vmscsi) -- C:\WINDOWS\system32\drivers\vmscsi.sys (VMware, Inc.)

DRV - (Rocket) -- C:\WINDOWS\system32\drivers\eRocket.sys (GemStar)

DRV - (NetworkX) -- C:\WINDOWS\system32\ckldrv.sys ()

 

 

========== Standard Registry (SafeList) ==========

 

 

========== Internet Explorer ==========

Posted

========== Standard Registry (SafeList) ==========

 

 

========== Internet Explorer ==========

 

 

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = Google

IE - HKCU\..\URLSearchHook: {09900DE8-1DCA-443F-9243-26FF581438AF} - C:\Program Files\Mail.Ru\Sputnik\MailRuSputnik.dll (@Mail.Ru)

IE - HKCU\..\URLSearchHook: {a33fa729-d155-4b23-842b-2c665ecabdb6} - C:\Program Files\The_Pirate_Bay\tbThe1.dll (Conduit Ltd.)

IE - HKCU\..\URLSearchHook: {ca9e4d90-1386-42f8-9f36-df74277aabc2} - C:\Program Files\TV_Mule\tbTV_1.dll (Conduit Ltd.)

IE - HKCU\..\URLSearchHook: {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll (Conduit Ltd.)

IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

 

========== FireFox ==========

 

FF - prefs.js..browser.search.defaultthis.engineName: "free-downloads.net Customized Web Search"

FF - prefs.js..browser.search.defaulturl: "{searchTerms - Suchen}"

FF - prefs.js..browser.search.selectedEngine: "free-downloads.net Customized Web Search"

FF - prefs.js..browser.startup.homepage: "Search"

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - prefs.js..extensions.enabledItems: paypalfirefoxplugin@orbiscom:2.2.15.0

FF - prefs.js..extensions.enabledItems: {4CFC8387-5FB1-47C1-8AA4-5B7B906A591E}:1.0

FF - prefs.js..extensions.enabledItems: {37964A3C-4EE8-47b1-8321-34DE2C39BA4D}:2.0.1.20

FF - prefs.js..extensions.enabledItems: {ecdee021-0d17-467f-a1ff-c7a115230949}:2.5.6.0

FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0

 

FF - HKLM\software\mozilla\Firefox\Extensions\\paypalfirefoxplugin@orbiscom: C:\Program Files\PayPal\PayPal Plug-In [2008.11.13 06:16:21 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010.03.11 01:16:06 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.17\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010.03.11 01:15:49 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.17\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010.03.11 01:16:16 | 000,000,000 | ---D | M]

 

[2008.12.12 00:25:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions

[2010.03.06 03:22:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xtv209is.default\extensions

[2009.10.02 23:33:46 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xtv209is.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2009.03.22 08:29:23 | 000,000,000 | ---D | M] (Спутник @Mail.Ru) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xtv209is.default\extensions\{37964A3C-4EE8-47b1-8321-34DE2C39BA4D}

[2010.02.25 00:06:09 | 000,000,000 | ---D | M] (free-downloads.net Toolbar) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xtv209is.default\extensions\{ecdee021-0d17-467f-a1ff-c7a115230949}

[2010.01.20 13:16:28 | 000,000,939 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xtv209is.default\searchplugins\conduit.xml

[2010.03.07 22:57:33 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

[2010.03.07 22:57:33 | 000,000,000 | ---D | M] (Wyeke) -- C:\Program Files\Mozilla Firefox\extensions\{4CFC8387-5FB1-47C1-8AA4-5B7B906A591E}

[2009.12.09 00:05:41 | 000,002,377 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wyeke127.xml

[2010.03.07 22:57:33 | 000,002,376 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wyeke139.xml

 

O1 HOSTS File: ([2010.03.13 02:08:17 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O2 - BHO: (PCCBHO.CPCCBHO) - {22FC6CE8-7D47-479F-B74A-BFBB04ADB9AF} - C:\Program Files\Winferno\PC Confidential\PCCBHO.dll (Capital Intellect Inc)

O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)

O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)

O2 - BHO: (MailRuBHO Class) - {8984B388-A5BB-4DF7-B274-77B879E179DB} - C:\Program Files\Mail.Ru\Sputnik\MailRuSputnik.dll (@Mail.Ru)

O2 - BHO: (greatbar23dec2009 Toolbar) - {a33fa729-d155-4b23-842b-2c665ecabdb6} - C:\Program Files\The_Pirate_Bay\tbThe1.dll (Conduit Ltd.)

O2 - BHO: (TV Nova Toolbar) - {ca9e4d90-1386-42f8-9f36-df74277aabc2} - C:\Program Files\TV_Mule\tbTV_1.dll (Conduit Ltd.)

O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)

O2 - BHO: (OToolbarHelper Class) - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll ()

O2 - BHO: (free-downloads.net Toolbar) - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll (Conduit Ltd.)

O2 - BHO: (XBTBPos00 Class) - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\My.Freeze.com Toolbar\freeze_sa_us.dll File not found

O3 - HKLM\..\Toolbar: (Ñïóòíèê@Mail.Ru) - {09900DE8-1DCA-443F-9243-26FF581438AF} - C:\Program Files\Mail.Ru\Sputnik\MailRuSputnik.dll (@Mail.Ru)

O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)

O3 - HKLM\..\Toolbar: (greatbar23dec2009 Toolbar) - {a33fa729-d155-4b23-842b-2c665ecabdb6} - C:\Program Files\The_Pirate_Bay\tbThe1.dll (Conduit Ltd.)

O3 - HKLM\..\Toolbar: (TV Nova Toolbar) - {ca9e4d90-1386-42f8-9f36-df74277aabc2} - C:\Program Files\TV_Mule\tbTV_1.dll (Conduit Ltd.)

O3 - HKLM\..\Toolbar: (PayPal Plug-In) - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll ()

O3 - HKLM\..\Toolbar: (free-downloads.net Toolbar) - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll (Conduit Ltd.)

O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O3 - HKCU\..\Toolbar\WebBrowser: (Ñïóòíèê@Mail.Ru) - {09900DE8-1DCA-443F-9243-26FF581438AF} - C:\Program Files\Mail.Ru\Sputnik\MailRuSputnik.dll (@Mail.Ru)

O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (greatbar23dec2009 Toolbar) - {A33FA729-D155-4B23-842B-2C665ECABDB6} - C:\Program Files\The_Pirate_Bay\tbThe1.dll (Conduit Ltd.)

O3 - HKCU\..\Toolbar\WebBrowser: (TV Nova Toolbar) - {CA9E4D90-1386-42F8-9F36-DF74277AABC2} - C:\Program Files\TV_Mule\tbTV_1.dll (Conduit Ltd.)

O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)

O4 - HKLM..\Run: [MAgent] C:\Program Files\Mail.Ru\Agent\MAgent.exe (Mail.Ru)

O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)

O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)

O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)

O4 - HKLM..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)

O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)

O4 - HKCU..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)

O4 - HKCU..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)

O4 - HKCU..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe (Webroot Software)

O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe ()

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Belkin Wireless G USB Adapter Client Utility.lnk = C:\Program Files\Belkin\F5D7050v5\Belkinwcui.exe (Belkin)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe (Hewlett-Packard Co.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe (Hewlett-Packard)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 36

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF FF [binary data]

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O8 - Extra context menu item: Íàéòè â èíòåðíåòå - C:\Program Files\Mail.Ru\Sputnik\MailRuSputnik.dll (@Mail.Ru)

O8 - Extra context menu item: Íàéòè â ñëîâàðÿõ - C:\Program Files\Mail.Ru\Sputnik\MailRuSputnik.dll (@Mail.Ru)

O9 - Extra Button: Отправка в блог - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : &Отправка в блог Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : PC Confidential - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe (Capital Intellect, Inc)

O9 - Extra Button: Mail.Ru Агент - {7558B7E5-7B26-4201-BEDB-00D5FF534523} - C:\Program Files\Mail.Ru\Agent\magent.exe (Mail.Ru)

O9 - Extra 'Tools' menuitem : Mail.Ru Агент - {7558B7E5-7B26-4201-BEDB-00D5FF534523} - C:\Program Files\Mail.Ru\Agent\magent.exe (Mail.Ru)

O9 - Extra Button: PC Confidential - {925DAB62-F9AC-4221-806A-057BFB1014AA} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe (Capital Intellect, Inc)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1210299458796 (WUWebControl Class)

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1210299513640 (MUWebControl Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 68.87.71.230 68.87.73.246

O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)

O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)

O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)

O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)

O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp

O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp

O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006.07.28 13:13:37 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2010.03.18 23:09:48 | 000,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ]

O32 - AutoRun File - [2009.05.20 08:12:16 | 000,000,000 | ---D | M] - E:\autorun -- [ FAT32 ]

O32 - AutoRun File - [2010.03.18 23:09:50 | 000,000,000 | RHSD | M] - E:\autorun.inf -- [ FAT32 ]

O32 - AutoRun File - [2006.12.11 16:03:59 | 000,000,277 | R--- | M] () - F:\autorun.inf -- [ CDFS ]

O32 - AutoRun File - [2010.03.18 23:09:50 | 000,000,000 | RHSD | M] - G:\autorun.inf -- [ FAT ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

 

NetSvcs: 6to4 - File not found

NetSvcs: Ias - C:\WINDOWS\system32\ias [2006.07.28 13:13:02 | 000,000,000 | ---D | M]

NetSvcs: Iprip - File not found

NetSvcs: Irmon - File not found

NetSvcs: NWCWorkstation - File not found

NetSvcs: Nwsapagent - File not found

NetSvcs: WmdmPmSp - File not found

 

MsConfig - State: "system.ini" - 0

MsConfig - State: "win.ini" - 0

MsConfig - State: "bootini" - 0

MsConfig - State: "services" - 0

MsConfig - State: "startup" - 0

 

CREATERESTOREPOINT

Restore point Set: OTL Restore Point (16891891626803200)

 

========== Files/Folders - Created Within 30 Days ==========

Posted

========== Files/Folders - Created Within 30 Days ==========

 

[2010.03.18 23:17:22 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe

[2010.03.18 23:09:48 | 000,000,000 | RHSD | C] -- C:\autorun.inf

[2010.03.15 14:06:18 | 000,000,000 | -HSD | C] -- C:\RECYCLER

[2010.03.13 01:55:11 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump

[2010.03.11 01:14:50 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\xing shared

[2010.03.11 00:47:15 | 003,558,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\moviemk.exe

[2010.03.10 14:17:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Estsoft

[2010.03.10 14:16:21 | 000,000,000 | ---D | C] -- C:\Program Files\ESTsoft

[2010.03.10 14:16:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\ESTsoft

[2010.03.10 01:06:49 | 000,000,000 | RHSD | C] -- C:\cmdcons

[2010.03.10 01:05:23 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2010.03.10 01:05:23 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2010.03.10 01:05:23 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2010.03.10 01:05:23 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2010.03.10 01:04:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2010.03.10 00:48:28 | 000,000,000 | ---D | C] -- C:\Qoobox

[2010.03.07 01:36:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage

[2010.03.07 01:36:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Office Genuine Advantage

[2010.03.06 00:58:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-TW

[2010.03.06 00:58:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-HK

[2010.03.06 00:58:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\tr-TR

[2010.03.06 00:58:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\sv-SE

[2010.03.06 00:58:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\pt-BR

[2010.03.06 00:58:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\nl-NL

[2010.03.06 00:58:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\nb-NO

[2010.03.06 00:58:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ko-KR

[2010.03.06 00:58:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\it-IT

[2010.03.06 00:58:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\he-IL

[2010.03.06 00:58:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\fr-FR

[2010.03.06 00:58:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\fi-FI

[2010.03.06 00:58:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\es-ES

[2010.03.06 00:58:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\el-GR

[2010.03.06 00:58:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\de-DE

[2010.03.06 00:58:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\da-DK

[2010.03.06 00:58:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ar-SA

[2010.03.05 00:53:35 | 000,000,000 | ---D | C] -- C:\Program Files\25 Кадр

[2010.02.28 01:30:01 | 000,000,000 | ---D | C] -- C:\Program Files\stitch_color

[2010.02.28 01:09:53 | 000,286,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\Setup1.exe

[2010.02.28 01:09:52 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\ST6UNST.EXE

[2010.02.28 00:47:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\RyijyApp

[2010.02.28 00:46:52 | 000,000,000 | ---D | C] -- C:\Program Files\Ryijy Stitch Designer

[2010.02.28 00:34:30 | 000,165,888 | ---- | C] (Kenonic Controls) -- C:\WINDOWS\Ckconfig.exe

[2010.02.28 00:34:30 | 000,052,224 | ---- | C] (Kenonic Controls Ltd.) -- C:\WINDOWS\System32\Crypserv.exe

[2010.02.28 00:34:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\PM Patterns

[2010.02.28 00:34:18 | 000,000,000 | ---D | C] -- C:\Program Files\HobbyWare

[2010.02.28 00:33:37 | 000,000,000 | ---D | C] -- C:\WINDOWS\Downloaded Installations

[2010.02.25 00:17:13 | 000,212,480 | ---- | C] (Eastman Kodak) -- C:\WINDOWS\System32\pcdlib32.dll

[2010.02.25 00:17:10 | 000,000,000 | ---D | C] -- C:\Program Files\STOIK

[2010.02.25 00:16:23 | 000,327,168 | ---- | C] (InstallShield Software Corporation) -- C:\WINDOWS\IsUn0419.exe

[2010.02.25 00:06:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\free-downloads.net

[2010.02.25 00:06:10 | 000,000,000 | ---D | C] -- C:\Program Files\free-downloads.net

[2010.02.25 00:05:44 | 000,000,000 | ---D | C] -- C:\Program Files\Alcohol Soft

[2010.02.25 00:02:37 | 000,691,696 | ---- | C] (Duplex Secure Ltd.) -- C:\WINDOWS\System32\drivers\sptd.sys

[2010.02.24 23:29:26 | 000,000,000 | ---D | C] -- C:\Program Files\eMule

[2010.01.20 02:13:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft

[2009.12.04 21:13:31 | 000,057,344 | ---- | C] ( ) -- C:\WINDOWS\System32\vsnpstd3.dll

[2009.12.04 21:13:31 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\csnpstd3.dll

[2009.11.19 02:39:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Xobni

[2008.10.28 05:20:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia

[2008.10.28 05:20:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe

[2008.10.09 09:15:33 | 022,404,904 | ---- | C] (Skype Technologies S.A.) -- C:\Program Files\SkypeSetup.exe

[2008.10.08 17:08:08 | 005,047,800 | ---- | C] (Mail.Ru) -- C:\Program Files\magentsetup.exe

[2008.05.08 22:58:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft

[2008.05.08 21:29:23 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft

[2006.07.28 13:13:28 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

 

========== Files - Modified Within 30 Days ==========

 

[2010.03.18 23:17:26 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe

[2010.03.18 23:14:08 | 000,000,434 | ---- | M] () -- C:\WINDOWS\tasks\RegPowerClean.job

[2010.03.18 23:14:07 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010.03.18 23:14:05 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job

[2010.03.18 23:14:04 | 000,000,420 | ---- | M] () -- C:\WINDOWS\tasks\RPCReminder.job

[2010.03.18 23:14:04 | 000,000,294 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-3105199670-2300768646-1652051771-500.job

[2010.03.18 23:14:00 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010.03.18 23:13:53 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010.03.18 23:13:07 | 005,505,024 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT

[2010.03.18 23:13:07 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini

[2010.03.18 23:07:23 | 000,132,597 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Flash_Disinfector.exe

[2010.03.18 22:57:00 | 000,001,056 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3105199670-2300768646-1652051771-500UA.job

[2010.03.18 22:57:00 | 000,001,004 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3105199670-2300768646-1652051771-500Core.job

[2010.03.18 14:59:47 | 000,002,344 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Google Chrome.lnk

[2010.03.18 14:18:03 | 000,002,257 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk

[2010.03.15 00:00:50 | 000,000,302 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-3105199670-2300768646-1652051771-500.job

[2010.03.14 23:52:11 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini

[2010.03.14 23:44:30 | 003,889,756 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

[2010.03.14 23:41:20 | 000,013,184 | -HS- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\w3gXo856Mln

[2010.03.14 23:28:05 | 000,512,784 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2010.03.14 23:28:05 | 000,435,260 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2010.03.14 23:28:05 | 000,068,156 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2010.03.13 02:08:17 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2010.03.12 23:52:48 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\4etrb7jr.exe

[2010.03.12 23:51:43 | 000,000,525 | ---- | M] () -- C:\hpfr3420.xml

[2010.03.12 23:46:52 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Microsoft Office Word 2003.lnk

[2010.03.12 23:41:57 | 000,000,204 | ---- | M] () -- C:\Documents and Settings\Administrator\defogger_reenable

[2010.03.12 23:39:33 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Defogger.exe

[2010.03.12 01:50:09 | 000,000,019 | ---- | M] () -- C:\.systemPath

[2010.03.12 01:50:08 | 000,001,591 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\English 1 (U.S.) Sample.lnk

[2010.03.12 01:30:46 | 000,000,160 | ---- | M] () -- C:\Documents and Settings\Administrator\default.pls

[2010.03.12 01:29:00 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini

[2010.03.11 02:15:10 | 000,000,658 | ---- | M] () -- C:\WINDOWS\win.ini

[2010.03.11 01:16:07 | 000,000,747 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\RealPlayer SP.lnk

[2010.03.11 01:15:48 | 000,185,920 | ---- | M] (RealNetworks, Inc.) -- C:\WINDOWS\System32\rmoc3260.dll

[2010.03.11 01:15:18 | 000,006,656 | ---- | M] (RealNetworks, Inc.) -- C:\WINDOWS\System32\pndx5016.dll

[2010.03.11 01:15:18 | 000,005,632 | ---- | M] (RealNetworks, Inc.) -- C:\WINDOWS\System32\pndx5032.dll

[2010.03.11 01:14:07 | 000,278,528 | ---- | M] (Real Networks, Inc) -- C:\WINDOWS\System32\pncrt.dll

[2010.03.10 14:16:24 | 000,000,702 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\ALZip.lnk

[2010.03.10 01:06:57 | 000,000,281 | RHS- | M] () -- C:\boot.ini

[2010.03.07 22:03:15 | 000,000,110 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\ax_files.xml

[2010.03.06 02:48:18 | 000,014,476 | -HS- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\05rTajk

[2010.03.06 01:29:41 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Ryijy Designer.lnk

[2010.03.05 01:46:50 | 000,000,376 | ---- | M] () -- C:\WINDOWS\ODBC.INI

[2010.03.05 01:23:56 | 000,092,160 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010.03.05 01:20:27 | 000,048,488 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

[2010.03.05 01:15:43 | 000,000,694 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to Stitch20.exe.lnk

[2010.03.05 00:53:50 | 000,000,618 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\25 Кадр.lnk

[2010.03.05 00:48:24 | 000,215,264 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2010.03.05 00:45:22 | 000,001,680 | ---- | M] () -- C:\WINDOWS\System32\esnecil.ind

[2010.03.01 00:58:50 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn

[2010.03.01 00:58:50 | 000,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for

[2010.02.28 01:29:47 | 000,286,720 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Setup1.exe

[2010.02.28 01:29:46 | 000,073,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ST6UNST.EXE

[2010.02.28 00:34:45 | 000,001,680 | ---- | M] () -- C:\WINDOWS\System32\esnecil.nlp

[2010.02.28 00:34:33 | 000,000,085 | ---- | M] () -- C:\WINDOWS\Crypkey.ini

[2010.02.25 00:05:57 | 000,000,833 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Alcohol 120%.lnk

[2010.02.25 00:02:37 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) -- C:\WINDOWS\System32\drivers\sptd.sys

[2010.02.24 23:29:44 | 000,000,638 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\eMule.lnk

[2010.02.24 14:44:42 | 002,198,016 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\pis'mo v Evercare 19.01.10.doc

[2010.02.24 01:20:12 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

 

========== Files Created - No Company Name ==========

 

[2010.03.18 23:11:14 | 000,132,597 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Flash_Disinfector.exe

[2010.03.14 23:39:31 | 000,013,184 | -HS- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\w3gXo856Mln

[2010.03.12 23:52:45 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\4etrb7jr.exe

[2010.03.12 23:41:43 | 000,000,204 | ---- | C] () -- C:\Documents and Settings\Administrator\defogger_reenable

[2010.03.12 23:39:31 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Defogger.exe

[2010.03.12 01:50:09 | 000,000,019 | ---- | C] () -- C:\.systemPath

[2010.03.11 01:16:09 | 000,000,294 | ---- | C] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-3105199670-2300768646-1652051771-500.job

[2010.03.11 01:16:08 | 000,000,302 | ---- | C] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-3105199670-2300768646-1652051771-500.job

[2010.03.11 01:16:07 | 000,000,747 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\RealPlayer SP.lnk

[2010.03.10 14:16:24 | 000,000,702 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\ALZip.lnk

[2010.03.10 01:06:56 | 000,000,211 | ---- | C] () -- C:\Boot.bak

[2010.03.10 01:06:53 | 000,260,272 | ---- | C] () -- C:\cmldr

[2010.03.10 01:05:23 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2010.03.10 01:05:23 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2010.03.10 01:05:23 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2010.03.10 01:05:23 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2010.03.10 01:05:23 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2010.03.08 23:21:01 | 003,889,756 | R--- | C] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

[2010.03.06 00:58:04 | 000,000,236 | ---- | C] () -- C:\WINDOWS\tasks\OGALogon.job

[2010.03.05 02:28:12 | 000,014,476 | -HS- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\05rTajk

[2010.03.05 01:15:43 | 000,000,694 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to Stitch20.exe.lnk

[2010.03.05 00:53:50 | 000,000,618 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\25 Кадр.lnk

[2010.03.01 00:58:50 | 000,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn

[2010.03.01 00:58:50 | 000,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for

[2010.02.28 00:46:53 | 000,002,473 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Ryijy Designer.lnk

[2010.02.28 00:34:45 | 000,001,680 | ---- | C] () -- C:\WINDOWS\System32\esnecil.nlp

[2010.02.28 00:34:45 | 000,001,680 | ---- | C] () -- C:\WINDOWS\System32\esnecil.ind

[2010.02.28 00:34:33 | 000,000,085 | ---- | C] () -- C:\WINDOWS\Crypkey.ini

[2010.02.28 00:34:30 | 000,027,648 | R--- | C] () -- C:\WINDOWS\Setup_ck.exe

[2010.02.28 00:34:30 | 000,024,608 | ---- | C] () -- C:\WINDOWS\System32\Ckldrv.sys

[2010.02.28 00:34:30 | 000,018,432 | ---- | C] () -- C:\WINDOWS\Setup_ck.dll

[2010.02.28 00:34:30 | 000,011,776 | ---- | C] () -- C:\WINDOWS\Ckrfresh.exe

[2010.02.25 03:02:09 | 000,000,110 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\ax_files.xml

[2010.02.25 00:05:57 | 000,000,833 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Alcohol 120%.lnk

[2010.02.24 23:29:44 | 000,000,638 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\eMule.lnk

[2010.02.24 14:44:34 | 002,198,016 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\pis'mo v Evercare 19.01.10.doc

[2009.12.07 01:46:23 | 000,000,140 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\xobni_installer_updater.log

[2009.12.04 21:13:31 | 000,015,478 | ---- | C] () -- C:\WINDOWS\snpstd3.ini

[2009.11.06 23:32:59 | 000,000,032 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\xobni_installer_updater.log

[2009.10.29 13:53:13 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\MFC_InstDrvDLL.dll

[2009.10.02 14:07:02 | 000,009,600 | ---- | C] () -- C:\WINDOWS\System32\drivers\ISODisk.sys

[2009.09.15 15:36:38 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\jmam.dll

[2009.09.15 15:36:38 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\jmfjawt.dll

[2009.09.15 15:36:37 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\jmutil.dll

[2009.08.03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll

[2009.06.24 10:53:01 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2009.05.15 10:20:53 | 000,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI

[2009.03.20 20:52:49 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI

[2008.11.12 00:46:03 | 000,005,876 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\log.txt

[2008.10.09 06:05:14 | 000,092,160 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2008.10.09 02:23:35 | 001,975,910 | ---- | C] () -- C:\Program Files\sbsetup.exe

[2008.10.08 23:41:54 | 000,013,768 | ---- | C] () -- C:\WINDOWS\System32\drivers\string.ini

[2008.10.08 23:36:58 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...