Several malware and virus removed, Windows doesn't work well in normal mode

Solved
By evilcaterpillar
Feb 9, 2012
  1. Hi there,
    I hope you can help me with this problem.

    While I was online a popup window appeared offering me an antivirus. I closed the window and after that my PC was really slow. Sadly, I didn't find this site before and followed a friend's instructions, and now I'm having problems with Windows in normal mode.

    Ran Antispyware and found this:
    -Trojan.Agent/Gen-SSHNAS
    -Malware.Trace
    -Disabled.SecurityCenterOption
    -Several Tracking Cookies
    -Trojan.Agent/Gen-FakeAlert[Local]
    -Trojan.Agent/Gen-Pixler
    -Trojan.Agent/Gen-Koobface[Bonkers]
    -Trojan.Agent/Gen-Backdoor
    -Trojan.Agent/Gen-Falcomp[Cont]

    Ran Spybot S&D and found this:
    -BraveSentry
    -Win32.Agent.ieu
    -Microsoft Windows Security Center Disabled
    -WildTangent

    Now, when I try to start Windows in normal mode, a command prompt window appears every second; the window closes too fast and I cannot see the message. I'm currently running Windows in safe mode with networking.

    I own a Compaq laptop with an AMD Turion 64 Mobile processor and 1Mb RAM, running Windows XP Home Edition version 2002, Service Pack 3.
    I know it's an old laptop, but it's mostly used for web browsing, spreadsheets and some design software.

    Hope you can help me.
    Regards in advance.

    Carlos
  2. Broni

    Broni Malware Annihilator Posts: 45,279   +243

    Welcome aboard

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
  3. evilcaterpillar

    evilcaterpillar Newcomer, in training Topic Starter Posts: 57

    Thanks bro,
    Just one question to be sure: do all these steps need to be done in normal mode? Do the messages not matter?

    Carlos
  4. Broni

    Broni Malware Annihilator Posts: 45,279   +243

    If normal mode is not usable, use safe mode.
  5. evilcaterpillar

    evilcaterpillar Newcomer, in training Topic Starter Posts: 57

    Hi Broni,
    I've done all the scans; you will find the logs in the following posts.

    Something is happening when I start Windows in normal mode: the hardware installation wizard pops up asking for a driver for an unknown device. Every time, I've closed the wizard without installing anything. At the same time there is a window, C-motech RDEVCHG, with the message "Run time device change".
    I don't know if this is important; tell me if I have to do something additional for these messages.

    Thanks in advance
    Carlos
  6. Broni

    Broni Malware Annihilator Posts: 45,279   +243

    We'll check it out....
  7. evilcaterpillar

    evilcaterpillar Newcomer, in training Topic Starter Posts: 57

    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.02.09.08

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    carlos :: YOUR-4105E587B6 [administrator]

    09/02/2012 19:47:30
    mbam-log-2012-02-09 (19-47-30).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 200437
    Time elapsed: 33 minute(s), 25 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 1
    C:\Program Files\StartSearch plugin\ssBarLcher.dll (PUP.VShareRedir) -> Delete on reboot.

    Registry Keys Detected: 15
    HKCR\CLSID\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) -> Quarantined and deleted successfully.
    HKCR\TypeLib\{BB7256DD-EBA9-480B-8441-A00388C2BEC3} (PUP.VShareRedir) -> Quarantined and deleted successfully.
    HKCR\Interface\{3D782BB2-F2A5-11D3-BF4C-000000000000} (PUP.VShareRedir) -> Quarantined and deleted successfully.
    HKCR\MyNewsBarLauncher.IE5BarLauncherBHO.1 (PUP.VShareRedir) -> Quarantined and deleted successfully.
    HKCR\MyNewsBarLauncher.IE5BarLauncherBHO (PUP.VShareRedir) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) -> Quarantined and deleted successfully.
    HKCR\CLSID\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) -> Quarantined and deleted successfully.
    HKCR\MyNewsBarLauncher.IE5BarLauncher.1 (PUP.VShareRedir) -> Quarantined and deleted successfully.
    HKCR\MyNewsBarLauncher.IE5BarLauncher (PUP.VShareRedir) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Videocan (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\mdhcp32 (Trojan.Winlogon) -> Quarantined and deleted successfully.

    Registry Values Detected: 2
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) -> Data: StartSearchTB -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) -> Data: -> Quarantined and deleted successfully.

    Registry Data Items Detected: 3
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (Hijack.StartPage) -> Bad: (http://startsear.ch/?aff=2&cf=06bca87a-2e5e-11e1-81bc-0014a5746f9d) Good: (http://www.google.com) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\guser.YOUR-4105E587B6\kkg.exe \s) Good: (Userinit.exe) -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 6
    C:\Program Files\StartSearch plugin\ssBarLcher.dll (PUP.VShareRedir) -> Delete on reboot.
    C:\Documents and Settings\carlos\Application Data\Desktopicon\eBayShortcuts.exe (Adware.ADON) -> Quarantined and deleted successfully.
    c:\documents and settings\carlos\local settings\temp\05a24437.tmp (Backdoor.IRCBot) -> Quarantined and deleted successfully.
    c:\documents and settings\carlos\local settings\temp\led.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    c:\documents and settings\carlos\local settings\temp\lss.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\crt.dat (Malware.Trace) -> Quarantined and deleted successfully.

    (end)
  8. evilcaterpillar

    evilcaterpillar Newcomer, in training Topic Starter Posts: 57

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-02-10 13:07:13
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 FUJITSU_MHV2080AT_PL rev.008300A1
    Running: 50tjg7cq.exe; Driver: C:\DOCUME~1\carlos\LOCALS~1\Temp\kfnyyaoc.sys


    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xEB0812DB]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xEB0812EF]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xEB08131B]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xEB0812C7]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xEB081305]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xEB081331]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xEB081347]

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)

    ---- EOF - GMER 1.0.15 ----
  9. evilcaterpillar

    evilcaterpillar Newcomer, in training Topic Starter Posts: 57

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
    Run by carlos at 13:38:47 on 2012-02-10
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.52.1033.18.894.393 [GMT -6:00]
    .
    AV: McAfee VirusScan Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Microsoft\BingBar\SeaPort.EXE
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\HP\QuickPlay\QPService.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
    C:\Program Files\IUSACELL\CDU680DORA\BIN\RDVCHG.EXE
    C:\Program Files\AutoTask\AutoTask.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Bar = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uStart Page = about:blank
    mStart Page = hxxp://www.google.com
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mWinlogon: Userinit=Userinit.exe,
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\adobe acrobat 7.0\activex\AcroIEHelper.dll
    BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
    BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: Yahoo! IE Suggest: {5a263cf7-56a6-4d68-a8cf-345be45bc911} - c:\program files\yahoo!\search\YSearchSuggest.dll
    BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
    BHO: Windows Live Aplicación auxiliar de inicio de sesión: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
    BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
    TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
    TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [Aim6]
    mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
    mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
    mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
    mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
    mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
    mRun: [Adobe Version Cue CS2] "c:\program files\adobe\adobe version cue cs2\controlpanel\VersionCueCS2Tray.exe"
    mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\adobe acrobat 7.0\distillr\Acrotray.exe"
    mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
    mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
    mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [PCSuiteTrayApplication] c:\progra~1\nokia\nokiap~1\LAUNCH~1.EXE -startup
    mRun: [IUSACELL_CDU680] c:\program files\iusacell\cdu680dora\bin\RDVCHG.EXE
    mRun: [AutoTask] "c:\program files\autotask\AutoTask.exe" /STARTUP
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10e.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\inicio~1.lnk - c:\windows\installer\{ac76ba86-1034-4700-7760-100000000002}\SC_Acrobat.exe
    IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
    DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {D1792F99-AA90-4D46-8B73-2CE45DADDD3C} - hxxp://www.web-a-file.com/webafiledownloader.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: dimsntfy32 - dimsntfy32.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\carlos\application data\mozilla\firefox\profiles\m67w9brq.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://startsear.ch/?aff=2&src=sp&cf=06bca87a-2e5e-11e1-81bc-0014a5746f9d&q=
    FF - plugin: c:\documents and settings\carlos\application data\electronic arts\game face\npGameFacePlugin.dll
    FF - plugin: c:\documents and settings\carlos\application data\facebook\npfbplugin_1_0_0.dll
    FF - plugin: c:\documents and settings\carlos\application data\facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\documents and settings\carlos\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
    FF - plugin: c:\program files\adobe\adobe acrobat 7.0\acrobat\browser\nppdf32.dll
    FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npvsharetvplg.dll
    FF - plugin: c:\program files\veetle\player\npvlc.dll
    FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    P2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2006-11-30 144960]
    R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
    R2 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\SeaPort.EXE [2011-6-15 249648]
    R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2007-11-25 104000]
    R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2006-11-30 54872]
    R2 PEEK5;PEEK Driver v4.5;c:\windows\system32\drivers\PEEK5.SYS [2009-11-20 13184]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-10-12 24652]
    R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-8-22 231424]
    R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-11-25 72264]
    R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-11-25 34152]
    R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-11-25 168776]
    S2 gupdate;Servicio de actualización de Google (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-29 135664]
    S2 Programador de LiveUpdate automático;Programador de LiveUpdate automático;c:\program files\symantec\liveupdate\AluSchedulerSvc.exe [2007-8-31 243064]
    S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-7-7 195336]
    S3 cmusbser;%CMUSBSER%;c:\windows\system32\drivers\cmusbser.sys [2009-5-22 87040]
    S3 gupdatem;Google Update Servicio (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-4-29 135664]
    S3 k510bus;Sony Ericsson K510 Driver driver (WDM);c:\windows\system32\drivers\k510bus.sys [2006-11-17 58288]
    S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;c:\windows\system32\drivers\k510mdfl.sys [2006-11-17 8336]
    S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;c:\windows\system32\drivers\k510mdm.sys [2006-11-17 94064]
    S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\k510mgmt.sys [2006-11-17 85408]
    S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;c:\windows\system32\drivers\k510obex.sys [2006-11-17 83344]
    S3 SNPP106;PC Camera (6029 CIF);c:\windows\system32\drivers\snpp106.sys [2006-5-13 239488]
    .
    =============== Created Last 30 ================
    .
    2012-02-10 18:57:31 839 ----a-w- c:\documents and settings\all users\application data\aatpaaa.tmp
    2012-02-10 18:57:31 803 ----a-w- c:\documents and settings\all users\application data\wzspaaa.tmp
    2012-02-10 01:50:56 869 ----a-w- c:\documents and settings\all users\application data\nmrpaaa.tmp
    2012-02-10 01:50:40 873 ----a-w- c:\documents and settings\all users\application data\omrpaaa.tmp
    2012-02-10 01:50:06 804 ----a-w- c:\documents and settings\all users\application data\qmrpaaa.tmp
    2012-02-10 01:45:23 -------- d-----w- c:\documents and settings\carlos\application data\Malwarebytes
    2012-02-10 01:43:59 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2012-02-10 01:43:54 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-02-10 01:43:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-02-10 01:29:14 815 ----a-w- c:\documents and settings\all users\application data\mmrpaaa.tmp
    2012-02-09 23:59:14 890 ----a-w- c:\documents and settings\all users\application data\zpfoaaa.tmp
    2012-02-09 23:59:05 892 ----a-w- c:\documents and settings\all users\application data\xpfoaaa.tmp
    2012-02-04 05:14:41 842 ----a-w- c:\documents and settings\all users\application data\erjqaaa.tmp
    2012-02-04 05:14:40 862 ----a-w- c:\documents and settings\all users\application data\crjqaaa.tmp
    2012-02-04 05:11:46 792 ----a-w- c:\documents and settings\all users\application data\drjqaaa.tmp
    2012-02-03 01:56:16 835 ----a-w- c:\documents and settings\all users\application data\oelqaaa.tmp
    2012-02-03 01:42:43 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2012-02-03 01:42:43 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
    2012-02-03 00:02:49 859 ----a-w- c:\documents and settings\all users\application data\kfoqaaa.tmp
    2012-02-03 00:02:49 845 ----a-w- c:\documents and settings\all users\application data\ifoqaaa.tmp
    2012-02-03 00:02:49 811 ----a-w- c:\documents and settings\all users\application data\jfoqaaa.tmp
    2012-02-03 00:00:34 836 ----a-w- c:\documents and settings\all users\application data\hfoqaaa.tmp
    2012-02-02 23:23:09 868 ----a-w- c:\documents and settings\all users\application data\asmqaaa.tmp
    2012-02-02 23:23:09 846 ----a-w- c:\documents and settings\all users\application data\xrmqaaa.tmp
    2012-02-02 23:21:01 852 ----a-w- c:\documents and settings\all users\application data\zrmqaaa.tmp
    2012-02-02 23:19:04 839 ----a-w- c:\documents and settings\all users\application data\yrmqaaa.tmp
    2012-02-02 22:51:34 830 ----a-w- c:\documents and settings\all users\application data\wrmqaaa.tmp
    2012-01-20 00:39:02 19416 ----a-w- c:\program files\mozilla firefox\AccessibleMarshal.dll
    2012-01-20 00:39:01 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
    2012-01-20 00:39:01 125912 ----a-w- c:\program files\mozilla firefox\crashreporter.exe
    2012-01-20 00:39:01 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2012-01-20 00:39:00 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
    .
    ==================== Find3M ====================
    .
    2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-18 12:35:08 60416 ----a-w- c:\windows\system32\packager.exe
    2011-11-16 14:21:44 354816 ----a-w- c:\windows\system32\winhttp.dll
    2011-11-16 14:21:44 152064 ----a-w- c:\windows\system32\schannel.dll
    2011-11-15 23:28:29 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2010-02-27 00:53:30 2110728 ----a-w- c:\program files\Install_Facebook_Plug-In_1.0.3.exe
    .
    ============= FINISH: 13:41:36.35 ===============
  10. evilcaterpillar

    evilcaterpillar Newcomer, in training Topic Starter Posts: 57

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 29/04/2006 20:36:47
    System Uptime: 10/02/2012 13:31:58 (0 hours ago)
    .
    Motherboard: Hewlett-Packard | | 30AE
    Processor: AMD Turion(tm) 64 Mobile Technology ML-32 | U23 | 1794/mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 67 GiB total, 14.233 GiB free.
    D: is FIXED (FAT32) - 7 GiB total, 0.831 GiB free.
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP1: 31/01/2012 19:15:20 - System Checkpoint
    RP2: 31/01/2012 20:25:17 - Software Distribution Service 3.0
    RP3: 02/02/2012 13:00:11 - Software Distribution Service 3.0
    RP4: 02/02/2012 16:17:42 - Software Distribution Service 3.0
    RP5: 02/02/2012 17:18:30 - Software Distribution Service 3.0
    RP6: 02/02/2012 18:28:07 - Software Distribution Service 3.0
    RP7: 02/02/2012 19:50:42 - Software Distribution Service 3.0
    RP8: 03/02/2012 23:24:06 - System Checkpoint
    RP9: 09/02/2012 14:56:40 - Software Distribution Service 3.0
    RP10: 10/02/2012 12:16:41 - Software Distribution Service 3.0
    .
    ==== Installed Programs ======================
    .
    .
    32 Bit HP CIO Components Installer
    Adobe Acrobat 7.0 Professional - Español, Italiano, Português
    Adobe Bridge 1.0
    Adobe Common File Installer
    Adobe Creative Suite 2
    Adobe Download Manager
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe GoLive CS2
    Adobe Help Center 1.0
    Adobe Illustrator CS2
    Adobe InDesign CS2
    Adobe Photoshop CS2
    Adobe Shockwave Player
    Adobe Stock Photos 1.0
    Adobe SVG Viewer 3.0
    Adobe Version Cue CS2
    AIM 6
    AIO_Scan
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Athlon 64 Processor Driver
    ATI Display Driver
    aTube Catcher 1.0
    Audio MP3 Editor 2.20
    Banda Ancha Móvil (CDU680DORA)
    Bing Bar
    Bonjour
    BufferChm
    Canon MP Navigator 2.0
    Canon MP150
    Canon Utilities Easy-PhotoPrint
    Compatibility Pack for the 2007 Office system
    Conexant AC-Link Audio
    CP_AtenaShokunin1Config
    CP_CalendarTemplates1
    cp_LightScribeConfig
    cp_OnlineProjectsConfig
    CP_Package_Basic1
    CP_Package_Variety1
    CP_Package_Variety2
    CP_Package_Variety3
    CP_Panorama1Config
    cp_PosterPrintConfig
    cp_UpdateProjectsConfig
    Critical Update for Windows Media Player 11 (KB959772)
    CueTour
    Customer Experience Enhancement
    Destinations
    DeviceManagementQFolder
    DivX Converter
    DivX Setup
    DJ_AIO_Software_min
    EA SPORTS Game Face Browser Plugin 1.5.2.0
    EA SPORTS Gameface Browser Plugin 1.3.1.0
    Easy Internet Sign-up
    Facebook Plug-In
    FlashGet 1.9.2.1028
    FullDPAppQFolder
    Galería fotográfica de Windows Live
    Google Toolbar for Internet Explorer
    Google Update Helper
    Herramienta de carga de Windows Live
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB2633952)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB954708)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP DVD Play 2.0
    HP Help and Support
    HP Imaging Device Functions 6.0
    HP Photosmart Premier Software 6.0
    HP Software Update
    HP User Guides--System Recovery
    HP User Guides 0025
    HP Wireless Assistant 2.00 C1
    HpSdpAppCoreApp
    InstantShareDevices
    iTunes
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 6
    Java Auto Updater
    Java(TM) 6 Update 2
    Java(TM) 6 Update 22
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Java(TM) SE Runtime Environment 6 Update 1
    Junk Mail filter update
    Knots3D
    Lemonade Tycoon 2
    LightScribe 1.4.62.1
    LiveUpdate (Symantec Corporation)
    LiveUpdate Notice (Symantec Corporation)
    LiveVDO plugin 1.3
    Macromedia Dreamweaver 8
    Macromedia Extension Manager
    Macromedia Fireworks 8
    Macromedia Flash 8
    Macromedia Flash 8 Video Encoder
    Malwarebytes Anti-Malware version 1.60.1.1000
    McAfee VirusScan Enterprise
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2656353)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 97 Professional
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    Monopoly Tycoon
    Monopoly Tycoon v1.4 Patch
    Mozilla Firefox 9.0.1 (x86 es-AR)
    MSN
    MSVCRT
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML4 Parser
    Music Rescue 3.1
    muvee autoProducer 4.5
    Nokia Connectivity Cable Driver
    Nokia Lifeblog 2.1
    Nokia MTP driver
    Nokia N73 highlights
    Nokia Nseries Skin for Microsoft Windows Media Player
    Nokia PC Connectivity Solution
    Nokia PC Suite
    Nokia themes for your device
    Office 2003 Trial Assistant
    OmniPage SE
    OptionalContentQFolder
    Panel de Control de ATI
    PC Camera (6029 CIF)
    PhotoGallery
    Polar Bowler from Big Fish Games (remove only)
    Quick Launch Buttons 5.20 F2
    Quicken 2006
    QuickTime
    RandMap
    Real Alternative 1.9.0
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2584146)
    Security Update for Windows XP (KB2585542)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2598479)
    Security Update for Windows XP (KB2603381)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2619339)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2631813)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2639417)
    Security Update for Windows XP (KB2646524)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Segoe UI
    SkinsHP1
    Soft Data Fax Modem with SmartCP
    Sonic Audio Module
    Sonic Copy Module
    Sonic Data Module
    Sonic Express Labeler
    Sonic MyDVD Plus
    Sonic Update Manager
    Sonic_PrimoSDK
    Star Wars Galactic Battlegrounds: Saga
    Subtitle Workshop 2.51
    Suite Specific
    Synaptics Pointing Device Driver
    Texas Instruments PCIxx21/x515/xx12 drivers.
    TIPCI
    Toshiba AutoTask
    TourSetup
    Unity Web Player
    Unload
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB973874)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VC80CRTRedist - 8.0.50727.4053
    Veetle TV 0.9.18
    Viewpoint Media Player
    WebFldrs XP
    Winamp
    Windows Driver Package - Nokia Modem (04/06/2006 6.8.0.17)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live Asistente para el inicio de sesión
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live Sync
    Windows Live Writer
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    WinRAR archiver
    Wireless Home Network Setup
    Yahoo! Browser Services
    Yahoo! IE Search Suggest
    Yahoo! Install Manager
    Yahoo! Internet Mail
    Yahoo! Messenger
    .
    ==== Event Viewer Messages From Past Week ========
    .
    10/02/2012 13:33:09, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Programador de LiveUpdate automático service to connect.
    10/02/2012 13:33:09, error: Service Control Manager [7000] - The Programador de LiveUpdate automático service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    10/02/2012 13:11:06, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Programador de LiveUpdate automático service to connect.
    10/02/2012 13:11:06, error: Service Control Manager [7000] - The Programador de LiveUpdate automático service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    10/02/2012 12:59:38, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Programador de LiveUpdate automático service to connect.
    10/02/2012 12:59:38, error: Service Control Manager [7000] - The Programador de LiveUpdate automático service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    09/02/2012 20:35:46, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AliIde IntelIde Pcmcia ViaIde
    09/02/2012 20:32:49, error: Service Control Manager [7000] - The Programador de LiveUpdate automático service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    09/02/2012 20:32:48, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Programador de LiveUpdate automático service to connect.
    09/02/2012 19:20:12, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the LiveUpdate service to connect.
    09/02/2012 19:19:48, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service LiveUpdate with arguments "" in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}
    09/02/2012 19:09:23, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the ServiceLayer service to connect.
    09/02/2012 19:09:23, error: Service Control Manager [7000] - The ServiceLayer service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    09/02/2012 19:09:21, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service ServiceLayer with arguments "" in order to run the server: {ACF50018-41F8-476D-85FD-CD953DAE4A49}
    09/02/2012 19:08:53, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
    09/02/2012 19:08:53, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    09/02/2012 19:05:03, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Programador de LiveUpdate automático service to connect.
    09/02/2012 19:05:03, error: Service Control Manager [7000] - The Programador de LiveUpdate automático service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    09/02/2012 18:50:41, error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 1 time(s).
    09/02/2012 18:11:17, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Programador de LiveUpdate automático service to connect.
    09/02/2012 18:11:17, error: Service Control Manager [7000] - The Programador de LiveUpdate automático service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    09/02/2012 18:00:59, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    09/02/2012 18:00:49, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    09/02/2012 17:43:29, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    09/02/2012 16:11:20, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK8 eabfiltr eeCtrl Fips SASDIFSV SASKUTIL
    09/02/2012 14:53:06, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Programador de LiveUpdate automático service to connect.
    09/02/2012 14:53:06, error: Service Control Manager [7000] - The Programador de LiveUpdate automático service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    .
    ==== End Of File ===========================
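The "Event Viewer Messages" block above is the most useful evidence in this log for a responder: it records which services and boot-start drivers refused to start, and two of them (McAfee's McShield and the SuperAntiSpyware drivers) are security components. The following is an added example by the editor, not code from DDS, TechSpot or the poster. It parses lines in the DDS event format, groups them by Service Control Manager event ID and surfaces failing components that belong to security products. The sample lines are a shortened selection copied from the log above; the mapping of names to products in SECURITY_COMPONENTS is the editor's assumption and should be adjusted to the tools installed on the machine being triaged.

```python
import re
from collections import Counter, defaultdict

# A shortened selection of lines from the "Event Viewer Messages" section of
# the DDS log above. The parser relies only on DDS's fixed line shape:
#   "<dd/mm/yyyy hh:mm:ss>, <level>: <source> [<event id>] - <message>"
SAMPLE_EVENTS = """\
10/02/2012 13:33:09, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Programador de LiveUpdate automático service to connect.
10/02/2012 13:33:09, error: Service Control Manager [7000] - The Programador de LiveUpdate automático service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
09/02/2012 20:35:46, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AliIde IntelIde Pcmcia ViaIde
09/02/2012 19:19:48, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service LiveUpdate with arguments "" in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}
09/02/2012 18:50:41, error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 1 time(s).
09/02/2012 16:11:20, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK8 eabfiltr eeCtrl Fips SASDIFSV SASKUTIL
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}), (?P<level>\w+): "
    r"(?P<source>.+?) \[(?P<eid>\d+)\] - (?P<msg>.*)$"
)

# Service Control Manager events whose message names a service.
SERVICE_PATTERNS = {
    7000: re.compile(r"^The (.+?) service failed to start"),
    7009: re.compile(r"waiting for the (.+?) service to connect"),
    7034: re.compile(r"^The (.+?) service terminated unexpectedly"),
}
DRIVER_LOAD_FAIL = 7026  # "...driver(s) failed to load: <name> <name> ..."

# Editor's assumption, not from the thread: failing components that belong to
# security products. A protection component that will not start is worth
# surfacing first, whether caused by tampering or by an interrupted cleanup.
SECURITY_COMPONENTS = {
    "McShield": "McAfee on-access scanner",
    "SASDIFSV": "SUPERAntiSpyware driver",
    "SASKUTIL": "SUPERAntiSpyware driver",
    "eeCtrl": "Symantec Eraser driver",
}


def parse_events(text):
    """Parse DDS event lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["eid"] = int(d["eid"])
            events.append(d)
    return events


def count_by_event_id(events):
    return Counter(e["eid"] for e in events)


def failed_services(events):
    """Map service display name -> set of SCM event IDs seen for it."""
    found = defaultdict(set)
    for e in events:
        pat = SERVICE_PATTERNS.get(e["eid"])
        if pat:
            m = pat.search(e["msg"])
            if m:
                found[m.group(1)].add(e["eid"])
    return dict(found)


def failed_drivers(events):
    """Set of driver service names reported by event 7026."""
    drivers = set()
    for e in events:
        if e["eid"] == DRIVER_LOAD_FAIL and "failed to load:" in e["msg"]:
            drivers.update(e["msg"].split("failed to load:", 1)[1].split())
    return drivers


def security_tool_impact(events, components=SECURITY_COMPONENTS):
    """(name, kind, product) for every failing component on the watchlist."""
    hits = []
    for svc in failed_services(events):
        for key, product in components.items():
            if key in svc:
                hits.append((svc, "service", product))
    for drv in failed_drivers(events):
        if drv in components:
            hits.append((drv, "driver", components[drv]))
    return sorted(hits, key=lambda h: (h[1], h[0]))


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("events by ID:", dict(count_by_event_id(evs)))
    for name, ids in failed_services(evs).items():
        print(f"service {name!r}: events {sorted(ids)}")
    print("drivers that failed to load:", sorted(failed_drivers(evs)))
    for name, kind, product in security_tool_impact(evs):
        print(f"security component down: {kind} {name} ({product})")
```

Run against the full section of a DDS log, the output tells you at a glance whether the repeated timeouts are one chatty service (here the LiveUpdate scheduler) or a pattern across protection software; the latter is what justifies the bootkit checks that follow in the thread.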
  11. Broni

    Broni Malware Annihilator Posts: 45,279   +243

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ==============================================================

    Download Bootkit Remover to your Desktop.

    • Unzip downloaded file to your Desktop.
• Double-click on boot_cleaner.exe to run the program (Vista/7 users, right-click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
  12. evilcaterpillar

    evilcaterpillar Newcomer, in training Topic Starter Posts: 57

Done... here are the results

    aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
    Run date: 2012-02-10 17:51:29
    -----------------------------
    17:51:29.015 OS Version: Windows 5.1.2600 Service Pack 3
    17:51:29.015 Number of processors: 1 586 0x2402
    17:51:29.015 ComputerName: YOUR-4105E587B6 UserName: carlos
    17:51:34.890 Initialize success
    17:51:59.437 AVAST engine defs: 12021001
    17:52:06.953 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    17:52:06.953 Disk 0 Vendor: FUJITSU_MHV2080AT_PL 008300A1 Size: 76319MB BusType: 3
    17:52:07.015 Disk 0 MBR read successfully
    17:52:07.015 Disk 0 MBR scan
    17:52:07.203 Disk 0 unknown MBR code
    17:52:07.234 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 68723 MB offset 63
    17:52:07.390 Disk 0 Partition 2 00 0C FAT32 LBA RECOVERY 7585 MB offset 140761530
    17:52:07.484 Disk 0 scanning sectors +156296385
    17:52:07.781 Disk 0 scanning C:\WINDOWS\system32\drivers
    17:53:55.906 Service scanning
    17:54:02.921 Modules scanning
    17:55:06.250 Disk 0 trace - called modules:
    17:55:06.328 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
    17:55:06.718 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85570030]
    17:55:06.734 3 CLASSPNP.SYS[f7532fd7] -> nt!IofCallDriver -> \Device\00000078[0x855749e8]
    17:55:06.750 5 ACPI.sys[f73a9620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x85592940]
    17:55:08.000 AVAST engine scan C:\WINDOWS
    17:55:29.828 File: C:\WINDOWS\explorer.exe **INFECTED** Win32:patched-AET [Trj]
    17:57:21.140 AVAST engine scan C:\WINDOWS\system32
    18:07:39.343 File: C:\WINDOWS\system32\svchost.exe **INFECTED** Win32:patched-AET [Trj]
    18:08:32.500 File: C:\WINDOWS\system32\winlogon.exe **INFECTED** Win32:patched-AET [Trj]
    18:19:18.156 AVAST engine scan C:\WINDOWS\system32\drivers
    18:21:52.390 AVAST engine scan C:\Documents and Settings\carlos
    18:38:45.937 File: C:\Documents and Settings\carlos\Local Settings\Temp\_E0.tmp **INFECTED** Win32:Delf-OXZ [Trj]
    18:49:49.640 Disk 0 MBR has been saved successfully to "C:\Files\New files\MBR.dat"
    18:49:49.859 The log file has been saved successfully to "C:\Files\New files\aswMBR Log.txt"


    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    Boot sector MD5 is: d3c3d1a705af3d0bec0fc46073d431f4

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Done;
    Press any key to quit...
  13. Broni

    Broni Malware Annihilator Posts: 45,279   +243

    Please download and run ListParts by Farbar (for 32-bit system)

    Please download and run ListParts64 by Farbar (for 64-bit system)

    Click on Scan button.

    Scan result will open in Notepad.
    Post it in your next reply.
     
  14. evilcaterpillar

    evilcaterpillar Newcomer, in training Topic Starter Posts: 57

    ListParts by Farbar
    Ran by carlos on 10-02-2012 at 19:45:57
    Windows XP (X86)
    Running From: C:\Files\New files
    Language: 0409
    ************************************************************

    ========================= Memory info ======================

    Percentage of memory in use: 82%
    Total physical RAM: 894.17 MB
    Available physical RAM: 155.95 MB
    Total Pagefile: 2167.29 MB
    Available Pagefile: 808.75 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1998.16 MB

    ======================= Partitions =========================

    1 Drive c: (CaterpillarDisk) (Fixed) (Total:67.11 GB) (Free:13.81 GB) NTFS ==>[Drive with boot components (Windows XP)]
    2 Drive d: (PRESARIO_RP) (Fixed) (Total:7.39 GB) (Free:0.83 GB) FAT32 ==>[Drive with boot components (Windows XP)]

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 75 GB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 67 GB 32 KB
    Partition 2 Primary 7585 MB 67 GB

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C Caterpillar NTFS Partition 67 GB Healthy System (partition with boot components)

    Disk: 0
    Partition 2
    Type : 0C
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 D PRESARIO_RP FAT32 Partition 7585 MB Healthy


    ****** End Of Log ******
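Both the aswMBR/Bootkit Remover output in post 12 and the ListParts output above are reading the same 512-byte structure: the master boot record, with its 440 bytes of boot code, a 4-entry partition table at offset 0x1BE and the 0x55AA signature. The following is an added example by the editor, not code from any of those tools or from the thread. It builds a constructed MBR image whose partition table resembles the layout the logs report (an active type 07 NTFS partition at LBA 63, then a type 0C FAT32 recovery partition), parses it back the way the tools display it, hashes the boot sector as Bootkit Remover does, and runs the sanity checks a responder would apply. The whitelist approach in boot_code_status is the general idea behind an "Unknown boot code" verdict (boot code not matching any known loader) and is not a claim about Bootkit Remover's internals; the sector counts and disk size are constructed values, not the poster's disk.

```python
import hashlib
import struct

SECTOR = 512
PARTITION_TABLE_OFFSET = 0x1BE   # four 16-byte entries
BOOT_CODE_LEN = 440              # bytes before the disk-signature field
SIGNATURE = b"\x55\xAA"

# Partition type bytes that appear in the logs above.
PARTITION_TYPES = {0x07: "HPFS/NTFS", 0x0C: "FAT32 LBA"}

# Constructed: 76319 MB as aswMBR reported, expressed in 512-byte sectors.
DISK_SECTORS = 76319 * 2048


def make_entry(bootable, ptype, lba_start, sectors):
    """One classic MBR partition-table entry; CHS fields are left zero in this
    constructed image because the LBA fields are what modern tools read."""
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\x00" * 3,
                       ptype, b"\x00" * 3, lba_start, sectors)


def build_sample_mbr():
    """Constructed 512-byte MBR: active NTFS at LBA 63, FAT32 recovery after it.
    The boot code is a NOP filler pattern, not real loader code."""
    boot_code = bytes([0x90]) * BOOT_CODE_LEN
    disk_sig = struct.pack("<I", 0x12345678)      # constructed disk signature
    reserved = b"\x00\x00"
    table = (make_entry(True, 0x07, 63, 140761467)
             + make_entry(False, 0x0C, 140761530, 15534080)
             + b"\x00" * 32)                      # entries 3 and 4 unused
    image = boot_code + disk_sig + reserved + table + SIGNATURE
    assert len(image) == SECTOR
    return image


def parse_mbr(image):
    """Return the non-empty partition entries in the form the tools print."""
    if len(image) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if image[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        flag, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", image, off)
        if ptype == 0 and sectors == 0:
            continue  # empty slot
        entries.append({
            "index": i + 1,
            "bootable": flag == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start,
            "sectors": sectors,
            "size_mb": sectors * SECTOR // (1024 * 1024),
        })
    return entries


def boot_sector_md5(image):
    """Whole-sector MD5, the value Bootkit Remover prints as 'Boot sector MD5'."""
    return hashlib.md5(image).hexdigest()


def boot_code_status(image, known_hashes):
    """Compare the 440-byte boot code against a whitelist of known loaders.
    'unknown' means 'inspect manually', not 'infected': OEM recovery loaders
    are a common benign cause."""
    digest = hashlib.sha256(image[:BOOT_CODE_LEN]).hexdigest()
    return ("known" if digest in known_hashes else "unknown"), digest


def layout_checks(entries, disk_sectors):
    """Sanity checks on a parsed table; an empty list means nothing odd."""
    problems = []
    active = [e for e in entries if e["bootable"]]
    if len(active) != 1:
        problems.append(f"{len(active)} active partitions (expected 1)")
    ordered = sorted(entries, key=lambda e: e["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            problems.append(f"partition {a['index']} overlaps partition {b['index']}")
    for e in entries:
        if e["lba_start"] + e["sectors"] > disk_sectors:
            problems.append(f"partition {e['index']} extends past end of disk")
    return problems


if __name__ == "__main__":
    img = build_sample_mbr()
    print("Boot sector MD5 is:", boot_sector_md5(img))
    print("Boot code:", boot_code_status(img, set())[0])
    for e in parse_mbr(img):
        print(f"Partition {e['index']} {'80 (A)' if e['bootable'] else '00'} "
              f"{e['type']:02X} {e['type_name']} {e['size_mb']} MB offset {e['lba_start']}")
    print("Checks:", layout_checks(parse_mbr(img), DISK_SECTORS) or "ok")
```

On a real system the image comes from a raw read of the first sector of the physical disk (the MBR.dat file aswMBR saves is exactly that, which is why Broni says not to delete it: it is the reference copy of the sector). The useful habit is to compare the parsed table against what the operating system reports (ListParts here) and to treat an "unknown" boot-code verdict as a prompt for manual inspection of the dump, which is how the thread proceeds.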
  15. Broni

    Broni Malware Annihilator Posts: 45,279   +243

    Looks good.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.



    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode (How to...)

    2. Delete Combofix file, download a fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  16. evilcaterpillar

    evilcaterpillar Newcomer, in training Topic Starter Posts: 57

    Done

    ComboFix 12-02-10.03 - carlos 11/02/2012 1:39.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.52.1033.18.894.374 [GMT -6:00]
    Running from: c:\documents and settings\carlos\Desktop\ComboFix.exe
    AV: McAfee VirusScan Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    .
    ADS - system32: deleted 12 bytes in 1 streams.
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\asmqaaa.tmp
    c:\documents and settings\All Users\Application Data\crjqaaa.tmp
    c:\documents and settings\All Users\Application Data\drjqaaa.tmp
    c:\documents and settings\All Users\Application Data\erjqaaa.tmp
    c:\documents and settings\All Users\Application Data\gnupaaa.tmp
    c:\documents and settings\All Users\Application Data\hfoqaaa.tmp
    c:\documents and settings\All Users\Application Data\hnupaaa.tmp
    c:\documents and settings\All Users\Application Data\ifoqaaa.tmp
    c:\documents and settings\All Users\Application Data\inupaaa.tmp
    c:\documents and settings\All Users\Application Data\jfoqaaa.tmp
    c:\documents and settings\All Users\Application Data\jnupaaa.tmp
    c:\documents and settings\All Users\Application Data\kfoqaaa.tmp
    c:\documents and settings\All Users\Application Data\knupaaa.tmp
    c:\documents and settings\All Users\Application Data\mmrpaaa.tmp
    c:\documents and settings\All Users\Application Data\nmrpaaa.tmp
    c:\documents and settings\All Users\Application Data\oelqaaa.tmp
    c:\documents and settings\All Users\Application Data\omrpaaa.tmp
    c:\documents and settings\All Users\Application Data\qmrpaaa.tmp
    c:\documents and settings\All Users\Application Data\wrmqaaa.tmp
    c:\documents and settings\All Users\Application Data\xpfoaaa.tmp
    c:\documents and settings\All Users\Application Data\xrmqaaa.tmp
    c:\documents and settings\All Users\Application Data\yrmqaaa.tmp
    c:\documents and settings\All Users\Application Data\zpfoaaa.tmp
    c:\documents and settings\All Users\Application Data\zrmqaaa.tmp
    c:\documents and settings\carlos\Application Data\Desktopicon
    c:\documents and settings\carlos\Application Data\Desktopicon\mc.ico
    c:\documents and settings\carlos\Recent\Thumbs.db
    c:\documents and settings\carlos\WINDOWS
    c:\program files\StartSearch plugin
    c:\program files\StartSearch plugin\IEhelperActiveX.dll
    c:\program files\StartSearch plugin\StartBar.dll
    c:\program files\StartSearch plugin\uninst.exe
    c:\program files\StartSearch plugin\vshareplg.crx
    C:\Thumbs.db
    c:\windows\expl.dat
    c:\windows\offitems.log
    c:\windows\system32\AutoRun.inf
    c:\windows\system32\CddbCdda.dll
    c:\windows\system32\drivers\etc\hosts.ics
    c:\windows\system32\SET5B.tmp
    c:\windows\system32\SET67.tmp
    c:\windows\system32\SET74.tmp
    c:\windows\system32\SETAE.tmp
    c:\windows\system32\shimg.dll
    c:\windows\system32\svch.dat
    c:\windows\system32\winl.dat
    D:\Autorun.inf
    .
    Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe
    .
    Infected copy of c:\windows\system32\svchost.exe was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\svchost.exe
    .
    c:\windows\explorer.exe . . . is infected!!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_NPF
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-01-11 to 2012-02-11 )))))))))))))))))))))))))))))))
    .
    .
    2012-02-10 01:45 . 2012-02-10 01:45 -------- d-----w- c:\documents and settings\carlos\Application Data\Malwarebytes
    2012-02-10 01:43 . 2012-02-10 01:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-02-10 01:43 . 2011-12-10 21:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-02-10 01:43 . 2012-02-10 01:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-02-03 01:42 . 2012-02-09 23:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2012-02-03 01:42 . 2012-02-09 23:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2012-02-01 01:27 . 2012-02-01 01:29 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
    2012-01-20 00:39 . 2012-01-20 00:39 19416 ----a-w- c:\program files\Mozilla Firefox\AccessibleMarshal.dll
    2012-01-20 00:39 . 2012-01-20 00:39 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
    2012-01-20 00:39 . 2012-01-20 00:39 125912 ----a-w- c:\program files\Mozilla Firefox\crashreporter.exe
    2012-01-20 00:39 . 2012-01-20 00:39 121816 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
    2012-01-20 00:39 . 2012-01-20 00:39 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-25 21:57 . 2004-08-04 08:00 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-11-23 13:25 . 2004-08-04 08:00 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-18 12:35 . 2004-08-04 08:00 60416 ----a-w- c:\windows\system32\packager.exe
    2011-11-16 14:21 . 2004-08-04 08:00 354816 ----a-w- c:\windows\system32\winhttp.dll
    2011-11-16 14:21 . 2004-08-04 08:00 152064 ----a-w- c:\windows\system32\schannel.dll
    2011-11-15 23:28 . 2011-06-07 22:56 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2010-02-27 00:53 . 2010-02-27 00:53 2110728 ----a-w- c:\program files\Install_Facebook_Plug-In_1.0.3.exe
    2012-01-20 00:39 . 2012-01-20 00:39 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
    [-] 2008-04-14 . D8B309610E34D4E2BFA93CAC940B8317 . 545280 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
    [7] 2004-08-04 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\winlogon.exe
    .
    [7] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\svchost.exe
    [-] 2008-04-14 . 7C4EFFFEC2A73C88EBBFFDBCD369CDE6 . 39936 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
    [7] 2004-08-04 . 8F078AE4ED187AAABC0A305146DE6716 . 14336 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\svchost.exe
    .
    [7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
    [-] 2008-04-14 . 67DAEC80394AE629F51E86770F34A38B . 1058816 . . [6.00.2900.5512] . . c:\windows\explorer.exe
    [-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
    [-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\$NtServicePackUninstall$\explorer.exe
    [7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-07 68856]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]
    "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
    "eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-07 409600]
    "Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
    "RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
    "hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
    "Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-06 856064]
    "Acrobat Assistant 7.0"="c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
    "OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
    "Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-03-12 517768]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "IUSACELL_CDU680"="c:\program files\IUSACELL\CDU680DORA\BIN\RDVCHG.EXE" [2007-07-30 316664]
    "AutoTask"="c:\program files\AutoTask\AutoTask.exe" [2009-06-22 335872]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10e.exe" [2010-01-27 256280]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
    HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
    Inicio rápido de Adobe Acrobat.lnk - c:\windows\Installer\{AC76BA86-1034-4700-7760-100000000002}\SC_Acrobat.exe [2006-5-8 25214]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\FlashGet\\flashget.exe"=
    "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [15/06/2011 16:33 249648]
    R2 PEEK5;PEEK Driver v4.5;c:\windows\system32\drivers\PEEK5.SYS [20/11/2009 23:31 13184]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/10/2008 22:06 24652]
    R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [22/08/2005 03:06 231424]
    S2 gupdate;Servicio de actualización de Google (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [29/04/2010 16:46 135664]
    S2 Programador de LiveUpdate automático;Programador de LiveUpdate automático;c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe [31/08/2007 11:49 243064]
    S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [07/07/2011 18:31 195336]
    S3 cmusbser;%CMUSBSER%;c:\windows\system32\drivers\cmusbser.sys [22/05/2009 10:47 87040]
    S3 gupdatem;Google Update Servicio (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [29/04/2010 16:46 135664]
    S3 k510bus;Sony Ericsson K510 Driver driver (WDM);c:\windows\system32\drivers\k510bus.sys [17/11/2006 10:21 58288]
    S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;c:\windows\system32\drivers\k510mdfl.sys [17/11/2006 10:21 8336]
    S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;c:\windows\system32\drivers\k510mdm.sys [17/11/2006 10:21 94064]
    S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\k510mgmt.sys [17/11/2006 10:21 85408]
    S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;c:\windows\system32\drivers\k510obex.sys [17/11/2006 10:21 83344]
    S3 SNPP106;PC Camera (6029 CIF);c:\windows\system32\drivers\snpp106.sys [13/05/2006 16:04 239488]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-12-24 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 18:34]
    .
    2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-29 22:46]
    .
    2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-29 22:46]
    .
    2011-10-20 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
    - c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-11-30 10:04]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uStart Page = about:blank
    mStart Page = hxxp://www.google.com
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    DPF: {D1792F99-AA90-4D46-8B73-2CE45DADDD3C} - hxxp://www.web-a-file.com/webafiledownloader.cab
    FF - ProfilePath - c:\documents and settings\carlos\Application Data\Mozilla\Firefox\Profiles\m67w9brq.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://startsear.ch/?aff=2&src=sp&cf=06bca87a-2e5e-11e1-81bc-0014a5746f9d&q=
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-Aim6 - (no file)
    Notify-dimsntfy32 - dimsntfy32.dll
    AddRemove-LiveVDO plugin - c:\program files\StartSearch plugin\uninst.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-02-11 02:06
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????$????????? ???B?????????????hLC? ??????
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,36,ee,95,f2,d4,80,46,4a,86,aa,f6,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,36,ee,95,f2,d4,80,46,4a,86,aa,f6,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(852)
    c:\windows\system32\Ati2evxx.dll
    .
    - - - - - - - > 'explorer.exe'(2420)
    c:\windows\system32\WININET.dll
    c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
    c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
    c:\windows\system32\ConnAPI.DLL
    c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_spa-co.nlr
    c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\McAfee\Common Framework\FrameworkService.exe
    c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
    c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    c:\program files\McAfee\Common Framework\naPrdMgr.exe
    c:\program files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
    c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
    c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
    c:\program files\McAfee\Common Framework\McTray.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Common Files\PCSuite\Services\ServiceLayer.exe
    c:\progra~1\hpq\Shared\HPQTOA~1.EXE
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
    .
    **************************************************************************
    .
    Completion time: 2012-02-11 02:16:17 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-02-11 08:16
    .
    Pre-Run: 14,906,269,696 bytes free
    Post-Run: 15,759,544,320 bytes free
    .
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - F26369867947892C3D5F7DD23EF149AE
  17. Broni

    Broni Malware Annihilator Posts: 45,279   +243

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    FCopy::
    c:\windows\ServicePackFiles\i386\winlogon.exe | c:\windows\system32\winlogon.exe
    c:\windows\ServicePackFiles\i386\svchost.exe | c:\windows\system32\svchost.exe
    c:\windows\ServicePackFiles\i386\explorer.exe | c:\windows\explorer.exe
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000000
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Symantec PIF AlertEng"=-
    
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
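    The Sigcheck section of the ComboFix log above lists each system binary with its MD5, size and file version next to the backup copies Windows keeps, and the FCopy:: directives in the script restore the three live files from their ServicePackFiles copies. As an added example that is not part of this thread or of ComboFix, the following Python reads lines in that Sigcheck format and reports every live binary whose hash or size differs from the same-version ServicePackFiles copy, plus any live binary that has no reference copy to compare against; the backup-directory list and the userinit/ntoskrnl sample lines (with invented hashes) are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in the line format of ComboFix's Sigcheck section.  The
# winlogon/svchost/explorer lines mirror the log above; userinit and ntoskrnl
# (hashes invented) add a clean file and a live file with no reference copy.
SAMPLE_SIGCHECK = r"""
[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 . D8B309610E34D4E2BFA93CAC940B8317 . 545280 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[7] 2004-08-04 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\winlogon.exe
.
[7] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 . 7C4EFFFEC2A73C88EBBFFDBCD369CDE6 . 39936 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
.
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2008-04-14 . 67DAEC80394AE629F51E86770F34A38B . 1058816 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
[7] 2008-04-14 . 00000000000000000000000000000001 . 26112 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\userinit.exe
[7] 2008-04-14 . 00000000000000000000000000000001 . 26112 . . [5.1.2600.5512] . . c:\windows\system32\userinit.exe
.
[-] 2008-04-14 . 00000000000000000000000000000002 . 2180992 . . [5.1.2600.5512] . . c:\windows\system32\ntoskrnl.exe
"""

# One Sigcheck line: [flag] date . MD5 . size . . [file version] . . path
LINE_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+\S+\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)"
    r"\s+\.\s+\.\s+\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)

# Where FCopy:: restores from, and the directories that hold backup copies
# rather than the binary Windows actually runs (this list is an assumption).
REFERENCE_DIR = "\\servicepackfiles\\i386\\"
BACKUP_MARKERS = ("\\servicepackfiles\\", "$ntservicepackuninstall$",
                  "$hf_mig$", "$ntuninstall")


@dataclass(frozen=True)
class SigEntry:
    flag: str        # ComboFix's own verification mark ([7] / [-]); not interpreted here
    md5: str
    size: int
    version: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def is_reference(self) -> bool:
        return REFERENCE_DIR in self.path.lower()

    @property
    def is_live(self) -> bool:
        return not any(m in self.path.lower() for m in BACKUP_MARKERS)


@dataclass(frozen=True)
class Finding:
    live: SigEntry   # the binary in its real location (system32, c:\windows)
    ref: SigEntry    # the same-version ServicePackFiles copy it differs from


def parse_sigcheck(text: str) -> List[SigEntry]:
    """Parse every well-formed Sigcheck line; separator dots and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(SigEntry(m["flag"], m["md5"].upper(), int(m["size"]),
                                    m["version"], m["path"]))
    return entries


def check_live_binaries(entries: List[SigEntry]) -> Tuple[List[Finding], List[SigEntry]]:
    """Return (mismatches, unverified): live binaries whose MD5 or size differs
    from the ServicePackFiles copy of the identical version (a patched system
    file), and live binaries that have no same-version reference in the log."""
    refs: Dict[Tuple[str, str], SigEntry] = {
        (e.name, e.version): e for e in entries if e.is_reference
    }
    mismatches: List[Finding] = []
    unverified: List[SigEntry] = []
    for e in entries:
        if not e.is_live:
            continue
        ref = refs.get((e.name, e.version))
        if ref is None:
            unverified.append(e)
        elif e.md5 != ref.md5 or e.size != ref.size:
            mismatches.append(Finding(e, ref))
    return mismatches, unverified


if __name__ == "__main__":
    bad, unknown = check_live_binaries(parse_sigcheck(SAMPLE_SIGCHECK))
    for f in bad:
        print(f"MISMATCH {f.live.path} [{f.live.version}]: {f.live.size} B {f.live.md5}"
              f" vs {f.ref.size} B {f.ref.md5} in {f.ref.path}")
    for e in unknown:
        print(f"NO REFERENCE {e.path} [{e.version}]: verify against install media")
```

    On the sample this flags exactly the three files ComboFix reported and that the FCopy:: step replaces; a same-version match (userinit) produces nothing, and a file with no reference copy (ntoskrnl) is listed separately rather than silently passed.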
  18. evilcaterpillar

    evilcaterpillar Newcomer, in training Topic Starter Posts: 57

    ComboFix 12-02-10.03 - carlos 12/02/2012 18:18:00.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.52.1033.18.894.304 [GMT -6:00]
    Running from: c:\documents and settings\carlos\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\carlos\Desktop\CFScript.txt
    AV: McAfee VirusScan Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\expl.dat
    c:\windows\system32\dllc.dat
    c:\windows\system32\svch.dat
    c:\windows\system32\winl.dat
    c:\windows\TEMP\win45.tmp
    .
    Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe
    .
    Infected copy of c:\windows\system32\svchost.exe was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\svchost.exe
    .
    c:\windows\explorer.exe . . . is infected!!
    .
    .
    --------------- FCopy ---------------
    .
    c:\windows\ServicePackFiles\i386\winlogon.exe --> c:\windows\system32\winlogon.exe
    c:\windows\ServicePackFiles\i386\svchost.exe --> c:\windows\system32\svchost.exe
    c:\windows\ServicePackFiles\i386\explorer.exe --> c:\windows\explorer.exe
    .
    ((((((((((((((((((((((((( Files Created from 2012-01-13 to 2012-02-13 )))))))))))))))))))))))))))))))
    .
    .
    2012-02-13 00:27 . 2008-04-14 00:12 1058816 ----a-w- c:\windows\OLD3BA.tmp
    2012-02-13 00:22 . 2008-04-14 00:12 545280 ----a-w- c:\windows\system32\OLD1EA.tmp
    2012-02-10 01:45 . 2012-02-10 01:45 -------- d-----w- c:\documents and settings\carlos\Application Data\Malwarebytes
    2012-02-10 01:43 . 2012-02-10 01:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-02-10 01:43 . 2011-12-10 21:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-02-10 01:43 . 2012-02-10 01:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-02-03 01:42 . 2012-02-09 23:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2012-02-03 01:42 . 2012-02-09 23:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2012-02-01 01:27 . 2012-02-01 01:29 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
    2012-01-20 00:39 . 2012-01-20 00:39 19416 ----a-w- c:\program files\Mozilla Firefox\AccessibleMarshal.dll
    2012-01-20 00:39 . 2012-01-20 00:39 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
    2012-01-20 00:39 . 2012-01-20 00:39 125912 ----a-w- c:\program files\Mozilla Firefox\crashreporter.exe
    2012-01-20 00:39 . 2012-01-20 00:39 121816 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
    2012-01-20 00:39 . 2012-01-20 00:39 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-02-13 00:34 . 2004-08-04 08:00 1058816 ----a-w- c:\windows\explorer.exe
    2011-11-25 21:57 . 2004-08-04 08:00 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-11-23 13:25 . 2004-08-04 08:00 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-18 12:35 . 2004-08-04 08:00 60416 ----a-w- c:\windows\system32\packager.exe
    2011-11-16 14:21 . 2004-08-04 08:00 354816 ----a-w- c:\windows\system32\winhttp.dll
    2011-11-16 14:21 . 2004-08-04 08:00 152064 ----a-w- c:\windows\system32\schannel.dll
    2011-11-15 23:28 . 2011-06-07 22:56 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2010-02-27 00:53 . 2010-02-27 00:53 2110728 ----a-w- c:\program files\Install_Facebook_Plug-In_1.0.3.exe
    2012-01-20 00:39 . 2012-01-20 00:39 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
    [-] 2008-04-14 . D8B309610E34D4E2BFA93CAC940B8317 . 545280 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
    [7] 2004-08-04 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\winlogon.exe
    .
    [7] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\svchost.exe
    [-] 2008-04-14 . 7C4EFFFEC2A73C88EBBFFDBCD369CDE6 . 39936 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
    [7] 2004-08-04 . 8F078AE4ED187AAABC0A305146DE6716 . 14336 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\svchost.exe
    .
    [-] 2012-02-13 . 67DAEC80394AE629F51E86770F34A38B . 1058816 . . [6.00.2900.5512] . . c:\windows\explorer.exe
    [7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
    [-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
    [-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\$NtServicePackUninstall$\explorer.exe
    [7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-02-11_08.06.08 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-02-13 00:02 . 2012-02-13 00:02 16384 c:\windows\Temp\Perflib_Perfdata_924.dat
    + 2012-02-13 00:39 . 2012-02-13 00:39 16384 c:\windows\Temp\Perflib_Perfdata_1fc.dat
    + 2012-02-12 23:33 . 2012-02-12 23:52 65536 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012012021220120213\index.dat
    + 2012-02-12 23:59 . 2012-02-12 23:59 27648 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\{8D8871C6-55D5-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:59 . 2012-02-12 23:59 10752 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\{8D8871B4-55D5-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:45 . 2012-02-12 23:52 12288 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{99D9B951-55D3-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:47 . 2012-02-12 23:51 19456 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{F89A6E21-55D3-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:33 . 2012-02-12 23:39 21504 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{E1F365BF-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:32 . 2012-02-12 23:37 23552 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{E1F0B544-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:46 . 2012-02-12 23:52 22528 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{CD721CF7-55D3-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:46 . 2012-02-12 23:52 10752 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{CD721CF6-55D3-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:46 . 2012-02-12 23:46 10240 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{C2B9EA50-55D3-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:52 . 2012-02-12 23:59 31744 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{A4A57E84-55D4-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:45 . 2012-02-12 23:52 31232 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{99D9B954-55D3-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:37 . 2012-02-12 23:39 11776 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{82CC5D70-55D2-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:37 . 2012-02-12 23:39 11776 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{755BFC22-55D2-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:43 . 2012-02-12 23:43 10752 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{5D980AB5-55D3-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:36 . 2012-02-12 23:39 11776 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{5CD66C78-55D2-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:43 . 2012-02-12 23:43 10240 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{579FC758-55D3-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:35 . 2012-02-12 23:39 11776 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{508DAEC2-55D2-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:35 . 2012-02-12 23:37 11264 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{4D3A8740-55D2-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:42 . 2012-02-12 23:44 14336 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{447EA94A-55D3-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:35 . 2012-02-12 23:39 11776 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{39027602-55D2-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:56 . 2012-02-12 23:59 14336 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{32C8F017-55D5-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:48 . 2012-02-12 23:52 11264 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{1C58EF6D-55D4-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:48 . 2012-02-12 23:48 10240 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{14C69795-55D4-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:48 . 2012-02-12 23:48 10240 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{14C69794-55D4-11E1-81F0-0014A5746F9D}.dat
    - 2012-02-01 01:48 . 2012-02-11 01:59 32768 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\index.dat
    + 2012-02-01 01:48 . 2012-02-12 23:53 32768 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\index.dat
    - 2012-02-01 01:30 . 2012-02-11 07:33 32768 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
    + 2012-02-01 01:30 . 2012-02-12 23:52 32768 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
    + 2012-02-12 23:21 . 2012-02-12 23:57 49152 c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2012-02-12 23:59 . 2012-02-12 23:59 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{8D8871C9-55D5-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:59 . 2012-02-12 23:59 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{8D8871C7-55D5-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:59 . 2012-02-12 23:59 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{8D8871C5-55D5-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:59 . 2012-02-12 23:59 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{8D8871C3-55D5-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:59 . 2012-02-12 23:59 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{8D8871C1-55D5-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:59 . 2012-02-12 23:59 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{8D8871BF-55D5-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:59 . 2012-02-12 23:59 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{8D8871BD-55D5-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:59 . 2012-02-12 23:59 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{8D8871BB-55D5-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:59 . 2012-02-12 23:59 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{8D8871B9-55D5-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:59 . 2012-02-12 23:59 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{8D8871B7-55D5-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:59 . 2012-02-12 23:59 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{8D8871B5-55D5-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:59 . 2012-02-12 23:59 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{8D8871B3-55D5-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:59 . 2012-02-12 23:59 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{8D8871B1-55D5-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:41 . 2012-02-12 23:59 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{1A6AE8E8-55D3-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:59 . 2012-02-12 23:59 6144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\{8D8871CA-55D5-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:59 . 2012-02-12 23:59 7168 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\{8D8871C8-55D5-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:59 . 2012-02-12 23:59 6144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\{8D8871C4-55D5-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:59 . 2012-02-12 23:59 6144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\{8D8871C2-55D5-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:59 . 2012-02-12 23:59 7168 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\{8D8871C0-55D5-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:59 . 2012-02-12 23:59 6656 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\{8D8871BE-55D5-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:59 . 2012-02-12 23:59 6144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\{8D8871BC-55D5-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:59 . 2012-02-12 23:59 6656 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\{8D8871BA-55D5-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:59 . 2012-02-12 23:59 6144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\{8D8871B8-55D5-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:59 . 2012-02-12 23:59 9216 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\{8D8871B6-55D5-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:59 . 2012-02-12 23:59 7680 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\{8D8871B2-55D5-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:59 . 2012-02-12 23:59 6144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\{8D8871B0-55D5-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:26 . 2012-02-12 23:26 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{F3D8FF8F-55D0-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:26 . 2012-02-12 23:26 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{F39B026B-55D0-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:26 . 2012-02-12 23:26 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{F393DB5D-55D0-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:26 . 2012-02-12 23:26 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{F387EF9B-55D0-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:26 . 2012-02-12 23:26 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{F1BBC9C1-55D0-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:32 . 2012-02-12 23:37 6144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{E1F365BE-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:32 . 2012-02-12 23:33 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{E1F3179E-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:32 . 2012-02-12 23:37 5120 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{E1F0B543-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:32 . 2012-02-12 23:37 5632 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{E1EE52E9-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:31 . 2012-02-12 23:31 5632 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{BBCFD9F7-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:38 . 2012-02-12 23:44 9216 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{9DDA6CBE-55D2-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:38 . 2012-02-12 23:38 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{9D9ED1F1-55D2-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:30 . 2012-02-12 23:30 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{99E4A593-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:30 . 2012-02-12 23:30 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{99E24339-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:30 . 2012-02-12 23:30 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{99DD7E85-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:52 . 2012-02-12 23:52 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{99381927-55D4-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:23 . 2012-02-12 23:23 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{9463180E-55D0-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:23 . 2012-02-12 23:23 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{8EB4BD9A-55D0-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:51 . 2012-02-12 23:52 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{8C97246E-55D4-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:23 . 2012-02-12 23:23 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{8BF567E3-55D0-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:23 . 2012-02-12 23:23 5120 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{8BCF4243-55D0-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:29 . 2012-02-12 23:29 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{75BF9F29-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:29 . 2012-02-12 23:29 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{75BD3CCF-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:29 . 2012-02-12 23:29 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{75BADA75-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:29 . 2012-02-12 23:29 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{75B8781B-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:29 . 2012-02-12 23:29 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{75B615C1-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:22 . 2012-02-12 23:22 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{68073790-55D0-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:22 . 2012-02-12 23:22 5120 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{66F9CDD5-55D0-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:50 . 2012-02-12 23:51 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{65D4293E-55D4-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:50 . 2012-02-12 23:50 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{5FCB356A-55D4-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:50 . 2012-02-12 23:50 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{5F83AEE2-55D4-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:50 . 2012-02-12 23:50 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{5C9BD132-55D4-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:22 . 2012-02-12 23:22 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{58642B47-55D0-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:22 . 2012-02-12 23:22 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{585AA1DF-55D0-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:29 . 2012-02-12 23:29 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{5482766F-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:29 . 2012-02-12 23:29 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{547B9D81-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:29 . 2012-02-12 23:29 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{547B7671-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:29 . 2012-02-12 23:29 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{547B4F61-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:28 . 2012-02-12 23:29 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{546A9EEB-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:28 . 2012-02-12 23:28 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{46A92DA7-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:28 . 2012-02-12 23:28 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{463B817B-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:28 . 2012-02-12 23:28 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{462AD105-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:28 . 2012-02-12 23:28 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{461C82E9-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:28 . 2012-02-12 23:28 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{444DFAB5-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:49 . 2012-02-12 23:49 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{4061599C-55D4-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:49 . 2012-02-12 23:49 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{3A1CCB02-55D4-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:27 . 2012-02-12 23:27 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{1E6BB8CC-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:27 . 2012-02-12 23:27 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{1E6B91BC-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:27 . 2012-02-12 23:27 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{1E6B6AAC-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:27 . 2012-02-12 23:27 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{1E6B439C-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:27 . 2012-02-12 23:27 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{1E6B1C8C-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:54 . 2012-02-12 23:59 7168 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{F31EA4C8-55D4-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:47 . 2012-02-12 23:47 5632 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{F0FE8CE2-55D3-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:47 . 2012-02-12 23:52 6144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{F0FE8CE0-55D3-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:54 . 2012-02-12 23:59 7680 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{EBB0103C-55D4-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:47 . 2012-02-12 23:47 7680 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{E6A0F396-55D3-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:33 . 2012-02-12 23:33 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{E1F3179F-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:32 . 2012-02-12 23:37 7168 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{E1EE52EA-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:46 . 2012-02-12 23:52 6144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{D3A5FB28-55D3-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:53 . 2012-02-12 23:59 6656 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{CF569A14-55D4-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:53 . 2012-02-12 23:59 6656 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{C7A7A60A-55D4-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:31 . 2012-02-12 23:32 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{BBCFDA00-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:31 . 2012-02-12 23:32 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{BBCFD9FE-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:31 . 2012-02-12 23:31 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{BBCFD9FC-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:31 . 2012-02-12 23:32 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{BBCFD9FA-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:31 . 2012-02-12 23:31 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{BBCFD9F8-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:45 . 2012-02-12 23:45 6144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{B10F1D6D-55D3-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:52 . 2012-02-12 23:59 7680 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{AB804144-55D4-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:45 . 2012-02-12 23:52 7680 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{A97F27EE-55D3-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:52 . 2012-02-12 23:59 6656 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{9EA8767A-55D4-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:38 . 2012-02-12 23:38 6144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{9DDA6CBF-55D2-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:38 . 2012-02-12 23:38 7168 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{9D9ED1F2-55D2-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:23 . 2012-02-12 23:23 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{9CA37B86-55D0-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:30 . 2012-02-12 23:30 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{99E4A594-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:30 . 2012-02-12 23:30 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{99E2433A-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:30 . 2012-02-12 23:30 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{99DD7E86-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:45 . 2012-02-12 23:45 6144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{99D9B952-55D3-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:52 . 2012-02-12 23:52 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{99466742-55D4-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:52 . 2012-02-12 23:52 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{99381928-55D4-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:23 . 2012-02-12 23:23 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{97C9525E-55D0-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:23 . 2012-02-12 23:23 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{97C9525C-55D0-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:23 . 2012-02-12 23:23 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{97BB2B50-55D0-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:23 . 2012-02-12 23:23 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{97BB0440-55D0-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:52 . 2012-02-12 23:52 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{910F8D2E-55D4-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:44 . 2012-02-12 23:44 5632 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{8D63AEF1-55D3-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:44 . 2012-02-12 23:44 8704 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{8766A6DE-55D3-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:44 . 2012-02-12 23:44 5632 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{8766A6DD-55D3-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:44 . 2012-02-12 23:44 5632 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{8766A6DC-55D3-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:51 . 2012-02-12 23:51 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{82051769-55D4-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:51 . 2012-02-12 23:51 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{82051768-55D4-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:37 . 2012-02-12 23:37 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{7C12FB9C-55D2-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:44 . 2012-02-12 23:44 5632 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{7B382304-55D3-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:51 . 2012-02-12 23:51 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{7B2A54A8-55D4-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:29 . 2012-02-12 23:29 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{75BF9F2A-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:29 . 2012-02-12 23:29 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{75BD3CD0-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:29 . 2012-02-12 23:29 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{75BADA76-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:29 . 2012-02-12 23:29 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{75B8781C-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:29 . 2012-02-12 23:29 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{75B615C2-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:22 . 2012-02-12 23:22 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{6E0DC904-55D0-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:22 . 2012-02-12 23:22 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{6E0DC902-55D0-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:22 . 2012-02-12 23:22 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{68073791-55D0-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:43 . 2012-02-12 23:43 5632 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{67DB6A2C-55D3-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:22 . 2012-02-12 23:22 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{66F9CDD8-55D0-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:22 . 2012-02-12 23:22 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{66F9CDD6-55D0-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:50 . 2012-02-12 23:50 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{65DDB2A2-55D4-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:51 . 2012-02-12 23:51 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{65D4293F-55D4-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:50 . 2012-02-12 23:50 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{6397F4DA-55D4-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:50 . 2012-02-12 23:50 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{5FCB356B-55D4-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:50 . 2012-02-12 23:50 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{5F83AEE3-55D4-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:29 . 2012-02-12 23:29 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{5E4F3C84-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:29 . 2012-02-12 23:29 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{5E4F1574-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:29 . 2012-02-12 23:29 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{5E4EEE64-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:29 . 2012-02-12 23:29 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{5E4EC754-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:29 . 2012-02-12 23:29 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{5E4EA044-55D1-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:43 . 2012-02-12 23:43 6144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{5D980AB6-55D3-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:50 . 2012-02-12 23:50 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{5CBD321B-55D4-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:50 . 2012-02-12 23:50 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{5CBD321A-55D4-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:49 . 2012-02-12 23:49 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{4061599D-55D4-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:57 . 2012-02-12 23:59 8192 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{405128E2-55D5-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:42 . 2012-02-12 23:42 5632 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{3E2E2EE1-55D3-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:42 . 2012-02-12 23:42 5632 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{3E2E2EE0-55D3-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:49 . 2012-02-12 23:50 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{3A1CCB03-55D4-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:49 . 2012-02-12 23:49 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{3889DD95-55D4-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:49 . 2012-02-12 23:52 6144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{3889DD94-55D4-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:42 . 2012-02-12 23:42 5632 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{33AF34AA-55D3-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:49 . 2012-02-12 23:49 5632 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{2E3108FE-55D4-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:56 . 2012-02-12 23:59 8704 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{2CC985A8-55D5-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:34 . 2012-02-12 23:35 7168 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{2968F324-55D2-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:56 . 2012-02-12 23:59 6144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{1CD56975-55D5-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:55 . 2012-02-12 23:59 7168 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{151CEC00-55D5-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:48 . 2012-02-12 23:52 5120 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{14C69796-55D4-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:55 . 2012-02-12 23:59 6144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{0F24A8A2-55D5-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:34 . 2012-02-12 23:37 6144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{0B64B80E-55D2-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:48 . 2012-02-12 23:48 7168 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{0A453B04-55D4-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-01 01:29 . 2012-02-12 23:56 540672 c:\windows\system32\config\systemprofile\PrivacIE\index.dat
    + 2012-02-12 23:45 . 2012-02-12 23:52 111104 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{A97F27EF-55D3-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:34 . 2012-02-12 23:39 147968 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{218A5013-55D2-11E1-81F0-0014A5746F9D}.dat
    + 2012-02-12 23:34 . 2012-02-12 23:39 148992 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{218A5012-55D2-11E1-81F0-0014A5746F9D}.dat
    + 2006-04-30 01:31 . 2012-02-12 23:57 1589248 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    .
    -- Snapshot reset to current date --
    .
  19. evilcaterpillar

    evilcaterpillar Newcomer, in training Topic Starter Posts: 57

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-07 68856]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]
    "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
    "eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-07 409600]
    "Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
    "RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
    "hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
    "Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-06 856064]
    "Acrobat Assistant 7.0"="c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
    "OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "IUSACELL_CDU680"="c:\program files\IUSACELL\CDU680DORA\BIN\RDVCHG.EXE" [2007-07-30 316664]
    "AutoTask"="c:\program files\AutoTask\AutoTask.exe" [2009-06-22 335872]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10e.exe" [2010-01-27 256280]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
    HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
    Inicio rápido de Adobe Acrobat.lnk - c:\windows\Installer\{AC76BA86-1034-4700-7760-100000000002}\SC_Acrobat.exe [2006-5-8 25214]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\FlashGet\\flashget.exe"=
    "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [15/06/2011 16:33 249648]
    R2 PEEK5;PEEK Driver v4.5;c:\windows\system32\drivers\PEEK5.SYS [20/11/2009 23:31 13184]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/10/2008 22:06 24652]
    R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [22/08/2005 03:06 231424]
    S2 gupdate;Servicio de actualización de Google (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [29/04/2010 16:46 135664]
    S2 Programador de LiveUpdate automático;Programador de LiveUpdate automático;c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe [31/08/2007 11:49 243064]
    S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [07/07/2011 18:31 195336]
    S3 cmusbser;%CMUSBSER%;c:\windows\system32\drivers\cmusbser.sys [22/05/2009 10:47 87040]
    S3 gupdatem;Google Update Servicio (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [29/04/2010 16:46 135664]
    S3 k510bus;Sony Ericsson K510 Driver driver (WDM);c:\windows\system32\drivers\k510bus.sys [17/11/2006 10:21 58288]
    S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;c:\windows\system32\drivers\k510mdfl.sys [17/11/2006 10:21 8336]
    S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;c:\windows\system32\drivers\k510mdm.sys [17/11/2006 10:21 94064]
    S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\k510mgmt.sys [17/11/2006 10:21 85408]
    S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;c:\windows\system32\drivers\k510obex.sys [17/11/2006 10:21 83344]
    S3 SNPP106;PC Camera (6029 CIF);c:\windows\system32\drivers\snpp106.sys [13/05/2006 16:04 239488]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-12-24 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 18:34]
    .
    2012-02-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-29 22:46]
    .
    2012-02-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-29 22:46]
    .
    2011-10-20 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
    - c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-11-30 10:04]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uStart Page = about:blank
    mStart Page = hxxp://www.google.com
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    DPF: {D1792F99-AA90-4D46-8B73-2CE45DADDD3C} - hxxp://www.web-a-file.com/webafiledownloader.cab
    FF - ProfilePath - c:\documents and settings\carlos\Application Data\Mozilla\Firefox\Profiles\m67w9brq.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://startsear.ch/?aff=2&src=sp&cf=06bca87a-2e5e-11e1-81bc-0014a5746f9d&q=
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-02-12 18:40
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????$????`???? ???B?????????????hLC? ??????
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,36,ee,95,f2,d4,80,46,4a,86,aa,f6,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,36,ee,95,f2,d4,80,46,4a,86,aa,f6,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(848)
    c:\windows\system32\Ati2evxx.dll
    .
    - - - - - - - > 'explorer.exe'(2220)
    c:\windows\system32\WININET.dll
    c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
    c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
    c:\windows\system32\ConnAPI.DLL
    c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_spa-co.nlr
    c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
    c:\program files\McAfee\Common Framework\FrameworkService.exe
    c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
    c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    c:\program files\McAfee\Common Framework\naPrdMgr.exe
    c:\program files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
    c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
    c:\windows\system32\wscntfy.exe
    c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
    c:\program files\McAfee\Common Framework\McTray.exe
    c:\progra~1\hpq\Shared\HPQTOA~1.EXE
    c:\program files\Common Files\PCSuite\Services\ServiceLayer.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
    .
    **************************************************************************
    .
    Completion time: 2012-02-12 18:48:03 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-02-13 00:47
    ComboFix2.txt 2012-02-11 08:16
    .
    Pre-Run: 15,581,986,816 bytes free
    Post-Run: 15,763,591,168 bytes free
    .
    - - End Of File - - B19D8FCC5F57608C999F11959A31637E
  20. Broni

    Broni Malware Annihilator Posts: 45,279   +243

    OK, the infection won't let us replace those infected files while in Windows so we have to use another way.

    Let's see if we can look at your computer booting from an external source.

    Please download OTLPE (filesize 120,9 MB)

    • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
    • Reboot your system using the boot CD you just created.
      • Note: If you do not know how to set your computer to boot from CD, follow the steps here
    • Your system should now display a REATOGO-X-PE desktop.
    • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
    • Double-click on the OTLPE icon.
    • When asked Do you wish to load the remote registry, select Yes
    • When asked Do you wish to load remote user profile(s) for scanning, select Yes
    • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
    • OTL should now start.
    • Under the Custom Scan box paste this in:

      /md5start
      explorer.exe
      winlogon.exe
      userinit.exe
      svchost.exe
      /md5stop

    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to your USB drive if you do not have internet connection on this system
    • Please post the contents of the OTL.txt file in your reply.

    P.S. I'll be gone for a couple of hours, so I'll check on you later or tomorrow.
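The point of the /md5start ... /md5stop block above is to hash the core Windows binaries from outside the running (infected) system and compare them with known-good values. The script below is an added example of that check, not OTL's or Broni's code: it hashes the same four files on a mounted offline volume and reports each as OK, MISMATCH or MISSING against a baseline you supply. The Windows XP file locations, the baseline digests and the placeholder "binaries" it builds for the demo are all constructed assumptions; a real baseline must come from a trusted source such as a clean install of the same service pack.

```python
"""Offline integrity check for the core Windows binaries that the OTL custom
scan hashes (explorer.exe, winlogon.exe, userinit.exe, svchost.exe).
Added example, not OTL's code. Run it from boot media against the mounted
system volume so the infection cannot interfere with the reads."""
import hashlib
import os
import tempfile

# The same four files Broni's /md5start ... /md5stop block lists.
CORE_FILES = ["explorer.exe", "winlogon.exe", "userinit.exe", "svchost.exe"]

# Assumed Windows XP layout under the mounted system root.
CORE_PATHS = {
    "explorer.exe": os.path.join("WINDOWS", "explorer.exe"),
    "winlogon.exe": os.path.join("WINDOWS", "system32", "winlogon.exe"),
    "userinit.exe": os.path.join("WINDOWS", "system32", "userinit.exe"),
    "svchost.exe": os.path.join("WINDOWS", "system32", "svchost.exe"),
}


def hash_file(path, algo="md5", chunk=1 << 16):
    """Hex digest of a file, read in chunks so large binaries fit in memory.
    MD5 is used because that is what OTL reports; swap in sha256 if you
    have a SHA-256 baseline."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


def verify_core_files(system_root, baseline, algo="md5"):
    """Compare each core file under system_root with baseline {name: digest}.

    Returns {name: (status, actual_digest_or_None)} where status is one of
    "OK", "MISMATCH" (patched/replaced file), "MISSING" (deleted file) or
    "NO_BASELINE" (nothing to compare against)."""
    results = {}
    for name in CORE_FILES:
        path = os.path.join(system_root, CORE_PATHS[name])
        if not os.path.isfile(path):
            results[name] = ("MISSING", None)
            continue
        actual = hash_file(path, algo)
        expected = baseline.get(name)
        if expected is None:
            results[name] = ("NO_BASELINE", actual)
        elif actual == expected.upper():
            results[name] = ("OK", actual)
        else:
            results[name] = ("MISMATCH", actual)
    return results


def build_demo_volume():
    """Construct a fake offline volume with placeholder files (NOT real
    Windows binaries) so the check can be exercised without a PE boot.
    userinit.exe is deliberately altered and svchost.exe is absent."""
    root = tempfile.mkdtemp(prefix="offline_c_")
    os.makedirs(os.path.join(root, "WINDOWS", "system32"))
    clean = {name: b"GOOD " + name.encode() + b" placeholder" for name in CORE_FILES}
    on_disk = dict(clean)
    on_disk["userinit.exe"] = b"PATCHED userinit.exe placeholder"  # simulated infection
    del on_disk["svchost.exe"]                                      # simulated deletion
    for name, data in on_disk.items():
        with open(os.path.join(root, CORE_PATHS[name]), "wb") as f:
            f.write(data)
    # Baseline = digests of the clean versions (constructed for the demo).
    baseline = {name: hashlib.md5(data).hexdigest() for name, data in clean.items()}
    return root, baseline


def run_demo():
    """Build the demo volume and return the verification results."""
    root, baseline = build_demo_volume()
    return verify_core_files(root, baseline)


if __name__ == "__main__":
    for name, (status, digest) in run_demo().items():
        print(f"{name:14} {status:12} {digest or '-'}")
```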
  21. evilcaterpillar

    evilcaterpillar Newcomer, in training Topic Starter Posts: 57

    Thanks man, no worries, I know we all have a life.

    Here is the log:

    OTL logfile created on: 2/13/2012 12:01:29 AM - Run
    OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
    Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    894.00 Mb Total Physical Memory | 685.00 Mb Available Physical Memory | 77.00% Memory free
    806.00 Mb Paging File | 720.00 Mb Available in Paging File | 89.00% Paging File free
    Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 67.11 Gb Total Space | 14.41 Gb Free Space | 21.47% Space Free | Partition Type: NTFS
    Drive D: | 7.39 Gb Total Space | 0.83 Gb Free Space | 11.24% Space Free | Partition Type: FAT32
    Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: REATOGO | User Name: SYSTEM
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
    Using ControlSet: ControlSet001

    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Disabled] -- -- (HidServ)
    SRV - File not found [On_Demand] -- -- (AppMgmt)
    SRV - [2011/07/07 19:31:08 | 000,195,336 | ---- | M] (Microsoft Corporation.) [On_Demand] -- C:\Program Files\Microsoft\BingBar\BBSvc.EXE -- (BBSvc)
    SRV - [2011/06/15 17:33:20 | 000,249,648 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE -- (BBUpdate)
    SRV - [2009/09/03 11:53:00 | 000,048,368 | ---- | M] (NOS Microsystems Ltd.) [On_Demand] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus(R)
    SRV - [2007/08/31 12:49:50 | 000,243,064 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe -- (Programador de LiveUpdate automático)
    SRV - [2007/08/31 12:49:50 | 000,243,064 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler)
    SRV - [2007/08/23 07:35:24 | 003,192,184 | ---- | M] (Symantec Corporation) [On_Demand] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE -- (LiveUpdate)
    SRV - [2007/03/12 10:22:00 | 000,517,768 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe -- (LiveUpdate Notice Service)
    SRV - [2007/01/04 16:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
    SRV - [2006/11/30 09:50:00 | 000,144,960 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe -- (McShield)
    SRV - [2006/11/30 09:50:00 | 000,054,872 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe -- (McTaskManager)
    SRV - [2006/11/17 14:37:44 | 000,104,000 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
    SRV - [2006/04/12 12:36:56 | 000,176,640 | ---- | M] (Nokia.) [On_Demand] -- C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe -- (ServiceLayer)
    SRV - [2005/04/06 16:53:02 | 000,163,840 | ---- | M] (Adobe Systems Incorporated) [Auto] -- C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe -- (Adobe Version Cue CS2)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
    DRV - File not found [Kernel | On_Demand] -- -- (SymIMMP)
    DRV - File not found [Kernel | On_Demand] -- -- (SymIM)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
    DRV - File not found [Kernel | System] -- -- (PCIDump)
    DRV - File not found [Kernel | On_Demand] -- -- (NSNDIS5)
    DRV - File not found [Kernel | System] -- -- (lbrtfdc)
    DRV - File not found [Kernel | System] -- -- (i2omgmt)
    DRV - File not found [Kernel | System] -- -- (Changer)
    DRV - File not found [Kernel | On_Demand] -- -- (catchme)
    DRV - [2009/11/03 14:21:56 | 000,025,216 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\tap0901.sys -- (tap0901)
    DRV - [2008/04/13 13:53:09 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
    DRV - [2007/08/31 03:00:00 | 000,395,312 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
    DRV - [2006/12/13 17:31:56 | 000,087,040 | ---- | M] (Cmotech Co.,Ltd) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\cmusbser.sys -- (cmusbser)
    DRV - [2006/11/30 09:50:00 | 000,168,776 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
    DRV - [2006/11/30 09:50:00 | 000,072,264 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
    DRV - [2006/11/30 09:50:00 | 000,064,360 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
    DRV - [2006/11/30 09:50:00 | 000,052,136 | ---- | M] (McAfee, Inc.) [Kernel | System] -- C:\WINDOWS\system32\drivers\mfetdik.sys -- (mfetdik)
    DRV - [2006/11/30 09:50:00 | 000,034,152 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
    DRV - [2006/11/30 09:50:00 | 000,031,944 | ---- | M] (McAfee, Inc.) [Kernel | System] -- C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys -- (mferkdk)
    DRV - [2006/11/17 11:21:01 | 000,094,064 | ---- | M] (MCCI) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\k510mdm.sys -- (k510mdm)
    DRV - [2006/11/17 11:21:01 | 000,085,408 | ---- | M] (MCCI) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\k510mgmt.sys -- (k510mgmt) Sony Ericsson K510 USB WMC Device Management Drivers (WDM)
    DRV - [2006/11/17 11:21:01 | 000,083,344 | ---- | M] (MCCI) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\k510obex.sys -- (k510obex)
    DRV - [2006/11/17 11:21:00 | 000,058,288 | ---- | M] (MCCI) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\k510bus.sys -- (k510bus) Sony Ericsson K510 Driver driver (WDM)
    DRV - [2006/11/17 11:21:00 | 000,008,336 | ---- | M] (MCCI) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\k510mdfl.sys -- (k510mdfl)
    DRV - [2006/03/24 09:32:00 | 000,127,488 | ---- | M] (Nokia) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nmwcd.sys -- (Nokia USB Phone Parent)
    DRV - [2006/03/24 09:32:00 | 000,013,312 | ---- | M] (Nokia) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nmwcdcj.sys -- (Nokia USB Port)
    DRV - [2006/03/24 09:32:00 | 000,013,312 | ---- | M] (Nokia) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nmwcdcm.sys -- (Nokia USB Modem)
    DRV - [2006/03/24 09:32:00 | 000,008,704 | ---- | M] (Nokia) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nmwcdc.sys -- (Nokia USB Generic)
    DRV - [2005/11/28 04:35:38 | 000,424,320 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
    DRV - [2005/11/10 17:51:00 | 001,396,224 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
    DRV - [2005/09/30 06:11:00 | 000,078,720 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
    DRV - [2005/09/20 05:30:56 | 000,162,432 | ---- | M] (Texas Instruments) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)
    DRV - [2005/08/22 04:06:00 | 001,035,008 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
    DRV - [2005/08/22 04:06:00 | 000,718,464 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
    DRV - [2005/08/22 04:06:00 | 000,231,424 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSFHWATI.sys -- (HSFHWATI)
    DRV - [2005/08/18 03:22:54 | 000,056,648 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
    DRV - [2005/08/02 05:00:00 | 000,349,312 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\camc6hal.sys -- (CAMCHALA)
    DRV - [2005/08/02 04:58:00 | 000,038,016 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\camc6aud.sys -- (CAMCAUD)
    DRV - [2005/05/05 13:04:08 | 000,007,936 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | System] -- C:\WINDOWS\system32\drivers\eabfiltr.sys -- (eabfiltr)
    DRV - [2005/05/05 13:04:04 | 000,005,760 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\EabUsb.sys -- (eabusb)
    DRV - [2005/03/09 18:53:00 | 000,036,352 | ---- | M] (Advanced Micro Devices) [Kernel | System] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
    DRV - [2003/09/24 11:23:50 | 000,013,184 | ---- | M] (WildPackets, Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\PEEK5.SYS -- (PEEK5)
    DRV - [2002/12/05 16:58:58 | 000,239,488 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\snpp106.sys -- (SNPP106) PC Camera (6029 CIF)
    DRV - [2001/08/17 15:10:28 | 000,035,913 | ---- | M] (SMC) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com


    IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = about:blank
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
    FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0:
    FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.3: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8081.0709: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@veetle.com/veetleCorePlugin,version=0.9.18: C:\Program Files\Veetle\plugins\npVeetle.dll (Veetle Inc)
    FF - HKLM\Software\MozillaPlugins\@veetle.com/veetlePlayerPlugin,version=0.9.18: C:\Program Files\Veetle\Player\npvlc.dll (Veetle Inc)
    FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll ()
    FF - HKLM\Software\MozillaPlugins\yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1: File not found

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\html5video [2011/05/23 00:08:06 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{6904342A-8307-11DF-A508-4AE2DFD72085}: C:\Program Files\DivX\DivX Plus Web Player\firefox\wpa [2011/05/23 00:08:06 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/19 19:39:02 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/12/24 13:35:33 | 000,000,000 | ---D | M]

    [2011/11/28 20:10:05 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2012/01/19 19:39:01 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
    [2010/09/15 05:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
    [2007/04/16 12:07:12 | 000,180,293 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npViewpoint.dll
    [2011/10/27 08:45:50 | 000,083,456 | ---- | M] (LiveVDO ) -- C:\Program Files\mozilla firefox\plugins\npvsharetvplg.dll
    [2012/01/19 19:38:52 | 000,004,080 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\drae.xml
    [2012/01/19 19:38:52 | 000,002,470 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\mercadolibre-ar.xml
    [2012/01/19 19:38:52 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-es.xml
    [2012/01/19 19:38:52 | 000,000,838 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-ar.xml

    O1 HOSTS File: ([2012/02/12 19:39:37 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (FGCatchUrl) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll (www.flashget.com)
    O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
    O2 - BHO: (DivX HiQ) - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
    O2 - BHO: (Yahoo! IE Suggest) - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\Search\YSearchSuggest.dll (Yahoo! Inc.)
    O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.
    O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\ScriptCl.dll (McAfee, Inc.)
    O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
    O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
    O2 - BHO: (FlashGet GetFlash Class) - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll (www.flashget.com)
    O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O4 - HKLM..\Run: [Acrobat Assistant 7.0] C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe (Adobe Systems Inc.)
    O4 - HKLM..\Run: [Adobe Version Cue CS2] C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe (Adobe Sytems Incorporated)
    O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
    O4 - HKLM..\Run: [AutoTask] C:\Program Files\AutoTask\AutoTask.exe (Dura Micro, Inc)
    O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\Cpqset.exe ()
    O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
    O4 - HKLM..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe (Hewlett-Packard )
    O4 - HKLM..\Run: [IUSACELL_CDU680] C:\Program Files\IUSACELL\CDU680DORA\Bin\RDVCHG.exe (C-motech Co.,Ltd)
    O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\UdaterUI.exe (McAfee, Inc.)
    O4 - HKLM..\Run: [OpwareSE2] C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe (ScanSoft, Inc.)
    O4 - HKLM..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe (Nokia)
    O4 - HKLM..\Run: [RecGuard] C:\WINDOWS\SMINST\Recguard.exe ()
    O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
    O4 - HKU\.DEFAULT..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10e.exe (Adobe Systems, Inc.)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Development Company, L.P.)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Inicio rápido de Adobe Acrobat.lnk = C:\WINDOWS\Installer\{AC76BA86-1034-4700-7760-100000000002}\SC_Acrobat.exe ()
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
    O9 - Extra Button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe (FlashGet.com)
    O9 - Extra 'Tools' menuitem : FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe (FlashGet.com)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Microsoft Office Template and Media Control)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} https://webdl.symantec.com/activex/symdlmgr.cab (Symantec Download Manager)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {D1792F99-AA90-4D46-8B73-2CE45DADDD3C} http://www.web-a-file.com/webafiledownloader.cab (WAFDownloader Class)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.3.1.100 10.3.1.221
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
    O24 - Desktop WallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2001/07/27 23:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
    O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/02/12 21:30:03 | 000,000,000 | -HSD | C] -- C:\WINDOWS\system32\config\systemprofile\Cookies
    [2012/02/12 19:15:00 | 000,000,000 | ---D | C] -- C:\ComboFix
    [2012/02/11 02:32:27 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2012/02/11 02:28:13 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2012/02/11 02:28:13 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2012/02/11 02:28:13 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2012/02/11 02:28:13 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2012/02/11 02:28:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2012/02/11 02:27:58 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/02/10 20:30:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\system32\config\systemprofile\Application Data\Sun
    [2012/02/09 20:44:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/02/09 20:43:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2012/02/09 20:43:54 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2012/02/09 20:43:53 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2012/02/02 20:42:43 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
    [2012/02/02 20:42:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    [2012/01/31 20:56:13 | 000,000,000 | ---D | C] -- C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia
    [2012/01/31 20:30:54 | 000,000,000 | ---D | C] -- C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe
    [2012/01/31 20:29:13 | 000,000,000 | ---D | C] -- C:\WINDOWS\system32\config\systemprofile\Application Data\Google
    [2012/01/31 20:27:59 | 000,000,000 | -HSD | C] -- C:\WINDOWS\system32\config\systemprofile\PrivacIE
    [2010/02/26 19:53:29 | 002,110,728 | ---- | C] (Facebook, Inc.) -- C:\Program Files\Install_Facebook_Plug-In_1.0.3.exe
    [2005/09/24 03:49:16 | 000,012,288 | ---- | C] (Hewlett-Packard Development Company, L.P.) -- C:\WINDOWS\Fonts\RandFont.dll
    [4 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]
    [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/02/13 00:48:34 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2012/02/13 00:38:09 | 000,001,020 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    [2012/02/13 00:38:07 | 000,001,024 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    [2012/02/12 23:38:01 | 000,002,359 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Inicio rápido de Adobe Acrobat.lnk
    [2012/02/12 23:37:57 | 000,000,297 | ---- | M] () -- C:\hpqp.ini
    [2012/02/12 23:37:56 | 000,000,039 | ---- | M] () -- C:\XP_TV.ini
    [2012/02/12 23:37:39 | 937,676,800 | -HS- | M] () -- C:\hiberfil.sys
    [2012/02/12 19:40:56 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2012/02/12 19:39:37 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2012/02/12 19:34:30 | 001,058,816 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    [2012/02/11 02:32:40 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2012/02/10 20:33:04 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2012/02/09 20:44:12 | 000,000,799 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/02/09 20:44:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/02/03 15:23:19 | 000,441,096 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120209-174051.backup
    [2012/02/03 14:36:11 | 000,007,072 | ---- | M] () -- C:\WINDOWS\carlos8.xlb
    [2012/02/02 22:00:26 | 000,004,054 | ---- | M] () -- C:\WINDOWS\WININIT.INI
    [4 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]
    [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/02/11 02:32:40 | 000,000,211 | ---- | C] () -- C:\Boot.bak
    [2012/02/11 02:32:31 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2012/02/11 02:28:13 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2012/02/11 02:28:13 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2012/02/11 02:28:13 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2012/02/11 02:28:13 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2012/02/11 02:28:13 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2012/02/09 20:44:12 | 000,000,799 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/02/09 19:10:46 | 937,676,800 | -HS- | C] () -- C:\hiberfil.sys
    [2011/11/22 00:32:40 | 000,163,444 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
    [2010/01/14 10:10:16 | 000,000,215 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
    [2009/12/15 18:03:19 | 000,000,943 | ---- | C] () -- C:\WINDOWS\TATCALL.INI
    [2009/12/15 18:03:19 | 000,000,020 | ---- | C] () -- C:\WINDOWS\TATVER.INI
    [2009/12/15 18:03:18 | 000,000,260 | ---- | C] () -- C:\WINDOWS\TATUNINS.INI
    [2008/05/22 17:22:18 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
    [2007/12/21 22:07:30 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2007/11/25 15:44:22 | 000,000,280 | ---- | C] () -- C:\WINDOWS\System32\epoPGPsdk.dll.sig
    [2007/06/07 21:37:36 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
    [2006/08/04 00:47:11 | 000,001,943 | ---- | C] () -- C:\WINDOWS\mozver.dat
    [2006/07/23 23:17:35 | 000,001,747 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
    [2006/07/15 13:52:50 | 000,008,704 | ---- | C] () -- C:\WINDOWS\System32\CNMVS7K.DLL
    [2006/07/15 13:49:08 | 000,000,532 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
    [2006/05/15 00:14:58 | 000,000,551 | ---- | C] () -- C:\WINDOWS\CClient.ini
    [2006/05/13 21:21:12 | 000,007,917 | ---- | C] () -- C:\WINDOWS\extend.dat
    [2006/05/13 17:37:37 | 000,000,617 | ---- | C] () -- C:\WINDOWS\videoimp.ini
    [2006/05/13 17:37:27 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
    [2006/05/13 17:04:26 | 000,120,874 | ---- | C] () -- C:\WINDOWS\usnpp106.exe
    [2006/05/13 17:04:26 | 000,028,672 | ---- | C] () -- C:\WINDOWS\vsnpp106.exe
    [2006/05/13 17:04:26 | 000,015,494 | ---- | C] () -- C:\WINDOWS\snpp106.ini
    [2006/05/13 17:04:25 | 000,239,488 | ---- | C] () -- C:\WINDOWS\System32\drivers\snpp106.sys
    [2006/05/13 17:04:25 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\dsnpp106.dll
    [2006/05/13 17:04:25 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\vsnpp106.dll
    [2006/05/13 17:04:25 | 000,020,480 | ---- | C] () -- C:\WINDOWS\dsnpp106.exe
    [2006/05/10 00:27:26 | 000,056,320 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll
    [2006/05/10 00:15:21 | 000,000,032 | ---- | C] () -- C:\WINDOWS\CD_Start.INI
    [2006/05/08 20:46:11 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\FileOps.exe
    [2006/05/08 08:16:49 | 000,000,022 | ---- | C] () -- C:\WINDOWS\exchng.ini
    [2006/05/06 22:05:58 | 000,000,737 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2006/04/29 20:36:46 | 000,000,128 | ---- | C] () -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\fusioncache.dat
    [2006/02/16 05:39:42 | 000,000,166 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
    [2006/02/16 05:36:04 | 000,000,698 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.ini
    [2006/02/16 05:36:03 | 000,045,929 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.EXE
    [2006/02/16 05:19:18 | 000,004,054 | ---- | C] () -- C:\WINDOWS\WININIT.INI
    [2006/02/16 05:04:54 | 000,028,836 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
    [2006/02/16 05:02:30 | 000,087,275 | ---- | C] () -- C:\WINDOWS\hpqins69.dat
    [2005/12/02 05:09:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
    [2005/11/08 12:49:00 | 000,112,456 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
    [2004/10/04 20:08:00 | 000,055,808 | ---- | C] () -- C:\WINDOWS\System32\zlib1.dll
    [2004/08/07 08:16:54 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2004/08/07 08:16:44 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
    [2004/08/07 08:10:30 | 000,442,782 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2004/08/07 08:10:30 | 000,072,360 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2004/08/07 08:10:08 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
    [2004/08/07 08:02:54 | 000,763,712 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2004/08/07 07:57:54 | 000,004,346 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2004/08/07 07:54:58 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2004/08/04 03:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2004/08/04 03:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2004/08/04 03:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2004/08/04 03:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2004/08/04 03:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2004/08/04 03:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2004/08/04 03:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
    [2004/08/04 03:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
    [2003/08/07 15:01:52 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
    [2002/05/28 03:55:42 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2002/05/28 03:54:40 | 000,004,605 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [1996/12/19 00:00:00 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\WRKGADM.EXE
    [1996/12/19 00:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\ODBCSTF.DLL
    [1996/12/19 00:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
    [1996/12/19 00:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL
    [1996/12/19 00:00:00 | 000,011,776 | ---- | C] () -- C:\WINDOWS\System32\VAES232.DLL

    ========== LOP Check ==========

    [2008/10/12 23:05:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\acccore
    [2011/12/01 22:02:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Aiseesoft Studio
    [2006/07/15 13:52:59 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
    [2009/02/16 21:15:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
    [2006/02/16 05:38:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\muvee Technologies
    [2009/02/16 21:16:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Suite
    [2007/05/27 23:53:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
    [2006/07/15 13:49:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SSScanAppDataDir
    [2006/07/15 13:49:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SSScanWizard
    [2008/10/12 23:05:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
    [2011/11/28 00:35:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    [2010/02/18 20:50:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    [2011/10/20 17:42:50 | 000,001,014 | -H-- | M] () -- C:\WINDOWS\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job

    ========== Purity Check ==========



    ========== Custom Scans ==========



    < MD5 for: EXPLORER.EXE >
    [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
    [2012/02/12 19:34:30 | 001,058,816 | ---- | M] (Microsoft Corporation) MD5=67DAEC80394AE629F51E86770F34A38B -- C:\WINDOWS\explorer.exe
    [2007/06/13 06:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
    [2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
    [2004/08/04 03:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtUninstallKB938828$\explorer.exe

    < MD5 for: SVCHOST.EXE >
    [2008/04/13 19:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe
    [2012/01/13 15:53:20 | 000,182,856 | ---- | M] () MD5=63EEC8A8B221AB79045E776E5F592868 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe
    [2008/04/13 19:12:08 | 000,039,936 | ---- | M] (Microsoft Corporation) MD5=7C4EFFFEC2A73C88EBBFFDBCD369CDE6 -- C:\WINDOWS\system32\svchost.exe
    [2004/08/04 03:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\$NtServicePackUninstall$\svchost.exe

    < MD5 for: USERINIT.EXE >
    [2004/08/04 03:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
    [2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ERDNT\cache\userinit.exe
    [2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
    [2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

    < MD5 for: WINLOGON.EXE >
    [2004/08/04 03:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
    [2012/01/13 15:53:20 | 000,182,856 | ---- | M] () MD5=63EEC8A8B221AB79045E776E5F592868 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
    [2008/04/13 19:12:08 | 000,545,280 | ---- | M] (Microsoft Corporation) MD5=D8B309610E34D4E2BFA93CAC940B8317 -- C:\WINDOWS\system32\winlogon.exe
    [2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 270784 bytes -> C:\WINDOWS\Temp:temp
    < End of report >
  22. evilcaterpillar

    evilcaterpillar Newcomer, in training Topic Starter Posts: 57

    One more thing,
    Right before I downloaded OTLPE the computer was really slow and my AV sent a warning about a virus named FakeAlert-SecurityTool.ea
    Thanks for your time

    Carlos
  23. Broni

    Broni Malware Annihilator Posts: 45,279   +243

    Those files seem to be OK, but we'd better double-check.

    Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files and folders, UN-check Hide protected operating system files.
    NOTE. Make sure to reverse the above changes, when done with this step.
    Upload following files to http://www.virustotal.com/ for security check:
    - c:\windows\explorer.exe
    - c:\windows\system32\svchost.exe
    - c:\windows\system32\winlogon.exe
    IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
    Post scan results.
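    A way to do the same cross-check offline before uploading anything, as an added example that is not part of this thread and not OTL code: the script below parses the `< MD5 for: ... >` blocks from the OTL log above (copied in as the sample input) and compares the loaded copy of each binary against every Windows-owned reference copy the log lists (ServicePackFiles\i386, $NtServicePackUninstall$, $hf_mig$, $NtUninstallKB..., ERDNT\cache). The list of reference directories and the verdict names are my assumptions, not anything OTL emits. A live copy whose MD5 matches none of those copies, and which is tens of KB larger than the SP3 copy, is the one to put on VirusTotal; a mismatch on its own is not proof, because a post-SP hotfix also produces a unique MD5 (the KB938828 explorer.exe copies in $hf_mig$ show that), which is why the script matches against all Windows-owned copies rather than only the ServicePackFiles one. The Malwarebytes Chameleon svchost.exe and winlogon.exe entries (identical MD5, no company name, under Program Files) are neither live nor reference copies and are ignored.

```python
"""Cross-check OTL's "< MD5 for: NAME >" blocks: does the loaded copy of each system
binary match any Windows-owned reference copy recorded in the same log?  A copy that
matches none of them is the one to upload to VirusTotal.  (Added example, not OTL code.)"""
import re
from collections import defaultdict

# Constructed sample input: the four MD5 blocks copied from the OTL log in this thread.
OTL_MD5_SECTION = r"""
< MD5 for: EXPLORER.EXE >
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2012/02/12 19:34:30 | 001,058,816 | ---- | M] (Microsoft Corporation) MD5=67DAEC80394AE629F51E86770F34A38B -- C:\WINDOWS\explorer.exe
[2007/06/13 06:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
[2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
[2004/08/04 03:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtUninstallKB938828$\explorer.exe

< MD5 for: SVCHOST.EXE >
[2008/04/13 19:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2012/01/13 15:53:20 | 000,182,856 | ---- | M] () MD5=63EEC8A8B221AB79045E776E5F592868 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe
[2008/04/13 19:12:08 | 000,039,936 | ---- | M] (Microsoft Corporation) MD5=7C4EFFFEC2A73C88EBBFFDBCD369CDE6 -- C:\WINDOWS\system32\svchost.exe
[2004/08/04 03:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\$NtServicePackUninstall$\svchost.exe

< MD5 for: USERINIT.EXE >
[2004/08/04 03:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
[2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ERDNT\cache\userinit.exe
[2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

< MD5 for: WINLOGON.EXE >
[2004/08/04 03:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2012/01/13 15:53:20 | 000,182,856 | ---- | M] () MD5=63EEC8A8B221AB79045E776E5F592868 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2008/04/13 19:12:08 | 000,545,280 | ---- | M] (Microsoft Corporation) MD5=D8B309610E34D4E2BFA93CAC940B8317 -- C:\WINDOWS\system32\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
"""

HEADER_RE = re.compile(r"^< MD5 for: (?P<name>\S+) >$")
ENTRY_RE = re.compile(
    r"^\[(?P<mtime>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| [^|]* \| M\] "
    r"\((?P<company>[^)]*)\) MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>.+)$")

# Assumption: directories where XP keeps pristine or pre-update copies of its own binaries.
REFERENCE_DIRS = (r"\servicepackfiles\i386", r"\$ntservicepackuninstall$", r"\$hf_mig$",
                  r"\$ntuninstallkb", r"\erdnt\cache")


def is_reference_copy(path):
    p = path.lower()   # only copies under C:\WINDOWS count; Program Files copies do not
    return p.startswith("c:\\windows\\") and any(d in p for d in REFERENCE_DIRS)


def is_live_copy(name, path):
    p = path.lower()   # the copy Windows actually loads (explorer.exe lives in C:\WINDOWS)
    return p in ("c:\\windows\\" + name, "c:\\windows\\system32\\" + name)


def parse_md5_section(text):
    """Return {binary_name: [entry dicts]} from the '< MD5 for: NAME >' blocks."""
    blocks, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER_RE.match(line):
            current = m["name"].lower()
        elif current and (m := ENTRY_RE.match(line)):
            e = m.groupdict()
            e["size"] = int(e["size"].replace(",", ""))
            e["md5"] = e["md5"].upper()
            blocks[current].append(e)
    return blocks


def check_binary(name, entries):
    """Verdict for one binary: MD5 of the live copy vs. every reference copy in the log."""
    live = [e for e in entries if is_live_copy(name, e["path"])]
    refs = [e for e in entries if is_reference_copy(e["path"])]
    if not live:
        return {"name": name, "verdict": "NO_LIVE_COPY"}
    live = live[0]
    matches = [r["path"] for r in refs if r["md5"] == live["md5"]]
    sp = next((r for r in refs if r"\servicepackfiles\i386" in r["path"].lower()), None)
    return {"name": name, "md5": live["md5"], "mtime": live["mtime"], "size": live["size"],
            "size_delta_vs_sp": live["size"] - sp["size"] if sp else None,
            "matching_copies": matches,
            "verdict": "MATCHES_KNOWN_COPY" if matches else "UNKNOWN_MD5_UPLOAD_TO_VIRUSTOTAL"}


def triage(text):
    return {n: check_binary(n, es) for n, es in parse_md5_section(text).items()}


if __name__ == "__main__":
    for n, r in triage(OTL_MD5_SECTION).items():
        print(f"{n:13} {r['verdict']:33} md5={r.get('md5')} mtime={r.get('mtime')} "
              f"+{r.get('size_delta_vs_sp')} bytes vs SP3 copy")
```

    Run against the log above it flags explorer.exe, svchost.exe and winlogon.exe as UNKNOWN_MD5 (each roughly 25 to 37 KB larger than its SP3 copy, and explorer.exe modified 2012/02/12, inside the 30-day window) while userinit.exe matches both the ServicePackFiles and ERDNT\cache copies. That is the same three-file shortlist the VirusTotal upload is meant to settle.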
  24. evilcaterpillar

    evilcaterpillar Newcomer, in training Topic Starter Posts: 57

    Damn virus, still infected...

    #Bamital #infected

    more info see http://www.kernelmode.info/forum/viewtopic.php?f=16&p=11413#p11413
    Posted 1 week, 3 days ago by EP_X0FF
    XP SP3 explorer.exe infected with Bamital.Q. Winlogon.exe and svchost.exe are also infected. #7c4efffec2a73c88ebbffdbcd369cde6 #d8b309610e34d4e2bfa93cac940b8317 #malware #bamital #patched

    When I did the OTLPE scan, it was just the scan, I didn't click the FIX button, was that correct?
  25. Broni

    Broni Malware Annihilator Posts: 45,279   +243

    I need to see full scan results.

