Solved Virus Problem (Black Internet rootkit)

Discussion in 'Malware and Virus Removal Archive' started by Pete, 2010/06/20.

  1. 2010/06/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    HelpAssistant is a different kind of rootkit and we tried Bootkit Remover already. It didn't work.

    At this point, you can turn system restore on, because it doesn't matter.

    I'm pretty sure the rootkit is causing the BSOD, preventing you from booting to recovery console.

    I have another idea...
    Let's see, if we can reinstall recovery console.

    Uninstall recovery console first: http://www.theeldergeek.com/recovery_console.htm (scroll almost all the way down)
    Restart computer.

    Now, let's try to install it again.

    Go to Microsoft's website => http://support.microsoft.com/kb/310994

    Select the download that's appropriate for your Operating System



    Download the file & save it as it's originally named.


    ---------------------------------------------------------------------

    Transfer all files you just downloaded, to the desktop of the infected computer.

    --------------------------------------------------------------------


    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.



    • Drag the setup package onto ComboFix.exe and drop it.

    • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.




    • At the next prompt, click 'Yes' to run the full ComboFix scan.

      Restart computer and try to access recovery console again.
     
  2. 2010/06/26
    Pete

    Pete Inactive Thread Starter

    Joined:
    2010/06/20
    Messages:
    73
    Likes Received:
    0
    Still running scan as I write this, about 60 % done.
     

  4. 2010/06/26
    broni

    broni Moderator Malware Analyst

    OK. Let me know....
     
  5. 2010/06/26
    Pete

    Pete Inactive Thread Starter

    I'm sorry. I've been extremely busy, going through a lot of **** and replied very late most of the time.

    I will post with updates later.
    Let's get this nasty virus :)
     
  6. 2010/06/26
    Pete

    Pete Inactive Thread Starter

    Update :

    I've run Sophos and it found 5 items. All of which are NOT recommended to clean.
    So I did nothing.

    Will post with more updates in the morning.
     
  7. 2010/06/27
    Pete

    Pete Inactive Thread Starter

    I am not able to delete the cmdcons folder.

    I get error :
    Cannot delete 1394BUS.SY_:Access is denied

    Make sure the disk is not full or write protected
    and that the file is not currently in use.

    What should i do now ?
     
  8. 2010/06/27
    broni

    broni Moderator Malware Analyst

    First of all, don't worry about the above. We all have our private lives :)

    Now, I'm not sure what exactly you're trying to do now:
    ...and, I'd like to see Sophos log.

    Did you try to reinstall recovery console yet?
     
  9. 2010/06/27
    Pete

    Pete Inactive Thread Starter

    That's what I'm trying about the recovery console. I'm following the uninstall directions you've provided in that link.

    Sophos Log : ( like I said, none of these were recommended to clean up )


    Sophos Anti-Rootkit Version 1.5.4 (c) 2009 Sophos Plc
    Started logging on 6/26/2010 at 22:15:08 PM
    User "Pete" on computer "---------- "
    Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
    Info: Starting process scan.
    Info: Starting registry scan.
    Info: Starting disk scan of C: (NTFS).
    Hidden: file C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\TP47V3US\index[1].htm
    Hidden: file C:\WINDOWS\Temp\~DF6F14.tmp
    Hidden: file C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\MIP85ONB\st[5]
    Hidden: file C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\MIP85ONB\st[6]
    Hidden: file C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\26RBS5A3\iframe3[4].htm
    Hidden: file C:\WINDOWS\Temp\fla21.tmp
    Hidden: file C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\MIP85ONB\01[1].htm
    Hidden: file C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\26RBS5A3\ddc[1].htm
    Info: Starting disk scan of D: (NTFS).
    Stopped logging on 6/26/2010 at 21:01:05 PM
     
  10. 2010/06/27
    broni

    broni Moderator Malware Analyst

    I see no issue with removing the above files, since they're all temporary files, but I doubt it'll have any impact on solving your issue.
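
An added example, not part of the thread and not Sophos's own tooling: a small Python triage of the "Hidden:" entries in a Sophos Anti-Rootkit log like the one posted above, separating browser-cache and temp-folder paths from anything that deserves a closer look. The category rules, the function names and the last sample line are assumptions made for illustration.

```python
import ntpath
import re
from collections import Counter

# "Hidden:" lines copied from the Sophos log in this thread; the final
# entry is CONSTRUCTED to show what a non-temp hit looks like.
SAMPLE_LOG = r"""Sophos Anti-Rootkit Version 1.5.4 (c) 2009 Sophos Plc
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\TP47V3US\index[1].htm
Hidden: file C:\WINDOWS\Temp\~DF6F14.tmp
Hidden: file C:\WINDOWS\Temp\fla21.tmp
Hidden: file C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\MIP85ONB\st[5]
Hidden: file C:\WINDOWS\system32\drivers\example_constructed.sys
"""

# "Hidden: <kind> <path>". Only the kind "file" appears in the thread's log;
# any other kind is treated as unknown and sent to review.
HIDDEN_RE = re.compile(r"^\s*Hidden:\s+(\w+)\s+(.+?)\s*$")

# Assumed low-risk locations (matched on the normalised, lower-cased path).
TEMP_RULES = [
    ("ie-cache", re.compile(r"\\temporary internet files\\content\.ie5\\")),
    ("windows-temp", re.compile(r"^[a-z]:\\windows\\temp\\")),
]


def parse_hidden(log_text):
    """Return [(kind, path), ...] for every 'Hidden:' line in the log."""
    entries = []
    for line in log_text.splitlines():
        match = HIDDEN_RE.match(line)
        if match:
            entries.append((match.group(1).lower(), match.group(2)))
    return entries


def classify(kind, path):
    """Name the temp category a hidden item falls in, or 'review'."""
    if kind != "file":
        return "review"
    # Collapse '..' segments first, so a path that merely passes through
    # a temp folder is not mistaken for a file that lives in it.
    norm = ntpath.normpath(path).lower()
    for name, pattern in TEMP_RULES:
        if pattern.search(norm):
            return name
    return "review"


def triage(log_text):
    """Count hidden items per category and list the ones needing review."""
    counts = Counter()
    review = []
    for kind, path in parse_hidden(log_text):
        category = classify(kind, path)
        counts[category] += 1
        if category == "review":
            review.append(path)
    return counts, review


if __name__ == "__main__":
    counts, review = triage(SAMPLE_LOG)
    for category, n in sorted(counts.items()):
        print(f"{category:13} {n}")
    for path in review:
        print("REVIEW:", path)
```
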
     
  11. 2010/06/27
    Pete

    Pete Inactive Thread Starter

    What about uninstalling recovery console ?

    I'm stuck at the step where I can't delete a certain folder.
     
  12. 2010/06/27
    Pete

    Pete Inactive Thread Starter

    Progress !!! :)

    I managed to get into recovery console.
    But it only works with booting from HDD rather than the CD.

    This is what I tried
    I went into BIOS
    disabled flash module, switched to ATA from SATA operation,
    disabled 1394, switched from LAN PXe to LAN only.

    I don't get BSOD. I'm in recovery console
    ( selected no. 1 installation )
    I'm at c:windows. And I typed in fixmbr

    I get a message about computer appears to have a non standard or invalid boot record
    fixmbr may damage ur partition tables if u proceed
    this could cause all the partitions on the current hard disk to become inaccessible
    if u are not having problems accessing your drive do not continue

    Are you sure you want to write new mbr ?

    What should I do ?
     
  13. 2010/06/27
    broni

    broni Moderator Malware Analyst

    Please, proceed. Normally, it's a standard warning and you should be OK.

    However, I feel obligated to tell you, that, if you feel, 1% of a chance of something going wrong is too big risk for you, because you have valuable data there, I suggest, you back up your data first.
    Let me know.
     
  14. 2010/06/27
    Pete

    Pete Inactive Thread Starter

    Seems like it worked. :)
    I don't see any iexplore.exe anymore
    Volume Bar is fine and I don't get pop ups anymore.
    I don't hear any commercials in the background either.

    My attempt :

    I could not reinstall recovery console.
    Like i said i was stuck at a step where it says to delete a certain folder (uninstallation of recovery console) in root directory and it was access denied.

    fixmbr (from where we left off )
    ran successfully
    reboot
    f12 - > changed settings back to normal
    ( ATA to AHCI ( sorry that was AHCI not SATA ) , lan to PXE, flash module enabled, 1394 enabled )
    save reboot
    normal start up.

    Still waiting on your final decision / steps to be declared clean. :)

    However now, I seem to be having a bunch of processes in there which I don't recognize/ would not need,
    Can you please tell me which I can disable on startup ?
    I will try to post a process log
     
    Last edited: 2010/06/27
  15. 2010/06/27
    Pete

    Pete Inactive Thread Starter

    Process Explorer log : ( with command line selected )

    Process PID CPU Private Bytes Working Set Description Company Name Command Line
    System Idle Process 0 93.85 0 K 16 K
    Interrupts n/a 0 K 0 K Hardware Interrupts
    DPCs n/a 0 K 0 K Deferred Procedure Calls
    System 4 0 K 224 K
    smss.exe 624 168 K 396 K Windows NT Session Manager Microsoft Corporation \SystemRoot\System32\smss.exe
    csrss.exe 1120 1,724 K 3,908 K Client Server Runtime Process Microsoft Corporation C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
    winlogon.exe 1468 6,800 K 1,516 K Windows NT Logon Application Microsoft Corporation winlogon.exe
    services.exe 1704 0.77 1,976 K 3,708 K Services and Controller app Microsoft Corporation C:\WINDOWS\system32\services.exe
    nvsvc32.exe 2004 3,228 K 4,728 K NVIDIA Driver Helper Service, Version 185.85 NVIDIA Corporation C:\WINDOWS\system32\nvsvc32.exe
    svchost.exe 372 3,240 K 5,232 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe 664 1,968 K 4,508 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost -k rpcss
    svchost.exe 808 15,400 K 22,576 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\System32\svchost.exe -k netsvcs
    btwdins.exe 880 2,248 K 3,464 K Bluetooth Support Server Broadcom Corporation. "C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe "
    svchost.exe 1236 1,564 K 3,948 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k LocalService
    AvastSvc.exe 1560 9,600 K 23,948 K avast! Service ALWIL Software "C:\Program Files\Alwil Software\Avast5\AvastSvc.exe "
    spoolsv.exe 1692 5,248 K 7,080 K Spooler SubSystem App Microsoft Corporation C:\WINDOWS\system32\spoolsv.exe
    AppleMobileDeviceService.exe 740 1,924 K 2,776 K Apple Mobile Device Service Apple Inc. "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe "
    jqs.exe 1164 2,128 K 1,404 K Java(TM) Quick Starter Service Sun Microsystems, Inc. "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf "
    mdm.exe 1992 984 K 2,976 K Machine Debug Manager Microsoft Corporation "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe "
    svchost.exe 264 2,700 K 4,560 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k imgsvc
    TuneUpUtilitiesService32.exe 440 2,728 K 6,596 K TuneUp Utilities Service TuneUp Software "C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe "
    WDBtnMgrSvc.exe 2244 4,068 K 4,464 K WD Drive Manager Service WDC "C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe "
    IAANTmon.exe 2676 2,412 K 4,372 K RAID Monitor Intel Corporation "C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe "
    alg.exe 3356 1,268 K 3,672 K Application Layer Gateway Service Microsoft Corporation C:\WINDOWS\System32\alg.exe
    lsass.exe 1716 2,368 K 908 K LSA Shell (Export Version) Microsoft Corporation C:\WINDOWS\system32\lsass.exe
    explorer.exe 892 25,624 K 16,208 K Windows Explorer Microsoft Corporation C:\WINDOWS\Explorer.EXE
    WDBtnMgrUI.exe 1360 2,164 K 4,812 K WD Drive Manager WDC "C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe"
    IAAnotif.exe 1648 2,352 K 4,552 K Event Monitor User Notification Tool Intel Corporation "C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe"
    stsystra.exe 140 4,752 K 8,392 K Sigmatel Audio system tray application SigmaTel, Inc. "C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe"
    AvastUI.exe 960 4,148 K 1,880 K avast! Antivirus ALWIL Software "C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe" /nogui
    pg2.exe 1620 15,184 K 1,360 K PeerGuardian 2 Methlabs "C:\Program Files\PeerGuardian2\pg2.exe"
    CursorFx.exe 1644 7,856 K 5,252 K CursorFX Stardock Corporation "C:\Program Files\Stardock\CursorFX\CursorFX.exe"
    firefox.exe 2624 124,440 K 138,620 K Firefox Mozilla Corporation "C:\Program Files\Mozilla Firefox\firefox.exe"
    plugin-container.exe 3060 2.31 35,904 K 39,104 K Plugin Container for Firefox Mozilla Corporation "C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel=2624.6c55320.1857164684 "C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll" 2624 plugin \\.\pipe\gecko-crash-server-pipe.2624
    procexp.exe 1708 3.08 17,312 K 21,848 K Sysinternals Process Explorer Sysinternals - www.sysinternals.com "C:\Documents and Settings\Pete\Desktop\procexp.exe "
     
  16. 2010/06/27
    broni

    broni Moderator Malware Analyst

    Wonderful!

    Run OTL Quick Scan and post fresh log, please.
     
  17. 2010/06/27
    Pete

    Pete Inactive Thread Starter

    OTL quick scan log :

    OTL logfile created on: 6/27/2010 6:00:36 PM - Run 8
    OTL by OldTimer - Version 3.2.6.1 Folder = C:\Documents and Settings\Pete\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 74.00% Memory free
    5.00 Gb Paging File | 5.00 Gb Available in Paging File | 93.00% Paging File free
    Paging file location(s): D:\pagefile.sys 3072 4096 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 50.00 Gb Total Space | 10.44 Gb Free Space | 20.88% Space Free | Partition Type: NTFS
    Drive D: | 61.78 Gb Total Space | 35.34 Gb Free Space | 57.21% Space Free | Partition Type: NTFS
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: ----------
    Current User Name: Pete
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 90 Days
    Output = Standard
    Quick Scan

    ========== Processes (SafeList) ==========

    PRC - [2010/06/23 04:09:48 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Pete\Desktop\OTL.exe
    PRC - [2010/06/23 04:08:10 | 000,014,808 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe
    PRC - [2010/06/23 04:08:07 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
    PRC - [2010/05/06 16:59:42 | 002,815,192 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    PRC - [2010/05/06 16:59:38 | 000,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    PRC - [2010/02/25 05:59:54 | 001,047,880 | ---- | M] (TuneUp Software) -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
    PRC - [2009/06/26 15:56:58 | 000,102,400 | ---- | M] (WDC) -- C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
    PRC - [2009/06/26 15:56:20 | 000,450,560 | ---- | M] (WDC) -- C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
    PRC - [2009/06/04 20:03:32 | 000,186,904 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    PRC - [2009/06/04 20:03:06 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
    PRC - [2008/04/14 08:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2008/02/19 18:59:40 | 000,653,128 | ---- | M] (Stardock Corporation) -- C:\Program Files\Stardock\CursorFX\CursorFx.exe
    PRC - [2007/05/10 10:22:32 | 000,405,504 | ---- | M] (SigmaTel, Inc.) -- C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
    PRC - [2005/09/18 18:40:42 | 001,421,824 | ---- | M] (Methlabs) -- C:\Program Files\PeerGuardian2\pg2.exe


    ========== Modules (SafeList) ==========

    MOD - [2010/06/23 04:09:48 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Pete\Desktop\OTL.exe
    MOD - [2008/04/14 08:40:22 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
    MOD - [2008/02/01 14:46:20 | 000,035,144 | ---- | M] ( ) -- C:\Program Files\Stardock\CursorFX\CurXP0.dll


    ========== Win32 Services (SafeList) ==========

    SRV - [2010/05/06 16:59:38 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
    SRV - [2010/05/06 16:59:38 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
    SRV - [2010/05/06 16:59:38 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
    SRV - [2010/03/30 20:02:09 | 000,435,016 | ---- | M] (TuneUp Software) [On_Demand | Stopped] -- C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe -- (TuneUp.Defrag)
    SRV - [2010/02/25 05:59:54 | 001,047,880 | ---- | M] (TuneUp Software) [Auto | Running] -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe -- (TuneUp.UtilitiesSvc)
    SRV - [2010/02/25 05:56:02 | 000,030,024 | ---- | M] (TuneUp Software) [Auto | Running] -- C:\WINDOWS\system32\uxtuneup.dll -- (UxTuneUp)
    SRV - [2009/12/03 19:29:00 | 003,377,880 | ---- | M] (INCA Internet Co., Ltd.) [Disabled | Stopped] -- C:\WINDOWS\System32\GameMon.des -- (npggsvc)
    SRV - [2009/10/29 11:22:50 | 030,603,640 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft Office\Office14\GROOVE.EXE -- (Microsoft SharePoint Workspace Audit Service)
    SRV - [2009/09/26 05:28:22 | 004,639,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE -- (osppsvc)
    SRV - [2009/09/25 11:16:00 | 000,655,624 | ---- | M] (Acresso Software Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
    SRV - [2009/09/06 13:38:06 | 000,071,096 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccessU)
    SRV - [2009/06/26 15:56:58 | 000,102,400 | ---- | M] (WDC) [Auto | Running] -- C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe -- (WDBtnMgrSvc.exe)
    SRV - [2009/06/04 20:03:06 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel(R)
    SRV - [2009/03/25 16:11:28 | 001,533,824 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
    SRV - [2007/11/13 12:43:00 | 000,580,608 | ---- | M] (PY Software) [Disabled | Stopped] -- C:\Program Files\Active WebCam\Watchdog.exe -- (ACTIVEWEBCAMWATCHDOG)


    ========== Driver Services (SafeList) ==========

    DRV - [2010/06/18 15:32:50 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
    DRV - [2010/06/18 15:32:50 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
    DRV - [2010/06/18 15:32:50 | 000,012,872 | ---- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
    DRV - [2010/05/06 16:39:23 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
    DRV - [2010/05/06 16:39:00 | 000,164,048 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
    DRV - [2010/05/06 16:34:27 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
    DRV - [2010/05/06 16:33:59 | 000,100,432 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
    DRV - [2010/05/06 16:33:47 | 000,019,024 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
    DRV - [2010/05/06 16:33:29 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
    DRV - [2009/12/29 13:42:49 | 000,139,016 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PnkBstrK.sys -- (PnkBstrK)
    DRV - [2009/12/03 04:49:10 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
    DRV - [2009/11/12 14:48:56 | 000,007,168 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\StarOpen.sys -- (StarOpen)
    DRV - [2009/10/14 07:24:44 | 000,010,064 | ---- | M] (TuneUp Software) [Kernel | On_Demand | Running] -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys -- (TuneUpUtilitiesDrv)
    DRV - [2009/07/26 22:43:18 | 000,058,908 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\scdemu.sys -- (SCDEmu)
    DRV - [2009/06/17 14:21:27 | 000,025,280 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hamachi.sys -- (hamachi)
    DRV - [2009/06/05 11:42:28 | 000,017,408 | ---- | M] (Apple Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\netaapl.sys -- (Netaapl)
    DRV - [2009/06/04 19:43:16 | 000,330,264 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
    DRV - [2009/05/01 01:02:00 | 008,055,584 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
    DRV - [2008/12/18 23:43:48 | 000,037,392 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
    DRV - [2008/12/18 23:43:40 | 000,035,472 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
    DRV - [2008/05/12 23:06:44 | 000,011,520 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wdcsam.sys -- (WDC_SAM)
    DRV - [2008/04/14 01:06:06 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
    DRV - [2007/10/10 20:03:00 | 000,235,648 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\OEM02Dev.sys -- (OEM02Dev)
    DRV - [2007/09/26 09:01:32 | 002,236,032 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw4x32.sys -- (NETw4x32) Intel(R)
    DRV - [2007/06/07 20:00:02 | 000,141,376 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\OEM02Afx.sys -- (OEM02Afx)
    DRV - [2007/05/23 17:26:34 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
    DRV - [2007/05/10 10:24:34 | 001,222,840 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
    DRV - [2007/03/31 16:02:42 | 000,876,384 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (btkrnl)
    DRV - [2007/03/31 16:02:40 | 000,055,352 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwhid.sys -- (btwhid)
    DRV - [2007/03/23 13:50:42 | 000,067,960 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
    DRV - [2007/03/23 13:50:36 | 000,037,280 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwmodem.sys -- (btwmodem)
    DRV - [2007/03/23 13:50:24 | 000,149,123 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
    DRV - [2007/03/23 13:50:08 | 000,037,424 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
    DRV - [2007/03/23 13:49:54 | 000,539,072 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
    DRV - [2007/03/05 13:45:04 | 000,007,424 | ---- | M] (EyePower Games Pte. Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\OEM02Vfx.sys -- (OEM02Vfx)
    DRV - [2007/01/30 15:12:06 | 000,045,568 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
    DRV - [2006/11/15 03:16:24 | 000,032,256 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
    DRV - [2006/11/14 22:42:46 | 000,043,520 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
    DRV - [2006/11/14 20:35:20 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
    DRV - [2005/09/18 18:02:52 | 000,005,632 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files\PeerGuardian2\pgfilter.sys -- (pgfilter)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========


    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 28 1E F6 59 3B DB C9 01 [binary data]
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

    ========== FireFox ==========

    FF - prefs.js..browser.startup.homepage: "www.google.com/ncr "
    FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2
    FF - prefs.js..extensions.enabledItems: {0545b830-f0aa-4d7e-8820-50a4629a56fe}:4.6.1
    FF - prefs.js..extensions.enabledItems: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}:1.2.1.26
    FF - prefs.js..extensions.enabledItems: {cc85cd4e-5a5b-4eda-a25c-bdaffa93b406}:0.4.5
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..extensions.enabledItems: silvermelxt@pardal.de:1.3.5
    FF - prefs.js..extensions.enabledItems: {FBF6D7FB-F305-4445-BB3D-FEF66579A033}:4.9
    FF - prefs.js..extensions.enabledItems: {46551EC9-40F0-4e47-8E18-8E5CF550CFB8}:1.0.9
    FF - prefs.js..extensions.enabledItems: en-US@dictionaries.addons.mozilla.org:4.0.0
    FF - prefs.js..extensions.enabledItems: cfxHelper@Triton:1.2
    FF - prefs.js..extensions.enabledItems: youtube2mp3@mondayx.de:1.0.7
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
    FF - prefs.js..extensions.enabledItems: {e2c58150-9d72-11dd-ad8b-0800200c9a66}:1.3.1
    FF - prefs.js..extensions.enabledItems: {6E1A2A2E-AE2A-4A26-A812-46F54288379E}:3.6.0
    FF - prefs.js..extensions.enabledItems: {069FB356-C69F-7349-D092-AB28AF836D0E}:0.9.030
    FF - prefs.js..extensions.enabledItems: rein@notiz.jp:3.6.1
    FF - prefs.js..extensions.enabledItems: silvermel@pardal.de:1.3.5
    FF - prefs.js..extensions.enabledItems: {20C3BDFF-DA68-468d-8D9A-F5A6C76B0F9E}:3.13
    FF - prefs.js..extensions.enabledItems: Strata40@SpewBoy.au:0.6.2
    FF - prefs.js..extensions.enabledItems: chromifox@altmusictv.com:3.6.5
    FF - prefs.js..extensions.enabledItems: {5c8bfb7c-9a54-11dc-8314-0800200c9a66}:3.6.3
    FF - prefs.js..extensions.enabledItems: {12bc3590-67a6-11de-8a39-0800200c9a66}:3.6
    FF - prefs.js..extensions.enabledItems: {00352F14-3F76-4e4d-ACFF-9972D7E4B3B9}:0.7.2
    FF - prefs.js..extensions.enabledItems: {b41cb5f0-2e52-11de-8c30-0800200c9a66}:2.1
    FF - prefs.js..extensions.enabledItems: {07b2a769-ed19-4483-87ce-c643914c9626}:1.6
    FF - prefs.js..extensions.enabledItems: {989e9382-d540-4189-88d1-fc54a949a387}:0.8.7
    FF - prefs.js..extensions.enabledItems: devious_green@firefox.theme:0.08
    FF - prefs.js..extensions.enabledItems: {13b4437e-b706-11dc-8314-0800200c9a66}:1.36.20100303
    FF - prefs.js..extensions.enabledItems: glaze_black@www.theme-oasis.org:3.3
    FF - prefs.js..extensions.enabledItems: {251297d0-6e53-11de-8a39-0800200c9a66}:3.6.15.02.10
    FF - prefs.js..extensions.enabledItems: cfxe@Triton:3.6.5


    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.4\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/06/23 19:11:55 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.4\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/23 21:12:35 | 000,000,000 | ---D | M]

    [2009/07/24 02:26:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pete\Application Data\Mozilla\Extensions
    [2009/07/24 02:26:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pete\Application Data\Mozilla\Extensions\IMVUClientXUL@imvu.com
    [2010/02/22 19:29:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pete\Application Data\Mozilla\Extensions\mozswing@mozswing.org
    [2010/06/27 17:42:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions
    [2010/03/30 19:50:00 | 000,000,000 | ---D | M] (MacOSX Theme) -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\{00352F14-3F76-4e4d-ACFF-9972D7E4B3B9}
    [2010/06/16 16:40:53 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}
    [2010/01/30 17:28:39 | 000,000,000 | ---D | M] (Phoenity Next (formerly Phoenity Reborn)) -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\{069FB356-C69F-7349-D092-AB28AF836D0E}
    [2010/03/30 19:50:18 | 000,000,000 | ---D | M] (ANTHEM) -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\{07b2a769-ed19-4483-87ce-c643914c9626}
    [2010/03/30 19:49:52 | 000,000,000 | ---D | M] (Eclipse) -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\{12bc3590-67a6-11de-8a39-0800200c9a66}
    [2010/03/30 20:28:36 | 000,000,000 | ---D | M] (Simple Green) -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\{13b4437e-b706-11dc-8314-0800200c9a66}
    [2010/06/19 20:11:16 | 000,000,000 | ---D | M] (FlashGot) -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
    [2010/03/30 20:28:53 | 000,000,000 | ---D | M] (Utopia FFSE White) -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\{20C3BDFF-DA68-468d-8D9A-F5A6C76B0F9E}
    [2010/03/30 20:28:47 | 000,000,000 | ---D | M] (Extero 2) -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\{251297d0-6e53-11de-8a39-0800200c9a66}
    [2010/05/23 21:13:02 | 000,000,000 | ---D | M] (Stylish) -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}
    [2010/03/30 19:49:35 | 000,000,000 | ---D | M] (Aero Fox) -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}
    [2010/01/24 01:05:24 | 000,000,000 | ---D | M] (Full Flat) -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\{6E1A2A2E-AE2A-4A26-A812-46F54288379E}
    [2010/03/30 19:50:22 | 000,000,000 | ---D | M] (FennecFox) -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\{989e9382-d540-4189-88d1-fc54a949a387}
    [2010/03/30 19:50:07 | 000,000,000 | ---D | M] (Black Stratini) -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\{b41cb5f0-2e52-11de-8c30-0800200c9a66}
    [2010/02/19 21:31:40 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\{c1dffba0-628e-11d9-9669-0800200c9a66}
    [2010/02/10 14:07:08 | 000,000,000 | ---D | M] (Google Redesigned) -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\{cc85cd4e-5a5b-4eda-a25c-bdaffa93b406}
    [2010/05/01 10:50:56 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    [2009/11/18 15:14:23 | 000,000,000 | ---D | M] (Black Steel) -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\{e2c58150-9d72-11dd-ad8b-0800200c9a66}
    [2010/03/12 20:54:07 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\{FBF6D7FB-F305-4445-BB3D-FEF66579A033}
    [2010/05/11 08:07:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\cfxe@Triton
    [2010/05/11 08:07:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\cfxHelper@Triton
    [2010/03/30 19:49:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\chromifox@altmusictv.com
    [2010/03/30 20:28:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\devious_green@firefox.theme
    [2010/03/30 20:29:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\en-US@dictionaries.addons.mozilla.org
    [2010/02/19 21:31:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\Foxdie@tanjihay.com
    [2010/02/19 21:31:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\FoxdieGraphite@tanjihay.com
    [2010/03/30 20:28:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\glaze_black@www.theme-oasis.org
    [2010/02/19 21:31:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\navertheme@nhncorp.com
    [2010/02/19 21:31:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\redshift_V2@shift-themes.com
    [2010/01/21 01:17:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\rein@notiz.jp
    [2010/04/16 08:49:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\silvermel@pardal.de
    [2010/04/16 08:49:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\silvermelxt@pardal.de
    [2010/04/28 02:25:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\Strata40@SpewBoy.au
    [2010/06/22 19:19:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\youtube2mp3@mondayx.de
    [2010/03/30 19:49:52 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\{12bc3590-67a6-11de-8a39-0800200c9a66}\chrome\mac\browser\extensions
    [2010/03/30 19:49:52 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\{12bc3590-67a6-11de-8a39-0800200c9a66}\chrome\mac\mozapps\extensions
    [2010/03/30 19:49:52 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\{12bc3590-67a6-11de-8a39-0800200c9a66}\chrome\win\browser\extensions
    [2010/03/30 19:49:52 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\{12bc3590-67a6-11de-8a39-0800200c9a66}\chrome\win\mozapps\extensions
    [2010/03/30 20:28:37 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\{13b4437e-b706-11dc-8314-0800200c9a66}\chrome\mozapps\extensions
    [2010/03/30 20:28:36 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\{13b4437e-b706-11dc-8314-0800200c9a66}\chrome\mozapps\extensionsO
    [2010/03/30 19:49:35 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}\chrome\mac\browser\extensions
    [2010/03/30 19:49:35 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}\chrome\mac\mozapps\extensions
    [2010/03/30 19:49:35 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}\chrome\win\browser\extensions
    [2010/03/30 19:49:35 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}\chrome\win\mozapps\extensions
    [2010/03/30 20:28:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\devious_green@firefox.theme\mozapps\extensions
    [2010/04/28 02:25:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\extensions\Strata40@SpewBoy.au\chrome\mozapps\extensions
    [2009/11/09 18:57:15 | 000,001,189 | ---- | M] () -- C:\Documents and Settings\Pete\Application Data\Mozilla\Firefox\Profiles\vyo3zjh0.default\searchplugins\winamp-search.xml
    [2010/06/27 17:41:40 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
    [2010/06/23 21:12:41 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    [2010/06/23 21:09:48 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
    [2009/08/17 07:42:14 | 000,073,728 | ---- | M] (NHN USA Inc. ) -- C:\Program Files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll

    O1 HOSTS File: ([2010/06/26 19:51:49 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: (FGCatchUrl) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll (www.flashget.com)
    O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
    O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
    O2 - BHO: (FlashGet GetFlash Class) - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll (www.flashget.com)
    O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
    O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
    O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
    O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe (SigmaTel, Inc.)
    O4 - HKLM..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe (WDC)
    O4 - HKCU..\Run: [CursorFX] C:\Program Files\Stardock\CursorFX\CursorFX.exe (Stardock Corporation)
    O4 - HKCU..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe (Methlabs)
    O4 - Startup: C:\Documents and Settings\Pete\Start Menu\Programs\Startup\Mozilla Firefox.lnk = C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoInternetOpenWith = 1
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoInternetOpenWith = 1
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWinKeys = 1
    O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\JC_ALL.HTM ()
    O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\JC_LINK.HTM ()
    O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
    O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
    O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
    O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
    O9 - Extra Button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe (FlashGet.com)
    O9 - Extra 'Tools' menuitem : FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe (FlashGet.com)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O15 - HKCU\..Trusted Domains: microsoft.com ([]http in Trusted sites)
    O15 - HKCU\..Trusted Domains: microsoft.com ([]https in Trusted sites)
    O15 - HKCU\..Trusted Domains: microsoft.com ([*.windowsupdate] http in Trusted sites)
    O15 - HKCU\..Trusted Domains: microsoft.com ([*.windowsupdate] https in Trusted sites)
    O15 - HKCU\..Trusted Domains: windowsupdate.com ([download] http in Trusted sites)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab (Solitaire Showdown Class)
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab (UnoCtrl Class)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1266743745718 (WUWebControl Class)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1259328307765 (MUWebControl Class)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab (MessengerStatsClient Class)
    O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.68.166 68.87.74.166
    O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
    O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
    O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
    O18 - Protocol\Filter\text/xml {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL (Microsoft Corporation)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UIHost - (C:\Documents and Settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe) - C:\Documents and Settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
    O24 - Desktop WallPaper: C:\Documents and Settings\Pete\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Pete\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2009/05/22 05:18:39 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 90 Days ==========

    [2010/06/26 22:15:01 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
    [2010/06/26 22:12:14 | 000,164,048 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
    [2010/06/26 22:12:14 | 000,046,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
    [2010/06/26 22:12:14 | 000,023,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
    [2010/06/26 22:12:14 | 000,019,024 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
    [2010/06/26 22:12:13 | 000,100,432 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
    [2010/06/26 22:12:13 | 000,094,800 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
    [2010/06/26 22:12:13 | 000,028,880 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
    [2010/06/26 22:12:09 | 000,000,000 | -HSD | C] -- C:\Config.Msi
    [2010/06/26 22:12:01 | 000,165,032 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
    [2010/06/26 22:12:01 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
    [2010/06/26 22:06:53 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Pete\Recent
    [2010/06/26 21:47:34 | 000,000,000 | -HSD | C] -- C:\RECYCLER
    [2010/06/26 19:51:49 | 000,552,960 | R--- | C] (OldTimer Tools) -- C:\OTLPE.exe
    [2010/06/25 23:11:22 | 000,000,000 | ---D | C] -- C:\Avenger
    [2010/06/25 23:03:27 | 000,499,712 | ---- | C] (eSage Lab) -- C:\Documents and Settings\Pete\Desktop\remover.exe
    [2010/06/25 14:38:32 | 000,000,000 | ---D | C] -- C:\Rooter$
    [2010/06/25 12:54:28 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2010/06/25 12:54:28 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2010/06/25 12:54:28 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2010/06/25 12:54:28 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2010/06/25 12:54:20 | 000,000,000 | ---D | C] -- C:\ComboFix
    [2010/06/25 12:54:11 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2010/06/24 21:15:09 | 003,887,480 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Documents and Settings\Pete\Desktop\procexp.exe
    [2010/06/24 21:02:44 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Pete\PrivacIE
    [2010/06/24 20:30:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Pete\DoctorWeb
    [2010/06/23 22:20:07 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Pete\Desktop\TFC.exe
    [2010/06/23 21:23:12 | 000,000,000 | ---D | C] -- C:\_OTL
    [2010/06/23 21:13:07 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
    [2010/06/23 04:09:47 | 000,574,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Pete\Desktop\OTL.exe
    [2010/06/20 21:34:12 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
    [2010/06/20 21:34:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
    [2010/06/20 12:02:43 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
    [2010/06/19 21:36:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Pete\Local Settings\Application Data\Deployment
    [2010/06/18 15:37:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Pete\Application Data\Malwarebytes
    [2010/06/18 15:37:21 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2010/06/18 15:37:19 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2010/06/18 15:37:19 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2010/06/17 17:55:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Pete\Local Settings\Application Data\Painkiller Resurrection
    [2010/05/31 19:49:40 | 000,000,000 | ---D | C] -- C:\Program Files\StreamTorrent 1.0
    [2010/05/31 19:49:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Pete\Application Data\StreamTorrent
    [2010/05/28 00:50:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Pete\Application Data\vlc
    [2010/05/27 21:22:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\RosettaStoneLtdBackup
    [2010/05/26 19:16:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Pete\Application Data\Canneverbe Limited
    [2010/05/13 01:10:10 | 000,000,000 | ---D | C] -- C:\Program Files\Ubisoft
    [2010/04/28 23:34:29 | 000,000,000 | ---D | C] -- C:\Program Files\Tunatic
    [2010/04/18 13:56:14 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
    [2010/04/18 13:54:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\SoftwareDistribution
    [2010/04/18 12:32:13 | 000,000,000 | -H-D | C] -- C:\Program Files\Uninstall Information
    [2010/04/18 12:29:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\CatRoot2
    [2010/04/18 12:28:25 | 000,000,000 | ---D | C] -- C:\WINDOWS\SoftwareDistribution.old
    [2010/04/18 12:25:17 | 000,000,000 | ---D | C] -- C:\Program Files\MSECACHE
    [2010/03/31 12:56:01 | 000,000,000 | ---D | C] -- C:\Program Files\Stardock
    [2010/03/31 12:56:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Stardock
    [2010/03/30 20:00:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\TuneUp Software
    [2010/03/30 19:39:15 | 000,030,536 | ---- | C] (TuneUp Software) -- C:\WINDOWS\System32\TURegOpt.exe
    [2010/03/30 19:39:15 | 000,030,024 | ---- | C] (TuneUp Software) -- C:\WINDOWS\System32\uxtuneup.dll
    [2010/03/30 19:39:00 | 000,000,000 | ---D | C] -- C:\Program Files\TuneUp Utilities 2010

    ========== Files - Modified Within 90 Days ==========

    [2010/06/27 17:15:59 | 000,525,448 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
    [2010/06/27 17:15:59 | 000,444,156 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2010/06/27 17:15:59 | 000,072,248 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2010/06/27 17:11:47 | 000,230,258 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
    [2010/06/27 17:11:46 | 000,134,696 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
    [2010/06/27 17:11:09 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/06/27 17:11:01 | 2145,427,456 | -HS- | M] () -- C:\hiberfil.sys
    [2010/06/27 16:00:12 | 014,417,920 | ---- | M] () -- C:\Documents and Settings\Pete\ntuser.dat
    [2010/06/27 16:00:12 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Pete\ntuser.ini
    [2010/06/26 22:12:14 | 000,001,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
    [2010/06/26 22:12:13 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
    [2010/06/26 19:51:49 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
    [2010/06/25 23:07:08 | 000,043,158 | ---- | M] () -- C:\Documents and Settings\Pete\Desktop\remover results.JPG
    [2010/06/25 19:26:46 | 000,077,312 | ---- | M] () -- C:\Documents and Settings\Pete\Desktop\mbr.exe
    [2010/06/25 13:06:52 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
    [2010/06/25 12:51:19 | 003,719,978 | R--- | M] () -- C:\Documents and Settings\Pete\Desktop\ComboFix.exe
    [2010/06/25 05:15:42 | 000,142,336 | ---- | M] () -- C:\Documents and Settings\Pete\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2010/06/25 03:47:01 | 000,000,637 | ---- | M] () -- C:\Documents and Settings\Pete\Desktop\DrWeb.csv
    [2010/06/24 21:12:57 | 001,729,668 | ---- | M] () -- C:\Documents and Settings\Pete\Desktop\ProcessExplorer.zip
    [2010/06/24 20:14:23 | 048,049,392 | ---- | M] () -- C:\Documents and Settings\Pete\Desktop\drweb-cureit.exe
    [2010/06/23 22:20:07 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Pete\Desktop\TFC.exe
    [2010/06/23 04:09:48 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Pete\Desktop\OTL.exe
    [2010/06/20 22:30:01 | 000,158,243 | ---- | M] () -- C:\Documents and Settings\Pete\Desktop\avast results.JPG
    [2010/06/20 12:08:31 | 000,000,250 | ---- | M] () -- C:\WINDOWS\BissHM.ini
    [2010/06/20 12:08:25 | 000,000,686 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100620-121323.backup
    [2010/06/20 12:02:43 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Pete\Desktop\HijackThis.lnk
    [2010/06/19 19:58:26 | 000,000,582 | ---- | M] () -- C:\WINDOWS\win.ini
    [2010/06/19 19:58:26 | 000,000,460 | RHS- | M] () -- C:\boot.ini
    [2010/06/18 17:22:52 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010/06/18 17:14:36 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
    [2010/06/18 15:34:38 | 002,742,748 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100618-153531.backup
    [2010/06/17 18:29:44 | 000,134,696 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat
    [2010/06/16 15:08:51 | 000,078,612 | ---- | M] () -- C:\ReactorException.dmp
    [2010/06/15 19:31:35 | 002,738,686 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100618-153438.backup
    [2010/06/15 00:45:01 | 002,647,070 | -H-- | M] () -- C:\Documents and Settings\Pete\Local Settings\Application Data\IconCache.db
    [2010/06/14 23:08:41 | 000,000,107 | ---- | M] () -- C:\Documents and Settings\Pete\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
    [2010/06/11 00:50:08 | 002,738,686 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100615-193135.backup
    [2010/06/07 16:16:56 | 003,887,480 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Documents and Settings\Pete\Desktop\procexp.exe
    [2010/05/31 19:49:40 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\Pete\Desktop\StreamTorrent 1.0.lnk
    [2010/05/27 21:43:55 | 000,002,477 | ---- | M] () -- C:\Documents and Settings\Pete\Desktop\Rosetta Stone Version 3.lnk
    [2010/05/26 19:16:33 | 000,001,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CDBurnerXP.lnk
    [2010/05/20 08:46:48 | 002,729,613 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100611-005008.backup
    [2010/05/15 11:53:36 | 002,729,515 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100520-084648.backup
    [2010/05/12 19:52:31 | 000,552,960 | R--- | M] (OldTimer Tools) -- C:\OTLPE.exe
    [2010/05/06 17:07:48 | 002,727,447 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100515-115336.backup
    [2010/05/06 16:59:57 | 000,038,848 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
    [2010/05/06 16:59:36 | 000,165,032 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
    [2010/05/06 16:39:23 | 000,046,672 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
    [2010/05/06 16:39:00 | 000,164,048 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
    [2010/05/06 16:34:27 | 000,023,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
    [2010/05/06 16:33:59 | 000,100,432 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
    [2010/05/06 16:33:55 | 000,094,800 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
    [2010/05/06 16:33:47 | 000,019,024 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
    [2010/05/06 16:33:29 | 000,028,880 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
    [2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2010/04/28 23:34:29 | 000,001,478 | ---- | M] () -- C:\Documents and Settings\Pete\Desktop\Tunatic.lnk
    [2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
    [2010/04/26 13:03:37 | 002,727,087 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100506-170748.backup
    [2010/04/19 16:18:53 | 000,001,908 | ---- | M] () -- C:\WINDOWS\diagwrn.xml
    [2010/04/19 16:18:53 | 000,001,908 | ---- | M] () -- C:\WINDOWS\diagerr.xml
    [2010/04/18 14:03:13 | 002,726,329 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100426-130337.backup
    [2010/04/08 19:24:36 | 000,095,800 | ---- | M] () -- C:\Documents and Settings\Pete\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    [2010/03/31 13:02:38 | 000,345,016 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2010/03/30 23:07:09 | 002,715,341 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100418-140312.backup

    ========== Files Created - No Company Name ==========

    [2010/06/26 22:12:14 | 000,001,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
    [2010/06/25 23:41:03 | 000,000,169 | ---- | C] () -- C:\Documents and Settings\Pete\mbr.log
    [2010/06/25 23:10:18 | 000,731,136 | ---- | C] () -- C:\Documents and Settings\Pete\Desktop\avenger.exe
    [2010/06/25 23:07:08 | 000,043,158 | ---- | C] () -- C:\Documents and Settings\Pete\Desktop\remover results.JPG
    [2010/06/25 19:26:46 | 000,077,312 | ---- | C] () -- C:\Documents and Settings\Pete\Desktop\mbr.exe
    [2010/06/25 12:54:28 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2010/06/25 12:54:28 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2010/06/25 12:54:28 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2010/06/25 12:54:28 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2010/06/25 12:54:28 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2010/06/25 12:51:17 | 003,719,978 | R--- | C] () -- C:\Documents and Settings\Pete\Desktop\ComboFix.exe
    [2010/06/25 03:43:40 | 000,000,637 | ---- | C] () -- C:\Documents and Settings\Pete\Desktop\DrWeb.csv
    [2010/06/24 21:15:09 | 000,072,268 | ---- | C] () -- C:\Documents and Settings\Pete\Desktop\procexp.chm
    [2010/06/24 21:12:53 | 001,729,668 | ---- | C] () -- C:\Documents and Settings\Pete\Desktop\ProcessExplorer.zip
    [2010/06/24 20:10:38 | 048,049,392 | ---- | C] () -- C:\Documents and Settings\Pete\Desktop\drweb-cureit.exe
    [2010/06/20 22:26:41 | 000,158,243 | ---- | C] () -- C:\Documents and Settings\Pete\Desktop\avast results.JPG
    [2010/06/20 12:02:43 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\Pete\Desktop\HijackThis.lnk
    [2010/06/19 21:30:42 | 2145,427,456 | -HS- | C] () -- C:\hiberfil.sys
    [2010/06/18 04:40:28 | 000,198,056 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    [2010/05/31 19:49:40 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\Pete\Desktop\StreamTorrent 1.0.lnk
    [2010/04/28 23:34:29 | 000,001,478 | ---- | C] () -- C:\Documents and Settings\Pete\Desktop\Tunatic.lnk
    [2010/04/19 16:18:45 | 000,001,908 | ---- | C] () -- C:\WINDOWS\diagwrn.xml
    [2010/04/19 16:18:45 | 000,001,908 | ---- | C] () -- C:\WINDOWS\diagerr.xml
    [2010/04/05 00:24:12 | 000,078,612 | ---- | C] () -- C:\ReactorException.dmp
    [2009/12/07 02:10:43 | 000,178,176 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
    [2009/12/07 02:10:43 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
    [2009/12/07 02:10:42 | 000,881,664 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
    [2009/12/07 02:10:42 | 000,205,824 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
    [2009/12/07 02:10:41 | 000,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
    [2009/12/07 02:10:41 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
    [2009/11/06 11:58:04 | 000,178,975 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
    [2009/10/29 16:59:00 | 000,007,168 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
    [2009/10/27 12:45:30 | 000,000,250 | ---- | C] () -- C:\WINDOWS\BissHM.ini
    [2009/08/10 12:35:16 | 000,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
    [2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
    [2009/08/01 01:18:22 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
    [2009/06/25 17:20:28 | 000,139,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
    [2009/05/22 17:40:34 | 000,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
    [2009/05/01 03:31:06 | 001,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
    [2009/05/01 03:31:06 | 001,507,328 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
    [2009/05/01 03:31:06 | 001,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
    [2009/05/01 03:31:06 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
    [2008/10/07 12:13:30 | 000,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
    [2008/10/07 12:13:22 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
    [2008/10/07 12:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
    [2008/10/07 12:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
    [2008/10/07 12:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
    [2008/10/07 12:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
    [2008/10/07 12:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
    [2008/10/07 12:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
    [2008/10/07 12:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
    [2008/10/07 12:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
    [2007/05/17 17:52:30 | 002,842,624 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
    [2007/05/17 17:23:20 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
    [2005/02/17 15:41:32 | 000,000,603 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest
    [2005/02/17 15:41:30 | 000,000,593 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest
    [2001/11/14 16:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll
     
  18. 2010/06/27
    Pete

    Pete Inactive Thread Starter

    part 2 :

    ========== LOP Check ==========

    [2009/10/18 15:32:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AIM
    [2010/06/26 22:11:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
    [2009/12/03 04:48:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
    [2009/08/01 01:10:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
    [2010/05/27 21:47:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Rosetta Stone
    [2010/05/27 21:22:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RosettaStoneLtdBackup
    [2009/07/07 01:44:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Stardock
    [2010/06/17 18:29:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2009/06/02 21:26:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ThumbnailCache4R
    [2010/03/30 19:36:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TuneUp Software
    [2009/06/02 21:25:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pete\Application Data\5600-6600 Series
    [2010/05/26 19:16:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pete\Application Data\Canneverbe Limited
    [2009/06/16 23:07:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pete\Application Data\DAEMON Tools Lite
    [2009/08/01 01:10:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pete\Application Data\DAEMON Tools Pro
    [2010/03/26 01:15:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pete\Application Data\ImgBurn
    [2009/09/25 15:03:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pete\Application Data\Lexmark Productivity Studio
    [2010/04/07 06:35:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pete\Application Data\LimeWire
    [2010/05/31 19:49:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pete\Application Data\StreamTorrent
    [2009/12/13 10:10:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pete\Application Data\SystemRequirementsLab
    [2010/04/29 20:50:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pete\Application Data\TeamViewer
    [2009/05/24 20:55:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pete\Application Data\TuneUp Software
    [2010/06/25 05:01:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pete\Application Data\uTorrent
    [2009/12/03 04:29:07 | 000,000,236 | ---- | M] () -- C:\WINDOWS\Tasks\OGALogon.job

    ========== Purity Check ==========


    < End of report >
     
  19. 2010/06/27
    broni

    broni Moderator Malware Analyst

    Excellent :)
    Looks good :)

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

       1. Disable your active antivirus program.
       2. Read through the requirements and privacy statement and click on Accept button.
       3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
       4. When the downloads have finished, click on Settings.
       5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
          • Spyware, Adware, Dialers, and other potentially dangerous programs
          • Archives
          • Mail databases
       6. Click on My Computer under Scan.
       7. Once the scan is complete, it will display the results. Click on View Scan Report.
       8. You will see a list of infected items there. Click on Save Report As....
       9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  20. 2010/06/27
    Pete

    Pete Inactive Thread Starter

    Kaspersky results :

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Sunday, June 27, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Sunday, June 27, 2010 13:56:14
    Records in database: 4282245
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\

    Scan statistics:
    Objects scanned: 103640
    Threats found: 6
    Infected objects found: 10
    Suspicious objects found: 0
    Scan duration: 02:43:09


    File name / Threat / Threats count
    C:\Documents and Settings\Pete\DoctorWeb\Quarantine\Keygen.exe Infected: Trojan-GameThief.Win32.OnLineGames.sfbl 1
    C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\22\27c3f96-2cef6799 Infected: Exploit.Java.Agent.ar 1
    C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\22\27c3f96-2cef6799 Infected: Exploit.Java.Agent.as 1
    C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\53\68e558f5-32056746 Infected: Exploit.Java.Agent.ar 1
    C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\53\68e558f5-32056746 Infected: Exploit.Java.Agent.as 1
    C:\_OTL\MovedFiles\06242010_193710\C_Program Files\FlashMute\uninstall.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.ih 1
    C:\_OTL\MovedFiles\06242010_193710\D_Setup Files\Utilities\Windows WGA Patcher Permanent Kit\keyfinder.exe Infected: not-a-virus:pSWTool.Win32.RAS.g 1
    C:\_OTL\MovedFiles\06242010_193710\D_Setup Files\Utilities\Windows WGA Patcher Permanent Kit\keyfinder.exe Infected: not-a-virus:pSWTool.Win32.RAS.a 1
    C:\_OTL\MovedFiles\06242010_193710\D_Setup Files\Utilities\Windows WGA Patcher Permanent Kit\Windows WGA Patcher Permanent Kit.rar Infected: not-a-virus:pSWTool.Win32.RAS.g 1
    C:\_OTL\MovedFiles\06242010_193710\D_Setup Files\Utilities\Windows WGA Patcher Permanent Kit\Windows WGA Patcher Permanent Kit.rar Infected: not-a-virus:pSWTool.Win32.RAS.a 1

    Selected area has been scanned.
     
  21. 2010/06/27
    broni

    broni Moderator Malware Analyst

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      
      :Services
      
      :Reg
      
      :Files
      C:\Documents and Settings\Pete\DoctorWeb\Quarantine\Keygen.exe 
      C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\22\27c3f96-2cef6799 
      C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\22\27c3f96-2cef6799 
      C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\53\68e558f5-32056746 
      C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\53\68e558f5-32056746
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [resethosts]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
     
