
Some program sending mail from my computer when it's connected to the router

Discussion in 'Virus & Other Malware Removal' started by omer681, Apr 28, 2010.

  1. omer681 (Thread Starter; joined Sep 13, 2007; 24 messages)
    When I connect my computer to the router (internet) it seems that it spams it with outgoing mails, and slows down the email receiving process.

    HijackThis log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:58:26, on 28/04/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\PROGRA~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe
    H:\Program Files\Kaspersky Anti-Virus 6.0\avp.exe
    C:\WINDOWS\system32\taskswitch.exe
    H:\Program Files\Kaspersky Anti-Virus 6.0\avp.exe
    C:\WINDOWS\System32\cisvc.exe
    K:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
    C:\Program Files\uTorrent\uTorrent.exe
    K:\Utility Programs\DAEMON Tools Lite\DTLite.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\System32\svchost.exe
    K:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\notepad.exe
    H:\Program Files\Steam\Steam.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\WINDOWS\System32\svchost.exe
    h:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\devenv.exe
    C:\WINDOWS\system32\mmc.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local;<local>
    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\2.bin\MWSSRCAS.DLL
    O2 - BHO: IE7Pro BHO - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\2.bin\MWSSRCAS.DLL
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - H:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - H:\Program Files\FlashGet\jccatch.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: עוזר הכניסה של Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - H:\Program Files\FlashGet\getflash.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - H:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe" /m=2 /w
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [AVP] "H:\Program Files\Kaspersky Anti-Virus 6.0\avp.exe"
    O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [librtexec] javaw -jar "C:\Program Files\Java\jre6\lib\librtexec.jar"
    O4 - HKLM\..\Run: [Flashget] H:\Program Files\FlashGet\flashget.exe /min
    O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [StartCCC] "K:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
    O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "K:\Utility Programs\DAEMON Tools Lite\DTLite.exe" -autorun
    O4 - HKCU\..\Run: [SteamUp] "K:\Program Files\Cracked Steam\steam.exe" -clientapp SteamUp.dll -silent
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZRfox000
    O8 - Extra context menu item: &הורד באמצעות פלאש-גט - H:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: &הורד הכל באמצעות פלאש-גט - H:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Add to Anti-Banner - H:\Program Files\Kaspersky Anti-Virus 6.0\ie_banner_deny.htm
    O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
    O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
    O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
    O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - H:\Program Files\Kaspersky Anti-Virus 6.0\SCIEPlgn.dll
    O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - H:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - H:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - H:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} (SysInfo Class) - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1214609682843
    O17 - HKLM\System\CCS\Services\Tcpip\..\{803C38B3-87A0-4405-A9EB-8A6AF690E470}: NameServer = 192.168.1.1
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: H:\PROGRA~1\KASPER~1.0\adialhk.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - H:\Program Files\Kaspersky Anti-Virus 6.0\avp.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe

    --
    End of file - 11290 bytes


    I have another problem in my Windows 7 (I have 2 systems on my computer, XP and Windows 7): almost no application wants to start up. It gives this error:
    The application has failed to start because its side-by-side configuration is incorrect. Please see the application event log or use the command-line sxstrace.exe tool for more detail.

    In the application event log, I found this:

    Activation context generation failed for "E:\Program Files\uTorrent\uTorrent.exe". Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="X86",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found. Please use sxstrace.exe for detailed diagnosis.


    After you solve (hopefully) my problem with the mail sending, I'll try to get a HijackThis log for Windows 7.

    Thanks
     
  2. omer681 (Thread Starter)
    2 days passed..
     
  3. omer681 (Thread Starter)
    Up...
     
  4. omer681 (Thread Starter)
  5. dvk01 (Moderator, Malware Specialist; first name Derek; joined Dec 14, 2002; 56,452 messages)
  6. omer681 (Thread Starter)
    The program "GMER" crashed the computer somewhere around C:\Documents and Settings\****\Application Data
    For a fraction of a second before it crashed, I (think that I) saw something about Macromedia at the end.

    By the way, drive M is a backup external hard disk.

    The log for the first program:

    DDS.txt

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Omer at 14:16:43.29 on Tue 05/04/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
    Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.3582.2869 [GMT 3:00]

    AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    FW: Kaspersky Anti-Virus *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    H:\Program Files\Kaspersky Anti-Virus 6.0\avp.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\PROGRA~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe
    H:\Program Files\Kaspersky Anti-Virus 6.0\avp.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\taskswitch.exe
    H:\Program Files\FlashGet\flashget.exe
    C:\WINDOWS\system32\ctfmon.exe
    K:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    K:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\svchost.exe -k HPService
    C:\Program Files\MagicTune Premium\MagicTune.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Omer\Desktop\spyware\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.co.il/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = local;*.local;<local>
    uURLSearchHooks: N/A: {00a6faf6-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\bar\2.bin\MWSSRCAS.DLL
    BHO: IE7Pro BHO: {00011268-e188-40df-a514-835fcd78b1bf} - c:\program files\iepro\iepro.dll
    BHO: MyWebSearch Search Assistant BHO: {00a6faf1-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\bar\2.bin\MWSSRCAS.DLL
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - h:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: mwsBar BHO: {07b18ea1-a523-4961-b6bb-170de4475cca} - c:\program files\mywebsearch\bar\2.bin\MWSBAR.DLL
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - h:\program files\flashget\jccatch.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: עוזר הכניסה של Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - h:\program files\flashget\getflash.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - h:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: My Web Search: {07b18ea9-a523-4961-b6bb-170de4475cca} - c:\program files\mywebsearch\bar\2.bin\MWSBAR.DLL
    EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - h:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [SteamUp] "k:\program files\cracked steam\steam.exe" -clientapp SteamUp.dll -silent
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [My Web Search Bar Search Scope Monitor] "c:\progra~1\mywebs~1\bar\2.bin\m3SrchMn.exe" /m=2 /w
    mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    mRun: [AVP] "h:\program files\kaspersky anti-virus 6.0\avp.exe"
    mRun: [MP10_EnsureFileVer] c:\windows\inf\unregmp2.exe /EnsureFileVersions
    mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
    mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [librtexec] javaw -jar "c:\program files\java\jre6\lib\librtexec.jar"
    mRun: [Flashget] h:\program files\flashget\flashget.exe /min
    mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
    mRun: [StartCCC] "k:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZRfox000
    IE: &הורד באמצעות פלאש-גט - h:\program files\flashget\jc_link.htm
    IE: &הורד הכל באמצעות פלאש-גט - h:\program files\flashget\jc_all.htm
    IE: &יצא ל- Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: Add to Anti-Banner - h:\program files\kaspersky anti-virus 6.0\ie_banner_deny.htm
    IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - h:\program files\flashget\FlashGet.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - {B119EB0C-C021-46CF-85B0-34A760E0D5FE} - c:\program files\iepro\iepro.dll
    IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
    IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - h:\program files\kaspersky anti-virus 6.0\SCIEPlgn.dll
    IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - h:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
    DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.srtest.com/srl_bin/sysreqlab3.cab
    DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1214609682843
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    TCP: {803C38B3-87A0-4405-A9EB-8A6AF690E470} = 192.168.1.1
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: klogon - c:\windows\system32\klogon.dll
    AppInit_DLLs: h:\progra~1\kasper~1.0\adialhk.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\omer\applic~1\mozilla\firefox\profiles\3y46ajbd.default\
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - component: c:\documents and settings\omer\application data\mozilla\firefox\profiles\3y46ajbd.default\extensions\{02549309-0dbb-41e7-8366-768cfe100341}\components\FFExternalAlert.dll
    FF - component: c:\documents and settings\omer\application data\mozilla\firefox\profiles\3y46ajbd.default\extensions\{02549309-0dbb-41e7-8366-768cfe100341}\components\RadioWMPCore.dll
    FF - component: c:\documents and settings\omer\application data\mozilla\firefox\profiles\3y46ajbd.default\extensions\{0d6451b1-a91e-435e-ba58-134ec4797456}\components\FFExternalAlert.dll
    FF - component: c:\documents and settings\omer\application data\mozilla\firefox\profiles\3y46ajbd.default\extensions\{0d6451b1-a91e-435e-ba58-134ec4797456}\components\RadioWMPCore.dll
    FF - component: c:\documents and settings\omer\application data\mozilla\firefox\profiles\3y46ajbd.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll
    FF - component: c:\documents and settings\omer\application data\mozilla\firefox\profiles\3y46ajbd.default\extensions\[email protected]\platform\winnt_x86-msvc\components\WeaveCrypto.dll
    FF - component: c:\documents and settings\omer\application data\mozilla\firefox\profiles\3y46ajbd.default\extensions\[email protected]\platform\winnt_x86-msvc\components\lpxpcom.dll
    FF - component: c:\program files\google\google gears\firefox\lib\ff36\gears.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPMyWebS.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
    FF - plugin: h:\program files\itunes\mozilla plugins\npitunes.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: network.proxy.type - 0
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2007-7-18 112144]
    R1 klif;Klif;c:\windows\system32\drivers\klif.sys [2007-11-9 201504]
    R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [2007-4-23 82200]
    R2 AVP;Kaspersky Anti-Virus 6.0;h:\program files\kaspersky anti-virus 6.0\avp.exe [2007-11-19 231952]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2007-5-30 24344]
    S2 clr_optimization_v4.0.21006_32;Microsoft .NET Framework NGEN v4.0.21006_X86;c:\windows\microsoft.net\framework\v4.0.21006\mscorsvw.exe [2009-10-7 129856]
    S3 cpuz130;cpuz130;\??\c:\docume~1\omer\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\omer\locals~1\temp\cpuz130\cpuz_x32.sys [?]
    S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-5-27 12672]
    S3 EverestDriver;Lavalys EVEREST Kernel Driver;d:\program files\lavalys\everest ultimate edition\kerneld.wnt [2008-4-12 22640]
    S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [2006-3-10 39424]
    S3 MsDepSvc;Web Deployment Agent Service;c:\program files\iis\microsoft web deploy\MsDepSvc.exe [2009-9-9 55176]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
    S3 VSPerfDrv;Performance Tools Driver;h:\program files\microsoft visual studio 8\team tools\performance tools\VSPerfDrv.sys [2005-9-23 54464]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.21006\wpf\WPFFontCache_v0400.exe [2009-10-7 752984]
    S4 _MySQL;_MySQL;"e:\program files\mysql\copy of mysql server 5.0\bin\mysqld-nt" --defaults-file="e:\program files\mysql\copy of mysql server 5.0\my.ini" _mysql --> e:\program files\mysql\copy of mysql server 5.0\bin\mysqld-nt [?]
    S4 gupdate1c989f4ad069e8c;Google Update Service (gupdate1c989f4ad069e8c);c:\program files\google\update\GoogleUpdate.exe [2009-2-8 133104]
    S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-23 47128]
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;h:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]
    S4 MySQL1;MySQL1;"e:\program files\mysql\copy of mysql server 5.0\bin\mysqld-nt" --defaults-file="e:\program files\mysql\copy of mysql server 5.0\my.ini" mysql1 --> e:\program files\mysql\copy of mysql server 5.0\bin\mysqld-nt [?]
    S4 MySQL4;MySQL4;"e:\program files\mysql\mysql server 5.0\bin\mysqld-nt" --defaults-file="e:\program files\mysql\mysql server 5.0\my.ini" mysql4 --> e:\program files\mysql\mysql server 5.0\bin\mysqld-nt [?]
    S4 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\2.bin\mwssvc.exe [2009-3-27 28762]
    S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
    S4 SoundtrackTurbineMessageService;Turbine Message Service - Soundtrack;h:\program files\turbine\turbine download manager - soundtrack\TurbineMessageService.exe [2009-3-2 249856]
    S4 SoundtrackTurbineNetworkService;Turbine Network Service - Soundtrack;h:\program files\turbine\turbine download manager - soundtrack\TurbineNetworkService.exe [2009-3-2 212992]
    S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]

    =============== Created Last 30 ================

    2014-05-01 16:50:25 0 d-----w- C:\PSFONTS
    2010-04-27 12:35:00 0 d-----w- c:\docume~1\omer\applic~1\GetRightToGo
    2010-04-26 13:20:50 4096 ----a-w- c:\windows\d3dx.dat
    2010-04-20 15:55:32 0 d-sh--w- C:\$RECYCLE.BIN
    2010-04-20 11:01:02 0 d-----w- c:\windows\system32\xlive
    2010-04-20 11:01:02 0 d-----w- c:\program files\Microsoft Games for Windows - LIVE
    2010-04-20 07:38:32 33616 ----a-w- c:\windows\system32\atiapfxx.blb
    2010-04-20 07:38:32 143360 ----a-w- c:\windows\system32\atiapfxx.exe
    2010-04-20 07:35:42 0 d-----w- c:\program files\ATI
    2010-04-19 13:12:31 0 d-----w- C:\BDS
    2010-04-19 11:22:42 0 d-----w- c:\docume~1\omer\applic~1\DAEMON Tools Lite
    2010-04-19 11:22:37 0 d-----w- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
    2010-04-13 11:41:41 0 d-----w- c:\docume~1\alluse~1\applic~1\ArcSoft
    2010-04-13 11:34:50 0 d-----w- c:\docume~1\omer\applic~1\HP SimpleSave Application
    2010-04-11 11:29:39 782336 ----a-r- c:\windows\system32\tmpD38.tmp
    2010-04-11 11:29:39 782336 ----a-r- c:\windows\system32\tmpD37.tmp
    2010-04-10 05:10:01 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
    2010-04-09 17:09:33 49152 ----a-w- c:\windows\system32\DirSize.dll
    2010-04-05 08:12:34 1024 ----a-w- C:\.rnd

    ==================== Find3M ====================

    2010-05-04 11:16:23 121063968 --sha-w- c:\windows\system32\drivers\fidbox.dat
    2010-05-04 11:16:17 4978720 --sha-w- c:\windows\system32\drivers\fidbox2.dat
    2010-05-03 14:14:26 473660 --sha-w- c:\windows\system32\drivers\fidbox2.idx
    2010-05-03 14:14:26 1638572 --sha-w- c:\windows\system32\drivers\fidbox.idx
    2010-05-03 14:11:48 97549 ----a-w- c:\windows\system32\drivers\klick.dat
    2010-05-03 14:11:48 113933 ----a-w- c:\windows\system32\drivers\klin.dat
    2010-04-19 11:24:32 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
    2010-04-13 13:44:24 92744 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
    2010-03-31 11:51:52 3930788 ----a-w- c:\documents and settings\omer\test.zip
    2010-03-03 04:07:54 311296 ----a-w- c:\windows\system32\atiiiexx.dll
    2010-03-03 04:02:54 45056 ----a-w- c:\windows\system32\aticalrt.dll
    2010-03-03 04:02:40 45056 ----a-w- c:\windows\system32\aticalcl.dll
    2010-03-03 04:01:00 3641344 ----a-w- c:\windows\system32\aticaldd.dll
    2010-03-03 03:44:42 14262272 ----a-w- c:\windows\system32\atioglxx.dll
    2010-03-03 03:40:42 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
    2010-03-03 03:40:36 3616096 ----a-w- c:\windows\system32\ati3duag.dll
    2010-03-03 03:39:44 301056 ----a-w- c:\windows\system32\ati2dvag.dll
    2010-03-03 03:24:40 208896 ----a-w- c:\windows\system32\atipdlxx.dll
    2010-03-03 03:24:38 2232320 ----a-w- c:\windows\system32\ativvaxx.dll
    2010-03-03 03:24:22 155648 ----a-w- c:\windows\system32\Oemdspif.dll
    2010-03-03 03:24:12 887724 ----a-w- c:\windows\system32\ativva6x.dat
    2010-03-03 03:24:12 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
    2010-03-03 03:24:02 43520 ----a-w- c:\windows\system32\ati2edxx.dll
    2010-03-03 03:23:50 159744 ----a-w- c:\windows\system32\ati2evxx.dll
    2010-03-03 03:22:34 602112 ----a-w- c:\windows\system32\ati2evxx.exe
    2010-03-03 03:21:10 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
    2010-03-03 03:16:58 565248 ----a-w- c:\windows\system32\atikvmag.dll
    2010-03-03 03:15:10 184320 ----a-w- c:\windows\system32\atiadlxx.dll
    2010-03-03 03:14:40 17408 ----a-w- c:\windows\system32\atitvo32.dll
    2010-03-03 03:14:12 393216 ----a-w- c:\windows\system32\atiok3x2.dll
    2010-03-03 03:09:06 638976 ----a-w- c:\windows\system32\ati2cqag.dll
    2010-03-03 03:07:04 65024 ----a-w- c:\windows\system32\atimpc32.dll
    2010-03-03 03:07:04 65024 ----a-w- c:\windows\system32\amdpcom32.dll
    2010-02-25 19:55:46 201875 ----a-w- c:\windows\system32\atiicdxx.dat
    2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll

    ============= FINISH: 14:18:05.03 ===============
     


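    Added example (an editor's addition, not code from the thread, from DDS or from ComboFix): a small Python triage script for the service/driver lines in a DDS log like the one above. It parses the `<state> <name>;<display>;<image path> [<date> <size>]` layout (R = running, S = stopped; the digit is the start type: 2 auto, 3 manual, 4 disabled), treats a trailing `[?]` as "DDS could not read the file's date and size", and flags the three things a helper checks first: a driver loading from a temp directory, entries DDS could not verify, and a binary under a directory name belonging to a known adware family. The `PUP_MARKERS` denylist and the flag names are this example's own assumptions; the sample lines are copied verbatim from the log above.

```python
"""Triage the service/driver lines of a DDS log (added example, not from the thread)."""
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# <state><start> <name>;<display name>;<image path ...>
LINE_RE = re.compile(r"^\s*([RS])(\d)\s+([^;]+);([^;]*);(.*)$")
# trailing "[yyyy-m-d size]" that DDS prints when it could stat the file
STAT_RE = re.compile(r"\[(\d{4}-\d{1,2}-\d{1,2})\s+(\d+)\]\s*$")

# Assumption: a tiny illustrative denylist of directory fragments used by the
# adware family seen in this thread (MyWebSearch / FunWebProducts).
PUP_MARKERS = ("mywebs", "funwebproducts")
START_TYPE = {"2": "auto", "3": "manual", "4": "disabled"}

# Sample input: five lines copied verbatim from the DDS log posted above.
SAMPLE = r"""
R2 AVP;Kaspersky Anti-Virus 6.0;h:\program files\kaspersky anti-virus 6.0\avp.exe [2007-11-19 231952]
S3 cpuz130;cpuz130;\??\c:\docume~1\omer\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\omer\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
S4 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\2.bin\mwssvc.exe [2009-3-27 28762]
S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
"""


@dataclass
class ServiceEntry:
    state: str                 # "running" (R) or "stopped" (S)
    start: str                 # auto / manual / disabled
    name: str
    display: str
    path: str                  # binary only, lower-cased, no arguments
    date: Optional[str]        # None when DDS printed "[?]"
    size: Optional[int]
    flags: List[str] = field(default_factory=list)


def binary_path(raw: str) -> str:
    """Reduce DDS's image-path text to the binary itself."""
    raw = raw.strip()
    if "-->" in raw:                       # DDS already resolved the 8.3/quoted form
        raw = raw.split("-->", 1)[1]
    raw = STAT_RE.sub("", raw).replace("[?]", "").strip()
    if raw.startswith("\\??\\"):           # NT object-manager prefix on driver paths
        raw = raw[4:]
    if raw.startswith('"'):                # quoted path, arguments follow the quote
        return raw[1:raw.index('"', 1)].lower()
    return raw.split(" -", 1)[0].strip().lower()   # drop " -service"-style args


def parse_line(line: str) -> Optional[ServiceEntry]:
    """Return a ServiceEntry for a service/driver line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    state, start, name, display, rest = m.groups()
    stat = STAT_RE.search(rest)
    return ServiceEntry(
        state="running" if state == "R" else "stopped",
        start=START_TYPE.get(start, start),
        name=name.strip(),
        display=display.strip(),
        path=binary_path(rest),
        date=stat.group(1) if stat else None,
        size=int(stat.group(2)) if stat else None,
    )


def flag(entry: ServiceEntry) -> ServiceEntry:
    """Attach the triage flags a helper would want to see first."""
    p = entry.path
    if "\\temp\\" in p:
        entry.flags.append("temp_dir")      # a driver loading from %TEMP% is never normal
    if entry.date is None:
        entry.flags.append("unverified")    # "[?]": DDS could not get the file's date/size
    if any(mk in p or mk in entry.name.lower() for mk in PUP_MARKERS):
        entry.flags.append("known_pup")
    return entry


def triage(log_text: str) -> List[ServiceEntry]:
    """Parse every service line in the log and keep only the flagged entries."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and flag(entry).flags:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    for e in triage(text):
        print(f"{e.name:<22} {e.state}/{e.start:<8} {','.join(e.flags):<22} {e.path}")
```

    Run it against a saved DDS.txt, or with no argument to see the sample. A flag is a lead, not a verdict: cpuz130 is in all likelihood a stale CPU-Z 1.30 driver entry whose temp folder has since been cleaned (hence the `[?]`), while the My Web Search service is the adware that the ComboFix log later in this thread removes.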
  7. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,452
    First Name:
    Derek
    Delete any existing version of ComboFix you have sitting on your desktop.
    Please read and follow all these instructions very carefully.

    Download ComboFix from Here to your Desktop.

    **Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer**
    --------------------------------------------------------------------
    1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    • Very Important! Temporarily disable your anti-virus and anti-malware real-time protection and any script-blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results" or stop ComboFix running at all.
    • Click on THIS LINK to see instructions on how to temporarily disable many security programs while running ComboFix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
    • Remember to re-enable the protection after ComboFix has finished.
    --------------------------------------------------------------------
    2. Close any open browsers and any other programs you might have running.
    Double-click on ComboFix.exe & follow the prompts.
    If you are using Windows XP, it might display a pop-up saying "Recovery console is not installed, do you want to install?"
    Please select yes & let it download the files it needs to do this.
    When finished, it will produce a report for you.
    Please post the "C:\ComboFix.txt" for further review.


    ****Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze.****

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: ComboFix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns.

    Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If ComboFix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.
     
  8. omer681

    omer681 Thread Starter

    Joined:
    Sep 13, 2007
    Messages:
    24
    ComboFix 10-05-03.06 - Omer 05/04/2010 16:55:20.2.4 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.3582.3052 [GMT 3:00]
    Running from: c:\documents and settings\Omer\Desktop\ComboFix.exe
    AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    FW: Kaspersky Anti-Virus *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\$recycle.bin\S-1-5-21-3114903881-2358328619-99713491-1001
    c:\program files\Cheat Engine\dbk32.sys
    c:\program files\FunWebProducts
    c:\program files\FunWebProducts\ScreenSaver\Cache\files.ini
    c:\program files\FunWebProducts\ScreenSaver\Images\04E1C122.urr
    c:\program files\FunWebProducts\ScreenSaver\Images\04E1C1CE.dat
    c:\program files\FunWebProducts\ScreenSaver\Images\04E52B57.dat
    c:\program files\FunWebProducts\ScreenSaver\Images\069B6197.urr
    c:\program files\FunWebProducts\ScreenSaver\Images\101x135\04E1C1CE.jpg
    c:\program files\FunWebProducts\ScreenSaver\Images\101x135\04E52B57.jpg
    c:\program files\FunWebProducts\ScreenSaver\Images\wrkparam.lst
    c:\program files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
    c:\program files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
    c:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
    c:\program files\FunWebProducts\Shared\Cache\WebfettiBtn.html
    c:\program files\Internet Explorer\msimg32.dll
    c:\program files\MyWebSearch
    c:\program files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    c:\program files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
    c:\program files\MyWebSearch\bar\2.bin\F3BKGERR.JPG
    c:\program files\MyWebSearch\bar\2.bin\F3CJPEG.DLL
    c:\program files\MyWebSearch\bar\2.bin\F3DTactl.dll
    c:\program files\MyWebSearch\bar\2.bin\F3HISTSW.DLL
    c:\program files\MyWebSearch\bar\2.bin\F3HTmlmu.dll
    c:\program files\MyWebSearch\bar\2.bin\F3HTTPCT.DLL
    c:\program files\MyWebSearch\bar\2.bin\F3IMSTUB.DLL
    c:\program files\MyWebSearch\bar\2.bin\F3POPSWT.DLL
    c:\program files\MyWebSearch\bar\2.bin\F3PSSAVR.SCR
    c:\program files\MyWebSearch\bar\2.bin\F3REPROX.DLL
    c:\program files\MyWebSearch\bar\2.bin\F3RESTUB.DLL
    c:\program files\MyWebSearch\bar\2.bin\F3SCHMON.EXE
    c:\program files\MyWebSearch\bar\2.bin\F3SCRCTR.DLL
    c:\program files\MyWebSearch\bar\2.bin\F3SPACER.WMV
    c:\program files\MyWebSearch\bar\2.bin\F3WALLPP.DAT
    c:\program files\MyWebSearch\bar\2.bin\F3WPHOOK.DLL
    c:\program files\MyWebSearch\bar\2.bin\FWPBUDDY.PNG
    c:\program files\MyWebSearch\bar\2.bin\M3FFXTBR.JAR
    c:\program files\MyWebSearch\bar\2.bin\M3FFXTBR.MANIFEST
    c:\program files\MyWebSearch\bar\2.bin\M3HIGHIN.EXE
    c:\program files\MyWebSearch\bar\2.bin\M3HTML.DLL
    c:\program files\MyWebSearch\bar\2.bin\M3IDLE.DLL
    c:\program files\MyWebSearch\bar\2.bin\M3IMPIPE.EXE
    c:\program files\MyWebSearch\bar\2.bin\M3MEDINT.EXE
    c:\program files\MyWebSearch\bar\2.bin\M3MSg.dll
    c:\program files\MyWebSearch\bar\2.bin\M3NTSTBR.JAR
    c:\program files\MyWebSearch\bar\2.bin\M3NTSTBR.MANIFEST
    c:\program files\MyWebSearch\bar\2.bin\M3OUtlcn.dll
    c:\program files\MyWebSearch\bar\2.bin\M3PLUGIN.DLL
    c:\program files\MyWebSearch\bar\2.bin\M3SKIN.DLL
    c:\program files\MyWebSearch\bar\2.bin\M3SKPLAY.EXE
    c:\program files\MyWebSearch\bar\2.bin\M3SLSRCH.EXE
    c:\program files\MyWebSearch\bar\2.bin\M3SRCHMN.EXE
    c:\program files\MyWebSearch\bar\2.bin\MWSBAR.DLL
    c:\program files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
    c:\program files\MyWebSearch\bar\2.bin\MWSOEPLG.DLL
    c:\program files\MyWebSearch\bar\2.bin\MWSOESTB.DLL
    c:\program files\MyWebSearch\bar\2.bin\MWSSRCAS.DLL
    c:\program files\MyWebSearch\bar\2.bin\MWSSVC.EXE
    c:\program files\MyWebSearch\bar\2.bin\NPMYWEBS.DLL
    c:\program files\MyWebSearch\bar\Avatar\COMMON.F3S
    c:\program files\MyWebSearch\bar\Cache\04AD5303
    c:\program files\MyWebSearch\bar\Cache\06981D68
    c:\program files\MyWebSearch\bar\Cache\069834E8.bin
    c:\program files\MyWebSearch\bar\Cache\06983D16.bin
    c:\program files\MyWebSearch\bar\Cache\06984D23.bin
    c:\program files\MyWebSearch\bar\Cache\06985522.bin
    c:\program files\MyWebSearch\bar\Cache\12D01396.bin
    c:\program files\MyWebSearch\bar\Cache\12D01D4B
    c:\program files\MyWebSearch\bar\Cache\15DDB7DE.bin
    c:\program files\MyWebSearch\bar\Cache\15DDBF9E.bin
    c:\program files\MyWebSearch\bar\Cache\15DDC74F.bin
    c:\program files\MyWebSearch\bar\Cache\15DDCD1C.bin
    c:\program files\MyWebSearch\bar\Cache\files.ini
    c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
    c:\program files\MyWebSearch\bar\Game\CHESS.F3S
    c:\program files\MyWebSearch\bar\Game\REVERSI.F3S
    c:\program files\MyWebSearch\bar\History\search3
    c:\program files\MyWebSearch\bar\icons\CM.ICO
    c:\program files\MyWebSearch\bar\icons\MFC.ICO
    c:\program files\MyWebSearch\bar\icons\PSS.ICO
    c:\program files\MyWebSearch\bar\icons\SMILEY.ICO
    c:\program files\MyWebSearch\bar\icons\WB.ICO
    c:\program files\MyWebSearch\bar\icons\ZWINKY.ICO
    c:\program files\MyWebSearch\bar\Message\COMMON.F3S
    c:\program files\MyWebSearch\bar\Notifier\COMMON.F3S
    c:\program files\MyWebSearch\bar\Notifier\DOG.F3S
    c:\program files\MyWebSearch\bar\Notifier\FISH.F3S
    c:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S
    c:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
    c:\program files\MyWebSearch\bar\Notifier\MAID.F3S
    c:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S
    c:\program files\MyWebSearch\bar\Notifier\OPERA.F3S
    c:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S
    c:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S
    c:\program files\MyWebSearch\bar\Notifier\SURFER.F3S
    c:\program files\MyWebSearch\bar\Settings\prevcfg2.htm
    c:\program files\MyWebSearch\bar\Settings\s_pid.dat
    c:\program files\MyWebSearch\bar\Settings\setting2.htm
    c:\program files\MyWebSearch\bar\Settings\settings.dat
    c:\program files\WindowsUpdate
    c:\program files\WinPCap
    c:\program files\WinPCap\install.log
    c:\program files\WinPCap\rpcapd.exe
    c:\program files\WinPCap\WinPcapInstall.dll
    C:\test.txt
    c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
    c:\windows\system32\Cache
    c:\windows\system32\drivers\npf.sys
    c:\windows\system32\f3PSSavr.scr
    c:\windows\system32\Packet.dll
    c:\windows\system32\pthreadVC.dll
    c:\windows\system32\wpcap.dll
    D:\check_LSA7.txt
    H:\install.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_MYWEBSEARCHSERVICE
    -------\Legacy_NPF
    -------\Service_MyWebSearchService
    -------\Service_NPF


    ((((((((((((((((((((((((( Files Created from 2010-04-04 to 2010-05-04 )))))))))))))))))))))))))))))))
    .

    2014-05-01 17:01 . 2014-05-01 17:01 -------- d-----w- c:\documents and settings\All Users\Application Data\HPSSUPPLY
    2014-05-01 16:50 . 2014-05-01 16:50 -------- d-----w- C:\PSFONTS
    2010-04-27 12:35 . 2010-04-27 15:12 -------- d-----w- c:\documents and settings\Omer\Application Data\GetRightToGo
    2010-04-26 13:20 . 2010-04-26 13:20 4096 ----a-w- c:\windows\d3dx.dat
    2010-04-20 11:01 . 2010-04-20 11:01 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
    2010-04-20 11:01 . 2010-04-20 11:01 -------- d-----w- c:\windows\system32\xlive
    2010-04-20 07:49 . 2010-04-20 07:49 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
    2010-04-20 07:38 . 2010-03-03 03:20 143360 ----a-w- c:\windows\system32\atiapfxx.exe
    2010-04-20 07:35 . 2010-04-20 07:35 -------- d-----w- c:\program files\ATI
    2010-04-19 22:20 . 2010-04-20 10:54 -------- d-----w- c:\documents and settings\Omer\Local Settings\Application Data\Rockstar Games
    2010-04-19 13:22 . 2010-04-19 13:22 -------- d-----w- c:\program files\DIFX
    2010-04-19 13:12 . 2010-04-19 13:17 -------- d-----w- C:\BDS
    2010-04-19 11:22 . 2010-04-19 13:11 -------- d-----w- c:\documents and settings\Omer\Application Data\DAEMON Tools Lite
    2010-04-19 11:22 . 2010-04-19 11:22 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
    2010-04-13 11:41 . 2010-04-13 11:41 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
    2010-04-13 11:35 . 2010-04-13 11:35 -------- d-----w- c:\documents and settings\Omer\Application Data\ArcSoft
    2010-04-13 11:34 . 2010-04-13 11:35 -------- d-----w- c:\documents and settings\Omer\Application Data\HP SimpleSave Application
    2010-04-12 14:44 . 2010-04-12 14:44 -------- d-----w- c:\program files\Adobe Media Player
    2010-04-10 05:30 . 2010-04-20 10:22 -------- d-----w- c:\documents and settings\Omer\Application Data\Bioshock
    2010-04-10 05:10 . 2010-04-20 11:09 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
    2010-04-09 17:09 . 2010-04-09 17:09 49152 ----a-w- c:\windows\system32\DirSize.dll
    2010-04-05 08:41 . 2010-04-05 12:47 -------- d-----w- c:\documents and settings\Omer\Application Data\VMware
    2010-04-05 08:12 . 2010-04-05 08:40 -------- d-----w- c:\documents and settings\NetworkService\Application Data\VMware
    2010-04-05 08:10 . 2010-04-05 13:07 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-05-04 14:07 . 2009-09-02 12:17 121291552 --sha-w- c:\windows\system32\drivers\fidbox.dat
    2010-05-04 14:07 . 2009-09-02 12:17 4989216 --sha-w- c:\windows\system32\drivers\fidbox2.dat
    2010-05-04 14:01 . 2009-09-02 12:17 474908 --sha-w- c:\windows\system32\drivers\fidbox2.idx
    2010-05-04 14:01 . 2009-09-02 12:17 1641908 --sha-w- c:\windows\system32\drivers\fidbox.idx
    2010-05-04 13:59 . 2009-03-17 14:19 -------- d-----w- c:\program files\Cheat Engine
    2010-05-04 13:44 . 2009-09-02 12:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
    2010-05-04 11:12 . 2009-06-14 03:47 -------- d-----w- c:\program files\uTorrent
    2010-05-04 11:12 . 2009-06-14 03:46 -------- d-----w- c:\documents and settings\Omer\Application Data\uTorrent
    2010-05-03 14:11 . 2009-09-02 12:18 97549 ----a-w- c:\windows\system32\drivers\klick.dat
    2010-05-03 14:11 . 2009-09-02 12:18 113933 ----a-w- c:\windows\system32\drivers\klin.dat
    2010-05-01 20:38 . 2009-01-31 10:33 -------- d-----w- c:\documents and settings\Omer\Application Data\HPAppData
    2010-04-28 12:04 . 2009-02-26 14:07 -------- d-----w- c:\program files\Pando Networks
    2010-04-27 11:53 . 2008-10-31 17:27 -------- d-----w- c:\program files\studentmashov
    2010-04-20 16:53 . 2010-02-12 16:35 434360 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2010-04-20 14:17 . 2008-06-28 00:09 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-04-20 13:13 . 2008-07-21 13:45 -------- d-----w- c:\documents and settings\Omer\Application Data\mIRC
    2010-04-20 13:12 . 2008-07-21 13:45 -------- d-----w- c:\program files\mIRC
    2010-04-20 07:46 . 2009-12-08 15:58 2815932 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1659004503-1592454029-839522115-1003-0.dat
    2010-04-20 07:46 . 2009-12-08 15:58 386298 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
    2010-04-20 07:42 . 2009-05-30 19:02 -------- d-----w- c:\program files\ATI Technologies
    2010-04-20 07:38 . 2010-04-20 07:38 10134 ----a-r- c:\documents and settings\Omer\Application Data\Microsoft\Installer\{F16DCA31-4DB4-F8F6-5ED1-6FAFB7228FFF}\ARPPRODUCTICON.exe
    2010-04-19 11:24 . 2008-06-28 12:58 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
    2010-04-16 20:43 . 2010-03-31 16:50 -------- d-----w- c:\documents and settings\Omer\Application Data\wxChecksums
    2010-04-16 00:16 . 2008-06-28 20:47 -------- d-----w- c:\program files\Google
    2010-04-13 13:44 . 2009-02-10 06:01 92744 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
    2010-04-12 14:46 . 2008-06-27 23:19 -------- d-----w- c:\program files\Common Files\Adobe
    2010-04-11 11:39 . 2008-07-05 14:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-04-11 11:36 . 2009-03-11 07:45 -------- d-----w- c:\program files\AGEIA Technologies
    2010-04-11 11:30 . 2009-10-25 14:55 -------- d-----w- c:\program files\OpenAL
    2010-04-10 16:28 . 2009-11-14 15:53 -------- d-----w- c:\documents and settings\All Users\Application Data\BioWare
    2010-04-06 02:12 . 2010-04-17 17:07 114360 ----a-w- c:\documents and settings\Omer\Application Data\Mozilla\Firefox\Profiles\3y46ajbd.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
    2010-04-04 11:23 . 2008-07-02 15:29 -------- d-----w- c:\documents and settings\Omer\Application Data\Skype
    2010-04-04 11:23 . 2008-07-02 15:30 -------- d-----w- c:\documents and settings\Omer\Application Data\skypePM
    2010-04-02 17:18 . 2010-04-03 12:38 52224 ----a-w- c:\documents and settings\Omer\Application Data\Mozilla\Firefox\Profiles\3y46ajbd.default\extensions\{02549309-0dbb-41e7-8366-768cfe100341}\components\FFExternalAlert.dll
    2010-04-02 17:18 . 2010-04-03 12:38 101376 ----a-w- c:\documents and settings\Omer\Application Data\Mozilla\Firefox\Profiles\3y46ajbd.default\extensions\{02549309-0dbb-41e7-8366-768cfe100341}\components\RadioWMPCore.dll
    2010-04-02 12:09 . 2010-04-03 14:28 52224 ----a-w- c:\documents and settings\Omer\Application Data\Mozilla\Firefox\Profiles\3y46ajbd.default\extensions\{0d6451b1-a91e-435e-ba58-134ec4797456}\components\FFExternalAlert.dll
    2010-04-02 12:09 . 2010-04-03 14:28 101376 ----a-w- c:\documents and settings\Omer\Application Data\Mozilla\Firefox\Profiles\3y46ajbd.default\extensions\{0d6451b1-a91e-435e-ba58-134ec4797456}\components\RadioWMPCore.dll
    2010-04-02 09:25 . 2010-04-02 09:24 -------- d-----w- c:\program files\TextMe
    2010-04-01 17:22 . 2010-04-01 17:22 -------- d-----w- c:\documents and settings\All Users\Application Data\HideIPEasy
    2010-04-01 17:22 . 2010-04-01 17:22 -------- d-----w- c:\documents and settings\Omer\Application Data\HideIPEasy
    2010-03-31 11:51 . 2009-09-23 10:54 3930788 ----a-w- c:\documents and settings\Omer\test.zip
    2010-03-31 10:43 . 2008-07-03 14:20 -------- d-----w- c:\program files\SystemRequirementsLab
    2010-03-29 15:16 . 2010-03-29 15:16 185 ----a-w- c:\windows\winnit.reg
    2010-03-24 18:51 . 2010-03-24 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2010-03-24 18:51 . 2010-03-24 18:51 -------- d-----w- c:\documents and settings\Omer\Application Data\Office Genuine Advantage
    2010-03-23 13:04 . 2008-07-01 17:17 -------- d-----w- c:\documents and settings\Omer\Application Data\Ubisoft
    2010-03-23 13:04 . 2008-07-01 16:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Ubisoft
    2010-03-23 13:01 . 2010-03-23 13:01 -------- d-----w- c:\program files\Ubisoft
    2010-03-23 06:15 . 2009-12-06 04:45 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-03-10 06:15 . 2001-08-23 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
    2010-03-03 04:21 . 2008-06-27 23:57 4630016 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
    2010-03-03 04:07 . 2009-05-30 19:02 311296 ----a-w- c:\windows\system32\atiiiexx.dll
    2010-03-03 04:02 . 2009-04-29 01:20 45056 ----a-w- c:\windows\system32\aticalrt.dll
    2010-03-03 04:02 . 2009-04-29 01:20 45056 ----a-w- c:\windows\system32\aticalcl.dll
    2010-03-03 04:01 . 2009-04-29 01:18 3641344 ----a-w- c:\windows\system32\aticaldd.dll
    2010-03-03 03:44 . 2009-03-04 04:08 14262272 ----a-w- c:\windows\system32\atioglxx.dll
    2010-03-03 03:40 . 2009-05-30 19:02 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
    2010-03-03 03:40 . 2008-06-27 23:57 3616096 ----a-w- c:\windows\system32\ati3duag.dll
    2010-03-03 03:39 . 2008-06-27 23:57 301056 ----a-w- c:\windows\system32\ati2dvag.dll
    2010-03-03 03:24 . 2009-03-04 04:25 208896 ----a-w- c:\windows\system32\atipdlxx.dll
    2010-03-03 03:24 . 2008-06-27 23:57 2232320 ----a-w- c:\windows\system32\ativvaxx.dll
    2010-03-03 03:24 . 2009-03-04 04:25 155648 ----a-w- c:\windows\system32\Oemdspif.dll
    2010-03-03 03:24 . 2009-05-30 19:02 887724 ----a-w- c:\windows\system32\ativva6x.dat
    2010-03-03 03:24 . 2009-05-30 19:02 3 ----a-w- c:\windows\system32\ativva5x.dat
    2010-03-03 03:24 . 2009-03-04 04:24 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
    2010-03-03 03:24 . 2009-03-04 04:24 43520 ----a-w- c:\windows\system32\ati2edxx.dll
    2010-03-03 03:23 . 2009-03-04 04:24 159744 ----a-w- c:\windows\system32\ati2evxx.dll
    2010-03-03 03:22 . 2009-03-04 04:23 602112 ----a-w- c:\windows\system32\ati2evxx.exe
    2010-03-03 03:21 . 2009-03-04 04:21 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
    2010-03-03 03:16 . 2009-03-04 03:38 565248 ----a-w- c:\windows\system32\atikvmag.dll
    2010-03-03 03:15 . 2009-03-04 03:36 184320 ----a-w- c:\windows\system32\atiadlxx.dll
    2010-03-03 03:14 . 2009-03-04 03:35 17408 ----a-w- c:\windows\system32\atitvo32.dll
    2010-03-03 03:14 . 2009-03-04 03:28 393216 ----a-w- c:\windows\system32\atiok3x2.dll
    2010-03-03 03:09 . 2008-06-27 23:57 638976 ----a-w- c:\windows\system32\ati2cqag.dll
    2010-03-03 03:07 . 2009-03-04 03:35 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
    2010-03-03 03:07 . 2009-04-29 01:26 65024 ----a-w- c:\windows\system32\atimpc32.dll
    2010-03-03 03:07 . 2009-03-04 03:42 65024 ----a-w- c:\windows\system32\amdpcom32.dll
    2010-02-28 14:59 . 2010-02-28 14:59 58 ----a-w- c:\windows\system32\DonationCoder_ScreenshotCaptor_InstallInfo.dat
    2010-02-28 14:59 . 2010-02-28 14:59 58 ----a-w- c:\documents and settings\Omer\Local Settings\Application Data\DonationCoder_ScreenshotCaptor_InstallInfo.dat
    2010-02-25 19:55 . 2009-05-30 19:02 201875 ----a-w- c:\windows\system32\atiicdxx.dat
    2010-02-25 06:24 . 2001-08-23 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-02-14 18:17 . 2010-02-20 11:12 651776 ----a-w- c:\documents and settings\Omer\Application Data\Mozilla\Firefox\Profiles\3y46ajbd.default\extensions\[email protected]\platform\WINNT_x86-msvc\components\lpxpcom.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
    @="{C5994560-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
    2009-08-13 16:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
    @="{C5994561-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
    2009-08-13 16:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
    @="{C5994562-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
    2009-08-13 16:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
    @="{C5994563-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
    2009-08-13 16:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
    @="{C5994564-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
    2009-08-13 16:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
    @="{C5994565-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
    2009-08-13 16:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
    @="{C5994566-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
    2009-08-13 16:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
    @="{C5994567-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
    2009-08-13 16:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
    @="{C5994568-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
    2009-08-13 16:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
    "SteamUp"="k:\program files\Cracked Steam\steam.exe" [2010-04-27 1238352]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "librtexec"="javaw -jar" [X]
    "RTHDCPL"="RTHDCPL.EXE" [2007-09-19 16844800]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]
    "MP10_EnsureFileVer"="c:\windows\inf\unregmp2.exe" [2008-04-14 208896]
    "CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
    "Flashget"="h:\program files\FlashGet\flashget.exe" [2007-09-25 2007088]
    "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
    "StartCCC"="k:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-03-02 98304]
    "AVP"="h:\program files\Kaspersky Anti-Virus 6.0\avp.exe" [2009-09-02 231952]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=h:\progra~1\KASPER~1.0\adialhk.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Axiom Shift Updater for GuildPortal.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Axiom Shift Updater for GuildPortal.lnk
    backup=c:\windows\pss\Axiom Shift Updater for GuildPortal.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GammaTray.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GammaTray.lnk
    backup=c:\windows\pss\GammaTray.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
    backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Omer^Start Menu^Programs^Startup^CurseClientStartup.ccip]
    path=c:\documents and settings\Omer\Start Menu\Programs\Startup\CurseClientStartup.ccip
    backup=c:\windows\pss\CurseClientStartup.ccipStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 3]
    2009-04-30 18:22 2329936 ----a-w- c:\program files\IObit\Advanced SystemCare 3\AWC.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
    2007-09-25 08:10 2007088 ----a-w- h:\program files\FlashGet\flashget.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2009-09-21 14:36 305440 ----a-w- h:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    2009-07-26 14:43 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-09-04 23:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2009-10-09 11:11 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    2010-04-22 16:53 1238352 ----a-w- h:\program files\Steam\Steam.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Turbine Download Manager Tray Icon]
    2008-06-06 10:54 458752 ----a-w- h:\program files\Turbine\Turbine Download Manager - Soundtrack\TurbineDownloadManagerIcon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipBuster]
    2009-05-11 14:00 9017648 ----a-w- c:\program files\VoipBuster.com\VoipBuster\voipbuster.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "_MySQL"=2 (0x2)
    "SoundtrackTurbineNetworkService"=3 (0x3)
    "SoundtrackTurbineMessageService"=2 (0x2)
    "PnkBstrA"=2 (0x2)
    "npkcmsvc"=2 (0x2)
    "npggsvc"=3 (0x3)
    "nlsvc"=2 (0x2)
    "MyWebSearchService"=2 (0x2)
    "MySQL4"=2 (0x2)
    "MySQL1"=2 (0x2)
    "MySQL"=2 (0x2)
    "gusvc"=2 (0x2)
    "gupdate1c989f4ad069e8c"=2 (0x2)
    "MDM"=2 (0x2)
    "LVPrcSrv"=2 (0x2)
    "idsvc"=3 (0x3)
    "Bonjour Service"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\IEPro\\MiniDM.exe"=
    "h:\\Program Files\\FlashGet\\flashget.exe"=
    "h:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
    "h:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
    "h:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
    "c:\\Program Files\\VoipBuster.com\\VoipBuster\\VoipBuster.exe"=
    "e:\\Program Files\\TianCity\\PopKart\\M01\\Patcher.exe"=
    "h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
    "h:\\Program Files\\Prototype\\prototypef.exe"=
    "h:\\Program Files\\Turbine\\Turbine Download Manager - Soundtrack\\TurbineNetworkService.exe"=
    "h:\\Program Files\\Turbine\\Turbine Download Manager - Soundtrack\\TurbineMessageService.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "h:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "h:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "h:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "h:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "h:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "h:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "h:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "h:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
    "h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
    "h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
    "h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
    "h:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
    "h:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
    "c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
    "h:\\Program Files\\Ubisoft\\Assassin's Creed II\\AssassinsCreedIIGame.exe"=
    "h:\\Program Files\\Ubisoft\\Assassin's Creed II\\AssassinsCreedII.exe"=
    "h:\\Program Files\\Ubisoft\\Assassin's Creed II\\UPlayBrowser.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "h:\\Program Files\\Steam\\steamapps\\common\\r.u.s.e. beta\\Ruse.exe"=
    "h:\\Program Files\\Steam\\steamapps\\common\\call of duty modern warfare 2\\iw4mp.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
    "h:\\Program Files\\Steam\\Steam.exe"=
    "h:\\Program Files\\Steam\\steamapps\\common\\empire total war\\Empire.exe"=
    "h:\\Program Files\\Steam\\steamapps\\common\\defensegridtheawakening\\DefenseGrid.exe"=
    "h:\\Program Files\\Steam\\steamapps\\common\\napoleon total war\\Napoleon.exe"=
    "h:\\Program Files\\Steam\\steamapps\\common\\torchlight\\Torchlight.exe"=
    "h:\\Program Files\\Steam\\steamapps\\common\\rome total war gold\\RomeTW.exe"=
    "h:\\Program Files\\Steam\\steamapps\\common\\rome total war gold\\RomeTW-BI.exe"=
    "h:\\Program Files\\Steam\\steamapps\\common\\medieval ii total war\\Launcher.exe"=
    "k:\\Program Files\\Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "58563:TCP"= 58563:TCP:pando Media Booster
    "58563:UDP"= 58563:UDP:pando Media Booster
    "5353:TCP"= 5353:TCP:Adobe CSI CS4

    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [28/06/2008 15:58 691696]
    R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [23/04/2007 14:03 82200]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [30/05/2007 17:49 24344]
    S2 clr_optimization_v4.0.21006_32;Microsoft .NET Framework NGEN v4.0.21006_X86;c:\windows\Microsoft.NET\Framework\v4.0.21006\mscorsvw.exe [07/10/2009 03:44 129856]
    S3 cpuz130;cpuz130;\??\c:\docume~1\Omer\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Omer\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
    S3 EverestDriver;Lavalys EVEREST Kernel Driver;d:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [12/04/2008 19:28 22640]
    S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [10/03/2006 16:55 39424]
    S3 MsDepSvc;Web Deployment Agent Service;c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe [09/09/2009 13:13 55176]
    S3 VSPerfDrv;Performance Tools Driver;h:\program files\Microsoft Visual Studio 8\Team Tools\Performance Tools\VSPerfDrv.sys [23/09/2005 03:42 54464]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.21006\WPF\WPFFontCache_v0400.exe [07/10/2009 03:44 752984]
    S4 _MySQL;_MySQL;"e:\program files\MySQL\Copy of MySQL Server 5.0\bin\mysqld-nt" --defaults-file="e:\program files\MySQL\Copy of MySQL Server 5.0\my.ini" _MySQL --> e:\program files\MySQL\Copy of MySQL Server 5.0\bin\mysqld-nt [?]
    S4 gupdate1c989f4ad069e8c;Google Update Service (gupdate1c989f4ad069e8c);c:\program files\Google\Update\GoogleUpdate.exe [08/02/2009 16:53 133104]
    S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [23/07/2009 06:08 47128]
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;h:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [23/09/2005 08:01 2799808]
    S4 MySQL1;MySQL1;"e:\program files\MySQL\Copy of MySQL Server 5.0\bin\mysqld-nt" --defaults-file="e:\program files\MySQL\Copy of MySQL Server 5.0\my.ini" MySQL1 --> e:\program files\MySQL\Copy of MySQL Server 5.0\bin\mysqld-nt [?]
    S4 MySQL4;MySQL4;"e:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt" --defaults-file="e:\program files\MySQL\MySQL Server 5.0\my.ini" MySQL4 --> e:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt [?]
    S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [30/03/2009 04:09 239336]
    S4 SoundtrackTurbineMessageService;Turbine Message Service - Soundtrack;h:\program files\Turbine\Turbine Download Manager - Soundtrack\TurbineMessageService.exe [02/03/2009 15:48 249856]
    S4 SoundtrackTurbineNetworkService;Turbine Network Service - Soundtrack;h:\program files\Turbine\Turbine Download Manager - Soundtrack\TurbineNetworkService.exe [02/03/2009 15:48 212992]
    S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [30/03/2009 04:23 366936]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-05-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-08 13:53]

    2010-05-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-08 13:53]

    2010-05-04 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 13:07]

    2014-05-01 c:\windows\Tasks\User_Feed_Synchronization-{6AB3E863-78F6-4D0D-8DEF-1E8590F4DC28}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 01:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.il/
    uInternet Settings,ProxyOverride = local;*.local;<local>
    IE: &Download with FlashGet - h:\program files\FlashGet\jc_link.htm
    IE: &Download all with FlashGet - h:\program files\FlashGet\jc_all.htm
    IE: &Export to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: {803C38B3-87A0-4405-A9EB-8A6AF690E470} = 192.168.1.1
    DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
    FF - ProfilePath - c:\documents and settings\Omer\Application Data\Mozilla\Firefox\Profiles\3y46ajbd.default\
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - component: c:\documents and settings\Omer\Application Data\Mozilla\Firefox\Profiles\3y46ajbd.default\extensions\{02549309-0dbb-41e7-8366-768cfe100341}\components\FFExternalAlert.dll
    FF - component: c:\documents and settings\Omer\Application Data\Mozilla\Firefox\Profiles\3y46ajbd.default\extensions\{02549309-0dbb-41e7-8366-768cfe100341}\components\RadioWMPCore.dll
    FF - component: c:\documents and settings\Omer\Application Data\Mozilla\Firefox\Profiles\3y46ajbd.default\extensions\{0d6451b1-a91e-435e-ba58-134ec4797456}\components\FFExternalAlert.dll
    FF - component: c:\documents and settings\Omer\Application Data\Mozilla\Firefox\Profiles\3y46ajbd.default\extensions\{0d6451b1-a91e-435e-ba58-134ec4797456}\components\RadioWMPCore.dll
    FF - component: c:\documents and settings\Omer\Application Data\Mozilla\Firefox\Profiles\3y46ajbd.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
    FF - component: c:\documents and settings\Omer\Application Data\Mozilla\Firefox\Profiles\3y46ajbd.default\extensions\[email protected]\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
    FF - component: c:\documents and settings\Omer\Application Data\Mozilla\Firefox\Profiles\3y46ajbd.default\extensions\[email protected]\platform\WINNT_x86-msvc\components\lpxpcom.dll
    FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff36\gears.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMyWebS.dll
    FF - plugin: h:\program files\iTunes\Mozilla Plugins\npitunes.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: network.proxy.type - 0
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-BitTorrent DNA - c:\program files\DNA\btdna.exe
    MSConfigStartUp-CurseClient - c:\program files\Curse\CurseClient.exe
    MSConfigStartUp-DAEMON Tools - c:\program files\DAEMON Tools\daemon.exe
    MSConfigStartUp-igndlm - c:\program files\Download Manager\DLM.exe
    MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    MSConfigStartUp-uTorrent - c:\program files\uTorrent\uTorrent.exe
    AddRemove-Blue Byte Game Channel - h:\bluebyte\BBGC\uninst.dll
    AddRemove-S4Uninst - h:\bluebyte\The Settlers IV\uninst.isu
    AddRemove-Steam App 21970 - h:\program files\Cracked Steam\steam.exe
    AddRemove-UMS 9.7 demonew - c:\program files\Universal Math Solver\UMS 9.7 demonew\uninstall.exe
    AddRemove-Zygor Guides - h:\program files\World of Warcraft\Interface\Addons\ZygorGuidesViewer\uninst.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-05-04 17:06
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll sfsync02.sys atapi.sys spvq.sys >>UNKNOWN [0x8B38C938]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xba0fcf28
    \Driver\ACPI -> ACPI.sys @ 0xb9e74cb8
    \Driver\atapi -> sfsync02.sys @ 0xba0c98b4
    IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
    SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
    SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
    NDIS: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xb9cffbb0
    PacketIndicateHandler -> NDIS.sys @ 0xb9d0ca21
    SendHandler -> NDIS.sys @ 0xb9cea87b
    user & kernel MBR OK

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MsDepSvc]
    "ImagePath"="\"c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe\" -runService:MsDepSvc"

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
    "ImagePath"="\??\d:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt"

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
    "ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0.27\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0.27\my.ini\" MySQL"

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL1]
    "ImagePath"="\"e:\program files\MySQL\Copy of MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"e:\program files\MySQL\Copy of MySQL Server 5.0\my.ini\" MySQL1"

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL4]
    "ImagePath"="\"e:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"e:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL4"

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\_MySQL]
    "ImagePath"="\"e:\program files\MySQL\Copy of MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"e:\program files\MySQL\Copy of MySQL Server 5.0\my.ini\" _MySQL"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1659004503-1592454029-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{119D5155-366B-884A-E2CC-C2F402E6222B}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    "halmggnhopndfiaj"=hex:6e,61,69,6e,6e,65,6c,65,67,63,63,64,64,62,6b,68,70,67,
    64,68,66,70,70,6a,68,62,62,70,00,00
    "jammbhniobccffhmbdcp"=hex:6f,61,6d,6d,6f,68,6d,67,6a,6f,65,6f,64,62,66,64,64,
    64,63,6d,6e,6b,62,63,6b,68,67,66,64,6b,00,00

    [HKEY_USERS\S-1-5-21-1659004503-1592454029-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:cb,50,1c,0d,a7,f1,9a,ea,85,4f,85,fe,03,f7,88,18,82,83,70,17,f8,4e,f3,
    95,28,46,fa,26,dc,f9,31,8f,ea,7f,f0,1e,9b,9d,3e,0f,7a,02,75,dc,4b,cf,a6,11,\
    "??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

    [HKEY_USERS\S-1-5-21-1659004503-1592454029-839522115-1003\Software\SecuROM\License information*]
    "datasecu"=hex:44,06,4c,e7,fc,ac,e4,cf,7f,de,db,c0,78,77,01,1e,89,04,6b,65,d2,
    7d,51,d1,6d,f2,1a,a0,96,1c,21,ac,7b,a8,33,05,f3,bc,49,0f,83,dc,24,50,08,87,\
    "rkeysecu"=hex:0c,57,68,4a,90,6c,7b,58,d3,a2,20,d2,6b,00,d4,8f
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(832)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\atiadlxx.dll
    c:\windows\system32\klogon.dll
    c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

    - - - - - - - > 'explorer.exe'(1896)
    c:\windows\system32\WININET.dll
    h:\program files\FlashGet\fgmgr.dll
    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    c:\program files\TortoiseSVN\bin\TortoiseStub.dll
    c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
    c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\windows\system32\inetsrv\inetinfo.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\MagicTune Premium\MagicTuneEngine.exe
    c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\windows\RTHDCPL.EXE
    c:\program files\TortoiseSVN\bin\TSVNCache.exe
    k:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    c:\program files\Windows Live\Contacts\wlcomm.exe
    k:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\MagicTune Premium\MagicTune.exe
    .
    **************************************************************************
    .
    Completion time: 2010-05-04 17:15:32 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-05-04 14:15

    Pre-Run: 3,544,477,696 bytes free
    Post-Run: 4,051,795,968 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn /usepmtimer

    - - End Of File - - 9E0944A84B04E3B58E2CCFDC79034AB7
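Reading a ComboFix report this long, a responder goes to a few settings first: whether the Windows Firewall is on and what is whitelisted through it, which ports are globally open, where every autorun and driver entry points, and whether Security Center has been told to stop monitoring the antivirus. In the report above the firewall is off ("EnableFirewall"= 0), Security Center monitoring of Kaspersky is disabled, one HKCU Run entry starts "k:\program files\Cracked Steam\steam.exe", an HKLM Run entry's target cannot be found on disk (ComboFix marks those [X]), and a kernel driver (cpuz130) is registered from the user's Temp folder. The script below is an added example written for this page; it is not part of the thread and not a ComboFix feature. Its SAMPLE_REPORT is copied from the report above, while the severity labels, category names and the path patterns it treats as suspicious are this example's own choices.

```python
"""Triage the settings a responder checks first in a ComboFix-style report.

Added example, not part of the thread and not a ComboFix feature. SAMPLE_REPORT
is copied from the report posted in the thread; the severity scale, category
names and "suspicious path" patterns are this example's own conventions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "info": this example's own scale
    category: str
    detail: str


SAMPLE_REPORT = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SteamUp"="k:\program files\Cracked Steam\steam.exe" [2010-04-27 1238352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"librtexec"="javaw -jar" [X]
"AVP"="h:\program files\Kaspersky Anti-Virus 6.0\avp.exe" [2009-09-02 231952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=h:\progra~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58563:TCP"= 58563:TCP:pando Media Booster
"58563:UDP"= 58563:UDP:pando Media Booster
"5353:TCP"= 5353:TCP:Adobe CSI CS4

S3 cpuz130;cpuz130;\??\c:\docume~1\Omer\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Omer\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
"""

# Path fragments this example treats as worth a second look: pirated software
# and anything started from a user's Temp directory.
SUSPICIOUS_PATH = re.compile(r"cracked|\\temp\\|locals~1\\temp", re.IGNORECASE)
VALUE_LINE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')        # "name"=value
SERVICE_LINE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.*)$")  # R0..S4 name;desc;image
OPEN_PORT = re.compile(r"^(\d+):(TCP|UDP):(.*)$", re.IGNORECASE)
DWORD = re.compile(r"^dword:([0-9a-f]+)$", re.IGNORECASE)


def target_path(value: str) -> str:
    """Return the path from a ComboFix value such as '"c:\\x.exe" [date size]'."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(" [", 1)[0]


def triage(report: str) -> list[Finding]:
    findings: list[Finding] = []
    key = ""
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()           # registry key the next values belong to
            continue
        svc = SERVICE_LINE.match(line)
        if svc:
            name, image = svc.group(1), svc.group(2).split(" --> ", 1)[0]
            if SUSPICIOUS_PATH.search(image):
                # CPU-Z really does load its driver from Temp: a prompt to
                # verify the file, not a verdict.
                findings.append(Finding("medium", "driver-from-temp", f"{name}: {image}"))
            continue
        m = VALUE_LINE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        lname = name.lower()
        if "firewallpolicy" in key and lname == "enablefirewall":
            if value.startswith("0"):
                findings.append(Finding("high", "firewall-disabled", key))
        elif "security center\\monitoring" in key and lname == "disablemonitoring":
            d = DWORD.match(value)
            if d and int(d.group(1), 16) != 0:
                findings.append(Finding("medium", "security-center-monitoring-off",
                                        key.rsplit("\\", 1)[-1]))
        elif key.endswith("globallyopenports\\list"):
            p = OPEN_PORT.match(value)
            if p:
                findings.append(Finding("medium", "open-port",
                                        f"{p.group(1)}/{p.group(2).upper()} for {p.group(3)}"))
        elif key.endswith("\\run"):
            path = target_path(value)
            if value.endswith("[X]"):           # ComboFix: target not found on disk
                findings.append(Finding("medium", "autorun-target-missing", f"{name}: {path}"))
            elif SUSPICIOUS_PATH.search(path):
                findings.append(Finding("high", "autorun-suspicious-path", f"{name}: {path}"))
        elif lname == "appinit_dlls" and value:
            # Loaded into every user-mode process: confirm the DLL belongs to
            # the product named in its path (here Kaspersky).
            findings.append(Finding("info", "appinit-dll", value))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.severity:>6}] {f.category}: {f.detail}")
```

Run it as a script to print the findings, or call triage() on the full text of a report. Two caveats are kept in the code on purpose: CPU-Z does legitimately load its hardware probe from a .sys dropped in Temp, so that finding is a prompt to check the file rather than a verdict, and a non-empty AppInit_DLLs is reported as information only, because every user-mode process loads it and that is reason enough to confirm the DLL really belongs to the product its path names.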
     
  9. omer681

    omer681 Thread Starter

    Joined:
    Sep 13, 2007
    Messages:
    24
    By the way, the problem still exists.
    What's strange is that in the 1-2 hours after ComboFix finished running, it wasn't slow anymore, but now it is slow again. It happened a few times before - the slowness comes and goes "randomly".
     
  10. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,452
    First Name:
    Derek
    First, uninstall Daemon Tools.

    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

    Do not re-enable these drivers until otherwise instructed.

    Then run GMER again and see if it will run.

    It looks like a rootkit, but I am not 100% certain, as Daemon Tools can mask many entries and cause GMER to crash.
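dvk01's read above is that the scanner output looks like a rootkit but Daemon Tools may be masking entries. Two listings in this thread can be checked against each other rather than eyeballed separately: the Stealth MBR detector block in the ComboFix log names the module behind each hooked address (for example \Driver\atapi -> sfsync02.sys @ 0xba0c98b4), and TDSSKiller, whose log omer681 posts later in the thread, prints every driver's IRP dispatch table. Windows initialises all of a driver's MajorFunction slots to the kernel's invalid-request stub, so the one address every table shares (804F4562 in these logs) is that stub, and a driver's real handlers live inside its own image and so sit close together; a handler far from the others is in somebody else's image. The script below is an added example written for this page, not part of the thread and not a feature of TDSSKiller or GMER; its sample lines are copied from the two logs, and the 1 MiB distance window and the most-frequent-address rule for finding the stub are this example's own heuristics.

```python
"""Cross-check kernel dispatch addresses between two rootkit-scanner logs.

Added example, not from the thread or from either scanner. Sample lines are
copied from the logs in the thread; the outlier rule is this example's own.
"""
import re
from collections import Counter
from statistics import median

MBR_DETECTOR_SAMPLE = r"""
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0fcf28
\Driver\ACPI -> ACPI.sys @ 0xb9e74cb8
\Driver\atapi -> sfsync02.sys @ 0xba0c98b4
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
user & kernel MBR OK
"""

TDSSKILLER_SAMPLE = r"""
19:42:56:656 2948 Driver Name: USBSTOR
19:42:56:656 2948 IRP_MJ_CREATE : BA4A5218
19:42:56:656 2948 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
19:42:56:656 2948 IRP_MJ_CLOSE : BA4A5218
19:42:56:656 2948 IRP_MJ_READ : BA4A523C
19:42:56:656 2948 IRP_MJ_QUERY_INFORMATION : 804F4562
19:42:56:656 2948 IRP_MJ_DEVICE_CONTROL : BA4A5180
19:42:56:656 2948 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0C98B4
19:42:56:656 2948 IRP_MJ_SHUTDOWN : 804F4562
19:42:56:656 2948 IRP_MJ_POWER : BA4A45F0
19:42:56:703 2948 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
19:42:56:703 2948 Driver Name: Disk
19:42:56:703 2948 IRP_MJ_CREATE : BA0FEBB0
19:42:56:703 2948 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
19:42:56:703 2948 IRP_MJ_CLOSE : BA0FEBB0
19:42:56:703 2948 IRP_MJ_READ : BA0F8D1F
19:42:56:703 2948 IRP_MJ_QUERY_INFORMATION : 804F4562
19:42:56:703 2948 IRP_MJ_FLUSH_BUFFERS : BA0F92E2
19:42:56:703 2948 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0FCF28
19:42:56:703 2948 IRP_MJ_CLEANUP : 804F4562
19:42:56:703 2948 IRP_MJ_POWER : BA0FAC82
"""

HOOK_LINE = re.compile(r"^\\Driver\\(\S+) -> (\S+) @ 0x([0-9a-fA-F]+)$")
DRIVER_LINE = re.compile(r"Driver Name: (\S+)\s*$")
IRP_LINE = re.compile(r"(IRP_MJ_\w+) : ([0-9A-Fa-f]{8})\s*$")


def parse_hooks(text):
    """Map hooked address -> (driver object, module the detector blamed)."""
    hooks = {}
    for line in text.splitlines():
        m = HOOK_LINE.match(line.strip())
        if m:
            hooks[int(m.group(3), 16)] = (m.group(1), m.group(2))
    return hooks


def parse_tdss(text):
    """Map driver name -> {IRP major: handler address} from TDSSKiller output."""
    tables, current = {}, None
    for line in text.splitlines():
        d = DRIVER_LINE.search(line)
        if d:
            current = d.group(1)
            tables[current] = {}
            continue
        i = IRP_LINE.search(line)
        if i and current is not None:
            tables[current][i.group(1)] = int(i.group(2), 16)
    return tables


def kernel_stub(tables):
    """Address every driver shares for majors it does not implement.

    Windows points each unused MajorFunction slot at the kernel's invalid-
    request stub, so the most frequent address across all tables is that stub.
    Caveat: a hook written identically into every driver would also win this
    count; the module attribution from the other scanner is the second check.
    """
    counts = Counter(a for t in tables.values() for a in t.values())
    return counts.most_common(1)[0][0]


def analyze(tdss_text, hook_text, window=0x100000):
    """Flag handlers that sit far from the rest of their driver's routines.

    `window` (1 MiB, an assumption of this example) is the distance from the
    driver's median handler beyond which an entry is treated as living in a
    different image; such entries are looked up in the MBR detector's list.
    """
    tables, hooks = parse_tdss(tdss_text), parse_hooks(hook_text)
    stub = kernel_stub(tables)
    flagged = []
    for driver, table in tables.items():
        own = [a for a in table.values() if a != stub]
        if not own:
            continue
        centre = median(own)
        for major, addr in table.items():
            if addr != stub and abs(addr - centre) > window:
                flagged.append({"driver": driver, "major": major, "address": addr,
                                "attributed_to": hooks.get(addr, (None, None))[1]})
    return flagged


def attributed(tdss_text, hook_text):
    """Every dispatch entry whose address the MBR detector tied to a module."""
    tables, hooks = parse_tdss(tdss_text), parse_hooks(hook_text)
    return [(driver, major, hooks[addr][1])
            for driver, table in tables.items()
            for major, addr in table.items() if addr in hooks]


if __name__ == "__main__":
    for hit in analyze(TDSSKILLER_SAMPLE, MBR_DETECTOR_SAMPLE):
        print(f"{hit['driver']}.{hit['major']} = {hit['address']:08X} "
              f"-> {hit['attributed_to'] or 'unknown module'}")
```

On the sample the only outlier is USBSTOR's IRP_MJ_INTERNAL_DEVICE_CONTROL at BA0C98B4, the same address the MBR detector attributed to sfsync02.sys, a StarForce copy-protection driver that hooks the storage stack and is a common find on machines with many games; it accounts for a "hook" verdict without by itself explaining the outgoing mail. disk.sys's handler pointing into CLASSPNP.SYS is expected, since disk.sys is built on that class driver and lets it supply the dispatch routines. The distance rule would miss a hook installed at the same address in every driver, which is why the module attribution from the second scanner is kept as an independent check rather than folded into the heuristic.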
     
  11. omer681

    omer681 Thread Starter

    Joined:
    Sep 13, 2007
    Messages:
    24
    Strange, I uninstalled Daemon Tools when you asked me to bring the GMER log...
    Anyway I'll run the tool.
     
  12. omer681

    omer681 Thread Starter

    Joined:
    Sep 13, 2007
    Messages:
    24
    After I ran the tool to disable the CD emulation driver, GMER is still crashing my computer.
     
  13. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,452
    First Name:
    Derek
  14. omer681

    omer681 Thread Starter

    Joined:
    Sep 13, 2007
    Messages:
    24
    I posted the log that was created on C:\, called TDSSKiller.2.2.8.1_05.05.2010_19.42.48_log.txt


    19:42:48:171 2948 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
    19:42:48:171 2948 ================================================================================
    19:42:48:171 2948 SystemInfo:

    19:42:48:171 2948 OS Version: 5.1.2600 ServicePack: 3.0
    19:42:48:171 2948 Product type: Workstation
    19:42:48:171 2948 ComputerName: OMER2
    19:42:48:171 2948 UserName: Omer
    19:42:48:171 2948 Windows directory: C:\WINDOWS
    19:42:48:171 2948 Processor architecture: Intel x86
    19:42:48:171 2948 Number of processors: 4
    19:42:48:171 2948 Page size: 0x1000
    19:42:48:171 2948 Boot type: Normal boot
    19:42:48:171 2948 ================================================================================
    19:42:48:171 2948 UnloadDriverW: NtUnloadDriver error 2
    19:42:48:171 2948 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
    19:42:55:890 2948 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
    19:42:55:968 2948 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    19:42:55:968 2948 wfopen_ex: Trying to KLMD file open
    19:42:55:968 2948 wfopen_ex: File opened ok (Flags 2)
    19:42:55:968 2948 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
    19:42:56:000 2948 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    19:42:56:000 2948 wfopen_ex: Trying to KLMD file open
    19:42:56:000 2948 wfopen_ex: File opened ok (Flags 2)
    19:42:56:000 2948 Initialize success
    19:42:56:000 2948
    19:42:56:000 2948 Scanning Services ...
    19:42:56:609 2948 Raw services enum returned 404 services
    19:42:56:625 2948
    19:42:56:625 2948 Scanning Kernel memory ...
    19:42:56:625 2948 Devices to scan: 15
    19:42:56:625 2948
    19:42:56:625 2948 Driver Name: Disk
    19:42:56:625 2948 IRP_MJ_CREATE : BA0FEBB0
    19:42:56:625 2948 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
    19:42:56:625 2948 IRP_MJ_CLOSE : BA0FEBB0
    19:42:56:625 2948 IRP_MJ_READ : BA0F8D1F
    19:42:56:625 2948 IRP_MJ_WRITE : BA0F8D1F
    19:42:56:625 2948 IRP_MJ_QUERY_INFORMATION : 804F4562
    19:42:56:625 2948 IRP_MJ_SET_INFORMATION : 804F4562
    19:42:56:625 2948 IRP_MJ_QUERY_EA : 804F4562
    19:42:56:625 2948 IRP_MJ_SET_EA : 804F4562
    19:42:56:625 2948 IRP_MJ_FLUSH_BUFFERS : BA0F92E2
    19:42:56:625 2948 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
    19:42:56:625 2948 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
    19:42:56:625 2948 IRP_MJ_DIRECTORY_CONTROL : 804F4562
    19:42:56:625 2948 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
    19:42:56:625 2948 IRP_MJ_DEVICE_CONTROL : BA0F93BB
    19:42:56:625 2948 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0FCF28
    19:42:56:625 2948 IRP_MJ_SHUTDOWN : BA0F92E2
    19:42:56:625 2948 IRP_MJ_LOCK_CONTROL : 804F4562
    19:42:56:625 2948 IRP_MJ_CLEANUP : 804F4562
    19:42:56:625 2948 IRP_MJ_CREATE_MAILSLOT : 804F4562
    19:42:56:625 2948 IRP_MJ_QUERY_SECURITY : 804F4562
    19:42:56:625 2948 IRP_MJ_SET_SECURITY : 804F4562
    19:42:56:625 2948 IRP_MJ_POWER : BA0FAC82
    19:42:56:625 2948 IRP_MJ_SYSTEM_CONTROL : BA0FF99E
    19:42:56:625 2948 IRP_MJ_DEVICE_CHANGE : 804F4562
    19:42:56:625 2948 IRP_MJ_QUERY_QUOTA : 804F4562
    19:42:56:625 2948 IRP_MJ_SET_QUOTA : 804F4562
    19:42:56:656 2948 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
    19:42:56:656 2948
    19:42:56:656 2948 Driver Name: USBSTOR
    19:42:56:656 2948 IRP_MJ_CREATE : BA4A5218
    19:42:56:656 2948 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
    19:42:56:656 2948 IRP_MJ_CLOSE : BA4A5218
    19:42:56:656 2948 IRP_MJ_READ : BA4A523C
    19:42:56:656 2948 IRP_MJ_WRITE : BA4A523C
    19:42:56:656 2948 IRP_MJ_QUERY_INFORMATION : 804F4562
    19:42:56:656 2948 IRP_MJ_SET_INFORMATION : 804F4562
    19:42:56:656 2948 IRP_MJ_QUERY_EA : 804F4562
    19:42:56:656 2948 IRP_MJ_SET_EA : 804F4562
    19:42:56:656 2948 IRP_MJ_FLUSH_BUFFERS : 804F4562
    19:42:56:656 2948 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
    19:42:56:656 2948 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
    19:42:56:656 2948 IRP_MJ_DIRECTORY_CONTROL : 804F4562
    19:42:56:656 2948 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
    19:42:56:656 2948 IRP_MJ_DEVICE_CONTROL : BA4A5180
    19:42:56:656 2948 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0C98B4
    19:42:56:656 2948 IRP_MJ_SHUTDOWN : 804F4562
    19:42:56:656 2948 IRP_MJ_LOCK_CONTROL : 804F4562
    19:42:56:656 2948 IRP_MJ_CLEANUP : 804F4562
    19:42:56:656 2948 IRP_MJ_CREATE_MAILSLOT : 804F4562
    19:42:56:656 2948 IRP_MJ_QUERY_SECURITY : 804F4562
    19:42:56:656 2948 IRP_MJ_SET_SECURITY : 804F4562
    19:42:56:656 2948 IRP_MJ_POWER : BA4A45F0
    19:42:56:656 2948 IRP_MJ_SYSTEM_CONTROL : BA4A2A6E
    19:42:56:656 2948 IRP_MJ_DEVICE_CHANGE : 804F4562
    19:42:56:656 2948 IRP_MJ_QUERY_QUOTA : 804F4562
    19:42:56:656 2948 IRP_MJ_SET_QUOTA : 804F4562
    19:42:56:703 2948 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
    19:42:56:703 2948
    19:42:56:703 2948 Driver Name: Disk
    19:42:56:703 2948 IRP_MJ_CREATE : BA0FEBB0
    19:42:56:703 2948 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
    19:42:56:703 2948 IRP_MJ_CLOSE : BA0FEBB0
    19:42:56:703 2948 IRP_MJ_READ : BA0F8D1F
    19:42:56:703 2948 IRP_MJ_WRITE : BA0F8D1F
    19:42:56:703 2948 IRP_MJ_QUERY_INFORMATION : 804F4562
    19:42:56:703 2948 IRP_MJ_SET_INFORMATION : 804F4562
    19:42:56:703 2948 IRP_MJ_QUERY_EA : 804F4562
    19:42:56:703 2948 IRP_MJ_SET_EA : 804F4562
    19:42:56:703 2948 IRP_MJ_FLUSH_BUFFERS : BA0F92E2
    19:42:56:703 2948 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
    19:42:56:703 2948 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
    19:42:56:703 2948 IRP_MJ_DIRECTORY_CONTROL : 804F4562
    19:42:56:703 2948 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
    19:42:56:703 2948 IRP_MJ_DEVICE_CONTROL : BA0F93BB
    19:42:56:703 2948 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0FCF28
    19:42:56:703 2948 IRP_MJ_SHUTDOWN : BA0F92E2
    19:42:56:703 2948 IRP_MJ_LOCK_CONTROL : 804F4562
    19:42:56:703 2948 IRP_MJ_CLEANUP : 804F4562
    19:42:56:703 2948 IRP_MJ_CREATE_MAILSLOT : 804F4562
    19:42:56:703 2948 IRP_MJ_QUERY_SECURITY : 804F4562
    19:42:56:703 2948 IRP_MJ_SET_SECURITY : 804F4562
    19:42:56:703 2948 IRP_MJ_POWER : BA0FAC82
    19:42:56:703 2948 IRP_MJ_SYSTEM_CONTROL : BA0FF99E
    19:42:56:703 2948 IRP_MJ_DEVICE_CHANGE : 804F4562
    19:42:56:703 2948 IRP_MJ_QUERY_QUOTA : 804F4562
    19:42:56:703 2948 IRP_MJ_SET_QUOTA : 804F4562
    19:42:56:734 2948 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
    19:42:56:734 2948
    19:42:56:734 2948 Driver Name: Disk
    19:42:56:734 2948 IRP_MJ_CREATE : BA0FEBB0
    19:42:56:734 2948 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
    19:42:56:734 2948 IRP_MJ_CLOSE : BA0FEBB0
    19:42:56:734 2948 IRP_MJ_READ : BA0F8D1F
    19:42:56:734 2948 IRP_MJ_WRITE : BA0F8D1F
    19:42:56:734 2948 IRP_MJ_QUERY_INFORMATION : 804F4562
    19:42:56:734 2948 IRP_MJ_SET_INFORMATION : 804F4562
    19:42:56:734 2948 IRP_MJ_QUERY_EA : 804F4562
    19:42:56:734 2948 IRP_MJ_SET_EA : 804F4562
    19:42:56:734 2948 IRP_MJ_FLUSH_BUFFERS : BA0F92E2
    19:42:56:734 2948 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
    19:42:56:734 2948 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
    19:42:56:734 2948 IRP_MJ_DIRECTORY_CONTROL : 804F4562
    19:42:56:734 2948 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
    19:42:56:734 2948 IRP_MJ_DEVICE_CONTROL : BA0F93BB
    19:42:56:734 2948 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0FCF28
    19:42:56:734 2948 IRP_MJ_SHUTDOWN : BA0F92E2
    19:42:56:734 2948 IRP_MJ_LOCK_CONTROL : 804F4562
    19:42:56:734 2948 IRP_MJ_CLEANUP : 804F4562
    19:42:56:734 2948 IRP_MJ_CREATE_MAILSLOT : 804F4562
    19:42:56:734 2948 IRP_MJ_QUERY_SECURITY : 804F4562
    19:42:56:734 2948 IRP_MJ_SET_SECURITY : 804F4562
    19:42:56:734 2948 IRP_MJ_POWER : BA0FAC82
    19:42:56:734 2948 IRP_MJ_SYSTEM_CONTROL : BA0FF99E
    19:42:56:734 2948 IRP_MJ_DEVICE_CHANGE : 804F4562
    19:42:56:734 2948 IRP_MJ_QUERY_QUOTA : 804F4562
    19:42:56:734 2948 IRP_MJ_SET_QUOTA : 804F4562
    19:42:56:750 2948 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
    19:42:56:750 2948
    19:42:56:750 2948 Driver Name: Disk
    19:42:56:750 2948 IRP_MJ_CREATE : BA0FEBB0
    19:42:56:750 2948 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
    19:42:56:750 2948 IRP_MJ_CLOSE : BA0FEBB0
    19:42:56:750 2948 IRP_MJ_READ : BA0F8D1F
    19:42:56:750 2948 IRP_MJ_WRITE : BA0F8D1F
    19:42:56:750 2948 IRP_MJ_QUERY_INFORMATION : 804F4562
    19:42:56:750 2948 IRP_MJ_SET_INFORMATION : 804F4562
    19:42:56:750 2948 IRP_MJ_QUERY_EA : 804F4562
    19:42:56:750 2948 IRP_MJ_SET_EA : 804F4562
    19:42:56:750 2948 IRP_MJ_FLUSH_BUFFERS : BA0F92E2
    19:42:56:750 2948 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
    19:42:56:750 2948 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
    19:42:56:750 2948 IRP_MJ_DIRECTORY_CONTROL : 804F4562
    19:42:56:750 2948 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
    19:42:56:750 2948 IRP_MJ_DEVICE_CONTROL : BA0F93BB
    19:42:56:750 2948 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0FCF28
    19:42:56:750 2948 IRP_MJ_SHUTDOWN : BA0F92E2
    19:42:56:750 2948 IRP_MJ_LOCK_CONTROL : 804F4562
    19:42:56:750 2948 IRP_MJ_CLEANUP : 804F4562
    19:42:56:750 2948 IRP_MJ_CREATE_MAILSLOT : 804F4562
    19:42:56:750 2948 IRP_MJ_QUERY_SECURITY : 804F4562
    19:42:56:750 2948 IRP_MJ_SET_SECURITY : 804F4562
    19:42:56:750 2948 IRP_MJ_POWER : BA0FAC82
    19:42:56:750 2948 IRP_MJ_SYSTEM_CONTROL : BA0FF99E
    19:42:56:750 2948 IRP_MJ_DEVICE_CHANGE : 804F4562
    19:42:56:750 2948 IRP_MJ_QUERY_QUOTA : 804F4562
    19:42:56:750 2948 IRP_MJ_SET_QUOTA : 804F4562
    19:42:56:781 2948 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
    19:42:56:781 2948
    19:42:56:781 2948 Driver Name: Disk
    19:42:56:781 2948 IRP_MJ_CREATE : BA0FEBB0
    19:42:56:781 2948 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
    19:42:56:781 2948 IRP_MJ_CLOSE : BA0FEBB0
    19:42:56:781 2948 IRP_MJ_READ : BA0F8D1F
    19:42:56:781 2948 IRP_MJ_WRITE : BA0F8D1F
    19:42:56:781 2948 IRP_MJ_QUERY_INFORMATION : 804F4562
    19:42:56:781 2948 IRP_MJ_SET_INFORMATION : 804F4562
    19:42:56:781 2948 IRP_MJ_QUERY_EA : 804F4562
    19:42:56:781 2948 IRP_MJ_SET_EA : 804F4562
    19:42:56:781 2948 IRP_MJ_FLUSH_BUFFERS : BA0F92E2
    19:42:56:781 2948 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
    19:42:56:781 2948 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
    19:42:56:781 2948 IRP_MJ_DIRECTORY_CONTROL : 804F4562
    19:42:56:781 2948 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
    19:42:56:781 2948 IRP_MJ_DEVICE_CONTROL : BA0F93BB
    19:42:56:781 2948 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0FCF28
    19:42:56:781 2948 IRP_MJ_SHUTDOWN : BA0F92E2
    19:42:56:781 2948 IRP_MJ_LOCK_CONTROL : 804F4562
    19:42:56:781 2948 IRP_MJ_CLEANUP : 804F4562
    19:42:56:781 2948 IRP_MJ_CREATE_MAILSLOT : 804F4562
    19:42:56:781 2948 IRP_MJ_QUERY_SECURITY : 804F4562
    19:42:56:781 2948 IRP_MJ_SET_SECURITY : 804F4562
    19:42:56:781 2948 IRP_MJ_POWER : BA0FAC82
    19:42:56:781 2948 IRP_MJ_SYSTEM_CONTROL : BA0FF99E
    19:42:56:781 2948 IRP_MJ_DEVICE_CHANGE : 804F4562
    19:42:56:781 2948 IRP_MJ_QUERY_QUOTA : 804F4562
    19:42:56:781 2948 IRP_MJ_SET_QUOTA : 804F4562
    19:42:56:781 2948 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
    19:42:56:781 2948
    19:42:56:781 2948 Driver Name: Disk
    19:42:56:781 2948 IRP_MJ_CREATE : BA0FEBB0
    19:42:56:781 2948 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
    19:42:56:781 2948 IRP_MJ_CLOSE : BA0FEBB0
    19:42:56:781 2948 IRP_MJ_READ : BA0F8D1F
    19:42:56:781 2948 IRP_MJ_WRITE : BA0F8D1F
    19:42:56:781 2948 IRP_MJ_QUERY_INFORMATION : 804F4562
    19:42:56:781 2948 IRP_MJ_SET_INFORMATION : 804F4562
    19:42:56:781 2948 IRP_MJ_QUERY_EA : 804F4562
    19:42:56:781 2948 IRP_MJ_SET_EA : 804F4562
    19:42:56:781 2948 IRP_MJ_FLUSH_BUFFERS : BA0F92E2
    19:42:56:781 2948 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
    19:42:56:781 2948 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
    19:42:56:781 2948 IRP_MJ_DIRECTORY_CONTROL : 804F4562
    19:42:56:781 2948 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
    19:42:56:781 2948 IRP_MJ_DEVICE_CONTROL : BA0F93BB
    19:42:56:781 2948 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0FCF28
    19:42:56:781 2948 IRP_MJ_SHUTDOWN : BA0F92E2
    19:42:56:781 2948 IRP_MJ_LOCK_CONTROL : 804F4562
    19:42:56:781 2948 IRP_MJ_CLEANUP : 804F4562
    19:42:56:781 2948 IRP_MJ_CREATE_MAILSLOT : 804F4562
    19:42:56:781 2948 IRP_MJ_QUERY_SECURITY : 804F4562
    19:42:56:781 2948 IRP_MJ_SET_SECURITY : 804F4562
    19:42:56:781 2948 IRP_MJ_POWER : BA0FAC82
    19:42:56:781 2948 IRP_MJ_SYSTEM_CONTROL : BA0FF99E
    19:42:56:781 2948 IRP_MJ_DEVICE_CHANGE : 804F4562
    19:42:56:781 2948 IRP_MJ_QUERY_QUOTA : 804F4562
    19:42:56:781 2948 IRP_MJ_SET_QUOTA : 804F4562
    19:42:56:796 2948 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
    19:42:56:796 2948
    19:42:56:796 2948 Driver Name: Disk
    19:42:56:796 2948 IRP_MJ_CREATE : BA0FEBB0
    19:42:56:796 2948 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
    19:42:56:796 2948 IRP_MJ_CLOSE : BA0FEBB0
    19:42:56:796 2948 IRP_MJ_READ : BA0F8D1F
    19:42:56:796 2948 IRP_MJ_WRITE : BA0F8D1F
    19:42:56:796 2948 IRP_MJ_QUERY_INFORMATION : 804F4562
    19:42:56:796 2948 IRP_MJ_SET_INFORMATION : 804F4562
    19:42:56:796 2948 IRP_MJ_QUERY_EA : 804F4562
    19:42:56:796 2948 IRP_MJ_SET_EA : 804F4562
    19:42:56:796 2948 IRP_MJ_FLUSH_BUFFERS : BA0F92E2
    19:42:56:796 2948 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
    19:42:56:796 2948 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
    19:42:56:796 2948 IRP_MJ_DIRECTORY_CONTROL : 804F4562
    19:42:56:796 2948 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
    19:42:56:796 2948 IRP_MJ_DEVICE_CONTROL : BA0F93BB
    19:42:56:796 2948 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0FCF28
    19:42:56:796 2948 IRP_MJ_SHUTDOWN : BA0F92E2
    19:42:56:796 2948 IRP_MJ_LOCK_CONTROL : 804F4562
    19:42:56:796 2948 IRP_MJ_CLEANUP : 804F4562
    19:42:56:796 2948 IRP_MJ_CREATE_MAILSLOT : 804F4562
    19:42:56:796 2948 IRP_MJ_QUERY_SECURITY : 804F4562
    19:42:56:796 2948 IRP_MJ_SET_SECURITY : 804F4562
    19:42:56:796 2948 IRP_MJ_POWER : BA0FAC82
    19:42:56:796 2948 IRP_MJ_SYSTEM_CONTROL : BA0FF99E
    19:42:56:796 2948 IRP_MJ_DEVICE_CHANGE : 804F4562
    19:42:56:796 2948 IRP_MJ_QUERY_QUOTA : 804F4562
    19:42:56:796 2948 IRP_MJ_SET_QUOTA : 804F4562
    19:42:56:812 2948 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
    19:42:56:812 2948
    19:42:56:812 2948 Driver Name: Disk
    19:42:56:812 2948 IRP_MJ_CREATE : BA0FEBB0
    19:42:56:812 2948 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
    19:42:56:812 2948 IRP_MJ_CLOSE : BA0FEBB0
    19:42:56:812 2948 IRP_MJ_READ : BA0F8D1F
    19:42:56:812 2948 IRP_MJ_WRITE : BA0F8D1F
    19:42:56:812 2948 IRP_MJ_QUERY_INFORMATION : 804F4562
    19:42:56:812 2948 IRP_MJ_SET_INFORMATION : 804F4562
    19:42:56:812 2948 IRP_MJ_QUERY_EA : 804F4562
    19:42:56:812 2948 IRP_MJ_SET_EA : 804F4562
    19:42:56:812 2948 IRP_MJ_FLUSH_BUFFERS : BA0F92E2
    19:42:56:812 2948 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
    19:42:56:812 2948 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
    19:42:56:812 2948 IRP_MJ_DIRECTORY_CONTROL : 804F4562
    19:42:56:812 2948 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
    19:42:56:812 2948 IRP_MJ_DEVICE_CONTROL : BA0F93BB
    19:42:56:812 2948 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0FCF28
    19:42:56:812 2948 IRP_MJ_SHUTDOWN : BA0F92E2
    19:42:56:812 2948 IRP_MJ_LOCK_CONTROL : 804F4562
    19:42:56:812 2948 IRP_MJ_CLEANUP : 804F4562
    19:42:56:812 2948 IRP_MJ_CREATE_MAILSLOT : 804F4562
    19:42:56:812 2948 IRP_MJ_QUERY_SECURITY : 804F4562
    19:42:56:812 2948 IRP_MJ_SET_SECURITY : 804F4562
    19:42:56:812 2948 IRP_MJ_POWER : BA0FAC82
    19:42:56:812 2948 IRP_MJ_SYSTEM_CONTROL : BA0FF99E
    19:42:56:812 2948 IRP_MJ_DEVICE_CHANGE : 804F4562
    19:42:56:812 2948 IRP_MJ_QUERY_QUOTA : 804F4562
    19:42:56:812 2948 IRP_MJ_SET_QUOTA : 804F4562
    19:42:56:812 2948 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
    19:42:56:812 2948
    19:42:56:812 2948 Driver Name: Disk
    19:42:56:812 2948 IRP_MJ_CREATE : BA0FEBB0
    19:42:56:812 2948 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
    19:42:56:812 2948 IRP_MJ_CLOSE : BA0FEBB0
    19:42:56:812 2948 IRP_MJ_READ : BA0F8D1F
    19:42:56:812 2948 IRP_MJ_WRITE : BA0F8D1F
    19:42:56:812 2948 IRP_MJ_QUERY_INFORMATION : 804F4562
    19:42:56:812 2948 IRP_MJ_SET_INFORMATION : 804F4562
    19:42:56:812 2948 IRP_MJ_QUERY_EA : 804F4562
    19:42:56:812 2948 IRP_MJ_SET_EA : 804F4562
    19:42:56:812 2948 IRP_MJ_FLUSH_BUFFERS : BA0F92E2
    19:42:56:812 2948 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
    19:42:56:812 2948 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
    19:42:56:812 2948 IRP_MJ_DIRECTORY_CONTROL : 804F4562
    19:42:56:812 2948 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
    19:42:56:812 2948 IRP_MJ_DEVICE_CONTROL : BA0F93BB
    19:42:56:812 2948 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0FCF28
    19:42:56:812 2948 IRP_MJ_SHUTDOWN : BA0F92E2
    19:42:56:812 2948 IRP_MJ_LOCK_CONTROL : 804F4562
    19:42:56:812 2948 IRP_MJ_CLEANUP : 804F4562
    19:42:56:812 2948 IRP_MJ_CREATE_MAILSLOT : 804F4562
    19:42:56:812 2948 IRP_MJ_QUERY_SECURITY : 804F4562
    19:42:56:812 2948 IRP_MJ_SET_SECURITY : 804F4562
    19:42:56:812 2948 IRP_MJ_POWER : BA0FAC82
    19:42:56:812 2948 IRP_MJ_SYSTEM_CONTROL : BA0FF99E
    19:42:56:812 2948 IRP_MJ_DEVICE_CHANGE : 804F4562
    19:42:56:812 2948 IRP_MJ_QUERY_QUOTA : 804F4562
    19:42:56:812 2948 IRP_MJ_SET_QUOTA : 804F4562
    19:42:56:828 2948 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
    19:42:56:828 2948
    19:42:56:828 2948 Driver Name: Disk
    19:42:56:828 2948 IRP_MJ_CREATE : BA0FEBB0
    19:42:56:828 2948 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
    19:42:56:828 2948 IRP_MJ_CLOSE : BA0FEBB0
    19:42:56:828 2948 IRP_MJ_READ : BA0F8D1F
    19:42:56:828 2948 IRP_MJ_WRITE : BA0F8D1F
    19:42:56:828 2948 IRP_MJ_QUERY_INFORMATION : 804F4562
    19:42:56:828 2948 IRP_MJ_SET_INFORMATION : 804F4562
    19:42:56:828 2948 IRP_MJ_QUERY_EA : 804F4562
    19:42:56:828 2948 IRP_MJ_SET_EA : 804F4562
    19:42:56:828 2948 IRP_MJ_FLUSH_BUFFERS : BA0F92E2
    19:42:56:828 2948 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
    19:42:56:828 2948 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
    19:42:56:828 2948 IRP_MJ_DIRECTORY_CONTROL : 804F4562
    19:42:56:828 2948 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
    19:42:56:828 2948 IRP_MJ_DEVICE_CONTROL : BA0F93BB
    19:42:56:828 2948 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0FCF28
    19:42:56:828 2948 IRP_MJ_SHUTDOWN : BA0F92E2
    19:42:56:828 2948 IRP_MJ_LOCK_CONTROL : 804F4562
    19:42:56:828 2948 IRP_MJ_CLEANUP : 804F4562
    19:42:56:828 2948 IRP_MJ_CREATE_MAILSLOT : 804F4562
    19:42:56:828 2948 IRP_MJ_QUERY_SECURITY : 804F4562
    19:42:56:828 2948 IRP_MJ_SET_SECURITY : 804F4562
    19:42:56:828 2948 IRP_MJ_POWER : BA0FAC82
    19:42:56:828 2948 IRP_MJ_SYSTEM_CONTROL : BA0FF99E
    19:42:56:828 2948 IRP_MJ_DEVICE_CHANGE : 804F4562
    19:42:56:828 2948 IRP_MJ_QUERY_QUOTA : 804F4562
    19:42:56:828 2948 IRP_MJ_SET_QUOTA : 804F4562
    19:42:56:843 2948 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
    19:42:56:843 2948
    19:42:56:843 2948 Driver Name: atapi
    19:42:56:843 2948 IRP_MJ_CREATE : B9F156F2
    19:42:56:843 2948 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
    19:42:56:843 2948 IRP_MJ_CLOSE : B9F156F2
    19:42:56:843 2948 IRP_MJ_READ : 804F4562
    19:42:56:843 2948 IRP_MJ_WRITE : 804F4562
    19:42:56:843 2948 IRP_MJ_QUERY_INFORMATION : 804F4562
    19:42:56:843 2948 IRP_MJ_SET_INFORMATION : 804F4562
    19:42:56:843 2948 IRP_MJ_QUERY_EA : 804F4562
    19:42:56:843 2948 IRP_MJ_SET_EA : 804F4562
    19:42:56:843 2948 IRP_MJ_FLUSH_BUFFERS : 804F4562
    19:42:56:843 2948 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
    19:42:56:843 2948 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
    19:42:56:843 2948 IRP_MJ_DIRECTORY_CONTROL : 804F4562
    19:42:56:843 2948 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
    19:42:56:843 2948 IRP_MJ_DEVICE_CONTROL : B9F15712
    19:42:56:843 2948 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0C98B4
    19:42:56:843 2948 IRP_MJ_SHUTDOWN : 804F4562
    19:42:56:843 2948 IRP_MJ_LOCK_CONTROL : 804F4562
    19:42:56:843 2948 IRP_MJ_CLEANUP : 804F4562
    19:42:56:843 2948 IRP_MJ_CREATE_MAILSLOT : 804F4562
    19:42:56:843 2948 IRP_MJ_QUERY_SECURITY : 804F4562
    19:42:56:843 2948 IRP_MJ_SET_SECURITY : 804F4562
    19:42:56:843 2948 IRP_MJ_POWER : B9F1573C
    19:42:56:843 2948 IRP_MJ_SYSTEM_CONTROL : B9F1C336
    19:42:56:843 2948 IRP_MJ_DEVICE_CHANGE : 804F4562
    19:42:56:843 2948 IRP_MJ_QUERY_QUOTA : 804F4562
    19:42:56:843 2948 IRP_MJ_SET_QUOTA : 804F4562
    19:42:56:859 2948 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
    19:42:56:859 2948
    19:42:56:859 2948 Driver Name: atapi
    19:42:56:859 2948 IRP_MJ_CREATE : B9F156F2
    19:42:56:859 2948 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
    19:42:56:859 2948 IRP_MJ_CLOSE : B9F156F2
    19:42:56:859 2948 IRP_MJ_READ : 804F4562
    19:42:56:859 2948 IRP_MJ_WRITE : 804F4562
    19:42:56:859 2948 IRP_MJ_QUERY_INFORMATION : 804F4562
    19:42:56:859 2948 IRP_MJ_SET_INFORMATION : 804F4562
    19:42:56:859 2948 IRP_MJ_QUERY_EA : 804F4562
    19:42:56:859 2948 IRP_MJ_SET_EA : 804F4562
    19:42:56:859 2948 IRP_MJ_FLUSH_BUFFERS : 804F4562
    19:42:56:859 2948 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
    19:42:56:859 2948 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
    19:42:56:859 2948 IRP_MJ_DIRECTORY_CONTROL : 804F4562
    19:42:56:859 2948 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
    19:42:56:859 2948 IRP_MJ_DEVICE_CONTROL : B9F15712
    19:42:56:859 2948 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0C98B4
    19:42:56:859 2948 IRP_MJ_SHUTDOWN : 804F4562
    19:42:56:859 2948 IRP_MJ_LOCK_CONTROL : 804F4562
    19:42:56:859 2948 IRP_MJ_CLEANUP : 804F4562
    19:42:56:859 2948 IRP_MJ_CREATE_MAILSLOT : 804F4562
    19:42:56:859 2948 IRP_MJ_QUERY_SECURITY : 804F4562
    19:42:56:859 2948 IRP_MJ_SET_SECURITY : 804F4562
    19:42:56:859 2948 IRP_MJ_POWER : B9F1573C
    19:42:56:859 2948 IRP_MJ_SYSTEM_CONTROL : B9F1C336
    19:42:56:859 2948 IRP_MJ_DEVICE_CHANGE : 804F4562
    19:42:56:859 2948 IRP_MJ_QUERY_QUOTA : 804F4562
    19:42:56:859 2948 IRP_MJ_SET_QUOTA : 804F4562
    19:42:56:875 2948 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
    19:42:56:875 2948
    19:42:56:875 2948 Driver Name: atapi
    19:42:56:875 2948 IRP_MJ_CREATE : B9F156F2
    19:42:56:875 2948 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
    19:42:56:875 2948 IRP_MJ_CLOSE : B9F156F2
    19:42:56:875 2948 IRP_MJ_READ : 804F4562
    19:42:56:875 2948 IRP_MJ_WRITE : 804F4562
    19:42:56:875 2948 IRP_MJ_QUERY_INFORMATION : 804F4562
    19:42:56:875 2948 IRP_MJ_SET_INFORMATION : 804F4562
    19:42:56:875 2948 IRP_MJ_QUERY_EA : 804F4562
    19:42:56:875 2948 IRP_MJ_SET_EA : 804F4562
    19:42:56:875 2948 IRP_MJ_FLUSH_BUFFERS : 804F4562
    19:42:56:875 2948 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
    19:42:56:875 2948 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
    19:42:56:875 2948 IRP_MJ_DIRECTORY_CONTROL : 804F4562
    19:42:56:875 2948 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
    19:42:56:875 2948 IRP_MJ_DEVICE_CONTROL : B9F15712
    19:42:56:875 2948 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0C98B4
    19:42:56:875 2948 IRP_MJ_SHUTDOWN : 804F4562
    19:42:56:875 2948 IRP_MJ_LOCK_CONTROL : 804F4562
    19:42:56:875 2948 IRP_MJ_CLEANUP : 804F4562
    19:42:56:875 2948 IRP_MJ_CREATE_MAILSLOT : 804F4562
    19:42:56:875 2948 IRP_MJ_QUERY_SECURITY : 804F4562
    19:42:56:875 2948 IRP_MJ_SET_SECURITY : 804F4562
    19:42:56:875 2948 IRP_MJ_POWER : B9F1573C
    19:42:56:875 2948 IRP_MJ_SYSTEM_CONTROL : B9F1C336
    19:42:56:875 2948 IRP_MJ_DEVICE_CHANGE : 804F4562
    19:42:56:875 2948 IRP_MJ_QUERY_QUOTA : 804F4562
    19:42:56:875 2948 IRP_MJ_SET_QUOTA : 804F4562
    19:42:56:906 2948 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
    19:42:56:906 2948
    19:42:56:906 2948 Driver Name: atapi
    19:42:56:906 2948 IRP_MJ_CREATE : B9F156F2
    19:42:56:906 2948 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
    19:42:56:906 2948 IRP_MJ_CLOSE : B9F156F2
    19:42:56:906 2948 IRP_MJ_READ : 804F4562
    19:42:56:906 2948 IRP_MJ_WRITE : 804F4562
    19:42:56:906 2948 IRP_MJ_QUERY_INFORMATION : 804F4562
    19:42:56:906 2948 IRP_MJ_SET_INFORMATION : 804F4562
    19:42:56:906 2948 IRP_MJ_QUERY_EA : 804F4562
    19:42:56:906 2948 IRP_MJ_SET_EA : 804F4562
    19:42:56:906 2948 IRP_MJ_FLUSH_BUFFERS : 804F4562
    19:42:56:906 2948 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
    19:42:56:906 2948 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
    19:42:56:906 2948 IRP_MJ_DIRECTORY_CONTROL : 804F4562
    19:42:56:906 2948 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
    19:42:56:906 2948 IRP_MJ_DEVICE_CONTROL : B9F15712
    19:42:56:906 2948 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0C98B4
    19:42:56:906 2948 IRP_MJ_SHUTDOWN : 804F4562
    19:42:56:906 2948 IRP_MJ_LOCK_CONTROL : 804F4562
    19:42:56:906 2948 IRP_MJ_CLEANUP : 804F4562
    19:42:56:906 2948 IRP_MJ_CREATE_MAILSLOT : 804F4562
    19:42:56:906 2948 IRP_MJ_QUERY_SECURITY : 804F4562
    19:42:56:906 2948 IRP_MJ_SET_SECURITY : 804F4562
    19:42:56:906 2948 IRP_MJ_POWER : B9F1573C
    19:42:56:906 2948 IRP_MJ_SYSTEM_CONTROL : B9F1C336
    19:42:56:906 2948 IRP_MJ_DEVICE_CHANGE : 804F4562
    19:42:56:906 2948 IRP_MJ_QUERY_QUOTA : 804F4562
    19:42:56:906 2948 IRP_MJ_SET_QUOTA : 804F4562
    19:42:56:906 2948 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
    19:42:56:906 2948
    19:42:56:906 2948 Completed
    19:42:56:906 2948
    19:42:56:906 2948 Results:
    19:42:56:906 2948 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
    19:42:56:906 2948 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
    19:42:56:906 2948 File objects infected / cured / cured on reboot: 0 / 0 / 0
    19:42:56:906 2948
    19:42:56:921 2948 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
    19:42:56:921 2948 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
    19:42:56:937 2948 KLMD(ARK) unloaded successfully
     
  15. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,452
    First Name:
    Derek
    Nothing showing there.

    Is it still sending mail?
     
Short URL to this thread: https://techguy.org/919802
