Some program sending mail from my computer when it's connected to the router


omer681 (Thread Starter)
When I connect my computer to the router (internet) it seems that it spams it with outgoing mails, and slows down the email receiving process.

HiJack log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:58:26, on 28/04/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\PROGRA~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe
H:\Program Files\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\taskswitch.exe
H:\Program Files\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\System32\cisvc.exe
K:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
C:\Program Files\uTorrent\uTorrent.exe
K:\Utility Programs\DAEMON Tools Lite\DTLite.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
K:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
H:\Program Files\Steam\Steam.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe
h:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\devenv.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local;<local>
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\2.bin\MWSSRCAS.DLL
O2 - BHO: IE7Pro BHO - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\2.bin\MWSSRCAS.DLL
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - H:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - H:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: עוזר הכניסה של Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - H:\Program Files\FlashGet\getflash.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - H:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe" /m=2 /w
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVP] "H:\Program Files\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [librtexec] javaw -jar "C:\Program Files\Java\jre6\lib\librtexec.jar"
O4 - HKLM\..\Run: [Flashget] H:\Program Files\FlashGet\flashget.exe /min
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [StartCCC] "K:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "K:\Utility Programs\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [SteamUp] "K:\Program Files\Cracked Steam\steam.exe" -clientapp SteamUp.dll -silent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZRfox000
O8 - Extra context menu item: &הורד באמצעות פלאש-גט - H:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &הורד הכל באמצעות פלאש-גט - H:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Add to Anti-Banner - H:\Program Files\Kaspersky Anti-Virus 6.0\ie_banner_deny.htm
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - H:\Program Files\Kaspersky Anti-Virus 6.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - H:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - H:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - H:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} (SysInfo Class) - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1214609682843
O17 - HKLM\System\CCS\Services\Tcpip\..\{803C38B3-87A0-4405-A9EB-8A6AF690E470}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: H:\PROGRA~1\KASPER~1.0\adialhk.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - H:\Program Files\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe

--
End of file - 11290 bytes


I have another problem in my Windows 7 (I have 2 systems on my computer, XP and Windows 7): almost no application wants to start up. It gives this error:
The application has failed to start because its side-by-side configuration is incorrect. Please see the application event log or use the command-line sxstrace.exe tool for more detail.

In the application event log, I found this:

Activation context generation failed for "E:\Program Files\uTorrent\uTorrent.exe". Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="X86",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found. Please use sxstrace.exe for detailed diagnosis.


After you (hopefully) solve my problem with the mail sending, I'll try to get a HijackThis log for the Windows 7.

Thanks

omer681 (Thread Starter)
The program "GMER" crashed the computer somewhere around C:\Documents and Settings\****\Application Data
For the fraction of a second before it crashed, I (think that I) saw something about Macromedia at the end.



By the way, drive M is a backup external hard disk.

The log for the first program:

DDS.txt


DDS (Ver_10-03-17.01) - NTFSx86
Run by Omer at 14:16:43.29 on Tue 05/04/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.3582.2869 [GMT 3:00]

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\Program Files\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe
H:\Program Files\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\taskswitch.exe
H:\Program Files\FlashGet\flashget.exe
C:\WINDOWS\system32\ctfmon.exe
K:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
K:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\MagicTune Premium\MagicTune.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Omer\Desktop\spyware\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.il/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = local;*.local;<local>
uURLSearchHooks: N/A: {00a6faf6-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\bar\2.bin\MWSSRCAS.DLL
BHO: IE7Pro BHO: {00011268-e188-40df-a514-835fcd78b1bf} - c:\program files\iepro\iepro.dll
BHO: MyWebSearch Search Assistant BHO: {00a6faf1-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\bar\2.bin\MWSSRCAS.DLL
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - h:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: mwsBar BHO: {07b18ea1-a523-4961-b6bb-170de4475cca} - c:\program files\mywebsearch\bar\2.bin\MWSBAR.DLL
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - h:\program files\flashget\jccatch.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: עוזר הכניסה של Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - h:\program files\flashget\getflash.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - h:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: My Web Search: {07b18ea9-a523-4961-b6bb-170de4475cca} - c:\program files\mywebsearch\bar\2.bin\MWSBAR.DLL
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - h:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SteamUp] "k:\program files\cracked steam\steam.exe" -clientapp SteamUp.dll -silent
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [My Web Search Bar Search Scope Monitor] "c:\progra~1\mywebs~1\bar\2.bin\m3SrchMn.exe" /m=2 /w
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [AVP] "h:\program files\kaspersky anti-virus 6.0\avp.exe"
mRun: [MP10_EnsureFileVer] c:\windows\inf\unregmp2.exe /EnsureFileVersions
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [librtexec] javaw -jar "c:\program files\java\jre6\lib\librtexec.jar"
mRun: [Flashget] h:\program files\flashget\flashget.exe /min
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [StartCCC] "k:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZRfox000
IE: &הורד באמצעות פלאש-גט - h:\program files\flashget\jc_link.htm
IE: &הורד הכל באמצעות פלאש-גט - h:\program files\flashget\jc_all.htm
IE: &יצא ל- Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Add to Anti-Banner - h:\program files\kaspersky anti-virus 6.0\ie_banner_deny.htm
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - h:\program files\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - {B119EB0C-C021-46CF-85B0-34A760E0D5FE} - c:\program files\iepro\iepro.dll
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - h:\program files\kaspersky anti-virus 6.0\SCIEPlgn.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - h:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.srtest.com/srl_bin/sysreqlab3.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1214609682843
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {803C38B3-87A0-4405-A9EB-8A6AF690E470} = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: h:\progra~1\kasper~1.0\adialhk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\omer\applic~1\mozilla\firefox\profiles\3y46ajbd.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\omer\application data\mozilla\firefox\profiles\3y46ajbd.default\extensions\{02549309-0dbb-41e7-8366-768cfe100341}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\omer\application data\mozilla\firefox\profiles\3y46ajbd.default\extensions\{02549309-0dbb-41e7-8366-768cfe100341}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\omer\application data\mozilla\firefox\profiles\3y46ajbd.default\extensions\{0d6451b1-a91e-435e-ba58-134ec4797456}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\omer\application data\mozilla\firefox\profiles\3y46ajbd.default\extensions\{0d6451b1-a91e-435e-ba58-134ec4797456}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\omer\application data\mozilla\firefox\profiles\3y46ajbd.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll
FF - component: c:\documents and settings\omer\application data\mozilla\firefox\profiles\3y46ajbd.default\extensions\[email protected]\platform\winnt_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\documents and settings\omer\application data\mozilla\firefox\profiles\3y46ajbd.default\extensions\[email protected]\platform\winnt_x86-msvc\components\lpxpcom.dll
FF - component: c:\program files\google\google gears\firefox\lib\ff36\gears.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMyWebS.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: h:\program files\itunes\mozilla plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2007-7-18 112144]
R1 klif;Klif;c:\windows\system32\drivers\klif.sys [2007-11-9 201504]
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [2007-4-23 82200]
R2 AVP;Kaspersky Anti-Virus 6.0;h:\program files\kaspersky anti-virus 6.0\avp.exe [2007-11-19 231952]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2007-5-30 24344]
S2 clr_optimization_v4.0.21006_32;Microsoft .NET Framework NGEN v4.0.21006_X86;c:\windows\microsoft.net\framework\v4.0.21006\mscorsvw.exe [2009-10-7 129856]
S3 cpuz130;cpuz130;\??\c:\docume~1\omer\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\omer\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-5-27 12672]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;d:\program files\lavalys\everest ultimate edition\kerneld.wnt [2008-4-12 22640]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [2006-3-10 39424]
S3 MsDepSvc;Web Deployment Agent Service;c:\program files\iis\microsoft web deploy\MsDepSvc.exe [2009-9-9 55176]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
S3 VSPerfDrv;Performance Tools Driver;h:\program files\microsoft visual studio 8\team tools\performance tools\VSPerfDrv.sys [2005-9-23 54464]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.21006\wpf\WPFFontCache_v0400.exe [2009-10-7 752984]
S4 _MySQL;_MySQL;"e:\program files\mysql\copy of mysql server 5.0\bin\mysqld-nt" --defaults-file="e:\program files\mysql\copy of mysql server 5.0\my.ini" _mysql --> e:\program files\mysql\copy of mysql server 5.0\bin\mysqld-nt [?]
S4 gupdate1c989f4ad069e8c;Google Update Service (gupdate1c989f4ad069e8c);c:\program files\google\update\GoogleUpdate.exe [2009-2-8 133104]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-23 47128]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;h:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]
S4 MySQL1;MySQL1;"e:\program files\mysql\copy of mysql server 5.0\bin\mysqld-nt" --defaults-file="e:\program files\mysql\copy of mysql server 5.0\my.ini" mysql1 --> e:\program files\mysql\copy of mysql server 5.0\bin\mysqld-nt [?]
S4 MySQL4;MySQL4;"e:\program files\mysql\mysql server 5.0\bin\mysqld-nt" --defaults-file="e:\program files\mysql\mysql server 5.0\my.ini" mysql4 --> e:\program files\mysql\mysql server 5.0\bin\mysqld-nt [?]
S4 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\2.bin\mwssvc.exe [2009-3-27 28762]
S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SoundtrackTurbineMessageService;Turbine Message Service - Soundtrack;h:\program files\turbine\turbine download manager - soundtrack\TurbineMessageService.exe [2009-3-2 249856]
S4 SoundtrackTurbineNetworkService;Turbine Network Service - Soundtrack;h:\program files\turbine\turbine download manager - soundtrack\TurbineNetworkService.exe [2009-3-2 212992]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]

=============== Created Last 30 ================

2014-05-01 16:50:25 0 d-----w- C:\PSFONTS
2010-04-27 12:35:00 0 d-----w- c:\docume~1\omer\applic~1\GetRightToGo
2010-04-26 13:20:50 4096 ----a-w- c:\windows\d3dx.dat
2010-04-20 15:55:32 0 d-sh--w- C:\$RECYCLE.BIN
2010-04-20 11:01:02 0 d-----w- c:\windows\system32\xlive
2010-04-20 11:01:02 0 d-----w- c:\program files\Microsoft Games for Windows - LIVE
2010-04-20 07:38:32 33616 ----a-w- c:\windows\system32\atiapfxx.blb
2010-04-20 07:38:32 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2010-04-20 07:35:42 0 d-----w- c:\program files\ATI
2010-04-19 13:12:31 0 d-----w- C:\BDS
2010-04-19 11:22:42 0 d-----w- c:\docume~1\omer\applic~1\DAEMON Tools Lite
2010-04-19 11:22:37 0 d-----w- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2010-04-13 11:41:41 0 d-----w- c:\docume~1\alluse~1\applic~1\ArcSoft
2010-04-13 11:34:50 0 d-----w- c:\docume~1\omer\applic~1\HP SimpleSave Application
2010-04-11 11:29:39 782336 ----a-r- c:\windows\system32\tmpD38.tmp
2010-04-11 11:29:39 782336 ----a-r- c:\windows\system32\tmpD37.tmp
2010-04-10 05:10:01 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-04-09 17:09:33 49152 ----a-w- c:\windows\system32\DirSize.dll
2010-04-05 08:12:34 1024 ----a-w- C:\.rnd

==================== Find3M ====================

2010-05-04 11:16:23 121063968 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-05-04 11:16:17 4978720 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-05-03 14:14:26 473660 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-05-03 14:14:26 1638572 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-05-03 14:11:48 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-05-03 14:11:48 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-04-19 11:24:32 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-04-13 13:44:24 92744 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-03-31 11:51:52 3930788 ----a-w- c:\documents and settings\omer\test.zip
2010-03-03 04:07:54 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2010-03-03 04:02:54 45056 ----a-w- c:\windows\system32\aticalrt.dll
2010-03-03 04:02:40 45056 ----a-w- c:\windows\system32\aticalcl.dll
2010-03-03 04:01:00 3641344 ----a-w- c:\windows\system32\aticaldd.dll
2010-03-03 03:44:42 14262272 ----a-w- c:\windows\system32\atioglxx.dll
2010-03-03 03:40:42 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-03-03 03:40:36 3616096 ----a-w- c:\windows\system32\ati3duag.dll
2010-03-03 03:39:44 301056 ----a-w- c:\windows\system32\ati2dvag.dll
2010-03-03 03:24:40 208896 ----a-w- c:\windows\system32\atipdlxx.dll
2010-03-03 03:24:38 2232320 ----a-w- c:\windows\system32\ativvaxx.dll
2010-03-03 03:24:22 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2010-03-03 03:24:12 887724 ----a-w- c:\windows\system32\ativva6x.dat
2010-03-03 03:24:12 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2010-03-03 03:24:02 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-03-03 03:23:50 159744 ----a-w- c:\windows\system32\ati2evxx.dll
2010-03-03 03:22:34 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2010-03-03 03:21:10 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2010-03-03 03:16:58 565248 ----a-w- c:\windows\system32\atikvmag.dll
2010-03-03 03:15:10 184320 ----a-w- c:\windows\system32\atiadlxx.dll
2010-03-03 03:14:40 17408 ----a-w- c:\windows\system32\atitvo32.dll
2010-03-03 03:14:12 393216 ----a-w- c:\windows\system32\atiok3x2.dll
2010-03-03 03:09:06 638976 ----a-w- c:\windows\system32\ati2cqag.dll
2010-03-03 03:07:04 65024 ----a-w- c:\windows\system32\atimpc32.dll
2010-03-03 03:07:04 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2010-02-25 19:55:46 201875 ----a-w- c:\windows\system32\atiicdxx.dat
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll

============= FINISH: 14:18:05.03 ===============

Attachments

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Delete any existing version of ComboFix you have sitting on your desktop
Please read and follow all these instructions very carefully

Download ComboFix from Here to your Desktop.

**Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer**
--------------------------------------------------------------------
1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • Very Important! Temporarily disable your anti-virus and anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results" or stop combofix running at all
  • Click on THIS LINK to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re-enable the protection again after combofix has finished
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running
Double click on combofix.exe & follow the prompts.
If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" for further review


****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.
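The report these steps produce is a flat text file: a header with the scan time, date-stamped file listings, and a "Reg Loading Points" section of registry keys and values. When a log like that is posted, a few checks are worth running mechanically before reading it by hand: file entries dated later than the scan itself (a wrong clock, or a timestomped file), autorun entries whose target ComboFix marked with [X] because the file could not be found, a populated AppInit_DLLs value, Security Center monitoring switched off, and the Windows Firewall profile disabled. The script below is an added example written for this page, not a ComboFix or forum tool. The sample log is constructed to mirror the shape of the lines posted in this thread, the header format it parses is the one ComboFix prints at the top of its report, and the finding categories (`future-dated`, `missing-autorun-target`, and so on) are names chosen here for illustration.

```python
"""Triage helper for ComboFix/DDS-style logs (added example, not a ComboFix or forum tool)."""
import re
from datetime import datetime

# Constructed sample: a handful of lines shaped like the ones posted in this thread.
SAMPLE_LOG = r"""ComboFix 10-05-03.06 - Omer 05/04/2010 16:55:20.2.4 - x86
2014-05-01 16:50 . 2014-05-01 16:50 -------- d-----w- C:\PSFONTS
2010-04-26 13:20 . 2010-04-26 13:20 4096 ----a-w- c:\windows\d3dx.dat
2010-04-19 11:24:32 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"librtexec"="javaw -jar" [X]
"AVP"="h:\program files\Kaspersky Anti-Virus 6.0\avp.exe" [2009-09-02 231952]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=h:\progra~1\KASPER~1.0\adialhk.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# ComboFix header: "ComboFix <ver> - <user> MM/DD/YYYY HH:MM:SS..." (assumed from the thread's own log)
REPORT_RE = re.compile(r"^ComboFix \S+ - .+? (\d\d/\d\d/\d{4}) (\d\d:\d\d:\d\d)")
# File listing: timestamp (DDS adds seconds) ... size, 8-char attribute field, then the path.
# The attribute field always carries w or r in position 7, which keeps '--------' (the
# size placeholder for directories) from being mistaken for it.
FILE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d)(?::\d\d)?\s.*\s[d-]-[-s][-h][-a]-[wr]-\s+(.+)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_report_time(text):
    """Return the scan time from the ComboFix header, or None if the header is absent."""
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            return datetime.strptime(m.group(1) + " " + m.group(2), "%m/%d/%Y %H:%M:%S")
    return None


def _dword(data):
    """Parse 'dword:00000001' or '0 (0x0)' style registry data into an int."""
    token = data.strip().split()[0]
    if token.lower().startswith("dword:"):
        return int(token[6:], 16)
    return int(token, 0)


def triage(text):
    """Return (category, subject, reason) findings for the checks described above."""
    findings = []
    report_time = parse_report_time(text)
    key = ""  # registry key currently being listed, lower-cased
    for raw in text.splitlines():
        line = raw.rstrip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = FILE_RE.match(line)
        if m:
            stamp = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
            if report_time and stamp > report_time:
                findings.append(("future-dated", m.group(2),
                                 "timestamp is later than the scan time: bad clock, or a timestomped file"))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group(1), m.group(2)
        lname = name.lower()
        if data.endswith("[X]"):
            findings.append(("missing-autorun-target", name,
                             "autorun entry points at a file ComboFix could not find"))
        elif lname == "appinit_dlls" and key.endswith(r"currentversion\windows") and data.strip():
            findings.append(("appinit-dll", data.strip(),
                             "AppInit_DLLs loads this DLL into every GUI process; confirm it belongs to the AV"))
        elif "security center\\monitoring" in key and lname == "disablemonitoring" and _dword(data) == 1:
            findings.append(("av-monitoring-disabled", name,
                             "Security Center is told not to monitor this product"))
        elif "firewallpolicy" in key and lname == "enablefirewall" and _dword(data) == 0:
            findings.append(("firewall-disabled", name,
                             "Windows Firewall is off for this profile"))
    return findings


if __name__ == "__main__":
    for category, subject, reason in triage(SAMPLE_LOG):
        print(f"{category:24} {subject:45} {reason}")
```

Run it on a saved `C:\ComboFix.txt` by reading the file into `triage()`; on the sample it flags the 2014-dated `C:\PSFONTS` entry, the `librtexec` autorun with no file behind it, the AppInit DLL, and the two disabled protections. None of these is proof of infection on its own (the AppInit and monitoring entries here belong to the installed anti-virus), but they are exactly the lines a helper reads first, and the future-dated entry is one a human skimming hundreds of lines is likely to miss.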

omer681

Thread Starter
Joined
Sep 13, 2007
Messages
24
ComboFix 10-05-03.06 - Omer 05/04/2010 16:55:20.2.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.3582.3052 [GMT 3:00]
Running from: c:\documents and settings\Omer\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-3114903881-2358328619-99713491-1001
c:\program files\Cheat Engine\dbk32.sys
c:\program files\FunWebProducts
c:\program files\FunWebProducts\ScreenSaver\Cache\files.ini
c:\program files\FunWebProducts\ScreenSaver\Images\04E1C122.urr
c:\program files\FunWebProducts\ScreenSaver\Images\04E1C1CE.dat
c:\program files\FunWebProducts\ScreenSaver\Images\04E52B57.dat
c:\program files\FunWebProducts\ScreenSaver\Images\069B6197.urr
c:\program files\FunWebProducts\ScreenSaver\Images\101x135\04E1C1CE.jpg
c:\program files\FunWebProducts\ScreenSaver\Images\101x135\04E52B57.jpg
c:\program files\FunWebProducts\ScreenSaver\Images\wrkparam.lst
c:\program files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
c:\program files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
c:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
c:\program files\FunWebProducts\Shared\Cache\WebfettiBtn.html
c:\program files\Internet Explorer\msimg32.dll
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
c:\program files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
c:\program files\MyWebSearch\bar\2.bin\F3BKGERR.JPG
c:\program files\MyWebSearch\bar\2.bin\F3CJPEG.DLL
c:\program files\MyWebSearch\bar\2.bin\F3DTactl.dll
c:\program files\MyWebSearch\bar\2.bin\F3HISTSW.DLL
c:\program files\MyWebSearch\bar\2.bin\F3HTmlmu.dll
c:\program files\MyWebSearch\bar\2.bin\F3HTTPCT.DLL
c:\program files\MyWebSearch\bar\2.bin\F3IMSTUB.DLL
c:\program files\MyWebSearch\bar\2.bin\F3POPSWT.DLL
c:\program files\MyWebSearch\bar\2.bin\F3PSSAVR.SCR
c:\program files\MyWebSearch\bar\2.bin\F3REPROX.DLL
c:\program files\MyWebSearch\bar\2.bin\F3RESTUB.DLL
c:\program files\MyWebSearch\bar\2.bin\F3SCHMON.EXE
c:\program files\MyWebSearch\bar\2.bin\F3SCRCTR.DLL
c:\program files\MyWebSearch\bar\2.bin\F3SPACER.WMV
c:\program files\MyWebSearch\bar\2.bin\F3WALLPP.DAT
c:\program files\MyWebSearch\bar\2.bin\F3WPHOOK.DLL
c:\program files\MyWebSearch\bar\2.bin\FWPBUDDY.PNG
c:\program files\MyWebSearch\bar\2.bin\M3FFXTBR.JAR
c:\program files\MyWebSearch\bar\2.bin\M3FFXTBR.MANIFEST
c:\program files\MyWebSearch\bar\2.bin\M3HIGHIN.EXE
c:\program files\MyWebSearch\bar\2.bin\M3HTML.DLL
c:\program files\MyWebSearch\bar\2.bin\M3IDLE.DLL
c:\program files\MyWebSearch\bar\2.bin\M3IMPIPE.EXE
c:\program files\MyWebSearch\bar\2.bin\M3MEDINT.EXE
c:\program files\MyWebSearch\bar\2.bin\M3MSg.dll
c:\program files\MyWebSearch\bar\2.bin\M3NTSTBR.JAR
c:\program files\MyWebSearch\bar\2.bin\M3NTSTBR.MANIFEST
c:\program files\MyWebSearch\bar\2.bin\M3OUtlcn.dll
c:\program files\MyWebSearch\bar\2.bin\M3PLUGIN.DLL
c:\program files\MyWebSearch\bar\2.bin\M3SKIN.DLL
c:\program files\MyWebSearch\bar\2.bin\M3SKPLAY.EXE
c:\program files\MyWebSearch\bar\2.bin\M3SLSRCH.EXE
c:\program files\MyWebSearch\bar\2.bin\M3SRCHMN.EXE
c:\program files\MyWebSearch\bar\2.bin\MWSBAR.DLL
c:\program files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
c:\program files\MyWebSearch\bar\2.bin\MWSOEPLG.DLL
c:\program files\MyWebSearch\bar\2.bin\MWSOESTB.DLL
c:\program files\MyWebSearch\bar\2.bin\MWSSRCAS.DLL
c:\program files\MyWebSearch\bar\2.bin\MWSSVC.EXE
c:\program files\MyWebSearch\bar\2.bin\NPMYWEBS.DLL
c:\program files\MyWebSearch\bar\Avatar\COMMON.F3S
c:\program files\MyWebSearch\bar\Cache\04AD5303
c:\program files\MyWebSearch\bar\Cache\06981D68
c:\program files\MyWebSearch\bar\Cache\069834E8.bin
c:\program files\MyWebSearch\bar\Cache\06983D16.bin
c:\program files\MyWebSearch\bar\Cache\06984D23.bin
c:\program files\MyWebSearch\bar\Cache\06985522.bin
c:\program files\MyWebSearch\bar\Cache\12D01396.bin
c:\program files\MyWebSearch\bar\Cache\12D01D4B
c:\program files\MyWebSearch\bar\Cache\15DDB7DE.bin
c:\program files\MyWebSearch\bar\Cache\15DDBF9E.bin
c:\program files\MyWebSearch\bar\Cache\15DDC74F.bin
c:\program files\MyWebSearch\bar\Cache\15DDCD1C.bin
c:\program files\MyWebSearch\bar\Cache\files.ini
c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
c:\program files\MyWebSearch\bar\Game\CHESS.F3S
c:\program files\MyWebSearch\bar\Game\REVERSI.F3S
c:\program files\MyWebSearch\bar\History\search3
c:\program files\MyWebSearch\bar\icons\CM.ICO
c:\program files\MyWebSearch\bar\icons\MFC.ICO
c:\program files\MyWebSearch\bar\icons\PSS.ICO
c:\program files\MyWebSearch\bar\icons\SMILEY.ICO
c:\program files\MyWebSearch\bar\icons\WB.ICO
c:\program files\MyWebSearch\bar\icons\ZWINKY.ICO
c:\program files\MyWebSearch\bar\Message\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\DOG.F3S
c:\program files\MyWebSearch\bar\Notifier\FISH.F3S
c:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S
c:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
c:\program files\MyWebSearch\bar\Notifier\MAID.F3S
c:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S
c:\program files\MyWebSearch\bar\Notifier\OPERA.F3S
c:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S
c:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S
c:\program files\MyWebSearch\bar\Notifier\SURFER.F3S
c:\program files\MyWebSearch\bar\Settings\prevcfg2.htm
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\MyWebSearch\bar\Settings\setting2.htm
c:\program files\MyWebSearch\bar\Settings\settings.dat
c:\program files\WindowsUpdate
c:\program files\WinPCap
c:\program files\WinPCap\install.log
c:\program files\WinPCap\rpcapd.exe
c:\program files\WinPCap\WinPcapInstall.dll
C:\test.txt
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\system32\Cache
c:\windows\system32\drivers\npf.sys
c:\windows\system32\f3PSSavr.scr
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\wpcap.dll
D:\check_LSA7.txt
H:\install.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Legacy_NPF
-------\Service_MyWebSearchService
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2010-04-04 to 2010-05-04 )))))))))))))))))))))))))))))))
.

2014-05-01 17:01 . 2014-05-01 17:01 -------- d-----w- c:\documents and settings\All Users\Application Data\HPSSUPPLY
2014-05-01 16:50 . 2014-05-01 16:50 -------- d-----w- C:\PSFONTS
2010-04-27 12:35 . 2010-04-27 15:12 -------- d-----w- c:\documents and settings\Omer\Application Data\GetRightToGo
2010-04-26 13:20 . 2010-04-26 13:20 4096 ----a-w- c:\windows\d3dx.dat
2010-04-20 11:01 . 2010-04-20 11:01 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2010-04-20 11:01 . 2010-04-20 11:01 -------- d-----w- c:\windows\system32\xlive
2010-04-20 07:49 . 2010-04-20 07:49 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2010-04-20 07:38 . 2010-03-03 03:20 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2010-04-20 07:35 . 2010-04-20 07:35 -------- d-----w- c:\program files\ATI
2010-04-19 22:20 . 2010-04-20 10:54 -------- d-----w- c:\documents and settings\Omer\Local Settings\Application Data\Rockstar Games
2010-04-19 13:22 . 2010-04-19 13:22 -------- d-----w- c:\program files\DIFX
2010-04-19 13:12 . 2010-04-19 13:17 -------- d-----w- C:\BDS
2010-04-19 11:22 . 2010-04-19 13:11 -------- d-----w- c:\documents and settings\Omer\Application Data\DAEMON Tools Lite
2010-04-19 11:22 . 2010-04-19 11:22 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2010-04-13 11:41 . 2010-04-13 11:41 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
2010-04-13 11:35 . 2010-04-13 11:35 -------- d-----w- c:\documents and settings\Omer\Application Data\ArcSoft
2010-04-13 11:34 . 2010-04-13 11:35 -------- d-----w- c:\documents and settings\Omer\Application Data\HP SimpleSave Application
2010-04-12 14:44 . 2010-04-12 14:44 -------- d-----w- c:\program files\Adobe Media Player
2010-04-10 05:30 . 2010-04-20 10:22 -------- d-----w- c:\documents and settings\Omer\Application Data\Bioshock
2010-04-10 05:10 . 2010-04-20 11:09 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-04-09 17:09 . 2010-04-09 17:09 49152 ----a-w- c:\windows\system32\DirSize.dll
2010-04-05 08:41 . 2010-04-05 12:47 -------- d-----w- c:\documents and settings\Omer\Application Data\VMware
2010-04-05 08:12 . 2010-04-05 08:40 -------- d-----w- c:\documents and settings\NetworkService\Application Data\VMware
2010-04-05 08:10 . 2010-04-05 13:07 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-04 14:07 . 2009-09-02 12:17 121291552 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-05-04 14:07 . 2009-09-02 12:17 4989216 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-05-04 14:01 . 2009-09-02 12:17 474908 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-05-04 14:01 . 2009-09-02 12:17 1641908 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-05-04 13:59 . 2009-03-17 14:19 -------- d-----w- c:\program files\Cheat Engine
2010-05-04 13:44 . 2009-09-02 12:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-05-04 11:12 . 2009-06-14 03:47 -------- d-----w- c:\program files\uTorrent
2010-05-04 11:12 . 2009-06-14 03:46 -------- d-----w- c:\documents and settings\Omer\Application Data\uTorrent
2010-05-03 14:11 . 2009-09-02 12:18 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-05-03 14:11 . 2009-09-02 12:18 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-05-01 20:38 . 2009-01-31 10:33 -------- d-----w- c:\documents and settings\Omer\Application Data\HPAppData
2010-04-28 12:04 . 2009-02-26 14:07 -------- d-----w- c:\program files\Pando Networks
2010-04-27 11:53 . 2008-10-31 17:27 -------- d-----w- c:\program files\studentmashov
2010-04-20 16:53 . 2010-02-12 16:35 434360 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-04-20 14:17 . 2008-06-28 00:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-20 13:13 . 2008-07-21 13:45 -------- d-----w- c:\documents and settings\Omer\Application Data\mIRC
2010-04-20 13:12 . 2008-07-21 13:45 -------- d-----w- c:\program files\mIRC
2010-04-20 07:46 . 2009-12-08 15:58 2815932 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1659004503-1592454029-839522115-1003-0.dat
2010-04-20 07:46 . 2009-12-08 15:58 386298 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
2010-04-20 07:42 . 2009-05-30 19:02 -------- d-----w- c:\program files\ATI Technologies
2010-04-20 07:38 . 2010-04-20 07:38 10134 ----a-r- c:\documents and settings\Omer\Application Data\Microsoft\Installer\{F16DCA31-4DB4-F8F6-5ED1-6FAFB7228FFF}\ARPPRODUCTICON.exe
2010-04-19 11:24 . 2008-06-28 12:58 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-04-16 20:43 . 2010-03-31 16:50 -------- d-----w- c:\documents and settings\Omer\Application Data\wxChecksums
2010-04-16 00:16 . 2008-06-28 20:47 -------- d-----w- c:\program files\Google
2010-04-13 13:44 . 2009-02-10 06:01 92744 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-04-12 14:46 . 2008-06-27 23:19 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-11 11:39 . 2008-07-05 14:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-11 11:36 . 2009-03-11 07:45 -------- d-----w- c:\program files\AGEIA Technologies
2010-04-11 11:30 . 2009-10-25 14:55 -------- d-----w- c:\program files\OpenAL
2010-04-10 16:28 . 2009-11-14 15:53 -------- d-----w- c:\documents and settings\All Users\Application Data\BioWare
2010-04-06 02:12 . 2010-04-17 17:07 114360 ----a-w- c:\documents and settings\Omer\Application Data\Mozilla\Firefox\Profiles\3y46ajbd.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
2010-04-04 11:23 . 2008-07-02 15:29 -------- d-----w- c:\documents and settings\Omer\Application Data\Skype
2010-04-04 11:23 . 2008-07-02 15:30 -------- d-----w- c:\documents and settings\Omer\Application Data\skypePM
2010-04-02 17:18 . 2010-04-03 12:38 52224 ----a-w- c:\documents and settings\Omer\Application Data\Mozilla\Firefox\Profiles\3y46ajbd.default\extensions\{02549309-0dbb-41e7-8366-768cfe100341}\components\FFExternalAlert.dll
2010-04-02 17:18 . 2010-04-03 12:38 101376 ----a-w- c:\documents and settings\Omer\Application Data\Mozilla\Firefox\Profiles\3y46ajbd.default\extensions\{02549309-0dbb-41e7-8366-768cfe100341}\components\RadioWMPCore.dll
2010-04-02 12:09 . 2010-04-03 14:28 52224 ----a-w- c:\documents and settings\Omer\Application Data\Mozilla\Firefox\Profiles\3y46ajbd.default\extensions\{0d6451b1-a91e-435e-ba58-134ec4797456}\components\FFExternalAlert.dll
2010-04-02 12:09 . 2010-04-03 14:28 101376 ----a-w- c:\documents and settings\Omer\Application Data\Mozilla\Firefox\Profiles\3y46ajbd.default\extensions\{0d6451b1-a91e-435e-ba58-134ec4797456}\components\RadioWMPCore.dll
2010-04-02 09:25 . 2010-04-02 09:24 -------- d-----w- c:\program files\TextMe
2010-04-01 17:22 . 2010-04-01 17:22 -------- d-----w- c:\documents and settings\All Users\Application Data\HideIPEasy
2010-04-01 17:22 . 2010-04-01 17:22 -------- d-----w- c:\documents and settings\Omer\Application Data\HideIPEasy
2010-03-31 11:51 . 2009-09-23 10:54 3930788 ----a-w- c:\documents and settings\Omer\test.zip
2010-03-31 10:43 . 2008-07-03 14:20 -------- d-----w- c:\program files\SystemRequirementsLab
2010-03-29 15:16 . 2010-03-29 15:16 185 ----a-w- c:\windows\winnit.reg
2010-03-24 18:51 . 2010-03-24 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-03-24 18:51 . 2010-03-24 18:51 -------- d-----w- c:\documents and settings\Omer\Application Data\Office Genuine Advantage
2010-03-23 13:04 . 2008-07-01 17:17 -------- d-----w- c:\documents and settings\Omer\Application Data\Ubisoft
2010-03-23 13:04 . 2008-07-01 16:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Ubisoft
2010-03-23 13:01 . 2010-03-23 13:01 -------- d-----w- c:\program files\Ubisoft
2010-03-23 06:15 . 2009-12-06 04:45 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-10 06:15 . 2001-08-23 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-03 04:21 . 2008-06-27 23:57 4630016 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2010-03-03 04:07 . 2009-05-30 19:02 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2010-03-03 04:02 . 2009-04-29 01:20 45056 ----a-w- c:\windows\system32\aticalrt.dll
2010-03-03 04:02 . 2009-04-29 01:20 45056 ----a-w- c:\windows\system32\aticalcl.dll
2010-03-03 04:01 . 2009-04-29 01:18 3641344 ----a-w- c:\windows\system32\aticaldd.dll
2010-03-03 03:44 . 2009-03-04 04:08 14262272 ----a-w- c:\windows\system32\atioglxx.dll
2010-03-03 03:40 . 2009-05-30 19:02 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-03-03 03:40 . 2008-06-27 23:57 3616096 ----a-w- c:\windows\system32\ati3duag.dll
2010-03-03 03:39 . 2008-06-27 23:57 301056 ----a-w- c:\windows\system32\ati2dvag.dll
2010-03-03 03:24 . 2009-03-04 04:25 208896 ----a-w- c:\windows\system32\atipdlxx.dll
2010-03-03 03:24 . 2008-06-27 23:57 2232320 ----a-w- c:\windows\system32\ativvaxx.dll
2010-03-03 03:24 . 2009-03-04 04:25 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2010-03-03 03:24 . 2009-05-30 19:02 887724 ----a-w- c:\windows\system32\ativva6x.dat
2010-03-03 03:24 . 2009-05-30 19:02 3 ----a-w- c:\windows\system32\ativva5x.dat
2010-03-03 03:24 . 2009-03-04 04:24 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2010-03-03 03:24 . 2009-03-04 04:24 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-03-03 03:23 . 2009-03-04 04:24 159744 ----a-w- c:\windows\system32\ati2evxx.dll
2010-03-03 03:22 . 2009-03-04 04:23 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2010-03-03 03:21 . 2009-03-04 04:21 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2010-03-03 03:16 . 2009-03-04 03:38 565248 ----a-w- c:\windows\system32\atikvmag.dll
2010-03-03 03:15 . 2009-03-04 03:36 184320 ----a-w- c:\windows\system32\atiadlxx.dll
2010-03-03 03:14 . 2009-03-04 03:35 17408 ----a-w- c:\windows\system32\atitvo32.dll
2010-03-03 03:14 . 2009-03-04 03:28 393216 ----a-w- c:\windows\system32\atiok3x2.dll
2010-03-03 03:09 . 2008-06-27 23:57 638976 ----a-w- c:\windows\system32\ati2cqag.dll
2010-03-03 03:07 . 2009-03-04 03:35 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2010-03-03 03:07 . 2009-04-29 01:26 65024 ----a-w- c:\windows\system32\atimpc32.dll
2010-03-03 03:07 . 2009-03-04 03:42 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2010-02-28 14:59 . 2010-02-28 14:59 58 ----a-w- c:\windows\system32\DonationCoder_ScreenshotCaptor_InstallInfo.dat
2010-02-28 14:59 . 2010-02-28 14:59 58 ----a-w- c:\documents and settings\Omer\Local Settings\Application Data\DonationCoder_ScreenshotCaptor_InstallInfo.dat
2010-02-25 19:55 . 2009-05-30 19:02 201875 ----a-w- c:\windows\system32\atiicdxx.dat
2010-02-25 06:24 . 2001-08-23 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-14 18:17 . 2010-02-20 11:12 651776 ----a-w- c:\documents and settings\Omer\Application Data\Mozilla\Firefox\Profiles\3y46ajbd.default\extensions\[email protected]\platform\WINNT_x86-msvc\components\lpxpcom.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 16:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 16:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 16:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 16:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 16:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 16:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 16:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 16:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 16:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SteamUp"="k:\program files\Cracked Steam\steam.exe" [2010-04-27 1238352]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"librtexec"="javaw -jar" [X]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-19 16844800]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]
"MP10_EnsureFileVer"="c:\windows\inf\unregmp2.exe" [2008-04-14 208896]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"Flashget"="h:\program files\FlashGet\flashget.exe" [2007-09-25 2007088]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"StartCCC"="k:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-03-02 98304]
"AVP"="h:\program files\Kaspersky Anti-Virus 6.0\avp.exe" [2009-09-02 231952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=h:\progra~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Axiom Shift Updater for GuildPortal.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Axiom Shift Updater for GuildPortal.lnk
backup=c:\windows\pss\Axiom Shift Updater for GuildPortal.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GammaTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GammaTray.lnk
backup=c:\windows\pss\GammaTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Omer^Start Menu^Programs^Startup^CurseClientStartup.ccip]
path=c:\documents and settings\Omer\Start Menu\Programs\Startup\CurseClientStartup.ccip
backup=c:\windows\pss\CurseClientStartup.ccipStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 3]
2009-04-30 18:22 2329936 ----a-w- c:\program files\IObit\Advanced SystemCare 3\AWC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
2007-09-25 08:10 2007088 ----a-w- h:\program files\FlashGet\flashget.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-21 14:36 305440 ----a-w- h:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 14:43 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-04 23:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-10-09 11:11 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-04-22 16:53 1238352 ----a-w- h:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Turbine Download Manager Tray Icon]
2008-06-06 10:54 458752 ----a-w- h:\program files\Turbine\Turbine Download Manager - Soundtrack\TurbineDownloadManagerIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipBuster]
2009-05-11 14:00 9017648 ----a-w- c:\program files\VoipBuster.com\VoipBuster\voipbuster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"_MySQL"=2 (0x2)
"SoundtrackTurbineNetworkService"=3 (0x3)
"SoundtrackTurbineMessageService"=2 (0x2)
"PnkBstrA"=2 (0x2)
"npkcmsvc"=2 (0x2)
"npggsvc"=3 (0x3)
"nlsvc"=2 (0x2)
"MyWebSearchService"=2 (0x2)
"MySQL4"=2 (0x2)
"MySQL1"=2 (0x2)
"MySQL"=2 (0x2)
"gusvc"=2 (0x2)
"gupdate1c989f4ad069e8c"=2 (0x2)
"MDM"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"idsvc"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\IEPro\\MiniDM.exe"=
"h:\\Program Files\\FlashGet\\flashget.exe"=
"h:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"h:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"h:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"c:\\Program Files\\VoipBuster.com\\VoipBuster\\VoipBuster.exe"=
"e:\\Program Files\\TianCity\\PopKart\\M01\\Patcher.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"h:\\Program Files\\Prototype\\prototypef.exe"=
"h:\\Program Files\\Turbine\\Turbine Download Manager - Soundtrack\\TurbineNetworkService.exe"=
"h:\\Program Files\\Turbine\\Turbine Download Manager - Soundtrack\\TurbineMessageService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"h:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"h:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
"h:\\Program Files\\Ubisoft\\Assassin's Creed II\\AssassinsCreedIIGame.exe"=
"h:\\Program Files\\Ubisoft\\Assassin's Creed II\\AssassinsCreedII.exe"=
"h:\\Program Files\\Ubisoft\\Assassin's Creed II\\UPlayBrowser.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"h:\\Program Files\\Steam\\steamapps\\common\\r.u.s.e. beta\\Ruse.exe"=
"h:\\Program Files\\Steam\\steamapps\\common\\call of duty modern warfare 2\\iw4mp.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"h:\\Program Files\\Steam\\Steam.exe"=
"h:\\Program Files\\Steam\\steamapps\\common\\empire total war\\Empire.exe"=
"h:\\Program Files\\Steam\\steamapps\\common\\defensegridtheawakening\\DefenseGrid.exe"=
"h:\\Program Files\\Steam\\steamapps\\common\\napoleon total war\\Napoleon.exe"=
"h:\\Program Files\\Steam\\steamapps\\common\\torchlight\\Torchlight.exe"=
"h:\\Program Files\\Steam\\steamapps\\common\\rome total war gold\\RomeTW.exe"=
"h:\\Program Files\\Steam\\steamapps\\common\\rome total war gold\\RomeTW-BI.exe"=
"h:\\Program Files\\Steam\\steamapps\\common\\medieval ii total war\\Launcher.exe"=
"k:\\Program Files\\Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58563:TCP"= 58563:TCP:pando Media Booster
"58563:UDP"= 58563:UDP:pando Media Booster
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [28/06/2008 15:58 691696]
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [23/04/2007 14:03 82200]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [30/05/2007 17:49 24344]
S2 clr_optimization_v4.0.21006_32;Microsoft .NET Framework NGEN v4.0.21006_X86;c:\windows\Microsoft.NET\Framework\v4.0.21006\mscorsvw.exe [07/10/2009 03:44 129856]
S3 cpuz130;cpuz130;\??\c:\docume~1\Omer\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Omer\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;d:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [12/04/2008 19:28 22640]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [10/03/2006 16:55 39424]
S3 MsDepSvc;Web Deployment Agent Service;c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe [09/09/2009 13:13 55176]
S3 VSPerfDrv;Performance Tools Driver;h:\program files\Microsoft Visual Studio 8\Team Tools\Performance Tools\VSPerfDrv.sys [23/09/2005 03:42 54464]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.21006\WPF\WPFFontCache_v0400.exe [07/10/2009 03:44 752984]
S4 _MySQL;_MySQL;"e:\program files\MySQL\Copy of MySQL Server 5.0\bin\mysqld-nt" --defaults-file="e:\program files\MySQL\Copy of MySQL Server 5.0\my.ini" _MySQL --> e:\program files\MySQL\Copy of MySQL Server 5.0\bin\mysqld-nt [?]
S4 gupdate1c989f4ad069e8c;Google Update Service (gupdate1c989f4ad069e8c);c:\program files\Google\Update\GoogleUpdate.exe [08/02/2009 16:53 133104]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [23/07/2009 06:08 47128]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;h:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [23/09/2005 08:01 2799808]
S4 MySQL1;MySQL1;"e:\program files\MySQL\Copy of MySQL Server 5.0\bin\mysqld-nt" --defaults-file="e:\program files\MySQL\Copy of MySQL Server 5.0\my.ini" MySQL1 --> e:\program files\MySQL\Copy of MySQL Server 5.0\bin\mysqld-nt [?]
S4 MySQL4;MySQL4;"e:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt" --defaults-file="e:\program files\MySQL\MySQL Server 5.0\my.ini" MySQL4 --> e:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt [?]
S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [30/03/2009 04:09 239336]
S4 SoundtrackTurbineMessageService;Turbine Message Service - Soundtrack;h:\program files\Turbine\Turbine Download Manager - Soundtrack\TurbineMessageService.exe [02/03/2009 15:48 249856]
S4 SoundtrackTurbineNetworkService;Turbine Network Service - Soundtrack;h:\program files\Turbine\Turbine Download Manager - Soundtrack\TurbineNetworkService.exe [02/03/2009 15:48 212992]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [30/03/2009 04:23 366936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-05-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-08 13:53]

2010-05-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-08 13:53]

2010-05-04 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 13:07]

2014-05-01 c:\windows\Tasks\User_Feed_Synchronization-{6AB3E863-78F6-4D0D-8DEF-1E8590F4DC28}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 01:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.il/
uInternet Settings,ProxyOverride = local;*.local;<local>
IE: &הורד באמצעות פלאש-גט - h:\program files\FlashGet\jc_link.htm
IE: &הורד הכל באמצעות פלאש-גט - h:\program files\FlashGet\jc_all.htm
IE: &יצא ל- Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {803C38B3-87A0-4405-A9EB-8A6AF690E470} = 192.168.1.1
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
FF - ProfilePath - c:\documents and settings\Omer\Application Data\Mozilla\Firefox\Profiles\3y46ajbd.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\Omer\Application Data\Mozilla\Firefox\Profiles\3y46ajbd.default\extensions\{02549309-0dbb-41e7-8366-768cfe100341}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Omer\Application Data\Mozilla\Firefox\Profiles\3y46ajbd.default\extensions\{02549309-0dbb-41e7-8366-768cfe100341}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\Omer\Application Data\Mozilla\Firefox\Profiles\3y46ajbd.default\extensions\{0d6451b1-a91e-435e-ba58-134ec4797456}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Omer\Application Data\Mozilla\Firefox\Profiles\3y46ajbd.default\extensions\{0d6451b1-a91e-435e-ba58-134ec4797456}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\Omer\Application Data\Mozilla\Firefox\Profiles\3y46ajbd.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
FF - component: c:\documents and settings\Omer\Application Data\Mozilla\Firefox\Profiles\3y46ajbd.default\extensions\[email protected]\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\documents and settings\Omer\Application Data\Mozilla\Firefox\Profiles\3y46ajbd.default\extensions\[email protected]\platform\WINNT_x86-msvc\components\lpxpcom.dll
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff36\gears.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMyWebS.dll
FF - plugin: h:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-BitTorrent DNA - c:\program files\DNA\btdna.exe
MSConfigStartUp-CurseClient - c:\program files\Curse\CurseClient.exe
MSConfigStartUp-DAEMON Tools - c:\program files\DAEMON Tools\daemon.exe
MSConfigStartUp-igndlm - c:\program files\Download Manager\DLM.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-uTorrent - c:\program files\uTorrent\uTorrent.exe
AddRemove-Blue Byte Game Channel - h:\bluebyte\BBGC\uninst.dll
AddRemove-S4Uninst - h:\bluebyte\The Settlers IV\uninst.isu
AddRemove-Steam App 21970 - h:\program files\Cracked Steam\steam.exe
AddRemove-UMS 9.7 demonew - c:\program files\Universal Math Solver\UMS 9.7 demonew\uninstall.exe
AddRemove-Zygor Guides - h:\program files\World of Warcraft\Interface\Addons\ZygorGuidesViewer\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-04 17:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll sfsync02.sys atapi.sys spvq.sys >>UNKNOWN [0x8B38C938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0fcf28
\Driver\ACPI -> ACPI.sys @ 0xb9e74cb8
\Driver\atapi -> sfsync02.sys @ 0xba0c98b4
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
NDIS: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xb9cffbb0
PacketIndicateHandler -> NDIS.sys @ 0xb9d0ca21
SendHandler -> NDIS.sys @ 0xb9cea87b
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MsDepSvc]
"ImagePath"="\"c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe\" -runService:MsDepSvc"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\d:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0.27\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0.27\my.ini\" MySQL"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL1]
"ImagePath"="\"e:\program files\MySQL\Copy of MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"e:\program files\MySQL\Copy of MySQL Server 5.0\my.ini\" MySQL1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL4]
"ImagePath"="\"e:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"e:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL4"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\_MySQL]
"ImagePath"="\"e:\program files\MySQL\Copy of MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"e:\program files\MySQL\Copy of MySQL Server 5.0\my.ini\" _MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1659004503-1592454029-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{119D5155-366B-884A-E2CC-C2F402E6222B}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"halmggnhopndfiaj"=hex:6e,61,69,6e,6e,65,6c,65,67,63,63,64,64,62,6b,68,70,67,
64,68,66,70,70,6a,68,62,62,70,00,00
"jammbhniobccffhmbdcp"=hex:6f,61,6d,6d,6f,68,6d,67,6a,6f,65,6f,64,62,66,64,64,
64,63,6d,6e,6b,62,63,6b,68,67,66,64,6b,00,00

[HKEY_USERS\S-1-5-21-1659004503-1592454029-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:cb,50,1c,0d,a7,f1,9a,ea,85,4f,85,fe,03,f7,88,18,82,83,70,17,f8,4e,f3,
95,28,46,fa,26,dc,f9,31,8f,ea,7f,f0,1e,9b,9d,3e,0f,7a,02,75,dc,4b,cf,a6,11,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-1659004503-1592454029-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:44,06,4c,e7,fc,ac,e4,cf,7f,de,db,c0,78,77,01,1e,89,04,6b,65,d2,
7d,51,d1,6d,f2,1a,a0,96,1c,21,ac,7b,a8,33,05,f3,bc,49,0f,83,dc,24,50,08,87,\
"rkeysecu"=hex:0c,57,68,4a,90,6c,7b,58,d3,a2,20,d2,6b,00,d4,8f
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(832)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\windows\system32\klogon.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(1896)
c:\windows\system32\WININET.dll
h:\program files\FlashGet\fgmgr.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\MagicTune Premium\MagicTuneEngine.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\RTHDCPL.EXE
c:\program files\TortoiseSVN\bin\TSVNCache.exe
k:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
k:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\windows\system32\wscntfy.exe
c:\program files\MagicTune Premium\MagicTune.exe
.
**************************************************************************
.
Completion time: 2010-05-04 17:15:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-04 14:15

Pre-Run: 3,544,477,696 bytes free
Post-Run: 4,051,795,968 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn /usepmtimer

- - End Of File - - 9E0944A84B04E3B58E2CCFDC79034AB7
 

omer681

Thread Starter
Joined
Sep 13, 2007
Messages
24
By the way, the problem still exists.
What's strange is that in the 1-2 hours after ComboFix finished running, it wasn't slow anymore, but now it is slow again. It happened a few times before - the slowness comes and goes "randomly".
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First uninstall Daemon Tools.

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Then run GMER again and see if it will run.

It looks like a rootkit, but I am not 100% certain, as Daemon Tools can mask many entries and cause GMER to crash.
 

omer681

Thread Starter
Joined
Sep 13, 2007
Messages
24
Strange, I uninstalled Daemon Tools when you asked me to bring the GMER log...
Anyway, I'll run the tool.
 

omer681

Thread Starter
Joined
Sep 13, 2007
Messages
24
After I ran the tool to disable the CD emulation driver, GMER is still crashing my computer.
 

omer681

Thread Starter
Joined
Sep 13, 2007
Messages
24
I posted the log that was created on C:\, called TDSSKiller.2.2.8.1_05.05.2010_19.42.48_log.txt


19:42:48:171 2948 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
19:42:48:171 2948 ================================================================================
19:42:48:171 2948 SystemInfo:

19:42:48:171 2948 OS Version: 5.1.2600 ServicePack: 3.0
19:42:48:171 2948 Product type: Workstation
19:42:48:171 2948 ComputerName: OMER2
19:42:48:171 2948 UserName: Omer
19:42:48:171 2948 Windows directory: C:\WINDOWS
19:42:48:171 2948 Processor architecture: Intel x86
19:42:48:171 2948 Number of processors: 4
19:42:48:171 2948 Page size: 0x1000
19:42:48:171 2948 Boot type: Normal boot
19:42:48:171 2948 ================================================================================
19:42:48:171 2948 UnloadDriverW: NtUnloadDriver error 2
19:42:48:171 2948 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
19:42:55:890 2948 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
19:42:55:968 2948 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
19:42:55:968 2948 wfopen_ex: Trying to KLMD file open
19:42:55:968 2948 wfopen_ex: File opened ok (Flags 2)
19:42:55:968 2948 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
19:42:56:000 2948 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
19:42:56:000 2948 wfopen_ex: Trying to KLMD file open
19:42:56:000 2948 wfopen_ex: File opened ok (Flags 2)
19:42:56:000 2948 Initialize success
19:42:56:000 2948
19:42:56:000 2948 Scanning Services ...
19:42:56:609 2948 Raw services enum returned 404 services
19:42:56:625 2948
19:42:56:625 2948 Scanning Kernel memory ...
19:42:56:625 2948 Devices to scan: 15
19:42:56:625 2948
19:42:56:625 2948 Driver Name: Disk
19:42:56:625 2948 IRP_MJ_CREATE : BA0FEBB0
19:42:56:625 2948 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
19:42:56:625 2948 IRP_MJ_CLOSE : BA0FEBB0
19:42:56:625 2948 IRP_MJ_READ : BA0F8D1F
19:42:56:625 2948 IRP_MJ_WRITE : BA0F8D1F
19:42:56:625 2948 IRP_MJ_QUERY_INFORMATION : 804F4562
19:42:56:625 2948 IRP_MJ_SET_INFORMATION : 804F4562
19:42:56:625 2948 IRP_MJ_QUERY_EA : 804F4562
19:42:56:625 2948 IRP_MJ_SET_EA : 804F4562
19:42:56:625 2948 IRP_MJ_FLUSH_BUFFERS : BA0F92E2
19:42:56:625 2948 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
19:42:56:625 2948 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
19:42:56:625 2948 IRP_MJ_DIRECTORY_CONTROL : 804F4562
19:42:56:625 2948 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
19:42:56:625 2948 IRP_MJ_DEVICE_CONTROL : BA0F93BB
19:42:56:625 2948 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0FCF28
19:42:56:625 2948 IRP_MJ_SHUTDOWN : BA0F92E2
19:42:56:625 2948 IRP_MJ_LOCK_CONTROL : 804F4562
19:42:56:625 2948 IRP_MJ_CLEANUP : 804F4562
19:42:56:625 2948 IRP_MJ_CREATE_MAILSLOT : 804F4562
19:42:56:625 2948 IRP_MJ_QUERY_SECURITY : 804F4562
19:42:56:625 2948 IRP_MJ_SET_SECURITY : 804F4562
19:42:56:625 2948 IRP_MJ_POWER : BA0FAC82
19:42:56:625 2948 IRP_MJ_SYSTEM_CONTROL : BA0FF99E
19:42:56:625 2948 IRP_MJ_DEVICE_CHANGE : 804F4562
19:42:56:625 2948 IRP_MJ_QUERY_QUOTA : 804F4562
19:42:56:625 2948 IRP_MJ_SET_QUOTA : 804F4562
19:42:56:656 2948 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
19:42:56:656 2948
19:42:56:656 2948 Driver Name: USBSTOR
19:42:56:656 2948 IRP_MJ_CREATE : BA4A5218
19:42:56:656 2948 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
19:42:56:656 2948 IRP_MJ_CLOSE : BA4A5218
19:42:56:656 2948 IRP_MJ_READ : BA4A523C
19:42:56:656 2948 IRP_MJ_WRITE : BA4A523C
19:42:56:656 2948 IRP_MJ_QUERY_INFORMATION : 804F4562
19:42:56:656 2948 IRP_MJ_SET_INFORMATION : 804F4562
19:42:56:656 2948 IRP_MJ_QUERY_EA : 804F4562
19:42:56:656 2948 IRP_MJ_SET_EA : 804F4562
19:42:56:656 2948 IRP_MJ_FLUSH_BUFFERS : 804F4562
19:42:56:656 2948 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
19:42:56:656 2948 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
19:42:56:656 2948 IRP_MJ_DIRECTORY_CONTROL : 804F4562
19:42:56:656 2948 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
19:42:56:656 2948 IRP_MJ_DEVICE_CONTROL : BA4A5180
19:42:56:656 2948 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0C98B4
19:42:56:656 2948 IRP_MJ_SHUTDOWN : 804F4562
19:42:56:656 2948 IRP_MJ_LOCK_CONTROL : 804F4562
19:42:56:656 2948 IRP_MJ_CLEANUP : 804F4562
19:42:56:656 2948 IRP_MJ_CREATE_MAILSLOT : 804F4562
19:42:56:656 2948 IRP_MJ_QUERY_SECURITY : 804F4562
19:42:56:656 2948 IRP_MJ_SET_SECURITY : 804F4562
19:42:56:656 2948 IRP_MJ_POWER : BA4A45F0
19:42:56:656 2948 IRP_MJ_SYSTEM_CONTROL : BA4A2A6E
19:42:56:656 2948 IRP_MJ_DEVICE_CHANGE : 804F4562
19:42:56:656 2948 IRP_MJ_QUERY_QUOTA : 804F4562
19:42:56:656 2948 IRP_MJ_SET_QUOTA : 804F4562
19:42:56:703 2948 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
19:42:56:703 2948
19:42:56:703 2948 Driver Name: Disk
19:42:56:703 2948 IRP_MJ_CREATE : BA0FEBB0
19:42:56:703 2948 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
19:42:56:703 2948 IRP_MJ_CLOSE : BA0FEBB0
19:42:56:703 2948 IRP_MJ_READ : BA0F8D1F
19:42:56:703 2948 IRP_MJ_WRITE : BA0F8D1F
19:42:56:703 2948 IRP_MJ_QUERY_INFORMATION : 804F4562
19:42:56:703 2948 IRP_MJ_SET_INFORMATION : 804F4562
19:42:56:703 2948 IRP_MJ_QUERY_EA : 804F4562
19:42:56:703 2948 IRP_MJ_SET_EA : 804F4562
19:42:56:703 2948 IRP_MJ_FLUSH_BUFFERS : BA0F92E2
19:42:56:703 2948 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
19:42:56:703 2948 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
19:42:56:703 2948 IRP_MJ_DIRECTORY_CONTROL : 804F4562
19:42:56:703 2948 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
19:42:56:703 2948 IRP_MJ_DEVICE_CONTROL : BA0F93BB
19:42:56:703 2948 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0FCF28
19:42:56:703 2948 IRP_MJ_SHUTDOWN : BA0F92E2
19:42:56:703 2948 IRP_MJ_LOCK_CONTROL : 804F4562
19:42:56:703 2948 IRP_MJ_CLEANUP : 804F4562
19:42:56:703 2948 IRP_MJ_CREATE_MAILSLOT : 804F4562
19:42:56:703 2948 IRP_MJ_QUERY_SECURITY : 804F4562
19:42:56:703 2948 IRP_MJ_SET_SECURITY : 804F4562
19:42:56:703 2948 IRP_MJ_POWER : BA0FAC82
19:42:56:703 2948 IRP_MJ_SYSTEM_CONTROL : BA0FF99E
19:42:56:703 2948 IRP_MJ_DEVICE_CHANGE : 804F4562
19:42:56:703 2948 IRP_MJ_QUERY_QUOTA : 804F4562
19:42:56:703 2948 IRP_MJ_SET_QUOTA : 804F4562
19:42:56:734 2948 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
19:42:56:734 2948
19:42:56:734 2948 Driver Name: Disk
19:42:56:734 2948 IRP_MJ_CREATE : BA0FEBB0
19:42:56:734 2948 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
19:42:56:734 2948 IRP_MJ_CLOSE : BA0FEBB0
19:42:56:734 2948 IRP_MJ_READ : BA0F8D1F
19:42:56:734 2948 IRP_MJ_WRITE : BA0F8D1F
19:42:56:734 2948 IRP_MJ_QUERY_INFORMATION : 804F4562
19:42:56:734 2948 IRP_MJ_SET_INFORMATION : 804F4562
19:42:56:734 2948 IRP_MJ_QUERY_EA : 804F4562
19:42:56:734 2948 IRP_MJ_SET_EA : 804F4562
19:42:56:734 2948 IRP_MJ_FLUSH_BUFFERS : BA0F92E2
19:42:56:734 2948 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
19:42:56:734 2948 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
19:42:56:734 2948 IRP_MJ_DIRECTORY_CONTROL : 804F4562
19:42:56:734 2948 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
19:42:56:734 2948 IRP_MJ_DEVICE_CONTROL : BA0F93BB
19:42:56:734 2948 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0FCF28
19:42:56:734 2948 IRP_MJ_SHUTDOWN : BA0F92E2
19:42:56:734 2948 IRP_MJ_LOCK_CONTROL : 804F4562
19:42:56:734 2948 IRP_MJ_CLEANUP : 804F4562
19:42:56:734 2948 IRP_MJ_CREATE_MAILSLOT : 804F4562
19:42:56:734 2948 IRP_MJ_QUERY_SECURITY : 804F4562
19:42:56:734 2948 IRP_MJ_SET_SECURITY : 804F4562
19:42:56:734 2948 IRP_MJ_POWER : BA0FAC82
19:42:56:734 2948 IRP_MJ_SYSTEM_CONTROL : BA0FF99E
19:42:56:734 2948 IRP_MJ_DEVICE_CHANGE : 804F4562
19:42:56:906 2948 Completed
19:42:56:906 2948
19:42:56:906 2948 Results:
19:42:56:906 2948 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
19:42:56:906 2948 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
19:42:56:906 2948 File objects infected / cured / cured on reboot: 0 / 0 / 0
19:42:56:906 2948
19:42:56:921 2948 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
19:42:56:921 2948 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
19:42:56:937 2948 KLMD(ARK) unloaded successfully
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Nothing showing there.

Is it still sending mail?