Virus XP security!

xryckaxx · March 17, 2010

I have virus named "xp security" C:\Documents and Settings\Vartotojas\Local Settings\Application Data\ave.exe he is there but when i go to C:\Documents and Settings\Vartotojas\Local Settings\Application Data\ there is no file ave.exe. + i malware bytes isint updating i get error error code 732 (12007, 0) . so i cant delete that virus. some one please respond!

here's hijack

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Process Blocker\Process Blocker.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Process Blocker\Tray Informer.exe

C:\Program Files\TortoiseSVN\bin\TSVNCache.exe

C:\Program Files\Thomson SpeedTouch\PPPoE\fts.exe

C:\WINDOWS\FixCamera.exe

C:\WINDOWS\tsnp2std.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\JDK\jdk\bin\javaw.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashSimpl.exe

C:\Documents and Settings\Vartotojas\Local Settings\Application Data\ave.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: GdfrDUEn - {A3CF7606-E683-4375-A372-96B75DA0AEF7} - C:\Program Files\Get Styles\enlbrdr.dll

O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll

O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll

O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [%FP%PPPoE fts.exe] "C:\Program Files\Thomson SpeedTouch\PPPoE\fts.exe"

O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe

O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [NT Update] C:\Program Files\Common Files\Microsoft Services\Console\ntupd.exe

O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\freda.exe" /runcleanupscript

O4 - HKLM\..\Run: [syncman] c:\windows\system32\wuaucldt.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKLM\..\Run: [spyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [NT Update] C:\Program Files\Common Files\Microsoft Services\Console\ntupd.exe

O4 - HKCU\..\Run: [syncman] c:\documents and settings\vartotojas\wuaucldt.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [eMuleAutoStart] C:\zMule\zmule.exe -AutoStart

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: monnwb32.exe

O4 - Startup: SDK Tray Menu.lnk = ?

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: GetStyles - {14CD42DD-ABCD-3586-DCAB-40E3693E3737} - C:\Program Files\Get Styles\ct.htm

O9 - Extra 'Tools' menuitem: GetStyles - {14CD42DD-ABCD-3586-DCAB-40E3693E3737} - C:\Program Files\Get Styles\ct.htm

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8942.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Filter hijack: text/html - {574940E0-1B7A-4881-8FA3-1E809714B156} - C:\Documents and Settings\Vartotojas\AppData\LocalLow\Micro

Edited March 18, 2010 by Maurice Naggar
emphasis added

xryckaxx · March 17, 2010

So i need to wait? till some one know hot to delete it?

Maurice Naggar · March 17, 2010

Forum rules do not allow other members to reply to a malware removal case. This thread is for xryckaxx. All others may not post. I have deleted the other posts by others.

@xryckaxx

Review and do as much as you can of the required preliminaries, as per forum requirements.

http://forums.malwarebytes.org/index.php?showtopic=9573

Reply back with log files. Again, do as much as possible of the listed directions in the topic.

and please have -patience- there are many, many other members ahead of you. This forum is super-busy.

Most of the authorized helpers are volunteers, so keep that in mind as well.

Maurice Naggar · March 17, 2010

P.S. I must insist you un-install utorrent + emule/zmule and any other peer-to-peer programs before proceeding further.

Peer-to-peer apps are one of the leading causes of transmission of malware.

File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

P2P file sharing: Know the risks

It is also forum policy to not support cases having P-2P programs.

and also, turn OFF Spybot's Tea Timer as it will interfere with malware removal.

Just so you are aware, forum policy requires removal of any peer-to-peer programs.

We will not be party to obvious use of key gens, cracks, warez or other illegal means of downloading software, music, videos ect. This means no P2P evidence will be supported. Logs that show these in them, will given the option to remove the P2P items.

Keygens, cracks, warez and similar will have the thread closed period. It's theft and against the law.

xryckaxx · March 18, 2010

Thanks

Fixed.

Maurice Naggar · March 18, 2010

Is this pc the same as the one in your other thread --> http://forums.malwarebytes.org/index.php?showtopic=43703

I suspect so, and it would appear it has multiple infections onboard.

I would urge you to do what I suggested AND to do the preliminary steps & reports (reply back here)

as outlined in I'm infected - What do I do now?

xryckaxx · March 19, 2010

Im here. how i remove that rootkits and stuff?

xryckaxx · March 19, 2010

This is dds Log:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Vartotojas at 12:37:09.67 on Thu 03/19/2009

Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_16

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1919.1160 [GMT 2:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\TortoiseSVN\bin\TSVNCache.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Process Blocker\Process Blocker.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\explorer.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Malwarebytes' Anti-Malwares\mbam.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Windows Media Player\wmplayer.exe

C:\Documents and Settings\Vartotojas\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

BHO: GdfrDUEn Class: {a3cf7606-e683-4375-a372-96b75da0aef7} - c:\program files\get styles\enlbrdr.dll

BHO: CPrintEnhancer Object: {ae84a6aa-a333-4b92-b276-c11e2212e4fe} - c:\program files\hp\smart web printing\SmartWebPrinting.dll

BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden

uRun: [EleFunAnimatedWallpaper]

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [NT Update] c:\program files\common files\microsoft services\console\ntupd.exe

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytray

uRun: [eMuleAutoStart] c:\zmule\zmule.exe -AutoStart

uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"

mRun: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [skyTel] SkyTel.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [%FP%PPPoE fts.exe] "c:\program files\thomson speedtouch\pppoe\fts.exe"

mRun: [FixCamera] c:\windows\FixCamera.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [tsnp2std] c:\windows\tsnp2std.exe

mRun: [snp2std] c:\windows\vsnp2std.exe

mRun: [Amazing3DAquariumWallpaper]

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [NT Update] c:\program files\common files\microsoft services\console\ntupd.exe

mRun: [iSTray] "c:\program files\spyware doctor\pctsTray.exe"

mRun: [spyHunter Security Suite] c:\program files\enigma software group\spyhunter\SpyHunter3.exe

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\vartot~1\startm~1\programs\startup\sdktra~1.lnk - c:\program files\jdk\jdk\bin\javaw.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\utilit~1.lnk - c:\windows\system32\sistray.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {14CD42DD-ABCD-3586-DCAB-40E3693E3737} - c:\program files\get styles\ct.htm

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

Filter: text/html - {574940E0-1B7A-4881-8FA3-1E809714B156} - c:\documents and settings\vartotojas\appdata\locallow\micro

Attach.zip

Maurice Naggar · March 19, 2010

Set Windows to show all files and all folders.

On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

Please download Rooter.exe and save to your desktop.

alternate download link

Double-click on Rooter.exe to start the tool. If using Vista, right-click and Run as Administrator...
Click the Scan button to begin.
Once the scan is complete, Notepad will open with a report named Rooter_#.txt (where # is the number assigned to the report).
A folder will be created at the %systemdrive% (usually, C:\Rooter$) where the log will be saved.
Rooter will automatically close. If it doesn't, just press the Close button.
Copy and paste the contents of Rooter_#.txt in your next reply.

Important: Before performing a scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.

Disconnect from the Internet or physically unplug you Internet cable connection.
Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
Temporarily disable your anti-virus and real-time anti-spyware protection.
After starting the scan, do not use the computer until the scan has completed.
When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

Copy & Paste the contents of Rooter log

xryckaxx · March 19, 2010

Rooter.exe (v1.0.2) by Eric_71

.

SeDebugPrivilege granted successfully ...

.

Windows XP . (5.1.2600) Service Pack 2

[32_bits] - x86 Family 6 Model 15 Stepping 2, GenuineIntel

.

[wscsvc] STOPPED (state:1) : Security Center -> Disabled !

[sharedAccess] STOPPED (state:1) : Windows Firewall -> Disabled !

.

Internet Explorer 6.0.2900.2180

Mozilla Firefox 3.6 (en-US)

.

C:\ [Fixed-NTFS] .. ( Total:39 Go - Free:5 Go )

D:\ [Fixed-NTFS] .. ( Total:333 Go - Free:136 Go )

E:\ [Removable]

F:\ [Removable]

G:\ [Removable]

H:\ [Removable]

.

Scan : 13:37.07

Path : C:\Documents and Settings\Vartotojas\Desktop\Rooter.exe

User : Vartotojas ( Administrator -> YES )

.

----------------------\\ Processes

.

Locked [system Process] (0)

______ System (4)

______ \SystemRoot\System32\smss.exe (672)

______ \??\C:\WINDOWS\system32\csrss.exe (720)

______ \??\C:\WINDOWS\system32\winlogon.exe (744)

______ C:\WINDOWS\system32\services.exe (788)

______ C:\WINDOWS\system32\lsass.exe (800)

______ C:\WINDOWS\system32\svchost.exe (976)

______ C:\WINDOWS\system32\svchost.exe (1024)

______ C:\WINDOWS\System32\svchost.exe (1120)

______ C:\WINDOWS\system32\svchost.exe (1240)

______ C:\WINDOWS\system32\svchost.exe (1280)

______ C:\WINDOWS\system32\spoolsv.exe (1520)

______ C:\Program Files\TortoiseSVN\bin\TSVNCache.exe (1888)

______ C:\WINDOWS\system32\svchost.exe (1988)

______ C:\WINDOWS\system32\svchost.exe (172)

______ C:\Program Files\Java\jre6\bin\jqs.exe (200)

______ C:\Program Files\Common Files\LightScribe\LSSrvc.exe (232)

______ C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (284)

______ C:\WINDOWS\System32\svchost.exe (528)

______ C:\WINDOWS\System32\svchost.exe (540)

______ C:\Program Files\Process Blocker\Process Blocker.exe (556)

______ C:\WINDOWS\system32\svchost.exe (644)

______ C:\WINDOWS\explorer.exe (1864)

______ C:\Program Files\Skype\Phone\Skype.exe (2236)

______ C:\Program Files\Skype\Plugin Manager\skypePM.exe (2336)

______ C:\Documents and Settings\Vartotojas\Desktop\Rooter.exe (2184)

.

----------------------\\ Device\Harddisk0\

.

\Device\Harddisk0 [sectors : 63 x 512 Bytes]

.

\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:41940670464)

\Device\Harddisk0\Partition0 (Start_Offset:41940702720 | Length:358136916480)

\Device\Harddisk0\Partition2 (Start_Offset:41940734976 | Length:358136884224)

.

----------------------\\ Scheduled Tasks

.

C:\WINDOWS\Tasks\desktop.ini

C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job

C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job

C:\WINDOWS\Tasks\SA.DAT

C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job

C:\WINDOWS\Tasks\WGASetup.job

.

----------------------\\ Registry

.

----------------------\\ Files & Folders

.

----------------------\\ Scan completed at 13:37.09

.

C:\Rooter$\Rooter_2.txt - (19/03/2009 | 13:37.09)

Maurice Naggar · March 19, 2010

Close the programs that you have started.

Start HijackThis. Look for these lines and place a checkmark against each of the following, if still present

O4 - HKLM\..\Run: [NT Update] C:\Program Files\Common Files\Microsoft Services\Console\ntupd.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [eMuleAutoStart] C:\zMule\zmule.exe -AutoStart

Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer (& or any other window) is closed when you click Fix Checked!

I must insist you un-install utorrent + emule/zmule and any other peer-to-peer programs before proceeding further.

Peer-to-peer apps are one of the leading causes of transmission of malware.

File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

P2P file sharing: Know the risks

It is also forum policy to not support cases having P-2P programs.

Go To Control Panel > Add-or-Remove Programs.

Look for emule

uTorrent

zmule

Remove (de-install) each of those.

Make a confirmation in your reply that these are removed.

More needs to be done to look for any leftover malware, but you must remove peer-to-peer first.

Otherwise, I cannot help you further.

xryckaxx · March 19, 2010

they all are deleted. only shoortcuts was left. I deleted all now. what to do now?

Maurice Naggar · March 19, 2010

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3

* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
Double click on Combo-Fix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

-------------------------------------------------------

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

RE-Enable your AntiVirus and AntiSpyware applications.

Use NOTEPAD. Copy and Paste the contents of C:\Combofix.txt in your next reply

xryckaxx · March 19, 2010

Attaching because list is very big.. Reply fast as you can

ComboFix 10-03-18.02 - Vartotojas 03/19/2009 16:05:08.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1919.1301 [GMT 2:00]

Running from: c:\documents and settings\Vartotojas\Desktop\Combo-Fix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Vartotojas\Local Settings\Temporary Internet Files\86U781VAn.jpg

c:\documents and settings\Vartotojas\Local Settings\Temporary Internet Files\rDT31vaw3.jpg

c:\documents and settings\Vartotojas\Local Settings\Temporary Internet Files\rEn45J.jpg

c:\documents and settings\Vartotojas\Local Settings\Temporary Internet Files\xGe1xKQD1.jpg

c:\program files\Cheat Engine\dbk32.sys

C:\tmp.tmp

C:\tmp2.tmp

c:\windows\f96ac0e5-19d2-42c5-8f68-eb7a99861769.ocx

c:\windows\install.exe

c:\windows\system32\2d2ca2ce-704a-428c-8cbe-0736b29190aa.dll

c:\windows\system32\404Fix.exe

c:\windows\system32\Agent.OMZ.Fix.exe

c:\windows\system32\config\systemprofile\oashdihasidhasuidhiasdhiashdiuasdhasd

c:\windows\system32\detoured.dll

c:\windows\system32\dumphive.exe

c:\windows\system32\IEDFix.C.exe

c:\windows\system32\IEDFix.exe

c:\windows\system32\o4Patch.exe

c:\windows\system32\Process.exe

c:\windows\system32\SrchSTS.exe

c:\windows\system32\system.dll

c:\windows\system32\tmp.reg

c:\windows\system32\VACFix.exe

c:\windows\system32\VCCLSID.exe

c:\windows\system32\WS2Fix.exe

c:\windows\system32\drivers\cdrom.sys was missing

Restored copy from - c:\system volume information\_restore{65FDBE99-7781-4DA7-8FA9-79B1712C1C85}\RP16\A0015596.sys

.

((((((((((((((((((((((((( Files Created from 2009-02-19 to 2009-03-19 )))))))))))))))))))))))))))))))

.

2020-01-28 17:59 . 2020-01-28 17:59 50354 ----a-w- c:\documents and settings\Vartotojas\Application Data\Facebook\uninstall.exe

2020-01-28 17:59 . 2020-01-28 17:59 -------- d-----w- c:\documents and settings\Vartotojas\Application Data\Facebook

2020-01-27 14:48 . 2020-01-27 14:48 -------- d-----w- C:\Phenomedia AG

2020-01-24 19:14 . 2020-01-24 19:14 116792 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2020-01-24 16:48 . 2020-01-24 16:48 -------- d-----w- c:\program files\Zeallsoft

2020-01-24 16:32 . 2020-01-24 16:32 85643 ----a-r- c:\documents and settings\Vartotojas\Application Data\Microsoft\Installer\{05FA911F-E9CE-4C36-A272-A45CCE52C1C0}\_6FEFF9B68218417F98F549.exe

2020-01-24 16:32 . 2020-01-24 16:32 370070 ----a-r- c:\documents and settings\Vartotojas\Application Data\Microsoft\Installer\{05FA911F-E9CE-4C36-A272-A45CCE52C1C0}\_BF3C002E03AB416E34DB8F.exe

2020-01-24 16:32 . 2020-01-24 16:32 370070 ----a-r- c:\documents and settings\Vartotojas\Application Data\Microsoft\Installer\{05FA911F-E9CE-4C36-A272-A45CCE52C1C0}\_36C7B9CDD08DEADA24A112.exe

2020-01-24 16:32 . 2020-01-24 16:32 -------- d-----w- c:\program files\FogelSoft

2020-01-20 09:22 . 2020-01-20 09:22 -------- d-----w- c:\program files\Infogrames

2012-02-17 12:34 . 2012-02-17 12:34 -------- d-----w- c:\program files\Common Files\Skype

2012-02-15 10:19 . 2012-02-15 10:19 -------- d-----w- c:\program files\Common Files\3DO Shared

2012-02-15 10:19 . 2012-02-15 10:19 -------- d-----w- c:\program files\3DO

2012-02-14 17:14 . 2012-02-14 17:20 -------- d-----w- C:\.takerevenge_v8

2012-02-14 11:00 . 2012-02-14 11:00 16286 ----a-w- c:\documents and settings\Vartotojas\Application Data\Sun\Java\Deployment\cache\6.0\5\42c06805-2faf84f7-n\ShoddyHelper.dll

2012-02-12 17:47 . 2012-02-12 17:47 -------- d-----w- c:\program files\GetFLV

2012-02-12 15:48 . 2012-02-12 15:48 -------- d-----w- C:\landofescape_file_store_32

2010-02-26 06:41 . 2010-02-26 06:41 847040 ----a-w- c:\documents and settings\Vartotojas\Application Data\Facebook\axfbootloader.dll

2010-02-26 06:41 . 2010-02-26 06:41 5582848 ----a-w- c:\documents and settings\Vartotojas\Application Data\Facebook\npfbplugin_1_0_3.dll

2010-02-06 12:10 . 2010-02-06 12:10 -------- d-----w- c:\program files\Get Styles

2010-02-06 12:10 . 2010-02-06 12:10 -------- d-----w- c:\documents and settings\Vartotojas\AppData

2010-02-04 17:21 . 2010-02-04 17:21 -------- d-----w- c:\program files\TikGames

2010-02-04 12:39 . 2010-02-04 12:57 -------- d-----w- c:\documents and settings\Vartotojas\Application Data\DC++

2010-02-04 12:39 . 2010-02-04 12:39 -------- d-----w- c:\documents and settings\Vartotojas\Local Settings\Application Data\DC++

2010-02-02 15:38 . 2010-02-02 15:38 -------- d-----w- c:\program files\RS2Botv2

2010-02-02 15:38 . 2010-02-02 15:38 -------- d-----w- c:\documents and settings\Vart

2010-02-02 13:13 . 2010-02-02 13:14 151552 ----a-w- c:\documents and settings\Vartotojas\Application Data\elefundesktops\dragonfly_wallpaper\sysinfo.exe

2010-02-02 13:13 . 2010-02-02 13:14 1153816 ----a-w- c:\documents and settings\Vartotojas\Application Data\elefundesktops\dragonfly_wallpaper\flash.exe

2010-02-02 13:13 . 2010-02-02 13:14 1638404 ----a-w- c:\documents and settings\Vartotojas\Application Data\elefundesktops\dragonfly_wallpaper\swfplayer.exe

2010-02-02 13:13 . 2010-02-02 13:13 98304 ----a-w- c:\documents and settings\Vartotojas\Application Data\elefundesktops\dragonfly_wallpaper\wallpaper.exe

2010-02-02 13:13 . 2010-02-02 13:13 57344 ----a-w- c:\documents and settings\Vartotojas\Application Data\elefundesktops\dragonfly_wallpaper\wallpaper.dll

2010-02-02 13:13 . 2010-02-02 13:13 -------- d-----w- c:\documents and settings\Vartotojas\Application Data\elefundesktops

2010-02-02 12:59 . 2010-02-02 13:05 -------- d-----w- c:\program files\Tetris 5000

2010-01-26 18:32 . 2008-03-05 13:56 3786760 ----a-w- c:\windows\system32\D3DX9_37.dll

2010-01-26 18:32 . 2010-01-26 18:32 -------- d-----w- C:\Games

2010-01-26 14:59 . 2020-01-23 15:32 -------- d-----w- c:\program files\CrisisX

2010-01-26 12:29 . 2010-01-26 12:29 -------- d-----w- c:\documents and settings\Vartotojas\50_Funny_Computer_Pranks_All_In_One

2010-01-26 12:26 . 2009-03-06 18:07 -------- d-----w- c:\documents and settings\Vartotojas\.tucan

2010-01-26 12:26 . 2010-01-26 12:26 -------- d-----w- C:\Tucan

2010-01-26 12:24 . 2010-01-26 12:24 -------- d-----w- c:\documents and settings\Vartotojas\Application Data\URSoft

2010-01-26 12:18 . 2002-12-03 01:10 158208 ----a-w- c:\windows\system32\NCTTextToAudio.dll

2010-01-26 12:18 . 2002-12-03 01:02 491520 ----a-w- c:\windows\system32\NCTAudioFile.dll

2010-01-26 12:18 . 2002-03-19 05:18 120832 ----a-w- c:\windows\system32\lame_enc.dll

2010-01-26 12:18 . 2010-01-26 12:18 -------- d-----w- c:\program files\AliveMedia

2010-01-23 16:36 . 2010-01-23 16:43 -------- d-----w- C:\.trinitypk_file_store_32

2010-01-23 16:35 . 2010-01-23 16:35 -------- d-----w- c:\program files\TrinityPk Client 2.8

2010-01-23 12:01 . 2010-01-23 12:07 -------- d-----w- C:\.sabsabi_store_32

2010-01-23 11:54 . 2010-01-23 12:52 -------- d-----w- C:\.SabsabiOnline_file_store_32

2010-01-22 18:00 . 2010-01-22 18:00 -------- d-----w- c:\program files\BestPractice

2010-01-22 17:42 . 2010-01-22 17:45 118383 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\2B83EECD4CF4910A0260B914BA281BA\wimood-plugins-uninstall.exe

2010-01-22 17:42 . 2010-01-22 17:42 1412608 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\2B83EECD4CF4910A0260B914BA281BA\WiMood.exe

2010-01-22 17:42 . 2010-01-22 17:42 13312 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\2B83EECD4CF4910A0260B914BA281BA\iTunesCollector.dll

2010-01-22 17:42 . 2010-01-22 17:42 1095299 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\2B83EECD4CF4910A0260B914BA281BA\wimood-plugins-setup.exe

2010-01-22 17:36 . 2009-09-04 15:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll

2010-01-22 17:36 . 2006-09-28 14:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll

2010-01-22 17:36 . 2010-01-22 17:36 -------- d-----w- c:\windows\Logs

2010-01-22 17:29 . 2010-01-22 17:29 -------- d-----w- c:\program files\WiMood

2010-01-22 13:01 . 2010-01-22 13:01 -------- d-----w- c:\documents and settings\Vartotojas\Application Data\UNOUndercover

2010-01-21 16:16 . 2010-01-21 16:16 98304 ----a-w- c:\windows\system32\CmdLineExt.dll

2010-01-18 18:58 . 2010-01-18 18:58 557107 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\F6E4F248A04D453E940CFCED80F21C48\RichChat4.exe

2010-01-18 18:58 . 2010-01-18 18:58 53248 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\F6E4F248A04D453E940CFCED80F21C48\EmoticonOle.dll

2010-01-18 18:58 . 2010-01-18 18:58 433664 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\F6E4F248A04D453E940CFCED80F21C48\riched20.dll

2010-01-18 18:58 . 2010-01-18 18:58 1712128 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\F6E4F248A04D453E940CFCED80F21C48\GdiPlus.dll

2010-01-18 18:57 . 2010-01-18 18:57 147456 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\FAD056AD55AA4877BB40184CF49E754C\Interop.SKYPE4COMLib.dll

2010-01-18 18:57 . 2010-01-18 18:57 14328 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\FAD056AD55AA4877BB40184CF49E754C\Skype_uzrasai_ENG.vshost.exe

2010-01-18 18:57 . 2010-01-18 18:57 119808 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\FAD056AD55AA4877BB40184CF49E754C\Skype_uzrasai_ENG.exe

2010-01-18 17:01 . 2010-02-02 15:00 -------- d-----w- C:\rscache

2010-01-16 17:06 . 2010-01-16 17:06 -------- d-----w- C:\tob_cache_32

2010-01-14 17:18 . 2010-01-14 17:24 -------- d-----w- c:\documents and settings\Vartotojas\Local Settings\Application Data\Adobe

2010-01-14 17:18 . 2010-01-14 17:18 -------- d-----w- c:\program files\Common Files\Adobe

2010-01-12 16:50 . 2010-01-12 16:50 -------- d-----w- c:\documents and settings\Vartotojas\Application Data\ArcticLine

2010-01-12 16:50 . 2010-01-12 16:50 -------- d-----w- c:\documents and settings\Vartotojas\Application Data\Thinstall

2010-01-12 16:45 . 2010-01-12 16:45 -------- d-----w- c:\program files\Common Files\Totem Shared

2010-01-11 13:53 . 2010-01-11 13:53 -------- d-----w- c:\windows\cache554

2010-01-10 16:37 . 2010-01-10 16:37 -------- d-----w- C:\.jagex_cache_32

2010-01-10 08:54 . 2010-01-18 12:58 69 ----a-w- c:\documents and settings\Vartotojas\jagex_runescape_preferences2.dat

2010-01-09 20:04 . 2010-01-11 13:53 -------- d-----w- C:\cache554

2010-01-09 19:08 . 2010-01-09 19:08 -------- d-----w- c:\program files\Yamicsoft

2010-01-05 10:22 . 2010-01-05 10:22 -------- d-----w- c:\program files\SystemRequirementsLab

2010-01-05 10:22 . 2010-01-05 10:22 138240 ----a-w- c:\documents and settings\Vartotojas\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_d.dll

2010-01-05 10:22 . 2010-01-05 10:22 138240 ----a-w- c:\documents and settings\Vartotojas\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_c.dll

2010-01-05 10:22 . 2010-01-05 10:22 138240 ----a-w- c:\documents and settings\Vartotojas\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_b.dll

2010-01-05 10:22 . 2010-01-05 10:22 138240 ----a-w- c:\documents and settings\Vartotojas\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_a.dll

2010-01-05 10:22 . 2010-01-05 10:22 -------- d-----w- c:\documents and settings\Vartotojas\Application Data\SystemRequirementsLab

2010-01-03 14:48 . 2020-01-31 08:12 -------- d-----w- c:\windows\Governor of Poker

2010-01-03 14:48 . 2010-01-03 14:48 -------- d-----w- c:\program files\Governor of Poker

2009-12-31 21:00 . 2009-12-31 21:05 -------- d-----w- C:\tobex_bluurr_32

2009-12-31 19:14 . 2009-12-31 19:14 -------- d-----w- c:\documents and settings\Vartotojas\Application Data\fltk.org

2009-12-28 14:47 . 2009-12-28 14:48 -------- d-----w- c:\program files\Quake III Arena

2009-12-28 14:44 . 1998-10-29 14:45 306688 ----a-w- c:\windows\IsUninst.exe

2009-12-25 20:09 . 2005-01-26 13:45 349472 ----a-w- c:\windows\WindowsXP-KB822603-x86.exe

2009-12-25 20:09 . 2006-11-29 14:11 258048 ----a-w- c:\windows\tsnp2std.exe

2009-12-25 20:09 . 2006-09-15 11:21 675840 ----a-w- c:\windows\vsnp2std.exe

2009-12-25 20:09 . 2007-01-26 14:48 12028032 ----a-w- c:\windows\system32\drivers\snp2sxp.sys

2009-12-25 20:09 . 2007-01-25 16:48 25472 ----a-w- c:\windows\system32\drivers\sncamd.sys

2009-12-25 20:09 . 2007-02-05 13:25 151552 ----a-w- c:\windows\system32\rsnp2std.dll

2009-12-25 20:09 . 2006-10-03 12:35 249856 ----a-w- c:\windows\system32\vsnp2std.dll

2009-12-25 20:09 . 2009-12-25 20:09 -------- d-----w- c:\program files\Common Files\snp2std

2009-12-25 20:09 . 2006-11-16 13:57 77824 ----a-w- c:\windows\system32\csnp2std.dll

2009-12-22 16:52 . 2009-12-22 16:57 -------- d-----w- C:\.paradise_file_store_32

2009-12-22 10:19 . 2009-12-22 10:38 -------- d-----w- C:\DF

2009-12-21 12:30 . 2009-12-21 12:39 -------- d-----w- C:\massacred_store_32

2009-12-17 17:18 . 2009-12-17 17:18 -------- d-----w- c:\program files\GhostMouse 2.0

2009-12-17 17:18 . 1997-01-04 10:23 246272 ----a-w- c:\program files\Gmouse.exe

2009-12-17 17:18 . 1996-02-07 06:07 24576 ----a-w- c:\program files\_ISREG32.DLL

2009-12-17 17:03 . 2009-12-17 17:03 2008576 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\04B85A4AD92F471CB8EC199BEBD26C57\Emotion_detector.dll

2009-12-17 14:34 . 2010-01-14 17:55 -------- d-----w- c:\documents and settings\Vartotojas\hs_cachefiles

2009-12-17 09:58 . 2009-12-13 21:42 364320 ----a-w- C:\WindowsXP-KB825033-x86-ENU.exe

2009-12-17 09:58 . 2009-12-13 21:42 147232 ----a-w- C:\WindowsXP-KB825033-x86-ENU-Symbols.exe

2009-12-16 10:56 . 2009-03-18 08:08 -------- d--h--w- c:\windows\PIF

2009-12-13 18:18 . 2009-12-13 18:18 -------- d-----w- c:\documents and settings\Vartotojas\Application Data\Printer Info Cache

2009-12-13 18:18 . 2009-12-13 18:18 -------- d-----w- c:\documents and settings\Vartotojas\Application Data\Image Zone Express

2009-12-13 18:17 . 2009-12-13 18:17 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG

2009-12-13 18:16 . 2009-12-13 08:33 -------- d-----w- c:\documents and settings\Vartotojas\Application Data\HP

2009-12-13 18:15 . 2009-12-13 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\HP

2009-12-13 18:14 . 2009-12-13 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\HPSSUPPLY

2009-12-13 18:14 . 2009-12-13 18:16 -------- d-----w- c:\program files\Common Files\HP

2009-12-13 18:14 . 2009-12-13 18:14 -------- d-----w- c:\program files\Hewlett-Packard

2009-12-13 18:14 . 2009-12-13 18:14 -------- d-----w- c:\program files\Common Files\Hewlett-Packard

2009-12-13 18:13 . 2009-12-13 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard

2009-12-13 18:13 . 2006-12-15 16:04 258048 ----a-r- c:\windows\system32\hpzids01.dll

2009-12-13 18:13 . 2006-12-30 13:49 117760 ----a-w- c:\windows\system32\hpzll4v2.dll

2009-12-13 18:13 . 2006-12-29 07:57 273920 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp4v2.dll

2009-12-13 18:13 . 2006-12-06 06:02 364544 ----a-r- c:\windows\system32\hppldcoi.dll

2009-12-13 18:13 . 2006-12-06 06:02 309760 ----a-r- c:\windows\system32\difxapi.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2020-01-27 14:20 . 2009-09-28 16:57 39 ----a-w- c:\documents and settings\Vartotojas\jagex_runescape_preferences.dat

2020-01-20 09:17 . 2020-01-20 09:17 339 ----a-w- c:\documents and settings\Vartotojas\Application Data\settings.dat

2012-02-17 12:34 . 2009-09-28 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

2010-02-05 07:25 . 2009-03-17 14:52 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2010-02-05 07:17 . 2009-03-17 14:52 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2010-01-23 08:29 . 2010-01-22 17:35 -------- d-----w- c:\program files\Winamp

2010-01-18 18:56 . 2010-01-18 18:56 32 ----a-w- c:\documents and settings\All Users\Application Data\ezsid.dat

2010-01-07 14:07 . 2009-03-18 08:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 14:07 . 2009-03-18 08:01 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-31 15:06 . 2005-10-13 20:36 352640 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-22 05:35 . 2006-03-02 07:28 668672 ----a-w- c:\windows\system32\wininet.dll

2009-12-22 05:35 . 2004-08-03 23:56 81920 ----a-w- c:\windows\system32\ieencode.dll

2009-12-17 17:19 . 2009-12-17 17:18 1685 ----a-w- c:\program files\DeIsL1.isu

2009-12-16 12:58 . 2009-09-28 10:00 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:35 . 2004-08-03 23:56 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-08 18:11 . 2006-02-18 23:47 2142720 ----a-w- c:\windows\system32\ntoskrnl.exe

2009-12-08 17:35 . 2005-10-19 18:35 2020864 ----a-w- c:\windows\system32\ntkrnlpa.exe

2009-12-04 13:37 . 2006-01-16 20:39 456832 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2009-11-27 17:04 . 2006-01-16 20:39 1291776 ----a-w- c:\windows\system32\quartz.dll

2009-11-27 17:04 . 2004-08-04 00:56 17920 ----a-w- c:\windows\system32\msyuv.dll

2009-11-27 16:37 . 2004-08-04 00:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll

2009-11-27 16:37 . 2004-08-03 23:56 11264 ----a-w- c:\windows\system32\msrle32.dll

2009-11-27 16:37 . 2004-08-03 23:56 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-11-27 16:37 . 2001-08-23 12:00 28672 ----a-w- c:\windows\system32\msvidc32.dll

2009-11-27 16:37 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll

2009-11-21 16:36 . 2004-08-03 23:56 470528 ----a-w- c:\windows\AppPatch\aclayers.dll

2009-10-21 05:50 . 2004-08-03 23:56 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:50 . 2004-08-03 23:56 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-20 14:41 . 2005-10-14 16:17 265728 ----a-w- c:\windows\system32\drivers\http.sys

2009-10-15 16:56 . 2006-01-16 20:39 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-10-15 16:56 . 2006-01-16 20:39 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-10-15 12:46 . 2009-09-28 10:03 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2009-10-13 10:53 . 2004-08-03 23:56 266752 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:54 . 2004-08-03 23:56 69632 ----a-w- c:\windows\system32\raschap.dll

2009-10-12 13:54 . 2004-08-03 23:56 112128 ----a-w- c:\windows\system32\rastls.dll

2009-10-06 14:31 . 2009-03-17 14:52 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2009-09-29 09:49 . 2009-09-29 09:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Astroburn Lite

2009-09-29 09:40 . 2009-09-29 09:40 -------- d-----w- c:\program files\Astroburn Toolbar

2009-09-29 09:40 . 2009-09-29 09:40 -------- d-----w- c:\program files\Astroburn Lite

2009-09-29 09:39 . 2009-09-29 09:39 -------- d-----w- c:\documents and settings\Vartotojas\Application Data\Astroburn Lite

2009-09-29 09:29 . 2009-09-28 19:41 -------- d-----w- c:\program files\Common Files\Nero

2009-09-29 09:22 . 2009-09-29 09:22 -------- d-----w- c:\program files\Common Files\LightScribe

2009-09-29 09:08 . 2009-09-29 09:07 -------- d-----w- c:\program files\Philips

2009-09-29 09:07 . 2009-09-29 09:07 -------- d-----w- c:\documents and settings\Vartotojas\Application Data\InstallShield

2009-09-29 07:13 . 2009-09-28 19:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero

2009-09-29 06:39 . 2009-09-29 06:39 -------- d-----w- c:\documents and settings\Vartotojas\Application Data\Nero

2009-09-28 19:56 . 2009-09-28 19:41 -------- d-----w- c:\program files\Nero

2009-09-28 19:55 . 2009-09-28 19:55 -------- d-----w- c:\program files\Windows Sidebar

2009-09-28 17:44 . 2009-09-28 17:44 -------- d-----w- c:\program files\AT Screen Thief 3.8

2009-09-28 17:19 . 2009-09-28 13:26 -------- d-----w- c:\program files\InterVideo

2009-09-28 17:11 . 2009-09-28 17:11 -------- d-----w- c:\program files\Ask.com

2009-09-28 17:07 . 2009-09-28 17:07 -------- d-----w- c:\documents and settings\Vartotojas\Application Data\Ahead

2009-09-28 16:30 . 2009-09-28 16:30 56 ---ha-w- c:\windows\system32\ezsidmv.dat

2009-09-28 16:21 . 2009-09-28 16:21 -------- d-----w- c:\documents and settings\Vartotojas\Application Data\vlc

2009-09-28 16:18 . 2009-09-28 16:18 -------- d-----w- c:\program files\Common Files\FTL Shared

2009-09-28 16:18 . 2009-09-28 16:09 -------- d-----w- c:\program files\Thomson SpeedTouch

2009-09-28 14:02 . 2009-09-28 14:02 -------- d-----w- c:\program files\Realtek

2009-09-28 14:02 . 2009-09-28 14:02 315392 ----a-w- c:\windows\HideWin.exe

2009-09-28 13:58 . 2009-09-28 13:58 -------- d-----w- c:\program files\SiS VGA Utilities V3.80

2009-09-28 13:58 . 2009-09-28 13:58 -------- d-----w- c:\program files\sisagp

2009-09-28 13:34 . 2009-09-28 13:34 -------- d-----w- c:\program files\Microsoft.NET

2009-09-28 13:34 . 2009-09-28 13:34 -------- d-----w- c:\program files\Microsoft ActiveSync

2009-09-28 13:29 . 2009-09-28 13:29 -------- d-----w- c:\program files\VideoLAN

2009-09-28 13:29 . 2009-09-28 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\InterVideo

2009-09-28 13:29 . 2009-09-28 13:29 -------- d-----w- c:\documents and settings\Vartotojas\Application Data\InterVideo

2009-09-28 13:26 . 2009-09-28 13:58 -------- d-----w- c:\program files\Common Files\InstallShield

2009-09-28 10:04 . 2009-09-28 10:04 -------- d-----w- c:\program files\microsoft frontpage

2009-09-28 10:01 . 2009-09-28 10:01 21640 ----a-w- c:\windows\system32\emptyregdb.dat

2009-09-28 10:01 . 2009-09-28 10:01 -------- d-----w- c:\program files\Windows Media Connect 2

2009-09-23 14:10 . 2009-03-17 14:52 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2009-09-16 01:20 . 2009-03-17 14:52 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat

2009-09-15 04:20 . 2009-03-17 14:52 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat

2009-09-15 00:12 . 2009-03-17 14:52 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat

2009-09-15 00:01 . 2009-03-17 14:52 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat

2009-09-11 14:03 . 2004-08-03 23:56 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-04 20:45 . 2004-08-03 23:56 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-08-26 08:16 . 2004-08-03 23:56 247326 ----a-w- c:\windows\system32\strmdll.dll

2009-08-25 09:47 . 2004-08-03 23:56 352256 ----a-w- c:\windows\system32\winhttp.dll

2009-08-19 15:07 . 2009-08-19 15:07 1415000 ----a-w- c:\windows\system32\msxml6.dll

2009-08-14 11:22 . 2005-11-08 22:13 1859328 ----a-w- c:\windows\system32\win32k.sys

2009-08-14 07:59 . 2009-03-17 13:22 33662272 ----a-r- c:\documents and settings\All Users\Application Data\Installations\{58FB2F9A-5F2D-40E8-82DF-4987E60AD8BD}\Setup.exe

2009-08-06 17:24 . 2009-09-28 10:02 327896 ----a-w- c:\windows\system32\wucltui.dll

2009-08-06 17:24 . 2009-09-28 10:02 209632 ----a-w- c:\windows\system32\wuweb.dll

2009-08-06 17:24 . 2009-09-28 10:02 35552 ----a-w- c:\windows\system32\wups.dll

2009-08-06 17:24 . 2005-10-12 08:00 44768 ----a-w- c:\windows\system32\wups2.dll

2009-08-06 17:24 . 2009-09-28 10:02 53472 ----a-w- c:\windows\system32\wuauclt.exe

2009-08-06 17:24 . 2005-10-12 08:00 96480 ----a-w- c:\windows\system32\cdm.dll

2009-08-06 17:23 . 2009-09-28 10:02 575704 ----a-w- c:\windows\system32\wuapi.dll

2009-08-06 17:23 . 2009-09-28 10:02 1929952 ----a-w- c:\windows\system32\wuaueng.dll

2009-08-06 17:23 . 2005-10-12 08:00 215920 ----a-w- c:\windows\system32\muweb.dll

2009-08-05 09:11 . 2004-08-03 23:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-04 17:52 . 2009-08-04 17:52 1193832 ----a-w- c:\windows\system32\FM20.DLL

2009-07-31 13:23 . 2009-09-28 16:46 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-07-31 04:57 . 2005-10-12 16:14 1172480 ----a-w- c:\windows\system32\msxml3.dll

2009-07-20 22:05 . 2009-07-20 22:05 1348432 ----a-w- c:\windows\system32\msxml4.dll

2009-07-17 18:55 . 2004-08-03 23:56 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-17 16:27 . 2004-08-03 23:56 1435648 ----a-w- c:\windows\system32\query.dll

2009-07-13 08:08 . 2006-01-13 18:15 286720 ----a-w- c:\windows\system32\wmpdxm.dll

2009-06-25 18:36 . 2004-08-03 23:56 95744 ----a-w- c:\windows\system32\mqsec.dll

2009-06-25 18:36 . 2004-08-03 23:56 661504 ----a-w- c:\windows\system32\mqqm.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3CF7606-E683-4375-A372-96B75DA0AEF7}]

2010-02-05 17:23 185856 ----a-w- c:\program files\Get Styles\enlbrdr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2009-09-02 11:56 1175944 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-02 1175944]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-02 1175944]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]

@="{C5994560-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]

2009-08-13 15:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]

@="{C5994561-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]

2009-08-13 15:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]

@="{C5994562-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]

2009-08-13 15:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]

@="{C5994563-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]

2009-08-13 15:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]

@="{C5994564-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]

2009-08-13 15:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]

@="{C5994565-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]

2009-08-13 15:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]

@="{C5994566-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]

2009-08-13 15:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]

@="{C5994567-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]

2009-08-13 15:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]

@="{C5994568-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]

2009-08-13 15:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-05-18 2363392]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]

"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-12-03 1205760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SiSPower"="SiSPower.dll" [2007-04-10 53248]

"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 16125440]

"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]

"%FP%PPPoE fts.exe"="c:\program files\Thomson SpeedTouch\PPPoE\fts.exe" [2004-01-07 77312]

"FixCamera"="c:\windows\FixCamera.exe" [2007-01-30 20480]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]

"tsnp2std"="c:\windows\tsnp2std.exe" [2006-11-29 258048]

"snp2std"="c:\windows\vsnp2std.exe" [2006-09-15 675840]

"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-01-18 1286608]

"SpyHunter Security Suite"="c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2009-12-09 866200]

"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-11-09 180224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

c:\documents and settings\Vartotojas\Start Menu\Programs\Startup\

SDK Tray Menu.lnk - c:\program files\JDK\jdk\bin\javaw.exe [2009-11-19 139264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2009-9-28 303104]

Utility Tray.lnk - c:\windows\system32\sistray.exe [2009-9-28 262144]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 12:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Vartotojas^Start Menu^Programs^Startup^Ftwscape 508 Client.lnk]

path=c:\documents and settings\Vartotojas\Start Menu\Programs\Startup\Ftwscape 508 Client.lnk

backup=c:\windows\pss\Ftwscape 508 Client.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Vartotojas^Start Menu^Programs^Startup^Ftwscpe 508 Client.lnk]

path=c:\documents and settings\Vartotojas\Start Menu\Programs\Startup\Ftwscpe 508 Client.lnk

backup=c:\windows\pss\Ftwscpe 508 Client.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"d:\\cs 2\\hl.exe"=

"d:\\XTCS Counter-Strike 1.6 Final Release\\cstrike.exe"=

"d:\\Empire Earth\\Empire Earth.exe"=

"d:\\cs copy\\XTCS Counter-Strike 1.6 Final Release\\cstrike.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"d:\\kiets zaidas\\Geimas\\age2_x1.exe"=

"d:\\Copyof ECSROeris\\SilkErrSender.exe"=

"c:\\Documents and Settings\\Vartotojas\\temp\\TeamViewer\\Version4\\TeamViewer.exe"=

"c:\\WINDOWS\\system32\\java.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"d:\\Counter-Strike Source\\hl2.exe"=

"c:\\Sun\\SDK\\jdk\\bin\\java.exe"=

"c:\\Program Files\\JDK\\jdk\\bin\\java.exe"=

"d:\\Strongholdcrusaders\\Stronghold Crusader.exe"=

"c:\\Documents and Settings\\Vartotojas\\My Documents\\Downloads\\Stronghold.Crusader.Extreme.Full-Rip.Skullptura\\Stronghold Crusader\\Stronghold_Crusader_Extreme.exe"=

"c:\\Documents and Settings\\Vartotojas\\Application Data\\GameRanger\\GameRanger\\GameRanger.exe"=

"c:\\Documents and Settings\\Vartotojas\\My Documents\\Downloads\\Stronghold.Crusader.Extreme.Full-Rip.Skullptura\\Stronghold Crusader\\Stronghold Crusader.exe"=

"d:\\Program Files\\Microsoft Games\\Age of Mythology\\aomx.exe"=

"c:\\WINDOWS\\system32\\dplaysvr.exe"=

"d:\\sad nub\\WOGAI\\Heroes3.exe"=

"c:\\WINDOWS\\system32\\dpnsvr.exe"=

"d:\\Konami\\Yu-Gi-Oh! Power of Chaos JOEY THE PASSION\\joey_pc.exe"=

"d:\\Left 4 Dead\\left4dead.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"d:\\wormsarm\\WA.exe"=

"d:\\kveikas\\Quake3\\quake3.exe"=

"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=

"c:\\Documents and Settings\\Vartotojas\\temp\\TeamViewer\\Version5\\TeamViewer.exe"=

"d:\\Earth`s Special Forces\\esfas\\ESF\\hl.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"4749:TCP"= 4749:TCP:faxdypp

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]

R2 Process Blocker;Process Blocker;c:\program files\Process Blocker\Process Blocker.exe [5/20/2009 6:14 PM 96472]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]

S0 muxv;muxv;c:\windows\system32\drivers\utfyu.sys --> c:\windows\system32\drivers\utfyu.sys [?]

S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/29/2009 7:35 PM 722416]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/3/2009 11:57 AM 133104]

S3 XDva279;XDva279;\??\c:\windows\system32\XDva279.sys --> c:\windows\system32\XDva279.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

uvkftj

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2009-05-18 14:54 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

.

Contents of the 'Scheduled Tasks' folder

2009-03-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-03 09:57]

2020-02-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-03 09:57]

2009-03-19 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

- c:\program files\Ask.com\UpdateTask.exe [2009-09-02 11:56]

2009-03-19 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-12-13 20:18]

.

------- Supplementary Scan -------

.

uStart Page = about:blank

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: {{14CD42DD-ABCD-3586-DCAB-40E3693E3737} - c:\program files\Get Styles\ct.htm

FF - ProfilePath - c:\documents and settings\Vartotojas\Application Data\Mozilla\Firefox\Profiles\nnfj11aw.default\

FF - prefs.js: browser.startup.homepage - google.lt

FF - plugin: c:\documents and settings\Vartotojas\Application Data\Facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-EleFunAnimatedWallpaper - (no file)

HKLM-Run-Amazing3DAquariumWallpaper - (no file)

HKLM-Run-NT Update - c:\program files\Common Files\Microsoft Services\Console\ntupd.exe

MSConfigStartUp-ares - c:\program files\Ares\Ares.exe

MSConfigStartUp-uTorrent - c:\program files\uTorrent\uTorrent.exe

MSConfigStartUp-WinampAgent - c:\program files\Winamp\winampa.exe

MSConfigStartUp-yahoo! - c:\docume~1\VARTOT~1\LOCALS~1\Temp\5910312956don.dll

AddRemove-Astroburn Toolbar - c:\program files\Astroburn Toolbar\uninst.exe

AddRemove-BoxRune 525 - c:\documents and settings\Vartotojas\Desktop\BoxRune 525\Uninstal.exe

AddRemove-CrisisX_0 - c:\program files\CrisisX\CrisisX Client v8.2.5\Uninstall.exe

AddRemove-CrisisX_1 - c:\program files\CrisisX\CrisisX Client v8.5\Uninstall.exe

AddRemove-CrisisX_2 - c:\program files\CrisisX\CrisisX Client v8.6\Uninstall.exe

AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe

AddRemove-FarmVille Tools_is1 - c:\farmvilletools\unins000.exe

AddRemove-Magic Ball 3_is1 - c:\documents and settings\Vartotojas\Desktop\Magic Ball 1

AddRemove-ProPilkki2 - c:\program files\ProPilkki2\uninstall.exe

AddRemove-Ricochet Infinity_is1 - c:\documents and settings\Vartotojas\My Documents\Downloads\Reflexive Arcade\Ricochet Infinity 3.68\ReflexiveArcade\unins000.exe

AddRemove-Wild Tangent - Fate - c:\documents and settings\Vartotojas\My Documents\Downloads\FATE 1&2\Fate 1\Uninstal.exe

AddRemove-{8C3727F2-8E37-49E4-820C-03B1677F53B6} - c:\program files\InstallShield Installation Information\{8C3727F2-8E37-49E4-820C-03B1677F53B6}\setup.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-19 16:09

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

Completion time: 2009-03-19 16:11:26

ComboFix-quarantined-files.txt 2009-03-19 14:11

Pre-Run: 5,427,249,152 bytes free

Post-Run: 5,490,040,832 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5

- - End Of File - - 851FBE73B906F1C7813FF6669131BAF6

Edited March 19, 2010 by Maurice Naggar
CF log place In-line

Maurice Naggar · March 19, 2010

Do NOT use the attach mechanism to put your reports. Always use Copy & Paste and put the report into the body of reply box. The other way adds extra steps for your helper AND is unwanted because your system is an infection case.

You will want to print out or copy these instructions to Notepad for offline reference!

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

Close any open browsers and any other program you started.

Open notepad and copy/paste the text in the quotebox below into it:

http://forums.malwarebytes.org/index.php?showtopic=43642
Suspect::
c:\program files\Common Files\Microsoft Services\Console\ntupd.exe
DirLook::
c:\program files\Common Files\Microsoft Services\Console

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

Note:

Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

Ensure you are connected to the internet and click OK on the message box.

Please let me know if the file was successfully submitted . Thanks.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

=

Use your browser to go here at Virustotal website

Click the Browse button and then navigate to c:\program files\Common Files\Microsoft Services\Console\ntupd.exe, then click the Submit button.

The various virus scanners will identify the file and if it is not identified, the AV vendors will then have a copy of it for analysis. Save the results, and post back here in a reply.

Save the results, and post back here in a reply.

=

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

When done, click the Scanner tab.

Do a FULL Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Reply with the latest C:\Combofix.txt

the Virustotal report

and the latest MBAM scan log

and tell me, How is your system now ?

xryckaxx · March 19, 2010

ComboFix 10-03-18.02 - Vartotojas 03/19/2009 17:34:55.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1919.1405 [GMT 2:00]

Running from: c:\documents and settings\Vartotojas\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Vartotojas\Desktop\CFScript.txt

AV: AVG Anti-Virus plus Firewall *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}