possible win32/agent trojan

May 6, 2009 at 14:09:58
Specs: Windows XP
I installed ESET Smart Suite 4 after McAfee failed to clean/delete a trojan. (I think I got it by clicking on a website, and Spyware Protect 2009 got installed.)
The file name is: wwfcluok.dll
The antivirus says it's marking it for deletion, but it appears again.
I am thinking of formatting the disk.

Please help.




#1
May 6, 2009 at 15:02:57
Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

Rename the setup file, mbam-setup.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename mbam-setup.exe to tool.exe in the filename box, then click Save.

1. Double Click tool.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy & paste the entire report in your next reply.


If Malwarebytes installed but will not run navigate to this folder:

C:\Program Files\Malwarebytes' Anti-Malware

Rename all the .exe files in the Malwarebytes' Anti-Malware folder and try to run it again.

Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This

Rename the setup file, HJTInstall.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename HJTInstall.exe to tools.exe in the filename box, then click Save.
1. Save "tools.exe" to your desktop.
2. Double click on tools.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



#2
May 6, 2009 at 16:54:32
I think it is supposed to delete on reboot but can't. I ran Malwarebytes and restarted 3 times. This is the last log:

Malwarebytes' Anti-Malware 1.36
Database version: 2085
Windows 5.1.2600 Service Pack 3

5/6/2009 7:41:50 PM
mbam-log-2009-05-06 (19-41-50).txt

Scan type: Quick Scan
Objects scanned: 88636
Time elapsed: 4 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07d9420b-3f5b-4aba-86cd-9339d9f52c8b} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\voimxisa (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{07d9420b-3f5b-4aba-86cd-9339d9f52c8b} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\peuslnx.dll (Trojan.Vundo.H) -> Delete on reboot.

This is the HijackThis log after restarting the computer:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:46:04 PM, on 5/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {00A0C1C1-3ACB-409C-B09F-D0F68CC18089} - (no file)
O2 - BHO: (no name) - {00DB934C-3E9F-42EE-A623-1D42D14A0D05} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07D9420B-3F5B-4ABA-86CD-9339D9F52C8B} - c:\windows\system32\peuslnx.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1957994488-220523388-1801674531-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'CeciliaPiriz')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} (Domino Web Access 8 Control) - https://webmail.un.int/dwa8W.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: voimxisa - C:\WINDOWS\SYSTEM32\peuslnx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Update Service (gupdate1c9c414f9fc42be) (gupdate1c9c414f9fc42be) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 9949 bytes



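The HijackThis log above lists the same DLL, peuslnx.dll, both as a Browser Helper Object (O2) and as a Winlogon Notify package (O20), which is the pairing MBAM flagged as Trojan.Vundo.H. As an added example that is not part of this thread and not code from HijackThis or Malwarebytes, the following Python script parses HijackThis-format lines and cross-references each module path across the O2, O3, O4, O20 and O23 sections, so that a module loaded from more than one autostart location, or a BHO registration whose file is missing, stands out without reading the log line by line. The sample lines are copied from the log above; the function names and the quoted-or-first-token rule used to pull the executable out of an O4 command are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed input: a handful of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00A0C1C1-3ACB-409C-B09F-D0F68CC18089} - (no file)
O2 - BHO: (no name) - {07D9420B-3F5B-4ABA-86CD-9339D9F52C8B} - c:\windows\system32\peuslnx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: voimxisa - C:\WINDOWS\SYSTEM32\peuslnx.dll
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
"""

# Sections whose last " - "-separated field is the module path.
DASH_SECTIONS = {"O2", "O3", "O20", "O23"}

# O4 lines carry a command after "[name] "; take the quoted path if present,
# otherwise the first whitespace-delimited token (assumption: unquoted paths
# in Run keys contain no spaces, which holds for the lines in this log).
O4_RE = re.compile(r'^O4 - .*?\] (?:"([^"]+)"|(\S+))')

# A BHO whose DLL is gone: CLSID present, file absent.
ORPHAN_RE = re.compile(r"^O2 - BHO: .* - (\{[0-9A-Fa-f-]+\}) - \(no file\)$")


def parse_entries(log):
    """Yield (section, normalised_path) for each recognised HijackThis line."""
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        path = None
        if section in DASH_SECTIONS:
            path = line.rsplit(" - ", 1)[1]
        elif section == "O4":
            m = O4_RE.match(line)
            if m:
                path = m.group(1) or m.group(2)
        if path is None or path == "(no file)":
            continue
        # Case-insensitive filesystem: lower-case so SYSTEM32 and system32 match.
        yield section, path.strip('"').lower()


def modules_by_section(log):
    """Map each normalised path to the list of sections that load it (numeric order)."""
    found = defaultdict(set)
    for section, path in parse_entries(log):
        found[path].add(section)
    return {p: sorted(s, key=lambda x: int(x[1:])) for p, s in found.items()}


def multi_location_modules(log):
    """Modules referenced from two or more distinct autostart sections."""
    return {p: s for p, s in modules_by_section(log).items() if len(s) > 1}


def winlogon_notify_bhos(log):
    """Modules registered both as a BHO (O2) and as a Winlogon Notify package (O20)."""
    return sorted(p for p, s in modules_by_section(log).items()
                  if "O2" in s and "O20" in s)


def orphan_bhos(log):
    """CLSIDs of BHO registrations whose DLL no longer exists on disk."""
    orphans = []
    for line in log.splitlines():
        m = ORPHAN_RE.match(line.strip())
        if m:
            orphans.append(m.group(1))
    return orphans


if __name__ == "__main__":
    for path, sections in multi_location_modules(SAMPLE_LOG).items():
        print(f"{path}: {', '.join(sections)}")
    print("BHO + Winlogon Notify:", winlogon_notify_bhos(SAMPLE_LOG))
    print("Orphan BHOs:", orphan_bhos(SAMPLE_LOG))
```

The overlap list is a triage signal rather than a verdict: GoogleToolbar.dll also shows up twice (BHO and toolbar), which is normal for a browser toolbar, whereas an unnamed BHO in system32 that also hooks Winlogon Notify is the combination worth quarantining and submitting to the antivirus vendor, and the orphan BHO CLSIDs are the leftovers a cleanup tool such as ComboFix reports under "orphans removed".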

#3
May 6, 2009 at 18:53:45
Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to toolb.exe in the filename box, then click Save.

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline, turn off your ESET antivirus, and turn off any antispyware that you may have.
2. Run Combofix by double clicking the toolb.exe icon on your desktop and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.



#4
May 8, 2009 at 06:12:04
Sorry I wasn't at my computer yesterday. Here is the ComboFix log:


ComboFix 09-05-06.07 - Cecilia 05/08/2009 8:43.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.628 [GMT -4:00]
Running from: c:\documents and settings\Cecilia\Desktop\toolb.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated)
FW: ESET Personal firewall *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\e1000msg.dll

.
((((((((((((((((((((((((( Files Created from 2009-04-08 to 2009-05-08 )))))))))))))))))))))))))))))))
.

2009-05-07 13:05 . 2009-05-07 13:05 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\ESET
2009-05-06 22:53 . 2009-05-06 22:53 -------- d-----w c:\documents and settings\Cecilia\Application Data\Malwarebytes
2009-05-06 22:53 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-06 22:53 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-06 22:53 . 2009-05-06 22:53 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-06 22:53 . 2009-05-06 22:53 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-06 22:32 . 2009-05-06 22:32 -------- d-----w c:\documents and settings\Cecilia\Application Data\jxsygqyr
2009-05-06 22:32 . 2009-05-06 22:32 -------- d-----w c:\documents and settings\Cecilia\Local Settings\Application Data\jxsygqyr
2009-05-06 20:45 . 2009-05-06 20:45 -------- d-----w c:\program files\Trend Micro
2009-05-06 19:27 . 2009-05-06 19:27 -------- d-----w c:\documents and settings\NetworkService\Application Data\jxsygqyr
2009-05-06 19:26 . 2009-05-06 19:27 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\jxsygqyr
2009-05-06 16:44 . 2009-05-06 16:44 -------- d-----w c:\documents and settings\CeciliaPiriz\Local Settings\Application Data\ESET
2009-05-06 16:44 . 2009-05-06 16:44 -------- d-----w c:\documents and settings\CeciliaPiriz\Application Data\ESET
2009-05-06 16:44 . 2009-05-06 20:15 -------- d-----w c:\program files\ESET
2009-05-05 14:44 . 2009-05-05 14:44 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-05-05 14:43 . 2009-05-05 14:43 -------- d-----w c:\documents and settings\Cecilia\Application Data\ESET
2009-05-05 14:43 . 2009-05-05 14:43 -------- d-----w c:\documents and settings\Cecilia\Local Settings\Application Data\ESET
2009-05-05 14:41 . 2009-05-05 14:41 -------- d-----w c:\documents and settings\All Users\Application Data\ESET
2009-05-05 13:20 . 2009-05-05 13:20 -------- d-----w c:\program files\StartCop
2009-05-05 13:07 . 2009-05-05 13:07 -------- d--h--w c:\windows\system32\GroupPolicy
2009-05-05 02:45 . 2009-05-05 02:56 -------- d-----w c:\program files\Unlocker
2009-05-04 16:10 . 2009-05-05 02:39 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-05-04 14:08 . 2009-05-04 14:08 0 ----a-w c:\windows\nsreg.dat
2009-05-04 14:08 . 2009-05-04 14:08 -------- d-----w c:\documents and settings\Cecilia\Local Settings\Application Data\Mozilla
2009-05-01 17:02 . 2009-05-01 17:02 -------- d-----w c:\windows\Downloaded Installations
2009-05-01 14:15 . 2009-05-01 14:15 -------- d-----w c:\documents and settings\CeciliaPiriz\Application Data\Yahoo!
2009-05-01 14:15 . 2009-05-01 14:15 -------- d-----w c:\documents and settings\CeciliaPiriz\Local Settings\Application Data\Google
2009-05-01 13:47 . 2009-05-01 13:47 -------- d-----w c:\documents and settings\CeciliaPiriz\Application Data\Research In Motion
2009-05-01 13:45 . 2009-05-01 13:45 -------- d-----w c:\documents and settings\CeciliaPiriz\Application Data\InstallShield
2009-05-01 07:09 . 2009-05-01 07:09 -------- d-sh--w C:\found.000
2009-05-01 07:00 . 2009-05-01 07:00 -------- d-----w c:\program files\MSXML 4.0
2009-04-30 16:47 . 2009-05-06 16:19 -------- d-----w C:\QUARANTINE
2009-04-30 16:45 . 2009-04-30 16:45 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-04-30 15:38 . 2009-04-30 15:42 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-04-30 15:35 . 2009-04-30 15:35 -------- d-----w c:\documents and settings\LocalService\Application Data\Roxio
2009-04-30 15:35 . 2009-04-30 15:35 -------- d-----w c:\documents and settings\Cecilia\Application Data\Roxio
2009-04-30 15:25 . 2009-04-30 15:25 -------- d-----w c:\documents and settings\Cecilia\Application Data\InstallShield
2009-04-30 15:25 . 2009-04-30 15:25 -------- d-----w c:\documents and settings\All Users\Application Data\Sonic
2009-04-30 15:23 . 2009-04-30 15:38 -------- d-----w c:\documents and settings\All Users\Application Data\Roxio
2009-04-30 15:23 . 2009-04-30 15:23 -------- d-----w c:\program files\Roxio
2009-04-30 15:23 . 2009-04-30 15:24 -------- d-----w c:\program files\Common Files\Roxio Shared
2009-04-30 15:18 . 2007-01-18 14:24 26496 ----a-r c:\windows\system32\drivers\RimSerial.sys
2009-04-30 15:17 . 2009-04-30 15:17 -------- d-----w c:\program files\Research In Motion
2009-04-30 13:23 . 2009-05-05 13:13 256 ----a-w c:\windows\system32\pool.bin
2009-04-30 13:23 . 2009-04-30 13:23 -------- d-----w c:\documents and settings\Cecilia\Application Data\Research In Motion
2009-04-30 13:22 . 2009-04-30 15:17 -------- d-----w c:\program files\Common Files\Research In Motion
2009-04-29 15:30 . 2009-04-29 15:31 -------- d-----w C:\9be96c78a522f8d8d3dd0469
2009-04-24 13:31 . 2009-02-20 18:09 52224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
2009-04-24 13:31 . 2009-02-20 18:09 459264 -c----w c:\windows\system32\dllcache\msfeeds.dll
2009-04-24 13:31 . 2009-02-20 10:20 13824 -c----w c:\windows\system32\dllcache\ieudinit.exe
2009-04-24 13:31 . 2009-02-20 18:09 268288 -c----w c:\windows\system32\dllcache\iertutil.dll
2009-04-24 13:31 . 2009-02-20 18:09 6066176 -c----w c:\windows\system32\dllcache\ieframe.dll
2009-04-24 13:31 . 2009-02-20 18:09 383488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
2009-04-24 13:31 . 2008-07-09 14:25 2455488 -c----w c:\windows\system32\dllcache\ieapfltr.dat
2009-04-24 13:31 . 2009-02-20 18:09 63488 -c----w c:\windows\system32\dllcache\icardie.dll
2009-04-24 13:30 . 2009-04-24 13:31 -------- d-----w C:\562c8d6f493a28201758e604d9aa2d
2009-04-24 13:29 . 2009-04-24 13:30 -------- d-----w C:\03dac92d0daee9bc909c5e90
2009-04-23 13:11 . 2009-04-23 13:11 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-04-23 13:11 . 2009-05-06 19:39 -------- d-----w c:\documents and settings\Cecilia\Application Data\Skype
2009-04-23 13:10 . 2009-04-23 13:11 -------- d-----r c:\program files\Skype
2009-04-23 13:10 . 2009-04-23 13:11 -------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-04-21 15:48 . 2009-04-21 15:48 -------- d-----w c:\documents and settings\Cecilia\Application Data\Sonic
2009-04-21 15:48 . 2009-04-21 15:48 -------- d-----w c:\documents and settings\Cecilia\Application Data\Leadertech
2009-04-21 15:38 . 2009-04-21 15:38 -------- d-----w c:\documents and settings\All Users\Application Data\InstallShield
2009-04-21 15:37 . 2009-04-21 15:37 -------- d-----w c:\program files\Common Files\TiVo Shared
2009-04-21 15:34 . 2004-12-23 06:56 40544 ----a-w c:\windows\system32\drivers\drvnddm.sys
2009-04-21 15:34 . 2005-02-02 07:22 88080 ----a-w c:\windows\system32\drivers\drvmcdb.sys
2009-04-21 15:34 . 2004-12-02 15:04 5627 ----a-w c:\windows\system32\drivers\sscdbhk5.sys
2009-04-21 15:34 . 2004-12-02 15:04 23545 ----a-w c:\windows\system32\drivers\ssrtln.sys
2009-04-21 15:34 . 2005-03-16 09:33 61500 ----a-w c:\windows\system32\tfswapi.dll
2009-04-21 15:34 . 2005-03-16 09:33 98360 ----a-w c:\windows\dla.exe
2009-04-21 15:34 . 2009-04-21 15:42 -------- d-----w c:\windows\system32\dla
2009-04-21 15:34 . 2009-04-21 15:34 -------- d-----w c:\program files\Sonic
2009-04-21 15:33 . 2009-04-21 15:34 -------- d-----w c:\program files\Common Files\Sonic Shared
2009-04-16 19:47 . 2009-04-16 19:47 -------- d-----w c:\documents and settings\CeciliaPiriz\Local Settings\Application Data\Apple Computer
2009-04-16 00:32 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-09 19:21 . 2009-04-09 19:21 55768 ----a-w c:\windows\system32\drivers\epfwtdi.sys
2009-04-09 19:21 . 2009-04-09 19:21 33096 ----a-w c:\windows\system32\drivers\epfwndis.sys
2009-04-09 19:21 . 2009-04-09 19:21 133000 ----a-w c:\windows\system32\drivers\epfw.sys
2009-04-09 19:18 . 2009-04-09 19:18 107256 ----a-w c:\windows\system32\drivers\ehdrv.sys
2009-04-09 19:10 . 2009-04-09 19:10 113960 ----a-w c:\windows\system32\drivers\eamon.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-08 12:28 . 2009-04-01 17:42 -------- d-----w c:\program files\LogMeIn
2009-05-06 16:42 . 2009-04-02 14:45 87448 ----a-w c:\documents and settings\CeciliaPiriz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-06 15:01 . 2009-04-05 23:49 -------- d-----w c:\program files\BPSAtyro
2009-04-30 16:18 . 2009-04-02 14:42 87448 ----a-w c:\documents and settings\Cecilia\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-30 15:18 . 2009-04-01 13:38 -------- d-----w c:\program files\Common Files\InstallShield
2009-04-23 13:11 . 2009-04-03 13:41 -------- d-----w c:\program files\Google
2009-04-07 15:51 . 2009-04-07 15:51 -------- d-----w c:\program files\iTunes
2009-04-07 15:51 . 2009-04-07 15:51 -------- d-----w c:\program files\iPod
2009-04-07 15:51 . 2009-04-07 15:49 -------- d-----w c:\program files\Common Files\Apple
2009-04-07 15:51 . 2009-04-07 15:51 -------- d-----w c:\program files\Bonjour
2009-04-07 15:50 . 2009-04-07 15:50 -------- d-----w c:\program files\QuickTime
2009-04-07 15:50 . 2009-04-07 15:50 -------- d-----w c:\program files\Apple Software Update
2009-04-07 13:02 . 2009-04-07 13:01 -------- d-----w c:\program files\Yahoo!
2009-04-03 16:24 . 2009-04-03 16:24 -------- d-----w c:\program files\Common Files\ARTech
2009-04-03 14:19 . 2009-04-02 16:57 -------- d-----w c:\program files\RMAdmin
2009-04-02 16:17 . 2009-04-02 16:17 -------- d-----w c:\program files\Common Files\RDPrint
2009-04-02 16:17 . 2009-04-01 13:38 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-02 16:17 . 2009-04-02 16:17 -------- d-----w c:\program files\RDS
2009-04-02 16:17 . 2009-04-02 16:17 2255 ----a-w c:\windows\PmData.Dat
2009-04-02 15:02 . 2009-04-02 15:02 -------- d-----w c:\program files\Dell 720
2009-04-02 14:50 . 2009-04-02 14:45 92787 ----a-w c:\windows\hppins05.dat
2009-04-02 14:48 . 2009-04-02 14:46 -------- d-----w c:\program files\HP
2009-04-02 14:45 . 2009-04-02 14:45 -------- d-----w c:\program files\Common Files\SWF Studio
2009-04-02 13:48 . 2009-04-02 13:48 -------- d-----w c:\program files\Common Files\Adobe Systems Shared
2009-04-02 13:48 . 2009-04-02 13:45 -------- d-----w c:\program files\Common Files\Adobe
2009-04-01 17:37 . 2009-04-01 17:34 -------- d-----w c:\program files\Common Files\Intuit
2009-04-01 17:36 . 2009-04-01 17:36 -------- d-----w c:\program files\Common Files\AnswerWorks 4.0
2009-04-01 17:34 . 2009-04-01 17:34 -------- d-----w c:\program files\Intuit
2009-04-01 16:34 . 2009-04-01 16:34 -------- d-----w c:\program files\Common Files\L&H
2009-04-01 16:34 . 2009-04-01 16:34 -------- d-----w c:\program files\Microsoft.NET
2009-04-01 16:34 . 2009-04-01 16:34 -------- d-----w c:\program files\Microsoft ActiveSync
2009-04-01 16:33 . 2009-04-01 16:33 -------- d-----w c:\program files\Microsoft Works
2009-04-01 16:12 . 2009-04-01 16:08 -------- d-----w c:\program files\Intel
2009-04-01 16:01 . 2009-04-01 16:01 -------- d-----w c:\program files\SigmaTel
2009-04-01 14:18 . 2009-04-01 14:18 -------- d-----w c:\program files\Dell
2009-04-01 13:49 . 2009-04-01 13:22 87263 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-01 13:38 . 2009-04-01 13:38 -------- d-----w c:\program files\ATI Technologies
2009-04-01 13:23 . 2009-04-01 13:23 -------- d-----w c:\program files\microsoft frontpage
2009-04-01 13:23 . 2008-04-14 12:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-04-01 13:20 . 2009-04-01 13:20 21640 ----a-w c:\windows\system32\emptyregdb.dat
2009-03-19 20:32 . 2009-04-07 15:51 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-06 14:22 . 2008-04-14 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2008-04-14 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2008-04-14 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2008-04-14 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2008-04-14 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2008-04-14 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2008-04-14 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2008-04-14 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{07D9420B-3F5B-4ABA-86CD-9339D9F52C8B}]
2008-04-14 12:00 104960 ----a-w c:\windows\system32\peuslnx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-04-09 2029640]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 01:35 87352 ----a-w c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\voimxisa]
2008-04-14 12:00 104960 ----a-w c:\windows\system32\peuslnx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0\0]
"Script"=c:\documents and settings\Cecilia\Desktop\borrar-antes-logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=c:\documents and settings\Cecilia\Desktop\borrar-antes-logon.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"CTFMON.EXE"=c:\windows\system32\ctfmon.exe
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
"system tool"=c:\windows\sysguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
"SigmatelSysTrayApp"=stsystra.exe
"IAAnotif"=c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
"JobHisInit"=c:\program files\RDS\RMClient\JobHisInit.exe
"MplSetUp"=c:\program files\RDS\RMClient\MplSetUp.exe
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"dla"=c:\windows\system32\dla\tfswctrl.exe
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe"
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" /hide /waitservice

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 currbsob;currbsob;c:\windows\system32\drivers\currbsob.sys [4/14/2008 8:00 AM 23424]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [4/9/2009 3:18 PM 107256]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [4/9/2009 3:19 PM 731840]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 7:46 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [4/1/2009 1:43 PM 47640]
R3 NmPar;PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [12/24/2008 6:40 AM 80256]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [7/24/2008 7:45 PM 12192]
S0 cerc6;cerc6; [x]
S2 gupdate1c9c414f9fc42be;Google Update Service (gupdate1c9c414f9fc42be);c:\program files\Google\Update\GoogleUpdate.exe [4/23/2009 9:11 AM 133104]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
vplxdzts

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30e43047-1def-11de-9672-806d6172696f}]
\Shell\AutoRun\command - E:\autoRcd.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-05-07 c:\windows\Tasks\At1.job
- c:\windows\system32\peuslnx.dll [2008-04-14 12:00]

2009-05-07 c:\windows\Tasks\At2.job
- c:\windows\system32\peuslnx.dll [2008-04-14 12:00]

2009-05-08 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-23 13:11]
.
- - - - ORPHANS REMOVED - - - -

BHO-{00A0C1C1-3ACB-409C-B09F-D0F68CC18089} - (no file)
BHO-{00DB934C-3E9F-42EE-A623-1D42D14A0D05} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} - hxxps://webmail.un.int/dwa8W.cab
FF - ProfilePath - c:\documents and settings\Cecilia\Application Data\Mozilla\Firefox\Profiles\zq5cefss.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-08 08:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(972)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2009-05-08 8:47
ComboFix-quarantined-files.txt 2009-05-08 12:47

Pre-Run: 470,977,806,336 bytes free
Post-Run: 471,066,587,136 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

277 --- E O F --- 2009-05-01 07:01



#5
May 8, 2009 at 14:12:03
Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\windows\system32\peuslnx.dll
c:\windows\Tasks\At1.job

Driver::
voimxisa

Folder::
c:\documents and settings\Cecilia\Application Data\jxsygqyr
c:\documents and settings\Cecilia\Application Data\jxsygqyr
c:\documents and settings\NetworkService\Local Settings\Application Data\jxsygqyr

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto-start, click "Run".

Please post the log that is produced.



#6
May 8, 2009 at 14:33:35
ComboFix 09-05-06.07 - Cecilia 05/08/2009 17:23.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.575 [GMT -4:00]
Running from: c:\documents and settings\Cecilia\Desktop\toolb.exe
Command switches used :: c:\documents and settings\Cecilia\Desktop\CFScript.txt
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated)
FW: ESET Personal firewall *enabled*

FILE ::
c:\windows\system32\peuslnx.dll
c:\windows\Tasks\At1.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Cecilia\Application Data\jxsygqyr
c:\documents and settings\Cecilia\Application Data\jxsygqyr\profiles.ini
c:\documents and settings\Cecilia\Application Data\jxsygqyr\Profiles\rlnu3bh3.default\cert8.db
c:\documents and settings\Cecilia\Application Data\jxsygqyr\Profiles\rlnu3bh3.default\compatibility.ini
c:\documents and settings\Cecilia\Application Data\jxsygqyr\Profiles\rlnu3bh3.default\compreg.dat
c:\documents and settings\Cecilia\Application Data\jxsygqyr\Profiles\rlnu3bh3.default\cookies.sqlite
c:\documents and settings\Cecilia\Application Data\jxsygqyr\Profiles\rlnu3bh3.default\formhistory.sqlite
c:\documents and settings\Cecilia\Application Data\jxsygqyr\Profiles\rlnu3bh3.default\key3.db
c:\documents and settings\Cecilia\Application Data\jxsygqyr\Profiles\rlnu3bh3.default\localstore.rdf
c:\documents and settings\Cecilia\Application Data\jxsygqyr\Profiles\rlnu3bh3.default\permissions.sqlite
c:\documents and settings\Cecilia\Application Data\jxsygqyr\Profiles\rlnu3bh3.default\places.sqlite-journal
c:\documents and settings\Cecilia\Application Data\jxsygqyr\Profiles\rlnu3bh3.default\places.sqlite
c:\documents and settings\Cecilia\Application Data\jxsygqyr\Profiles\rlnu3bh3.default\pluginreg.dat
c:\documents and settings\Cecilia\Application Data\jxsygqyr\Profiles\rlnu3bh3.default\prefs.js
c:\documents and settings\Cecilia\Application Data\jxsygqyr\Profiles\rlnu3bh3.default\secmod.db
c:\documents and settings\Cecilia\Application Data\jxsygqyr\Profiles\rlnu3bh3.default\webappsstore.sqlite
c:\documents and settings\Cecilia\Application Data\jxsygqyr\Profiles\rlnu3bh3.default\xpti.dat
c:\documents and settings\NetworkService\Local Settings\Application Data\jxsygqyr
c:\documents and settings\NetworkService\Local Settings\Application Data\jxsygqyr\Profiles\uc8t0xkf.default\urlclassifier3.sqlite
c:\documents and settings\NetworkService\Local Settings\Application Data\jxsygqyr\Profiles\uc8t0xkf.default\XPC.mfl
c:\windows\Tasks\At1.job
c:\windows\Tasks\At2.job
c:\windows\system32\peuslnx.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2009-04-08 to 2009-05-08 )))))))))))))))))))))))))))))))
.

2009-05-07 13:05 . 2009-05-07 13:05 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\ESET
2009-05-06 22:53 . 2009-05-06 22:53 -------- d-----w c:\documents and settings\Cecilia\Application Data\Malwarebytes
2009-05-06 22:53 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-06 22:53 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-06 22:53 . 2009-05-06 22:53 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-06 22:53 . 2009-05-06 22:53 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-06 22:32 . 2009-05-06 22:32 -------- d-----w c:\documents and settings\Cecilia\Local Settings\Application Data\jxsygqyr
2009-05-06 20:45 . 2009-05-06 20:45 -------- d-----w c:\program files\Trend Micro
2009-05-06 19:27 . 2009-05-06 19:27 -------- d-----w c:\documents and settings\NetworkService\Application Data\jxsygqyr
2009-05-06 16:44 . 2009-05-06 16:44 -------- d-----w c:\documents and settings\CeciliaPiriz\Local Settings\Application Data\ESET
2009-05-06 16:44 . 2009-05-06 16:44 -------- d-----w c:\documents and settings\CeciliaPiriz\Application Data\ESET
2009-05-06 16:44 . 2009-05-06 20:15 -------- d-----w c:\program files\ESET
2009-05-05 14:44 . 2009-05-05 14:44 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-05-05 14:43 . 2009-05-05 14:43 -------- d-----w c:\documents and settings\Cecilia\Application Data\ESET
2009-05-05 14:43 . 2009-05-05 14:43 -------- d-----w c:\documents and settings\Cecilia\Local Settings\Application Data\ESET
2009-05-05 14:41 . 2009-05-05 14:41 -------- d-----w c:\documents and settings\All Users\Application Data\ESET
2009-05-05 13:20 . 2009-05-05 13:20 -------- d-----w c:\program files\StartCop
2009-05-05 13:07 . 2009-05-05 13:07 -------- d--h--w c:\windows\system32\GroupPolicy
2009-05-05 02:45 . 2009-05-05 02:56 -------- d-----w c:\program files\Unlocker
2009-05-04 16:10 . 2009-05-05 02:39 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-05-04 14:08 . 2009-05-04 14:08 0 ----a-w c:\windows\nsreg.dat
2009-05-04 14:08 . 2009-05-04 14:08 -------- d-----w c:\documents and settings\Cecilia\Local Settings\Application Data\Mozilla
2009-05-01 17:02 . 2009-05-01 17:02 -------- d-----w c:\windows\Downloaded Installations
2009-05-01 14:15 . 2009-05-01 14:15 -------- d-----w c:\documents and settings\CeciliaPiriz\Application Data\Yahoo!
2009-05-01 14:15 . 2009-05-01 14:15 -------- d-----w c:\documents and settings\CeciliaPiriz\Local Settings\Application Data\Google
2009-05-01 13:47 . 2009-05-01 13:47 -------- d-----w c:\documents and settings\CeciliaPiriz\Application Data\Research In Motion
2009-05-01 13:45 . 2009-05-01 13:45 -------- d-----w c:\documents and settings\CeciliaPiriz\Application Data\InstallShield
2009-05-01 07:09 . 2009-05-01 07:09 -------- d-sh--w C:\found.000
2009-05-01 07:00 . 2009-05-01 07:00 -------- d-----w c:\program files\MSXML 4.0
2009-04-30 16:47 . 2009-05-06 16:19 -------- d-----w C:\QUARANTINE
2009-04-30 16:45 . 2009-04-30 16:45 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-04-30 15:38 . 2009-04-30 15:42 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-04-30 15:35 . 2009-04-30 15:35 -------- d-----w c:\documents and settings\LocalService\Application Data\Roxio
2009-04-30 15:35 . 2009-04-30 15:35 -------- d-----w c:\documents and settings\Cecilia\Application Data\Roxio
2009-04-30 15:25 . 2009-04-30 15:25 -------- d-----w c:\documents and settings\Cecilia\Application Data\InstallShield
2009-04-30 15:25 . 2009-04-30 15:25 -------- d-----w c:\documents and settings\All Users\Application Data\Sonic
2009-04-30 15:23 . 2009-04-30 15:38 -------- d-----w c:\documents and settings\All Users\Application Data\Roxio
2009-04-30 15:23 . 2009-04-30 15:23 -------- d-----w c:\program files\Roxio
2009-04-30 15:23 . 2009-04-30 15:24 -------- d-----w c:\program files\Common Files\Roxio Shared
2009-04-30 15:18 . 2007-01-18 14:24 26496 ----a-r c:\windows\system32\drivers\RimSerial.sys
2009-04-30 15:17 . 2009-04-30 15:17 -------- d-----w c:\program files\Research In Motion
2009-04-30 13:23 . 2009-05-05 13:13 256 ----a-w c:\windows\system32\pool.bin
2009-04-30 13:23 . 2009-04-30 13:23 -------- d-----w c:\documents and settings\Cecilia\Application Data\Research In Motion
2009-04-30 13:22 . 2009-04-30 15:17 -------- d-----w c:\program files\Common Files\Research In Motion
2009-04-29 15:30 . 2009-04-29 15:31 -------- d-----w C:\9be96c78a522f8d8d3dd0469
2009-04-24 13:31 . 2009-02-20 18:09 52224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
2009-04-24 13:31 . 2009-02-20 18:09 459264 -c----w c:\windows\system32\dllcache\msfeeds.dll
2009-04-24 13:31 . 2009-02-20 10:20 13824 -c----w c:\windows\system32\dllcache\ieudinit.exe
2009-04-24 13:31 . 2009-02-20 18:09 268288 -c----w c:\windows\system32\dllcache\iertutil.dll
2009-04-24 13:31 . 2009-02-20 18:09 6066176 -c----w c:\windows\system32\dllcache\ieframe.dll
2009-04-24 13:31 . 2009-02-20 18:09 383488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
2009-04-24 13:31 . 2008-07-09 14:25 2455488 -c----w c:\windows\system32\dllcache\ieapfltr.dat
2009-04-24 13:31 . 2009-02-20 18:09 63488 -c----w c:\windows\system32\dllcache\icardie.dll
2009-04-24 13:30 . 2009-04-24 13:31 -------- d-----w C:\562c8d6f493a28201758e604d9aa2d
2009-04-24 13:29 . 2009-04-24 13:30 -------- d-----w C:\03dac92d0daee9bc909c5e90
2009-04-23 13:11 . 2009-04-23 13:11 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-04-23 13:11 . 2009-05-06 19:39 -------- d-----w c:\documents and settings\Cecilia\Application Data\Skype
2009-04-23 13:10 . 2009-04-23 13:11 -------- d-----r c:\program files\Skype
2009-04-23 13:10 . 2009-04-23 13:11 -------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-04-21 15:48 . 2009-04-21 15:48 -------- d-----w c:\documents and settings\Cecilia\Application Data\Sonic
2009-04-21 15:48 . 2009-04-21 15:48 -------- d-----w c:\documents and settings\Cecilia\Application Data\Leadertech
2009-04-21 15:38 . 2009-04-21 15:38 -------- d-----w c:\documents and settings\All Users\Application Data\InstallShield
2009-04-21 15:37 . 2009-04-21 15:37 -------- d-----w c:\program files\Common Files\TiVo Shared
2009-04-21 15:34 . 2004-12-23 06:56 40544 ----a-w c:\windows\system32\drivers\drvnddm.sys
2009-04-21 15:34 . 2005-02-02 07:22 88080 ----a-w c:\windows\system32\drivers\drvmcdb.sys
2009-04-21 15:34 . 2004-12-02 15:04 5627 ----a-w c:\windows\system32\drivers\sscdbhk5.sys
2009-04-21 15:34 . 2004-12-02 15:04 23545 ----a-w c:\windows\system32\drivers\ssrtln.sys
2009-04-21 15:34 . 2005-03-16 09:33 61500 ----a-w c:\windows\system32\tfswapi.dll
2009-04-21 15:34 . 2005-03-16 09:33 98360 ----a-w c:\windows\dla.exe
2009-04-21 15:34 . 2009-04-21 15:42 -------- d-----w c:\windows\system32\dla
2009-04-21 15:34 . 2009-04-21 15:34 -------- d-----w c:\program files\Sonic
2009-04-21 15:33 . 2009-04-21 15:34 -------- d-----w c:\program files\Common Files\Sonic Shared
2009-04-16 19:47 . 2009-04-16 19:47 -------- d-----w c:\documents and settings\CeciliaPiriz\Local Settings\Application Data\Apple Computer
2009-04-16 00:32 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-09 19:21 . 2009-04-09 19:21 55768 ----a-w c:\windows\system32\drivers\epfwtdi.sys
2009-04-09 19:21 . 2009-04-09 19:21 33096 ----a-w c:\windows\system32\drivers\epfwndis.sys
2009-04-09 19:21 . 2009-04-09 19:21 133000 ----a-w c:\windows\system32\drivers\epfw.sys
2009-04-09 19:18 . 2009-04-09 19:18 107256 ----a-w c:\windows\system32\drivers\ehdrv.sys
2009-04-09 19:10 . 2009-04-09 19:10 113960 ----a-w c:\windows\system32\drivers\eamon.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-08 16:11 . 2009-04-05 23:49 -------- d-----w c:\program files\BPSAtyro
2009-05-08 12:28 . 2009-04-01 17:42 -------- d-----w c:\program files\LogMeIn
2009-05-06 16:42 . 2009-04-02 14:45 87448 ----a-w c:\documents and settings\CeciliaPiriz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-30 16:18 . 2009-04-02 14:42 87448 ----a-w c:\documents and settings\Cecilia\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-30 15:18 . 2009-04-01 13:38 -------- d-----w c:\program files\Common Files\InstallShield
2009-04-23 13:11 . 2009-04-03 13:41 -------- d-----w c:\program files\Google
2009-04-07 15:51 . 2009-04-07 15:51 -------- d-----w c:\program files\iTunes
2009-04-07 15:51 . 2009-04-07 15:51 -------- d-----w c:\program files\iPod
2009-04-07 15:51 . 2009-04-07 15:49 -------- d-----w c:\program files\Common Files\Apple
2009-04-07 15:51 . 2009-04-07 15:51 -------- d-----w c:\program files\Bonjour
2009-04-07 15:50 . 2009-04-07 15:50 -------- d-----w c:\program files\QuickTime
2009-04-07 15:50 . 2009-04-07 15:50 -------- d-----w c:\program files\Apple Software Update
2009-04-07 13:02 . 2009-04-07 13:01 -------- d-----w c:\program files\Yahoo!
2009-04-03 16:24 . 2009-04-03 16:24 -------- d-----w c:\program files\Common Files\ARTech
2009-04-03 14:19 . 2009-04-02 16:57 -------- d-----w c:\program files\RMAdmin
2009-04-02 16:17 . 2009-04-02 16:17 -------- d-----w c:\program files\Common Files\RDPrint
2009-04-02 16:17 . 2009-04-01 13:38 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-02 16:17 . 2009-04-02 16:17 -------- d-----w c:\program files\RDS
2009-04-02 16:17 . 2009-04-02 16:17 2255 ----a-w c:\windows\PmData.Dat
2009-04-02 15:02 . 2009-04-02 15:02 -------- d-----w c:\program files\Dell 720
2009-04-02 14:50 . 2009-04-02 14:45 92787 ----a-w c:\windows\hppins05.dat
2009-04-02 14:48 . 2009-04-02 14:46 -------- d-----w c:\program files\HP
2009-04-02 14:45 . 2009-04-02 14:45 -------- d-----w c:\program files\Common Files\SWF Studio
2009-04-02 13:48 . 2009-04-02 13:48 -------- d-----w c:\program files\Common Files\Adobe Systems Shared
2009-04-02 13:48 . 2009-04-02 13:45 -------- d-----w c:\program files\Common Files\Adobe
2009-04-01 17:37 . 2009-04-01 17:34 -------- d-----w c:\program files\Common Files\Intuit
2009-04-01 17:36 . 2009-04-01 17:36 -------- d-----w c:\program files\Common Files\AnswerWorks 4.0
2009-04-01 17:34 . 2009-04-01 17:34 -------- d-----w c:\program files\Intuit
2009-04-01 16:34 . 2009-04-01 16:34 -------- d-----w c:\program files\Common Files\L&H
2009-04-01 16:34 . 2009-04-01 16:34 -------- d-----w c:\program files\Microsoft.NET
2009-04-01 16:34 . 2009-04-01 16:34 -------- d-----w c:\program files\Microsoft ActiveSync
2009-04-01 16:33 . 2009-04-01 16:33 -------- d-----w c:\program files\Microsoft Works
2009-04-01 16:12 . 2009-04-01 16:08 -------- d-----w c:\program files\Intel
2009-04-01 16:01 . 2009-04-01 16:01 -------- d-----w c:\program files\SigmaTel
2009-04-01 14:18 . 2009-04-01 14:18 -------- d-----w c:\program files\Dell
2009-04-01 13:49 . 2009-04-01 13:22 87263 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-01 13:38 . 2009-04-01 13:38 -------- d-----w c:\program files\ATI Technologies
2009-04-01 13:23 . 2009-04-01 13:23 -------- d-----w c:\program files\microsoft frontpage
2009-04-01 13:23 . 2008-04-14 12:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-04-01 13:20 . 2009-04-01 13:20 21640 ----a-w c:\windows\system32\emptyregdb.dat
2009-03-19 20:32 . 2009-04-07 15:51 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-06 14:22 . 2008-04-14 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2008-04-14 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2008-04-14 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2008-04-14 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2008-04-14 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2008-04-14 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2008-04-14 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2008-04-14 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{07D9420B-3F5B-4ABA-86CD-9339D9F52C8B}]
2008-04-14 12:00 104960 ----a-w c:\windows\system32\peuslnx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-04-09 2029640]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 01:35 87352 ----a-w c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\voimxisa]
2008-04-14 12:00 104960 ----a-w c:\windows\system32\peuslnx.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"CTFMON.EXE"=c:\windows\system32\ctfmon.exe
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
"system tool"=c:\windows\sysguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
"SigmatelSysTrayApp"=stsystra.exe
"IAAnotif"=c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
"JobHisInit"=c:\program files\RDS\RMClient\JobHisInit.exe
"MplSetUp"=c:\program files\RDS\RMClient\MplSetUp.exe
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"dla"=c:\windows\system32\dla\tfswctrl.exe
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe"
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" /hide /waitservice

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 currbsob;currbsob;c:\windows\system32\drivers\currbsob.sys [4/14/2008 8:00 AM 23424]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [4/9/2009 3:18 PM 107256]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [4/9/2009 3:19 PM 731840]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 7:46 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [4/1/2009 1:43 PM 47640]
R3 NmPar;PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [12/24/2008 6:40 AM 80256]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [7/24/2008 7:45 PM 12192]
S0 cerc6;cerc6; [x]
S2 gupdate1c9c414f9fc42be;Google Update Service (gupdate1c9c414f9fc42be);c:\program files\Google\Update\GoogleUpdate.exe [4/23/2009 9:11 AM 133104]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
vplxdzts

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30e43047-1def-11de-9672-806d6172696f}]
\Shell\AutoRun\command - E:\autoRcd.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-05-08 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-23 13:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} - hxxps://webmail.un.int/dwa8W.cab
FF - ProfilePath - c:\documents and settings\Cecilia\Application Data\Mozilla\Firefox\Profiles\zq5cefss.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-08 17:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(976)
c:\windows\system32\LMIinit.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\LogMeIn\x86\ramaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
.
**************************************************************************
.
Completion time: 2009-05-08 17:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-08 21:30
ComboFix2.txt 2009-05-08 12:47

Pre-Run: 471,046,975,488 bytes free
Post-Run: 471,036,383,232 bytes free

300 --- E O F --- 2009-05-01 07:01



#7
May 9, 2009 at 19:22:26
Open Notepad > click Format > click Word Wrap to uncheck it > exit Notepad.

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\windows\system32\peuslnx.dll
c:\windows\Tasks\At1.job

Driver::
voimxisa
jxsygqyr
vplxdzts

Folder::
c:\documents and settings\Cecilia\Application Data\jxsygqyr
c:\documents and settings\Cecilia\Application Data\jxsygqyr
c:\documents and settings\NetworkService\Local Settings\Application Data\jxsygqyr

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{07D9420B-3F5B-4ABA-86CD-9339D9F52C8B}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\voimxisa]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\NetSvcs]
vplxdzts-

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto-start, click "Run".

Please post the log that is produced.


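The two CFScripts above (#5 and #7) target the same small set of loading points that the ComboFix logs expose: one DLL registered under a Browser Helper Object CLSID, the same DLL under a Winlogon\Notify subkey with an unrelated random name, two At*.job tasks whose target is that DLL rather than a program, and a non-default name in the svchost NetSvcs group. The script below is an added example, not part of the thread and not ComboFix's code: it parses the "Reg Loading Points" and "Scheduled Tasks" text in the format seen in these logs, groups every loading point by the file it references, and applies four rules that correspond to what the CFScript removes. The excerpt it parses is constructed from the entries posted above; the regexes, rule names and the subkey-name heuristic are this example's own assumptions.

```python
"""Triage ComboFix-style 'Reg Loading Points' / 'Scheduled Tasks' text.

Added example (not from the thread, not ComboFix). SAMPLE_LOG is a constructed
excerpt built from the log entries posted above; nothing is read from a live box.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{07D9420B-3F5B-4ABA-86CD-9339D9F52C8B}]
2008-04-14 12:00 104960 ----a-w c:\\windows\\system32\\peuslnx.dll

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"egui"="c:\\program files\\ESET\\ESET Smart Security\\egui.exe" [2009-04-09 2029640]

[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\LMIinit]
2008-10-17 01:35 87352 ----a-w c:\\windows\\system32\\LMIinit.dll

[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\voimxisa]
2008-04-14 12:00 104960 ----a-w c:\\windows\\system32\\peuslnx.dll

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost - NetSvcs
vplxdzts

Contents of the 'Scheduled Tasks' folder

2009-05-07 c:\\windows\\Tasks\\At1.job
- c:\\windows\\system32\\peuslnx.dll [2008-04-14 12:00]

2009-05-07 c:\\windows\\Tasks\\At2.job
- c:\\windows\\system32\\peuslnx.dll [2008-04-14 12:00]
"""

# Line shapes as they appear in the log (these regexes are this example's own).
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \d+ [-a-z]+ (?P<path>\S.*)$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="?(?P<path>[^"\[]+?)"?(?: \[.*\])?$')
TASK_RE = re.compile(r"^\d{4}-\d\d-\d\d (?P<job>\S+\.job)$")
TASK_TARGET_RE = re.compile(r"^- (?P<path>.+?) \[.*\]$")
NETSVCS_HEADER = "Svchost - NetSvcs"


def mechanism_for(key):
    """Classify a registry key by the persistence mechanism it represents."""
    k = key.lower()
    if "browser helper objects" in k:
        return "bho"
    if "winlogon\\notify" in k:
        return "winlogon-notify"
    return "run-key" if k.endswith("\\run") else "other"


def parse_loading_points(text):
    """Return (mechanism, location, target) tuples; target is None for NetSvcs names."""
    entries, key, job, in_netsvcs = [], None, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:                      # a blank line closes the current block
            key, job, in_netsvcs = None, None, False
            continue
        if NETSVCS_HEADER in line:
            in_netsvcs = True
            continue
        if in_netsvcs:                    # ComboFix lists only non-default group members
            entries.append(("svchost-netsvcs", line, None))
        elif m := KEY_RE.match(line):
            key = m.group("key")
        elif m := TASK_RE.match(line):
            job = m.group("job")
        elif job and (m := TASK_TARGET_RE.match(line)):
            entries.append(("scheduled-task", job, m.group("path").lower()))
        elif key and (m := FILE_RE.match(line)):
            entries.append((mechanism_for(key), key, m.group("path").lower()))
        elif key and (m := RUN_RE.match(line)):
            entries.append((mechanism_for(key), key + "\\" + m.group("name"),
                            m.group("path").strip().lower()))
    return entries


def group_by_target(entries):
    """Map each referenced file to the (mechanism, location) pairs that load it."""
    groups = defaultdict(list)
    for mechanism, location, target in entries:
        if target:
            groups[target].append((mechanism, location))
    return dict(groups)


def triage(text):
    """Apply the four rules; returns (subject, rule, detail) tuples."""
    entries = parse_loading_points(text)
    findings = []
    for target, refs in sorted(group_by_target(entries).items()):
        mechanisms = sorted({m for m, _ in refs})
        if len(mechanisms) > 1:           # one file hooked from several mechanisms
            findings.append((target, "multi-hook", "%d loading points: %s"
                             % (len(refs), ", ".join(mechanisms))))
        if "scheduled-task" in mechanisms and target.endswith(".dll"):
            findings.append((target, "task-runs-dll", "a .job whose target is a DLL"))
    for mechanism, location, target in entries:
        if mechanism == "svchost-netsvcs":
            findings.append((location, "netsvcs", "non-default svchost NetSvcs member"))
        elif mechanism == "winlogon-notify":
            subkey = location.rsplit("\\", 1)[-1]
            stem = target.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if subkey.lower() != stem.lower():   # heuristic: legit packages name the subkey after the DLL
                findings.append((location, "notify-mismatch", "subkey '%s' loads '%s' into "
                                 "winlogon.exe at boot; a mapped DLL cannot be deleted in place"
                                 % (subkey, stem)))
    return findings


if __name__ == "__main__":
    for subject, rule, detail in triage(SAMPLE_LOG):
        print("[%s] %s: %s" % (rule, subject, detail))
```

Run against the constructed excerpt it reports peuslnx.dll under "multi-hook" (BHO, Winlogon Notify and scheduled task) and "task-runs-dll", the voimxisa Notify subkey under "notify-mismatch", and vplxdzts under "netsvcs"; LMIinit (LogMeIn's Notify package, whose subkey matches its DLL) and the ESET Run entry produce nothing. The Notify rule also explains the "failed to delete" in logs #6 and #8: a DLL that winlogon.exe has mapped is in use, which is why ComboFix reboots to finish the job.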

#8
May 10, 2009 at 08:26:17
(Sorry for the word wrap before.)

ComboFix 09-05-06.07 - Cecilia 05/10/2009 11:11.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.555 [GMT -4:00]
Running from: c:\documents and settings\Cecilia\Desktop\toolb.exe
Command switches used :: c:\documents and settings\Cecilia\Desktop\CFScript.txt
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated)
FW: ESET Personal firewall *enabled*

FILE ::
c:\windows\system32\peuslnx.dll
c:\windows\Tasks\At1.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\peuslnx.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VPLXDZTS


((((((((((((((((((((((((( Files Created from 2009-04-10 to 2009-05-10 )))))))))))))))))))))))))))))))
.

2009-05-07 13:05 . 2009-05-07 13:05 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\ESET
2009-05-06 22:53 . 2009-05-06 22:53 -------- d-----w c:\documents and settings\Cecilia\Application Data\Malwarebytes
2009-05-06 22:53 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-06 22:53 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-06 22:53 . 2009-05-06 22:53 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-06 22:53 . 2009-05-06 22:53 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-06 22:32 . 2009-05-06 22:32 -------- d-----w c:\documents and settings\Cecilia\Local Settings\Application Data\jxsygqyr
2009-05-06 20:45 . 2009-05-06 20:45 -------- d-----w c:\program files\Trend Micro
2009-05-06 19:27 . 2009-05-06 19:27 -------- d-----w c:\documents and settings\NetworkService\Application Data\jxsygqyr
2009-05-06 16:44 . 2009-05-06 16:44 -------- d-----w c:\documents and settings\CeciliaPiriz\Local Settings\Application Data\ESET
2009-05-06 16:44 . 2009-05-06 16:44 -------- d-----w c:\documents and settings\CeciliaPiriz\Application Data\ESET
2009-05-06 16:44 . 2009-05-06 20:15 -------- d-----w c:\program files\ESET
2009-05-05 14:44 . 2009-05-05 14:44 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-05-05 14:43 . 2009-05-05 14:43 -------- d-----w c:\documents and settings\Cecilia\Application Data\ESET
2009-05-05 14:43 . 2009-05-05 14:43 -------- d-----w c:\documents and settings\Cecilia\Local Settings\Application Data\ESET
2009-05-05 14:41 . 2009-05-05 14:41 -------- d-----w c:\documents and settings\All Users\Application Data\ESET
2009-05-05 13:20 . 2009-05-05 13:20 -------- d-----w c:\program files\StartCop
2009-05-05 13:07 . 2009-05-05 13:07 -------- d--h--w c:\windows\system32\GroupPolicy
2009-05-05 02:45 . 2009-05-05 02:56 -------- d-----w c:\program files\Unlocker
2009-05-04 16:10 . 2009-05-05 02:39 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-05-04 14:08 . 2009-05-04 14:08 0 ----a-w c:\windows\nsreg.dat
2009-05-04 14:08 . 2009-05-04 14:08 -------- d-----w c:\documents and settings\Cecilia\Local Settings\Application Data\Mozilla
2009-05-01 17:02 . 2009-05-01 17:02 -------- d-----w c:\windows\Downloaded Installations
2009-05-01 14:15 . 2009-05-01 14:15 -------- d-----w c:\documents and settings\CeciliaPiriz\Application Data\Yahoo!
2009-05-01 14:15 . 2009-05-01 14:15 -------- d-----w c:\documents and settings\CeciliaPiriz\Local Settings\Application Data\Google
2009-05-01 13:47 . 2009-05-01 13:47 -------- d-----w c:\documents and settings\CeciliaPiriz\Application Data\Research In Motion
2009-05-01 13:45 . 2009-05-01 13:45 -------- d-----w c:\documents and settings\CeciliaPiriz\Application Data\InstallShield
2009-05-01 07:09 . 2009-05-01 07:09 -------- d-sh--w C:\found.000
2009-05-01 07:00 . 2009-05-01 07:00 -------- d-----w c:\program files\MSXML 4.0
2009-04-30 16:47 . 2009-05-06 16:19 -------- d-----w C:\QUARANTINE
2009-04-30 16:45 . 2009-04-30 16:45 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-04-30 15:38 . 2009-04-30 15:42 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-04-30 15:35 . 2009-04-30 15:35 -------- d-----w c:\documents and settings\LocalService\Application Data\Roxio
2009-04-30 15:35 . 2009-04-30 15:35 -------- d-----w c:\documents and settings\Cecilia\Application Data\Roxio
2009-04-30 15:25 . 2009-04-30 15:25 -------- d-----w c:\documents and settings\Cecilia\Application Data\InstallShield
2009-04-30 15:25 . 2009-04-30 15:25 -------- d-----w c:\documents and settings\All Users\Application Data\Sonic
2009-04-30 15:23 . 2009-04-30 15:38 -------- d-----w c:\documents and settings\All Users\Application Data\Roxio
2009-04-30 15:23 . 2009-04-30 15:23 -------- d-----w c:\program files\Roxio
2009-04-30 15:23 . 2009-04-30 15:24 -------- d-----w c:\program files\Common Files\Roxio Shared
2009-04-30 15:18 . 2007-01-18 14:24 26496 ----a-r c:\windows\system32\drivers\RimSerial.sys
2009-04-30 15:17 . 2009-04-30 15:17 -------- d-----w c:\program files\Research In Motion
2009-04-30 13:23 . 2009-05-05 13:13 256 ----a-w c:\windows\system32\pool.bin
2009-04-30 13:23 . 2009-04-30 13:23 -------- d-----w c:\documents and settings\Cecilia\Application Data\Research In Motion
2009-04-30 13:22 . 2009-04-30 15:17 -------- d-----w c:\program files\Common Files\Research In Motion
2009-04-29 15:30 . 2009-04-29 15:31 -------- d-----w C:\9be96c78a522f8d8d3dd0469
2009-04-24 13:31 . 2009-02-20 18:09 52224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
2009-04-24 13:31 . 2009-02-20 18:09 459264 -c----w c:\windows\system32\dllcache\msfeeds.dll
2009-04-24 13:31 . 2009-02-20 10:20 13824 -c----w c:\windows\system32\dllcache\ieudinit.exe
2009-04-24 13:31 . 2009-02-20 18:09 268288 -c----w c:\windows\system32\dllcache\iertutil.dll
2009-04-24 13:31 . 2009-02-20 18:09 6066176 -c----w c:\windows\system32\dllcache\ieframe.dll
2009-04-24 13:31 . 2009-02-20 18:09 383488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
2009-04-24 13:31 . 2008-07-09 14:25 2455488 -c----w c:\windows\system32\dllcache\ieapfltr.dat
2009-04-24 13:31 . 2009-02-20 18:09 63488 -c----w c:\windows\system32\dllcache\icardie.dll
2009-04-24 13:30 . 2009-04-24 13:31 -------- d-----w C:\562c8d6f493a28201758e604d9aa2d
2009-04-24 13:29 . 2009-04-24 13:30 -------- d-----w C:\03dac92d0daee9bc909c5e90
2009-04-23 13:11 . 2009-04-23 13:11 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-04-23 13:11 . 2009-05-06 19:39 -------- d-----w c:\documents and settings\Cecilia\Application Data\Skype
2009-04-23 13:10 . 2009-04-23 13:11 -------- d-----r c:\program files\Skype
2009-04-23 13:10 . 2009-04-23 13:11 -------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-04-21 15:48 . 2009-04-21 15:48 -------- d-----w c:\documents and settings\Cecilia\Application Data\Sonic
2009-04-21 15:48 . 2009-04-21 15:48 -------- d-----w c:\documents and settings\Cecilia\Application Data\Leadertech
2009-04-21 15:38 . 2009-04-21 15:38 -------- d-----w c:\documents and settings\All Users\Application Data\InstallShield
2009-04-21 15:37 . 2009-04-21 15:37 -------- d-----w c:\program files\Common Files\TiVo Shared
2009-04-21 15:34 . 2004-12-23 06:56 40544 ----a-w c:\windows\system32\drivers\drvnddm.sys
2009-04-21 15:34 . 2005-02-02 07:22 88080 ----a-w c:\windows\system32\drivers\drvmcdb.sys
2009-04-21 15:34 . 2004-12-02 15:04 5627 ----a-w c:\windows\system32\drivers\sscdbhk5.sys
2009-04-21 15:34 . 2004-12-02 15:04 23545 ----a-w c:\windows\system32\drivers\ssrtln.sys
2009-04-21 15:34 . 2005-03-16 09:33 61500 ----a-w c:\windows\system32\tfswapi.dll
2009-04-21 15:34 . 2005-03-16 09:33 98360 ----a-w c:\windows\dla.exe
2009-04-21 15:34 . 2009-04-21 15:42 -------- d-----w c:\windows\system32\dla
2009-04-21 15:34 . 2009-04-21 15:34 -------- d-----w c:\program files\Sonic
2009-04-21 15:33 . 2009-04-21 15:34 -------- d-----w c:\program files\Common Files\Sonic Shared
2009-04-16 19:47 . 2009-04-16 19:47 -------- d-----w c:\documents and settings\CeciliaPiriz\Local Settings\Application Data\Apple Computer
2009-04-16 00:32 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-10 13:01 . 2009-04-01 17:42 -------- d-----w c:\program files\LogMeIn
2009-05-08 16:11 . 2009-04-05 23:49 -------- d-----w c:\program files\BPSAtyro
2009-05-06 16:42 . 2009-04-02 14:45 87448 ----a-w c:\documents and settings\CeciliaPiriz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-30 16:18 . 2009-04-02 14:42 87448 ----a-w c:\documents and settings\Cecilia\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-30 15:18 . 2009-04-01 13:38 -------- d-----w c:\program files\Common Files\InstallShield
2009-04-23 13:11 . 2009-04-03 13:41 -------- d-----w c:\program files\Google
2009-04-09 19:21 . 2009-04-09 19:21 55768 ----a-w c:\windows\system32\drivers\epfwtdi.sys
2009-04-09 19:21 . 2009-04-09 19:21 33096 ----a-w c:\windows\system32\drivers\epfwndis.sys
2009-04-09 19:21 . 2009-04-09 19:21 133000 ----a-w c:\windows\system32\drivers\epfw.sys
2009-04-09 19:18 . 2009-04-09 19:18 107256 ----a-w c:\windows\system32\drivers\ehdrv.sys
2009-04-09 19:10 . 2009-04-09 19:10 113960 ----a-w c:\windows\system32\drivers\eamon.sys
2009-04-07 15:51 . 2009-04-07 15:51 -------- d-----w c:\program files\iTunes
2009-04-07 15:51 . 2009-04-07 15:51 -------- d-----w c:\program files\iPod
2009-04-07 15:51 . 2009-04-07 15:49 -------- d-----w c:\program files\Common Files\Apple
2009-04-07 15:51 . 2009-04-07 15:51 -------- d-----w c:\program files\Bonjour
2009-04-07 15:50 . 2009-04-07 15:50 -------- d-----w c:\program files\QuickTime
2009-04-07 15:50 . 2009-04-07 15:50 -------- d-----w c:\program files\Apple Software Update
2009-04-07 13:02 . 2009-04-07 13:01 -------- d-----w c:\program files\Yahoo!
2009-04-03 16:24 . 2009-04-03 16:24 -------- d-----w c:\program files\Common Files\ARTech
2009-04-03 14:19 . 2009-04-02 16:57 -------- d-----w c:\program files\RMAdmin
2009-04-02 16:17 . 2009-04-02 16:17 -------- d-----w c:\program files\Common Files\RDPrint
2009-04-02 16:17 . 2009-04-01 13:38 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-02 16:17 . 2009-04-02 16:17 -------- d-----w c:\program files\RDS
2009-04-02 16:17 . 2009-04-02 16:17 2255 ----a-w c:\windows\PmData.Dat
2009-04-02 15:02 . 2009-04-02 15:02 -------- d-----w c:\program files\Dell 720
2009-04-02 14:50 . 2009-04-02 14:45 92787 ----a-w c:\windows\hppins05.dat
2009-04-02 14:48 . 2009-04-02 14:46 -------- d-----w c:\program files\HP
2009-04-02 14:45 . 2009-04-02 14:45 -------- d-----w c:\program files\Common Files\SWF Studio
2009-04-02 13:48 . 2009-04-02 13:48 -------- d-----w c:\program files\Common Files\Adobe Systems Shared
2009-04-02 13:48 . 2009-04-02 13:45 -------- d-----w c:\program files\Common Files\Adobe
2009-04-01 17:37 . 2009-04-01 17:34 -------- d-----w c:\program files\Common Files\Intuit
2009-04-01 17:36 . 2009-04-01 17:36 -------- d-----w c:\program files\Common Files\AnswerWorks 4.0
2009-04-01 17:34 . 2009-04-01 17:34 -------- d-----w c:\program files\Intuit
2009-04-01 16:34 . 2009-04-01 16:34 -------- d-----w c:\program files\Common Files\L&H
2009-04-01 16:34 . 2009-04-01 16:34 -------- d-----w c:\program files\Microsoft.NET
2009-04-01 16:34 . 2009-04-01 16:34 -------- d-----w c:\program files\Microsoft ActiveSync
2009-04-01 16:33 . 2009-04-01 16:33 -------- d-----w c:\program files\Microsoft Works
2009-04-01 16:12 . 2009-04-01 16:08 -------- d-----w c:\program files\Intel
2009-04-01 16:01 . 2009-04-01 16:01 -------- d-----w c:\program files\SigmaTel
2009-04-01 14:18 . 2009-04-01 14:18 -------- d-----w c:\program files\Dell
2009-04-01 13:49 . 2009-04-01 13:22 87263 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-01 13:38 . 2009-04-01 13:38 -------- d-----w c:\program files\ATI Technologies
2009-04-01 13:23 . 2009-04-01 13:23 -------- d-----w c:\program files\microsoft frontpage
2009-04-01 13:23 . 2008-04-14 12:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-04-01 13:20 . 2009-04-01 13:20 21640 ----a-w c:\windows\system32\emptyregdb.dat
2009-03-19 20:32 . 2009-04-07 15:51 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-06 14:22 . 2008-04-14 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2008-04-14 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2008-04-14 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{07D9420B-3F5B-4ABA-86CD-9339D9F52C8B}]
2008-04-14 12:00 104960 ----a-w c:\windows\system32\peuslnx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-04-09 2029640]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 01:35 87352 ----a-w c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\voimxisa]
2008-04-14 12:00 104960 ----a-w c:\windows\system32\peuslnx.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"CTFMON.EXE"=c:\windows\system32\ctfmon.exe
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
"system tool"=c:\windows\sysguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
"SigmatelSysTrayApp"=stsystra.exe
"IAAnotif"=c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
"JobHisInit"=c:\program files\RDS\RMClient\JobHisInit.exe
"MplSetUp"=c:\program files\RDS\RMClient\MplSetUp.exe
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"dla"=c:\windows\system32\dla\tfswctrl.exe
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe"
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" /hide /waitservice

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 currbsob;currbsob;c:\windows\system32\drivers\currbsob.sys [4/14/2008 8:00 AM 23424]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [4/9/2009 3:18 PM 107256]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [4/9/2009 3:19 PM 731840]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 7:46 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [4/1/2009 1:43 PM 47640]
R3 NmPar;PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [12/24/2008 6:40 AM 80256]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [7/24/2008 7:45 PM 12192]
S0 cerc6;cerc6; [x]
S2 gupdate1c9c414f9fc42be;Google Update Service (gupdate1c9c414f9fc42be);c:\program files\Google\Update\GoogleUpdate.exe [4/23/2009 9:11 AM 133104]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30e43047-1def-11de-9672-806d6172696f}]
\Shell\AutoRun\command - E:\autoRcd.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-05-10 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-23 13:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} - hxxps://webmail.un.int/dwa8W.cab
FF - ProfilePath - c:\documents and settings\Cecilia\Application Data\Mozilla\Firefox\Profiles\zq5cefss.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-10 11:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(988)
c:\windows\system32\LMIinit.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\LogMeIn\x86\ramaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-10 11:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-10 15:22
ComboFix2.txt 2009-05-08 21:30
ComboFix3.txt 2009-05-08 12:47

Pre-Run: 471,029,395,456 bytes free
Post-Run: 470,958,882,816 bytes free

278 --- E O F --- 2009-05-01 07:01


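The "Reg Loading Points" section of the log above shows the same file, peuslnx.dll, registered both as a Browser Helper Object and as a Winlogon Notify package, which is why deleting one entry has not kept it from coming back. As an added example (not part of this thread or of ComboFix), the Python below parses that section of a ComboFix log and reports any binary loaded through more than one autostart mechanism; the sample lines are a constructed subset copied from the log above.

```python
"""Cross-reference the 'Reg Loading Points' section of a ComboFix log.

One binary registered under several different autostart mechanisms (in the
log above: a Browser Helper Object and a Winlogon Notify package both point
at peuslnx.dll) is a persistence signal worth flagging: removing one entry
leaves the other to reload the DLL at the next logon or browser start.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the loading points from the log above.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{07D9420B-3F5B-4ABA-86CD-9339D9F52C8B}]
2008-04-14 12:00 104960 ----a-w c:\windows\system32\peuslnx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-04-09 2029640]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 01:35 87352 ----a-w c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\voimxisa]
2008-04-14 12:00 104960 ----a-w c:\windows\system32\peuslnx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SigmatelSysTrayApp"=stsystra.exe
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
"system tool"=c:\windows\sysguard.exe
"""

# Substrings of the (lower-cased) registry key that identify the mechanism.
# 'currentversion\run' also matches the disabled 'run-' keys ComboFix lists.
MECHANISMS = (
    ("browser helper objects", "BHO"),
    (r"winlogon\notify", "WinlogonNotify"),
    (r"currentversion\run", "Run"),
)

KEY_RE = re.compile(r"^\[(.+)\]$")
# "date time size attributes path" lines that ComboFix prints under a key
FILE_LINE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ \S+ (.+)$")
VALUE_LINE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')
PATH_RE = re.compile(r'([a-z]:\\[^"\[]+?\.(?:exe|dll))', re.IGNORECASE)


def classify(key):
    """Map a registry key to the autostart mechanism it belongs to."""
    lowered = key.lower()
    for needle, label in MECHANISMS:
        if needle in lowered:
            return label
    return "Other"


def target_of(value):
    """Extract the executable or DLL path from a '"name"=value' line."""
    match = PATH_RE.search(value)
    if match:
        return match.group(1)
    # Bare names without a drive letter, e.g. stsystra.exe
    return value.strip().strip('"').split(" ")[0]


def parse_loading_points(text):
    """Return (mechanism, key, value_name, target) tuples for every load point."""
    records = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            continue
        if key is None or not line:
            continue
        file_match = FILE_LINE_RE.match(line)
        if file_match:
            records.append((classify(key), key, "(default)", file_match.group(1)))
            continue
        value_match = VALUE_LINE_RE.match(line)
        if value_match:
            target = target_of(value_match.group("value"))
            records.append((classify(key), key, value_match.group("name"), target))
    return records


def shared_targets(records):
    """Binaries loaded by more than one distinct mechanism -> sorted mechanism list."""
    by_target = defaultdict(set)
    for mechanism, _key, _name, target in records:
        by_target[target.lower()].add(mechanism)
    return {t: sorted(m) for t, m in by_target.items() if len(m) > 1}


if __name__ == "__main__":
    found = shared_targets(parse_loading_points(SAMPLE_LOG))
    for target, mechanisms in found.items():
        print(f"{target}: loaded via {', '.join(mechanisms)}")
```

On the sample this reports only peuslnx.dll (BHO plus WinlogonNotify); egui.exe and ctfmon.exe appear under several Run keys but those are one mechanism, so they are not flagged.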

#9
May 10, 2009 at 08:44:14
Please download “Avenger” by swandog46 to your desktop from this link http://swandog46.geekstogo.com/avenger.zip

1. Click on Avenger.zip to open the file.
2. Extract avenger.exe to your desktop.

Copy all the text contained in the code box below between the X's to your Clipboard by highlighting it and pressing (Ctrl+C):
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Drivers to delete:
voimxisa
jxsygqyr

Files to delete:
c:\windows\system32\peuslnx.dll

Folders to delete:
c:\documents and settings\Cecilia\Local Settings\Application Data\jxsygqyr
c:\documents and settings\NetworkService\Application Data\jxsygqyr

Registry keys to delete:
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{07D9420B-3F5B-4ABA-86CD-9339D9F52C8B}
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\voimxisa

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
Click in the window labeled Input Script Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
Click the Execute button.
Answer "Yes" twice when prompted.

The Avenger will automatically do the following:
It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop; this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.



#10
May 10, 2009 at 09:02:02
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\voimxisa" not found!
Deletion of driver "voimxisa" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\jxsygqyr" not found!
Deletion of driver "jxsygqyr" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open file "c:\windows\system32\peuslnx.dll"
Deletion of file "c:\windows\system32\peuslnx.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)

Folder "c:\documents and settings\Cecilia\Local Settings\Application Data\jxsygqyr" deleted successfully.
Folder "c:\documents and settings\NetworkService\Application Data\jxsygqyr" deleted successfully.

Error: registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{07D9420B-3F5B-4ABA-86CD-9339D9F52C8B}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{07D9420B-3F5B-4ABA-86CD-9339D9F52C8B}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\voimxisa" for deletion
Deletion of registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\voimxisa" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Completed script processing.

*******************

Finished! Terminate.



#11
May 10, 2009 at 11:08:41
Looks better.

Please post a new Combofix log following the previous directions in response #3.



#12
May 10, 2009 at 14:36:58
Ok then. Here it goes:
ComboFix 09-05-09.05 - Cecilia 05/10/2009 17:26.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.602 [GMT -4:00]
Running from: c:\documents and settings\Cecilia\Desktop\toolb.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated)
FW: ESET Personal firewall *enabled*
.

((((((((((((((((((((((((( Files Created from 2009-04-10 to 2009-05-10 )))))))))))))))))))))))))))))))
.

2009-05-07 13:05 . 2009-05-07 13:05 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\ESET
2009-05-06 22:53 . 2009-05-06 22:53 -------- d-----w c:\documents and settings\Cecilia\Application Data\Malwarebytes
2009-05-06 22:53 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-06 22:53 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-06 22:53 . 2009-05-06 22:53 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-06 22:53 . 2009-05-06 22:53 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-06 20:45 . 2009-05-06 20:45 -------- d-----w c:\program files\Trend Micro
2009-05-06 16:44 . 2009-05-06 16:44 -------- d-----w c:\documents and settings\CeciliaPiriz\Local Settings\Application Data\ESET
2009-05-06 16:44 . 2009-05-06 16:44 -------- d-----w c:\documents and settings\CeciliaPiriz\Application Data\ESET
2009-05-06 16:44 . 2009-05-06 20:15 -------- d-----w c:\program files\ESET
2009-05-05 14:44 . 2009-05-05 14:44 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-05-05 14:43 . 2009-05-05 14:43 -------- d-----w c:\documents and settings\Cecilia\Application Data\ESET
2009-05-05 14:43 . 2009-05-05 14:43 -------- d-----w c:\documents and settings\Cecilia\Local Settings\Application Data\ESET
2009-05-05 14:41 . 2009-05-05 14:41 -------- d-----w c:\documents and settings\All Users\Application Data\ESET
2009-05-05 13:20 . 2009-05-05 13:20 -------- d-----w c:\program files\StartCop
2009-05-05 13:07 . 2009-05-05 13:07 -------- d--h--w c:\windows\system32\GroupPolicy
2009-05-05 02:45 . 2009-05-05 02:56 -------- d-----w c:\program files\Unlocker
2009-05-04 16:10 . 2009-05-05 02:39 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-05-04 14:08 . 2009-05-04 14:08 0 ----a-w c:\windows\nsreg.dat
2009-05-04 14:08 . 2009-05-04 14:08 -------- d-----w c:\documents and settings\Cecilia\Local Settings\Application Data\Mozilla
2009-05-01 17:02 . 2009-05-01 17:02 -------- d-----w c:\windows\Downloaded Installations
2009-05-01 14:15 . 2009-05-01 14:15 -------- d-----w c:\documents and settings\CeciliaPiriz\Application Data\Yahoo!
2009-05-01 14:15 . 2009-05-01 14:15 -------- d-----w c:\documents and settings\CeciliaPiriz\Local Settings\Application Data\Google
2009-05-01 13:47 . 2009-05-01 13:47 -------- d-----w c:\documents and settings\CeciliaPiriz\Application Data\Research In Motion
2009-05-01 13:45 . 2009-05-01 13:45 -------- d-----w c:\documents and settings\CeciliaPiriz\Application Data\InstallShield
2009-05-01 07:09 . 2009-05-01 07:09 -------- d-sh--w C:\found.000
2009-05-01 07:00 . 2009-05-01 07:00 -------- d-----w c:\program files\MSXML 4.0
2009-04-30 16:47 . 2009-05-06 16:19 -------- d-----w C:\QUARANTINE
2009-04-30 16:45 . 2009-04-30 16:45 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-04-30 15:38 . 2009-04-30 15:42 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-04-30 15:35 . 2009-04-30 15:35 -------- d-----w c:\documents and settings\LocalService\Application Data\Roxio
2009-04-30 15:35 . 2009-04-30 15:35 -------- d-----w c:\documents and settings\Cecilia\Application Data\Roxio
2009-04-30 15:25 . 2009-04-30 15:25 -------- d-----w c:\documents and settings\Cecilia\Application Data\InstallShield
2009-04-30 15:25 . 2009-04-30 15:25 -------- d-----w c:\documents and settings\All Users\Application Data\Sonic
2009-04-30 15:23 . 2009-04-30 15:38 -------- d-----w c:\documents and settings\All Users\Application Data\Roxio
2009-04-30 15:23 . 2009-04-30 15:23 -------- d-----w c:\program files\Roxio
2009-04-30 15:23 . 2009-04-30 15:24 -------- d-----w c:\program files\Common Files\Roxio Shared
2009-04-30 15:18 . 2007-01-18 14:24 26496 ----a-r c:\windows\system32\drivers\RimSerial.sys
2009-04-30 15:17 . 2009-04-30 15:17 -------- d-----w c:\program files\Research In Motion
2009-04-30 13:23 . 2009-05-05 13:13 256 ----a-w c:\windows\system32\pool.bin
2009-04-30 13:23 . 2009-04-30 13:23 -------- d-----w c:\documents and settings\Cecilia\Application Data\Research In Motion
2009-04-30 13:22 . 2009-04-30 15:17 -------- d-----w c:\program files\Common Files\Research In Motion
2009-04-29 15:30 . 2009-04-29 15:31 -------- d-----w C:\9be96c78a522f8d8d3dd0469
2009-04-24 13:31 . 2009-02-20 18:09 52224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
2009-04-24 13:31 . 2009-02-20 18:09 459264 -c----w c:\windows\system32\dllcache\msfeeds.dll
2009-04-24 13:31 . 2009-02-20 10:20 13824 -c----w c:\windows\system32\dllcache\ieudinit.exe
2009-04-24 13:31 . 2009-02-20 18:09 268288 -c----w c:\windows\system32\dllcache\iertutil.dll
2009-04-24 13:31 . 2009-02-20 18:09 6066176 -c----w c:\windows\system32\dllcache\ieframe.dll
2009-04-24 13:31 . 2009-02-20 18:09 383488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
2009-04-24 13:31 . 2008-07-09 14:25 2455488 -c----w c:\windows\system32\dllcache\ieapfltr.dat
2009-04-24 13:31 . 2009-02-20 18:09 63488 -c----w c:\windows\system32\dllcache\icardie.dll
2009-04-24 13:30 . 2009-04-24 13:31 -------- d-----w C:\562c8d6f493a28201758e604d9aa2d
2009-04-24 13:29 . 2009-04-24 13:30 -------- d-----w C:\03dac92d0daee9bc909c5e90
2009-04-23 13:11 . 2009-04-23 13:11 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-04-23 13:11 . 2009-05-06 19:39 -------- d-----w c:\documents and settings\Cecilia\Application Data\Skype
2009-04-23 13:10 . 2009-04-23 13:11 -------- d-----r c:\program files\Skype
2009-04-23 13:10 . 2009-04-23 13:11 -------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-04-21 15:48 . 2009-04-21 15:48 -------- d-----w c:\documents and settings\Cecilia\Application Data\Sonic
2009-04-21 15:48 . 2009-04-21 15:48 -------- d-----w c:\documents and settings\Cecilia\Application Data\Leadertech
2009-04-21 15:38 . 2009-04-21 15:38 -------- d-----w c:\documents and settings\All Users\Application Data\InstallShield
2009-04-21 15:37 . 2009-04-21 15:37 -------- d-----w c:\program files\Common Files\TiVo Shared
2009-04-21 15:34 . 2004-12-23 06:56 40544 ----a-w c:\windows\system32\drivers\drvnddm.sys
2009-04-21 15:34 . 2005-02-02 07:22 88080 ----a-w c:\windows\system32\drivers\drvmcdb.sys
2009-04-21 15:34 . 2004-12-02 15:04 5627 ----a-w c:\windows\system32\drivers\sscdbhk5.sys
2009-04-21 15:34 . 2004-12-02 15:04 23545 ----a-w c:\windows\system32\drivers\ssrtln.sys
2009-04-21 15:34 . 2005-03-16 09:33 61500 ----a-w c:\windows\system32\tfswapi.dll
2009-04-21 15:34 . 2005-03-16 09:33 98360 ----a-w c:\windows\dla.exe
2009-04-21 15:34 . 2009-04-21 15:42 -------- d-----w c:\windows\system32\dla
2009-04-21 15:34 . 2009-04-21 15:34 -------- d-----w c:\program files\Sonic
2009-04-21 15:33 . 2009-04-21 15:34 -------- d-----w c:\program files\Common Files\Sonic Shared
2009-04-16 19:47 . 2009-04-16 19:47 -------- d-----w c:\documents and settings\CeciliaPiriz\Local Settings\Application Data\Apple Computer
2009-04-16 00:32 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-10 13:01 . 2009-04-01 17:42 -------- d-----w c:\program files\LogMeIn
2009-05-08 16:11 . 2009-04-05 23:49 -------- d-----w c:\program files\BPSAtyro
2009-05-06 16:42 . 2009-04-02 14:45 87448 ----a-w c:\documents and settings\CeciliaPiriz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-30 16:18 . 2009-04-02 14:42 87448 ----a-w c:\documents and settings\Cecilia\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-30 15:18 . 2009-04-01 13:38 -------- d-----w c:\program files\Common Files\InstallShield
2009-04-23 13:11 . 2009-04-03 13:41 -------- d-----w c:\program files\Google
2009-04-09 19:21 . 2009-04-09 19:21 55768 ----a-w c:\windows\system32\drivers\epfwtdi.sys
2009-04-09 19:21 . 2009-04-09 19:21 33096 ----a-w c:\windows\system32\drivers\epfwndis.sys
2009-04-09 19:21 . 2009-04-09 19:21 133000 ----a-w c:\windows\system32\drivers\epfw.sys
2009-04-09 19:18 . 2009-04-09 19:18 107256 ----a-w c:\windows\system32\drivers\ehdrv.sys
2009-04-09 19:10 . 2009-04-09 19:10 113960 ----a-w c:\windows\system32\drivers\eamon.sys
2009-04-07 15:51 . 2009-04-07 15:51 -------- d-----w c:\program files\iTunes
2009-04-07 15:51 . 2009-04-07 15:51 -------- d-----w c:\program files\iPod
2009-04-07 15:51 . 2009-04-07 15:49 -------- d-----w c:\program files\Common Files\Apple
2009-04-07 15:51 . 2009-04-07 15:51 -------- d-----w c:\program files\Bonjour
2009-04-07 15:50 . 2009-04-07 15:50 -------- d-----w c:\program files\QuickTime
2009-04-07 15:50 . 2009-04-07 15:50 -------- d-----w c:\program files\Apple Software Update
2009-04-07 13:02 . 2009-04-07 13:01 -------- d-----w c:\program files\Yahoo!
2009-04-03 16:24 . 2009-04-03 16:24 -------- d-----w c:\program files\Common Files\ARTech
2009-04-03 14:19 . 2009-04-02 16:57 -------- d-----w c:\program files\RMAdmin
2009-04-02 16:17 . 2009-04-02 16:17 -------- d-----w c:\program files\Common Files\RDPrint
2009-04-02 16:17 . 2009-04-01 13:38 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-02 16:17 . 2009-04-02 16:17 -------- d-----w c:\program files\RDS
2009-04-02 16:17 . 2009-04-02 16:17 2255 ----a-w c:\windows\PmData.Dat
2009-04-02 15:02 . 2009-04-02 15:02 -------- d-----w c:\program files\Dell 720
2009-04-02 14:50 . 2009-04-02 14:45 92787 ----a-w c:\windows\hppins05.dat
2009-04-02 14:48 . 2009-04-02 14:46 -------- d-----w c:\program files\HP
2009-04-02 14:45 . 2009-04-02 14:45 -------- d-----w c:\program files\Common Files\SWF Studio
2009-04-02 13:48 . 2009-04-02 13:48 -------- d-----w c:\program files\Common Files\Adobe Systems Shared
2009-04-02 13:48 . 2009-04-02 13:45 -------- d-----w c:\program files\Common Files\Adobe
2009-04-01 17:37 . 2009-04-01 17:34 -------- d-----w c:\program files\Common Files\Intuit
2009-04-01 17:36 . 2009-04-01 17:36 -------- d-----w c:\program files\Common Files\AnswerWorks 4.0
2009-04-01 17:34 . 2009-04-01 17:34 -------- d-----w c:\program files\Intuit
2009-04-01 16:34 . 2009-04-01 16:34 -------- d-----w c:\program files\Common Files\L&H
2009-04-01 16:34 . 2009-04-01 16:34 -------- d-----w c:\program files\Microsoft.NET
2009-04-01 16:34 . 2009-04-01 16:34 -------- d-----w c:\program files\Microsoft ActiveSync
2009-04-01 16:33 . 2009-04-01 16:33 -------- d-----w c:\program files\Microsoft Works
2009-04-01 16:12 . 2009-04-01 16:08 -------- d-----w c:\program files\Intel
2009-04-01 16:01 . 2009-04-01 16:01 -------- d-----w c:\program files\SigmaTel
2009-04-01 14:18 . 2009-04-01 14:18 -------- d-----w c:\program files\Dell
2009-04-01 13:49 . 2009-04-01 13:22 87263 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-01 13:38 . 2009-04-01 13:38 -------- d-----w c:\program files\ATI Technologies
2009-04-01 13:23 . 2009-04-01 13:23 -------- d-----w c:\program files\microsoft frontpage
2009-04-01 13:23 . 2008-04-14 12:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-04-01 13:20 . 2009-04-01 13:20 21640 ----a-w c:\windows\system32\emptyregdb.dat
2009-03-19 20:32 . 2009-04-07 15:51 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-06 14:22 . 2008-04-14 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2008-04-14 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2008-04-14 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{07D9420B-3F5B-4ABA-86CD-9339D9F52C8B}]
2008-04-14 12:00 104960 ----a-w c:\windows\system32\peuslnx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-04-09 2029640]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 01:35 87352 ----a-w c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\voimxisa]
2008-04-14 12:00 104960 ----a-w c:\windows\system32\peuslnx.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"CTFMON.EXE"=c:\windows\system32\ctfmon.exe
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
"system tool"=c:\windows\sysguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
"SigmatelSysTrayApp"=stsystra.exe
"IAAnotif"=c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
"JobHisInit"=c:\program files\RDS\RMClient\JobHisInit.exe
"MplSetUp"=c:\program files\RDS\RMClient\MplSetUp.exe
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"dla"=c:\windows\system32\dla\tfswctrl.exe
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe"
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" /hide /waitservice

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 currbsob;currbsob;c:\windows\system32\drivers\currbsob.sys [4/14/2008 8:00 AM 23424]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [4/9/2009 3:18 PM 107256]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [4/9/2009 3:19 PM 731840]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 7:46 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [4/1/2009 1:43 PM 47640]
R3 NmPar;PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [12/24/2008 6:40 AM 80256]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [7/24/2008 7:45 PM 12192]
S0 cerc6;cerc6; [x]
S2 gupdate1c9c414f9fc42be;Google Update Service (gupdate1c9c414f9fc42be);c:\program files\Google\Update\GoogleUpdate.exe [4/23/2009 9:11 AM 133104]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30e43047-1def-11de-9672-806d6172696f}]
\Shell\AutoRun\command - E:\autoRcd.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-05-10 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-23 13:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} - hxxps://webmail.un.int/dwa8W.cab
FF - ProfilePath - c:\documents and settings\Cecilia\Application Data\Mozilla\Firefox\Profiles\zq5cefss.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-10 17:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(988)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2009-05-10 17:30
ComboFix-quarantined-files.txt 2009-05-10 21:30
ComboFix2.txt 2009-05-10 15:22
ComboFix3.txt 2009-05-08 21:30
ComboFix4.txt 2009-05-08 12:47

Pre-Run: 470,965,006,336 bytes free
Post-Run: 470,956,138,496 bytes free

247 --- E O F --- 2009-05-01 07:01



#13
May 10, 2009 at 16:04:16
This thing is stubborn. Please turn off your Eset antivirus before doing the following.

Click Start>Run. Copy & paste the following and click OK:

regsvr32.exe /U peuslnx.dll

You should get a message that it has been uninstalled successfully.

Next, open notepad (Start Menu > Run > type notepad and press "ok").

Copy and paste everything into notepad between the x's, making REGEDIT4 the top line.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{07D9420B-3F5B-4ABA-86CD-9339D9F52C8B}]
[-HKEY_CLASSES_ROOT\CLSID\{07D9420B-3F5B-4ABA-86CD-9339D9F52C8B}]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"system tool"=-
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Go to File on the top bar and choose "Save As". Change the "Save As Type" to All Files, name it Fix.reg, then save it to your desktop.

Double click Fix.reg (or right click and choose Merge) and it will ask if you want to merge the contents into the registry, choose Yes.

Restart the computer.

Run Malwarebytes > update it > run the short scan and post its log, please.


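The Fix.reg in the reply above is written in the REGEDIT4 format: a key line of the form [-KEY] deletes that key and every subkey beneath it, and a value line of the form "name"=- deletes a single value under the key named on the preceding key line. What follows is an added example, not code from this thread or from any of the tools it mentions: a small Python interpreter for exactly that subset, run against a constructed in-memory snapshot of the loading points the logs in this thread report. The snapshot uses the full key paths as the Malwarebytes log prints them; the InprocServer32 subkey under the CLSID and the DLLName value under the Winlogon Notify key are the standard locations for a COM server path and a Notify package path and are assumed here, as is the sample data. One point the example makes visible: the "~" in HKEY_LOCAL_MACHINE\~\Browser Helper Objects\... is ComboFix's abbreviation for the real parent path (the same ComboFix log writes HKLM\~\services\... for a key under a different branch), while regedit treats "~" as a literal key name, so that line of the file as posted matches nothing in a real registry.

```python
import re

# Constructed in-memory stand-in for the loading points the thread's logs report,
# using the full paths the Malwarebytes log prints. key -> {value_name: data};
# "" is the default value. Sample data for this example, not a real registry.
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
           r"\Browser Helper Objects\{07D9420B-3F5B-4ABA-86CD-9339D9F52C8B}")
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID\{07D9420B-3F5B-4ABA-86CD-9339D9F52C8B}"
NOTIFY_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
              r"\Winlogon\Notify\voimxisa")
RUN_DISABLED_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run-"

SNAPSHOT = {
    BHO_KEY: {},
    CLSID_KEY: {"": "peuslnx"},
    # InprocServer32 / DLLName locations are assumed (standard COM and Notify layout).
    CLSID_KEY + r"\InprocServer32": {"": r"c:\windows\system32\peuslnx.dll"},
    NOTIFY_KEY: {"DLLName": r"c:\windows\system32\peuslnx.dll"},
    RUN_DISABLED_KEY: {
        "system tool": r"c:\windows\sysguard.exe",
        "swg": r"c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe",
    },
}

# The fix file exactly as posted in the reply above.
FIX_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{07D9420B-3F5B-4ABA-86CD-9339D9F52C8B}]
[-HKEY_CLASSES_ROOT\CLSID\{07D9420B-3F5B-4ABA-86CD-9339D9F52C8B}]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"system tool"=-
"""

KEY_LINE = re.compile(r"^\[(-?)([^\]]+)\]$")
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _find_key(reg, name):
    """Registry key names are case-insensitive; return the stored spelling or None."""
    for k in reg:
        if k.lower() == name.lower():
            return k
    return None


def apply_reg(snapshot, text):
    """Apply the REGEDIT4 subset used by Fix.reg to a copy of snapshot; return the copy."""
    reg = {k: dict(v) for k, v in snapshot.items()}
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("missing REGEDIT4 header line")
    current = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_LINE.match(line)
        if m:
            delete, name = m.group(1) == "-", m.group(2)
            if delete:
                # [-KEY] removes the key and everything beneath it (literal name match).
                for k in list(reg):
                    if k.lower() == name.lower() or k.lower().startswith(name.lower() + "\\"):
                        del reg[k]
                current = None
            else:
                current = _find_key(reg, name) or name
                reg.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if not m or current is None:
            raise ValueError("unsupported line: " + line)
        vname, data = (m.group(1) or ""), m.group(2)
        stored = next((v for v in reg[current] if v.lower() == vname.lower()), vname)
        if data == "-":
            reg[current].pop(stored, None)  # "name"=- deletes one value
        elif data.startswith('"') and data.endswith('"'):
            reg[current][stored] = data[1:-1].replace("\\\\", "\\")  # REG_SZ
        else:
            raise ValueError("unsupported data: " + data)
    return reg


def references_to(reg, needle):
    """Keys whose values still mention needle (case-insensitive), sorted."""
    return sorted(k for k, vals in reg.items()
                  if any(needle.lower() in str(d).lower() for d in vals.values()))


def key_present(reg, name):
    return _find_key(reg, name) is not None


if __name__ == "__main__":
    after = apply_reg(SNAPSHOT, FIX_REG)
    print("CLSID key removed:", not key_present(after, CLSID_KEY))
    print("BHO key removed:", not key_present(after, BHO_KEY))
    print("'system tool' removed:", "system tool" not in after[RUN_DISABLED_KEY])
    print("peuslnx.dll still referenced from:", references_to(after, "peuslnx.dll"))
```

Run against this snapshot, the merge removes the CLSID key with its InprocServer32 subkey and the disabled "system tool" value, leaves the BHO key in place because the "~" path never matches, and never touches the Winlogon Notify key, which the file does not name. That last point lines up with the second Malwarebytes log posted later in the thread, which still lists Winlogon\Notify\voimxisa after the merge.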

#14
May 10, 2009 at 18:35:58
I did the first instruction:
Click Start>Run. Copy & paste the following and click OK:

regsvr32.exe /U peuslnx.dll

and it says:

"peuslnx.dll" is not an executable file and no registration helper is registered for this type of file.

This is probably a challenge for you. Thank you.



#15
May 10, 2009 at 19:00:45
Please continue to the second part then post the Malwarebytes log.



#16
May 10, 2009 at 19:01:13
I don't know if I should have done this, but, after the unsuccessful regsvr32.exe /U peuslnx.dll, I did the fix.reg and after that I ran Malwarebytes as you said. This is the log:
Malwarebytes' Anti-Malware 1.36
Database version: 2106
Windows 5.1.2600 Service Pack 3

5/10/2009 9:50:20 PM
mbam-log-2009-05-10 (21-50-20).txt

Scan type: Quick Scan
Objects scanned: 89135
Time elapsed: 4 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07d9420b-3f5b-4aba-86cd-9339d9f52c8b} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\voimxisa (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{07d9420b-3f5b-4aba-86cd-9339d9f52c8b} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\peuslnx.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wwfcluok.dll (Trojan.Vundo) -> Delete on reboot.


AND A SECOND MALWAREBYTES:

Malwarebytes' Anti-Malware 1.36
Database version: 2106
Windows 5.1.2600 Service Pack 3

5/10/2009 10:00:48 PM
mbam-log-2009-05-10 (22-00-48).txt

Scan type: Quick Scan
Objects scanned: 89026
Time elapsed: 4 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07d9420b-3f5b-4aba-86cd-9339d9f52c8b} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\voimxisa (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{07d9420b-3f5b-4aba-86cd-9339d9f52c8b} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\peuslnx.dll (Trojan.Vundo.H) -> Delete on reboot.



#17
May 15, 2009 at 06:58:56
Any ideas?


#18
May 15, 2009 at 20:23:57
There is a file or two hiding from us.

Download OTScanIt2 to your Desktop from the following link:

OTScanIt2 by oldtimer

Double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.

1. Double click on OTScanIt2.exe to run it.
2. Click on Extract. Once done, when prompted, click OK and click Close.
This is a self-extracting file...It will create a folder named OTScanIt2 on your desktop.
3. Double click on the OTScanIt2 folder to open... then double click on OTScanIt2.exe to run it.
4. Under Rootkit Search, select Yes.
5. Click on Run Scan at the top left hand corner. It may take a few minutes...be patient, let it run.
When done, Notepad will open with the log file "OTScanIt.Txt" contents.
6. Please post the contents of the OTScanIt.Txt Notepad file in your next reply.



#19
May 16, 2009 at 09:37:22
I don't know if it's because the file is too big (1629KB), but I can't post it. I will back up My Documents and delete them from the computer, and I will run it again on Monday.


#20
May 16, 2009 at 11:19:47
It may take a post or two to get the entire log posted.


#21
May 18, 2009 at 06:43:21
The original file had (according to MS Word) 29395 lines. I am trying to post 2660, and I need to post it in more than one post.

FIRST PART:

OTScanIt2 logfile created on: 5/16/2009 11:46:29 AM - Run 1
OTScanIt2 by OldTimer - Version 1.0.14.0 Folder = C:\Documents and Settings\Cecilia\Desktop\OTScanIt2
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.09 Mb Total Physical Memory | 457.93 Mb Available Physical Memory | 44.80% Memory free
2.40 Gb Paging File | 1.98 Gb Available in Paging File | 82.58% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 436.06 Gb Free Space | 93.62% Space Free | Partition Type: NTFS
Unable to calculate disk information.
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PIRIZ
Current User Name: Cecilia
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days

[Processes - Safe List]
applemobiledeviceservice.exe -> %CommonProgramFiles%\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -> [2009/03/26 15:31:20 | 00,132,424 | ---- | M] (Apple Inc.)
ati2evxx.exe -> %SystemRoot%\system32\Ati2evxx.exe -> [2005/08/04 00:02:58 | 00,380,928 | ---- | M] (ATI Technologies Inc.)
egui.exe -> %ProgramFiles%\ESET\ESET Smart Security\egui.exe -> [2009/04/09 15:17:56 | 02,029,640 | ---- | M] (ESET)
ekrn.exe -> %ProgramFiles%\ESET\ESET Smart Security\ekrn.exe -> [2009/04/09 15:19:08 | 00,731,840 | ---- | M] (ESET)
explorer.exe -> %SystemRoot%\Explorer.EXE -> [2008/04/14 08:00:00 | 01,033,728 | ---- | M] (Microsoft Corporation)
firefox.exe -> %ProgramFiles%\Mozilla Firefox\firefox.exe -> [2009/04/24 00:38:11 | 00,307,704 | ---- | M] (Mozilla Corporation)
googleupdate.exe -> %ProgramFiles%\Google\Update\GoogleUpdate.exe -> [2009/04/23 09:11:05 | 00,133,104 | ---- | M] (Google Inc.)
iaantmon.exe -> %ProgramFiles%\Intel\Intel Matrix Storage Manager\Iaantmon.exe -> [2006/07/06 08:14:30 | 00,090,112 | ---- | M] (Intel Corporation)
lexbces.exe -> %SystemRoot%\system32\LEXBCES.EXE -> [2004/03/04 12:30:48 | 00,311,296 | ---- | M] (Lexmark International, Inc.)
lexpps.exe -> %SystemRoot%\system32\LEXPPS.EXE -> [2004/03/04 12:26:20 | 00,174,592 | ---- | M] (Lexmark International, Inc.)
lmiguardian.exe -> %ProgramFiles%\LogMeIn\x86\LMIGuardian.exe -> [2008/10/16 21:35:24 | 00,087,360 | ---- | M] (LogMeIn, Inc.)
lmiguardian.exe -> %ProgramFiles%\LogMeIn\x86\LMIGuardian.exe -> [2008/10/16 21:35:24 | 00,087,360 | ---- | M] (LogMeIn, Inc.)
lmiguardian.exe -> %ProgramFiles%\LogMeIn\x86\LMIGuardian.exe -> [2008/10/16 21:35:24 | 00,087,360 | ---- | M] (LogMeIn, Inc.)
logmein.exe -> %ProgramFiles%\LogMeIn\x86\LogMeIn.exe -> [2008/07/24 19:46:10 | 00,063,040 | ---- | M] (LogMeIn, Inc.)
logmein.exe -> %ProgramFiles%\LogMeIn\x86\LogMeIn.exe -> [2008/07/24 19:46:10 | 00,063,040 | ---- | M] (LogMeIn, Inc.)
logmeinsystray.exe -> %ProgramFiles%\LogMeIn\x86\LogMeInSystray.exe -> [2008/07/24 19:46:10 | 00,063,048 | ---- | M] (LogMeIn, Inc.)
mdm.exe -> %CommonProgramFiles%\Microsoft Shared\VS7DEBUG\MDM.EXE -> [2003/06/19 23:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation)
mdnsresponder.exe -> %ProgramFiles%\Bonjour\mDNSResponder.exe -> [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.)
mediahub.exe -> %CommonProgramFiles%\Sonic Shared\Sonic Central\Main\Mediahub.exe -> [2005/04/18 02:01:00 | 02,293,760 | ---- | M] ()
otscanit2.exe -> %UserProfile%\Desktop\OTScanIt2\OTScanIt2.exe -> [2009/04/11 16:32:52 | 00,494,080 | ---- | M] (OldTimer Tools)
ramaint.exe -> %ProgramFiles%\LogMeIn\x86\RaMaint.exe -> [2008/10/16 21:35:28 | 00,116,032 | ---- | M] (LogMeIn, Inc.)
wdfmgr.exe -> %SystemRoot%\system32\wdfmgr.exe -> [2005/01/28 13:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation)
ymsgr_tray.exe -> %ProgramFiles%\Yahoo!\Messenger\Ymsgr_tray.exe -> [2009/03/18 18:50:30 | 00,079,088 | ---- | M] (Yahoo! Inc.)

[Win32 Services - Safe List]
(Adobe LM Service) Adobe LM Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Adobe Systems Shared\Service\Adobelmsvc.exe -> [2009/04/02 09:48:19 | 00,069,632 | ---- | M] (Adobe Systems)
(Apple Mobile Device) Apple Mobile Device [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -> [2009/03/26 15:31:20 | 00,132,424 | ---- | M] (Apple Inc.)
(aspnet_state) ASP.NET State Service [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -> [2005/09/23 07:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation)
(Ati HotKey Poller) Ati HotKey Poller [Win32_Own | Auto | Running] -> %SystemRoot%\system32\Ati2evxx.exe -> [2005/08/04 00:02:58 | 00,380,928 | ---- | M] (ATI Technologies Inc.)
(ATI Smart) ATI Smart [Win32_Own | Auto | Stopped] -> %SystemRoot%\system32\ati2sgag.exe -> [2005/08/05 22:05:00 | 00,516,096 | ---- | M] ()
(Bonjour Service) Bonjour Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Bonjour\mDNSResponder.exe -> [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.)
(clr_optimization_v2.0.50727_32) .NET Runtime Optimization Service v2.0.50727_X86 [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -> [2005/09/23 07:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation)
(EhttpSrv) ESET HTTP Server [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\ESET\ESET Smart Security\EHttpSrv.exe -> [2009/04/09 15:29:20 | 00,020,680 | ---- | M] (ESET)
(ekrn) ESET Service [Win32_Own | Auto | Running] -> %ProgramFiles%\ESET\ESET Smart Security\ekrn.exe -> [2009/04/09 15:19:08 | 00,731,840 | ---- | M] (ESET)
(gupdate1c9c414f9fc42be) Google Update Service (gupdate1c9c414f9fc42be) [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Google\Update\GoogleUpdate.exe -> [2009/04/23 09:11:05 | 00,133,104 | ---- | M] (Google Inc.)
(gusvc) Google Software Updater [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> [2009/04/30 11:18:34 | 00,182,768 | ---- | M] (Google)
(helpsvc) Help and Support [Win32_Shared | Auto | Running] -> %SystemRoot%\PCHealth\HelpCtr\Binaries\pchsvc.dll -> [2008/04/14 08:00:00 | 00,038,400 | ---- | M] (Microsoft Corporation)
(IAANTMON) Intel(R) Matrix Storage Event Monitor [Win32_Own | Auto | Running] -> %ProgramFiles%\Intel\Intel Matrix Storage Manager\Iaantmon.exe -> [2006/07/06 08:14:30 | 00,090,112 | ---- | M] (Intel Corporation)
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\1050\Intel 32\IDriverT.exe -> [2004/10/22 03:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation)
(iPod Service) iPod Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\iPod\bin\iPodService.exe -> [2009/04/02 16:10:56 | 00,656,168 | ---- | M] (Apple Inc.)
(LexBceS) LexBce Server [Win32_Own | Auto | Running] -> %SystemRoot%\system32\LEXBCES.EXE -> [2004/03/04 12:30:48 | 00,311,296 | ---- | M] (Lexmark International, Inc.)
(LMIMaint) LogMeIn Maintenance Service [Win32_Own | Auto | Running] -> %ProgramFiles%\LogMeIn\x86\RaMaint.exe -> [2008/10/16 21:35:28 | 00,116,032 | ---- | M] (LogMeIn, Inc.)
(LogMeIn) LogMeIn [Win32_Own | Auto | Running] -> %ProgramFiles%\LogMeIn\x86\LogMeIn.exe -> [2008/07/24 19:46:10 | 00,063,040 | ---- | M] (LogMeIn, Inc.)
(MDM) Machine Debug Manager [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Microsoft Shared\VS7DEBUG\MDM.EXE -> [2003/06/19 23:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation)
(ose) Office Source Engine [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Microsoft Shared\Source Engine\OSE.EXE -> [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation)
(Roxio UPnP Renderer 9) Roxio UPnP Renderer 9 [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe -> [2007/12/06 23:20:56 | 00,088,560 | ---- | M] (Sonic Solutions)
(Roxio Upnp Server 9) Roxio Upnp Server 9 [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Roxio\Digital Home 9\RoxioUpnpService9.exe -> [2007/12/06 23:20:52 | 00,362,992 | ---- | M] (Sonic Solutions)
(RoxLiveShare9) LiveShare P2P Server 9 [Win32_Own | Auto | Stopped] -> %CommonProgramFiles%\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe -> [2008/06/26 12:23:06 | 00,313,840 | ---- | M] (Sonic Solutions)
(RoxMediaDB9) RoxMediaDB9 [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe -> [2008/06/26 12:22:44 | 01,108,464 | ---- | M] (Sonic Solutions)
(RoxWatch9) Roxio Hard Drive Watcher 9 [Win32_Own | Auto | Stopped] -> %CommonProgramFiles%\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe -> [2008/06/26 12:23:02 | 00,170,480 | ---- | M] (Sonic Solutions)
(UMWdf) Windows User Mode Driver Framework [Win32_Own | Auto | Running] -> %SystemRoot%\system32\wdfmgr.exe -> [2005/01/28 13:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation)



#22
May 18, 2009 at 06:47:25
SECOND PART:

[Driver Services - Safe List]
(ati2mtag) ati2mtag [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\ati2mtag.sys -> [2005/08/04 00:10:18 | 01,273,344 | ---- | M] (ATI Technologies Inc.)
(currbsob) currbsob [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\currbsob.sys -> [2008/04/14 08:00:00 | 00,023,424 | ---- | M] (Microsoft Corporation)
(drvmcdb) drvmcdb [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\drvmcdb.sys -> [2005/02/02 03:22:00 | 00,088,080 | ---- | M] (Sonic Solutions)
(drvnddm) drvnddm [File_System | Auto | Running] -> %SystemRoot%\system32\drivers\drvnddm.sys -> [2004/12/23 02:56:00 | 00,040,544 | ---- | M] (Sonic Solutions)
(e1express) Intel(R) PRO/1000 PCI Express Network Connection Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\e1e5132.sys -> [2005/03/31 18:04:52 | 00,180,736 | ---- | M] (Intel Corporation)
(eamon) eamon [File_System | Auto | Running] -> %SystemRoot%\system32\DRIVERS\eamon.sys -> [2009/04/09 15:10:30 | 00,113,960 | ---- | M] (ESET)
(ehdrv) ehdrv [Kernel | System | Running] -> %SystemRoot%\system32\DRIVERS\ehdrv.sys -> [2009/04/09 15:18:02 | 00,107,256 | ---- | M] (ESET)
(epfw) epfw [Kernel | Auto | Running] -> %SystemRoot%\system32\DRIVERS\epfw.sys -> [2009/04/09 15:21:06 | 00,133,000 | ---- | M] (ESET)
(Epfwndis) Eset Personal Firewall [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\Epfwndis.sys -> [2009/04/09 15:21:10 | 00,033,096 | ---- | M] (ESET)
(epfwtdi) epfwtdi [Kernel | System | Running] -> %SystemRoot%\system32\DRIVERS\epfwtdi.sys -> [2009/04/09 15:21:12 | 00,055,768 | ---- | M] (ESET)
(GEARAspiWDM) GEAR ASPI Filter Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\GEARAspiWDM.sys -> [2009/03/19 16:32:48 | 00,023,400 | ---- | M] (GEAR Software Inc.)
(HDAudBus) Microsoft UAA Bus Driver for High Definition Audio [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\HDAudBus.sys -> [2008/04/14 08:00:00 | 00,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider)
(HPFXBULK) HPFXBULK [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\hpfxbulk.sys -> [2006/05/05 08:51:40 | 00,009,344 | ---- | M] (Hewlett Packard)
(iastor) Intel AHCI Controller [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\iastor.sys -> [2006/07/06 07:59:42 | 00,246,784 | ---- | M] (Intel Corporation)
(LMIInfo) LogMeIn Kernel Information Provider [Kernel | Auto | Running] -> %ProgramFiles%\LogMeIn\x86\RaInfo.sys -> [2008/07/24 19:46:12 | 00,012,856 | ---- | M] (LogMeIn, Inc.)
(lmimirr) lmimirr [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\lmimirr.sys -> [2008/07/24 19:45:20 | 00,010,144 | ---- | M] (LogMeIn, Inc.)
(LMIRfsClientNP) LMIRfsClientNP [File_System | Disabled | Stopped] -> %SystemRoot%\System32\LMIRfsClientNP.dll -> [2008/10/16 21:35:58 | 00,083,288 | ---- | M] (LogMeIn, Inc.)
(LMIRfsDriver) LogMeIn Remote File System Driver [File_System | Auto | Running] -> %SystemRoot%\system32\drivers\LMIRfsDriver.sys -> [2008/07/24 19:46:10 | 00,047,640 | ---- | M] (LogMeIn, Inc.)
(mf) mf [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\mf.sys -> [2008/04/14 01:06:42 | 00,063,744 | ---- | M] (Microsoft Corporation)
(NmPar) PCI Parallel Port [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\NmPar.sys -> [2008/12/24 06:40:12 | 00,080,256 | ---- | M] (Windows (R) 2000 DDK provider)
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\ptilink.sys -> [2008/04/14 08:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.)
(PxHelp20) PxHelp20 [Kernel | Boot | Running] -> %SystemRoot%\System32\Drivers\PxHelp20.sys -> [2007/05/01 03:00:00 | 00,043,528 | ---- | M] (Sonic Solutions)
(radpms) Driver for RADPMS Device [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\radpms.sys -> [2008/07/24 19:45:20 | 00,012,192 | ---- | M] (LogMeIn, Inc.)
(RimUsb) BlackBerry Smartphone [Kernel | On_Demand | Stopped] -> %SystemRoot%\System32\Drivers\RimUsb.sys -> [2008/05/20 19:33:50 | 00,022,784 | ---- | M] (Research In Motion Limited)
(RimVSerPort) RIM Virtual Serial Port v2 [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\RimSerial.sys -> [2007/01/18 10:24:58 | 00,026,496 | R--- | M] (Research in Motion Ltd)
(ROOTMODEM) Microsoft Legacy Modem Driver [Kernel | On_Demand | Running] -> %SystemRoot%\System32\Drivers\RootMdm.sys -> [2008/04/14 08:00:00 | 00,005,888 | ---- | M] (Microsoft Corporation)
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\secdrv.sys -> [2008/04/14 08:00:00 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
(sscdbhk5) sscdbhk5 [File_System | System | Running] -> %SystemRoot%\system32\drivers\sscdbhk5.sys -> [2004/12/02 11:04:20 | 00,005,627 | ---- | M] (Sonic Solutions)
(ssrtln) ssrtln [File_System | System | Running] -> %SystemRoot%\system32\drivers\ssrtln.sys -> [2004/12/02 11:04:10 | 00,023,545 | ---- | M] (Sonic Solutions)
(STHDA) SigmaTel High Definition Audio CODEC [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\sthda.sys -> [2005/11/16 16:36:00 | 01,047,816 | ---- | M] (SigmaTel, Inc.)
(tfsnboio) tfsnboio [File_System | Auto | Running] -> %SystemRoot%\system32\dla\tfsnboio.sys -> [2005/03/16 05:33:00 | 00,025,725 | ---- | M] (Sonic Solutions)
(tfsncofs) tfsncofs [File_System | Auto | Running] -> %SystemRoot%\system32\dla\tfsncofs.sys -> [2005/03/16 05:33:00 | 00,034,845 | ---- | M] (Sonic Solutions)
(tfsndrct) tfsndrct [File_System | Auto | Running] -> %SystemRoot%\system32\dla\tfsndrct.sys -> [2005/03/16 05:33:00 | 00,004,125 | ---- | M] (Sonic Solutions)
(tfsndres) tfsndres [File_System | Auto | Running] -> %SystemRoot%\system32\dla\tfsndres.sys -> [2005/03/16 05:33:00 | 00,002,241 | ---- | M] (Sonic Solutions)
(tfsnifs) tfsnifs [File_System | Auto | Running] -> %SystemRoot%\system32\dla\tfsnifs.sys -> [2005/03/16 05:33:00 | 00,086,684 | ---- | M] (Sonic Solutions)
(tfsnopio) tfsnopio [File_System | Auto | Running] -> %SystemRoot%\system32\dla\tfsnopio.sys -> [2005/03/16 05:33:00 | 00,014,877 | ---- | M] (Sonic Solutions)
(tfsnpool) tfsnpool [File_System | Auto | Running] -> %SystemRoot%\system32\dla\tfsnpool.sys -> [2005/03/16 05:33:00 | 00,006,365 | ---- | M] (Sonic Solutions)
(tfsnudf) tfsnudf [File_System | Auto | Running] -> %SystemRoot%\system32\dla\tfsnudf.sys -> [2005/03/16 05:33:00 | 00,098,716 | ---- | M] (Sonic Solutions)
(tfsnudfa) tfsnudfa [File_System | Auto | Running] -> %SystemRoot%\system32\dla\tfsnudfa.sys -> [2005/03/16 05:33:00 | 00,100,605 | ---- | M] (Sonic Solutions)

[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> ->
HKEY_LOCAL_MACHINE\: Main\\"Default_Page_URL" -> http://go.microsoft.com/fwlink/?Lin... ->
HKEY_LOCAL_MACHINE\: Main\\"Default_Search_URL" -> http://go.microsoft.com/fwlink/?Lin... ->
HKEY_LOCAL_MACHINE\: Main\\"Default_Secondary_Page_URL" -> Reg Error: Invalid data type. ->
HKEY_LOCAL_MACHINE\: Main\\"Extensions Off Page" -> about:NoAdd-ons ->
HKEY_LOCAL_MACHINE\: Main\\"Local Page" -> %SystemRoot%\system32\blank.htm ->
HKEY_LOCAL_MACHINE\: Main\\"Search Page" -> http://go.microsoft.com/fwlink/?Lin... ->
HKEY_LOCAL_MACHINE\: Main\\"Security Risk Page" -> about:SecurityRisk ->
HKEY_LOCAL_MACHINE\: Main\\"Start Page" -> http://go.microsoft.com/fwlink/?Lin... ->
HKEY_LOCAL_MACHINE\: Search\\"CustomizeSearch" -> http://ie.search.msn.com/{SUB_RFC17... ->
HKEY_LOCAL_MACHINE\: Search\\"CustomSearch" -> http://us.rd.yahoo.com/customize/ie... ->
HKEY_LOCAL_MACHINE\: Search\\"SearchAssistant" -> http://ie.search.msn.com/{SUB_RFC17... ->
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> ->
HKEY_CURRENT_USER\: Main\\"Local Page" -> C:\WINDOWS\system32\blank.htm ->
HKEY_CURRENT_USER\: Main\\"Search Page" -> http://www.microsoft.com/isapi/redi... ->
HKEY_CURRENT_USER\: Main\\"SearchMigratedDefaultName" -> Yahoo! Search ->
HKEY_CURRENT_USER\: Main\\"SearchMigratedDefaultURL" -> http://search.yahoo.com/search?p={s... ->
HKEY_CURRENT_USER\: Main\\"Start Page" -> http://www.yahoo.com/ ->
HKEY_CURRENT_USER\: SearchURL\\"" -> http://us.rd.yahoo.com/customize/ie... ->
HKEY_CURRENT_USER\: URLSearchHooks\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn0\yt.dll [Yahoo! Toolbar] -> [2008/07/28 06:47:40 | 00,882,416 | ---- | M] (Yahoo! Inc.)
HKEY_CURRENT_USER\: "ProxyEnable" -> 0 ->
HKEY_CURRENT_USER\: "ProxyOverride" -> *.local ->
< FireFox Settings [Prefs.js] > -> C:\Documents and Settings\Cecilia\Application Data\Mozilla\FireFox\Profiles\zq5cefss.default\prefs.js ->
browser.search.defaultenginename -> "Yahoo" ->
browser.search.defaulturl -> "http://search.yahoo.com/search?fr=ffsp1&p=" ->
browser.search.selectedEngine -> "Yahoo" ->
browser.startup.homepage -> "http://www.yahoo.com/" ->
extensions.enabledItems -> LogMeInClient@logmein.com:1.0.0.406 ->
extensions.enabledItems -> {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.6.5.200812101546 ->
extensions.enabledItems -> {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.10 ->
keyword.URL -> "http://search.yahoo.com/search?fr=ffds1&p=" ->
< FireFox Settings [User.js] > -> C:\Documents and Settings\Cecilia\Application Data\Mozilla\FireFox\Profiles\zq5cefss.default\user.js ->
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\Extensions -> ->
HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions -> ->
HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Components -> %ProgramFiles%\MOZILLA FIREFOX\COMPONENTS [C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS] -> [2009/05/04 10:08:20 | 00,000,000 | ---D | M]
HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Plugins -> %ProgramFiles%\MOZILLA FIREFOX\PLUGINS [C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS] -> [2009/05/15 03:03:57 | 00,000,000 | ---D | M]
HKLM\software\mozilla\Thunderbird\Extensions -> ->
HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com -> C:\PROGRAM FILES\ESET\ESET SMART SECURITY\MOZILLA THUNDERBIRD ->
< FireFox Extensions [User Folders] > ->
-> C:\Documents and Settings\Cecilia\Application Data\mozilla\Extensions -> [2009/05/04 10:08:20 | 00,000,000 | ---D | M]
-> C:\Documents and Settings\Cecilia\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384} -> [2009/05/04 10:08:20 | 00,000,000 | ---D | M]
-> C:\Documents and Settings\Cecilia\Application Data\mozilla\Firefox\Profiles\zq5cefss.default\extensions -> [2009/05/15 12:19:23 | 00,097,675 | ---- | M] ()
-> C:\Documents and Settings\Cecilia\Application Data\mozilla\Firefox\Profiles\zq5cefss.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1} -> [2009/05/15 12:19:23 | 00,097,675 | ---- | M] ()
-> C:\Documents and Settings\Cecilia\Application Data\mozilla\Firefox\Profiles\zq5cefss.default\extensions\LogMeInClient@logmein.com -> [2009/05/15 12:19:23 | 00,097,675 | ---- | M] ()
< FireFox Extensions [Program Folders] > ->
-> C:\PROGRAM FILES\MOZILLA FIREFOX\extensions -> [2009/04/24 00:38:29 | 09,756,664 | ---- | M] (Mozilla Foundation)
-> C:\PROGRAM FILES\MOZILLA FIREFOX\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} -> [2009/04/24 00:38:29 | 09,756,664 | ---- | M] (Mozilla Foundation)
< FireFox Components [Program Folders] > ->
C:\PROGRAM FILES\MOZILLA FIREFOX\components\ -> C:\PROGRAM FILES\MOZILLA FIREFOX\components -> [2009/05/04 10:08:20 | 00,000,000 | ---D | M]
browserdirprovider.dll -> C:\PROGRAM FILES\MOZILLA FIREFOX\components\browserdirprovider.dll -> [2009/04/24 00:38:30 | 00,023,032 | ---- | M] (Mozilla Foundation)
brwsrcmp.dll -> C:\PROGRAM FILES\MOZILLA FIREFOX\components\brwsrcmp.dll -> [2009/04/24 00:38:32 | 00,134,648 | ---- | M] (Mozilla Foundation)
< FireFox Plugins [Program Folders] > ->
C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\ -> C:\PROGRAM FILES\MOZILLA FIREFOX\plugins -> [2009/05/15 03:03:57 | 00,000,000 | ---D | M]
npnul32.dll -> C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\npnul32.dll -> [2009/04/24 00:38:33 | 00,065,528 | ---- | M] (mozilla.org)
NPOFFICE.DLL -> C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\NPOFFICE.DLL -> [2007/03/22 19:23:30 | 00,017,248 | ---- | M] (Microsoft Corporation)
< FireFox SearchPlugins [Program Folders] > ->
C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\ -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins -> [2009/05/04 10:08:16 | 00,000,000 | ---D | M]
amazondotcom.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\amazondotcom.xml -> [2009/04/23 20:39:08 | 00,001,394 | ---- | M] ()
answers.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\answers.xml -> [2009/04/23 20:39:08 | 00,002,193 | ---- | M] ()
creativecommons.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\creativecommons.xml -> [2009/04/23 20:39:08 | 00,001,534 | ---- | M] ()
eBay.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\eBay.xml -> [2009/04/23 20:39:08 | 00,002,343 | ---- | M] ()
google.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\google.xml -> [2009/04/23 20:39:08 | 00,001,706 | ---- | M] ()
wikipedia.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\wikipedia.xml -> [2009/04/23 20:39:08 | 00,001,178 | ---- | M] ()
yahoo.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\yahoo.xml -> [2009/04/23 20:39:08 | 00,000,792 | ---- | M] ()
< HOSTS File > (27 bytes and 1 lines) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
Reset Hosts
127.0.0.1 localhost
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn0\yt.dll [&Yahoo! Toolbar Helper] -> [2008/07/28 06:47:40 | 00,882,416 | ---- | M] (Yahoo! Inc.)
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [AcroIEHlprObj Class] -> [2004/12/14 02:56:50 | 00,063,136 | ---- | M] (Adobe Systems Incorporated)
{07D9420B-3F5B-4ABA-86CD-9339D9F52C8B} [HKLM] -> %SystemRoot%\system32\peuslnx.dll [Reg Error: Value error.] -> [2008/04/14 08:00:00 | 00,104,960 | ---- | M] ()
{5CA3D70E-1895-11CF-8E15-001234567890} [HKLM] -> %SystemRoot%\system32\dla\tfswshx.dll [DriveLetterAccess] -> [2005/03/16 05:33:00 | 00,118,844 | ---- | M] (Sonic Solutions)
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKLM] -> %ProgramFiles%\Google\Google Toolbar\GoogleToolbar.dll [Google Toolbar Helper] -> [2009/04/30 08:58:12 | 00,259,696 | ---- | M] (Google Inc.)
{AE7CD045-E861-484f-8273-0445EE161910} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [AcroIEToolbarHelper Class] -> [2004/12/14 03:13:40 | 00,225,280 | ---- | M] (Adobe Systems Incorporated)
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} [HKLM] -> %ProgramFiles%\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll [Google Toolbar Notifier BHO] -> [2009/04/03 12:30:24 | 00,668,656 | ---- | M] (Google Inc.)
{C84D72FE-E17D-4195-BB24-76C02E2E7C4E} [HKLM] -> %ProgramFiles%\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll [Google Dictionary Compression sdch] -> [2009/04/30 08:58:11 | 00,470,512 | ---- | M] (Google Inc.)
{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll [SingleInstance Class] -> [2008/07/28 06:47:42 | 00,160,496 | ---- | M] (Yahoo! Inc)
otro [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" [HKLM] -> %ProgramFiles%\Google\Google Toolbar\GoogleToolbar.dll [Google Toolbar] -> [2009/04/30 08:58:12 | 00,259,696 | ---- | M] (Google Inc.)
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> [2004/12/14 03:13:40 | 00,225,280 | ---- | M] (Adobe Systems Incorporated)
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn0\yt.dll [Yahoo! Toolbar] -> [2008/07/28 06:47:40 | 00,882,416 | ---- | M] (Yahoo! Inc.)
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> %ProgramFiles%\Google\Google Toolbar\GoogleToolbar.dll [Google Toolbar] -> [2009/04/30 08:58:12 | 00,259,696 | ---- | M] (Google Inc.)
WebBrowser\\"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> [2004/12/14 03:13:40 | 00,225,280 | ---- | M] (Adobe Systems Incorporated)
WebBrowser\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn0\yt.dll [Yahoo! Toolbar] -> [2008/07/28 06:47:40 | 00,882,416 | ---- | M] (Yahoo! Inc.)
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"egui" -> %ProgramFiles%\ESET\ESET Smart Security\egui.exe ["C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice] -> [2009/04/09 15:17:56 | 02,029,640 | ---- | M] (ESET)
"LogMeIn GUI" -> %ProgramFiles%\LogMeIn\x86\LogMeInSystray.exe ["C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"] -> [2008/07/24 19:46:10 | 00,063,048 | ---- | M] (LogMeIn, Inc.)
"QuickTime Task" -> %ProgramFiles%\QuickTime\qttask.exe ["C:\Program Files\QuickTime\qttask.exe" -atboottime] -> [2009/01/05 16:18:48 | 00,413,696 | ---- | M] (Apple Inc.)
"TrojanScanner" -> %ProgramFiles%\Trojan Remover\Trjscan.exe [C:\Program Files\Trojan Remover\Trjscan.exe /boot] -> [2009/05/10 13:59:24 | 01,059,208 | ---- | M] (Simply Super Software)
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"Messenger (Yahoo!)" -> %ProgramFiles%\Yahoo!\Messenger\YahooMessenger.exe ["C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet] -> [2009/03/18 18:50:30 | 04,363,504 | ---- | M] (Yahoo! Inc.)
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
< Cecilia Startup Folder > -> C:\Documents and Settings\Cecilia\Start Menu\Programs\Startup ->
< Machine Startup Folder > -> C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup ->
-> %SystemRoot%\System32\GroupPolicy\Machine\Scripts\Startup\borrar-antes-logon.bat -> [2009/05/05 09:10:33 | 00,000,052 | ---- | M] ()
< Machine Shutdown Folder > -> C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Shutdown ->
-> %SystemRoot%\System32\GroupPolicy\Machine\Scripts\Shutdown\borrar-antes-logon.bat -> [2009/05/05 09:10:33 | 00,000,052 | ---- | M] ()
< Software Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer ->
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"HonorAutoRunSetting" -> [1] -> File not found
\\"NoCDBurning" -> [0] -> File not found
\\"NoDriveAutoRun" -> [67108863] -> File not found
\\"NoDriveTypeAutoRun" -> [323] -> File not found
\\"NoDrives" -> [0] -> File not found
\\"NoActiveDesktop" -> [1] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\\"dontdisplaylastusername" -> [0] -> File not found
\\"legalnoticecaption" -> [] -> File not found
\\"legalnoticetext" -> [] -> File not found
\\"shutdownwithoutlogon" -> [1] -> File not found
\\"undockwithoutlogon" -> [1] -> File not found
\\"DisableRegistryTools" -> [0] -> File not found
< CurrentVersion Policy Settings - Explorer [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [323] -> File not found
\\"NoDriveAutoRun" -> [67108863] -> File not found
\\"NoDrives" -> [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{92780B25-18CC-41C8-B9BE-3C9C571A8263}:{FF059E31-CC5A-4E2E-BF3B-96E929D65503} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Button: Research] -> [2007/04/19 14:10:18 | 00,063,840 | ---- | M] (Microsoft Corporation)
{e2e2dd38-d088-4134-82b7-f2ba38496583}:Exec [HKLM] -> %SystemRoot%\Network Diagnostic\xpnetdiag.exe [Menu: @xpsp3res.dll,-20001] -> [2008/04/14 08:00:00 | 00,558,080 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}:Exec [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Button: Messenger] -> [2008/04/14 06:42:30 | 01,695,232 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}:Exec [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Menu: Windows Messenger] -> [2008/04/14 06:42:30 | 01,695,232 | ---- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2007/04/19 14:10:18 | 00,063,840 | ---- | M] (Microsoft Corporation)
CmdMapping\\"{e2e2dd38-d088-4134-82b7-f2ba38496583}" [HKLM] -> %SystemRoot%\Network Diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2008/04/14 08:00:00 | 00,558,080 | ---- | M] (Microsoft Corporation)
CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 06:42:30 | 01,695,232 | ---- | M] (Microsoft Corporation)
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ ->
PluginsPageFriendlyName -> Microsoft ActiveX Gallery ->
PluginsPage -> http://activex.microsoft.com/contro... ->
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. ->
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1 domain(s) found. ->
www_thomhartmann.com [https] -> Trusted sites ->
1 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [HKLM] -> http://fpdownload.macromedia.com/ge... [Reg Error: Key error.] ->
{983A9C21-8207-4B58-BBB8-0EBC3D7C5505} [HKLM] -> https://webmail.un.int/dwa8W.cab [Domino Web Access 8 Control] ->
{FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} [HKLM] -> https://secure.logmein.com/activex/ractrl.cab?lmi=100 [Performance Viewer Activex Control] ->
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{CD21211B-FADD-4E8A-812B-C4AECD1BCACA} -> (Intel(R) PRO/1000 PL Network Connection) ->
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell ->
Explorer.exe -> %SystemRoot%\Explorer.exe -> [2008/04/14 08:00:00 | 01,033,728 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> ->
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
LMIinit -> %SystemRoot%\system32\LMIinit.dll -> [2008/10/16 21:35:38 | 00,087,352 | ---- | M] (LogMeIn, Inc.)
voimxisa -> %SystemRoot%\system32\peuslnx.dll -> [2008/04/14 08:00:00 | 00,104,960 | ---- | M] ()
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List ->
"%windir%\Network Diagnostic\xpnetdiag.exe" -> C:\WINDOWS\Network Diagnostic\xpnetdiag.exe [%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000] -> [2008/04/14 08:00:00 | 00,558,080 | ---- | M] (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" -> C:\WINDOWS\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> [2008/04/14 08:00:00 | 00,141,312 | ---- | M] (Microsoft Corporation)
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List ->
"%windir%\Network Diagnostic\xpnetdiag.exe" -> C:\WINDOWS\Network Diagnostic\xpnetdiag.exe [%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000] -> [2008/04/14 08:00:00 | 00,558,080 | ---- | M] (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" -> C:\WINDOWS\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> [2008/04/14 08:00:00 | 00,141,312 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Bonjour\mDNSResponder.exe" -> C:\Program Files\Bonjour\mDNSResponder.exe [C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour] -> [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" -> C:\Program Files\iTunes\iTunes.exe [C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes] -> [2009/04/02 16:10:58 | 13,646,632 | ---- | M] (Apple Inc.)
"C:\Program Files\Skype\Phone\Skype.exe" -> C:\Program Files\Skype\Phone\Skype.exe [C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype] -> [2009/04/16 13:36:36 | 24,264,488 | R--- | M] (Skype Technologies S.A.)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -> C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger] -> [2009/03/18 18:50:30 | 04,363,504 | ---- | M] (Yahoo! Inc.)
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot ->
"AlternateShell" -> cmd.exe ->
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 ->
"DisplayName" -> CD-ROM Driver ->
"ImagePath" -> %SystemRoot%\system32\DRIVERS\cdrom.sys [system32\DRIVERS\cdrom.sys] -> [2008/04/14 08:00:00 | 00,062,976 | ---- | M] (Microsoft Corporation)
< Drives with AutoRun files > -> ->
C:\AUTOEXEC.BAT [] -> %SystemDrive%\AUTOEXEC.BAT [ NTFS ] -> [2009/04/01 09:23:25 | 00,000,000 | ---- | M] ()
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 ->
\{30e43047-1def-11de-9672-806d6172696f}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{30e43047-1def-11de-9672-806d6172696f}\Shell
\{30e43047-1def-11de-9672-806d6172696f}\Shell\\"" -> [AutoRun] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{30e43047-1def-11de-9672-806d6172696f}\Shell\AutoRun
\{30e43047-1def-11de-9672-806d6172696f}\Shell\AutoRun\\"" -> [Auto&Play] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{30e43047-1def-11de-9672-806d6172696f}\Shell\AutoRun\command
\{30e43047-1def-11de-9672-806d6172696f}\Shell\AutoRun\command\\"" -> E:\autoRcd.exe [E:\autoRcd.exe] -> File not found



#23
May 18, 2009 at 06:56:59
THIRD PART:


[Files/Folders - Created Within 30 Days]
1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp ->
3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->
OTScanIt2 -> %UserProfile%\Desktop\OTScanIt2 -> [2009/05/16 11:44:49 | 00,000,000 | ---D | C]
OTScanIt2.exe -> %UserProfile%\Desktop\OTScanIt2.exe -> [2009/05/16 11:43:55 | 00,665,196 | ---- | C] ()
OCONVPCK.EXE -> %UserProfile%\Desktop\OCONVPCK.EXE -> [2009/05/15 12:31:22 | 01,761,856 | ---- | C] (Microsoft Corporation)
Microsoft ActiveSync -> %ProgramFiles%\Microsoft ActiveSync -> [2009/05/15 11:49:06 | 00,000,000 | ---D | C]
DESIGNER -> %CommonProgramFiles%\DESIGNER -> [2009/05/15 11:48:13 | 00,000,000 | ---D | C]
Microsoft Visual Studio -> %ProgramFiles%\Microsoft Visual Studio -> [2009/05/15 11:47:56 | 00,000,000 | ---D | C]
New Settings File.OPS -> %UserProfile%\My Documents\New Settings File.OPS -> [2009/05/15 09:44:32 | 00,498,094 | ---- | C] ()
backup-may15-2009.reg -> %UserProfile%\My Documents\backup-may15-2009.reg -> [2009/05/15 09:23:40 | 00,000,356 | ---- | C] ()
RECYCLER -> %SystemDrive%\RECYCLER -> [2009/05/15 09:08:51 | 00,000,000 | -HSD | C]
temp -> %SystemRoot%\temp -> [2009/05/15 08:48:47 | 00,000,000 | ---D | C]
mucltui.dll -> %SystemRoot%\System32\mucltui.dll -> [2009/05/14 10:41:38 | 00,268,648 | ---- | C] (Microsoft Corporation)
muweb.dll -> %SystemRoot%\System32\muweb.dll -> [2009/05/14 10:41:38 | 00,208,744 | ---- | C] (Microsoft Corporation)
mucltui.dll.mui -> %SystemRoot%\System32\mucltui.dll.mui -> [2009/05/14 10:41:38 | 00,027,496 | ---- | C] (Microsoft Corporation)
Microsoft Silverlight -> %ProgramFiles%\Microsoft Silverlight -> [2009/05/14 09:47:50 | 00,000,000 | ---D | C]
TEMP -> %AllUsersProfile%\Application Data\TEMP -> [2009/05/13 09:03:42 | 00,000,000 | ---D | C]
Trojan Remover.lnk -> %AllUsersProfile%\Desktop\Trojan Remover.lnk -> [2009/05/13 09:03:19 | 00,000,784 | ---- | C] ()
ztvunrar36.dll -> %SystemRoot%\System32\ztvunrar36.dll -> [2009/05/13 09:03:18 | 00,162,304 | ---- | C] ()
UNRAR3.dll -> %SystemRoot%\System32\UNRAR3.dll -> [2009/05/13 09:03:18 | 00,153,088 | ---- | C] ()
ztvunace26.dll -> %SystemRoot%\System32\ztvunace26.dll -> [2009/05/13 09:03:18 | 00,077,312 | ---- | C] ()
unacev2.dll -> %SystemRoot%\System32\unacev2.dll -> [2009/05/13 09:03:18 | 00,075,264 | ---- | C] ()
ztvcabinet.dll -> %SystemRoot%\System32\ztvcabinet.dll -> [2009/05/13 09:03:18 | 00,069,632 | ---- | C] (Microsoft Corporation)
Trojan Remover -> %ProgramFiles%\Trojan Remover -> [2009/05/13 09:02:53 | 00,000,000 | ---D | C]
Simply Super Software -> %UserProfile%\My Documents\Simply Super Software -> [2009/05/13 09:02:53 | 00,000,000 | ---D | C]
Simply Super Software -> %AppData%\Simply Super Software -> [2009/05/13 09:02:53 | 00,000,000 | ---D | C]
Simply Super Software -> %AllUsersProfile%\Application Data\Simply Super Software -> [2009/05/13 09:02:53 | 00,000,000 | ---D | C]
Yahoo! Messenger.lnk -> %AllUsersProfile%\Desktop\Yahoo! Messenger.lnk -> [2009/05/11 09:09:06 | 00,000,812 | ---- | C] ()
regal10demayo2009.reg -> %UserProfile%\My Documents\regal10demayo2009.reg -> [2009/05/10 21:39:15 | 74,199,554 | ---- | C] ()
avenger.exe -> %UserProfile%\Desktop\avenger.exe -> [2009/05/10 11:53:00 | 00,731,136 | ---- | C] ()
avenger.zip -> %UserProfile%\Desktop\avenger.zip -> [2009/05/10 11:51:29 | 00,724,952 | ---- | C] ()
Copy of summerprograms.xls -> %UserProfile%\Desktop\Copy of summerprograms.xls -> [2009/05/08 17:16:54 | 00,065,024 | ---- | C] ()
organigrama.htm -> %UserProfile%\Desktop\organigrama.htm -> [2009/05/08 11:17:51 | 00,036,333 | ---- | C] ()
organigrama_files -> %UserProfile%\Desktop\organigrama_files -> [2009/05/08 11:17:51 | 00,000,000 | ---D | C]
Boot.bak -> %SystemDrive%\Boot.bak -> [2009/05/08 08:42:26 | 00,000,211 | ---- | C] ()
cmldr -> %SystemDrive%\cmldr -> [2009/05/08 08:42:24 | 00,260,272 | ---- | C] ()
cmdcons -> %SystemDrive%\cmdcons -> [2009/05/08 08:42:24 | 00,000,000 | RHSD | C]
SWXCACLS.exe -> %SystemRoot%\SWXCACLS.exe -> [2009/05/08 08:40:50 | 00,212,480 | ---- | C] (SteelWerX)
SWREG.exe -> %SystemRoot%\SWREG.exe -> [2009/05/08 08:40:50 | 00,161,792 | ---- | C] (SteelWerX)
SWSC.exe -> %SystemRoot%\SWSC.exe -> [2009/05/08 08:40:50 | 00,136,704 | ---- | C] (SteelWerX)
vFind.exe -> %SystemRoot%\vFind.exe -> [2009/05/08 08:40:50 | 00,117,248 | ---- | C] ()
sed.exe -> %SystemRoot%\sed.exe -> [2009/05/08 08:40:50 | 00,098,816 | ---- | C] ()
grep.exe -> %SystemRoot%\grep.exe -> [2009/05/08 08:40:50 | 00,080,412 | ---- | C] ()
zip.exe -> %SystemRoot%\zip.exe -> [2009/05/08 08:40:50 | 00,068,096 | ---- | C] ()
NIRCMD.exe -> %SystemRoot%\NIRCMD.exe -> [2009/05/08 08:40:50 | 00,031,232 | ---- | C] (NirSoft)
ERDNT -> %SystemRoot%\ERDNT -> [2009/05/08 08:40:44 | 00,000,000 | ---D | C]
Qoobox -> %SystemDrive%\Qoobox -> [2009/05/07 07:18:56 | 00,000,000 | ---D | C]
toolb.exe -> %UserProfile%\Desktop\toolb.exe -> [2009/05/07 07:17:52 | 02,988,557 | R--- | C] ()
Malwarebytes -> %AppData%\Malwarebytes -> [2009/05/06 18:53:24 | 00,000,000 | ---D | C]
mbam.sys -> %SystemRoot%\System32\drivers\mbam.sys -> [2009/05/06 18:53:23 | 00,015,504 | ---- | C] (Malwarebytes Corporation)
Malwarebytes' Anti-Malware.lnk -> %AllUsersProfile%\Desktop\Malwarebytes' Anti-Malware.lnk -> [2009/05/06 18:53:23 | 00,000,696 | ---- | C] ()
mbamswissarmy.sys -> %SystemRoot%\System32\drivers\mbamswissarmy.sys -> [2009/05/06 18:53:20 | 00,038,496 | ---- | C] (Malwarebytes Corporation)
Malwarebytes' Anti-Malware -> %ProgramFiles%\Malwarebytes' Anti-Malware -> [2009/05/06 18:53:18 | 00,000,000 | ---D | C]
Malwarebytes -> %AllUsersProfile%\Application Data\Malwarebytes -> [2009/05/06 18:53:18 | 00,000,000 | ---D | C]
HijackThis.lnk -> %UserProfile%\Desktop\HijackThis.lnk -> [2009/05/06 16:45:49 | 00,001,734 | ---- | C] ()
Trend Micro -> %ProgramFiles%\Trend Micro -> [2009/05/06 16:45:47 | 00,000,000 | ---D | C]
ESET -> %ProgramFiles%\ESET -> [2009/05/06 12:44:11 | 00,000,000 | ---D | C]
Atyro.mdb -> %SystemDrive%\Atyro.mdb -> [2009/05/06 10:37:55 | 00,761,856 | ---- | C] ()
Favorites -> %UserProfile%\My Documents\Favorites -> [2009/05/06 09:41:53 | 00,000,000 | R--D | C]
appmgmt -> %SystemRoot%\System32\appmgmt -> [2009/05/06 09:06:05 | 00,000,000 | ---D | C]
ESET -> %AppData%\ESET -> [2009/05/05 10:43:06 | 00,000,000 | ---D | C]
ESET -> %UserProfile%\Local Settings\Application Data\ESET -> [2009/05/05 10:43:04 | 00,000,000 | ---D | C]
ESET -> %AllUsersProfile%\Application Data\ESET -> [2009/05/05 10:41:44 | 00,000,000 | ---D | C]
ESET_ESS_User_Guide_EN.pdf -> %UserProfile%\My Documents\ESET_ESS_User_Guide_EN.pdf -> [2009/05/05 10:40:06 | 03,906,644 | ---- | C] ()
Startup Cop.lnk -> %UserProfile%\Desktop\Startup Cop.lnk -> [2009/05/05 09:20:41 | 00,000,630 | ---- | C] ()
StartCop -> %ProgramFiles%\StartCop -> [2009/05/05 09:20:40 | 00,000,000 | ---D | C]
GroupPolicy -> %SystemRoot%\System32\GroupPolicy -> [2009/05/05 09:07:46 | 00,000,000 | -H-D | C]
Unlocker -> %ProgramFiles%\Unlocker -> [2009/05/04 22:45:33 | 00,000,000 | ---D | C]
d3d9caps.dat -> %SystemRoot%\System32\d3d9caps.dat -> [2009/05/04 12:10:04 | 00,000,664 | ---- | C] ()
FUNCIONARIOS URUDELEG Y CONSULADO.doc -> %UserProfile%\Desktop\FUNCIONARIOS URUDELEG Y CONSULADO.doc -> [2009/05/04 10:11:29 | 00,093,184 | ---- | C] ()
nsreg.dat -> %SystemRoot%\nsreg.dat -> [2009/05/04 10:08:21 | 00,000,000 | ---- | C] ()
Mozilla -> %UserProfile%\Local Settings\Application Data\Mozilla -> [2009/05/04 10:08:19 | 00,000,000 | ---D | C]
Mozilla -> %AppData%\Mozilla -> [2009/05/04 10:08:19 | 00,000,000 | ---D | C]
Mozilla Firefox.lnk -> %AllUsersProfile%\Desktop\Mozilla Firefox.lnk -> [2009/05/04 10:08:16 | 00,001,602 | ---- | C] ()
Mozilla Firefox -> %ProgramFiles%\Mozilla Firefox -> [2009/05/04 10:08:12 | 00,000,000 | ---D | C]
Downloaded Installations -> %SystemRoot%\Downloaded Installations -> [2009/05/01 13:02:27 | 00,000,000 | ---D | C]
found.000 -> %SystemDrive%\found.000 -> [2009/05/01 03:09:54 | 00,000,000 | -HSD | C]
MSXML 4.0 -> %ProgramFiles%\MSXML 4.0 -> [2009/05/01 03:00:32 | 00,000,000 | ---D | C]
QUARANTINE -> %SystemDrive%\QUARANTINE -> [2009/04/30 12:47:10 | 00,000,000 | ---D | C]
Roxio -> %AppData%\Roxio -> [2009/04/30 11:35:50 | 00,000,000 | ---D | C]
InstallShield -> %AppData%\InstallShield -> [2009/04/30 11:25:35 | 00,000,000 | ---D | C]
Sonic -> %AllUsersProfile%\Application Data\Sonic -> [2009/04/30 11:25:18 | 00,000,000 | ---D | C]
Roxio -> %ProgramFiles%\Roxio -> [2009/04/30 11:23:19 | 00,000,000 | ---D | C]
Roxio -> %AllUsersProfile%\Application Data\Roxio -> [2009/04/30 11:23:19 | 00,000,000 | ---D | C]
Roxio Shared -> %CommonProgramFiles%\Roxio Shared -> [2009/04/30 11:23:12 | 00,000,000 | ---D | C]
RegisteredPackages -> %SystemRoot%\RegisteredPackages -> [2009/04/30 11:19:05 | 00,000,000 | ---D | C]
RimSerial.sys -> %SystemRoot%\System32\drivers\RimSerial.sys -> [2009/04/30 11:18:11 | 00,026,496 | R--- | C] (Research in Motion Ltd)
Desktop Manager.lnk -> %AllUsersProfile%\Desktop\Desktop Manager.lnk -> [2009/04/30 11:17:39 | 00,001,729 | ---- | C] ()
Research In Motion -> %ProgramFiles%\Research In Motion -> [2009/04/30 11:17:20 | 00,000,000 | ---D | C]
pool.bin -> %SystemRoot%\System32\pool.bin -> [2009/04/30 09:23:18 | 00,000,256 | ---- | C] ()
Research In Motion -> %AppData%\Research In Motion -> [2009/04/30 09:23:17 | 00,000,000 | ---D | C]
Research In Motion -> %CommonProgramFiles%\Research In Motion -> [2009/04/30 09:22:54 | 00,000,000 | ---D | C]
Windows Genuine Advantage -> %AllUsersProfile%\Application Data\Windows Genuine Advantage -> [2009/04/29 11:31:28 | 00,000,000 | ---D | C]
9be96c78a522f8d8d3dd0469 -> %SystemDrive%\9be96c78a522f8d8d3dd0469 -> [2009/04/29 11:30:36 | 00,000,000 | ---D | C]
20090424104046653.tif -> %AllUsersProfile%\Documents\20090424104046653.tif -> [2009/04/24 10:39:04 | 00,903,978 | ---- | C] ()
ie7updates -> %SystemRoot%\ie7updates -> [2009/04/24 09:32:10 | 00,000,000 | ---D | C]
msfeeds.dll -> %SystemRoot%\System32\dllcache\msfeeds.dll -> [2009/04/24 09:31:59 | 00,459,264 | ---- | C] (Microsoft Corporation)
msfeedsbs.dll -> %SystemRoot%\System32\dllcache\msfeedsbs.dll -> [2009/04/24 09:31:59 | 00,052,224 | ---- | C] (Microsoft Corporation)
ieframe.dll -> %SystemRoot%\System32\dllcache\ieframe.dll -> [2009/04/24 09:31:58 | 06,066,176 | ---- | C] (Microsoft Corporation)
ieapfltr.dat -> %SystemRoot%\System32\dllcache\ieapfltr.dat -> [2009/04/24 09:31:58 | 02,455,488 | ---- | C] (Microsoft Corporation)
ieframe.dll.mui -> %SystemRoot%\System32\dllcache\ieframe.dll.mui -> [2009/04/24 09:31:58 | 00,991,232 | ---- | C] (Microsoft Corporation)
ieapfltr.dll -> %SystemRoot%\System32\dllcache\ieapfltr.dll -> [2009/04/24 09:31:58 | 00,383,488 | ---- | C] (Microsoft Corporation)
iertutil.dll -> %SystemRoot%\System32\dllcache\iertutil.dll -> [2009/04/24 09:31:58 | 00,268,288 | ---- | C] (Microsoft Corporation)
ieudinit.exe -> %SystemRoot%\System32\dllcache\ieudinit.exe -> [2009/04/24 09:31:58 | 00,013,824 | ---- | C] (Microsoft Corporation)
icardie.dll -> %SystemRoot%\System32\dllcache\icardie.dll -> [2009/04/24 09:31:57 | 00,063,488 | ---- | C] (Microsoft Corporation)
WBEM -> %SystemRoot%\WBEM -> [2009/04/24 09:31:45 | 00,000,000 | ---D | C]
ie7 -> %SystemRoot%\ie7 -> [2009/04/24 09:31:12 | 00,000,000 | -H-D | C]
$NtServicePackUninstallIDNMitigationAPIs$ -> %SystemRoot%\$NtServicePackUninstallIDNMitigationAPIs$ -> [2009/04/24 09:30:59 | 00,000,000 | -H-D | C]
562c8d6f493a28201758e604d9aa2d -> %SystemDrive%\562c8d6f493a28201758e604d9aa2d -> [2009/04/24 09:30:37 | 00,000,000 | ---D | C]
$NtServicePackUninstallNLSDownlevelMapping$ -> %SystemRoot%\$NtServicePackUninstallNLSDownlevelMapping$ -> [2009/04/24 09:30:30 | 00,000,000 | -H-D | C]
03dac92d0daee9bc909c5e90 -> %SystemDrive%\03dac92d0daee9bc909c5e90 -> [2009/04/24 09:29:59 | 00,000,000 | ---D | C]
Downloads -> %UserProfile%\My Documents\Downloads -> [2009/04/23 09:12:14 | 00,000,000 | ---D | C]
Google Chrome.lnk -> %AllUsersProfile%\Desktop\Google Chrome.lnk -> [2009/04/23 09:11:41 | 00,001,813 | ---- | C] ()
GoogleUpdateTaskMachine.job -> %SystemRoot%\tasks\GoogleUpdateTaskMachine.job -> [2009/04/23 09:11:13 | 00,000,882 | ---- | C] ()
Skype -> %AppData%\Skype -> [2009/04/23 09:11:09 | 00,000,000 | ---D | C]
Skype.lnk -> %AllUsersProfile%\Desktop\Skype.lnk -> [2009/04/23 09:11:00 | 00,001,878 | ---- | C] ()
Skype -> %ProgramFiles%\Skype -> [2009/04/23 09:10:57 | 00,000,000 | R--D | C]
Skype -> %AllUsersProfile%\Application Data\Skype -> [2009/04/23 09:10:53 | 00,000,000 | ---D | C]
20090422124039186.tif -> %AllUsersProfile%\Documents\20090422124039186.tif -> [2009/04/22 12:38:54 | 00,069,581 | ---- | C] ()
20090422111552282.tif -> %AllUsersProfile%\Documents\20090422111552282.tif -> [2009/04/22 11:14:07 | 00,074,931 | ---- | C] ()
20090422111453821.tif -> %AllUsersProfile%\Documents\20090422111453821.tif -> [2009/04/22 11:13:08 | 00,303,959 | ---- | C] ()
20090422111219320.tif -> %AllUsersProfile%\Documents\20090422111219320.tif -> [2009/04/22 11:10:34 | 00,142,485 | ---- | C] ()
Sonic -> %AppData%\Sonic -> [2009/04/21 11:48:51 | 00,000,000 | ---D | C]
Leadertech -> %AppData%\Leadertech -> [2009/04/21 11:48:33 | 00,000,000 | ---D | C]
InstallShield -> %AllUsersProfile%\Application Data\InstallShield -> [2009/04/21 11:38:11 | 00,000,000 | ---D | C]
MyDVD LE.lnk -> %AllUsersProfile%\Desktop\MyDVD LE.lnk -> [2009/04/21 11:38:07 | 00,001,885 | ---- | C] ()
TiVo Shared -> %CommonProgramFiles%\TiVo Shared -> [2009/04/21 11:37:06 | 00,000,000 | ---D | C]
wininit.ini -> %SystemRoot%\wininit.ini -> [2009/04/21 11:34:25 | 00,000,186 | ---- | C] ()
dla -> %SystemRoot%\System32\dla -> [2009/04/21 11:34:25 | 00,000,000 | ---D | C]
Sonic -> %ProgramFiles%\Sonic -> [2009/04/21 11:34:23 | 00,000,000 | ---D | C]
Burn CDs & DVDs with Sonic DigitalMedia LE.lnk -> %AllUsersProfile%\Desktop\Burn CDs & DVDs with Sonic DigitalMedia LE.lnk -> [2009/04/21 11:33:19 | 00,001,890 | ---- | C] ()
Sonic Shared -> %CommonProgramFiles%\Sonic Shared -> [2009/04/21 11:33:07 | 00,000,000 | ---D | C]
FERNANDO GONZALEZ GUYER.doc -> %UserProfile%\My Documents\FERNANDO GONZALEZ GUYER.doc -> [2009/04/17 10:30:22 | 00,024,064 | ---- | C] ()
ActiveSkin.INI -> %SystemRoot%\ActiveSkin.INI -> [2009/04/07 10:33:21 | 00,000,112 | ---- | C] ()
ricdb.ini -> %SystemRoot%\ricdb.ini -> [2009/04/02 12:56:05 | 00,070,466 | ---- | C] ()
RPCS.ini -> %SystemRoot%\System32\RPCS.ini -> [2009/04/02 12:56:04 | 00,000,094 | ---- | C] ()
PMJobCli.ini -> %SystemRoot%\PMJobCli.ini -> [2009/04/02 12:17:43 | 00,000,226 | ---- | C] ()
PMRicMb.ini -> %SystemRoot%\PMRicMb.ini -> [2009/04/02 12:17:41 | 00,012,309 | ---- | C] ()
PMRicPMb.ini -> %SystemRoot%\PMRicPMb.ini -> [2009/04/02 12:17:41 | 00,007,873 | ---- | C] ()
PMPrtMb.ini -> %SystemRoot%\PMPrtMb.ini -> [2009/04/02 12:17:41 | 00,005,390 | ---- | C] ()
PMRicFMb.ini -> %SystemRoot%\PMRicFMb.ini -> [2009/04/02 12:17:41 | 00,004,644 | ---- | C] ()
PMDvPrn.ini -> %SystemRoot%\PMDvPrn.ini -> [2009/04/02 12:17:41 | 00,003,149 | ---- | C] ()
PMDvDev.ini -> %SystemRoot%\PMDvDev.ini -> [2009/04/02 12:17:41 | 00,002,102 | ---- | C] ()
PMDIOMb.ini -> %SystemRoot%\PMDIOMb.ini -> [2009/04/02 12:17:41 | 00,002,047 | ---- | C] ()
PMHostMb.ini -> %SystemRoot%\PMHostMb.ini -> [2009/04/02 12:17:41 | 00,002,036 | ---- | C] ()
PMPSIOMb.ini -> %SystemRoot%\PMPSIOMb.ini -> [2009/04/02 12:17:41 | 00,001,885 | ---- | C] ()
PMRicSMb.ini -> %SystemRoot%\PMRicSMb.ini -> [2009/04/02 12:17:41 | 00,001,727 | ---- | C] ()
PMRicCMb.ini -> %SystemRoot%\PMRicCMb.ini -> [2009/04/02 12:17:41 | 00,001,706 | ---- | C] ()
PMMib2Mb.ini -> %SystemRoot%\PMMib2Mb.ini -> [2009/04/02 12:17:41 | 00,001,494 | ---- | C] ()
PMDvFax.ini -> %SystemRoot%\PMDvFax.ini -> [2009/04/02 12:17:41 | 00,001,168 | ---- | C] ()
PMDPIMb.ini -> %SystemRoot%\PMDPIMb.ini -> [2009/04/02 12:17:41 | 00,001,143 | ---- | C] ()
PMAxsMb.ini -> %SystemRoot%\PMAxsMb.ini -> [2009/04/02 12:17:41 | 00,001,094 | ---- | C] ()
PMDvScan.ini -> %SystemRoot%\PMDvScan.ini -> [2009/04/02 12:17:41 | 00,000,842 | ---- | C] ()
PMDvCopy.ini -> %SystemRoot%\PMDvCopy.ini -> [2009/04/02 12:17:41 | 00,000,423 | ---- | C] ()
PMSnmpMb.ini -> %SystemRoot%\PMSnmpMb.ini -> [2009/04/02 12:17:41 | 00,000,332 | ---- | C] ()
RidocPrn.ini -> %SystemRoot%\RidocPrn.ini -> [2009/04/02 12:17:38 | 00,000,035 | ---- | C] ()
PMObservps.dll -> %SystemRoot%\System32\PMObservps.dll -> [2009/04/02 12:17:25 | 00,024,576 | ---- | C] ()
dellstat.ini -> %SystemRoot%\dellstat.ini -> [2009/04/02 11:02:45 | 00,000,155 | ---- | C] ()
dlbcvs.dll -> %SystemRoot%\System32\dlbcvs.dll -> [2009/04/02 11:02:31 | 00,040,960 | ---- | C] ()
dlbccoin.ini -> %SystemRoot%\System32\dlbccoin.ini -> [2009/04/02 11:02:31 | 00,000,373 | ---- | C] ()
hpbvspst.ini -> %SystemRoot%\hpbvspst.ini -> [2009/04/02 10:50:20 | 00,000,462 | ---- | C] ()
hpbvnstp.ini -> %SystemRoot%\hpbvnstp.ini -> [2009/04/02 10:49:59 | 00,001,228 | ---- | C] ()
tx32.dll -> %SystemRoot%\System32\tx32.dll -> [2009/04/01 13:37:48 | 00,375,296 | ---- | C] ()
Ic32.ini -> %SystemRoot%\System32\Ic32.ini -> [2009/04/01 13:37:48 | 00,000,202 | ---- | C] ()
ODBC.INI -> %SystemRoot%\ODBC.INI -> [2009/04/01 12:35:28 | 00,000,376 | ---- | C] ()
wwfcluok.dll -> %SystemRoot%\System32\wwfcluok.dll -> [2008/04/14 08:00:00 | 00,143,872 | ---- | C] ()
qxjmowrc.dll -> %SystemRoot%\System32\qxjmowrc.dll -> [2008/04/14 08:00:00 | 00,143,872 | ---- | C] ()
peuslnx.dll -> %SystemRoot%\System32\peuslnx.dll -> [2008/04/14 08:00:00 | 00,104,960 | ---- | C] ()
win.ini -> %SystemRoot%\win.ini -> [2008/04/14 08:00:00 | 00,000,573 | ---- | C] ()
system.ini -> %SystemRoot%\system.ini -> [2008/04/14 08:00:00 | 00,000,227 | ---- | C] ()
ractrlkeyhook.dll -> %SystemRoot%\System32\ractrlkeyhook.dll -> [2007/08/06 12:07:30 | 00,008,784 | ---- | C] ()
hppapr04.DLL -> %SystemRoot%\System32\hppapr04.DLL -> [2006/05/05 08:51:40 | 00,241,664 | ---- | C] ()
px.ini -> %SystemRoot%\System32\px.ini -> [2005/04/19 18:59:34 | 00,000,000 | ---- | C] ()
OUTLPERF.INI -> %SystemRoot%\System32\OUTLPERF.INI -> [2003/01/07 15:05:08 | 00,002,695 | ---- | C] ()
hptcpmon.ini -> %SystemRoot%\System32\hptcpmon.ini -> [2001/07/06 17:30:00 | 00,003,399 | ---- | C] ()
#24
May 18, 2009 at 07:17:59
4TH PART (last part I am posting)

[Files/Folders - Modified Within 30 Days]
1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp ->
3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->
1 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp ->
OTScanIt2.exe -> %UserProfile%\Desktop\OTScanIt2.exe -> [2009/05/16 11:44:19 | 00,665,196 | ---- | M] ()
qmgr1.dat -> %AllUsersProfile%\Application Data\Microsoft\Network\Downloader\qmgr1.dat -> [2009/05/16 09:43:10 | 00,004,646 | ---- | M] ()
qmgr0.dat -> %AllUsersProfile%\Application Data\Microsoft\Network\Downloader\qmgr0.dat -> [2009/05/16 09:43:10 | 00,004,232 | ---- | M] ()
win.ini -> %SystemRoot%\win.ini -> [2009/05/16 03:02:10 | 00,000,573 | ---- | M] ()
GoogleUpdateTaskMachine.job -> %SystemRoot%\tasks\GoogleUpdateTaskMachine.job -> [2009/05/16 00:00:12 | 00,000,882 | ---- | M] ()
NTUSER.DAT -> %UserProfile%\NTUSER.DAT -> [2009/05/15 12:41:53 | 02,621,440 | -H-- | M] ()
OCONVPCK.EXE -> %UserProfile%\Desktop\OCONVPCK.EXE -> [2009/05/15 12:31:27 | 01,761,856 | ---- | M] (Microsoft Corporation)
wpa.dbl -> %SystemRoot%\System32\wpa.dbl -> [2009/05/15 12:02:02 | 00,002,206 | ---- | M] ()
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [2009/05/15 11:59:56 | 00,000,006 | -H-- | M] ()
bootstat.dat -> %SystemRoot%\bootstat.dat -> [2009/05/15 11:59:51 | 00,002,048 | --S- | M] ()
FNTCACHE.DAT -> %SystemRoot%\System32\FNTCACHE.DAT -> [2009/05/15 11:59:46 | 00,310,784 | ---- | M] ()
ntuser.ini -> %UserProfile%\ntuser.ini -> [2009/05/15 11:58:40 | 00,000,278 | -HS- | M] ()
IconCache.db -> %UserProfile%\Local Settings\Application Data\IconCache.db -> [2009/05/15 11:58:35 | 05,316,726 | -H-- | M] ()
ODBC.INI -> %SystemRoot%\ODBC.INI -> [2009/05/15 11:52:01 | 00,000,376 | ---- | M] ()
GDIPFONTCACHEV1.DAT -> %UserProfile%\Local Settings\Application Data\GDIPFONTCACHEV1.DAT -> [2009/05/15 10:19:49 | 00,087,448 | ---- | M] ()
Perflib_Perfdata_934.dat -> %SystemRoot%\Temp\Perflib_Perfdata_934.dat -> [2009/05/15 09:49:26 | 00,016,384 | ---- | M] ()
New Settings File.OPS -> %UserProfile%\My Documents\New Settings File.OPS -> [2009/05/15 09:44:34 | 00,498,094 | ---- | M] ()
Perflib_Perfdata_e10.dat -> %UserProfile%\Local Settings\temp\Perflib_Perfdata_e10.dat -> [2009/05/15 09:43:13 | 00,016,384 | ---- | M] ()
Perflib_Perfdata_bc0.dat -> %SystemRoot%\Temp\Perflib_Perfdata_bc0.dat -> [2009/05/15 09:43:13 | 00,016,384 | ---- | M] ()
backup-may15-2009.reg -> %UserProfile%\My Documents\backup-may15-2009.reg -> [2009/05/15 09:23:40 | 00,000,356 | ---- | M] ()
Perflib_Perfdata_bc8.dat -> %SystemRoot%\Temp\Perflib_Perfdata_bc8.dat -> [2009/05/15 09:08:25 | 00,016,384 | ---- | M] ()
Perflib_Perfdata_bec.dat -> %SystemRoot%\Temp\Perflib_Perfdata_bec.dat -> [2009/05/15 08:56:26 | 00,016,384 | ---- | M] ()
system.ini -> %SystemRoot%\system.ini -> [2009/05/15 08:47:47 | 00,000,227 | ---- | M] ()
toolb.exe -> %UserProfile%\Desktop\toolb.exe -> [2009/05/15 08:44:36 | 02,988,557 | R--- | M] ()
Google Chrome.lnk -> %AllUsersProfile%\Desktop\Google Chrome.lnk -> [2009/05/14 22:51:26 | 00,001,813 | ---- | M] ()
vFind.exe -> %SystemRoot%\vFind.exe -> [2009/05/14 17:50:08 | 00,117,248 | ---- | M] ()
hosts -> %SystemRoot%\System32\drivers\etc\hosts -> [2009/05/13 09:38:34 | 00,000,027 | ---- | M] ()
boot.ini -> %SystemDrive%\boot.ini -> [2009/05/13 09:31:58 | 00,000,282 | RHS- | M] ()
Trojan Remover.lnk -> %AllUsersProfile%\Desktop\Trojan Remover.lnk -> [2009/05/13 09:03:19 | 00,000,784 | ---- | M] ()
AppleSoftwareUpdate.job -> %SystemRoot%\tasks\AppleSoftwareUpdate.job -> [2009/05/12 17:25:01 | 00,000,284 | ---- | M] ()
Yahoo! Messenger.lnk -> %AllUsersProfile%\Desktop\Yahoo! Messenger.lnk -> [2009/05/11 09:09:06 | 00,000,812 | ---- | M] ()
regal10demayo2009.reg -> %UserProfile%\My Documents\regal10demayo2009.reg -> [2009/05/10 21:39:38 | 74,199,554 | ---- | M] ()
avenger.zip -> %UserProfile%\Desktop\avenger.zip -> [2009/05/10 11:51:39 | 00,724,952 | ---- | M] ()
Copy of summerprograms.xls -> %UserProfile%\Desktop\Copy of summerprograms.xls -> [2009/05/08 17:16:55 | 00,065,024 | ---- | M] ()
organigrama.htm -> %UserProfile%\Desktop\organigrama.htm -> [2009/05/08 11:17:52 | 00,036,333 | ---- | M] ()
MRT.exe -> %SystemRoot%\System32\MRT.exe -> [2009/05/07 03:16:29 | 24,699,336 | ---- | M] (Microsoft Corporation)
Malwarebytes' Anti-Malware.lnk -> %AllUsersProfile%\Desktop\Malwarebytes' Anti-Malware.lnk -> [2009/05/06 18:53:23 | 00,000,696 | ---- | M] ()
HijackThis.lnk -> %UserProfile%\Desktop\HijackThis.lnk -> [2009/05/06 16:45:49 | 00,001,734 | ---- | M] ()
randseed.rnd -> %SystemRoot%\randseed.rnd -> [2009/05/06 09:24:45 | 00,000,512 | ---- | M] ()
ESET_ESS_User_Guide_EN.pdf -> %UserProfile%\My Documents\ESET_ESS_User_Guide_EN.pdf -> [2009/05/05 10:40:07 | 03,906,644 | ---- | M] ()
Startup Cop.lnk -> %UserProfile%\Desktop\Startup Cop.lnk -> [2009/05/05 09:20:41 | 00,000,630 | ---- | M] ()
pool.bin -> %SystemRoot%\System32\pool.bin -> [2009/05/05 09:13:44 | 00,000,256 | ---- | M] ()
d3d9caps.dat -> %SystemRoot%\System32\d3d9caps.dat -> [2009/05/04 22:39:16 | 00,000,664 | ---- | M] ()
FUNCIONARIOS URUDELEG Y CONSULADO.doc -> %UserProfile%\Desktop\FUNCIONARIOS URUDELEG Y CONSULADO.doc -> [2009/05/04 10:11:29 | 00,093,184 | ---- | M] ()
nsreg.dat -> %SystemRoot%\nsreg.dat -> [2009/05/04 10:08:21 | 00,000,000 | ---- | M] ()
Mozilla Firefox.lnk -> %AllUsersProfile%\Desktop\Mozilla Firefox.lnk -> [2009/05/04 10:08:16 | 00,001,602 | ---- | M] ()
imsins.BAK -> %SystemRoot%\imsins.BAK -> [2009/05/01 03:01:26 | 00,001,355 | ---- | M] ()
WMSysPr9.prx -> %SystemRoot%\WMSysPr9.prx -> [2009/04/30 11:19:21 | 00,316,640 | ---- | M] ()
Desktop Manager.lnk -> %AllUsersProfile%\Desktop\Desktop Manager.lnk -> [2009/04/30 11:17:39 | 00,001,729 | ---- | M] ()
perfh009.dat -> %SystemRoot%\System32\perfh009.dat -> [2009/04/28 09:20:45 | 00,403,968 | ---- | M] ()
perfc009.dat -> %SystemRoot%\System32\perfc009.dat -> [2009/04/28 09:20:45 | 00,063,188 | ---- | M] ()
PerfStringBackup.INI -> %SystemRoot%\System32\PerfStringBackup.INI -> [2009/04/28 09:20:44 | 00,471,944 | ---- | M] ()
desktop.ini -> %UserProfile%\My Documents\desktop.ini -> [2009/04/27 08:44:19 | 00,000,078 | -HS- | M] ()
20090424104046653.tif -> %AllUsersProfile%\Documents\20090424104046653.tif -> [2009/04/24 10:39:05 | 00,903,978 | ---- | M] ()
Skype.lnk -> %AllUsersProfile%\Desktop\Skype.lnk -> [2009/04/23 09:11:00 | 00,001,878 | ---- | M] ()
20090422124039186.tif -> %AllUsersProfile%\Documents\20090422124039186.tif -> [2009/04/22 12:38:54 | 00,069,581 | ---- | M] ()
20090422111552282.tif -> %AllUsersProfile%\Documents\20090422111552282.tif -> [2009/04/22 11:14:07 | 00,074,931 | ---- | M] ()
20090422111453821.tif -> %AllUsersProfile%\Documents\20090422111453821.tif -> [2009/04/22 11:13:09 | 00,303,959 | ---- | M] ()
20090422111219320.tif -> %AllUsersProfile%\Documents\20090422111219320.tif -> [2009/04/22 11:10:34 | 00,142,485 | ---- | M] ()
wininit.ini -> %SystemRoot%\wininit.ini -> [2009/04/21 11:38:27 | 00,000,186 | ---- | M] ()
Burn CDs & DVDs with Sonic DigitalMedia LE.lnk -> %AllUsersProfile%\Desktop\Burn CDs & DVDs with Sonic DigitalMedia LE.lnk -> [2009/04/21 11:37:20 | 00,001,890 | ---- | M] ()
MyDVD LE.lnk -> %AllUsersProfile%\Desktop\MyDVD LE.lnk -> [2009/04/21 11:37:20 | 00,001,885 | ---- | M] ()
NIRCMD.exe -> %SystemRoot%\NIRCMD.exe -> [2009/04/20 12:56:28 | 00,031,232 | ---- | M] (NirSoft)
FERNANDO GONZALEZ GUYER.doc -> %UserProfile%\My Documents\FERNANDO GONZALEZ GUYER.doc -> [2009/04/17 10:30:31 | 00,024,064 | ---- | M] ()
opa11.dat -> %AllUsersProfile%\Application Data\Microsoft\OFFICE\DATA\opa11.dat -> [2009/04/01 13:54:03 | 00,008,206 | ---- | M] ()
[CatchMe Rootkit Scan by GMER]
< Windows folder & sub-folders >
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
#25
May 18, 2009 at 19:59:13
Please download “Avenger” by swandog46 to your desktop from this link http://swandog46.geekstogo.com/avenger.zip

1. Click on Avenger.zip to open the file
2. Extract avenger.exe to your desktop

Copy all the text contained in the code box below between the X's to your Clipboard by highlighting it and pressing (Ctrl+C):
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Drivers to unload:
voimxisa

Drivers to delete:
voimxisa

Files to delete:
C:\Windows\System32\qxjmowrc.dll
C:\Windows\System32\wwfcluok.dll
C:\Windows\System32\peuslnx.dll

Registry keys to delete:
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{07D9420B-3F5B-4ABA-86CD-9339D9F52C8B}
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\voimxisa

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
Click in the window labeled Input Script Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
Click the Execute button.
Answer "Yes" twice when prompted.

The Avenger will automatically do the following:
It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop; this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
#26
May 19, 2009 at 06:46:40
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\voimxisa" not found!
Deletion of driver "voimxisa" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\voimxisa" not found!
Deletion of driver "voimxisa" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\Windows\System32\qxjmowrc.dll" deleted successfully.

Error: could not open file "C:\Windows\System32\wwfcluok.dll"
Deletion of file "C:\Windows\System32\wwfcluok.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Error: could not open file "C:\Windows\System32\peuslnx.dll"
Deletion of file "C:\Windows\System32\peuslnx.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Error: registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{07D9420B-3F5B-4ABA-86CD-9339D9F52C8B}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{07D9420B-3F5B-4ABA-86CD-9339D9F52C8B}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\voimxisa" for deletion
Deletion of registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\voimxisa" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Completed script processing.

*******************

Finished! Terminate.
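Added example, not part of this thread and not Avenger's own code: a small Python parser for an Avenger 2.0 log like the one above, separating the script items that were removed from those that failed and keeping the NTSTATUS of each failure, so a helper can see at a glance which items survived (here the two DLLs and the winlogon notify key, all STATUS_ACCESS_DENIED) versus which were simply not found. The sample log is constructed from lines posted in this thread; the Driver and Registry key success forms are assumed to mirror the File form shown here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Line shapes from the Avenger 2.0 log above. Only the File success form is
# attested in this thread; the Driver/Registry key variants are assumed to match it.
SUCCESS_RE = re.compile(r'^(File|Driver|Registry key) "(.+)" deleted successfully\.$')
FAILED_RE = re.compile(r'^Deletion of (file|driver|registry key) "(.+)" failed!$')
STATUS_RE = re.compile(r'^Status: (0x[0-9a-fA-F]+) \((\w+)\)$')

@dataclass
class Action:
    kind: str                     # "file", "driver" or "registry key"
    target: str                   # path, service name or registry key
    ok: bool
    status: Optional[str] = None  # NTSTATUS name on failure, e.g. STATUS_ACCESS_DENIED
    code: Optional[str] = None    # NTSTATUS value on failure, e.g. 0xc0000022

def parse_avenger_log(text: str) -> List[Action]:
    """One Action per script item; a failure line is followed by its Status line."""
    actions: List[Action] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SUCCESS_RE.match(line)
        if m:
            actions.append(Action(m.group(1).lower(), m.group(2), True))
            continue
        m = FAILED_RE.match(line)
        if m:
            actions.append(Action(m.group(1), m.group(2), False))
            continue
        m = STATUS_RE.match(line)
        if m and actions and not actions[-1].ok and actions[-1].status is None:
            actions[-1].code, actions[-1].status = m.group(1), m.group(2)
    return actions

def still_present(actions: List[Action]) -> List[str]:
    """Targets that exist but could not be removed (ACCESS_DENIED).
    NOT_FOUND failures are benign: the object was already gone."""
    return [a.target for a in actions if not a.ok and a.status == "STATUS_ACCESS_DENIED"]

# Constructed sample: an excerpt of the log posted in this thread.
SAMPLE_LOG = r"""
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\voimxisa" not found!
Deletion of driver "voimxisa" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\Windows\System32\qxjmowrc.dll" deleted successfully.

Error: could not open file "C:\Windows\System32\wwfcluok.dll"
Deletion of file "C:\Windows\System32\wwfcluok.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)

Deletion of registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\voimxisa" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)
"""

if __name__ == "__main__":
    acts = parse_avenger_log(SAMPLE_LOG)
    for a in acts:
        print("OK  " if a.ok else f"FAIL {a.status}", a.kind, a.target)
    print("still present:", still_present(acts))
```

An ACCESS_DENIED on a plain DLL in System32 after a reboot-time deletion attempt is the signal that the helper's next step has to address whatever is holding the file open, while the NOT_FOUND entries can be dropped from the next script.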