
Status: Not open for further replies. (1 - 15 of 15 Posts)

paulgold (Registered, 9 Posts), Discussion Starter #1
Eset NOD32 is giving a red alert of an infection in C:\Windows\System32\Drivers\atapi.sys as Trojan: Win32/Olmarik.py However it will not delete it.

Interestingly, Eset's online scanner does not find it. Neither does PC Tools ThreatFire nor does Combofix. Yet with each of these applications being run, the Eset red alert appears.

Attached are the required files you ask for.

Yes, I have access to Install Disk.

Happy Thanksgiving to you all!



DDS (Ver_09-11-24.02) - NTFSx86
Run by Paul Goldman at 7:02:50.45 on Tue 11/24/2009
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_15
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3071.1781 [GMT -5:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Windows\system32\AEADISRV.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Systweak\Advanced Vista Optimizer 2009\AVODefragService32.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Live\Family Safety\fsssvc.exe
C:\Program Files\Common Files\BinarySense\disksvc.exe
C:\Program Files\NeoSmart Technologies\iReboot\iRebootd.exe
C:\Windows\Explorer.EXE
C:\Program Files\ASUS\AASP\1.00.40\aaCenter.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Program Files\Personal Mail Server Pro\SMTPListener.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Microsoft Office\Office14\OfficeSAS\officeSASscheduler.exe
C:\Program Files\Microsoft Office\Office14\OfficeSAS\OfficeSAS.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\PROGRA~1\COMMON~1\LogiShrd\LComMgr\COMMUN~1.EXE
C:\PROGRA~1\COMMON~1\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\aol\1233363163\ee\aolsoftware.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Users\Paul Goldman\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Pando Search Assistant BHO: {06663b51-0d73-4f9f-bcc5-4aa941470afd} - c:\program files\pandobar\srchastt\1.bin\P4SRCHAS.DLL
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: flashget2 urlcatch: {1f364306-aa45-47b5-9f9d-39a8b94e7ef1} - FG2CatchUrl
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Windows Live Family Safety Browser Helper Class: {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - c:\program files\windows live\family safety\fssbho.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\mif5ba~1\office14\URLREDIR.DLL
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Free Download Manager] "c:\program files\free download manager\fdm.exe" -autorun
uRun: [cdloader] "c:\users\paul goldman\appdata\roaming\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [j2 4.4] "c:\program files\j2 messenger 4.4\J2GDllCmd.exe" /R
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRunOnce: [RealUpgradeHelper] "c:\program files\common files\real\update_ob\upgrdhlp.exe" "RealNetworks|RealPlayer|12.0"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\8.0"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [UVS12 Preload] c:\program files\corel\corel videostudio 12\uvPL.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office14\officesas\officeSASscheduler.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Download All by FlashGet - c:\program files\flashget network\flashget universal\comdlls\Bhoall.htm
IE: &Download by FlashGet - c:\program files\flashget network\flashget universal\comdlls\Bholink.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office14\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Se&nd to OneNote - /105
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {7A0815F1-6B65-4e3a-B198-709807B4042A} - {1EC035CE-090E-4AF7-B6DF-AD11C2F0F9C9} - c:\program files\xstreamradio 3.02\RadioHelper.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mif5ba~1\office12\REFIEBAR.DLL
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/VistaMSNPUplden-us.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\paulgo~1\appdata\roaming\mozilla\firefox\profiles\usg9mr5d.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - component: c:\program files\free download manager\firefox\extension\components\vmsfdmff.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\progra~1\mif5ba~1\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\mif5ba~1\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPPandBr.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-11-24 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-11-24 59664]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-11-3 172032]
R2 AVO2009 Defrag;AVO2009 Defrag;c:\program files\systweak\advanced vista optimizer 2009\AVODefragService32.exe [2009-3-12 398056]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-5-14 731840]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2009-5-14 93312]
R2 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2009-2-5 55264]
R2 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
R2 HDD & SSD access service;HDD & SSD access service;c:\program files\common files\binarysense\disksvc.exe [2009-8-13 205976]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 iReboot;iReboot Background Service;c:\program files\neosmart technologies\ireboot\iRebootd.exe [2008-4-27 9216]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-4-13 269648]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\common files\safenet sentinel\sentinel keys server\sntlkeyssrvr.exe [2007-4-27 316992]
R2 SMTPMainService;SMTP Server Service;c:\program files\personal mail server pro\SMTPListener.exe [2007-2-4 776704]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 AtiHdmiService;ATI Function Driver for High Definition Audio Service;c:\windows\system32\drivers\AtiHdmi.sys [2009-11-3 103952]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-4-13 19160]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-11-24 33552]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-9-28 315392]
S2 gupdate1ca3a5c11504a03;Google Update Service (gupdate1ca3a5c11504a03);c:\program files\google\update\GoogleUpdate.exe [2009-9-20 133104]
S2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-8-1 604488]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2009-9-26 4639136]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra professional business 2009\RpcAgentSrv.exe [2009-2-8 98488]
S3 SureThing Labelflash service;SureThing Labelflash service;c:\program files\common files\surething shared\stllssvr.exe [2009-8-3 74392]
S3 XIRLINK;IBM PC Camera;c:\windows\system32\drivers\C-itnt.sys [2009-5-28 899884]

=============== Created Last 30 ================

2100-02-23 12:35:34 768 ----a-w- c:\program files\x73_lut.dat
2100-02-08 14:03:54 53248 ----a-w- c:\program files\ACMonitor_X73.exe
2009-11-24 11:20:47 59664 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2009-11-24 11:20:47 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2009-11-24 11:20:47 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2009-11-24 11:20:45 0 d-----w- c:\programdata\PC Tools
2009-11-24 11:20:45 0 d-----w- c:\program files\ThreatFire
2009-11-24 11:14:12 0 d-----w- c:\program files\Sun
2009-11-24 11:10:10 0 d-----w- c:\users\paul goldman\.SunDownloadManager
2009-11-23 23:25:29 77312 ----a-w- c:\windows\MBR.exe
2009-11-21 22:45:51 0 d-----w- c:\program files\Microsoft Synchronization Services
2009-11-21 22:45:10 0 d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-11-21 22:41:15 0 d-----w- c:\program files\Microsoft Analysis Services
2009-11-21 22:03:10 9216 --sh--r- C:\XELDZ.1st
2009-11-21 22:03:10 438840 --sh--r- C:\bootxez
2009-11-21 22:03:10 206168 --sh--r- C:\XELDZ
2009-11-21 14:14:24 0 d-----w- c:\users\paulgo~1\appdata\roaming\AVS4YOU
2009-11-21 14:14:23 0 d-----w- c:\programdata\AVS4YOU
2009-11-21 14:12:49 0 d-----w- c:\program files\common files\AVSMedia
2009-11-21 14:12:45 974848 ----a-w- c:\windows\system32\mfc70.dll
2009-11-21 14:12:45 24576 ----a-w- c:\windows\system32\msxml3a.dll
2009-11-21 14:12:45 0 d-----w- c:\program files\AVS4YOU
2009-11-21 14:08:46 0 d-----w- c:\program files\Movie Maker 2.6
2009-11-21 13:55:59 0 d-----w- c:\programdata\ArcSoft
2009-11-21 13:55:44 18688 ----a-w- c:\windows\system32\drivers\afc.sys
2009-11-21 13:55:43 245408 ----a-w- c:\windows\system32\unicows.dll
2009-11-20 22:33:04 7420 ----a-w- c:\windows\UA000106.DLL
2009-11-20 22:32:28 0 d-----w- c:\programdata\InterVideo
2009-11-20 22:32:27 209040 ----a-w- c:\windows\system32\IVIresizeW7.dll
2009-11-20 22:32:27 192656 ----a-w- c:\windows\system32\IVIresizePX.dll
2009-11-20 22:32:26 24720 ----a-w- c:\windows\system32\IVIresize.dll
2009-11-20 22:32:26 204944 ----a-w- c:\windows\system32\IVIresizeA6.dll
2009-11-20 22:32:26 196752 ----a-w- c:\windows\system32\IVIresizeP6.dll
2009-11-20 22:32:26 196752 ----a-w- c:\windows\system32\IVIresizeM6.dll
2009-11-20 22:32:15 0 d-----w- c:\program files\Windows Media Components
2009-11-20 22:31:19 0 d-----w- c:\programdata\Ulead Systems
2009-11-20 22:31:19 0 d-----w- c:\program files\Corel
2009-11-20 22:18:51 0 d-----w- c:\programdata\BlazeVideo
2009-11-20 22:18:51 0 d-----w- c:\program files\Blaze Video Magic
2009-11-20 21:51:31 0 d-----w- c:\programdata\CyberLink
2009-11-20 21:28:43 0 d-----w- c:\program files\Aimersoft
2009-11-11 04:08:24 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2009-11-11 04:08:24 69632 ----a-w- c:\windows\system32\QuickTime.qts
2009-11-10 21:47:28 0 d-----w- C:\Windows 7 manuals
2009-11-10 15:38:06 0 d-----w- c:\windows\system32\custom matrices
2009-11-10 15:37:59 0 d-----w- c:\windows\system32\C2MP
2009-11-10 15:18:04 0 d-----w- c:\program files\Yamicsoft
2009-11-10 15:16:09 20 ----a-w- c:\windows\„øs
2009-11-10 15:11:25 20 ----a-w- c:\windows\,÷ƒ
2009-11-10 15:10:40 20 ----a-w- c:\windows\œóŽ
2009-11-03 12:54:55 0 d-----w- c:\program files\common files\ATI Technologies
2009-11-03 12:46:28 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-11-03 12:46:27 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-11-03 12:46:26 1503232 ------w- c:\windows\system32\adi_oal.dll
2009-11-03 12:45:36 0 d-----w- c:\programdata\SonicFocus
2009-11-03 12:33:54 6504 ----a-w- c:\windows\system32\drivers\ASACPI.sys
2009-11-03 12:28:16 81408 ----a-w- c:\windows\system32\devcon_x64.exe
2009-11-03 12:28:16 55808 ----a-w- c:\windows\system32\devcon.exe
2009-11-03 12:28:15 0 d-----w- c:\program files\Driver Checker

==================== Find3M ====================

2009-11-14 06:47:57 260608 ----a-w- c:\windows\PEV.exe
2009-11-03 12:33:54 12400 ----a-w- c:\windows\system32\drivers\AsIO.sys
2009-11-03 01:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-22 19:15:56 143872 ----a-w- c:\windows\system32\libmpeg2_ff.dll
2009-10-22 19:01:22 4835652 ----a-w- c:\windows\system32\libavcodec.dll
2009-10-22 14:05:41 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2009-10-17 19:26:49 1325582 ----a-w- c:\windows\XSitePro2 Uninstaller.exe
2009-10-17 15:38:18 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-10-17 15:38:18 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-10-16 23:58:06 183296 ----a-w- c:\windows\system32\ff_samplerate.dll
2009-10-16 23:57:06 146944 ----a-w- c:\windows\system32\ff_tremor.dll
2009-10-16 23:04:24 178688 ----a-w- c:\windows\system32\ff_libmad.dll
2009-10-16 23:04:08 113152 ----a-w- c:\windows\system32\ff_unrar.dll
2009-10-16 23:03:48 257024 ----a-w- c:\windows\system32\ff_libdts.dll
2009-10-16 23:03:44 142848 ----a-w- c:\windows\system32\ff_liba52.dll
2009-10-16 23:03:40 484864 ----a-w- c:\windows\system32\ff_libfaad2.dll
2009-10-16 22:10:10 281748 ----a-w- c:\windows\system32\ff_kernelDeint.dll
2009-10-16 20:53:32 100864 ----a-w- c:\windows\system32\ff_wmv9.dll
2009-10-16 20:53:20 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-10-16 19:40:42 957047 ----a-w- c:\windows\system32\ff_x264.dll
2009-10-16 19:38:20 914464 ----a-w- c:\windows\system32\xvidcore.dll
2009-10-16 19:35:50 311204 ----a-w- c:\windows\system32\TomsMoComp_ff.dll
2009-10-16 19:08:54 611638 ----a-w- c:\windows\system32\libmplayer.dll
2009-10-16 19:04:28 1632375 ----a-w- c:\windows\system32\ffmpegmt.dll
2009-10-02 04:06:59 728648 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-09-28 14:22:00 364544 ----a-w- c:\windows\system32\yk62x86.dll
2009-09-28 14:22:00 315392 ----a-w- c:\windows\system32\drivers\yk62x86.sys
2009-09-27 22:02:04 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2009-09-26 08:32:10 1205080 ----a-w- c:\windows\system32\FM20.DLL
2009-09-26 08:32:08 31600 ----a-w- c:\windows\system32\FM20ENU.DLL
2009-09-21 00:49:55 21316 ----a-w- c:\windows\system32\emptyregdb.dat
2009-09-10 05:52:05 257024 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:44:40 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-04 21:44:40 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-09-04 21:44:40 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-09-04 21:29:34 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-09-04 21:29:34 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-09-04 21:29:32 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-04 21:29:32 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-04 21:29:30 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-09-03 07:04:15 1320960 ----a-w- c:\windows\system32\CertEnroll.dll
2009-08-29 06:57:31 34816 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 06:54:52 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2001-07-26 14:58:46 47 ----a-w- c:\program files\ACMonitor_X73.ini
2001-07-05 10:46:44 8116 ----a-w- c:\program files\OSLO3071b2.USB
2001-05-08 14:36:42 114688 ----a-w- c:\program files\lxarscan.dll
2001-04-23 12:22:14 1437 ----a-w- c:\program files\gtx73.ini
2009-02-04 12:51:38 61 --sh--w- c:\windows\cnerolf.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 7:05:07.24 ===============
 


TSF Security Manager, Emeritus (42,837 Posts)
Hello paulgold,

Who advised you to run ComboFix? Are or were you receiving help at another forum?

The log it produced at C:\ComboFix.txt is important for us to see. Kindly post it.
 

paulgold (Registered, 9 Posts), Discussion Starter #4
No, I'm not in another forum, nor getting advice from another technician. I attempted to run ComboFix after reading about it from a Google search. I downloaded it and attempted to run it. However, it did not run but just "froze".
 

TSF Security Manager, Emeritus (42,837 Posts)
That would be because ComboFix does not officially support Windows 7 yet. You should be careful before attempting to run specialty tools. ;)

What you have is the latest rootkitted hard disk controller hijack and this can be difficult/tricky to take care of. Have you tried System Restore yet?
 

paulgold (Registered, 9 Posts), Discussion Starter #6
So that this all makes sense, I'm responding from an XP installation on a separate HDD on the same rig as the Win7 installation. Win7 is on C:; this XP is on D:.
I booted up to C: and I attempted to go to System Restore however I got a BSOD:
STOP: 0X0000007E (0X0000003, 0864EDC136, 0X8X39B624, 08D39B200)
The Win7 application is now as slow as molasses. Hope this helps with your diagnosis?
 

TSF Security Manager, Emeritus (42,837 Posts)
I know what is wrong, I'm just trying to eliminate the 'easy' fixes first. :wink:

Press the Windows Logo key and the letter R to bring up the Run box. Copy/paste the following text inside the quote box into the Run box and click OK:

cmd /c PEV --custom# #s #f #5 #c #m #d #n# %systemdrive%\atapi.sys >Log.txt&Log.txt&del Log.txt
When it completes, please post the log it produced.
 

paulgold (Registered, 9 Posts), Discussion Starter #8
Thank you. Here's the log it produced.

21,584 C:\Windows\System32\drivers\atapi.sys 8BBBB2B9EC1C9353ACA397F953007015 2009-07-13 23:11:15 2009-07-14 01:26:15 ------

21,584 C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys 338C86357871C167A96AB976519BF59E 2009-07-13 23:11:15 2009-07-14 01:26:15 Microsoft Corporation

21,584 C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys 338C86357871C167A96AB976519BF59E 2009-07-13 23:11:15 2009-07-14 01:26:15 Microsoft Corporation

96,512 C:\WINDOWS.0\system32\dllcache\atapi.sys 9F3A2F5AA6875C72BF062C712CFA2674 2008-04-14 12:00:00 2008-04-13 20:10:32 Microsoft Corporation

96,512 C:\WINDOWS.0\system32\drivers\atapi.sys 9F3A2F5AA6875C72BF062C712CFA2674 2008-04-14 12:00:00 2008-04-13 20:10:32 Microsoft Corporation

96,512 C:\WINDOWS.0\system32\drivers\system32\DRIVERS\atapi.sys 9F3A2F5AA6875C72BF062C712CFA2674 2009-09-07 16:52:13 2008-04-14 12:00:00 Microsoft Corporation

96,512 C:\WINDOWS.0\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys 9F3A2F5AA6875C72BF062C712CFA2674 2009-09-07 16:51:54 2008-04-14 12:00:00 Microsoft Corporation

96,512 C:\WINDOWS.0\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys 9F3A2F5AA6875C72BF062C712CFA2674 2009-09-07 16:52:01 2008-04-13 20:10:32 Microsoft Corporation

Has that now removed the trojan?

And again, thank you for your help with this!

Paul
 
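The PEV listing above can be checked mechanically rather than by eye. The script below is an added example (not part of this thread, of PEV, or of any TSF tool) that parses the log format as posted, using a constructed copy of the posted lines as its sample input. It takes the DriverStore, WinSxS and dllcache copies under the same Windows root as the reference set, flags the live driver when its MD5 matches none of them, and records separately that the size and both timestamps are identical to the clean copies and that the live copy carries no company name, which is what an in-place patch of a signed driver looks like. Copies under a different installation (here C:\WINDOWS.0) are listed but never offered as replacements. The function names and report fields are my own.

```python
import re
from typing import Dict, List

# Constructed sample in the PEV --custom output format seen in the thread
# (copied from the posted log). Columns: size, path, MD5, two timestamps,
# company name from the version resource ("------" when absent).
SAMPLE_PEV_LOG = r"""
21,584 C:\Windows\System32\drivers\atapi.sys 8BBBB2B9EC1C9353ACA397F953007015 2009-07-13 23:11:15 2009-07-14 01:26:15 ------
21,584 C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys 338C86357871C167A96AB976519BF59E 2009-07-13 23:11:15 2009-07-14 01:26:15 Microsoft Corporation
21,584 C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys 338C86357871C167A96AB976519BF59E 2009-07-13 23:11:15 2009-07-14 01:26:15 Microsoft Corporation
96,512 C:\WINDOWS.0\system32\dllcache\atapi.sys 9F3A2F5AA6875C72BF062C712CFA2674 2008-04-14 12:00:00 2008-04-13 20:10:32 Microsoft Corporation
96,512 C:\WINDOWS.0\system32\drivers\atapi.sys 9F3A2F5AA6875C72BF062C712CFA2674 2008-04-14 12:00:00 2008-04-13 20:10:32 Microsoft Corporation
"""

# One PEV record per line. The path is matched lazily up to the 32-hex MD5 so
# that paths containing spaces ("Program Files") still parse.
LINE_RE = re.compile(
    r"^(?P<size>[\d,]+)\s+(?P<path>.+?)\s+(?P<md5>[0-9A-Fa-f]{32})\s+"
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*(?P<company>.*)$"
)

# Locations that hold installer-placed copies of a boot-critical driver.
REFERENCE_DIRS = ("\\driverstore\\filerepository\\", "\\winsxs\\", "\\dllcache\\")


def parse_pev_log(text: str) -> List[Dict]:
    """Parse PEV output into records; blank or unrecognised lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["size"] = int(rec["size"].replace(",", ""))
        rec["md5"] = rec["md5"].upper()
        # PEV prints dashes when the file has no company name: treat as empty.
        company = rec["company"].strip()
        rec["company"] = "" if set(company) <= {"-"} else company
        rec["path_lower"] = rec["path"].lower()
        records.append(rec)
    return records


def assess_driver(records: List[Dict], windows_root: str, driver: str) -> Dict:
    """Compare the live copy of `driver` under `windows_root` with the reference
    copies belonging to the same installation.

    The live driver is 'tampered' when its MD5 matches none of the reference
    copies. Size and timestamps are compared separately, because an in-place
    patch (as in the thread) leaves them identical to the clean file. Copies
    under other Windows installations are reported but never offered as
    replacements: they may be a different Windows version and the wrong size.
    """
    root = windows_root.lower().rstrip("\\") + "\\"
    name = "\\" + driver.lower()
    same_install = [r for r in records
                    if r["path_lower"].startswith(root) and r["path_lower"].endswith(name)]
    other_installs = [r["path"] for r in records
                      if not r["path_lower"].startswith(root) and r["path_lower"].endswith(name)]
    live = [r for r in same_install
            if r["path_lower"] == root + "system32\\drivers" + name]
    refs = [r for r in same_install
            if any(d in r["path_lower"] for d in REFERENCE_DIRS)]
    if not live:
        return {"status": "live copy not listed", "replacement_candidates": [],
                "other_installations": other_installs}
    live_rec = live[0]
    ref_hashes = {r["md5"] for r in refs}
    if not ref_hashes:
        status = "no reference copies"
    elif live_rec["md5"] in ref_hashes:
        status = "clean"
    else:
        status = "tampered"
    return {
        "status": status,
        "live_md5": live_rec["md5"],
        "reference_md5s": sorted(ref_hashes),
        # True when the file was patched without changing size or timestamps.
        "size_and_timestamps_match_reference": any(
            r["size"] == live_rec["size"] and r["created"] == live_rec["created"]
            and r["modified"] == live_rec["modified"] for r in refs),
        "missing_company_name": live_rec["company"] == "",
        # Only same-installation reference copies of identical size are usable.
        "replacement_candidates": [r["path"] for r in refs if r["size"] == live_rec["size"]],
        "other_installations": other_installs,
    }


if __name__ == "__main__":
    recs = parse_pev_log(SAMPLE_PEV_LOG)
    for root in (r"C:\Windows", r"C:\WINDOWS.0"):
        print(root, assess_driver(recs, root, "atapi.sys")["status"])
```

Hashes taken from a booted, infected system are a first look only: a kernel-mode rootkit can in principle filter what user-mode readers see, so a matching hash is not proof of a clean file, whereas a mismatch, as in this log, is decisive. The reference copies are only useful when they belong to the same Windows build as the live driver, which is why the script refuses to offer a copy of a different size.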

TSF Security Manager, Emeritus (42,837 Posts)
No, all that did was tell me where I might find other copies of the file if needed. Do not use any copies from the folder C:\WINDOWS.0; they are from a different version of Windows and are not the correct size.

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to the desktop of a nearby computer for reference as you will not have any browsers open while you are carrying out portions of these instructions.

=================================


We are going to have to use the Recovery Environment to replace the file. The Recovery Environment does not allow for copy/paste, so to make it easier on you and minimize the chance of typos on your part, press the Windows logo key and the letter E on your keyboard to open Windows Explorer. Navigate to the following file:

C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys
Copy atapi.sys directly to the C:\ drive. Double check to ensure you do see a C:\atapi.sys.


==============================


Now we need to get into the Recovery Environment.

  • Tap F8 as if you were going to load Safe Mode, but select 'Repair your computer'
  • At the next screen, select Command prompt
  • You should now be at the X:\Sources> prompt.
At that prompt, type in the following bolded text:

copy C:\atapi.sys c:\windows\system32\drivers\atapi.sys

(there is a space after the word copy and another space after c:\atapi.sys)


Press Enter and type Y when prompted to overwrite the file.

You should see a message '1 file copied'. If you do not see this message, do not continue; come back here for further guidance.

Type Exit and Windows will load.

==============================

Open Notepad and copy/paste the contents inside the quote box below, into Notepad.

@REM run MBR.exe (Gmer's MBR tool, already in C:\Windows) and write its report to Logit.txt
@MBR -a -t >Logit.txt
@REM open the report so it can be copied into a reply
@START Logit.txt
@REM remove this batch file once it has run
@DEL %0
Save this as look.bat. Choose "Save type as - All Files". Save it to the C:\Windows folder.

Right click on C:\Windows\look.bat & run as administrator. Please post the log it produces.
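The reasoning behind the reply above (the in-use driver has a different MD5 from the DriverStore and WinSxS copies and carries no vendor name, while the C:\WINDOWS.0 copies are the wrong size for this build) can be made mechanical. The following is an added example, not code from the thread or from the tool that produced the listing; it assumes the column layout seen in the posted lines (size, path, MD5, two timestamps, company name with "------" meaning none), and the sample input is the listing from the post above embedded as a constructed string.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the atapi.sys listing posted earlier in this thread.
# Columns (assumed from the posted lines): size, path, MD5, two timestamps,
# company name ("------" = no vendor recorded).
SAMPLE_LISTING = r"""
21,584 C:\Windows\System32\drivers\atapi.sys 8BBBB2B9EC1C9353ACA397F953007015 2009-07-13 23:11:15 2009-07-14 01:26:15 ------
21,584 C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys 338C86357871C167A96AB976519BF59E 2009-07-13 23:11:15 2009-07-14 01:26:15 Microsoft Corporation
21,584 C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys 338C86357871C167A96AB976519BF59E 2009-07-13 23:11:15 2009-07-14 01:26:15 Microsoft Corporation
96,512 C:\WINDOWS.0\system32\dllcache\atapi.sys 9F3A2F5AA6875C72BF062C712CFA2674 2008-04-14 12:00:00 2008-04-13 20:10:32 Microsoft Corporation
96,512 C:\WINDOWS.0\system32\drivers\atapi.sys 9F3A2F5AA6875C72BF062C712CFA2674 2008-04-14 12:00:00 2008-04-13 20:10:32 Microsoft Corporation
96,512 C:\WINDOWS.0\system32\drivers\system32\DRIVERS\atapi.sys 9F3A2F5AA6875C72BF062C712CFA2674 2009-09-07 16:52:13 2008-04-14 12:00:00 Microsoft Corporation
96,512 C:\WINDOWS.0\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys 9F3A2F5AA6875C72BF062C712CFA2674 2009-09-07 16:51:54 2008-04-14 12:00:00 Microsoft Corporation
96,512 C:\WINDOWS.0\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys 9F3A2F5AA6875C72BF062C712CFA2674 2009-09-07 16:52:01 2008-04-13 20:10:32 Microsoft Corporation
"""

# The 32-hex-digit MD5 anchors the path, so paths containing spaces still parse.
LINE_RE = re.compile(
    r"^(?P<size>[\d,]+)\s+(?P<path>.+?)\s+(?P<md5>[0-9A-Fa-f]{32})"
    r"\s+\S+ \S+\s+\S+ \S+\s+(?P<company>.*)$"
)


@dataclass
class DriverCopy:
    size: int
    path: str
    md5: str
    company: str


def parse_listing(text):
    """Turn the listing into DriverCopy records; lines that don't fit the layout are skipped."""
    copies = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            copies.append(DriverCopy(
                size=int(m["size"].replace(",", "")),
                path=m["path"],
                md5=m["md5"].upper(),
                company=m["company"].strip(),
            ))
    return copies


def assess(copies, active_path):
    """Compare the in-use driver with every other copy found on disk."""
    active = next(c for c in copies if c.path.lower() == active_path.lower())
    # A usable donor must be the same size as the in-use file (i.e. from the
    # same Windows build) and must carry a vendor name.  Copies of a different
    # size belong to another Windows version and are rejected outright.
    donors = [c for c in copies
              if c is not active and c.size == active.size and c.company != "------"]
    rejected = [c.path for c in copies if c.size != active.size]
    # The hash shared by the most donors is taken as the reference value.
    consensus = Counter(c.md5 for c in donors).most_common(1)[0][0] if donors else None
    return {
        "active_md5": active.md5,
        "active_has_vendor": active.company != "------",
        "reference_md5": consensus,
        "active_differs": consensus is not None and active.md5 != consensus,
        "donors": [c.path for c in donors if c.md5 == consensus],
        "rejected_wrong_size": rejected,
    }


if __name__ == "__main__":
    result = assess(parse_listing(SAMPLE_LISTING), r"C:\Windows\System32\drivers\atapi.sys")
    for key, value in result.items():
        print(f"{key}: {value}")
```

Agreement between the DriverStore and WinSxS hashes is a consistency check, not proof of authenticity: before copying a donor over the in-use driver on a live system, a practitioner would also confirm the donor's Authenticode signature.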
 

Discussion Starter #10
Here's the requested logit.txt

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x864ED50C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
DeleteProcedure -> 0x8be09b08
QueryNameProcedure -> 0x8580b810
user & kernel MBR OK

Many system functions now run much better. HOWEVER,

1. The desktop theme has been removed and won't change.
2. Access to internet through IE, FF, Chrome, AOL is NOT possible.
3. Many functions go to "Not Responding" when opened.

I'm wondering if this means that the trojan has permanently degraded the installation and if so, how I can restore it? BTW, System Restore has no previous entries showing.

Again, Thank You for your help.
Paul
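As an added example (not code from the thread or from Gmer's tool), here is a small parser for the Logit.txt output posted above, turning the free-text report into structured findings that can be compared across runs: the modules in the disk I/O path, any `>>UNKNOWN [...]<<` entry, the hook lines under "detected MBR rootkit hooks:", and whether the MBR itself read as OK. It assumes only the line labels as they appear in the posted output; the sample input is that output, embedded as a constructed string.

```python
import re

# Constructed sample: the Logit.txt output posted in the thread above.
SAMPLE_MBR_LOG = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x864ED50C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
DeleteProcedure -> 0x8be09b08
QueryNameProcedure -> 0x8580b810
user & kernel MBR OK
"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
# A hook line is "<name chain> -> 0x<addr>"; the chain may itself contain "->".
HOOK_RE = re.compile(r"^(?P<chain>.+?)\s*->\s*(?P<addr>0x[0-9A-Fa-f]+)\s*$")


def parse_mbr_log(text):
    """Extract the structured facts from one detector run."""
    report = {
        "device_opened": False,
        "modules": [],
        "unknown_modules": [],
        "hooks": {},
        "mbr_ok": False,
    }
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("called modules:"):
            body = line[len("called modules:"):]
            report["unknown_modules"] = UNKNOWN_RE.findall(body)
            report["modules"] = UNKNOWN_RE.sub("", body).split()
            continue
        if line == "detected MBR rootkit hooks:":
            in_hooks = True
            continue
        if in_hooks:
            m = HOOK_RE.match(line)
            if m:
                report["hooks"][m["chain"]] = int(m["addr"], 16)
                continue
            in_hooks = False  # first non-hook line ends the hook block
        if line == "device: opened successfully":
            report["device_opened"] = True
        if line.endswith("MBR OK"):
            report["mbr_ok"] = True
    return report


def findings(report):
    """Items a reviewer of the log would want to follow up on."""
    out = []
    for addr in report["unknown_modules"]:
        out.append(f"unidentified module in the disk I/O path at {addr}")
    for chain, addr in report["hooks"].items():
        out.append(f"hooked {chain} -> {addr:#010x}")
    if not report["mbr_ok"]:
        out.append("MBR did not read as OK")
    return out


if __name__ == "__main__":
    for item in findings(parse_mbr_log(SAMPLE_MBR_LOG)):
        print(item)
```

Keeping reports in this form makes the before/after comparison the helper asks for straightforward: the same parser run on a later Logit.txt shows at a glance whether the unknown module and the hook entries are still present.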
 

TSF Security Manager, Emeritus
That procedure should not have affected all those areas. You may need to reinstall the OS. Please run a new scan with dds.scr and post the dds.txt.
 

Discussion Starter #12
No, I wasn't suggesting or asking if the procedure caused the symptoms; I was asking if the TROJAN could have caused it.

Again, thanks so much for your help.

Herewith the requested DDS files:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Paul Goldman at 6:45:33.92 on Sat 12/05/2009
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_15
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3071.1800 [GMT -5:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Windows\system32\AEADISRV.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Systweak\Advanced Vista Optimizer 2009\AVODefragService32.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Live\Family Safety\fsssvc.exe
C:\Program Files\Common Files\BinarySense\disksvc.exe
C:\Program Files\NeoSmart Technologies\iReboot\iRebootd.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\ASUS\AASP\1.00.40\aaCenter.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Program Files\Personal Mail Server Pro\SMTPListener.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Users\Paul Goldman\Desktop\dds.scr
C:\Windows\system32\conhost.exe
c:\program files\real\realplayer\RealPlay.exe
c:\program files\real\realplayer\RealPlay.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\msfeedssync.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet

============== Pseudo HJT Report ===============

uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: flashget2 urlcatch: {1f364306-aa45-47b5-9f9d-39a8b94e7ef1} - FG2CatchUrl
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Windows Live Family Safety Browser Helper Class: {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - c:\program files\windows live\family safety\fssbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\mif5ba~1\office14\URLREDIR.DLL
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Free Download Manager] "c:\program files\free download manager\fdm.exe" -autorun
uRun: [cdloader] "c:\users\paul goldman\appdata\roaming\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Download All by FlashGet - c:\program files\flashget network\flashget universal\comdlls\Bhoall.htm
IE: &Download by FlashGet - c:\program files\flashget network\flashget universal\comdlls\Bholink.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office14\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Se&nd to OneNote - /105
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {7A0815F1-6B65-4e3a-B198-709807B4042A} - {1EC035CE-090E-4AF7-B6DF-AD11C2F0F9C9} - c:\program files\xstreamradio 3.02\RadioHelper.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mif5ba~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/VistaMSNPUplden-us.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\paulgo~1\appdata\roaming\mozilla\firefox\profiles\usg9mr5d.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - component: c:\program files\free download manager\firefox\extension\components\vmsfdmff.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\users\paul goldman\appdata\roaming\mozilla\firefox\profiles\usg9mr5d.default\extensions\{5e34052d-4d61-4be4-9b6e-93836198886c}\components\FFExternalAlert.dll
FF - plugin: c:\progra~1\mif5ba~1\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\mif5ba~1\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\microsoft\web platform installer\NPWPIDetector.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPPandBr.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-11-27 207792]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-11-24 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-11-24 59664]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2009-5-14 93312]
R2 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2009-2-5 55264]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-4-13 19160]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-11-24 33552]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

=============== Created Last 30 ================

2100-02-23 12:35:34 768 ----a-w- c:\program files\x73_lut.dat
2100-02-08 14:03:54 53248 ----a-w- c:\program files\ACMonitor_X73.exe
2009-12-04 11:53:39 21584 ----a-w- C:\atapi.sys
2009-11-29 21:42:44 1 ----a-w- C:\s
2009-11-29 21:27:27 0 d-----w- C:\msdownld.tmp
2009-11-28 14:30:40 0 d-----w- C:\Archivos de programa
2009-11-27 18:39:55 882 ----a-w- c:\windows\RegSDImport.xml
2009-11-27 18:39:55 767952 ----a-w- c:\windows\BDTSupport.dll
2009-11-27 18:39:54 880 ----a-w- c:\windows\RegISSImport.xml
2009-11-27 18:39:54 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-11-27 18:39:54 1640400 ----a-w- c:\windows\PCTBDCore.dll
2009-11-27 18:39:54 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-11-27 18:39:54 131 ----a-w- c:\windows\IDB.zip
2009-11-27 18:39:54 1152444 ----a-w- c:\windows\UDB.zip
2009-11-27 18:39:07 98600 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2009-11-27 18:39:07 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-11-27 18:39:07 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-11-27 18:38:50 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-11-27 18:38:50 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-11-27 18:38:50 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-11-27 18:38:50 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-11-27 18:38:43 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2009-11-27 18:38:43 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-11-27 18:38:32 0 d-----w- c:\users\paulgo~1\appdata\roaming\PC Tools
2009-11-27 18:38:32 0 d-----w- c:\program files\Spyware Doctor
2009-11-27 18:38:32 0 d-----w- c:\program files\common files\PC Tools
2009-11-27 16:08:31 0 d-----w- c:\users\paulgo~1\appdata\roaming\Affilorama
2009-11-27 16:08:29 0 d-----w- c:\program files\Traffic Travis v3
2009-11-25 18:07:59 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-25 18:07:51 0 d-----w- c:\program files\MSXML 4.0
2009-11-24 19:35:21 61 --sh--w- c:\windows\cnerolf.bin
2009-11-24 13:18:32 0 d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-24 13:18:32 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-24 11:20:47 59664 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2009-11-24 11:20:47 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2009-11-24 11:20:47 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2009-11-24 11:20:45 0 d-----w- c:\programdata\PC Tools
2009-11-24 11:20:45 0 d-----w- c:\program files\ThreatFire
2009-11-24 11:14:12 0 d-----w- c:\program files\Sun
2009-11-24 11:10:10 0 d-----w- c:\users\paul goldman\.SunDownloadManager
2009-11-23 23:25:29 77312 ----a-w- c:\windows\MBR.exe
2009-11-21 22:45:51 0 d-----w- c:\program files\Microsoft Synchronization Services
2009-11-21 22:45:10 0 d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-11-21 22:41:15 0 d-----w- c:\program files\Microsoft Analysis Services
2009-11-21 22:03:10 9216 --sh--r- C:\XELDZ.1st
2009-11-21 22:03:10 438840 --sh--r- C:\bootxez
2009-11-21 22:03:10 206168 --sh--r- C:\XELDZ
2009-11-21 14:14:24 0 d-----w- c:\users\paulgo~1\appdata\roaming\AVS4YOU
2009-11-21 14:14:23 0 d-----w- c:\programdata\AVS4YOU
2009-11-21 14:12:49 0 d-----w- c:\program files\common files\AVSMedia
2009-11-21 14:12:45 974848 ----a-w- c:\windows\system32\mfc70.dll
2009-11-21 14:12:45 24576 ----a-w- c:\windows\system32\msxml3a.dll
2009-11-21 14:12:45 0 d-----w- c:\program files\AVS4YOU
2009-11-21 14:08:46 0 d-----w- c:\program files\Movie Maker 2.6
2009-11-21 13:55:59 0 d-----w- c:\programdata\ArcSoft
2009-11-21 13:55:44 18688 ----a-w- c:\windows\system32\drivers\afc.sys
2009-11-21 13:55:43 245408 ----a-w- c:\windows\system32\unicows.dll
2009-11-20 22:33:04 7420 ----a-w- c:\windows\UA000106.DLL
2009-11-20 22:32:28 0 d-----w- c:\programdata\InterVideo
2009-11-20 22:32:27 209040 ----a-w- c:\windows\system32\IVIresizeW7.dll
2009-11-20 22:32:27 192656 ----a-w- c:\windows\system32\IVIresizePX.dll
2009-11-20 22:32:26 24720 ----a-w- c:\windows\system32\IVIresize.dll
2009-11-20 22:32:26 204944 ----a-w- c:\windows\system32\IVIresizeA6.dll
2009-11-20 22:32:26 196752 ----a-w- c:\windows\system32\IVIresizeP6.dll
2009-11-20 22:32:26 196752 ----a-w- c:\windows\system32\IVIresizeM6.dll
2009-11-20 22:32:15 0 d-----w- c:\program files\Windows Media Components
2009-11-20 22:31:19 0 d-----w- c:\programdata\Ulead Systems
2009-11-20 22:31:19 0 d-----w- c:\program files\Corel
2009-11-20 22:18:51 0 d-----w- c:\programdata\BlazeVideo
2009-11-20 22:18:51 0 d-----w- c:\program files\Blaze Video Magic
2009-11-20 21:51:31 0 d-----w- c:\programdata\CyberLink
2009-11-20 21:28:43 0 d-----w- c:\program files\Aimersoft
2009-11-11 04:08:24 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2009-11-11 04:08:24 69632 ----a-w- c:\windows\system32\QuickTime.qts
2009-11-10 21:47:28 0 d-----w- C:\Windows 7 manuals
2009-11-10 15:38:06 0 d-----w- c:\windows\system32\custom matrices
2009-11-10 15:37:59 0 d-----w- c:\windows\system32\C2MP
2009-11-10 15:18:04 0 d-----w- c:\program files\Yamicsoft
2009-11-10 15:16:09 20 ----a-w- c:\windows\„øs
2009-11-10 15:11:25 20 ----a-w- c:\windows\,÷ƒ
2009-11-10 15:10:40 20 ----a-w- c:\windows\œóŽ

==================== Find3M ====================

2009-11-14 06:47:57 260608 ----a-w- c:\windows\PEV.exe
2009-11-03 12:46:28 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-11-03 12:46:27 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-11-03 12:33:54 6504 ----a-w- c:\windows\system32\drivers\ASACPI.sys
2009-11-03 01:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-22 19:15:56 143872 ----a-w- c:\windows\system32\libmpeg2_ff.dll
2009-10-22 19:01:22 4835652 ----a-w- c:\windows\system32\libavcodec.dll
2009-10-22 14:05:41 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2009-10-17 19:26:49 1325582 ----a-w- c:\windows\XSitePro2 Uninstaller.exe
2009-10-17 15:38:18 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-10-17 15:38:18 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-10-16 23:58:06 183296 ----a-w- c:\windows\system32\ff_samplerate.dll
2009-10-16 23:57:06 146944 ----a-w- c:\windows\system32\ff_tremor.dll
2009-10-16 23:04:24 178688 ----a-w- c:\windows\system32\ff_libmad.dll
2009-10-16 23:04:08 113152 ----a-w- c:\windows\system32\ff_unrar.dll
2009-10-16 23:03:48 257024 ----a-w- c:\windows\system32\ff_libdts.dll
2009-10-16 23:03:44 142848 ----a-w- c:\windows\system32\ff_liba52.dll
2009-10-16 23:03:40 484864 ----a-w- c:\windows\system32\ff_libfaad2.dll
2009-10-16 22:10:10 281748 ----a-w- c:\windows\system32\ff_kernelDeint.dll
2009-10-16 20:53:32 100864 ----a-w- c:\windows\system32\ff_wmv9.dll
2009-10-16 20:53:20 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-10-16 19:40:42 957047 ----a-w- c:\windows\system32\ff_x264.dll
2009-10-16 19:38:20 914464 ----a-w- c:\windows\system32\xvidcore.dll
2009-10-16 19:35:50 311204 ----a-w- c:\windows\system32\TomsMoComp_ff.dll
2009-10-16 19:08:54 611638 ----a-w- c:\windows\system32\libmplayer.dll
2009-10-16 19:04:28 1632375 ----a-w- c:\windows\system32\ffmpegmt.dll
2009-09-28 14:22:00 364544 ----a-w- c:\windows\system32\yk62x86.dll
2009-09-26 08:32:10 1205080 ----a-w- c:\windows\system32\FM20.DLL
2009-09-26 08:32:08 31600 ----a-w- c:\windows\system32\FM20ENU.DLL
2009-09-21 00:49:55 21316 ----a-w- c:\windows\system32\emptyregdb.dat
2009-09-10 05:52:05 257024 ----a-w- c:\windows\system32\msv1_0.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2001-07-26 14:58:46 47 ----a-w- c:\program files\ACMonitor_X73.ini
2001-07-05 10:46:44 8116 ----a-w- c:\program files\OSLO3071b2.USB
2001-05-08 14:36:42 114688 ----a-w- c:\program files\lxarscan.dll
2001-04-23 12:22:14 1437 ----a-w- c:\program files\gtx73.ini
2009-02-04 12:51:38 61 --sh--w- c:\windows\cnerolf.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 6:55:56.73 ===============
 

TSF Security Manager, Emeritus
I'm not seeing any leftover malware. I believe the simplest/quickest solution to getting the system working properly is to reinstall the OS.
 

Discussion Starter #14
Thank you very much for all the help. You're probably right. Re-installing the OS would be the way to go. Is it possible to re-install Win 7 and still retain all the existing files? If so, how is it done?
 
