DealAssistant.exe & oulwsv.exe - Page 2

Thread: DealAssistant.exe & oulwsv.exe


  1. #1
    Join Date
    Dec 1999
    Posts
    696
    Below is the next third. I don't want to overwhelm the Board, so let me know if you want the rest of it.
    .text C:\WINDOWS\system32\winlogon.exe[716] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\WINDOWS\system32\winlogon.exe[716] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\winlogon.exe[716] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\winlogon.exe[716] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
    .text C:\WINDOWS\system32\services.exe[760] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\WINDOWS\system32\services.exe[760] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\services.exe[760] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\services.exe[760] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
    .text C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
    .text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
    .text E:\Program Files\AceLogix\Free Ram Optimizer\fro.exe[956] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text E:\Program Files\AceLogix\Free Ram Optimizer\fro.exe[956] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
    .text E:\Program Files\AceLogix\Free Ram Optimizer\fro.exe[956] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
    .text E:\Program Files\AceLogix\Free Ram Optimizer\fro.exe[956] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
    .text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
    .text C:\Program Files\Windows Defender\MsMpEng.exe[1024] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\Program Files\Windows Defender\MsMpEng.exe[1024] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Windows Defender\MsMpEng.exe[1024] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Windows Defender\MsMpEng.exe[1024] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
    .text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F120F5A
    .text C:\WINDOWS\System32\svchost.exe[1144] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\WINDOWS\System32\svchost.exe[1144] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\System32\svchost.exe[1144] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\System32\svchost.exe[1144] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1364] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1364] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1364] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1364] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
    .text C:\Documents and Settings\Yury\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe[1524] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\Documents and Settings\Yury\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe[1524] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
    .text C:\Documents and Settings\Yury\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe[1524] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
    .text C:\Documents and Settings\Yury\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe[1524] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
    .text E:\Program Files\NoAdware\NoAdware5.exe[1620] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text E:\Program Files\NoAdware\NoAdware5.exe[1620] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
    .text E:\Program Files\NoAdware\NoAdware5.exe[1620] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
    .text E:\Program Files\NoAdware\NoAdware5.exe[1620] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1728] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1728] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1728] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1728] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
    .text C:\WINDOWS\$NtServicePackUninstall$\taskmgr.exe[1840] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\WINDOWS\$NtServicePackUninstall$\taskmgr.exe[1840] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\$NtServicePackUninstall$\taskmgr.exe[1840] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\$NtServicePackUninstall$\taskmgr.exe[1840] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[2036] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[2036] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[2036] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[2036] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
    .text C:\WINDOWS\System32\wbem\unsecapp.exe[2060] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\WINDOWS\System32\wbem\unsecapp.exe[2060] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\System32\wbem\unsecapp.exe[2060] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\System32\wbem\unsecapp.exe[2060] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
    frustrated yurka

  2. #2
    Join Date
    Apr 2000
    Location
    Sheboygan, WI
    Posts
    53,391
    Post the rest of it please.

  3. #3
    Join Date
    Dec 1999
    Posts
    696
    Sorry, was busy. Thanks for reminding me.
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2140] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2140] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2140] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2140] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
    .text C:\WINDOWS\System32\alg.exe[2328] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\WINDOWS\System32\alg.exe[2328] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\System32\alg.exe[2328] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\System32\alg.exe[2328] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[2900] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[2900] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[2900] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[2900] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
    .text E:\Program Files\Mozilla Firefox\firefox.exe[3536] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text E:\Program Files\Mozilla Firefox\firefox.exe[3536] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
    .text E:\Program Files\Mozilla Firefox\firefox.exe[3536] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
    .text E:\Program Files\Mozilla Firefox\firefox.exe[3536] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
    .text E:\Program Files\Mozilla Firefox\firefox.exe[3536] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
    .text C:\WINDOWS\system32\wuauclt.exe[3916] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\WINDOWS\system32\wuauclt.exe[3916] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\wuauclt.exe[3916] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\wuauclt.exe[3916] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\system32\services.exe[760] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
    IAT C:\WINDOWS\system32\services.exe[760] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000
    IAT C:\WINDOWS\$NtServicePackUninstall$\taskmgr.exe[1840] @ C:\WINDOWS\$NtServicePackUninstall$\WS2_32.dll [WS2HELP.dll!WahCompleteRequest] [71AA32D8] C:\WINDOWS\$NtServicePackUninstall$\WS2HELP.dll (Windows Socket 2.0 Helper for Windows NT/Microsoft Corporation)
    IAT C:\WINDOWS\$NtServicePackUninstall$\taskmgr.exe[1840] @ C:\WINDOWS\$NtServicePackUninstall$\WS2_32.dll [WS2HELP.dll!WahQueueUserApc] [71AA2AB5] C:\WINDOWS\$NtServicePackUninstall$\WS2HELP.dll (Windows Socket 2.0 Helper for Windows NT/Microsoft Corporation)
    IAT C:\WINDOWS\$NtServicePackUninstall$\taskmgr.exe[1840] @ C:\WINDOWS\$NtServicePackUninstall$\WS2_32.dll [WS2HELP.dll!WahEnableNonIFSHandleSupport] [71AA3363] C:\WINDOWS\$NtServicePackUninstall$\WS2HELP.dll (Windows Socket 2.0 Helper for Windows NT/Microsoft Corporation)
    IAT C:\WINDOWS\$NtServicePackUninstall$\taskmgr.exe[1840] @ C:\WINDOWS\$NtServicePackUninstall$\WS2_32.dll [WS2HELP.dll!WahDisableNonIFSHandleSupport] [71AA3561] C:\WINDOWS\$NtServicePackUninstall$\WS2HELP.dll (Windows Socket 2.0 Helper for Windows NT/Microsoft Corporation)
    IAT C:\WINDOWS\$NtServicePackUninstall$\taskmgr.exe[1840] @ C:\WINDOWS\$NtServicePackUninstall$\WS2_32.dll [WS2HELP.dll!WahCreateSocketHandle] [71AA310A] C:\WINDOWS\$NtServicePackUninstall$\WS2HELP.dll (Windows Socket 2.0 Helper for Windows NT/Microsoft Corporation)
    IAT C:\WINDOWS\$NtServicePackUninstall$\taskmgr.exe[1840] @ C:\WINDOWS\$NtServicePackUninstall$\WS2_32.dll [WS2HELP.dll!WahNotifyAllProcesses] [71AA3CFE] C:\WINDOWS\$NtServicePackUninstall$\WS2HELP.dll (Windows Socket 2.0 Helper for Windows NT/Microsoft Corporation)
    IAT C:\WINDOWS\$NtServicePackUninstall$\taskmgr.exe[1840] @ C:\WINDOWS\$NtServicePackUninstall$\WS2_32.dll [WS2HELP.dll!WahCreateNotificationHandle] [71AA209A] C:\WINDOWS\$NtServicePackUninstall$\WS2HELP.dll (Windows Socket 2.0 Helper for Windows NT/Microsoft Corporation)
    IAT C:\WINDOWS\$NtServicePackUninstall$\taskmgr.exe[1840] @ C:\WINDOWS\$NtServicePackUninstall$\WS2_32.dll [WS2HELP.dll!WahWaitForNotification] [71AA1CFF] C:\WINDOWS\$NtServicePackUninstall$\WS2HELP.dll (Windows Socket 2.0 Helper for Windows NT/Microsoft Corporation)
    IAT C:\WINDOWS\$NtServicePackUninstall$\taskmgr.exe[1840] @ C:\WINDOWS\$NtServicePackUninstall$\WS2_32.dll [WS2HELP.dll!WahInsertHandleContext] [71AA170C] C:\WINDOWS\$NtServicePackUninstall$\WS2HELP.dll (Windows Socket 2.0 Helper for Windows NT/Microsoft Corporation)
    IAT C:\WINDOWS\$NtServicePackUninstall$\taskmgr.exe[1840] @ C:\WINDOWS\$NtServicePackUninstall$\WS2_32.dll [WS2HELP.dll!WahRemoveHandleContext] [71AA18C8] C:\WINDOWS\$NtServicePackUninstall$\WS2HELP.dll (Windows Socket 2.0 Helper for Windows NT/Microsoft Corporation)
    IAT C:\WINDOWS\$NtServicePackUninstall$\taskmgr.exe[1840] @ C:\WINDOWS\$NtServicePackUninstall$\WS2_32.dll [WS2HELP.dll!WahDestroyHandleContextTable] [71AA3C82] C:\WINDOWS\$NtServicePackUninstall$\WS2HELP.dll (Windows Socket 2.0 Helper for Windows NT/Microsoft Corporation)
    IAT C:\WINDOWS\$NtServicePackUninstall$\taskmgr.exe[1840] @ C:\WINDOWS\$NtServicePackUninstall$\WS2_32.dll [WS2HELP.dll!WahCreateHandleContextTable] [71AA1958] C:\WINDOWS\$NtServicePackUninstall$\WS2HELP.dll (Windows Socket 2.0 Helper for Windows NT/Microsoft Corporation)
    IAT C:\WINDOWS\$NtServicePackUninstall$\taskmgr.exe[1840] @ C:\WINDOWS\$NtServicePackUninstall$\WS2_32.dll [WS2HELP.dll!WahEnumerateHandleContexts] [71AA22D1] C:\WINDOWS\$NtServicePackUninstall$\WS2HELP.dll (Windows Socket 2.0 Helper for Windows NT/Microsoft Corporation)
    IAT C:\WINDOWS\$NtServicePackUninstall$\taskmgr.exe[1840] @ C:\WINDOWS\$NtServicePackUninstall$\WS2_32.dll [WS2HELP.dll!WahCloseApcHelper] [71AA2363] C:\WINDOWS\$NtServicePackUninstall$\WS2HELP.dll (Windows Socket 2.0 Helper for Windows NT/Microsoft Corporation)
    IAT C:\WINDOWS\$NtServicePackUninstall$\taskmgr.exe[1840] @ C:\WINDOWS\$NtServicePackUninstall$\WS2_32.dll [WS2HELP.dll!WahCloseHandleHelper] [71AA30C5] C:\WINDOWS\$NtServicePackUninstall$\WS2HELP.dll (Windows Socket 2.0 Helper for Windows NT/Microsoft Corporation)
    IAT C:\WINDOWS\$NtServicePackUninstall$\taskmgr.exe[1840] @ C:\WINDOWS\$NtServicePackUninstall$\WS2_32.dll [WS2HELP.dll!WahCloseNotificationHandleHelper] [71AA3CCF] C:\WINDOWS\$NtServicePackUninstall$\WS2HELP.dll (Windows Socket 2.0 Helper for Windows NT/Microsoft Corporation)
    IAT C:\WINDOWS\$NtServicePackUninstall$\taskmgr.exe[1840] @ C:\WINDOWS\$NtServicePackUninstall$\WS2_32.dll [WS2HELP.dll!WahOpenNotificationHandleHelper] [71AA1BFF] C:\WINDOWS\$NtServicePackUninstall$\WS2HELP.dll (Windows Socket 2.0 Helper for Windows NT/Microsoft Corporation)
    IAT C:\WINDOWS\$NtServicePackUninstall$\taskmgr.exe[1840] @ C:\WINDOWS\$NtServicePackUninstall$\WS2_32.dll [WS2HELP.dll!WahOpenHandleHelper] [71AA387B] C:\WINDOWS\$NtServicePackUninstall$\WS2HELP.dll (Windows Socket 2.0 Helper for Windows NT/Microsoft Corporation)
    IAT C:\WINDOWS\$NtServicePackUninstall$\taskmgr.exe[1840] @ C:\WINDOWS\$NtServicePackUninstall$\WS2_32.dll [WS2HELP.dll!WahOpenApcHelper] [71AA1A2B] C:\WINDOWS\$NtServicePackUninstall$\WS2HELP.dll (Windows Socket 2.0 Helper for Windows NT/Microsoft Corporation)
    IAT C:\WINDOWS\$NtServicePackUninstall$\taskmgr.exe[1840] @ C:\WINDOWS\$NtServicePackUninstall$\WS2_32.dll [WS2HELP.dll!WahCloseSocketHandle] [71AA3289] C:\WINDOWS\$NtServicePackUninstall$\WS2HELP.dll (Windows Socket 2.0 Helper for Windows NT/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    ---- Registry - GMER 1.0.15 ----

    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F238CF1D-55BC-7523-7560-9CDB79BF4BC3}

    ---- EOF - GMER 1.0.15 ----
    frustrated yurka
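The two "User code sections" dumps in posts #1 and #3 list one inline hook per line, and the only way to spot the entries that break the pattern (the WinExec hook in svchost.exe[1068] jumping somewhere else than in every other process, and the extra FreeLibrary + 15 CALL in firefox.exe[3536]) is to compare hundreds of near-identical lines by eye. The script below is an added example, not code from the thread or from GMER: it parses lines of that shape, groups them per process, and reports any hook that is not shared by at least three processes. The line format is inferred from the dump above, the sample lines are copied from it (a few processes only), and the three-process threshold is an assumption; the script says which entries deviate, not whether they are malicious.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the GMER "User code sections" dump posted in
# this thread (a few processes only, not the full log), plus one IAT line to
# show that lines that are not inline hooks are skipped.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\winlogon.exe[716] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\winlogon.exe[716] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\winlogon.exe[716] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\winlogon.exe[716] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\services.exe[760] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\services.exe[760] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\services.exe[760] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\services.exe[760] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F120F5A
.text E:\Program Files\Mozilla Firefox\firefox.exe[3536] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text E:\Program Files\Mozilla Firefox\firefox.exe[3536] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text E:\Program Files\Mozilla Firefox\firefox.exe[3536] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text E:\Program Files\Mozilla Firefox\firefox.exe[3536] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text E:\Program Files\Mozilla Firefox\firefox.exe[3536] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
IAT C:\WINDOWS\system32\services.exe[760] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000
"""

# Assumed line format, inferred from the dump above (not taken from GMER docs):
#   .text <image path>[<pid>] <module>!<function>[ + <offset>] <addr> <n> Bytes <JMP|CALL> <target>
HOOK_RE = re.compile(
    r"^\.text (?P<path>.+?)\[(?P<pid>\d+)\] "
    r"(?P<module>[^!\s]+)!(?P<func>\S+)(?: \+ (?P<offset>\d+))? "
    r"(?P<addr>[0-9A-Fa-f]+) (?P<size>\d+) Bytes (?P<kind>JMP|CALL) (?P<target>[0-9A-Fa-f]+)$"
)


def parse_hook(line):
    """Return a dict for one inline-hook line, or None for any other line."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    h = m.groupdict()
    h["pid"] = int(h["pid"])
    h["offset"] = int(h["offset"]) if h["offset"] else 0
    h["size"] = int(h["size"])
    h["addr"] = int(h["addr"], 16)
    h["target"] = int(h["target"], 16)
    h["image"] = h["path"].rsplit("\\", 1)[-1]   # file name without directory
    return h


def parse_log(text):
    """All inline-hook entries in a GMER log; non-matching lines are dropped."""
    return [h for h in (parse_hook(line) for line in text.splitlines()) if h]


def hook_key(h):
    """Identity of a hook regardless of which process it was found in."""
    return (h["module"].lower(), h["func"], h["offset"], h["kind"], h["target"])


def hooks_by_process(hooks):
    """pid -> sorted list of hooked function names ('func+offset' for mid-function hooks)."""
    by_pid = defaultdict(list)
    for h in hooks:
        name = h["func"] + (f"+{h['offset']}" if h["offset"] else "")
        by_pid[h["pid"]].append(name)
    return {pid: sorted(names) for pid, names in by_pid.items()}


def find_outliers(hooks, min_procs=3):
    """Hooks whose (function, kind, target) combination is present in fewer than
    min_procs distinct processes. When one product hooks every process the same
    way, the shared set is the baseline and anything else stands out."""
    pids_by_key = defaultdict(set)
    for h in hooks:
        pids_by_key[hook_key(h)].add(h["pid"])
    return [h for h in hooks if len(pids_by_key[hook_key(h)]) < min_procs]


def describe(h):
    off = f" + {h['offset']}" if h["offset"] else ""
    return (f"{h['image']}[{h['pid']}] {h['module']}!{h['func']}{off} "
            f"@ {h['addr']:08X} {h['size']} bytes {h['kind']} -> {h['target']:08X}")


if __name__ == "__main__":
    hooks = parse_log(SAMPLE_LOG)
    for pid, names in sorted(hooks_by_process(hooks).items()):
        print(f"pid {pid}: {len(names)} hooks: {', '.join(names)}")
    print("entries not shared by at least 3 processes:")
    for h in find_outliers(hooks):
        print("  " + describe(h))
```

Run against the full dump, the same baseline logic separates the four hooks every process carries from the two entries that differ; whether those are a security product's own hooks or something else is a question the log alone does not answer, which is why the thread moves on to other tools.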

  4. #4
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    OK.
    We need a Malwarebytes log, another attempt to run SuperAntiSpyware after Malwarebytes,
    the log from it if it runs, and a fresh HJT log.
    ...and we're not going to be a dentist anymore

  5. #5
    Join Date
    Dec 1999
    Posts
    696
    This is the first time in ~1 year that Malwarebytes found anything. Anyway, please tell me if I have to run SAS again.
    Malwarebytes' Anti-Malware 1.33
    Database version: 1733
    Windows 5.1.2600 Service Pack 3

    10/6/2009 11:23:06 AM
    mbam-log-2009-10-06 (11-23-06).txt

    Scan type: Quick Scan
    Objects scanned: 58561
    Time elapsed: 11 minute(s), 52 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\Yury\Local Settings\Temporary Internet Files\Content.IE5\DM9W624T\setupxv[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
    frustrated yurka

  6. #6
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Let's do something else....

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      NOTE. If Combofix asks you to install Recovery Console, please allow it.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double-click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with ComboFix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

  7. #7
    Join Date
    Dec 1999
    Posts
    696
    Thank you, Broni.
    ComboFix looks like a long job, with the download, etc. I'll try to do it tomorrow or over the weekend. Will let you know.
    See you later.
    frustrated yurka

  8. #8
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Not a problem. Take your time

  9. #9
    Join Date
    Dec 1999
    Posts
    696
    Broni,
    I will probably (time allowing) run Combofix.exe today. So far, I have disabled/turned off all kinds of malware shields except Avast antivirus; I will do that after I pull the Internet cable (as I do not want to stay connected even for a short time between turning Avast off and starting Combofix. Or am I paranoid?). What about Malwarebytes? So far I haven't found a "turn off" button. I have to go now; I will check for your reply when I come back. So far I followed the instructions for WINDOWS DEFENDER:

    * Click Start > Programs > Windows Defender or launch from the system tray icon.
    * Click on Tools & Settings > Options.
    * Under Real-time protection options, uncheck the "Real-time protection" check box.
    * Click Save.
    * Go to Start > Control Panel > Security > Windows Defender, at the bottom of the Window Defenders page uncheck under Administrator Options "use Windows Defender" and then Save.
    * (When we are done, you can re-enable Defender using the same steps but this time place a check next to the "Turn on real-time protection" check box.)
    but I don't have a "Real-time protection" option. Nor do I have "Windows Defender" under "Security". The only thing I see there is Firewall, which I turned off already. What should I do?
    frustrated yurka

  10. #10
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    You did, what you could. Run Combofix.

  11. #11
    Join Date
    Dec 1999
    Posts
    696
    Broni,
    ComboFix ran flawlessly and was very fast; I wish I had known that in advance... :-). The ComboFix and HijackThis logs are 28+13 pages long. Should I send them as attachments, or do you prefer C+P? In the latter case, how many posts should I split them among?
    frustrated yurka

  12. #12
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    HJT should fit into one post. Combo may take 2.

  13. #13
    Join Date
    Dec 1999
    Posts
    696
    ComboFix 09-10-05.01 - Yury 10/10/2009 14:14.1.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.607 [GMT -4:00]
    Running from: c:\documents and settings\Yury\Desktop\ComboFix.exe
    * Created a new restore point
    .
    - REDUCED FUNCTIONALITY MODE -
    .
    ADS - WINDOWS: deleted 24 bytes in 1 streams.

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\AskSearch\bin\DefaultSearch.dll
    c:\program files\ContextAdvisor
    c:\program files\ContextAdvisor\ContextAdvisor.dat
    c:\recycled\Dc1
    c:\recycled\Dc1\_iscppr.exe
    c:\recycled\Dc1\a3d.dll
    c:\recycled\Dc1\adminchk.dll
    c:\recycled\Dc1\aeaudio.sys
    c:\recycled\Dc1\AEEnable.exe
    c:\recycled\Dc1\data.tag
    c:\recycled\Dc1\DLSLoader.exe
    c:\recycled\Dc1\install.exe
    c:\recycled\Dc1\ListEnv.dll
    c:\recycled\Dc1\MicTab.dll
    c:\recycled\Dc1\MidiSynth.dll
    c:\recycled\Dc1\migrate.dll
    c:\recycled\Dc1\RemADI.exe
    c:\recycled\Dc1\Remove.exe
    c:\recycled\Dc1\SMAgent.exe
    c:\recycled\Dc1\SMAgentI.exe
    c:\recycled\Dc1\SMAgentX.exe
    c:\recycled\Dc1\SMax3CP.cpl
    c:\recycled\Dc1\SMax3CP.ico
    c:\recycled\Dc1\smsens.sys
    c:\recycled\Dc1\SMTray.exe
    c:\recycled\Dc1\smwdm.sys
    c:\recycled\Dc1\smwdmCH2.inf
    c:\recycled\Dc1\smwdmCH4.inf
    c:\recycled\Dc1\SMWizard.exe
    c:\recycled\Dc1\smx.cat
    c:\recycled\Dc21
    c:\recycler\NPROTECT
    c:\recycler\NPROTECT\00000009.LNK
    c:\recycler\NPROTECT\00000022(2).LNK
    c:\recycler\NPROTECT\00000023(2).LNK
    c:\recycler\NPROTECT\00000024.LNK
    c:\recycler\NPROTECT\00000025(2).LNK
    c:\recycler\NPROTECT\00000028(2).LNK
    c:\recycler\NPROTECT\00000029.LNK
    c:\recycler\NPROTECT\00000030(2).LNK
    c:\recycler\NPROTECT\00000035(2).LNK
    c:\recycler\NPROTECT\00000036(2).LNK
    c:\recycler\NPROTECT\00000045.LNK
    c:\recycler\NPROTECT\00000046.LNK
    c:\recycler\NPROTECT\00000106.LNK
    c:\recycler\NPROTECT\00000107.LNK
    c:\recycler\NPROTECT\00000109.LOG
    c:\recycler\NPROTECT\00000110.000
    c:\recycler\NPROTECT\00000116.LOG
    c:\recycler\NPROTECT\00000117.000
    c:\recycler\NPROTECT\00000118.USE
    c:\recycler\NPROTECT\00000119.USE
    c:\recycler\NPROTECT\00000120.USE
    c:\recycler\NPROTECT\00000123.LOG
    c:\recycler\NPROTECT\00000124.000
    c:\recycler\NPROTECT\00000128.LOG
    c:\recycler\NPROTECT\00000129.000
    c:\recycler\NPROTECT\00000130.LOG
    c:\recycler\NPROTECT\00000131.000
    c:\recycler\NPROTECT\00000132.XML
    c:\recycler\NPROTECT\00000133.XML
    c:\recycler\NPROTECT\00000134.LOG
    c:\recycler\NPROTECT\00000135.000
    c:\recycler\NPROTECT\00000137.LOG
    c:\recycler\NPROTECT\00000138.000
    c:\recycler\NPROTECT\00000139.LOG
    c:\recycler\NPROTECT\00000140.000
    c:\recycler\NPROTECT\00000141.LOG
    c:\recycler\NPROTECT\00000142.000
    c:\recycler\NPROTECT\00000143.LOG
    c:\recycler\NPROTECT\00000144.000
    c:\recycler\NPROTECT\00000145.LOG
    c:\recycler\NPROTECT\00000146.000
    c:\recycler\NPROTECT\00000147.LOG
    c:\recycler\NPROTECT\00000148.000
    c:\recycler\NPROTECT\00000149.LOG
    c:\recycler\NPROTECT\00000150.000
    c:\recycler\NPROTECT\00000151.LOG
    c:\recycler\NPROTECT\00000152.000
    c:\recycler\NPROTECT\00000153.LOG
    c:\recycler\NPROTECT\00000154.000
    c:\recycler\NPROTECT\00000155.LOG
    c:\recycler\NPROTECT\00000156.000
    c:\recycler\NPROTECT\00000157.LOG
    c:\recycler\NPROTECT\00000158.000
    c:\recycler\NPROTECT\00000159.LOG
    c:\recycler\NPROTECT\00000160.000
    c:\recycler\NPROTECT\00000161.LOG
    c:\recycler\NPROTECT\00000162.000
    c:\recycler\NPROTECT\00000168.LOG
    c:\recycler\NPROTECT\00000169.000
    c:\recycler\NPROTECT\00000170.LOG
    c:\recycler\NPROTECT\00000171.000
    c:\recycler\NPROTECT\00000172.LOG
    c:\recycler\NPROTECT\00000173.000
    c:\recycler\NPROTECT\00000174.LOG
    c:\recycler\NPROTECT\00000175.000
    c:\recycler\NPROTECT\00000176.LOG
    c:\recycler\NPROTECT\00000177.000
    c:\recycler\NPROTECT\00000178.LOG
    c:\recycler\NPROTECT\00000179.000
    c:\recycler\NPROTECT\00000180.LOG
    c:\recycler\NPROTECT\00000181.000
    c:\recycler\NPROTECT\00000182.LOG
    c:\recycler\NPROTECT\00000183.000
    c:\recycler\NPROTECT\00000184.LOG
    c:\recycler\NPROTECT\00000185.000
    c:\recycler\NPROTECT\00000186.LOG
    c:\recycler\NPROTECT\00000187.000
    c:\recycler\NPROTECT\00000188.LOG
    c:\recycler\NPROTECT\00000189.000
    c:\recycler\NPROTECT\00000190.LOG
    c:\recycler\NPROTECT\00000191.000
    c:\recycler\NPROTECT\00000192.LOG
    c:\recycler\NPROTECT\00000193.000
    c:\recycler\NPROTECT\00000194.LOG
    c:\recycler\NPROTECT\00000195.000
    c:\recycler\NPROTECT\00000197.LOG
    c:\recycler\NPROTECT\00000198.000
    c:\recycler\NPROTECT\00000199.LOG
    c:\recycler\NPROTECT\00000200.000
    c:\recycler\NPROTECT\00000201.LOG
    c:\recycler\NPROTECT\00000202.000
    c:\recycler\NPROTECT\00000203.LOG
    c:\recycler\NPROTECT\00000204.000
    c:\recycler\NPROTECT\00000205.LOG
    c:\recycler\NPROTECT\00000206.000
    c:\recycler\NPROTECT\00000209.LOG
    c:\recycler\NPROTECT\00000210.000
    c:\recycler\NPROTECT\00000211.LOG
    c:\recycler\NPROTECT\00000212.000
    c:\recycler\NPROTECT\00000213.LOG
    c:\recycler\NPROTECT\00000214.000
    c:\recycler\NPROTECT\00000215.LOG
    c:\recycler\NPROTECT\00000216.000
    c:\recycler\NPROTECT\00000217.LOG
    c:\recycler\NPROTECT\00000218.000
    c:\recycler\NPROTECT\00000219.LOG
    c:\recycler\NPROTECT\00000220.000
    c:\recycler\NPROTECT\00000228.LOG
    c:\recycler\NPROTECT\00000229.000
    c:\recycler\NPROTECT\00000230.LNK
    c:\recycler\NPROTECT\00000231.LNK
    c:\recycler\NPROTECT\00000233.LOG
    c:\recycler\NPROTECT\00000234.000
    c:\recycler\NPROTECT\00000238.LOG
    c:\recycler\NPROTECT\00000239.000
    c:\recycler\NPROTECT\00000240.USE
    c:\recycler\NPROTECT\00000241.USE
    c:\recycler\NPROTECT\00000242.USE
    c:\recycler\NPROTECT\00000244.LOG
    c:\recycler\NPROTECT\00000245.000
    c:\recycler\NPROTECT\00000249.LOG
    c:\recycler\NPROTECT\00000250.000
    c:\recycler\NPROTECT\00000252.LOG
    c:\recycler\NPROTECT\00000253.000
    c:\recycler\NPROTECT\00000254.LOG
    c:\recycler\NPROTECT\00000255.000
    c:\recycler\NPROTECT\00000256.LOG
    c:\recycler\NPROTECT\00000257.000
    c:\recycler\NPROTECT\00000258.LOG
    c:\recycler\NPROTECT\00000259.000
    c:\recycler\NPROTECT\00000260.LOG
    c:\recycler\NPROTECT\00000261.000
    c:\recycler\NPROTECT\00000262.XML
    c:\recycler\NPROTECT\00000263.XML
    c:\recycler\NPROTECT\00000264.LOG
    c:\recycler\NPROTECT\00000265.000
    c:\recycler\NPROTECT\00000266.XML
    c:\recycler\NPROTECT\00000267.LOG
    c:\recycler\NPROTECT\00000268.000
    c:\recycler\NPROTECT\00000269.LOG
    c:\recycler\NPROTECT\00000270.000
    c:\recycler\NPROTECT\00000271.LOG
    c:\recycler\NPROTECT\00000272.000
    c:\recycler\NPROTECT\00000273.LOG
    c:\recycler\NPROTECT\00000274.000
    c:\recycler\NPROTECT\00000275.LOG
    c:\recycler\NPROTECT\00000276.000
    c:\recycler\NPROTECT\00000278.LOG
    c:\recycler\NPROTECT\00000279.000
    c:\recycler\NPROTECT\00000280.LOG
    c:\recycler\NPROTECT\00000281.000
    c:\recycler\NPROTECT\00000282.LOG
    c:\recycler\NPROTECT\00000283.000
    c:\recycler\NPROTECT\00000284.LOG
    c:\recycler\NPROTECT\00000285.000
    c:\recycler\NPROTECT\00000286.LOG
    c:\recycler\NPROTECT\00000287.000
    c:\recycler\NPROTECT\00000289.LOG
    c:\recycler\NPROTECT\00000290.000
    c:\recycler\NPROTECT\00000291.LOG
    c:\recycler\NPROTECT\00000292.000
    c:\recycler\NPROTECT\00000293.LOG
    c:\recycler\NPROTECT\00000294.000
    c:\recycler\NPROTECT\00000295.LOG
    c:\recycler\NPROTECT\00000296.000
    c:\recycler\NPROTECT\00000297.LOG
    c:\recycler\NPROTECT\00000298.000
    c:\recycler\NPROTECT\00000299.LNK
    c:\recycler\NPROTECT\00000300.LNK
    c:\recycler\NPROTECT\00000301.WBK
    c:\recycler\NPROTECT\00000302.LNK
    c:\recycler\NPROTECT\00000303.LNK
    c:\recycler\NPROTECT\00000304.LNK
    c:\recycler\NPROTECT\00000305.LNK
    c:\recycler\NPROTECT\00000306.LNK
    c:\recycler\NPROTECT\00000307.LNK
    c:\recycler\NPROTECT\00000322.LOG
    c:\recycler\NPROTECT\00000323.000
    c:\recycler\NPROTECT\00000325.PF
    c:\recycler\NPROTECT\00000326.PF
    c:\recycler\NPROTECT\00000327.PF
    c:\recycler\NPROTECT\00000328.PF
    c:\recycler\NPROTECT\00000329.PF
    c:\recycler\NPROTECT\00000330.PF
    c:\recycler\NPROTECT\00000331.PF
    c:\recycler\NPROTECT\00000332.PF
    c:\recycler\NPROTECT\00000333.PF
    c:\recycler\NPROTECT\00000334.PF
    c:\recycler\NPROTECT\00000335.PF
    c:\recycler\NPROTECT\00000336.PF
    c:\recycler\NPROTECT\00000337.PF
    c:\recycler\NPROTECT\00000338.PF
    c:\recycler\NPROTECT\00000339.PF
    c:\recycler\NPROTECT\00000340.PF
    c:\recycler\NPROTECT\00000341.PF
    c:\recycler\NPROTECT\00000342.PF
    c:\recycler\NPROTECT\00000343.PF
    c:\recycler\NPROTECT\00000344.PF
    c:\recycler\NPROTECT\00000345.PF
    c:\recycler\NPROTECT\00000346.PF
    c:\recycler\NPROTECT\00000347.PF
    c:\recycler\NPROTECT\00000348.PF
    c:\recycler\NPROTECT\00000349.PF
    c:\recycler\NPROTECT\00000350.PF
    c:\recycler\NPROTECT\00000351.PF
    c:\recycler\NPROTECT\00000352.PF
    c:\recycler\NPROTECT\00000353.PF
    c:\recycler\NPROTECT\00000354.PF
    c:\recycler\NPROTECT\00000355.PF
    c:\recycler\NPROTECT\00000356.PF
    c:\recycler\NPROTECT\00000357.PF
    c:\recycler\NPROTECT\00000358.PF
    c:\recycler\NPROTECT\00000359.PF
    c:\recycler\NPROTECT\00000360.PF
    c:\recycler\NPROTECT\00000361.PF
    c:\recycler\NPROTECT\00000362.PF
    c:\recycler\NPROTECT\00000363.PF
    c:\recycler\NPROTECT\00000364.PF
    c:\recycler\NPROTECT\00000365.PF
    c:\recycler\NPROTECT\00000366.PF
    c:\recycler\NPROTECT\00000367.PF
    c:\recycler\NPROTECT\00000368.PF
    c:\recycler\NPROTECT\00000369.PF
    c:\recycler\NPROTECT\00000370.PF
    c:\recycler\NPROTECT\00000371.PF
    c:\recycler\NPROTECT\00000372.PF
    c:\recycler\NPROTECT\00000373.PF
    c:\recycler\NPROTECT\00000374.PF
    c:\recycler\NPROTECT\00000375.PF
    c:\recycler\NPROTECT\00000376.PF
    c:\recycler\NPROTECT\00000377.PF
    c:\recycler\NPROTECT\00000378.PF
    c:\recycler\NPROTECT\00000379.PF
    c:\recycler\NPROTECT\00000380.PF
    c:\recycler\NPROTECT\00000381.PF
    c:\recycler\NPROTECT\00000382.PF
    c:\recycler\NPROTECT\00000383.PF
    c:\recycler\NPROTECT\00000384.PF
    c:\recycler\NPROTECT\00000385.PF
    c:\recycler\NPROTECT\00000386.PF
    c:\recycler\NPROTECT\00000387.PF
    c:\recycler\NPROTECT\00000388.PF
    c:\recycler\NPROTECT\00000389.PF
    c:\recycler\NPROTECT\00000390.PF
    c:\recycler\NPROTECT\00000391.PF
    c:\recycler\NPROTECT\00000392.PF
    c:\recycler\NPROTECT\00000393.PF
    c:\recycler\NPROTECT\00000394.PF
    c:\recycler\NPROTECT\00000395.PF
    c:\recycler\NPROTECT\00000396.PF
    c:\recycler\NPROTECT\00000397.PF
    c:\recycler\NPROTECT\00000398.PF
    c:\recycler\NPROTECT\00000399.PF
    c:\recycler\NPROTECT\00000400.PF
    c:\recycler\NPROTECT\00000401.PF
    c:\recycler\NPROTECT\00000402.PF
    c:\recycler\NPROTECT\00000403.PF
    c:\recycler\NPROTECT\00000404.PF
    c:\recycler\NPROTECT\00000405.PF
    c:\recycler\NPROTECT\00000406.PF
    c:\recycler\NPROTECT\00000407.PF
    c:\recycler\NPROTECT\00000408.PF
    c:\recycler\NPROTECT\00000409.PF
    c:\recycler\NPROTECT\00000410.PF
    c:\recycler\NPROTECT\00000411.PF
    c:\recycler\NPROTECT\00000412.PF
    c:\recycler\NPROTECT\00000413.PF
    c:\recycler\NPROTECT\00000414.PF
    c:\recycler\NPROTECT\00000415.PF
    c:\recycler\NPROTECT\00000416.PF
    c:\recycler\NPROTECT\00000417.PF
    c:\recycler\NPROTECT\00000418.PF
    c:\recycler\NPROTECT\00000419.PF
    c:\recycler\NPROTECT\00000423.LOG
    c:\recycler\NPROTECT\00000424.000
    c:\recycler\NPROTECT\00000427.LOG
    c:\recycler\NPROTECT\00000428.000
    c:\recycler\NPROTECT\00000434.LOG
    c:\recycler\NPROTECT\00000435.000
    c:\recycler\NPROTECT\00000441.LOG
    c:\recycler\NPROTECT\00000442.000
    c:\recycler\NPROTECT\00000444.LOG
    c:\recycler\NPROTECT\00000445.000
    c:\recycler\NPROTECT\00000448.LOG
    c:\recycler\NPROTECT\00000449.000
    c:\recycler\NPROTECT\00000450.LOG
    c:\recycler\NPROTECT\00000451.000
    c:\recycler\NPROTECT\00000452.LOG
    c:\recycler\NPROTECT\00000453.000
    c:\recycler\NPROTECT\00000455.LOG
    c:\recycler\NPROTECT\00000456.000
    c:\recycler\NPROTECT\00000457.LOG
    c:\recycler\NPROTECT\00000458.000
    c:\recycler\NPROTECT\00000459.LOG
    c:\recycler\NPROTECT\00000460.000
    c:\recycler\NPROTECT\00000461.LOG
    c:\recycler\NPROTECT\00000462.000
    c:\recycler\NPROTECT\00000463.LOG
    c:\recycler\NPROTECT\00000464.000
    c:\recycler\NPROTECT\00000465.LOG
    c:\recycler\NPROTECT\00000466.000
    c:\recycler\NPROTECT\00000469.LOG
    c:\recycler\NPROTECT\00000470.000
    c:\recycler\NPROTECT\00000471.LOG
    c:\recycler\NPROTECT\00000472.000
    c:\recycler\NPROTECT\00000473.LOG
    c:\recycler\NPROTECT\00000474.000
    c:\recycler\NPROTECT\00000475.LOG
    c:\recycler\NPROTECT\00000476.000
    c:\recycler\NPROTECT\00000477.LOG
    c:\recycler\NPROTECT\00000478.000
    c:\recycler\NPROTECT\00000479.LOG
    c:\recycler\NPROTECT\00000480.000
    c:\recycler\NPROTECT\00000482.LOG
    c:\recycler\NPROTECT\00000483.000
    c:\recycler\NPROTECT\00000484.LOG
    c:\recycler\NPROTECT\00000485.000
    c:\recycler\NPROTECT\00000487.LOG
    c:\recycler\NPROTECT\00000488.000
    c:\recycler\NPROTECT\00000489.LOG
    c:\recycler\NPROTECT\00000490.000
    c:\recycler\NPROTECT\00000491.LOG
    c:\recycler\NPROTECT\00000492.000
    c:\recycler\NPROTECT\00000494.LOG
    c:\recycler\NPROTECT\00000495.000
    c:\recycler\NPROTECT\00000498.LOG
    c:\recycler\NPROTECT\00000499.000
    c:\recycler\NPROTECT\00000500.LOG
    c:\recycler\NPROTECT\00000501.000
    c:\recycler\NPROTECT\00000503.LOG
    c:\recycler\NPROTECT\00000504.000
    c:\recycler\NPROTECT\00000505.LOG
    c:\recycler\NPROTECT\00000506.000
    c:\recycler\NPROTECT\00000507.LOG
    c:\recycler\NPROTECT\00000508.000
    c:\recycler\NPROTECT\00000510.LOG
    c:\recycler\NPROTECT\00000511.000
    c:\recycler\NPROTECT\00000512.LOG
    c:\recycler\NPROTECT\00000513.000
    c:\recycler\NPROTECT\00000514.LOG
    c:\recycler\NPROTECT\00000515.000
    c:\recycler\NPROTECT\00000516.LOG
    c:\recycler\NPROTECT\00000517.000
    c:\recycler\NPROTECT\00000518.LOG
    c:\recycler\NPROTECT\00000519.000
    c:\recycler\NPROTECT\00000520.LOG
    c:\recycler\NPROTECT\00000521.000
    c:\recycler\NPROTECT\00000522.LOG
    c:\recycler\NPROTECT\00000523.000
    c:\recycler\NPROTECT\00000524.LOG
    c:\recycler\NPROTECT\00000525.000
    c:\recycler\NPROTECT\00000526.LOG
    c:\recycler\NPROTECT\00000527.000
    c:\recycler\NPROTECT\00000529.LOG
    c:\recycler\NPROTECT\00000530.000
    c:\recycler\NPROTECT\00000531.LOG
    c:\recycler\NPROTECT\00000532.000
    c:\recycler\NPROTECT\00000533.LOG
    c:\recycler\NPROTECT\00000534.000
    c:\recycler\NPROTECT\00000535.LOG
    c:\recycler\NPROTECT\00000536.000
    c:\recycler\NPROTECT\00000537.LOG
    c:\recycler\NPROTECT\00000538.000
    c:\recycler\NPROTECT\00000539.LOG
    c:\recycler\NPROTECT\00000540.000
    c:\recycler\NPROTECT\00000541.LOG
    c:\recycler\NPROTECT\00000542.000
    c:\recycler\NPROTECT\00000543.LOG
    c:\recycler\NPROTECT\00000544.000
    c:\recycler\NPROTECT\00000547.LOG
    c:\recycler\NPROTECT\00000548.000
    c:\recycler\NPROTECT\00000549.LOG
    c:\recycler\NPROTECT\00000550.000
    c:\recycler\NPROTECT\00000551.LOG
    c:\recycler\NPROTECT\00000552.000
    c:\recycler\NPROTECT\00000553.LOG
    c:\recycler\NPROTECT\00000554.000
    c:\recycler\NPROTECT\00000556.PSP
    c:\recycler\NPROTECT\00000561.LOG
    c:\recycler\NPROTECT\00000562.000
    c:\recycler\NPROTECT\00000567.LOG
    c:\recycler\NPROTECT\00000568.000
    c:\recycler\NPROTECT\00000574.LOG
    c:\recycler\NPROTECT\00000575.000
    c:\recycler\NPROTECT\00000582.LOG
    c:\recycler\NPROTECT\00000583.000
    c:\recycler\NPROTECT\00000584.LOG
    c:\recycler\NPROTECT\00000585.000
    c:\recycler\NPROTECT\00000590.LOG
    c:\recycler\NPROTECT\00000591.000
    c:\recycler\NPROTECT\00000599.LOG
    c:\recycler\NPROTECT\00000600.000
    c:\recycler\NPROTECT\00000609.log
    c:\recycler\NPROTECT\00000610.edb
    c:\recycler\NPROTECT\00000614.LOG
    c:\recycler\NPROTECT\00000615.000
    c:\recycler\NPROTECT\00000619.LOG
    c:\recycler\NPROTECT\00000620.000
    c:\recycler\NPROTECT\00000621.LOG
    c:\recycler\NPROTECT\00000622.000
    c:\recycler\NPROTECT\00000623.LOG
    c:\recycler\NPROTECT\00000624.000
    c:\recycler\NPROTECT\00000625.LOG
    c:\recycler\NPROTECT\00000626.000
    c:\recycler\NPROTECT\00000627.LOG
    c:\recycler\NPROTECT\00000628.000
    c:\recycler\NPROTECT\00000629.LOG
    c:\recycler\NPROTECT\00000630.000
    c:\recycler\NPROTECT\00000631.LOG
    c:\recycler\NPROTECT\00000632.000
    c:\recycler\NPROTECT\00000638.gpd
    c:\recycler\NPROTECT\00000639.gpd
    c:\recycler\NPROTECT\00000640.gpd
    c:\recycler\NPROTECT\00000641.gpd
    c:\recycler\NPROTECT\00000642.gpd
    c:\recycler\NPROTECT\00000643.gpd
    c:\recycler\NPROTECT\00000649
    c:\recycler\NPROTECT\00000650.dat
    c:\recycler\NPROTECT\00000651.idx
    c:\recycler\NPROTECT\00000652.FCS
    c:\recycler\NPROTECT\NPROTECT.LOG
    c:\recycler\S-1-5-21-682003330-1060284298-1708537768-1003
    c:\recycler\S-1-5-21-682003330-1060284298-1708537768-1003\desktop.ini
    c:\recycler\S-1-5-21-682003330-1060284298-1708537768-1003\INFO2
    c:\windows\Readme.txt

    .
    ((((((((((((((((((((((((( Files Created from 2009-09-10 to 2009-10-10 )))))))))))))))))))))))))))))))
    .

    2009-10-04 20:52 . 2009-10-04 20:52 -------- dc----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2009-10-04 20:52 . 2009-10-04 20:52 -------- dc----w- c:\documents and settings\Yury\Application Data\Office Genuine Advantage
    2009-10-04 15:20 . 2009-10-04 15:20 -------- dc----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-10-04 15:20 . 2009-10-04 15:20 -------- dc----w- c:\documents and settings\Yury\Application Data\SUPERAntiSpyware.com
    2009-09-29 01:14 . 2009-09-29 01:14 -------- dc----w- c:\program files\Driver Robot
    2009-09-29 01:04 . 2009-09-29 01:04 -------- dc----w- c:\windows\system32\wbem\Repository
    2009-09-29 01:04 . 2009-09-29 01:04 -------- dc----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
    2009-09-28 23:23 . 2009-09-29 01:04 -------- dc----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters(2)
    2009-09-27 13:58 . 2009-09-27 13:58 -------- dc----w- c:\documents and settings\Yury\Application Data\Blitware
    2009-09-25 23:30 . 2009-09-25 23:30 -------- dc----w- c:\documents and settings\All Users\Application Data\page
    2009-09-25 23:22 . 2009-09-25 23:28 -------- dc----w- c:\documents and settings\Yury\Application Data\GetRightToGo
    2009-09-24 23:26 . 2009-09-24 23:26 -------- dc----w- c:\documents and settings\Yury\MyConnection PC
    2009-09-21 01:05 . 2009-09-21 01:05 -------- dc----w- c:\program files\AskBarDis
    2009-09-18 01:16 . 2009-09-18 01:16 -------- dc----w- c:\program files\PCPitstop
    2009-09-18 01:16 . 2009-09-18 01:16 -------- dc----w- c:\documents and settings\Yury\Application Data\PCPitstop
    2009-09-18 01:16 . 2009-09-18 01:17 -------- dc----w- c:\documents and settings\All Users\Application Data\PCPitstop
    2009-09-11 17:08 . 2009-09-11 17:08 24744 -c--a-w- c:\windows\system32\drivers\ElbyCDIO.sys
    frustrated yurka

  14. #14
    Join Date
    Dec 1999
    Posts
    696
    2009-09-10 21:52 . 2009-09-10 21:52 104512 -c--a-w- c:\windows\system32\drivers\AnyDVD.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-10-04 21:42 . 2006-03-02 02:06 -------- dc----w- c:\program files\NCH Swift Sound
    2009-10-04 15:19 . 2003-02-23 05:05 -------- dc----w- c:\program files\Common Files\Wise Installation Wizard
    2009-10-04 15:10 . 2009-05-19 23:29 -------- dc----w- c:\documents and settings\Yury\Application Data\BabylonXtra
    2009-10-04 02:52 . 2009-08-18 13:05 -------- dc----w- c:\documents and settings\Yury\Application Data\Skype
    2009-10-03 23:25 . 2007-12-25 17:21 -------- dc----w- c:\documents and settings\Yury\Application Data\skypePM
    2009-09-10 18:54 . 2009-02-06 03:18 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-09-10 18:53 . 2009-02-06 03:19 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
    2009-09-09 23:38 . 2008-03-09 16:08 -------- dc----w- c:\program files\Microsoft Silverlight
    2009-09-06 22:12 . 2009-09-06 22:12 -------- dc----w- c:\program files\LightScribe Template Labeler
    2009-09-06 22:02 . 2009-09-06 21:14 -------- dc----w- c:\program files\Common Files\LightScribe
    2009-09-06 22:01 . 2009-09-06 22:01 -------- dc----w- c:\documents and settings\All Users\Application Data\LightScribe
    2009-08-26 02:06 . 2009-08-25 23:47 -------- dc----w- c:\documents and settings\Yury\Application Data\ErrorWiz
    2009-08-18 13:14 . 2009-08-18 13:14 56 -c-ha-w- c:\windows\system32\ezsidmv.dat
    2009-08-18 13:05 . 2009-08-18 13:05 -------- dc----w- c:\program files\Common Files\Skype
    2009-08-18 13:05 . 2009-08-18 13:05 -------- dc----r- c:\program files\Skype
    2009-08-18 13:05 . 2007-09-08 23:38 -------- dc----w- c:\documents and settings\All Users\Application Data\Skype
    2009-08-17 16:10 . 2008-11-13 00:09 1279456 -c--a-w- c:\windows\system32\aswBoot.exe
    2009-08-17 16:06 . 2008-11-13 00:09 93392 -c--a-w- c:\windows\system32\drivers\aswmon.sys
    2009-08-17 16:06 . 2008-11-13 00:09 94160 -c--a-w- c:\windows\system32\drivers\aswmon2.sys
    2009-08-17 16:05 . 2008-11-13 00:09 114768 -c--a-w- c:\windows\system32\drivers\aswSP.sys
    2009-08-17 16:05 . 2008-11-13 00:09 20560 -c--a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2009-08-17 16:04 . 2008-11-13 00:09 51376 -c--a-w- c:\windows\system32\drivers\aswTdi.sys
    2009-08-17 16:04 . 2008-11-13 00:09 23152 -c--a-w- c:\windows\system32\drivers\aswRdr.sys
    2009-08-17 16:03 . 2008-11-13 00:09 26944 -c--a-w- c:\windows\system32\drivers\aavmker4.sys
    2009-08-17 16:02 . 2008-11-13 00:09 97480 -c--a-w- c:\windows\system32\AvastSS.scr
    2009-08-11 23:22 . 2009-01-31 16:09 27136 -c--a-w- c:\windows\system32\drivers\nchssvad.sys
    2009-08-06 23:24 . 2004-08-18 23:36 327896 -c--a-w- c:\windows\system32\wucltui.dll
    2009-08-06 23:24 . 2004-08-18 23:36 209632 -c--a-w- c:\windows\system32\wuweb.dll
    2009-08-06 23:24 . 2005-05-26 08:16 44768 -c--a-w- c:\windows\system32\wups2.dll
    2009-08-06 23:24 . 2004-08-18 23:36 35552 ----a-w- c:\windows\system32\wups.dll
    2009-08-06 23:24 . 2004-07-17 23:58 53472 -c--a-w- c:\windows\system32\wuauclt.exe
    2009-08-06 23:24 . 2004-07-17 23:58 96480 -c--a-w- c:\windows\system32\cdm.dll
    2009-08-06 23:23 . 2004-08-18 23:36 575704 -c--a-w- c:\windows\system32\wuapi.dll
    2009-08-06 23:23 . 2007-03-22 19:01 274288 -c--a-w- c:\windows\system32\mucltui.dll
    2009-08-06 23:23 . 2005-05-26 08:19 215920 -c--a-w- c:\windows\system32\muweb.dll
    2009-08-06 23:23 . 2004-07-17 23:58 1929952 -c--a-w- c:\windows\system32\wuaueng.dll
    2009-08-05 09:01 . 2004-07-17 23:57 204800 -c--a-w- c:\windows\system32\mswebdvd.dll
    2009-08-03 19:07 . 2009-08-03 19:07 403816 -c--a-w- c:\windows\system32\OGACheckControl.dll
    2009-08-03 19:07 . 2009-08-03 19:07 322928 -c--a-w- c:\windows\system32\OGAAddin.dll
    2009-08-03 19:07 . 2009-08-03 19:07 230768 -c--a-w- c:\windows\system32\OGAEXEC.exe
    2009-07-17 19:01 . 2004-07-17 23:57 58880 -c--a-w- c:\windows\system32\atl.dll
    2009-07-14 03:43 . 2004-07-17 23:58 286208 -c--a-w- c:\windows\system32\wmpdxm.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{f2c96ff5-e7bd-4fc5-9b71-1d3bd0b6bf82}"= "c:\program files\NPR_Radio\tbNPR0.dll" [2009-07-08 2215960]

    [HKEY_CLASSES_ROOT\clsid\{f2c96ff5-e7bd-4fc5-9b71-1d3bd0b6bf82}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    2008-07-17 21:20 279944 -c--a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f2c96ff5-e7bd-4fc5-9b71-1d3bd0b6bf82}]
    2009-07-08 23:19 2215960 -c--a-w- c:\program files\NPR_Radio\tbNPR0.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{f2c96ff5-e7bd-4fc5-9b71-1d3bd0b6bf82}"= "c:\program files\NPR_Radio\tbNPR0.dll" [2009-07-08 2215960]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

    [HKEY_CLASSES_ROOT\clsid\{f2c96ff5-e7bd-4fc5-9b71-1d3bd0b6bf82}]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{F2C96FF5-E7BD-4FC5-9B71-1D3BD0B6BF82}"= "c:\program files\NPR_Radio\tbNPR0.dll" [2009-07-08 2215960]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

    [HKEY_CLASSES_ROOT\clsid\{f2c96ff5-e7bd-4fc5-9b71-1d3bd0b6bf82}]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Free Ram Optimizer"="e:\program files\AceLogix\Free Ram Optimizer\fro.exe" [2003-08-22 57344]
    "TClockEx"="e:\tclockex\TCLOCKEX.EXE" [2000-03-09 89088]
    "Google Update"="c:\documents and settings\Yury\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-30 133104]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avast!"="e:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
    "ProcessSupervisorGUI"="e:\program files\Process Lasso\processlasso.exe" [2008-12-13 316944]
    "ProcessGovernor"="e:\program files\Process Lasso\processgovernor.exe" [2008-12-13 133136]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-11-07 19968]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-07-30 38912]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    CPU meter.exe.lnk - c:\windows\$NtServicePackUninstall$\taskmgr.exe [2008-9-26 135680]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "e:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\Userinit.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 19:21 548352 ----a-w- e:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck smrgdf c:\documents and settings\Yury\Application Data\iolo\\0lsdelete

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
    Notification Packages REG_MULTI_SZ %I

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax 4.2.lnk]
    backup=c:\windows\pss\eFax 4.2.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax.com Tray Menu.lnk]
    backup=c:\windows\pss\eFax.com Tray Menu.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher S.lnk]
    backup=c:\windows\pss\Exif Launcher S.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
    backup=c:\windows\pss\Google Updater.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Live Menu.lnk]
    backup=c:\windows\pss\Live Menu.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LocalNet.lnk]
    backup=c:\windows\pss\LocalNet.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
    backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MightyFAX Controller.lnk]
    backup=c:\windows\pss\MightyFAX Controller.lnkCommon Startup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmapp
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmctxth
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Doc Pro - 4.2
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Cleaner
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\startemdoit
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tcactive
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tcmonitor
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "vsmon"=2 (0x2)
    "SCardDrv"=3 (0x3)
    "iPod Service"=3 (0x3)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    frustrated yurka

  15. #15
    Join Date
    Dec 1999
    Posts
    696
    "c:\\Program Files\\i2hub\\i2hub.exe"=
    "c:\\Program Files\\Java\\j2re1.4.2_04\\bin\\javaw.exe"=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
    "c:\\WINDOWS\\system32\\java.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "e:\\Program Files\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
    "3389:TCP"= 3389:TCP:*isabled:@xpsp2res.dll,-22009
    "67:UDP"= 67:UDPHCP Discovery Service
    "4100:UDP"= 4100:UDP:uPNP Router Control Port

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/28/2009 11:29 AM 64160]
    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [11/12/2008 8:09 PM 114768]
    R1 SASDIFSV;SASDIFSV;e:\program files\SUPERAntiSpyware\sasdifsv.sys [9/15/2009 11:42 AM 9968]
    R1 SASKUTIL;SASKUTIL;e:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 11:42 AM 74480]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/12/2008 8:09 PM 20560]
    R2 HIDKbFlt;HIDKbFlt.SvcDesc%;c:\windows\system32\drivers\HIDKbFlt.sys [7/25/2005 6:13 AM 23680]
    R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [12/14/2007 7:09 PM 572776]
    R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [12/14/2007 7:09 PM 572776]
    R2 IOPort;IOPort;c:\windows\system32\IOPORT.SYS [2/22/2003 10:36 PM 6144]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 5:34 PM 951632]
    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [11/1/2004 3:16 PM 17536]
    S3 SASENUM;SASENUM;e:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 11:42 AM 7408]
    S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [7/20/2004 5:53 PM 11520]
    S3 Unilocator;Unilocator;c:\windows\system32\LOCATRNT.EXE [9/30/1996 120832]
    S4 EarthLinkMonitor;EarthLink Monitor Service;"c:\program files\EarthLink TotalAccess\WENGINE\wmonitor.exe" --> c:\program files\EarthLink TotalAccess\WENGINE\wmonitor.exe [?]
    S4 PCPitstop Scheduling;PCPitstop Scheduling;e:\program files\PCPitstop\PCPitstopScheduleService.exe [9/17/2009 9:16 PM 85504]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    "c:\program files\Common Files\LightScribe\LSRunOnce.exe"
    .
    Contents of the 'Scheduled Tasks' folder

    2009-09-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 14:29]

    2009-10-07 c:\windows\Tasks\Ad-Aware.job
    - c:\progra~1\Lavasoft\Ad-Aware\Ad-Aware.exe [2009-01-18 14:29]

    2009-10-06 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2009-10-05 c:\windows\Tasks\Driver Robot.job
    - c:\program files\Driver Robot\1.1.0.4\DriverRobot.exe [2009-09-29 14:22]

    2009-10-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-162531612-725345543-1003Core.job
    - c:\documents and settings\Yury\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-30 17:03]

    2009-10-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-162531612-725345543-1003UA.job
    - c:\documents and settings\Yury\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-30 17:03]

    2009-10-10 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

    2009-10-10 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
    .
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = \blank.htm
    uStart Page = hxxp://my.yahoo.com/
    uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mLocal Page = \blank.htm
    mStart Page = hxxp://my.yahoo.com/p/d.html?v
    mSearch Bar = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=%s
    IE: &Check Spelling - c:\program files\ieSpell\ieSpell.dll/SPELLCHECK.HTM
    IE: &ieSpell Options - c:\program files\ieSpell\ieSpell.dll/SPELLOPTION.HTM
    IE: Download with &Shareaza
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} - hxxp://utilities.pcpitstop.com/Nirvana/controls/DiskMD3Ctrl.dll
    DPF: {A553720A-BFED-4EA4-A71F-7EFCA690A1F7} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcpitstopAntiVirus.dll
    FF - ProfilePath - c:\documents and settings\Yury\Application Data\Mozilla\Firefox\Profiles\zuz3oq4r.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=
    FF - component: e:\program files\Mozilla Firefox\components\rpff.dll
    FF - plugin: c:\documents and settings\Yury\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
    FF - plugin: e:\program files\Mozilla Plugins\npitunes.dll
    FF - plugin: e:\program files\Opera\program\plugins\npdsplay.dll
    FF - plugin: e:\program files\Opera\program\plugins\NPSWF32.dll
    FF - plugin: e:\program files\Opera\program\plugins\npwmsdrm.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: browser.blink_allowed - true
    FF - user.js: network.prefetch-next - true
    FF - user.js: nglayout.initialpaint.delay - 250
    FF - user.js: layout.spellcheckDefault - 1
    FF - user.js: browser.search.openintab - false
    FF - user.js: browser.tabs.closeButtons - 1
    FF - user.js: browser.tabs.opentabfor.middleclick - true
    FF - user.js: browser.tabs.tabMinWidth - 100
    .
    .
    ------- File Associations -------
    .
    JSEFile=NOTEPAD.EXE %1
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
    HKCU-Run-DealAssistant - c:\documents and settings\Yury\Application Data\DealAssistant\DealAssistant.exe
    SafeBoot-svcWRSSSDK
    AddRemove-DealAssistant - c:\documents and settings\Yury\Application Data\DealAssistant\DAUninstall.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-10-10 14:16
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-746137067-162531612-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F238CF1D-55BC-7523-7560-9CDB79BF4BC3}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_USERS\S-1-5-21-746137067-162531612-725345543-1003\Software\Zepter Software\RegLib*74b861c1\AnyDVD/1]
    "1"=dword:444c1dae
    "2"=dword:4469288a

    [HKEY_USERS\S-1-5-21-746137067-162531612-725345543-1003\Software\Zepter Software\RegLib*74b861c1\CloneDVD2/2]
    "1"=dword:4459420d
    "2"=dword:44d6822c

    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Toolbar\Explorer]
    @DACL=(02 0000)

    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
    @DACL=(02 0000)

    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    @DACL=(02 0000)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(716)
    e:\program files\SUPERAntiSpyware\SASWINLO.dll
    .
    Completion time: 2009-10-10 14:19
    ComboFix-quarantined-files.txt 2009-10-10 18:19

    Pre-Run: 4,351,975,424 bytes free
    Post-Run: 4,366,622,720 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptOut

    791 --- E O F --- 2009-10-04 20:39
    frustrated yurka
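The Reg Loading Points and Orphans sections of the log above carry the security-relevant facts of this thread: Security Center told to stop warning (AntiVirusOverride=1, DisableMonitoring=1), the standard-profile Windows Firewall switched off (EnableFirewall=0), and the HKCU Run entry for DealAssistant.exe that ComboFix removed. The Python script below is an added example, not part of the original post and not ComboFix's own code: it parses that style of output and lists those findings. The sample log is copied from the post; the rules, the severity labels and the "user-writable path" heuristic are this example's own assumptions.

```python
"""Triage helper for ComboFix-style 'Reg Loading Points' output (added example).
Rules and severity labels are assumptions of this example, not ComboFix's."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix log posted in the thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Free Ram Optimizer"="e:\program files\AceLogix\Free Ram Optimizer\fro.exe" [2003-08-22 57344]
"Google Update"="c:\documents and settings\Yury\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-30 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

- - - - ORPHANS REMOVED - - - -

HKCU-Run-DealAssistant - c:\documents and settings\Yury\Application Data\DealAssistant\DealAssistant.exe
SafeBoot-svcWRSSSDK
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<val>.*)$')
# ComboFix renders REG_DWORD either as dword:00000001 or as "0 (0x0)".
DWORD_RE = re.compile(r"^(?:dword:(?P<hex>[0-9a-fA-F]{1,8})|(?P<dec>\d+)\s*\(0x[0-9a-fA-F]+\))")
PATH_RE = re.compile(r'^"(?P<path>[^"]+)"')
ORPHAN_RE = re.compile(r"^(?P<hive>HKCU|HKLM)-Run-(?P<name>\S+)\s+-\s+(?P<path>.+)$")

# Assumed heuristic: Run entries that start from user-writable profile folders
# (where adware droppers usually land, but also Google Update) get a second look.
USER_WRITABLE_MARKERS = ("\\application data\\", "\\local settings\\")
OVERRIDE_VALUES = ("antivirusoverride", "firewalloverride", "updatesoverride")


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info" (labels assumed by this example)
    where: str     # registry key, or the hive of an orphaned Run value
    detail: str


def parse_reg_sections(text):
    """Return [(key, [(name, raw_value), ...]), ...] for each [key] block."""
    sections = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = (m.group("key"), [])
            sections.append(current)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[1].append((m.group("name"), m.group("val").strip()))
    return sections


def reg_int(raw):
    """Decode a ComboFix DWORD rendering; None when the value is not numeric."""
    m = DWORD_RE.match(raw)
    if not m:
        return None
    return int(m.group("hex"), 16) if m.group("hex") else int(m.group("dec"))


def triage(text):
    findings = []
    for key, values in parse_reg_sections(text):
        k = key.lower()
        if "security center" in k:
            for name, raw in values:
                if name.lower() in OVERRIDE_VALUES and reg_int(raw) == 1:
                    findings.append(Finding("high", key, f"{name}=1: Security Center told not to warn"))
                elif name.lower() == "disablemonitoring" and reg_int(raw) == 1:
                    findings.append(Finding("medium", key, f"{name}=1: Security Center monitoring off"))
        elif "firewallpolicy" in k:
            for name, raw in values:
                if name.lower() == "enablefirewall" and reg_int(raw) == 0:
                    findings.append(Finding("high", key, "Windows Firewall disabled for this profile"))
        elif k.endswith("\\currentversion\\run"):
            for name, raw in values:
                pm = PATH_RE.match(raw)
                if pm and any(t in pm.group("path").lower() for t in USER_WRITABLE_MARKERS):
                    findings.append(Finding("medium", key, f"Run '{name}' starts from a user-writable path: {pm.group('path')}"))
    # Orphans are autostarts ComboFix already removed; keep them as evidence.
    for line in text.splitlines():
        m = ORPHAN_RE.match(line.strip())
        if m:
            findings.append(Finding("info", f"{m.group('hive')}\\...\\Run",
                                    f"ComboFix removed autostart '{m.group('name')}' -> {m.group('path')}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.where}\n         {f.detail}")
```

Run it as a script and it prints seven findings for the sample: two high (AntiVirusOverride and the disabled firewall profile), four medium (the three DisableMonitoring values and the Run entry under Local Settings), one info (the DealAssistant autostart ComboFix already pulled). The override and DisableMonitoring values are also written by some third-party security suites and by users who click "I'll monitor my antivirus myself", so the script marks them for confirmation rather than treating them as proof of infection; what it does make certain is that XP's Security Center will stay silent and the standard-profile firewall is off until those values are reset.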
