Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

SvcHost.exe error [Solved]

Started by GotMeBeat , Mar 14 2009 01:20 PM

  • This topic is locked This topic is locked

#1
GotMeBeat
Posted 14 March 2009 - 01:20 PM

GotMeBeat

    New Member

  • Member
  • Pip
  • 4 posts
I am running a computer I built myself with Windows XP sp3 updated as of a few weeks ago. If you need to know specifics on hardware, I will happily supply the information.

Upon starting up my computer, I am unable to play sounds, the task bar changes from XP to classic style, and I receive two svchost.exe errors (Instruction at 0x7564d383... and another that I haven't recorded). Occasionally, the internet ceases to function and the Network and Internet connections dialogue box is empty. I went through all the required steps before coming to post an OTList log and ask for help. I was, however, unable to run the Malwarebytes' AntiMalware even after renaming the setup file and retrying, multiple times. I am also unable to run windows update, but I had been running it automatically until this problem 3 or 4 days ago.

At the beginning of the problem I ran AVG free with the most recent updates and removed three "RECYCLER" viruses which consisted of a folder namer RECYCLER and one file with a long string of numbers ending in .com. I also ran Ad-Aware (fully updated) and allowed it to take recommended actions on all potential threats.

Following are the OTListIt log, the Extras log, and the Rooter Rootkit Detector Log.

------------------------------------------------------------------------------------------
OTListIt logfile created on: 3/14/2009 3:00:51 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.3.7 Folder = C:\Documents and Settings\MFGeisler\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18372)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.55 Gb Available Physical Memory | 77.47% Memory free
3.85 Gb Paging File | 3.48 Gb Available in Paging File | 90.48% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 9.77 Gb Total Space | 1.84 Gb Free Space | 18.80% Space Free | Partition Type: NTFS
Drive D: | 180.14 Gb Total Space | 61.92 Gb Free Space | 34.37% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive V: | 298.09 Gb Total Space | 82.22 Gb Free Space | 27.58% Space Free | Partition Type: NTFS

Computer Name: ZEKE
Current User Name: MFGeisler
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
PRC - C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\WINDOWS\system32\wdfmgr.exe (Microsoft Corporation)
PRC - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe (Advanced Micro Devices Inc.)
PRC - C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
PRC - C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
PRC - C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe (AMD)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\AVG\AVG8\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe (ATI Technologies Inc.)
PRC - C:\WINDOWS\system32\wbem\unsecapp.exe (Microsoft Corporation)
PRC - C:\Documents and Settings\MFGeisler\Desktop\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (Ati HotKey Poller [Auto | Running]) -- C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
SRV - (avg8wd [Auto | Running]) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (getPlus® Helper [On_Demand | Stopped]) -- File not found
SRV - (helpsvc [Auto | Stopped]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (Lavasoft Ad-Aware Service [Auto | Running]) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SRV - (odserv [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (UMWdf [Auto | Running]) -- C:\WINDOWS\system32\wdfmgr.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (ALCXWDM [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)
DRV - (ati2mtag [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ati2mtag.sys (ATI Technologies Inc.)
DRV - (AvgLdx86 [System | Running]) -- C:\WINDOWS\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgMfx86 [System | Running]) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (dtscsi [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\dtscsi.sys ()
DRV - (Lbd [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)
DRV - (nvata [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\nvata.sys (NVIDIA Corporation)
DRV - (NVENETFD [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\NVENETFD.sys (NVIDIA Corporation)
DRV - (nvnetbus [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\nvnetbus.sys (NVIDIA Corporation)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (PxHelp20 [Boot | Running]) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (sptd [Boot | Running]) -- C:\WINDOWS\System32\Drivers\sptd.sys ()

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...p...&ar=msnhome
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder:
FF - prefs.js..browser.startup.homepage: "http://www.google.com/ig"
FF - prefs.js..extensions.enabledItems: {CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}:1.5.2.35
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:8.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.7
FF - prefs.js..extensions.enabledItems: {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}:3.61
FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\PROGRAM FILES\AVG\AVG8\FIREFOX [2009/02/05 04:06:31 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.7\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/03/14 14:40:13 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.7\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/03/08 19:04:55 | 00,000,000 | ---D | M]
[2009/01/05 23:05:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\MFGeisler\Application Data\mozilla\Extensions
[2009/01/05 23:05:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\MFGeisler\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/03/13 20:19:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\MFGeisler\Application Data\mozilla\Firefox\Profiles\64842qrs.default\extensions
[2009/03/09 19:54:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\MFGeisler\Application Data\mozilla\Firefox\Profiles\64842qrs.default\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
[2009/01/07 17:27:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\MFGeisler\Application Data\mozilla\Firefox\Profiles\64842qrs.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}
[2009/01/05 23:05:10 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/03/08 19:04:55 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/03/08 19:04:47 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/03/08 19:04:47 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll

O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
O4 - HKLM..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [FRYMXINS] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl" (ATI Technologies, Inc.)
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun (Advanced Micro Devices, Inc.)
O4 - HKCU..\Run: [HydraVisionDesktopManager] "C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe" (AMD)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSimpleStartMenu = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Microsoft Office 2007\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1231792056250 (MUWebControl Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Interfaces\{EA18EB03-20C4-4046-9786-201C34035FF4}\\NameServer = 85.255.112.226,85.255.112.96
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\system32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - Autorun File - C:\AUTOEXEC.BAT () - [ NTFS ]

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[2009/03/14 15:00:02 | 00,497,152 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\MFGeisler\Desktop\OTListIt2.exe
[2009/03/14 14:53:46 | 00,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2009/03/14 14:48:56 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/03/14 14:47:44 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/03/14 14:41:58 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/03/14 14:41:58 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/03/14 14:41:56 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/03/14 14:41:55 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/03/14 14:41:55 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/03/14 14:40:55 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009/03/14 13:35:09 | 00,267,612 | ---- | C] () -- C:\Documents and Settings\MFGeisler\Desktop\Rooter.exe
[2009/03/13 20:06:27 | 00,000,000 | ---D | C] -- C:\WINDOWS\SoftwareDistribution
[2009/03/13 19:35:37 | 00,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2009/03/11 17:02:47 | 00,000,000 | ---D | C] -- C:\Program Files\Realtek AC97
[2009/03/11 15:08:31 | 00,000,169 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2009/03/11 14:59:27 | 00,000,000 | ---D | C] -- C:\Program Files\Autorun Eater
[2009/03/08 18:05:08 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\Lang
[2009/03/08 15:05:15 | 00,940,794 | ---- | C] () -- C:\WINDOWS\System32\LoopyMusic.wav
[2009/03/08 15:05:15 | 00,146,650 | ---- | C] () -- C:\WINDOWS\System32\BuzzingBee.wav
[2009/02/16 22:43:23 | 00,015,688 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2009/02/16 18:16:45 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/02/16 18:16:39 | 00,064,160 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2009/02/16 18:16:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\DRVSTORE
[2009/02/16 18:11:42 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
[2009/02/16 18:11:36 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2009/02/16 18:11:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[2009/03/14 15:00:03 | 00,497,152 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\MFGeisler\Desktop\OTListIt2.exe
[2009/03/14 15:00:02 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/03/14 14:57:59 | 00,000,080 | -HS- | M] () -- C:\Documents and Settings\MFGeisler\My Documents\desktop.ini
[2009/03/14 14:57:49 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/03/14 14:57:47 | 00,056,728 | ---- | M] () -- C:\WINDOWS\System32\ativvaxx.cap
[2009/03/14 14:41:58 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/03/14 13:35:37 | 34,058,980 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/03/14 13:35:09 | 00,267,612 | ---- | M] () -- C:\Documents and Settings\MFGeisler\Desktop\Rooter.exe
[2009/03/14 13:32:35 | 06,947,104 | -H-- | M] () -- C:\Documents and Settings\MFGeisler\Local Settings\Application Data\IconCache.db
[2009/03/13 19:35:36 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/03/13 08:43:26 | 00,037,735 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/03/11 17:06:34 | 00,019,456 | ---- | M] () -- C:\Documents and Settings\MFGeisler\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/11 15:08:31 | 00,000,169 | ---- | M] () -- C:\WINDOWS\RtlRack.ini
[2009/03/11 03:07:02 | 00,264,616 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/03/11 03:01:00 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/03/09 17:16:48 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/03/09 17:16:42 | 00,015,688 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2009/03/09 17:16:38 | 00,064,160 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2009/03/08 15:06:01 | 00,462,344 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/03/08 15:06:01 | 00,395,200 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/03/08 15:06:01 | 00,059,440 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/03/08 15:05:15 | 00,940,794 | ---- | M] () -- C:\WINDOWS\System32\LoopyMusic.wav
[2009/03/08 15:05:15 | 00,146,650 | ---- | M] () -- C:\WINDOWS\System32\BuzzingBee.wav
[2009/02/19 09:05:29 | 00,401,372 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
< End of report >

-----------------------------------------------------------------------------------------------------------------------------------------
OTListIt Extras logfile created on: 3/14/2009 3:00:51 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.3.7 Folder = C:\Documents and Settings\MFGeisler\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18372)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.55 Gb Available Physical Memory | 77.47% Memory free
3.85 Gb Paging File | 3.48 Gb Available in Paging File | 90.48% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 9.77 Gb Total Space | 1.84 Gb Free Space | 18.80% Space Free | Partition Type: NTFS
Drive D: | 180.14 Gb Total Space | 61.92 Gb Free Space | 34.37% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive V: | 298.09 Gb Total Space | 82.22 Gb Free Space | 27.58% Space Free | Partition Type: NTFS

Computer Name: ZEKE
Current User Name: MFGeisler
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"enablefirewall" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger (America Online, Inc.)
%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger (America Online, Inc.)
C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe (AVG Technologies CZ, s.r.o.)
%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 (Microsoft Corporation)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{0088533A-C3B5-3A94-E64F-5BA6D9EC95AC}" = Catalyst Control Center Localization Italian
"{011BD142-49B4-0DE4-0EBC-1CC1EA879CA1}" = Catalyst Control Center Graphics Full Existing
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{062D9176-0A68-82F2-E536-B6CFCB648474}" = CCC Help Czech
"{08149959-5F4F-1FFB-0729-930396A4FE38}" = CCC Help Chinese Standard
"{0CA3E8E6-51CD-F006-EE04-726345784F3C}" = Catalyst Control Center Localization Hungarian
"{0D21E5DF-E126-CCBA-44F0-C39437F6DFF4}" = Catalyst Control Center Localization Japanese
"{1198F4A5-65B5-6224-3EFC-6EE9CF54A80B}" = CCC Help Hungarian
"{11F2DD56-1175-D58C-D3D5-6A40573F2170}" = Catalyst Control Center Localization Thai
"{1C481534-E4E7-861F-7246-A0E0B2870A87}" = Catalyst Control Center HydraVision Full
"{24DC7910-2A3C-8DF7-4EC9-3196AA026986}" = CCC Help Japanese
"{2555F3E2-B542-48A0-0EBD-8D7C585CA645}" = Catalyst Control Center Graphics Previews Common
"{2D33A97C-C09E-A577-3DEC-140899A99996}" = CCC Help Swedish
"{2DCBA355-028D-B90D-DA6F-4766B83B4B34}" = ccc-core-preinstall
"{2E11BD62-37DE-F607-B1A2-4451617A8BD9}" = Catalyst Control Center Localization Portuguese
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4041E519-BA03-6641-3017-B270ABC7F9F9}" = Catalyst Control Center Localization Swedish
"{4CD4FF25-5673-6E99-CDFD-7F9810894164}" = Catalyst Control Center Localization Dutch
"{4F5C9F76-EB27-9AB5-E5BA-17E5451E6ECF}" = Catalyst Control Center Localization French
"{53E20E85-4F7D-A552-BE35-E13A3AAE0136}" = Catalyst Control Center Core Implementation
"{578B9B0A-DE78-D958-E733-1F6D19636A07}" = Catalyst Control Center Localization Finnish
"{59C91609-D1EC-67D6-04BD-153DDFC5A6DB}" = Catalyst Control Center Localization Greek
"{5B764556-D882-4068-05EE-3E2C5EB98F4B}" = CCC Help Norwegian
"{5D0B9DA3-5FF5-5351-CBF2-6BD6DBB7D8D3}" = Catalyst Control Center Graphics Light
"{601802D9-CE20-45D7-F59F-747D7CEF9BDC}" = CCC Help Thai
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6ED57AF9-33D1-CD51-BD67-10D7717EC031}" = Skins
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{719E15DE-65EA-ABE2-74CD-9AF842505FFD}" = CCC Help Finnish
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{747A8FF8-36B9-28D3-6CA5-6C34E46650C9}" = Catalyst Control Center Localization Spanish
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7953E06D-CDE9-1EB1-7CCC-3F9814970E85}" = CCC Help Russian
"{7B3DE20B-12F9-9E3C-1E21-08A0379DFE07}" = CCC Help Chinese Traditional
"{81987CB8-3D1B-1A2C-AE46-8E56FB5360C4}" = Catalyst Control Center Localization German
"{8A9E2571-44CC-C3CE-DACF-7D49EE160F80}" = Catalyst Control Center Graphics Full New
"{8B21757D-5AD0-443C-0B02-3A81901576B9}" = ccc-utility
"{8DC42D05-680B-41B0-8878-6C14D24602DB}" = QuickTime
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{3EC77D26-799B-4CD8-914F-C1565E796173}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{430971B1-C31E-45DA-81E0-72C095BAB72C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{F7A31780-33C4-4E39-951A-5EC9B91D7BF1}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{9A259CBB-BD0D-1DF8-E657-6B65636C20AD}" = Catalyst Control Center Localization Norwegian
"{9F1EAC9C-B135-1672-60D3-D9B009FB86C7}" = CCC Help Polish
"{A1D530E4-E6D9-2ACD-FEF6-BAF39A1A6D93}" = CCC Help Turkish
"{A38032BB-7B5E-CCD2-6BFB-D5943C3C77BA}" = Catalyst Control Center Localization Danish
"{A94C6D45-5A5F-2550-CA6B-BF5256854E8B}" = Catalyst Control Center Localization Polish
"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
"{AD068483-1E11-3B1A-E866-D6F30961AD21}" = CCC Help Italian
"{B39895A3-FF92-807D-61E8-E52340BB25C1}" = CCC Help Greek
"{B565D094-8FE6-D9BC-40EE-0627F7480E75}" = CCC Help Spanish
"{C042DB01-01CC-F821-9417-0E8EE049F79F}" = Catalyst Control Center Localization Chinese Standard
"{C5AEBFD6-3AF9-4784-81C2-F442C86AA096}" = FireGL driver for 3D Studio MAX/VIZ
"{C9005A17-95D5-AEA5-C339-F84F20BF94EF}" = CCC Help German
"{CA795A4D-5CA8-C561-A145-192D85526D6D}" = CCC Help Portuguese
"{CBBCD044-B406-4C41-A3DD-99DE6F0004D2}" = ATI Hydravision APS
"{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}" = getPlus® for Adobe
"{D50BBB80-1DC9-9376-C3D4-D5947AF30E2C}" = CCC Help Korean
"{D541AD3B-BF0B-BE09-D588-C05763D7F875}" = Catalyst Control Center Localization Turkish
"{D5D7E62F-5A01-1C5B-1FC9-D1A9C5796E33}" = CCC Help French
"{DABF79AA-DE47-7F41-C1C4-DC51AAABC67F}" = CCC Help Dutch
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E130868E-D095-4A7D-250C-618B2C84E349}" = CCC Help English
"{E635221F-390F-F027-ED8E-4F4B33837AE8}" = Catalyst Control Center Localization Russian
"{EC31D769-2712-F5E5-4146-140FB3060DDA}" = Catalyst Control Center Localization Czech
"{EF79F558-31D2-93AD-F897-347A6543B827}" = Catalyst Control Center Localization Chinese Traditional
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FBE6B162-D772-A4CB-3DD3-D79CC94BB9FB}" = ccc-core-static
"{FC1C7967-A1AC-6659-62A7-07E087FF39DF}" = CCC Help Danish
"{FCCDE84B-0154-459E-A8F2-C6B3FA5C1881}" = HydraVision
"{FD7AAB8A-EA95-E05F-4229-72C2E4817D8B}" = Catalyst Control Center Localization Korean
"Ad-Aware" = Ad-Aware
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"All ATI Software" = ATI - Software Uninstall Utility
"AOL Instant Messenger" = AOL Instant Messenger
"ATI Display Driver" = ATI Display Driver
"AVG8Uninstall" = AVG Free 8.0
"CDisplay_is1" = CDisplay 1.8
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"ENTERPRISE" = Microsoft Office Enterprise 2007
"ERUNT_is1" = ERUNT 1.1j
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8 Release Candidate 1
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"Mozilla Firefox (3.0.7)" = Mozilla Firefox (3.0.7)
"MSNINST" = MSN
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"ViewpointMediaPlayer" = Viewpoint Media Player
"VLC media player" = VLC media player 0.9.8a
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/16/2009 9:12:05 PM | Computer Name = ZEKE | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 2/18/2009 3:02:37 AM | Computer Name = ZEKE | Source = Application Error | ID = 1000
Description = Faulting application winamp.exe, version 5.5.4.2165, faulting module
unknown, version 0.0.0.0, fault address 0x0000008c.

Error - 2/22/2009 9:48:28 PM | Computer Name = ZEKE | Source = Application Error | ID = 1000
Description = Faulting application winamp.exe, version 5.5.4.2165, faulting module
unknown, version 0.0.0.0, fault address 0x0000008c.

Error - 2/22/2009 9:48:44 PM | Computer Name = ZEKE | Source = Application Error | ID = 1000
Description = Faulting application winamp.exe, version 5.5.4.2165, faulting module
unknown, version 0.0.0.0, fault address 0x0000008c.

Error - 2/22/2009 9:48:54 PM | Computer Name = ZEKE | Source = Application Error | ID = 1000
Description = Faulting application winamp.exe, version 5.5.4.2165, faulting module
unknown, version 0.0.0.0, fault address 0x0000008c.

Error - 2/22/2009 9:53:45 PM | Computer Name = ZEKE | Source = Application Error | ID = 1000
Description = Faulting application winamp.exe, version 5.5.4.2165, faulting module
unknown, version 0.0.0.0, fault address 0x0000008c.

Error - 2/27/2009 1:53:25 AM | Computer Name = ZEKE | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3306, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 3/14/2009 5:58:25 PM | Computer Name = ZEKE | Source = Service Control Manager | ID = 7034
Description = The System Restore Service service terminated unexpectedly. It has
done this 1 time(s).

Error - 3/14/2009 5:58:25 PM | Computer Name = ZEKE | Source = Service Control Manager | ID = 7034
Description = The Telephony service terminated unexpectedly. It has done this 1
time(s).

Error - 3/14/2009 5:58:25 PM | Computer Name = ZEKE | Source = Service Control Manager | ID = 7031
Description = The Themes service terminated unexpectedly. It has done this 1 time(s).
The following corrective action will be taken in 60000 milliseconds: Restart the
service.

Error - 3/14/2009 5:58:25 PM | Computer Name = ZEKE | Source = Service Control Manager | ID = 7034
Description = The Distributed Link Tracking Client service terminated unexpectedly.
It has done this 1 time(s).

Error - 3/14/2009 5:58:25 PM | Computer Name = ZEKE | Source = Service Control Manager | ID = 7031
Description = The Windows Time service terminated unexpectedly. It has done this
1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 3/14/2009 5:58:25 PM | Computer Name = ZEKE | Source = Service Control Manager | ID = 7031
Description = The Windows Management Instrumentation service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
60000 milliseconds: Restart the service.

Error - 3/14/2009 5:58:25 PM | Computer Name = ZEKE | Source = Service Control Manager | ID = 7034
Description = The Security Center service terminated unexpectedly. It has done
this 1 time(s).

Error - 3/14/2009 5:58:25 PM | Computer Name = ZEKE | Source = Service Control Manager | ID = 7034
Description = The Automatic Updates service terminated unexpectedly. It has done
this 1 time(s).

Error - 3/14/2009 5:58:25 PM | Computer Name = ZEKE | Source = Service Control Manager | ID = 7034
Description = The Wireless Zero Configuration service terminated unexpectedly.
It has done this 1 time(s).

Error - 3/14/2009 5:59:41 PM | Computer Name = ZEKE | Source = DCOM | ID = 10005
Description = DCOM got error "%109" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}


< End of report >
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Microsoft Windows XP Professional (5.1.2600) Service Pack 3

A:\ [Removable] (Total:0 Mo/Free:0 Mo)
C:\ [Fixed] - NTFS - (Total:10001 Mo/Free:1996 Mo)
D:\ [Fixed] - NTFS - (Total:184465 Mo/Free:1966 Mo)
E:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
F:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
V:\ [Fixed] - NTFS - (Total:305242 Mo/Free:2277 Mo)

Sat 03/14/2009|14:41

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
---------- C:\WINDOWS\Explorer.EXE
---------- C:\WINDOWS\system32\wbem\unsecapp.exe
---------- C:\WINDOWS\system32\wbem\wmiprvse.exe
---------- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
---------- C:\WINDOWS\system32\ctfmon.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters]
NameServer REG_SZ 85.255.112.226,85.255.112.96
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters]
NameServer REG_SZ 85.255.112.226,85.255.112.96
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters]
NameServer REG_SZ 85.255.112.226,85.255.112.96
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
NameServer REG_SZ 85.255.112.226,85.255.112.96
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\..\{EA18EB03-20C4-4046-9786-201C34035FF4}]
NameServer REG_SZ 85.255.112.226,85.255.112.96
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\..\{EA18EB03-20C4-4046-9786-201C34035FF4}]
NameServer REG_SZ 85.255.112.226,85.255.112.96
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\..\{EA18EB03-20C4-4046-9786-201C34035FF4}]
NameServer REG_SZ 85.255.112.226,85.255.112.96
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\..\{EA18EB03-20C4-4046-9786-201C34035FF4}]
NameServer REG_SZ 85.255.112.226,85.255.112.96
==> WAREOUT <==

----------------------\\ ROOTKIT !!



1 - "C:\Rooter$\Rooter_1.txt" - Sat 03/14/2009|14:41

----------------------\\ Scan completed at 14:41
--------------------------------------------------------------------------------------------------------------------------------------------------------------------

Thank you in advance for your time.
  • 0

Advertisements

#2
JSntgRvr
Posted 14 March 2009 - 11:30 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Hi, GotMeBeat. :)

Welcome.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • If you receive a message that Combofix has detected the presence of rootkit activity and needs to reboot, kindly write down on paper the list of files present in the message before continuing, and post it in our next reply.
  • Install the Recovery Console upon request.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
  • 0

#3
GotMeBeat
Posted 15 March 2009 - 08:56 PM

GotMeBeat

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Alright, I managed to get the program to run. However, the first few attempts were unsuccessful. I only received a tiny box that said ComboFix with a progress bar that filled up and disappeared. This was followed by a long stretch of nothing after which no program would open and the desktop froze, both of which are symptoms that I have experienced since this whole fiasco began.
That being said:

Rootkit Activity Detected:
C:\Windows\system32\drivers\gaopdxovhklungwwktuvqbuwsfldvyfvamrste.sys
C:\Windows\system32\gaopdxpxdrqrsvotpxyumvvlirsrippdrnmyxi.dll

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
ComboFix 09-03-15.01 - MFGeisler 2009-03-15 19:45:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1625 [GMT -7:00]
Running from: c:\documents and settings\MFGeisler\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\MFGEIS~1\LOCALS~1\Temp\tmp2.tmp
c:\windows\system32\drivers\gaopdxovhklvngwwktuvqbuwsfldvyfvamrste.sys
c:\windows\system32\drivers\gaopdxxvkbgkgepxudyijkdltxqwwsxmujnkao.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxpxdrqrsvotpxyumvvlirsrippdrnmyxi.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-02-16 to 2009-03-16 )))))))))))))))))))))))))))))))
.

2009-03-14 14:59 . 2009-03-14 14:59 <DIR> d--hs---- c:\documents and settings\MFGeisler\PrivacIE
2009-03-14 14:59 . 2009-03-14 14:59 <DIR> d--hs---- c:\documents and settings\MFGeisler\IETldCache
2009-03-14 14:53 . 2009-03-14 14:55 <DIR> d--h-c--- c:\windows\ie8
2009-03-14 14:47 . 2009-03-14 14:47 <DIR> d-------- c:\program files\ERUNT
2009-03-14 14:41 . 2009-03-14 14:50 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-14 14:41 . 2009-03-14 14:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-14 14:41 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-14 14:41 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-14 14:40 . 2009-03-14 14:41 <DIR> d-------- C:\Rooter$
2009-03-13 19:35 . 2009-03-13 19:37 <DIR> d-------- c:\documents and settings\Administrator
2009-03-11 17:02 . 2009-03-11 17:02 <DIR> d-------- c:\program files\Realtek AC97
2009-03-11 15:08 . 2009-03-11 15:08 169 --a------ c:\windows\RtlRack.ini
2009-03-11 14:59 . 2009-03-13 20:06 <DIR> d-------- c:\program files\Autorun Eater
2009-03-08 18:05 . 2009-03-08 18:05 <DIR> d-------- c:\windows\system32\Lang
2009-03-08 15:05 . 2009-03-08 15:05 940,794 --a------ c:\windows\system32\LoopyMusic.wav
2009-03-08 15:05 . 2009-03-08 15:05 146,650 --a------ c:\windows\system32\BuzzingBee.wav
2009-02-16 22:43 . 2009-03-09 17:16 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-02-16 18:16 . 2009-03-09 17:16 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-02-16 18:16 . 2009-03-09 17:16 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-16 18:11 . 2009-02-16 18:11 <DIR> d-------- c:\program files\Lavasoft
2009-02-16 18:11 . 2009-02-16 18:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-16 18:11 . 2009-02-16 18:11 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-14 02:36 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-03-11 10:00 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-05 00:19 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-02-05 00:19 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2009-02-05 00:07 96,384 ----a-w c:\windows\system32\drivers\sptd8845.sys
2009-01-26 17:08 --------- d-----w c:\program files\Common Files\Ahead
2009-01-26 01:36 --------- d-----w c:\program files\CDisplay
2009-01-18 00:26 --------- d-----w c:\documents and settings\MFGeisler\Application Data\Winamp
2009-01-15 09:05 911,872 ----a-w c:\windows\system32\wininet.dll
2009-01-15 09:05 43,008 ----a-w c:\windows\system32\licmgr10.dll
2009-01-15 09:04 18,944 ----a-w c:\windows\system32\corpol.dll
2009-01-15 09:03 72,704 ----a-w c:\windows\system32\admparse.dll
2009-01-15 09:03 71,680 ----a-w c:\windows\system32\iesetup.dll
2009-01-15 09:03 420,352 ----a-w c:\windows\system32\vbscript.dll
2009-01-15 09:01 34,304 ----a-w c:\windows\system32\imgutil.dll
2009-01-15 09:00 48,128 ----a-w c:\windows\system32\mshtmler.dll
2009-01-15 09:00 45,568 ----a-w c:\windows\system32\mshta.exe
2009-01-15 08:50 156,160 ----a-w c:\windows\system32\msls31.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HydraVisionDesktopManager"="c:\program files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe" [2007-07-25 368640]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FRYMXINS"="c:\program files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl" [X]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-04 1601304]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 c:\windows\SOUNDMAN.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-04 17:19 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 03:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2005-11-08 15:00 128920 c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 16:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"enablefirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-16 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-11 325128]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-04 298264]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951632]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe --> c:\program files\NOS\bin\getPlus_HelperSvc.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-03-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 17:16]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-NeroFilterCheck - c:\windows\system32\NeroCheck.exe


.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\MFGeisler\Application Data\Mozilla\Firefox\Profiles\64842qrs.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-15 19:46:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-03-15 19:47:32
ComboFix-quarantined-files.txt 2009-03-16 02:47:26

Pre-Run: 1,852,137,472 bytes free
Post-Run: 2,058,473,472 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
147
--------------------------------------------------------------------------------------------

I continue to thank you.
  • 0

#4
JSntgRvr
Posted 15 March 2009 - 11:01 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Hi, GotMeBeat :)

  • Please double-click OTListIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the quote below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :reg
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters]
    "NameServer"=-
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters]
    "NameServer"=-
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters]
    "NameServer"=-
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
    "NameServer"=-
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{EA18EB03-20C4-4046-9786-201C34035FF4}]
    "NameServer"=-
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{EA18EB03-20C4-4046-9786-201C34035FF4}]
    "NameServer"=-
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{EA18EB03-20C4-4046-9786-201C34035FF4}]
    "NameServer"=-
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{EA18EB03-20C4-4046-9786-201C34035FF4}]
    "NameServer"=-

    :Commands
    [emptytemp]
    [Reboot]

  • Return to OTListIt2, right click in the "Custom Scans/Fixes" window and choose Paste.
  • Click the red Run Fix button.
  • The computer will restart
  • A report will be produced and saved in the C:\_OTListIt\MovedFiles folder. Open that report and post its contents in a reply.

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA tecnology to perform the scan. If you do not have the latest JAVA version, follow the instrutions below under Upgrading Java, to download and install the latest vesion.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply. Rescan with OTListIt2 once again and post along the resulting report.
Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE) JRE 6 Update 12.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u12-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u12-windows-i586-p.exe and select "Run as an Administrator.")

  • 0

#5
GotMeBeat
Posted 16 March 2009 - 01:36 PM

GotMeBeat

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Alright, I ran the Kaspersky web scanner and the OTList again. Of interest to note, two new folders have appeared in both partitions of my master drive and on the one partition of my slave drive. The folders are titled "RECYCLER" which I thought I removed days ago and "SYSTEM VOLUME INFORMATION" which I cannot access and which I hope is related to the system restore point that I was advised to create.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, March 16, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, March 16, 2009 13:27:05
Records in database: 1915326
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
V:\

Scan statistics:
Files scanned: 78190
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 05:19:40

No malware has been detected. The scan area is clean.

The selected area was scanned.

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

OTListIt logfile created on: 3/16/2009 3:35:25 PM - Run 6
OTListIt2 by OldTimer - Version 2.0.3.7 Folder = C:\Documents and Settings\MFGeisler\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18372)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.47 Gb Available Physical Memory | 73.61% Memory free
3.85 Gb Paging File | 3.41 Gb Available in Paging File | 88.58% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 9.77 Gb Total Space | 1.72 Gb Free Space | 17.63% Space Free | Partition Type: NTFS
Drive D: | 180.14 Gb Total Space | 61.92 Gb Free Space | 34.37% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive V: | 298.09 Gb Total Space | 82.22 Gb Free Space | 27.58% Space Free | Partition Type: NTFS

Computer Name: ZEKE
Current User Name: MFGeisler
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
PRC - C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\WINDOWS\system32\wdfmgr.exe (Microsoft Corporation)
PRC - C:\Program Files\AVG\AVG8\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe (Advanced Micro Devices Inc.)
PRC - C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
PRC - C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe (AMD)
PRC - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe (ATI Technologies Inc.)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Documents and Settings\MFGeisler\Desktop\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (Ati HotKey Poller [Auto | Running]) -- C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
SRV - (avg8wd [Auto | Running]) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (getPlus® Helper [On_Demand | Stopped]) -- File not found
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (Lavasoft Ad-Aware Service [Auto | Stopped]) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SRV - (odserv [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (UMWdf [Auto | Running]) -- C:\WINDOWS\system32\wdfmgr.exe (Microsoft Corporation)
SRV - (JavaQuickStarterService [Auto | Running]) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)

========== Driver Services (SafeList) ==========

DRV - (ALCXWDM [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)
DRV - (ati2mtag [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ati2mtag.sys (ATI Technologies Inc.)
DRV - (AvgLdx86 [System | Running]) -- C:\WINDOWS\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgMfx86 [System | Running]) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (dtscsi [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\dtscsi.sys ()
DRV - (Lbd [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)
DRV - (nvata [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\nvata.sys (NVIDIA Corporation)
DRV - (NVENETFD [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\NVENETFD.sys (NVIDIA Corporation)
DRV - (nvnetbus [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\nvnetbus.sys (NVIDIA Corporation)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (PxHelp20 [Boot | Running]) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (sptd [Boot | Running]) -- C:\WINDOWS\System32\Drivers\sptd.sys ()

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...p...&ar=msnhome
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder:
FF - prefs.js..browser.startup.homepage: "http://www.google.com/ig"
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:8.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}:6.0.12
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.7
FF - prefs.js..extensions.enabledItems: {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}:3.61
FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\PROGRAM FILES\AVG\AVG8\FIREFOX [2009/02/05 04:06:31 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/03/16 08:29:24 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.7\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/03/14 14:40:13 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.7\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/03/16 08:29:32 | 00,000,000 | ---D | M]
[2009/01/05 23:05:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\MFGeisler\Application Data\mozilla\Extensions
[2009/01/05 23:05:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\MFGeisler\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/03/16 08:30:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\MFGeisler\Application Data\mozilla\Firefox\Profiles\64842qrs.default\extensions
[2009/03/09 19:54:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\MFGeisler\Application Data\mozilla\Firefox\Profiles\64842qrs.default\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
[2009/01/07 17:27:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\MFGeisler\Application Data\mozilla\Firefox\Profiles\64842qrs.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}
[2009/03/16 08:30:19 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/03/08 19:04:55 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/03/16 08:29:34 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
[2009/03/08 19:04:47 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/03/08 19:04:47 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll

O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
O4 - HKLM..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [FRYMXINS] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl" (ATI Technologies, Inc.)
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [HydraVisionDesktopManager] "C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe" (AMD)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSimpleStartMenu = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Microsoft Office 2007\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1231792056250 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\system32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - Autorun File - C:\AUTOEXEC.BAT () - [ NTFS ]

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[2009/03/16 08:30:49 | 00,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2009/03/16 08:29:20 | 00,000,000 | ---D | C] -- C:\Program Files\Java
[2009/03/16 08:28:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\MFGeisler\Application Data\Sun
[2009/03/16 08:22:53 | 00,000,000 | ---D | C] -- C:\_OTListIt
[2009/03/15 23:15:39 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/03/15 19:47:34 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/03/15 19:42:46 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/03/15 19:42:43 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/03/15 19:42:42 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/03/15 19:42:00 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/03/15 19:42:00 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/03/15 19:42:00 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/03/15 19:42:00 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/03/15 19:42:00 | 00,089,504 | ---- | C] (Smallfrogs Studio) -- C:\WINDOWS\fdsv.exe
[2009/03/15 19:42:00 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/03/15 19:42:00 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/03/15 19:42:00 | 00,049,152 | ---- | C] () -- C:\WINDOWS\VFIND.exe
[2009/03/15 19:42:00 | 00,029,696 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/03/15 19:41:56 | 00,000,000 | ---D | C] -- C:\ComboFix
[2009/03/15 19:35:17 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/03/15 19:31:55 | 02,933,823 | R--- | C] () -- C:\Documents and Settings\MFGeisler\Desktop\ComboFix.exe
[2009/03/14 15:00:02 | 00,497,152 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\MFGeisler\Desktop\OTListIt2.exe
[2009/03/14 14:53:46 | 00,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2009/03/14 14:48:56 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/03/14 14:47:44 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/03/14 14:41:58 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/03/14 14:41:58 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/03/14 14:41:56 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/03/14 14:41:55 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/03/14 14:41:55 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/03/14 14:40:55 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009/03/14 13:35:09 | 00,267,612 | ---- | C] () -- C:\Documents and Settings\MFGeisler\Desktop\Rooter.exe
[2009/03/13 20:06:27 | 00,000,000 | ---D | C] -- C:\WINDOWS\SoftwareDistribution
[2009/03/13 19:35:37 | 00,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2009/03/11 17:02:47 | 00,000,000 | ---D | C] -- C:\Program Files\Realtek AC97
[2009/03/11 15:08:31 | 00,000,169 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2009/03/11 14:59:27 | 00,000,000 | ---D | C] -- C:\Program Files\Autorun Eater
[2009/03/08 18:05:08 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\Lang
[2009/03/08 15:05:15 | 00,940,794 | ---- | C] () -- C:\WINDOWS\System32\LoopyMusic.wav
[2009/03/08 15:05:15 | 00,146,650 | ---- | C] () -- C:\WINDOWS\System32\BuzzingBee.wav
[2009/02/16 22:43:23 | 00,015,688 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2009/02/16 18:16:45 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/02/16 18:16:39 | 00,064,160 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2009/02/16 18:16:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\DRVSTORE
[2009/02/16 18:11:42 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
[2009/02/16 18:11:36 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2009/02/16 18:11:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[2009/03/16 09:06:45 | 34,098,246 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/03/16 08:24:08 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/03/16 08:24:04 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/03/16 08:24:03 | 00,056,728 | ---- | M] () -- C:\WINDOWS\System32\ativvaxx.cap
[2009/03/15 22:28:04 | 00,037,975 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/03/15 19:46:47 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/03/15 19:42:46 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/03/15 19:41:28 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/03/15 19:32:01 | 02,933,823 | R--- | M] () -- C:\Documents and Settings\MFGeisler\Desktop\ComboFix.exe
[2009/03/14 15:00:03 | 00,497,152 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\MFGeisler\Desktop\OTListIt2.exe
[2009/03/14 14:57:59 | 00,000,080 | -HS- | M] () -- C:\Documents and Settings\MFGeisler\My Documents\desktop.ini
[2009/03/14 14:41:58 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/03/14 13:35:09 | 00,267,612 | ---- | M] () -- C:\Documents and Settings\MFGeisler\Desktop\Rooter.exe
[2009/03/14 13:32:35 | 06,947,104 | -H-- | M] () -- C:\Documents and Settings\MFGeisler\Local Settings\Application Data\IconCache.db
[2009/03/11 17:06:34 | 00,019,456 | ---- | M] () -- C:\Documents and Settings\MFGeisler\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/11 15:08:31 | 00,000,169 | ---- | M] () -- C:\WINDOWS\RtlRack.ini
[2009/03/11 03:07:02 | 00,264,616 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/03/11 03:01:00 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/03/09 17:16:48 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/03/09 17:16:42 | 00,015,688 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2009/03/09 17:16:38 | 00,064,160 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2009/03/08 15:06:01 | 00,462,344 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/03/08 15:06:01 | 00,395,200 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/03/08 15:06:01 | 00,059,440 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/03/08 15:05:15 | 00,940,794 | ---- | M] () -- C:\WINDOWS\System32\LoopyMusic.wav
[2009/03/08 15:05:15 | 00,146,650 | ---- | M] () -- C:\WINDOWS\System32\BuzzingBee.wav
[2009/02/19 09:05:29 | 00,401,372 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
< End of report >
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Thank you.
  • 0

#6
JSntgRvr
Posted 16 March 2009 - 06:00 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Hi, GotMeBeat :)

Logs look clear. How is the computer doing?
  • 0

#7
GotMeBeat
Posted 17 March 2009 - 07:08 AM

GotMeBeat

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
By Jove! I think you've got it!

I am entirely symptom free for now; however, what should I do about the RECYCLER and SYSTEM VOLUME INFORMATION folders? They aren't associated with any program I know and that makes me nervous.


Thank you for all your hard work these past few days.
  • 0

#8
JSntgRvr
Posted 17 March 2009 - 09:37 AM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Hi, GotMeBeat :)

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK..

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.

    Posted Image
Create a Restore point (If the above process fails to do so):
  • Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  • In the System Restore dialog box, click Create a restore point, and then click Next.
  • Type a description for your restore point, such as "After Cleanup", then click Create.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • ZonedOut + IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Miekiemoes.

Best wishes! Posted Image
  • 0

#9
JSntgRvr
Posted 20 March 2009 - 08:38 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP