
Assistance required | Trojan lurking? [Solved]


  • This topic is locked

#1 Versacci (Member, 42 posts)
Hi peeplz.

Please could someone take a look at my HJT log. Recently the computer is freezing, and the CPU is hitting 100% frequently when nothing (appears) to be running. Comp also taking an age to start up, so think I may have picked up something somewhere.

I'd really appreciate it if one of you pros could take a look for me. :)

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:15:01, on 26/08/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\1209815663\ee\AOLSoftware.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Avant Browser\avant.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gb10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-gb10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gb10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-gb10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-gb10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://gb10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://google.co.uk/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1209815663\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBP4\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valu...018/flashax.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVRedirector - Unknown owner - C:\Program Files\Invisible IP Map\AVRedirector.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCProxy - Unknown owner - C:\WINDOWS\system32\PCProxy.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: StumbleUponUpdateService - stumbleupon.com - C:\Program Files\StumbleUpon\StumbleUponUpdateService.exe

--
End of file - 6918 bytes
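A defender's first pass over a HijackThis log like the one above is to flag the classes of entry that the helper later acts on: items that reference a file which no longer exists, services with no publisher, and browser start/search pages pointing at hosts the user did not choose. The script below is an added example written for this thread; it is not HijackThis code and was not posted by anyone in the thread. The sample lines are copied from the log above, and the trusted-host allowlist passed to `triage()` is an assumption that an analyst fills in for the machine in question.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Lines copied from the HijackThis log posted in this thread. Header and
# process-list lines are included to show that they are skipped.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
C:\WINDOWS\System32\smss.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://gb10.hpwis.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AVRedirector - Unknown owner - C:\Program Files\Invisible IP Map\AVRedirector.exe (file missing)
O23 - Service: PCProxy - Unknown owner - C:\WINDOWS\system32\PCProxy.exe
"""

# Every HJT entry starts with a section code (R0, O4, O23, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# Browser settings (R0/R1) carry the configured URL after an "=".
URL_RE = re.compile(r"=\s*(?P<url>https?://\S+)")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def triage(log_text, trusted_hosts=frozenset()):
    """Return a list of Findings for the entries an analyst should look at first.

    trusted_hosts: hostnames the user is known to have chosen for their
    start/search pages (an assumption supplied by the analyst).
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines and the running-process list
        section, body = m.group("section"), m.group("body")

        # HJT marks entries whose target is gone; these are leftovers of a
        # removed program or of malware that was partially cleaned.
        if "(file missing)" in body or "(no file)" in body:
            findings.append(Finding(section, "orphaned entry: target file does not exist", line))

        # A service with no publisher is not proof of malware, but it is
        # the first thing to verify (the fix in this thread removed one).
        if section == "O23" and "Unknown owner" in body:
            findings.append(Finding(section, "service with no publisher information", line))

        # Start/search pages set to a host the user did not choose.
        if section in ("R0", "R1"):
            u = URL_RE.search(body)
            if u:
                host = urlparse(u.group("url")).hostname or ""
                if host not in trusted_hosts:
                    findings.append(
                        Finding(section, f"browser setting points at untrusted host {host}", line)
                    )
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, trusted_hosts=frozenset({"google.co.uk"})):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample, the script reports the hpwis.com start page, the dead Yahoo! Toolbar hook, the AVRedirector service (flagged twice: no publisher and file missing) and the PCProxy service, while the Avira entries pass. Those first three are exactly the items the helper's OTS fix in post #6 removes; PCProxy is the kind of entry you verify by hand before deciding anything.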



#2 Versacci (Topic Starter, 42 posts)
Anyone? :)

#3 Octagonal (Member, 2,528 posts)
Take a look at this topic which will give instructions for help when your topic is at least three days old and you haven't received help.

The topic is also pinned at the top of this forum.

#4 hammerman (Member, 4,183 posts)
Hello Versacci and welcome to GeeksToGo :)
I'm hammerman and I'm going to help you fix your problem.

Before we begin, I suggest you print or save any instructions I give you for easy reference. We may be using Safe mode and you will not always be able to access this thread. You can copy and paste these instructions into Notepad and then save the text file to your Desktop. If you need any help with this or further clarification, please let me know.

Sorry for the delay in replying to you.

Please follow these steps.

-- Step 1 --

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

-- Step 2 --

To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on the insert icon to insert the attachment into your post

-- Step 3 --

We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


#5 Versacci (Topic Starter, 42 posts)
Attached File: OTS.Txt (152.17 KB)

Hi, hammerman, thanks for helping :)

OK, here's the info you requested, and hope all's there.

P.S. One thing that has also happened lately is that AntiVir won't update, and Windows is telling me my antivirus is out of date. I've tried to update AntiVir myself and it stalls and won't update. Just thought I should mention this anyway.

Ok here are the logs:

MBAM:

Malwarebytes' Anti-Malware 1.41
Database version: 2823
Windows 5.1.2600 Service Pack 2

19/09/2009 13:31:32
mbam-log-2009-09-19 (13-31-32).txt

Scan type: Quick Scan
Objects scanned: 102224
Time elapsed: 4 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

OTS attachment (see attachments)

RootRepeal Log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/19 13:17
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEC895000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79CD000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEB580000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\VZDGDX2X.DJJ\QW62PAVC.HJD\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\VZDGDX2X.DJJ\QW62PAVC.HJD\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf7a8c446

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf7a8c43c

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xf7a8c44b

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xf7a8c455

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xf7a8c45a

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf7a8c428

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xf7a8c42d

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xf7a8c464

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xf7a8c45f

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xf7a8c450

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xf7a8c437

==EOF==
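RootRepeal cannot name the owner of the eleven SSDT hooks in the log above, but their handler addresses all lie within a few dozen bytes of each other (0xf7a8c428 to 0xf7a8c464), which is the signature of one driver hooking a related set of functions rather than eleven independent hooks. The script below is an added example for this thread, not RootRepeal's code, that parses the SSDT section and groups hooks by handler address. Four of its five entries are copied from the log above; the fifth, attributed to a made-up `example.sys` at a constructed address, is there only to show how a second driver would appear as a separate cluster.

```python
"""Group the SSDT hooks in a RootRepeal report by handler address (added example, not RootRepeal code)."""
import re
from dataclasses import dataclass

# Four entries copied from the RootRepeal log posted above, plus one
# constructed entry (example.sys, address 0xf7000010) for contrast.
SAMPLE_SSDT = r"""
SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf7a8c446

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf7a8c43c

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf7a8c428

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xf7a8c437

#: 999 Function Name: NtConstructedExample
Status: Hooked by "C:\WINDOWS\system32\drivers\example.sys" at address 0xf7000010

==EOF==
"""

# One RootRepeal SSDT entry spans two lines: "#: NNN Function Name: X" then "Status: ...".
ENTRY_RE = re.compile(
    r'#:\s*(?P<idx>\d+)\s+Function Name:\s*(?P<fn>\w+)\s*\n'
    r'Status:\s*Hooked by "(?P<owner>[^"]+)" at address (?P<addr>0x[0-9A-Fa-f]+)'
)


@dataclass(frozen=True)
class Hook:
    index: int      # SSDT slot number
    function: str   # hooked Nt* function
    owner: str      # module RootRepeal attributed the hook to, or "<unknown>"
    address: int    # address of the replacement handler


def parse_ssdt(report_text):
    """Extract every hooked entry from the SSDT section of a RootRepeal report."""
    return [
        Hook(int(m["idx"]), m["fn"], m["owner"], int(m["addr"], 16))
        for m in ENTRY_RE.finditer(report_text)
    ]


def cluster_hooks(hooks, span=0x1000):
    """Group hooks whose handler addresses lie within `span` bytes of the cluster start.

    Handlers packed into one small address range live in one driver's image,
    so this recovers "how many modules are hooking" even when the owner is
    reported as <unknown>. `span` is a heuristic; 4 KiB (one page) is a
    conservative default for handlers that sit in a single thunk table.
    """
    clusters = []
    for h in sorted(hooks, key=lambda h: h.address):
        if clusters and h.address - clusters[-1]["low"] <= span:
            c = clusters[-1]
            c["high"] = h.address
            c["hooks"].append(h)
            c["owners"].add(h.owner)
        else:
            clusters.append({"low": h.address, "high": h.address, "hooks": [h], "owners": {h.owner}})
    return clusters


def describe(cluster):
    """One-line summary of a cluster for a triage note."""
    fns = ", ".join(h.function for h in cluster["hooks"])
    owners = ", ".join(sorted(cluster["owners"]))
    width = cluster["high"] - cluster["low"]
    return f"{len(cluster['hooks'])} hook(s) by {owners} in {width + 1} bytes: {fns}"


if __name__ == "__main__":
    for c in cluster_hooks(parse_ssdt(SAMPLE_SSDT)):
        print(describe(c))
```

On the full log above this yields a single cluster of eleven `<unknown>` hooks covering 61 bytes. The functions involved (registry key create/delete/set/restore, process and thread open/create/terminate) are the set that security products' self-protection drivers commonly hook, and both Avira and McAfee are installed on this machine, so an unknown owner here is a lead to confirm, not a verdict. That is why the helper's next step is a second, independent rootkit scanner (SysProt) rather than acting on this section.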

#6 hammerman (Member, 4,183 posts)
Hello,

Please follow these steps and then give me an update on the problems you are having.

-- Step 1 --

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Kill All Processes]
[Unregister Dlls]
[Win32 Services - Safe List]
YY -> (AVRedirector) AVRedirector [Win32_Own | On_Demand | Stopped] ->
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > ->
YN -> HKEY_LOCAL_MACHINE\: Main\\"Default_Page_URL" -> http://gb10.hpwis.com/
YN -> HKEY_LOCAL_MACHINE\: Main\\"Search Page" -> http://srch-gb10.hpwis.com/
YN -> HKEY_LOCAL_MACHINE\: Main\\"Start Page" -> http://gb10.hpwis.com/
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-57929295-3719358328-2888033797-1003\] > ->
YN -> HKEY_USERS\S-1-5-21-57929295-3719358328-2888033797-1003\: Main\\"Default_Page_URL" -> http://gb10.hpwis.com/
YN -> HKEY_USERS\S-1-5-21-57929295-3719358328-2888033797-1003\: Main\\"Default_Search_URL" -> http://srch-gb10.hpwis.com/
< Drives with AutoRun files > ->
YY -> D:\autorun.inf.vir -> D:\autorun.inf.vir [ FAT32 ]
[Empty Temp Folders]
[Start Explorer]
[Reboot]


The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

-- Step 2 --

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google....rotantirootkit/

Unzip it into a folder on your desktop.

Start the Sysprot.exe program.
  • Click on the Log tab.
  • In the Write to log box select all items.
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new Window should appear.
  • Make sure Scan all drives is selected and click on the Start button.
  • When it is complete a new Window will appear to indicate that the scan is finished.
  • The log will be created and saved automatically in the same folder. Open the text file and copy/paste the log here.
-- Step 3 --

Please carry out a full scan with AntiVir and post back the results.

-- Step 4 --
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.


#7 Versacci (Topic Starter, 42 posts)
Hi, hammerman, thanks again for your help.

Computer running a little better, though still a little slow at times.

AntiVir picked up 7 viruses after full scan! Results posted below, and what is the 'sharing meta data' that SysProt picked up? Anyway, all results posted below:

OTS Log:

All Processes Killed
[Win32 Services - Safe List]
Service AVRedirector stopped successfully!
Service AVRedirector deleted successfully!
File not found.
[Registry - Safe List]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\\Default_Page_URL deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Page deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page deleted successfully.
Registry key HKEY_USERS\1-5-21-57929295-3719358328-2888033797-1003\SOFTWARE\Microsoft\Internet Explorer\Main not found.
Registry key HKEY_USERS\1-5-21-57929295-3719358328-2888033797-1003\SOFTWARE\Microsoft\Internet Explorer\Main not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\\torun.inf.vir not found.
D:\autorun.inf.vir moved successfully.
[Empty Temp Folders]


User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: Owner
->Temp folder emptied: 585038 bytes
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 4704231 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 22211584 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 26.35 mb

< End of fix log >
OTS by OldTimer - Version 3.0.12.1 fix logfile created on 09192009_225314

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

SysProt Log:

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\smss.exe
PID: 508
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\csrss.exe
PID: 592
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\winlogon.exe
PID: 616
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 660
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\lsass.exe
PID: 672
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 832
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 888
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 956
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1020
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1132
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\spoolsv.exe
PID: 1268
Hidden: No
Window Visible: No

Name: C:\Program Files\Avira\AntiVir Desktop\sched.exe
PID: 1316
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1380
Hidden: No
Window Visible: No

Name: C:\WINDOWS\explorer.exe
PID: 1588
Hidden: No
Window Visible: No

Name: C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PID: 1668
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
PID: 1680
Hidden: No
Window Visible: No

Name: C:\Program Files\Java\jre6\bin\jqs.exe
PID: 1724
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
PID: 1764
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\nvsvc32.exe
PID: 1792
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\alg.exe
PID: 1108
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wscntfy.exe
PID: 1140
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
PID: 1176
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
PID: 248
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\AOL\1209815663\ee\aolsoftware.exe
PID: 256
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
PID: 272
Hidden: No
Window Visible: No

Name: C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
PID: 280
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PID: 296
Hidden: No
Window Visible: No

Name: C:\Program Files\Java\jre6\bin\jusched.exe
PID: 304
Hidden: No
Window Visible: No

Name: C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PID: 372
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\rundll32.exe
PID: 1456
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
PID: 1568
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wbem\wmiprvse.exe
PID: 2064
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 2412
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wuauclt.exe
PID: 2496
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wuauclt.exe
PID: 2668
Hidden: No
Window Visible: No

Name: C:\Program Files\Avant Browser\avant.exe
PID: 2812
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\Owner\Desktop\SysProt\SysProt\SysProt.exe
PID: 3744
Hidden: No
Window Visible: Yes

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \??\C:\Documents and Settings\Owner\Desktop\SysProt\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: EB924000
Module End: EB92F000
Hidden: No

Module Name: \WINDOWS\system32\ntoskrnl.exe
Service Name: ---
Module Base: 804D7000
Module End: 806EB580
Hidden: No

Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806EC000
Module End: 8070C380
Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: F7987000
Module End: F7989000
Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: F7897000
Module End: F789A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: F7438000
Module End: F7466000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\WMILIB.SYS
Service Name: ---
Module Base: F7989000
Module End: F798B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: F7427000
Module End: F7438000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: F7487000
Module End: F7490000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pciide.sys
Service Name: PCIIde
Module Base: F7A4F000
Module End: F7A50000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: F7707000
Module End: F770E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: F7497000
Module End: F74A2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: F7408000
Module End: F7427000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: F770F000
Module End: F7714000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: F74A7000
Module End: F74B4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: F73F0000
Module End: F7408000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: F74B7000
Module End: F74C0000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: F74C7000
Module End: F74D4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltmgr.sys
Service Name: FltMgr
Module Base: F73D0000
Module End: F73F0000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: F73BE000
Module End: F73D0000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: F73A7000
Module End: F73BE000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: F731A000
Module End: F73A7000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: F72ED000
Module End: F731A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\SISAGPX.sys
Service Name: SISAGP
Module Base: F74D7000
Module End: F74E0000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\viaagp1.sys
Service Name: viaagp1
Module Base: F7717000
Module End: F771E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ohci1394.sys
Service Name: ohci1394
Module Base: F74E7000
Module End: F74F6000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\1394BUS.SYS
Service Name: ---
Module Base: F74F7000
Module End: F7504000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\nv_agp.sys
Service Name: nv_agp
Module Base: F771F000
Module End: F7725000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: F72D2000
Module End: F72ED000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\agp440.sys
Service Name: agp440
Module Base: F7507000
Module End: F7512000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\nic1394.sys
Service Name: NIC1394
Module Base: F75A7000
Module End: F75B7000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\intelppm.sys
Service Name: intelppm
Module Base: F76D7000
Module End: F76E0000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\nv4_mini.sys
Service Name: nv
Module Base: F713C000
Module End: F7274000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: F7128000
Module End: F713C000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\usbuhci.sys
Service Name: usbuhci
Module Base: F77CF000
Module End: F77D4000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: F7105000
Module End: F7128000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: F77D7000
Module End: F77DE000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\delta.sys
Service Name: DELTA
Module Base: F70BB000
Module End: F7105000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\portcls.sys
Service Name: ---
Module Base: F7097000
Module End: F70BB000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\drmk.sys
Service Name: ---
Module Base: F76E7000
Module End: F76F6000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ks.sys
Service Name: ---
Module Base: F7074000
Module End: F7097000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\HSFHWBS2.sys
Service Name: HSFHWBS2
Module Base: F7044000
Module End: F7074000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\HSF_DP.sys
Service Name: HSF_DP
Module Base: F6F40000
Module End: F7044000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys
Service Name: winachsf
Module Base: F6EA5000
Module End: F6F40000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Modem.SYS
Service Name: Modem
Module Base: F77DF000
Module End: F77E7000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\R8139n51.SYS
Service Name: rtl8139
Module Base: F76F7000
Module End: F7703000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\serial.sys
Service Name: Serial
Module Base: F7537000
Module End: F7547000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\serenum.sys
Service Name: serenum
Module Base: F793B000
Module End: F793F000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\parport.sys
Service Name: Parport
Module Base: F6E91000
Module End: F6EA5000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\i8042prt.sys
Service Name: i8042prt
Module Base: F7547000
Module End: F7554000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\PS2.sys
Service Name: Ps2
Module Base: F793F000
Module End: F7943000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: F77EF000
Module End: F77F5000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: F77F7000
Module End: F77FD000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: F7557000
Module End: F7562000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pfc.sys
Service Name: pfc
Module Base: F7943000
Module End: F7946000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\AFS2K.SYS
Service Name: AFS2K
Module Base: F7567000
Module End: F7570000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: F7577000
Module End: F7584000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: F7587000
Module End: F7596000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: F7B3E000
Module End: F7B3F000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: F7597000
Module End: F75A4000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: F794F000
Module End: F7952000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: F6DDA000
Module End: F6DF1000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: F75B7000
Module End: F75C2000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: F75C7000
Module End: F75D3000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: F77FF000
Module End: F7804000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\psched.sys
Service Name: PSched
Module Base: F6DC9000
Module End: F6DDA000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: F75D7000
Module End: F75E0000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: F7807000
Module End: F780C000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: F780F000
Module End: F7814000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\wanatw4.sys
Service Name: wanatw
Module Base: F7817000
Module End: F781D000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: F75E7000
Module End: F75F1000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: F79B3000
Module End: F79B5000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\update.sys
Service Name: Update
Module Base: F6D70000
Module End: F6DC9000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: F795F000
Module End: F7963000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: F75F7000
Module End: F7601000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: F7607000
Module End: F7616000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: F79BB000
Module End: F79BD000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\flpydisk.sys
Service Name: Flpydisk
Module Base: F781F000
Module End: F7824000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Service Name: Fs_Rec
Module Base: F79BD000
Module End: F79BF000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: F7AAF000
Module End: F7AB0000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: F79BF000
Module End: F79C1000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: F782F000
Module End: F7835000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: F79C1000
Module End: F79C3000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: F79C3000
Module End: F79C5000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: F7837000
Module End: F783C000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: F783F000
Module End: F7847000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: F7284000
Module End: F7287000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: EC6B4000
Module End: EC6C7000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: EC65C000
Module End: EC6B4000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\MpFirewall.sys
Service Name: MPFIREWL
Module Base: F7637000
Module End: F7645000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: EC594000
Module End: EC5BC000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: EC572000
Module End: EC594000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: F7647000
Module End: F7650000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
Service Name: ssmdrv
Module Base: F7847000
Module End: F784D000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\srvkp.sys
Service Name: SiSkp
Module Base: F727C000
Module End: F727F000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: EC547000
Module End: EC572000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: EC4D8000
Module End: EC547000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: F7677000
Module End: F7680000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: EC4B7000
Module End: EC4D8000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: F7687000
Module End: F7690000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\arp1394.sys
Service Name: Arp1394
Module Base: F7697000
Module End: F76A6000
Hidden: No

Module Name: \??\C:\WINDOWS\System32\Drivers\sunkfilt.sys
Service Name: SunkFilt
Module Base: F7857000
Module End: F785E000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS
Service Name: USBSTOR
Module Base: F785F000
Module End: F7866000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\avipbb.sys
Service Name: avipbb
Module Base: EC473000
Module End: EC48F000
Hidden: No

Module Name: \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
Service Name: avgio
Module Base: F79C7000
Module End: F79C9000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Service Name: Fastfat
Module Base: EC450000
Module End: EC473000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: EC438000
Module End: EC450000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F79CB000
Module End: F79CD000
Hidden: Yes

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: F6D50000
Module End: F6D53000
Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: F787F000
Module End: F7884000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: F7B64000
Module End: F7B65000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\avgntflt.sys
Service Name: avgntflt
Module Base: EBF0D000
Module End: EBF21000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: EBF41000
Module End: EBF45000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: EBCB1000
Module End: EBCDD000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: EBC74000
Module End: EBC89000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: EBFD9000
Module End: EBFE8000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Service Name: ParVdm
Module Base: F7A3D000
Module End: F7A3F000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys
Service Name: mdmxsdk
Module Base: EBC68000
Module End: EBC6B000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\srv.sys
Service Name: Srv
Module Base: EBABC000
Module End: EBB0E000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys
Service Name: IpFilterDriver
Module Base: EB904000
Module End: EB90D000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Service Name: Cdfs
Module Base: EB57C000
Module End: EB58C000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: EB2A8000
Module End: EB2E9000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\kmixer.sys
Service Name: kmixer
Module Base: EB115000
Module End: EB140000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\fdc.sys
Service Name: Fdc
Module Base: F77E7000
Module End: F77EE000
Hidden: No

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwCreateKey
Address: F7B4FC3E
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwCreateThread
Address: F7B4FC34
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwDeleteKey
Address: F7B4FC43
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwDeleteValueKey
Address: F7B4FC4D
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwLoadKey
Address: F7B4FC52
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenProcess
Address: F7B4FC20
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenThread
Address: F7B4FC25
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwReplaceKey
Address: F7B4FC5C
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwRestoreKey
Address: F7B4FC57
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetValueKey
Address: F7B4FC48
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwTerminateProcess
Address: F7B4FC2F
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
No IRP Hooks found

******************************************************************************************
******************************************************************************************
Ports:
Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1207
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1206
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1205
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1204
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1203
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1202
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1201
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1200
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1199
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1198
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1197
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1196
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1195
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1194
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1193
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1192
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1191
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1190
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1189
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1188
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1187
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1186
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1185
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1184
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1183
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1182
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1181
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1180
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1179
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1178
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1177
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1176
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1175
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1174
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1173
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1172
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1171
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1170
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1169
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1168
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1167
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1166
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1165
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1164
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:2869
Remote Address: DSLDEVICE.LAN:1163
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:1164
Remote Address: 72.26.193.130:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:1147
Remote Address: WW-IN-F101.GOOGLE.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:1140
Remote Address: 64.225.158.191:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:1129
Remote Address: WW-IN-F101.GOOGLE.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: YOUR-G2ASVV4L2M.LAN:1056
Remote Address: HACKERWATCH.ORG:HTTP
Type: TCP
Process: C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
State: ESTABLISHED

Local Address: YOUR-G2ASVV4L2M.LAN:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: YOUR-G2ASVV4L2M:5152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: LISTENING

Local Address: YOUR-G2ASVV4L2M:1026
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\alg.exe
State: LISTENING

Local Address: YOUR-G2ASVV4L2M:2869
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: YOUR-G2ASVV4L2M:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: YOUR-G2ASVV4L2M:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: YOUR-G2ASVV4L2M.LAN:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: YOUR-G2ASVV4L2M.LAN:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: YOUR-G2ASVV4L2M.LAN:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: YOUR-G2ASVV4L2M.LAN:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: YOUR-G2ASVV4L2M:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: YOUR-G2ASVV4L2M:1061
Remote Address: NA
Type: UDP
Process: C:\Program Files\Avant Browser\avant.exe
State: NA

Local Address: YOUR-G2ASVV4L2M:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: YOUR-G2ASVV4L2M:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: YOUR-G2ASVV4L2M:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: YOUR-G2ASVV4L2M:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\<email address>\SharingMetadata\<email address>\DFSR\Staging\CS{30D24023-8990-D0DD-9257-7DCC82773327}\01\10-{30D24023-8990-D0DD-9257-7DCC82773327}-v
Status: Hidden

Object: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\<email address>\SharingMetadata\<email address>\DFSR\Staging\CS{30D24023-8990-D0DD-9257-7DCC82773327}\17\17-{863BAFB8-E7FF-4718-8616-AA517D56B43C}-v
Status: Hidden

Object: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\<email address>\SharingMetadata\<email address>\DFSR\Staging\CS{30D24023-8990-D0DD-9257-7DCC82773327}\18\18-{863BAFB8-E7FF-4718-8616-AA517D56B43C}-v
Status: Hidden

Object: C:\Program Files\IObit\IObit SmartDefrag\language\Lietuviu.lng
Status: Hidden

Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{E2428E38-B8A4-48ED-9563-FAC66F28201E}
Status: Access denied

AntiVir Log:

Avira AntiVir Personal
Report file date: 19 September 2009 23:06

Scanning for 1562564 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : YOUR-G2ASVV4L2M

Version information:
BUILD.DAT : 9.0.0.407 17961 Bytes 29/07/2009 10:34:00
AVSCAN.EXE : 9.0.3.7 466689 Bytes 21/07/2009 13:36:14
AVSCAN.DLL : 9.0.3.0 40705 Bytes 27/02/2009 10:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 20/02/2009 11:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 27/02/2009 10:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 27/10/2008 12:30:36
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 24/06/2009 09:21:42
ANTIVIR2.VDF : 7.1.4.253 1779200 Bytes 19/07/2009 22:08:01
ANTIVIR3.VDF : 7.1.5.19 139776 Bytes 23/07/2009 07:36:13
Engineversion : 8.2.0.228
AEVDF.DLL : 8.1.1.1 106868 Bytes 28/07/2009 13:31:50
AESCRIPT.DLL : 8.1.2.18 442746 Bytes 23/07/2009 09:59:39
AESCN.DLL : 8.1.2.4 127348 Bytes 23/07/2009 09:59:39
AERDL.DLL : 8.1.2.4 430452 Bytes 23/07/2009 09:59:39
AEPACK.DLL : 8.1.3.18 401783 Bytes 28/07/2009 13:31:50
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 23/07/2009 09:59:39
AEHEUR.DLL : 8.1.0.143 1864055 Bytes 23/07/2009 09:59:39
AEHELP.DLL : 8.1.5.3 233846 Bytes 23/07/2009 09:59:39
AEGEN.DLL : 8.1.1.50 352629 Bytes 23/07/2009 09:59:39
AEEMU.DLL : 8.1.0.9 393588 Bytes 09/10/2008 14:32:40
AECORE.DLL : 8.1.7.6 184694 Bytes 23/07/2009 09:59:39
AEBB.DLL : 8.1.0.3 53618 Bytes 09/10/2008 14:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 08:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 05/12/2008 10:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 20/01/2009 14:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 05/12/2008 10:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 24/03/2009 15:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 30/01/2009 10:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 28/01/2009 15:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 02/02/2009 08:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 05/12/2008 10:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 15/05/2009 15:39:58
RCTEXT.DLL : 9.0.37.0 86785 Bytes 17/04/2009 10:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,

Start of the scan: 19 September 2009 23:06

Starting search for hidden objects.
'50114' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'SysProt.exe' - '1' Module(s) have been scanned
Scan process 'avant.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'GoogleCrashHandler.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'MpfTray.exe' - '1' Module(s) have been scanned
Scan process 'aolsoftware.exe' - '1' Module(s) have been scanned
Scan process 'MpfAgent.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'MpfService.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'AOLacsd.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
34 processes with 34 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!
Master boot sector HD4
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '58' files ).


Starting the file scan:

Begin scan in 'C:\' <HP_PAVILION>
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\Owner\My Documents\Downloads\HIDE%2520MY%2520IP%25202009%2520(latest).rar
[0] Archive type: RAR
--> HIDE MY IP 2009 (latest)\Hide My Ip 2009.EXE
[1] Archive type: RSRC
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\Program Files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\acscore.exe
[0] Archive type: NSIS
--> [PluginsDir]/utility.dll
[DETECTION] Is the TR/StartPage.bah.2 Trojan
C:\Program Files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\acslang.exe
[0] Archive type: NSIS
--> [PluginsDir]/utility.dll
[DETECTION] Is the TR/StartPage.bah.1 Trojan
C:\Program Files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\acslang_uk.exe
[0] Archive type: NSIS
--> [PluginsDir]/utility.dll
[DETECTION] Is the TR/StartPage.bah.1 Trojan
C:\Program Files\Common Files\AOL\Backup\ACS\Rollback\UK\ACSLAN~1.EXE
[0] Archive type: NSIS
--> [PluginsDir]/utility.dll
[DETECTION] Is the TR/StartPage.bah.1 Trojan
C:\System Volume Information\_restore{E2428E38-B8A4-48ED-9563-FAC66F28201E}\RP50\A0044038.exe
[DETECTION] Contains recognition pattern of the DR/PSW.Cain.284.57 dropper
C:\System Volume Information\_restore{E2428E38-B8A4-48ED-9563-FAC66F28201E}\RP51\A0046110.rbf
[DETECTION] Is the TR/Spy.Gen Trojan
Begin scan in 'D:\' <HP_RECOVERY>

Beginning disinfection:
C:\Documents and Settings\Owner\My Documents\Downloads\HIDE%2520MY%2520IP%25202009%2520(latest).rar
[NOTE] The file was moved to '4af96177.qua'!
C:\Program Files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\acscore.exe
[NOTE] The file was moved to '4b286192.qua'!
C:\Program Files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\acslang.exe
[NOTE] The file was moved to '4aae8f73.qua'!
C:\Program Files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\acslang_uk.exe
[NOTE] The file was moved to '4870667b.qua'!
C:\Program Files\Common Files\AOL\Backup\ACS\Rollback\UK\ACSLAN~1.EXE
[NOTE] The file was moved to '4b086172.qua'!
C:\System Volume Information\_restore{E2428E38-B8A4-48ED-9563-FAC66F28201E}\RP50\A0044038.exe
[DETECTION] Contains recognition pattern of the DR/PSW.Cain.284.57 dropper
[NOTE] The file was moved to '4ae5615f.qua'!
C:\System Volume Information\_restore{E2428E38-B8A4-48ED-9563-FAC66F28201E}\RP51\A0046110.rbf
[DETECTION] Is the TR/Spy.Gen Trojan
[NOTE] The file was moved to '4ae56160.qua'!


End of the scan: 19 September 2009 23:54
Used time: 47:52 Minute(s)

The scan has been done completely.

6951 Scanned directories
438833 Files were scanned
7 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
7 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
438824 Files not concerned
19373 Archives were scanned
2 Warnings
9 Notes
50114 Objects were scanned with rootkit scan
0 Hidden objects were found

OTL Text:

OTL logfile created on: 20/09/2009 - Run 1
OTL by OldTimer - Version 3.0.14.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1023.30 Mb Total Physical Memory | 671.23 Mb Available Physical Memory | 65.59% Memory free
2.41 Gb Paging File | 2.12 Gb Available in Paging File | 88.10% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.01 Gb Total Space | 55.20 Gb Free Space | 78.85% Space Free | Partition Type: NTFS
Drive D: | 4.50 Gb Total Space | 0.55 Gb Free Space | 12.19% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-G2ASVV4L2M
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
PRC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (AOL LLC)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\McAfee.com\Personal Firewall\MpfService.exe (McAfee Corporation)
PRC - C:\WINDOWS\System32\nvsvc32.exe (NVIDIA Corporation)
PRC - C:\WINDOWS\System32\wscntfy.exe (Microsoft Corporation)
PRC - C:\Program Files\McAfee.com\Personal Firewall\MpfAgent.exe (McAfee Security)
PRC - C:\Program Files\Common Files\AOL\1209815663\ee\AOLSoftware.exe (America Online, Inc.)
PRC - C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe (McAfee Security)
PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
PRC - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe (Google Inc.)
PRC - C:\Program Files\Avant Browser\avant.exe (Avant Force)
PRC - C:\Documents and Settings\Owner\Desktop\SysProt\SysProt\SysProt.exe ()
PRC - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (AntiVirSchedulerService [Auto | Running]) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (AntiVirService [Auto | Running]) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (AOL ACS [Auto | Running]) -- C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (AOL LLC)
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (JavaQuickStarterService [Auto | Running]) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (MpfService [Auto | Running]) -- C:\Program Files\McAfee.com\Personal Firewall\MpfService.exe (McAfee Corporation)
SRV - (NVSvc [Auto | Running]) -- C:\WINDOWS\System32\nvsvc32.exe (NVIDIA Corporation)
SRV - (rpcapd [On_Demand | Stopped]) -- C:\Program Files\WinPcap\rpcapd.exe (CACE Technologies, Inc.)
SRV - (StumbleUponUpdateService [On_Demand | Stopped]) -- C:\Program Files\StumbleUpon\StumbleUponUpdateService.exe (stumbleupon.com)
SRV - (usnjsvc [On_Demand | Stopped]) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe (Microsoft Corporation)
SRV - (WLSetupSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe (Microsoft Corporation)
SRV - (WMPNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (AFS2K [System | Running]) -- C:\WINDOWS\System32\drivers\AFS2K.SYS (Oak Technology Inc.)
DRV - (avgio [System | Running]) -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)
DRV - (avgntflt [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\avgntflt.sys (Avira GmbH)
DRV - (avipbb [System | Running]) -- C:\WINDOWS\System32\DRIVERS\avipbb.sys (Avira GmbH)
DRV - (DELTA [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\delta.sys (Midiman/M-Audio)
DRV - (HSFHWBS2 [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\HSFHWBS2.sys (Conexant Systems, Inc.)
DRV - (HSF_DP [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\HSF_DP.sys (Conexant Systems, Inc.)
DRV - (ialm [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\ialmnt5.sys (Intel Corporation)
DRV - (mdmxsdk [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys (Conexant)
DRV - (MPFIREWL [System | Running]) -- C:\WINDOWS\System32\Drivers\MpFirewall.sys ()
DRV - (nm [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\NMnt.sys (Microsoft Corporation)
DRV - (NPF [On_Demand | Stopped]) -- C:\WINDOWS\System32\drivers\npf.sys (CACE Technologies, Inc.)
DRV - (nv [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys (NVIDIA Corporation)
DRV - (nv_agp [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\nv_agp.sys (NVIDIA Corporation)
DRV - (pfc [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\pfc.sys (Padus, Inc.)
DRV - (Ps2 [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\PS2.sys (Hewlett-Packard Company)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (rtl8139 [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\R8139n51.SYS (Realtek Semiconductor Corporation )
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (SiS315 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\sisgrp.sys (Silicon Integrated Systems Corporation)
DRV - (SISAGP [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\SISAGPX.sys (Silicon Integrated Systems Corporation)
DRV - (SiSkp [System | Running]) -- C:\WINDOWS\System32\DRIVERS\srvkp.sys (Silicon Integrated Systems Corporation)
DRV - (ssmdrv [System | Running]) -- C:\WINDOWS\System32\DRIVERS\ssmdrv.sys (Avira GmbH)
DRV - (SunkFilt [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\sunkfilt.sys (Alcor Micro Corp.)
DRV - (tap0901 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\tap0901.sys (The OpenVPN Project)
DRV - (viaagp1 [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\viaagp1.sys (VIA Technologies, Inc.)
DRV - (viagfx [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\vtmini.sys (Copyright © VIA/S3 Graphics, Inc.)
DRV - (wanatw [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\wanatw4.sys (America Online, Inc.)
DRV - (winachsf [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - ({6080A529-897E-4629-A488-ABA0C29B635E} [On_Demand | Stopped]) -- C:\WINDOWS\System32\drivers\ialmsbw.sys (Intel Corporation)
DRV - ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91} [On_Demand | Stopped]) -- C:\WINDOWS\System32\drivers\ialmkchw.sys (Intel Corporation)
DRV - (SysProtDrv.sys [On_Demand | Running]) -- C:\Documents and Settings\Owner\Desktop\SysProt\SysProt\SysProtDrv.sys ()

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gb10.hpwis.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-gb10.hpwis.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,AutoSearch = http://ie.search.msn...autosearch.aspx
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = plimus.com,www.plimus.com,regnow.com,www.regnow.com,
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = socks=

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/01/21 20:02:49 | 00,000,000 | ---D | M]


O1 HOSTS File: (324359 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 11100 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (StumbleUpon Launcher) - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll (stumbleupon.com)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
O3 - HKLM\..\Toolbar: (StumbleUpon Toolbar) - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll (stumbleupon.com)
O3 - HKLM\..\Toolbar: (HP View) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll (Hewlett-Packard Company)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (HP View) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll (Hewlett-Packard Company)
O3 - HKCU\..\Toolbar\WebBrowser: (HP View) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll (Hewlett-Packard Company)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe (AOL LLC)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [HostManager] C:\Program Files\Common Files\AOL\1209815663\ee\AOLSoftware.exe (America Online, Inc.)
O4 - HKLM..\Run: [MPFExe] C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe (McAfee Security)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKCU..\Run: [Acme.PCHButton] C:\Program Files\HP Pavilion PC Help\Pavilion\XPHWWBP4\plugin\bin\PCHButton.exe (Motive Communications, Inc.)
O4 - HKCU..\Run: [Google Update] C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - HKCU..\Run: [NVIEW] C:\WINDOWS\System32\nview.DLL (NVIDIA Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - File not found
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 61 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} http://www.kaspersky...can_unicode.cab (CKAVWebScan Object)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} http://download.macr...ash/swflash.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} https://signin3.valu...018/flashax.cab (FlashXControl Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/01/01 09:36:50 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/27 21:07:38 | 00,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/09/19 23:24:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2009/09/19 23:06:20 | 00,514,560 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2009/09/19 22:59:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\SysProt
[2009/09/19 22:59:39 | 00,354,396 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\SysProt.zip
[2009/09/19 22:53:14 | 00,000,000 | ---D | C] -- C:\_OTS
[2009/09/19 17:26:48 | 00,100,352 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iecompat.dll
[2009/09/19 17:26:29 | 00,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2009/09/19 17:26:16 | 11,067,392 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieframe.dll
[2009/09/19 17:26:16 | 01,985,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iertutil.dll
[2009/09/19 17:26:16 | 00,594,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeeds.dll
[2009/09/19 17:26:16 | 00,246,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieproxy.dll
[2009/09/19 17:26:16 | 00,055,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeedsbs.dll
[2009/09/19 17:26:16 | 00,012,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpshims.dll
[2009/09/19 17:26:01 | 00,000,000 | ---D | C] -- C:\WINDOWS\WBEM
[2009/09/19 17:24:52 | 00,081,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ieencode.dll
[2009/09/19 17:24:52 | 00,081,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieencode.dll
[2009/09/19 17:24:52 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\en-US
[2009/09/19 17:19:02 | 00,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2009/09/19 17:17:14 | 00,153,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\triedit.dll
[2009/09/19 15:15:13 | 00,001,718 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2009/09/19 15:15:01 | 00,096,104 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2009/09/19 15:15:01 | 00,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2009/09/19 15:15:01 | 00,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2009/09/19 15:15:00 | 00,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2009/09/19 15:14:57 | 00,000,000 | ---D | C] -- C:\Program Files\Avira
[2009/09/19 15:14:57 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2009/09/19 14:51:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Security
[2009/09/19 14:41:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\IObit
[2009/09/19 14:27:07 | 00,000,384 | ---- | C] () -- C:\WINDOWS\tasks\SmartDefrag.job
[2009/09/19 14:27:00 | 00,000,000 | ---D | C] -- C:\Program Files\IObit
[2009/09/19 14:18:27 | 00,000,000 | ---D | C] -- C:\Program Files\Eusing Free Registry Cleaner
[2009/09/19 14:15:58 | 00,000,000 | ---D | C] -- C:\Program Files\WinASO
[2009/09/19 13:08:57 | 00,514,560 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTS.exe
[2009/09/18 14:21:19 | 00,049,995 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\1253276190196.jpg
[2009/09/17 00:07:56 | 00,185,565 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\kj11-dimitri-kjeragbolten.jpg
[2009/09/17 00:07:51 | 00,498,925 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\2725713935_2e67cf74e8_b.jpg
[2009/09/17 00:06:57 | 01,618,675 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\moher.jpg
[2009/09/17 00:06:23 | 00,074,132 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\swimpc.jpg
[2009/09/17 00:04:22 | 00,062,355 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\_prekestol_jpg_465461a.jpg
[2009/09/15 14:51:14 | 00,000,709 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avant Browser.lnk
[2009/09/15 13:28:05 | 00,000,043 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\lightn.gif
[2009/09/13 00:29:07 | 00,227,358 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\cross eyed.bmp
[2009/09/13 00:12:26 | 00,041,130 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\twaddle.jpg
[2009/09/08 13:35:18 | 00,048,752 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\humor,scrabble,you,lost,the,game,board,game,game,lost-c1ada83f8a8c5d3742b5ffa7e41730d3_h.jpg
[2009/09/06 18:54:13 | 00,302,431 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Zelle-des-Jahres-2009-a18358050.jpg
[2009/09/06 16:09:40 | 00,324,662 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\butter.bmp
[2009/09/06 00:47:08 | 00,109,245 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\1252193549647.jpg
[2009/09/05 22:53:10 | 01,284,054 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\fw.bmp
[2009/09/05 22:34:26 | 00,075,017 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\3.jpg
[2009/09/05 22:33:45 | 00,113,760 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\2.jpg
[2009/09/04 18:24:07 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\TC150x150SuggestedLogo
[2009/09/04 18:24:06 | 00,013,645 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\TC150x150SuggestedLogo.zip
[2009/09/04 17:47:10 | 00,190,577 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\this thread is.jpg
[2009/09/04 17:46:24 | 00,041,754 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\dnt make me.jpg
[2009/09/04 15:24:47 | 00,082,221 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\manhat.jpg
[2009/09/03 01:09:39 | 00,036,060 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\hoers.jpg
[2009/09/03 01:05:34 | 00,108,490 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\harp.jpg
[2009/09/03 00:31:08 | 00,229,694 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\esca.jpg
[2009/09/02 21:14:49 | 00,130,614 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\pb.bmp
[2009/09/02 17:50:00 | 00,142,774 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\12519187523XwEbIs (1).jpg
[2009/09/02 16:00:26 | 00,004,888 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\thrfai.jpg
[2009/09/01 18:10:22 | 00,062,139 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\tacti.jpg
[2009/09/01 17:52:33 | 00,106,279 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\1251823779998.jpg
[2009/09/01 15:33:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\RealHideIP
[2009/09/01 01:29:32 | 00,422,628 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\SE1U3.gif
[2009/08/31 23:20:22 | 00,081,573 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\vomphot.jpg
[2009/08/31 01:28:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Simply Super Software
[2009/08/31 00:39:48 | 00,140,191 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\451.jpg
[2009/08/30 14:34:53 | 10,730,74176 | -HS- | C] () -- C:\hiberfil.sys
[2009/08/29 13:46:02 | 00,269,518 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\three_frames_18.gif
[2009/08/29 13:33:43 | 00,060,164 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\kTCKf.jpg
[2009/08/28 21:59:41 | 00,029,013 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\brill.jpg
[2009/08/28 00:01:23 | 00,061,758 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\tumblr_kp014ixsYi1qz5njko1_500.jpg
[2009/08/26 22:41:52 | 00,162,304 | ---- | C] () -- C:\WINDOWS\System32\ztvunrar36.dll
[2009/08/26 22:41:52 | 00,077,312 | ---- | C] () -- C:\WINDOWS\System32\ztvunace26.dll
[2009/08/26 22:41:52 | 00,075,264 | ---- | C] () -- C:\WINDOWS\System32\unacev2.dll
[2009/08/26 22:41:52 | 00,069,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ztvcabinet.dll
[2009/08/26 22:41:51 | 00,153,088 | ---- | C] () -- C:\WINDOWS\System32\UNRAR3.dll
[2009/08/26 22:41:49 | 00,000,000 | ---D | C] -- C:\Program Files\Trojan Remover
[2009/08/26 22:41:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Simply Super Software
[2009/08/26 15:39:17 | 00,000,000 | ---D | C] -- C:\Program Files\NetConceal Anonymizer
[2009/08/26 15:39:14 | 00,000,125 | ---- | C] () -- C:\ioSpecial.ini
[2009/08/26 15:30:23 | 00,000,000 | ---D | C] -- C:\Program Files\Invisible IP Map
[2009/08/26 15:14:47 | 00,000,000 | ---D | C] -- C:\Program Files\Privacy Shield
[2009/08/26 14:49:29 | 00,008,704 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\SpOrder.dll
[2009/08/25 19:53:03 | 00,000,000 | ---D | C] -- C:\Program Files\WinPcap
[2009/08/25 19:52:49 | 00,000,000 | ---D | C] -- C:\Program Files\Cain
[2009/08/23 11:28:10 | 20,555,320 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\video2.flv
[2009/08/23 00:52:14 | 24,152,774 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\video.flv
[2009/08/22 23:33:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\gifs
[2009/08/21 23:41:45 | 00,030,656 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\8tpi5l.jpg
[2009/08/21 23:16:50 | 01,290,438 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\templ.bmp
[2009/08/21 23:12:38 | 00,009,204 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\1250892327235.jpg
[2009/08/21 22:58:02 | 00,037,663 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\1250889623322.jpg
[2009/08/08 19:35:48 | 00,172,032 | ---- | C] () -- C:\WINDOWS\System32\AVLibrary.dll
[2009/02/19 19:39:49 | 00,000,062 | ---- | C] () -- C:\WINDOWS\MyProg.ini
[2008/12/23 16:33:18 | 00,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2008/08/08 12:47:37 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\MpfApi.dll
[2008/08/08 12:47:36 | 00,055,936 | ---- | C] () -- C:\WINDOWS\System32\drivers\MpFirewall.sys
[2008/05/26 21:21:01 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\SimpleExt.dll
[2008/05/03 12:13:46 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2008/04/18 14:50:36 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/03/16 16:24:40 | 00,000,302 | ---- | C] () -- C:\WINDOWS\ARColorCodes.ini
[2007/12/05 14:43:31 | 00,000,540 | ---- | C] () -- C:\WINDOWS\AppRun.ini
[2003/06/09 20:25:04 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[2003/01/01 16:25:02 | 00,000,531 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2003/01/01 16:24:46 | 00,000,779 | ---- | C] () -- C:\WINDOWS\win.ini
[2003/01/01 16:24:44 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2003/01/01 12:05:46 | 00,167,936 | ---- | C] () -- C:\WINDOWS\System32\PCDrJNI_1_1.dll
[2003/01/01 11:53:15 | 00,028,986 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS
[2003/01/01 11:52:51 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\syscontr.dll
[2003/01/01 11:52:15 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll
[2003/01/01 10:48:22 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2003/01/01 10:20:42 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/01/01 10:11:43 | 00,299,073 | ---- | C] () -- C:\WINDOWS\System32\PythonCOM22.dll
[2003/01/01 10:11:43 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes22.dll
[2003/01/01 10:11:23 | 00,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2003/01/01 09:40:09 | 00,000,802 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2003/01/01 09:34:24 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003/01/01 09:33:51 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\iAlmcoin.dll
[2003/01/01 09:14:03 | 00,000,438 | ---- | C] () -- C:\WINDOWS\System32\1_ssetup.ini
[2003/01/01 09:14:03 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\sunistlog.ini

========== Files - Modified Within 30 Days ==========

[2009/09/19 23:33:01 | 00,000,976 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-57929295-3719358328-2888033797-1003UA.job
[2009/09/19 23:06:25 | 00,514,560 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2009/09/19 22:59:40 | 00,354,396 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\SysProt.zip
[2009/09/19 22:56:31 | 00,149,984 | ---- | M] () -- C:\WINDOWS\System32\Status.MPF
[2009/09/19 22:55:40 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/09/19 22:55:38 | 10,730,74176 | -HS- | M] () -- C:\hiberfil.sys
[2009/09/19 22:55:38 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/09/19 19:09:51 | 05,333,732 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2009/09/19 17:34:07 | 00,002,295 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Google Chrome.lnk
[2009/09/19 17:33:00 | 00,000,924 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-57929295-3719358328-2888033797-1003Core.job
[2009/09/19 17:26:55 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/09/19 15:15:13 | 00,001,718 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2009/09/19 14:27:07 | 00,000,384 | ---- | M] () -- C:\WINDOWS\tasks\SmartDefrag.job
[2009/09/19 13:09:01 | 00,514,560 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTS.exe
[2009/09/18 17:19:37 | 00,000,779 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/09/18 14:21:19 | 00,049,995 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\1253276190196.jpg
[2009/09/18 12:02:09 | 00,000,600 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\My Sharing Folders.lnk
[2009/09/17 00:07:56 | 00,185,565 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\kj11-dimitri-kjeragbolten.jpg
[2009/09/17 00:07:51 | 00,498,925 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\2725713935_2e67cf74e8_b.jpg
[2009/09/17 00:06:57 | 01,618,675 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\moher.jpg
[2009/09/17 00:06:23 | 00,074,132 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\swimpc.jpg
[2009/09/17 00:04:22 | 00,062,355 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\_prekestol_jpg_465461a.jpg
[2009/09/15 14:51:14 | 00,000,709 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avant Browser.lnk
[2009/09/15 13:28:05 | 00,000,043 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\lightn.gif
[2009/09/13 00:29:07 | 00,227,358 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\cross eyed.bmp
[2009/09/13 00:12:26 | 00,041,130 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\twaddle.jpg
[2009/09/10 14:54:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/09/10 14:53:50 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/09/08 13:35:13 | 00,048,752 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\humor,scrabble,you,lost,the,game,board,game,game,lost-c1ada83f8a8c5d3742b5ffa7e41730d3_h.jpg
[2009/09/06 18:53:54 | 00,302,431 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Zelle-des-Jahres-2009-a18358050.jpg
[2009/09/06 16:09:40 | 00,324,662 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\butter.bmp
[2009/09/06 00:47:08 | 00,109,245 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\1252193549647.jpg
[2009/09/05 22:53:10 | 01,284,054 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\fw.bmp
[2009/09/05 22:34:26 | 00,075,017 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\3.jpg
[2009/09/05 22:33:45 | 00,113,760 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\2.jpg
[2009/09/05 22:33:36 | 00,028,646 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\1.jpg
[2009/09/04 18:24:07 | 00,013,645 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\TC150x150SuggestedLogo.zip
[2009/09/04 17:47:10 | 00,190,577 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\this thread is.jpg
[2009/09/04 17:46:24 | 00,041,754 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\dnt make me.jpg
[2009/09/04 15:24:28 | 00,082,221 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\manhat.jpg
[2009/09/03 01:09:39 | 00,036,060 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\hoers.jpg
[2009/09/03 01:05:34 | 00,108,490 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\harp.jpg
[2009/09/03 00:31:08 | 00,229,694 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\esca.jpg
[2009/09/02 21:14:49 | 00,130,614 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\pb.bmp
[2009/09/02 17:50:00 | 00,142,774 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\12519187523XwEbIs (1).jpg
[2009/09/02 16:00:26 | 00,004,888 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\thrfai.jpg
[2009/09/01 18:10:22 | 00,062,139 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\tacti.jpg
[2009/09/01 17:52:35 | 00,106,279 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\1251823779998.jpg
[2009/09/01 01:27:13 | 00,422,628 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\SE1U3.gif
[2009/08/31 23:19:46 | 00,081,573 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\vomphot.jpg
[2009/08/31 00:38:18 | 00,140,191 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\451.jpg
[2009/08/30 14:30:56 | 00,324,359 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS
[2009/08/29 13:44:28 | 00,269,518 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\three_frames_18.gif
[2009/08/29 13:31:36 | 00,060,164 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\kTCKf.jpg
[2009/08/29 12:11:01 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/08/28 22:38:20 | 24,689,600 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/08/28 21:59:41 | 00,029,013 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\brill.jpg
[2009/08/28 00:01:06 | 00,061,758 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\tumblr_kp014ixsYi1qz5njko1_500.jpg
[2009/08/26 22:46:16 | 00,000,856 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090830-143056.backup
[2009/08/26 16:16:28 | 00,000,125 | ---- | M] () -- C:\ioSpecial.ini
[2009/08/26 14:49:29 | 00,008,704 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\SpOrder.dll
[2009/08/23 11:28:11 | 20,555,320 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\video2.flv
[2009/08/23 00:52:15 | 24,152,774 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\video.flv
[2009/08/22 01:01:21 | 01,290,438 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\templ.bmp
[2009/08/21 23:27:13 | 00,030,656 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\8tpi5l.jpg
[2009/08/21 23:12:38 | 00,009,204 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\1250892327235.jpg
[2009/08/21 22:58:02 | 00,037,663 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\1250889623322.jpg
[2009/08/21 10:46:35 | 00,450,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\jscript.dll
[2009/08/21 10:46:35 | 00,450,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\jscript.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9
@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:AF1D8F55
< End of report >

OTL Extras:

OTL Extras logfile created on: 20/09/2009 - Run 1
OTL by OldTimer - Version 3.0.14.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1023.30 Mb Total Physical Memory | 671.23 Mb Available Physical Memory | 65.59% Memory free
2.41 Gb Paging File | 2.12 Gb Available in Paging File | 88.10% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.01 Gb Total Space | 55.20 Gb Free Space | 78.85% Space Free | Partition Type: NTFS
Drive D: | 4.50 Gb Total Space | 0.55 Gb Free Space | 12.19% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-G2ASVV4L2M
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Avant Browser\avant.exe (Avant Force)
.url [@ = InternetShortcut] -- C:\Program Files\Avant Browser\avant.exe (Avant Force)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "C:\WINDOWS\hh.exe" %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Avant Browser\avant.exe" %1 (Avant Force)
htmlfile [opennew] -- "C:\Program Files\Avant Browser\avant.exe" %1 (Avant Force)
http [open] -- "C:\Program Files\Avant Browser\avant.exe" %1 (Avant Force)
https [open] -- "C:\Program Files\Avant Browser\avant.exe" %1 (Avant Force)
InternetShortcut [open] -- "C:\Program Files\Avant Browser\avant.exe" %1 (Avant Force)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Messenger\msmsgs.exe" = C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger -- (Microsoft Corporation)
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL Connectivity Service Dialler -- (AOL LLC)
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL Connectivity Services -- (AOL LLC)
"C:\Program Files\AOL\RC\regClient.exe" = C:\Program Files\AOL\RC\regClient.exe:*:Enabled:AOL -- (America Online, Inc.)
"C:\Program Files\AOL 9.0 VRa\waol.exe" = C:\Program Files\AOL 9.0 VRa\waol.exe:*:Enabled:AOL -- (AOL, LLC.)
"C:\Program Files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe" = C:\Program Files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe:*:Enabled:AOL TopSpeed -- (AOL LLC)
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL LLC)
"C:\Program Files\Common Files\AOL\System Information\sinf.exe" = C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Enabled:AOL System Information -- (AOL LLC)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- (Microsoft Corporation)
"C:\Program Files\Avant Browser\avant.exe" = C:\Program Files\Avant Browser\avant.exe:*:Enabled:Avant Browser -- (Avant Force)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}" = Google Earth
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 14
"{27F00C63-449B-2FAB-CBE8-24AB80E17449}" = Acrobat.com
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{45B6180B-DCAB-4093-8EE8-6164457517F0}" = Photosmart 140,240,7200,7600,7700,7900 Series
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{791B20D4-AE59-4DE9-B45F-BA01F3D0A493}" = ArcSoft ShowBiz 2
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{98E8A2EF-4EAE-43B8-A172-74842B764777}" = InterVideo WinDVD Player
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A4810699-E859-43A6-8F40-1743873E72AB}" = Delta
"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{F38FA38A-7E5A-4209-88ED-4DE21CD20EEF}" = HP PSC & OfficeJet 3.0
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"AOL Regclient" = AOL Registration
"AOL Uninstaller" = AOL Uninstaller (Choose which Products to Remove)
"AvantBrowser" = Avant Browser (remove only)
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"BlueVoda_Website_Builder_1.0" = BlueVoda Website Builder 9.2
"CCleaner" = CCleaner (remove only)
"Eusing Free Registry Cleaner" = Eusing Free Registry Cleaner
"FLV Player" = FLV Player 2.0 (build 25)
"HijackThis" = HijackThis 2.0.2
"HP Photo & Imaging" = HP Photo & Imaging 3.1
"InstallShield_{145CACAF-9B34-41FC-BE49-7D510A253E78}" = Multimedia Card Reader
"Kaspersky Online Scanner" = Kaspersky Online Scanner
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"McAfee Personal Firewall Plus" = McAfee Personal Firewall Plus
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NVIDIA" = NVIDIA Windows 2000/XP Display Drivers
"NVIDIA GART Driver" = NVIDIA GART Driver
"RealPlayer 6.0" = RealPlayer
"Smart Defrag_is1" = Smart Defrag 1.20
"StreetPlugin" = Learn2 Player (Uninstall Only)
"StumbleUponIEToolbar" = StumbleUpon IE Toolbar
"Trojan Remover_is1" = Trojan Remover 6.8.1
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 2
"WinPcapInst" = WinPcap 4.1 beta5
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 26/08/2009 10:00:47 | Computer Name = YOUR-G2ASVV4L2M | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2900.2180, faulting
module pcproxy.dll, version 0.0.0.0, fault address 0x00006047.

Error - 27/08/2009 16:35:50 | Computer Name = YOUR-G2ASVV4L2M | Source = Application Error | ID = 1000
Description = Faulting application avant.exe, version 11.7.0.9, faulting module
unknown, version 0.0.0.0, fault address 0x09b99934.

Error - 29/08/2009 10:03:15 | Computer Name = YOUR-G2ASVV4L2M | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2900.2180, faulting
module flash10b.ocx, version 10.0.22.87, fault address 0x001f6002.

Error - 30/08/2009 09:29:50 | Computer Name = YOUR-G2ASVV4L2M | Source = Application Error | ID = 1000
Description = Faulting application mpftray.exe, version 4.5.3.30, faulting module
kernel32.dll, version 5.1.2600.3541, fault address 0x00012a6b.

Error - 02/09/2009 15:14:17 | Computer Name = YOUR-G2ASVV4L2M | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2900.2180, faulting
module mshtml.dll, version 6.0.2900.3603, fault address 0x0010f5f5.

Error - 14/09/2009 05:31:42 | Computer Name = YOUR-G2ASVV4L2M | Source = Application Error | ID = 1000
Description = Faulting application avant.exe, version 11.7.0.9, faulting module
unknown, version 0.0.0.0, fault address 0x07399934.

Error - 16/09/2009 07:24:28 | Computer Name = YOUR-G2ASVV4L2M | Source = Application Hang | ID = 1002
Description = Hanging application avant.exe, version 11.7.0.37, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 17/09/2009 17:31:41 | Computer Name = YOUR-G2ASVV4L2M | Source = Application Hang | ID = 1002
Description = Hanging application avant.exe, version 11.7.0.37, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 18/09/2009 13:20:19 | Computer Name = YOUR-G2ASVV4L2M | Source = Application Hang | ID = 1002
Description = Hanging application avant.exe, version 11.7.0.37, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 19/09/2009 09:42:01 | Computer Name = YOUR-G2ASVV4L2M | Source = IS360srv.exe | ID = 0
Description =

[ System Events ]
Error - 18/09/2009 06:57:52 | Computer Name = YOUR-G2ASVV4L2M | Source = Service Control Manager | ID = 7034
Description = The AOL Connectivity Service service terminated unexpectedly. It
has done this 1 time(s).

Error - 18/09/2009 08:13:19 | Computer Name = YOUR-G2ASVV4L2M | Source = Service Control Manager | ID = 7034
Description = The AOL Connectivity Service service terminated unexpectedly. It
has done this 2 time(s).

Error - 18/09/2009 12:20:36 | Computer Name = YOUR-G2ASVV4L2M | Source = Service Control Manager | ID = 7034
Description = The AOL Connectivity Service service terminated unexpectedly. It
has done this 1 time(s).

Error - 19/09/2009 09:50:45 | Computer Name = YOUR-G2ASVV4L2M | Source = Service Control Manager | ID = 7034
Description = The IS360service service terminated unexpectedly. It has done this
1 time(s).

Error - 19/09/2009 12:14:47 | Computer Name = YOUR-G2ASVV4L2M | Source = DCOM | ID = 10005
Description = DCOM got error "%1055" attempting to start the service winmgmt with
arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error - 19/09/2009 12:44:17 | Computer Name = YOUR-G2ASVV4L2M | Source = DCOM | ID = 10005
Description = DCOM got error "%1055" attempting to start the service winmgmt with
arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error - 19/09/2009 17:53:25 | Computer Name = YOUR-G2ASVV4L2M | Source = Service Control Manager | ID = 7034
Description = The AOL Connectivity Service service terminated unexpectedly. It
has done this 1 time(s).

Error - 19/09/2009 17:53:26 | Computer Name = YOUR-G2ASVV4L2M | Source = Service Control Manager | ID = 7034
Description = The McAfee Personal Firewall Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 19/09/2009 17:53:26 | Computer Name = YOUR-G2ASVV4L2M | Source = Service Control Manager | ID = 7034
Description = The NVIDIA Driver Helper Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 19/09/2009 17:53:29 | Computer Name = YOUR-G2ASVV4L2M | Source = Service Control Manager | ID = 7034
Description = The Java Quick Starter service terminated unexpectedly. It has done
this 1 time(s).


< End of report >

Edited by hammerman, 20 September 2009 - 04:09 AM.
E-mail address removed

  • 0
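The OTL listing above has a regular line format, so it can be triaged by machine. The Python below is an added example (not part of this thread, and not OTL's own code): it parses that line format and applies two defender-side checks. The sample input mixes four lines copied from the log above with one constructed line; the regex, the extension list and the 1 KB HOSTS threshold are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One OTL file-listing line looks like this (copied from the log above):
# [2009/09/10 14:53:50 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
OTL_LINE = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4}) \| (?P<kind>[MC])\] "
    r"\((?P<publisher>[^)]*)\) -- (?P<path>.+)$"
)

CODE_EXTENSIONS = (".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl")
HOSTS_SIZE_LIMIT = 1024  # assumed threshold: a stock XP hosts file is well under 1 KB


@dataclass
class OtlEntry:
    date: str
    time: str
    size: int       # bytes, thousands separators removed
    attrs: str      # e.g. "R---" for read-only
    kind: str       # "M" = modified, "C" = created
    publisher: str  # "" when OTL found no company name in the version info
    path: str


def parse_otl_line(line: str) -> Optional[OtlEntry]:
    """Return an OtlEntry for a listing line, or None for headers and blanks."""
    m = OTL_LINE.match(line.strip())
    if m is None:
        return None
    return OtlEntry(
        date=m["date"],
        time=m["time"],
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        kind=m["kind"],
        publisher=m["publisher"].strip(),
        path=m["path"].strip(),
    )


def parse_otl_listing(text: str) -> List[OtlEntry]:
    """Parse every listing line in a block of OTL output, skipping non-matching lines."""
    return [e for e in map(parse_otl_line, text.splitlines()) if e is not None]


def unattributed_code_in_windows(entries: List[OtlEntry]) -> List[OtlEntry]:
    """Executables and drivers under C:\\WINDOWS that carry no company name.

    Missing version info proves nothing by itself, but when the known-good
    drivers in a log (mbam.sys, MRT.exe, jscript.dll) all name a publisher,
    the ones that do not are where an analyst looks first.
    """
    return [
        e for e in entries
        if e.path.lower().startswith("c:\\windows\\")
        and e.path.lower().endswith(CODE_EXTENSIONS)
        and e.publisher == ""
    ]


def oversized_hosts_files(entries: List[OtlEntry], limit: int = HOSTS_SIZE_LIMIT) -> List[OtlEntry]:
    """HOSTS files (not their .backup copies) larger than `limit` bytes.

    A large HOSTS file can mean hijacked name resolution, but Spybot S&D's
    immunization (installed on this machine per the uninstall list) is a
    common benign cause, so the result is a prompt to inspect, not a verdict.
    """
    return [
        e for e in entries
        if e.path.lower().endswith("\\drivers\\etc\\hosts") and e.size > limit
    ]


# Sample input: four lines copied from the OTL log above plus one constructed
# line (example_unknown.exe, no publisher) to exercise the first check.
SAMPLE_LISTING = r"""
[2009/09/10 14:53:50 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/09/06 16:09:40 | 00,324,662 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\butter.bmp
[2009/08/30 14:30:56 | 00,324,359 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS
[2009/08/26 22:46:16 | 00,000,856 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090830-143056.backup
[2009/09/19 12:00:00 | 00,045,056 | ---- | M] () -- C:\WINDOWS\System32\example_unknown.exe
"""


def triage(text: str = SAMPLE_LISTING) -> dict:
    """Run both checks over a listing and return a summary an analyst can read."""
    entries = parse_otl_listing(text)
    return {
        "parsed": len(entries),
        "unattributed_code": [e.path for e in unattributed_code_in_windows(entries)],
        "large_hosts": [(e.path, e.size) for e in oversized_hosts_files(entries)],
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```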

#8
hammerman

hammerman

    Member 4k

  • Member
  • PipPipPipPipPipPipPip
  • 4,183 posts
Hello,

and what is the 'sharing meta data' that sysport picked up?


This is associated with the Sharing folder in Windows Live Messenger.

I'm not seeing much in your logs but we'll carry out a thorough scan. When your CPU usage goes up to 100%, can you open the Task Manager and see which process is taking 100%?

Please follow these steps.

-- Step 1 --

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gb10.hpwis.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-gb10.hpwis.com/
    IE - URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
    O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • This fix will produce a report. Please add this to your reply.
-- Step 2 --

Download and run Auslogics Disc Defragmenter

-- Step 3 --

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

-- Step 4 --

Please click here to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into SafeMode.

    You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
    Use your up arrow key to highlight SafeMode then hit enter.

  • Double click the setup file to run it.
  • Click Next to continue.
  • It will by default install it to your desktop folder. Click Next.
  • Hit ok at the prompt for scanning in Safe Mode.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked.

  • System Memory
  • Startup Objects
  • Disk Boot Sectors.
  • My Computer.
  • Also any other drives (Removable that you may have)


After that click on Security level then choose Customize then click on the tab that says Heuristic Analyzer then choose Enable Deep rootkit search then choose ok.
Then choose OK again then you are back to the main screen.

  • Then click on Scan at the top right hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized then click the button that says Neutralize all
  • If it says it cannot be Neutralized then choose the delete option when prompted.
  • After that is done click on the reports button at the bottom and save it to file, naming it Kas.
  • Save it somewhere convenient like your desktop and post only the detected Virus\malware in the report. It will be at the very top under Detected. Post those results in your next reply.

    Note: This tool will self uninstall when you close it so please save the log before closing it.


  • 0

#9
Versacci

Versacci

    Member

  • Topic Starter
  • Member
  • PipPip
  • 42 posts
hi, again hammerman.

OK, latest is that the comp seems to be running much better, although I couldn't run the entire AVP Kaspersky scan, because after 3hrs 30 minutes it was still only on 29% of the scan, and said it was going to take until 11.40pm (another 7 hours) until it finished. I'm a college student, and have work to do, so just couldn't run the entire scan, but will do if I must?

It did pick up win32.hupigon.huap at about 25% through the scan, and I deleted it, so please let me know if you'd advise to run it again. It just takes forever though.

The rest of your info is as follows:

OTL Log:

All processes killed
========== OTL ==========
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Default_Page_URL| /E : value set successfully!
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Default_Search_URL| /E : value set successfully!
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 32835 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32835 bytes

User: Owner
->Temp folder emptied: 25696 bytes
->Temporary Internet Files folder emptied: 11022245 bytes
->Java cache emptied: 16439 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 39452169 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 48.30 mb


OTL by OldTimer - Version 3.0.14.0 log created on 09202009_135105

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Ran the defragger OK, and it cleared a lot of stuff up.

Downloaded Java OK

Please let me know what you recommend with regards to the rest of the AVP scan.
Was win32.hupigon.huap something bad?

All the best...
  • 0

#10
hammerman

hammerman

    Member 4k

  • Member
  • PipPipPipPipPipPipPip
  • 4,183 posts
Hello,

Please let me know what you recommend with regards to the rest of the AVP scan.
Was win32.hupigon.huap something bad?


win32.hupigon.huap is a backdoor trojan. Was there any filename given by AVP for this detection?

Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned.
All passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

You should run AVP again when it's convenient for you.
  • 0


#11
Versacci

Versacci

    Member

  • Topic Starter
  • Member
  • PipPip
  • 42 posts
hi, hammerman.

Here are screenshots for that virus that was found. I took them just before I turned off AVP:

So, it is that serious? Blimey, I had better run the scan right now then? It's gonna take some time, but if you suggest I do that, then I shall right away.

http://a.imagehost.o...nload/0585/1_25

http://a.imagehost.o...nload/0087/2_21

http://a.imagehost.o...nload/0950/3_11

http://a.imagehost.o...wnload/0446/4_4

I don't use my comp for any financial business, and my PayPal is linked to a pay as you go credit card, so there's no chance of myself or anyone else on this computer having money stolen. But nonetheless, if you think I am at any risk, let me know if I should run the scan again now, and I shall do.

Many thanks..
  • 0

#12
Versacci

Versacci

    Member

  • Topic Starter
  • Member
  • PipPip
  • 42 posts
Update

Just went to change my ebay password, and it won't let me log in. Someone must have changed it. I can't believe this is happening to me.

Please let me know what to do.

Thanks,

P.S - Changed all other passwords including Windows OK, but eBay was the last one I was going to change just now, and I can't get into my account.
  • 0

#13
hammerman

hammerman

    Member 4k

  • Member
  • PipPipPipPipPipPipPip
  • 4,183 posts
Hello,

That file could be a false detection by AVP. I suggest you run AVP again when you get the chance. College work should come first. Can you get a password reminder from ebay?
  • 0

#14
Versacci

Versacci

    Member

  • Topic Starter
  • Member
  • PipPip
  • 42 posts
I hope so. I'll try and get an eBay reminder, but it does seem odd that I've never had problems signing into eBay and as soon as I get a dodgy trojan, I can't sign in.

Shall I run the scan now?
  • 0

#15
hammerman

hammerman

    Member 4k

  • Member
  • PipPipPipPipPipPipPip
  • 4,183 posts
If it's convenient for you then run the scan. If not, another time will be fine.
  • 0
