Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Win32/Rootkit.Agent.ODG trojan


  • Please log in to reply

#1
kylewilk04

kylewilk04

    Member

  • Member
  • PipPip
  • 30 posts
Hey G2G,

I've used this forum before to solve some problems, and it's always been great. Amazing people, amazing results...so here I am again lol I just got back from School to find the family computer in bad shape. Full of viruses, I d/l Nod32 and run a few scans gets rid of some of them. Yet, one in particular is giving me problems.

"Startup scanner operating memory Operating memory Win32/Rootkit.Agent.ODG trojan unable to clean"

...it hogs my memory, it redirects my google links, It's annoying.

I hope this is what is expected by pasting this.

OTL.Txt:

OTL logfile created on: 28/08/2009 5:54:30 AM - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\Family\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

511.53 Mb Total Physical Memory | 206.04 Mb Available Physical Memory | 40.28% Memory free
1.22 Gb Paging File | 0.92 Gb Available in Paging File | 75.52% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 76.32 Gb Total Space | 64.99 Gb Free Space | 85.16% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: WILKINSON
Current User Name: Family
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/04/09 15:19:08 | 00,731,840 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
PRC - [2008/04/13 20:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2008/04/13 20:12:41 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wscntfy.exe
PRC - [2004/07/10 21:10:00 | 00,339,968 | ---- | M] (ATI Technologies, Inc.) -- C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
PRC - [2002/07/02 05:56:00 | 00,024,576 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\System32\CTHELPER.EXE
PRC - [2002/07/22 02:10:00 | 00,577,602 | ---- | M] (Logitech Inc. ) -- C:\Program Files\Logitech\iTouch\iTouch.exe
PRC - [2007/04/03 12:50:00 | 01,603,152 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
PRC - [2007/02/04 12:02:14 | 00,079,400 | ---- | M] (Nuance Communications, Inc.) -- C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
PRC - [2006/09/20 08:35:26 | 00,020,480 | ---- | M] () -- C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtMon.exe
PRC - [2006/10/30 16:59:34 | 00,024,576 | ---- | M] () -- C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtProc.exe
PRC - [2009/04/09 15:17:56 | 02,029,640 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
PRC - [2009/08/04 17:48:40 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/08/28 05:54:11 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Family\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2009/06/05 11:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Disabled | Stopped])
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2004/07/10 21:35:10 | 00,385,024 | ---- | M] () -- C:\WINDOWS\System32\Ati2evxx.exe -- (Ati HotKey Poller [Disabled | Stopped])
SRV - [2004/07/10 21:10:00 | 00,516,096 | ---- | M] () -- C:\WINDOWS\System32\ati2sgag.exe -- (ATI Smart [Disabled | Stopped])
SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Disabled | Stopped])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2009/04/09 15:29:20 | 00,020,680 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv [On_Demand | Stopped])
SRV - [2009/04/09 15:19:08 | 00,731,840 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn [Auto | Running])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/04/13 20:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2009/06/05 13:39:14 | 00,541,992 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Stopped])
SRV - [2009/07/03 10:49:06 | 01,029,456 | ---- | M] () -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service [Auto | Stopped])
SRV - [2006/10/27 00:47:54 | 00,065,824 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service [Disabled | Stopped])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2006/10/26 19:49:34 | 00,441,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [Disabled | Stopped])
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [Disabled | Stopped])
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [Disabled | Stopped])
SRV - File not found -- -- (x10nets [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...p...&ar=msnhome
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.c...c...amp;gc=1&q=
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.c...c...amp;gc=1&q=
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://today.ask.com...?o=101676&l=dis
IE - URLSearchHook: {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Ask"
FF - prefs.js..browser.search.order.1: "Ask"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://en-US.start2....en-US:official"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}:6.0.07
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.13
FF - prefs.js..keyword.URL: "http://toolbar.ask.c...4&gct=&gc=1&q="
FF - prefs.js..network.proxy.type: 4

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/06/05 17:56:11 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/08/27 13:38:57 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/08/04 17:48:47 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\[email protected]: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird

[2009/06/05 14:55:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Family\Application Data\mozilla\Extensions
[2009/06/05 14:55:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Family\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/08/27 13:39:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Family\Application Data\mozilla\Firefox\Profiles\27cxlj2k.default\extensions
[2009/06/13 20:41:11 | 00,000,682 | ---- | M] () -- C:\Documents and Settings\Family\Application Data\Mozilla\FireFox\Profiles\27cxlj2k.default\searchplugins\ask.xml
[2009/08/27 17:29:55 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/08/04 17:48:40 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/06/13 20:33:39 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
[2009/08/04 17:48:40 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/08/04 17:48:40 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/08/04 17:48:41 | 00,065,528 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2009/06/26 13:03:01 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2009/06/26 13:03:01 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2009/06/26 13:03:01 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2009/06/26 13:03:01 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2009/06/26 13:03:01 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2009/06/26 13:03:02 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2009/06/26 13:03:02 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2009/04/23 20:39:08 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/04/23 20:39:08 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/04/23 20:39:08 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/04/23 20:39:08 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/04/23 20:39:08 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/04/23 20:39:08 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/04/23 20:39:08 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx ()
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe (Microsoft Corporation)
O4 - HKLM..\Run: [net] C:\WINDOWS\System32\net.net File not found
O4 - HKLM..\Run: [OpwareSE4] C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [WINDVDPatch] C:\WINDOWS\System32\CTHELPER.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [winnt2] C:\winnt_\winnt2.exe File not found
O4 - HKLM..\Run: [winnt3] C:\winnt_\winnt3.exe File not found
O4 - HKLM..\Run: [winnt4] C:\winnt_\winnt4.exe File not found
O4 - HKLM..\Run: [winnt6] C:\winnt_\winnt6.exe File not found
O4 - HKLM..\Run: [winntR1] C:\winnt_\winntR1.exe File not found
O4 - HKLM..\Run: [winntR2] C:\winnt_\winntR2.exe File not found
O4 - HKLM..\Run: [WrtMon.exe] C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtMon.exe ()
O4 - HKLM..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe (Logitech Inc. )
O4 - HKCU..\Run: [] File not found
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1244223376953 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\Ati2evxx.dll ()
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/04 14:16:07 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()

NetSvcs: 6to4 - Service key not found. File not found
NetSvcs: Ias - Service key not found. File not found
NetSvcs: Iprip - Service key not found. File not found
NetSvcs: Irmon - Service key not found. File not found
NetSvcs: NWCWorkstation - Service key not found. File not found
NetSvcs: Nwsapagent - Service key not found. File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - Service key not found. File not found
NetSvcs: helpsvc - C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)

========== Files/Folders - Created Within 14 Days ==========

[5 C:\WINDOWS\*.tmp files]
[2009/08/28 05:54:04 | 00,514,048 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Family\Desktop\OTL.exe
[2009/08/28 05:33:22 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/08/28 05:33:18 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/08/28 05:33:16 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/08/28 05:33:16 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/08/28 05:30:34 | 00,000,000 | ---D | C] -- C:\Avenger
[2009/08/27 23:54:08 | 00,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2009/08/27 23:36:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Family\Application Data\Malwarebytes
[2009/08/27 23:36:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/08/27 23:27:47 | 03,942,048 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Family\Desktop\mbam-setup.exe
[2009/08/27 23:15:48 | 00,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2009/08/27 23:13:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Family\Local Settings\Application Data\ESET
[2009/08/27 23:11:14 | 00,000,234 | -H-- | C] () -- C:\WINDOWS\tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
[2009/08/27 23:11:12 | 00,000,234 | -H-- | C] () -- C:\WINDOWS\tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job
[2009/08/27 19:03:10 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2009/08/27 14:00:08 | 00,000,000 | ---D | C] -- C:\Program Files\ESET

========== Files - Modified Within 14 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[5 C:\WINDOWS\*.tmp files]
[2009/08/28 05:54:11 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Family\Desktop\OTL.exe
[2009/08/28 05:33:22 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/08/28 05:32:56 | 03,374,149 | ---- | M] () -- C:\WINDOWS\{00000000-00000000-0000000D-00001102-00000002-80651102}.CDF
[2009/08/28 05:32:56 | 03,374,149 | ---- | M] () -- C:\WINDOWS\{00000000-00000000-0000000D-00001102-00000002-80651102}.BAK
[2009/08/28 05:30:46 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/08/28 05:30:33 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/08/28 02:50:58 | 00,025,296 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000000-00000000-0000000D-00001102-00000002-80651102}.rfx
[2009/08/28 02:50:58 | 00,025,296 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000000-00000000-0000000D-00001102-00000002-80651102}.rfx
[2009/08/28 02:50:58 | 00,016,516 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000000-00000000-0000000D-00001102-00000002-80651102}.rfx
[2009/08/28 02:50:58 | 00,016,516 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000000-00000000-0000000D-00001102-00000002-80651102}.rfx
[2009/08/28 02:50:58 | 00,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2009/08/28 02:50:58 | 00,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2009/08/28 02:50:58 | 00,000,024 | ---- | M] () -- C:\WINDOWS\System32\DVCStateBkp-{00000000-00000000-0000000D-00001102-00000002-80651102}.dat
[2009/08/28 02:50:58 | 00,000,024 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000000-00000000-0000000D-00001102-00000002-80651102}.dat
[2009/08/28 02:50:24 | 06,412,826 | -H-- | M] () -- C:\Documents and Settings\Family\Local Settings\Application Data\IconCache.db
[2009/08/28 02:00:00 | 00,000,234 | -H-- | M] () -- C:\WINDOWS\tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job
[2009/08/28 02:00:00 | 00,000,234 | -H-- | M] () -- C:\WINDOWS\tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
[2009/08/27 23:54:26 | 00,000,435 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/08/27 23:28:12 | 03,942,048 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Family\Desktop\mbam-setup.exe
[2009/08/27 13:49:13 | 00,000,592 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/08/27 13:49:13 | 00,000,211 | RHS- | M] () -- C:\boot.ini
[2009/08/27 13:37:28 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/08/24 16:30:28 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

========== LOP Check ==========

[2009/08/27 23:36:33 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2009/06/26 13:07:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/07/13 16:30:29 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
[2009/06/25 16:20:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ATI MMC
[2009/06/07 04:16:29 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2009/08/27 14:00:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET
[2009/06/05 13:32:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Motive
[2009/06/05 13:35:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MotiveSysIDs
[2009/08/27 13:39:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Norton
[2009/07/17 18:00:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
[2009/06/07 04:23:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2009/08/27 23:36:52 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\Family\Application Data
[2009/06/07 17:03:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Family\Application Data\ATI MMC
[2009/06/27 15:00:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Family\Application Data\ESET
[2009/08/25 11:54:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Family\Application Data\FrostWire
[2009/06/05 13:40:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Family\Application Data\InterTrust
[2009/06/07 04:23:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Family\Application Data\ScanSoft
[2009/08/24 16:30:28 | 00,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2002/08/29 08:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/08/28 05:30:46 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT
[2009/08/28 02:00:00 | 00,000,234 | -H-- | M] () -- C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
[2009/08/28 02:00:00 | 00,000,234 | -H-- | M] () -- C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >

< %systemroot%\system32\eventlog.dll >
[2008/04/13 20:11:53 | 00,062,976 | ---- | M] () -- C:\WINDOWS\system32\eventlog.dll
[1 C:\WINDOWS\system32\*.tmp files]

< %systemroot%\system32\scecli.dll >
[2008/04/13 20:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\scecli.dll
[1 C:\WINDOWS\system32\*.tmp files]

< %systemroot%\netlogon.dll >

< %systemroot%\system32\cngaudit.dll >

< %systemroot%\system32\sceclt.dll >

< %systemroot%\ntelogon.dll >

< %systemroot%\system32\logevent.dll >
[2008/04/13 20:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\logevent.dll
[1 C:\WINDOWS\system32\*.tmp files]
< End of report >

Extras.txt

OTL Extras logfile created on: 28/08/2009 5:54:30 AM - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\Family\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

511.53 Mb Total Physical Memory | 206.04 Mb Available Physical Memory | 40.28% Memory free
1.22 Gb Paging File | 0.92 Gb Available in Paging File | 75.52% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 76.32 Gb Total Space | 64.99 Gb Free Space | 85.16% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: WILKINSON
Current User Name: Family
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\FrostWire\FrostWire.exe" = C:\Program Files\FrostWire\FrostWire.exe:*:Enabled:FrostWire -- (FrostWire Group)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{036AA4D4-6D32-11D4-9875-00105ACE7734}" = Logitech iTouch Software
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX300_series" = Canon MX300 series
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{3347F781-9C89-4C9B-B471-B1FFC3BC4A84}" = ATIRW2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{5D601655-6D54-4384-B52C-17EC5385FBBD}" = iTunes
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{76756402-BF1E-4A0F-AFCC-0EE6CF58F58C}" = ESET NOD32 Antivirus
"{8355F970-601D-442D-A79B-1D7DB4F24CAD}" = Apple Mobile Device Support
"{8988F5D0-C83F-41F4-B41B-86031F9B37F5}" = ATI Multimedia Center
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{9115E7DB-3B29-445A-802D-11E0AA945B7F}" = Sound Blaster Live!
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{C88E49AA-41C5-4420-A08D-BE1B6C5A3A74}" = DAO
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D2D6B9EB-C6DC-4DAA-B4DE-BB7D9735E7DA}" = Presto! PageManager 7.15.16
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{DEE88727-779B-47A9-ACEF-F87CA5F92A65}" = ScanSoft OmniPage SE 4
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{EDE28287-D32C-415E-9C97-2BF9F9260150}" = ATI Decoder
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"Ad-Aware" = Ad-Aware
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"ATI Display Driver" = ATI Display Driver
"CanonMyPrinter" = Canon My Printer
"CanonSolutionMenu" = Canon Utilities Solution Menu
"CodeBaby Player (Remove Only)1.0.2.19" = CodeBaby Player (Remove Only) 1.0.2.19
"Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX
"ENTERPRISE" = Microsoft Office Enterprise 2007
"FrostWire" = FrostWire 4.18.0
"InstallShield_{3347F781-9C89-4C9B-B471-B1FFC3BC4A84}" = ATI Remote Wonder 2.3
"InstallShield_{8988F5D0-C83F-41F4-B41B-86031F9B37F5}" = ATI Multimedia Center 9.01
"InstallShield_{C88E49AA-41C5-4420-A08D-BE1B6C5A3A74}" = DAO
"InstallShield_{EDE28287-D32C-415E-9C97-2BF9F9260150}" = ATI Decoder
"KLiteCodecPack_is1" = K-Lite Codec Pack 4.9.0 (Standard)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.0.13)" = Mozilla Firefox (3.0.13)
"MP Navigator EX 1.0" = Canon MP Navigator EX 1.0
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"net" = Advertisement Service
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/06/2009 10:14:15 AM | Computer Name = WILKINSON | Source = Application Hang | ID = 1002
Description = Hanging application ATIMMC.exe, version 9.1.0.1, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 28/06/2009 1:28:59 AM | Computer Name = WILKINSON | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3439, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/07/2009 11:19:16 PM | Computer Name = WILKINSON | Source = Application Hang | ID = 1002
Description = Hanging application OUTLOOK.EXE, version 12.0.4518.1014, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 12/07/2009 11:19:24 PM | Computer Name = WILKINSON | Source = Application Hang | ID = 1001
Description = Fault bucket 341938951.

Error - 13/07/2009 4:30:39 PM | Computer Name = WILKINSON | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 23/07/2009 3:43:27 PM | Computer Name = WILKINSON | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2900.5512, faulting
module mshtml.dll, version 6.0.2900.5803, fault address 0x00068706.

Error - 27/08/2009 11:19:08 PM | Computer Name = WILKINSON | Source = Application Error | ID = 1000
Description = Faulting application itouch.exe, version 2.10.0.0, faulting module
itouch.exe, version 2.10.0.0, fault address 0x000296e9.

Error - 27/08/2009 11:28:26 PM | Computer Name = WILKINSON | Source = Application Hang | ID = 1002
Description = Hanging application QuickTimePlayer.exe, version 7.62.14.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 28/08/2009 2:46:48 AM | Computer Name = WILKINSON | Source = Application Hang | ID = 1002
Description = Hanging application QuickTimePlayer.exe, version 7.62.14.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 27/08/2009 11:14:36 PM | Computer Name = WILKINSON | Source = Service Control Manager | ID = 7031
Description = The Lavasoft Ad-Aware Service service terminated unexpectedly. It
has done this 1 time(s). The following corrective action will be taken in 5000
milliseconds: Restart the service.

Error - 27/08/2009 11:14:39 PM | Computer Name = WILKINSON | Source = Service Control Manager | ID = 7000
Description = The Lavasoft Ad-Aware Service service failed to start due to the following
error: %%5

Error - 27/08/2009 11:16:11 PM | Computer Name = WILKINSON | Source = Service Control Manager | ID = 7000
Description = The Lavasoft Ad-Aware Service service failed to start due to the following
error: %%5

Error - 27/08/2009 11:16:13 PM | Computer Name = WILKINSON | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Application Layer Gateway
Service service to connect.

Error - 27/08/2009 11:16:13 PM | Computer Name = WILKINSON | Source = Service Control Manager | ID = 7000
Description = The Application Layer Gateway Service service failed to start due
to the following error: %%1053

Error - 28/08/2009 5:30:55 AM | Computer Name = WILKINSON | Source = Service Control Manager | ID = 7000
Description = The Lavasoft Ad-Aware Service service failed to start due to the following
error: %%5

Error - 28/08/2009 5:30:57 AM | Computer Name = WILKINSON | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Application Layer Gateway
Service service to connect.

Error - 28/08/2009 5:30:57 AM | Computer Name = WILKINSON | Source = Service Control Manager | ID = 7000
Description = The Application Layer Gateway Service service failed to start due
to the following error: %%1053

Error - 28/08/2009 5:33:21 AM | Computer Name = WILKINSON | Source = System Error | ID = 1003
Description = Error code 00000024, parameter1 001902fe, parameter2 a606e318, parameter3
a606e014, parameter4 f844a022.


< End of report >
  • 0

Advertisements


#2
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello kylewilk04

Welcome to G2Go. :)
=====================
Download This file. Note its name and save it to your root folder, such as C:\.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

  • 0

#3
kylewilk04

kylewilk04

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Hi Kahdah,

Thanks for the quick reply. If my memory serves me correctly, you helped me before, So I know I'm in good hands.

Here is the log you asked for.

GMER 1.0.15.15077 [n8dn5ov0.exe] - http://www.gmer.net
Rootkit scan 2009-08-28 14:49:58
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT FF607A60 ZwOpenProcess
SSDT FF607E80 ZwOpenThread
SSDT FF608460 ZwSuspendProcess
SSDT FF608280 ZwSuspendThread
SSDT FF607C90 ZwTerminateProcess
SSDT FF6080B0 ZwTerminateThread

Code 821B500E ZwEnumerateKey
Code 821B64B6 ZwFlushInstructionCache
Code 821B581E ZwSaveKey
Code 821B58F6 ZwSaveKeyEx
Code 821B32F5 IofCallDriver
Code 821A916D IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 821B32FA
.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 821A9172
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 5 Bytes JMP 821B5012
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80577693 5 Bytes JMP 821B64BA
PAGE ntoskrnl.exe!ZwSaveKey 8064ED72 5 Bytes JMP 821B5822
PAGE ntoskrnl.exe!ZwSaveKeyEx 8064EE5D 5 Bytes JMP 821B58FA
? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[852] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\2F051F92.x86.dll
.text C:\WINDOWS\system32\svchost.exe[852] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\2F051F92.x86.dll
.text C:\WINDOWS\system32\svchost.exe[852] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\2F051F92.x86.dll
.text C:\WINDOWS\system32\svchost.exe[952] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\2F051F92.x86.dll
.text C:\WINDOWS\system32\svchost.exe[952] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\2F051F92.x86.dll
.text C:\WINDOWS\system32\svchost.exe[952] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\2F051F92.x86.dll
.text C:\WINDOWS\explorer.exe[1012] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00A2000A
.text C:\WINDOWS\System32\svchost.exe[1032] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\2F051F92.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1032] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\2F051F92.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1032] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\2F051F92.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1196] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\2F051F92.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1196] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\2F051F92.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1196] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\2F051F92.x86.dll
.text C:\WINDOWS\system32\spoolsv.exe[1276] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\2F051F92.x86.dll
.text C:\WINDOWS\system32\spoolsv.exe[1276] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\2F051F92.x86.dll
.text C:\WINDOWS\system32\spoolsv.exe[1276] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\2F051F92.x86.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1384] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1384] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\2F051F92.x86.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1384] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\2F051F92.x86.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1384] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\2F051F92.x86.dll

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\svchost.exe[852] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\2F051F92.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[852] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\2F051F92.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[952] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\2F051F92.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[952] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\2F051F92.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1032] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\2F051F92.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1032] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\2F051F92.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1196] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\2F051F92.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1196] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\2F051F92.x86.dll
IAT C:\WINDOWS\system32\spoolsv.exe[1276] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\2F051F92.x86.dll
IAT C:\WINDOWS\system32\spoolsv.exe[1276] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\2F051F92.x86.dll
IAT C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1384] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\2F051F92.x86.dll
IAT C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1384] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\2F051F92.x86.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

---- Threads - GMER 1.0.15 ----

Thread System [4:344] FF606790
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\2F051F92.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [852] 0x35670000
Library \\?\globalroot\Device\__max++>\2F051F92.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [952] 0x35670000
Library \\?\globalroot\Device\__max++>\2F051F92.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1032] 0x35670000
Library \\?\globalroot\Device\__max++>\2F051F92.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1196] 0x35670000
Library \\?\globalroot\Device\__max++>\2F051F92.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1276] 0x35670000
Library \\?\globalroot\Device\__max++>\2F051F92.x86.dll (*** hidden *** ) @ C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [1384] 0x35670000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\kbiwkmrqqumhlk.sys (*** hidden *** ) [SYSTEM] kbiwkmiyobqpdl <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\kbiwkmyvrowpxg.sys (*** hidden *** ) [SYSTEM] kbiwkmowkmovyf <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmiyobqpdl
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] \systemroot\system32\drivers\kbiwkmrqqumhlk.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmiyobqpdl\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmiyobqpdl\[email protected] 10002
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmiyobqpdl\[email protected] 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmiyobqpdl\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmiyobqpdl\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmiyobqpdl\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmiyobqpdl\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmiyobqpdl\[email protected] \systemroot\system32\drivers\kbiwkmrqqumhlk.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmiyobqpdl\[email protected] \systemroot\system32\kbiwkmdhbenxdq.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmiyobqpdl\[email protected] \systemroot\system32\kbiwkmbtnlsxef.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmowkmovyf
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] \systemroot\system32\drivers\kbiwkmyvrowpxg.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmowkmovyf\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmowkmovyf\[email protected] 10002
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmowkmovyf\[email protected] 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmowkmovyf\[email protected] 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmowkmovyf\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmowkmovyf\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmowkmovyf\main\[email protected]* kbiwkmwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmowkmovyf\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmowkmovyf\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmowkmovyf\[email protected] \systemroot\system32\drivers\kbiwkmyvrowpxg.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmowkmovyf\[email protected] \systemroot\system32\kbiwkmbsjkvtlm.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmowkmovyf\[email protected] \systemroot\system32\kbiwkmoeyalmuj.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmowkmovyf\[email protected] \systemroot\system32\kbiwkmxvmpkkab.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmowkmovyf\[email protected] \systemroot\system32\kbiwkmnqbfhwea.dat
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmiyobqpdl (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] file system
Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] \systemroot\system32\drivers\kbiwkmrqqumhlk.sys
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmiyobqpdl\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmiyobqpdl\[email protected] 10002
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmiyobqpdl\[email protected] 1
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmiyobqpdl\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmiyobqpdl\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmiyobqpdl\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmiyobqpdl\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmiyobqpdl\[email protected] \systemroot\system32\drivers\kbiwkmrqqumhlk.sys
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmiyobqpdl\[email protected] \systemroot\system32\kbiwkmdhbenxdq.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmiyobqpdl\[email protected] \systemroot\system32\kbiwkmbtnlsxef.dat
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmowkmovyf (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] file system
Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] \systemroot\system32\drivers\kbiwkmyvrowpxg.sys
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmowkmovyf\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmowkmovyf\[email protected] 10002
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmowkmovyf\[email protected] 1
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmowkmovyf\[email protected] 14400
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmowkmovyf\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmowkmovyf\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmowkmovyf\main\[email protected]* kbiwkmwsp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmowkmovyf\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmowkmovyf\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmowkmovyf\[email protected] \systemroot\system32\drivers\kbiwkmyvrowpxg.sys
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmowkmovyf\[email protected] \systemroot\system32\kbiwkmbsjkvtlm.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmowkmovyf\[email protected] \systemroot\system32\kbiwkmoeyalmuj.dat
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmowkmovyf\mo[email protected] \systemroot\system32\kbiwkmxvmpkkab.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmowkmovyf\[email protected] \systemroot\system32\kbiwkmnqbfhwea.dat

---- EOF - GMER 1.0.15 ----
  • 0

#4
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
You are welcome. :)
========================
One or more of the identified infections is a backdoor trojan or rootkit.

This can allow hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately.
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information,
please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions
to apprise them of your situation.

Please read this for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
=======================
Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r
  • 0

#5
kylewilk04

kylewilk04

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Hmm...well, that isn't very welcoming news :)

What are the odds, do you think, that actual information was taken from my computer. Would be through a keylogger, or through saved information on this HDD?

Here it is:

Log file is located at: C:\Documents and Settings\Family\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\News\News

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\System_OEM\System_OEM

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Profiles\All Users\Adobe\Webbuy\Webbuy

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Profiles\All Users\Adobe\Webbuy\Webbuy

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\5599132effaee562760dce29f8ca8491\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\5599132effaee562760dce29f8ca8491\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1025\1025

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1028\1028

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1031\1031

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1037\1037

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1041\1041

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1042\1042

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1054\1054

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\2052\2052

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3076\3076

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Found mount point : C:\WINDOWS\system32\Adobe\update\update

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Adobe\update\update

Found mount point : C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temp

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\dhcp\dhcp

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Cannot access: C:\WINDOWS\system32\dumprep.exe

Attempting to restore permissions of : C:\WINDOWS\system32\dumprep.exe

[1] 2004-08-04 03:56:48 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\system32\dumprep.exe (Microsoft Corporation)

[2] 2002-08-29 08:00:00 9216 C:\System Volume Information\_restore{9CDAA790-4058-4DDE-BB58-BDCFCB78BB98}\RP16\A0001753.dll (Microsoft Corporation)

[2] 2002-08-29 08:00:00 9216 C:\System Volume Information\_restore{9CDAA790-4058-4DDE-BB58-BDCFCB78BB98}\RP16\A0002865.exe (Microsoft Corporation)

[2] 2004-08-04 03:56:48 10752 C:\System Volume Information\_restore{9CDAA790-4058-4DDE-BB58-BDCFCB78BB98}\RP19\A0004798.exe (Microsoft Corporation)

[2] 2004-08-04 03:56:48 10752 C:\System Volume Information\_restore{9CDAA790-4058-4DDE-BB58-BDCFCB78BB98}\RP19\A0006169.exe (Microsoft Corporation)



Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 03:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 62976 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[2] 2002-08-29 08:00:00 49152 C:\System Volume Information\_restore{9CDAA790-4058-4DDE-BB58-BDCFCB78BB98}\RP16\A0001736.dll (Microsoft Corporation)

[2] 2002-08-29 08:00:00 49152 C:\System Volume Information\_restore{9CDAA790-4058-4DDE-BB58-BDCFCB78BB98}\RP16\A0002852.dll (Microsoft Corporation)

[2] 2002-08-29 08:00:00 49152 C:\System Volume Information\_restore{9CDAA790-4058-4DDE-BB58-BDCFCB78BB98}\RP16\A0003631.dll (Microsoft Corporation)

[2] 2004-08-04 03:56:42 55808 C:\System Volume Information\_restore{9CDAA790-4058-4DDE-BB58-BDCFCB78BB98}\RP19\A0004785.dll (Microsoft Corporation)

[2] 2004-08-04 03:56:42 55808 C:\System Volume Information\_restore{9CDAA790-4058-4DDE-BB58-BDCFCB78BB98}\RP19\A0006197.dll (Microsoft Corporation)

[2] 2004-08-04 03:56:42 55808 C:\System Volume Information\_restore{9CDAA790-4058-4DDE-BB58-BDCFCB78BB98}\RP19\A0007318.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\export\export

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\sample\sample

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\good\good

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wins\wins

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\xircom\xircom

Found mount point : C:\WINDOWS\Temp\BellCanadaPhaseIV\BellCanadaPhaseIV

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\BellCanadaPhaseIV\BellCanadaPhaseIV

Found mount point : C:\WINDOWS\Temp\CTZAPXX\Drivers\Drivers

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\CTZAPXX\Drivers\Drivers

Found mount point : C:\WINDOWS\Temp\SaveReport\SaveReport

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\SaveReport\SaveReport

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp



Finished!
  • 0

#6
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
I'm not saying that it even has been but I see a need to alert you to the type of infection and the capabilities that it has.
Malware of this nature can do many things such as even take screen shots of webpages collect stored passwords that are saved to the system from a normal day to day basis,keylog bank sites that you visit and record login credentials.
============================================

1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to move:
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll | C:\WINDOWS\system32\eventlog.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt.

===========================Next============================

Download Combofix from any of the links below. You must rename it before saving it. Rename it to kahdah then save it to your desktop.
Link 1
Link 2
--------------------------------------------------------------------

Double click on kahdah.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt

  • 0

#7
kylewilk04

kylewilk04

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Hey Kahdah,

Thanks for the information, I have ran the programs and here are the outputs.

Avenger:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS\ServicePackFiles\i386\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.


---------------------------------------
Combofix:

ComboFix 09-08-28.06 - Family 29/08/2009 15:47.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.2.1033.18.512.287 [GMT -4:00]
Running from: c:\documents and settings\Family\Desktop\Kahdah.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\windows\Installer\WMEncoder.msi
c:\windows\run.log
c:\windows\system32\drivers\kbiwkmrqqumhlk.sys
c:\windows\system32\drivers\kbiwkmyvrowpxg.sys
c:\windows\system32\kbiwkmbsjkvtlm.dll
c:\windows\system32\kbiwkmbtnlsxef.dat
c:\windows\system32\kbiwkmdhbenxdq.dll
c:\windows\system32\kbiwkmnqbfhwea.dat
c:\windows\system32\kbiwkmoeyalmuj.dat
c:\windows\system32\kbiwkmxvmpkkab.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kbiwkmiyobqpdl
-------\Legacy_kbiwkmiyobqpdl
-------\Service_kbiwkmowkmovyf
-------\Legacy_kbiwkmowkmovyf
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-29 )))))))))))))))))))))))))))))))
.

2009-08-29 18:45 . 2009-08-29 18:45 -------- d-----w- c:\program files\ESET
2009-08-29 06:47 . 2009-08-29 06:47 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-08-28 18:23 . 2009-08-28 18:23 288768 ----a-w- C:\n8dn5ov0.exe
2009-08-28 18:21 . 2008-10-16 18:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-08-28 18:21 . 2008-10-16 18:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-08-28 03:54 . 2009-08-29 18:43 -------- d--h--w- c:\windows\PIF
2009-08-28 03:36 . 2009-08-28 03:36 -------- d-----w- c:\documents and settings\Family\Application Data\Malwarebytes
2009-08-28 03:36 . 2009-08-28 03:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-28 03:13 . 2009-08-29 19:47 -------- d-----w- c:\documents and settings\Family\Local Settings\Application Data\ESET
2009-08-27 23:03 . 2009-08-27 23:03 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-27 18:52 . 2009-08-27 18:52 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-08-13 07:02 . 2008-04-14 00:12 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-08-12 22:32 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-29 19:52 . 2009-06-05 18:26 24 ----a-w- c:\windows\system32\DVCStateBkp-{00000000-00000000-0000000D-00001102-00000002-80651102}.dat
2009-08-29 19:52 . 2009-06-05 18:26 24 ----a-w- c:\windows\system32\DVCState-{00000000-00000000-0000000D-00001102-00000002-80651102}.dat
2009-08-29 06:46 . 2009-06-05 18:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-27 18:00 . 2009-06-27 18:58 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-08-27 17:39 . 2009-07-17 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-08-27 17:39 . 2009-07-05 21:53 -------- d-----w- c:\program files\Norton Security Scan
2009-08-27 17:39 . 2009-07-05 21:53 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-25 15:54 . 2009-06-14 00:34 -------- d-----w- c:\documents and settings\Family\Application Data\FrostWire
2009-08-05 09:01 . 2009-06-04 18:28 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 22:00 . 2009-07-17 22:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-17 22:00 . 2009-07-17 22:00 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-07-17 19:01 . 2002-08-29 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-04 07:56 286208 ------w- c:\windows\system32\wmpdxm.dll
2009-07-13 20:30 . 2009-07-13 20:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-13 20:30 . 2009-07-13 20:30 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-13 20:30 . 2009-07-13 20:30 -------- d-----w- c:\program files\Lavasoft
2009-07-13 20:26 . 2009-07-13 20:22 60857536 ----a-w- c:\program files\Ad-AwareAE.exe
2009-07-08 17:28 . 2009-07-13 20:30 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
2009-07-04 16:40 . 2009-07-04 16:40 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-04 16:40 . 2009-07-04 16:40 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-07-03 14:49 . 2009-07-13 20:30 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-07-03 14:49 . 2009-07-13 20:35 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-26 16:50 . 2002-08-29 12:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2009-06-16 14:36 . 2002-08-29 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2002-08-29 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-14 00:40 . 2009-06-14 00:40 0 ----a-w- c:\documents and settings\Family\Application Data\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2009-06-12 12:31 . 2002-08-29 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2002-08-29 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2009-06-04 18:12 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2002-08-29 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-06 00:30 . 2009-06-05 18:28 69232 ----a-w- c:\documents and settings\Family\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-05 19:18 . 2009-06-04 18:15 76487 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-06-05 18:55 . 2009-06-05 18:55 0 ----a-w- c:\windows\nsreg.dat
2009-06-05 17:57 . 2009-06-05 17:57 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-05 17:33 . 2009-06-05 17:33 2678 ----a-w- c:\windows\java\Packages\Data\1R7V3XBN.DAT
2009-06-05 17:33 . 2009-06-05 17:33 2678 ----a-w- c:\windows\java\Packages\Data\N9B5RJLV.DAT
2009-06-05 17:33 . 2009-06-05 17:33 2678 ----a-w- c:\windows\java\Packages\Data\84PFLN5Z.DAT
2009-06-05 17:33 . 2009-06-05 17:33 2678 ----a-w- c:\windows\java\Packages\Data\65JZP75F.DAT
2009-06-05 17:33 . 2009-06-05 17:33 2678 ----a-w- c:\windows\java\Packages\Data\PN1RRZJZ.DAT
2009-06-05 15:42 . 2009-06-26 17:01 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-05 15:42 . 2009-06-26 17:01 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 01:58 . 2009-06-05 17:59 676224 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-06-04 18:24 . 2009-06-04 18:24 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-06-04 18:15 . 2009-06-04 18:15 558142 ----a-w- c:\windows\java\Packages\8WVDB37L.ZIP
2009-06-04 18:15 . 2009-06-04 18:15 155995 ----a-w- c:\windows\java\Packages\LRJTZXBP.ZIP
2009-06-04 18:13 . 2009-06-04 18:13 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-06-03 19:09 . 2009-06-04 18:28 1291264 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-11 339968]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2002-07-22 577602]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-02-06 2021400]
"WINDVDPatch"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2002-07-02 24576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Family^Start Menu^Programs^Startup^FrostWire On Startup.lnk]
path=c:\documents and settings\Family\Start Menu\Programs\Startup\FrostWire On Startup.lnk
backup=c:\windows\pss\FrostWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"idsvc"=3 (0x3)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [13/07/2009 4:30 PM 64160]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [06/02/2009 2:23 PM 106208]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [06/02/2009 2:23 PM 727720]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 10:49 AM 1029456]
.
Contents of the 'Scheduled Tasks' folder

2009-08-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-winntR1 - c:\winnt_\winntR1.exe
HKLM-Run-winntR2 - c:\winnt_\winntR2.exe
HKLM-Run-winnt3 - c:\winnt_\winnt3.exe
HKLM-Run-winnt4 - c:\winnt_\winnt4.exe
HKLM-Run-winnt6 - c:\winnt_\winnt6.exe
HKLM-Run-net - c:\windows\system32\net.net


.
------- Supplementary Scan -------
.
uStart Page = hxxp://today.ask.com/frostwire?o=101676&l=dis
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101664&gct=&gc=1&q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Family\Application Data\Mozilla\Firefox\Profiles\27cxlj2k.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101664&gct=&gc=1&q=
FF - prefs.js: network.proxy.type - 4
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-29 15:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(908)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3984)
c:\program files\ScanSoft\OmniPageSE4\OpHookSE4.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\spool\drivers\w32x86\3\WrtProc.exe
.
**************************************************************************
.
Completion time: 2009-08-29 15:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-29 19:56

Pre-Run: 69,753,352,192 bytes free
Post-Run: 69,739,859,968 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

209 --- E O F --- 2009-08-29 06:47
  • 0

#8
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
First: Update Run Malwarebytes

Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.
  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.
=====
Second: Online Scanner
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#9
kylewilk04

kylewilk04

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Sorry Kahdah for the late reply.

Here are the following logs:

Malwarebytes' Anti-Malware 1.40
Database version: 2719
Windows 5.1.2600 Service Pack 3

30/08/2009 5:58:23 PM
mbam-log-2009-08-30 (17-58-23).txt

Scan type: Full Scan (C:\|)
Objects scanned: 137309
Time elapsed: 38 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmbsjkvtlm.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmdhbenxdq.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmxvmpkkab.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.


-------------

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, August 30, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, August 31, 2009 00:28:20
Records in database: 2730606
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Objects scanned: 47009
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 01:58:04


File name / Threat / Threats count
C:\System Volume Information\_restore{9CDAA790-4058-4DDE-BB58-BDCFCB78BB98}\RP76\A0020185.exe Infected: Trojan-Downloader.Win32.Dirt.s 1

Selected area has been scanned.
  • 0

#10
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Looks good let's run one more scan with OTL and let me know how things are running?

  • Double click on OTL to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open one notepad window. OTListIt.Txt a This is saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply.

  • 0

#11
kylewilk04

kylewilk04

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Here ya go:

OTL logfile created on: 31/08/2009 12:12:33 PM - Run 2
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\Family\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

511.53 Mb Total Physical Memory | 132.17 Mb Available Physical Memory | 25.84% Memory free
1.22 Gb Paging File | 0.91 Gb Available in Paging File | 74.71% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 76.32 Gb Total Space | 64.66 Gb Free Space | 84.72% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: WILKINSON
Current User Name: Family
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Program Files\ESET\ESET Smart Security\ekrn.exe (ESET)
PRC - C:\WINDOWS\System32\PnkBstrA.exe ()
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (ATI Technologies, Inc.)
PRC - C:\WINDOWS\System32\CTHELPER.EXE (Creative Technology Ltd)
PRC - C:\Program Files\Logitech\iTouch\iTouch.exe (Logitech Inc. )
PRC - C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
PRC - C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe (Nuance Communications, Inc.)
PRC - C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtMon.exe ()
PRC - C:\Program Files\ESET\ESET Smart Security\egui.exe (ESET)
PRC - C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtProc.exe ()
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Documents and Settings\Family\Desktop\OTL.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (Apple Mobile Device [Disabled | Stopped]) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (Ati HotKey Poller [Disabled | Stopped]) -- C:\WINDOWS\System32\Ati2evxx.exe ()
SRV - (ATI Smart [Disabled | Stopped]) -- C:\WINDOWS\System32\ati2sgag.exe ()
SRV - (Bonjour Service [Disabled | Stopped]) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (EhttpSrv [On_Demand | Stopped]) -- C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe (ESET)
SRV - (ekrn [Auto | Running]) -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe (ESET)
SRV - (FontCache3.0.0.0 [On_Demand | Stopped]) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (idsvc [Unknown | Stopped]) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (iPod Service [On_Demand | Stopped]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (Lavasoft Ad-Aware Service [Auto | Stopped]) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe ()
SRV - (Microsoft Office Groove Audit Service [Disabled | Stopped]) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe (Microsoft Corporation)
SRV - (NetTcpPortSharing [Disabled | Stopped]) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (odserv [Disabled | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (ose [Disabled | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (PnkBstrA [Auto | Running]) -- C:\WINDOWS\System32\PnkBstrA.exe ()
SRV - (WMPNetworkSvc [Disabled | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)
SRV - (x10nets [On_Demand | Stopped]) -- File not found

========== Driver Services (SafeList) ==========

DRV - (ATI Remote Wonder II [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\ATIRWVD.SYS (Jungo)
DRV - (ati2mtag [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ati2mtag.sys (ATI Technologies Inc.)
DRV - (basic2 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\HSF_BSC2.sys (Conexant)
DRV - (bcm4sbxp [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys (Broadcom Corporation)
DRV - (ctac32k [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\ctac32k.sys (Creative Technology Ltd)
DRV - (ctaud2k [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\ctaud2k.sys (Creative Technology Ltd)
DRV - (ctljystk [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\ctljystk.sys (Creative Technology Ltd.)
DRV - (ctprxy2k [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\ctprxy2k.sys (Creative Technology Ltd)
DRV - (ctsfm2k [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\ctsfm2k.sys (Creative Technology Ltd)
DRV - (eamon [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\eamon.sys (ESET)
DRV - (ehdrv [System | Running]) -- C:\WINDOWS\System32\DRIVERS\ehdrv.sys (ESET)
DRV - (emupia [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\emupia2k.sys (Creative Technology Ltd)
DRV - (epfw [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\epfw.sys (ESET)
DRV - (Epfwndis [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\Epfwndis.sys (ESET)
DRV - (epfwtdi [System | Running]) -- C:\WINDOWS\System32\DRIVERS\epfwtdi.sys (ESET)
DRV - (Fallback [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\HSF_FALL.sys (Conexant)
DRV - (Fsks [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\HSF_FSKS.sys (Conexant)
DRV - (gameenum [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\gameenum.sys (Microsoft Corporation)
DRV - (GEARAspiWDM [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (ha10kx2k [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\ha10kx2k.sys (Creative Technology Ltd)
DRV - (HSFHWBS2 [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\HSFBS2S2.sys (Conexant Systems, Inc.)
DRV - (HSF_DP [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\HSFDPSP2.sys (Conexant Systems, Inc.)
DRV - (hsf_msft [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\HSF_MSFT.sys (Conexant)
DRV - (itchfltr [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\itchfltr.sys (Logitech, Inc.)
DRV - (K56 [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\HSF_K56K.sys (Conexant)
DRV - (Lbd [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)
DRV - (mdmxsdk [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys (Conexant)
DRV - (NuidFltr [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\NuidFltr.sys (Microsoft Corporation)
DRV - (ossrv [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\ctoss2k.sys (Creative Technology Ltd.)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (Rksample [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\HSF_SAMP.sys (Conexant)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (SoftFax [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\HSF_FAXX.sys (Conexant)
DRV - (Tones [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\HSF_TONE.sys (Conexant)
DRV - (USBAAPL [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\usbaapl.sys (Apple, Inc.)
DRV - (V124 [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\HSF_V124.sys (Conexant)
DRV - (viaagp1 [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\viaagp1.sys (VIA Technologies, Inc.)
DRV - (VIAPFD [System | Running]) -- C:\WINDOWS\System32\Drivers\VIAPFD.SYS (VIA Technologies. Inc.)
DRV - (winachsf [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\HSFCXTS2.sys (Conexant Systems, Inc.)

========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.c...c...amp;gc=1&q=
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://today.ask.com...?o=101676&l=dis
IE - URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\System32\shdocvw.dll (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Ask"
FF - prefs.js..browser.search.order.1: "Ask"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://en-US.start2....en-US:official"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}:6.0.07
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.2
FF - prefs.js..keyword.URL: "http://toolbar.ask.c...4&gct=&gc=1&q="
FF - prefs.js..network.proxy.type: 4

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/08/29 02:47:11 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/08/29 18:37:37 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/08/29 18:37:37 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\[email protected]: C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird

[2009/06/05 14:55:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Family\Application Data\mozilla\Extensions
[2009/06/05 14:55:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Family\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/08/30 20:17:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Family\Application Data\mozilla\Firefox\Profiles\27cxlj2k.default\extensions
[2009/08/29 18:39:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Family\Application Data\mozilla\Firefox\Profiles\27cxlj2k.default\extensions\[email protected]
[2009/06/13 20:41:11 | 00,000,682 | ---- | M] () -- C:\Documents and Settings\Family\Application Data\Mozilla\FireFox\Profiles\27cxlj2k.default\searchplugins\ask.xml
[2009/08/30 20:17:29 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/08/29 18:37:37 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/06/13 20:33:39 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
[2009/08/29 18:37:15 | 00,023,544 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/08/29 18:37:15 | 00,137,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/08/29 18:37:28 | 00,065,016 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2009/06/26 13:03:01 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2009/06/26 13:03:01 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2009/06/26 13:03:01 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2009/06/26 13:03:01 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2009/06/26 13:03:01 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2009/06/26 13:03:02 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2009/06/26 13:03:02 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2009/08/29 18:37:31 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/08/29 18:37:31 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/08/29 18:37:31 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/08/29 18:37:31 | 00,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/08/29 18:37:31 | 00,002,371 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/08/29 18:37:31 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/08/29 18:37:31 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx ()
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\System32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\System32\SHELL32.dll (Microsoft Corporation)
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET Smart Security\egui.exe (ESET)
O4 - HKLM..\Run: [OpwareSE4] C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [WINDVDPatch] C:\WINDOWS\System32\CTHELPER.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [WrtMon.exe] C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtMon.exe ()
O4 - HKLM..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe (Logitech Inc. )
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\System32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1244223376953 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\System32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\System32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\System32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\System32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter: - application/octet-stream - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter: - application/x-complus - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter: - application/x-msdownload - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter: - Class Install Handler - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter: - deflate - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter: - gzip - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter: - lzdhtml - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/webviewhtml - C:\WINDOWS\System32\SHELL32.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\Ati2evxx.dll ()
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\System32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\WlNotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\System32\SHELL32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\System32\SHELL32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\System32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\System32\webcheck.dll (Microsoft Corporation)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\System32\WPDShServiceObj.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\System32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\System32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O27 - HKLM IFEO\Your Image File Name Here without a path: Debugger - C:\WINDOWS\System32\ntsd.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/04 14:16:07 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()

========== Files/Folders - Created Within 30 Days ==========

[5 C:\WINDOWS\*.tmp files]
[2009/08/31 12:11:04 | 00,514,048 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Family\Desktop\OTL.exe
[2009/08/31 02:21:16 | 00,003,584 | ---- | C] () -- C:\Documents and Settings\Family\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/30 21:12:36 | 00,111,928 | ---- | C] () -- C:\WINDOWS\System32\PnkBstrB.exe
[2009/08/30 21:12:32 | 00,075,064 | ---- | C] () -- C:\WINDOWS\System32\PnkBstrA.exe
[2009/08/30 21:12:32 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Family\Application Data\id Software
[2009/08/30 21:12:29 | 02,373,712 | ---- | C] () -- C:\WINDOWS\System32\pbsvc.exe
[2009/08/30 21:12:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\id Software
[2009/08/30 17:16:34 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/08/30 17:16:31 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/08/30 17:16:28 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/08/30 17:16:27 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/08/30 12:19:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Family\My Documents\Downloads
[2009/08/29 15:59:55 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/08/29 15:57:05 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/08/29 15:56:00 | 01,614,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\sfcfiles.dll
[2009/08/29 15:56:00 | 00,435,200 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ntmssvc.dll
[2009/08/29 15:56:00 | 00,253,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\es.dll
[2009/08/29 15:56:00 | 00,198,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\netman.dll
[2009/08/29 15:56:00 | 00,192,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\schedsvc.dll
[2009/08/29 15:56:00 | 00,185,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\upnphost.dll
[2009/08/29 15:56:00 | 00,171,008 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\srsvc.dll
[2009/08/29 15:56:00 | 00,142,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\aec.sys
[2009/08/29 15:56:00 | 00,135,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\shsvcs.dll
[2009/08/29 15:56:00 | 00,088,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\rasauto.dll
[2009/08/29 15:56:00 | 00,071,680 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ssdpsrv.dll
[2009/08/29 15:56:00 | 00,059,904 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\regsvc.dll
[2009/08/29 15:56:00 | 00,019,968 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\linkinfo.dll
[2009/08/29 15:56:00 | 00,013,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\wscntfy.exe
[2009/08/29 15:55:59 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\comctl32.dll
[2009/08/29 15:55:59 | 00,574,976 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ntfs.sys
[2009/08/29 15:55:59 | 00,409,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\qmgr.dll
[2009/08/29 15:55:59 | 00,407,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\netlogon.dll
[2009/08/29 15:55:59 | 00,249,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\tapisrv.dll
[2009/08/29 15:55:59 | 00,245,248 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\mswsock.dll
[2009/08/29 15:55:59 | 00,181,248 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\scecli.dll
[2009/08/29 15:55:59 | 00,129,024 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\xmlprov.dll
[2009/08/29 15:55:59 | 00,077,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\browser.dll
[2009/08/29 15:55:59 | 00,062,464 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\cryptsvc.dll
[2009/08/29 15:55:59 | 00,056,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\eventlog.dll
[2009/08/29 15:55:59 | 00,033,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\msgsvc.dll
[2009/08/29 15:55:59 | 00,027,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\mspmsnsv.dll
[2009/08/29 15:55:59 | 00,014,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\asyncmac.sys
[2009/08/29 15:55:59 | 00,011,648 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\acpiec.sys
[2009/08/29 15:55:59 | 00,005,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\sfc.dll
[2009/08/29 15:55:58 | 03,069,440 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\mshtml.dll
[2009/08/29 15:55:58 | 00,989,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\kernel32.dll
[2009/08/29 15:55:58 | 00,927,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\mfc40u.dll
[2009/08/29 15:55:58 | 00,792,064 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\comres.dll
[2009/08/29 15:55:58 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\rpcss.dll
[2009/08/29 15:55:58 | 00,295,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\termsrv.dll
[2009/08/29 15:55:58 | 00,110,080 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\imm32.dll
[2009/08/29 15:55:58 | 00,026,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\userinit.exe
[2009/08/29 15:55:58 | 00,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\kbdclass.sys
[2009/08/29 15:55:58 | 00,022,016 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\lpk.dll
[2009/08/29 15:55:58 | 00,017,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\powrprof.dll
[2009/08/29 15:55:58 | 00,004,224 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\beep.sys
[2009/08/29 15:55:58 | 00,002,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\null.sys
[2009/08/29 15:55:57 | 02,189,056 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ntoskrnl.exe
[2009/08/29 15:55:57 | 02,066,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ntkrnlpa.exe
[2009/08/29 15:55:57 | 01,033,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\explorer.exe
[2009/08/29 15:55:57 | 00,182,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ndis.sys
[2009/08/29 15:55:57 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\services.exe
[2009/08/29 15:55:57 | 00,057,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\spoolsv.exe
[2009/08/29 15:55:57 | 00,051,224 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\wuauclt.exe
[2009/08/29 15:55:57 | 00,036,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ip6fw.sys
[2009/08/29 15:55:57 | 00,015,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ctfmon.exe
[2009/08/29 15:55:57 | 00,013,312 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\lsass.exe
[2009/08/29 15:55:56 | 00,666,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\wininet.dll
[2009/08/29 15:55:56 | 00,578,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\user32.dll
[2009/08/29 15:55:56 | 00,507,904 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\winlogon.exe
[2009/08/29 15:55:56 | 00,361,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\tcpip.sys
[2009/08/29 15:55:56 | 00,082,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ws2_32.dll
[2009/08/29 15:55:56 | 00,014,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\svchost.exe
[2009/08/29 15:55:56 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\dllcache\cache
[2009/08/29 15:44:03 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/08/29 15:43:59 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/08/29 15:43:58 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/08/29 15:40:59 | 00,229,376 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/08/29 15:40:59 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/08/29 15:40:59 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/08/29 15:40:59 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/08/29 15:40:59 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/08/29 15:40:59 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/08/29 15:40:59 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/08/29 15:40:59 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/08/29 15:40:44 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/08/29 15:39:02 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/08/29 14:45:19 | 00,000,000 | ---D | C] -- C:\Program Files\ESET
[2009/08/29 02:47:15 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft CAPICOM 2.1.0.2
[2009/08/28 14:23:27 | 00,288,768 | ---- | C] () -- C:\n8dn5ov0.exe
[2009/08/28 14:21:28 | 00,268,648 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll
[2009/08/28 14:21:28 | 00,208,744 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\muweb.dll
[2009/08/28 14:21:28 | 00,027,496 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll.mui
[2009/08/27 23:54:08 | 00,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2009/08/27 23:36:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Family\Application Data\Malwarebytes
[2009/08/27 23:36:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/08/27 23:15:48 | 00,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2009/08/27 23:13:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Family\Local Settings\Application Data\ESET
[2009/08/27 19:03:10 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2009/08/13 03:02:30 | 00,221,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wmpns.dll
[2009/08/12 18:32:37 | 00,128,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dhtmled.ocx
[2009/08/12 18:32:32 | 01,315,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msoe.dll
[2009/08/05 13:53:00 | 00,845,414 | ---- | C] () -- C:\Documents and Settings\Family\My Documents\baby hudson.docx
[2009/08/05 05:01:48 | 00,204,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mswebdvd.dll
[2009/06/25 16:40:43 | 00,168,448 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/06/07 17:03:40 | 00,000,000 | ---- | C] () -- C:\WINDOWS\ATIMMC.INI
[2009/06/07 04:24:37 | 00,011,776 | ---- | C] () -- C:\WINDOWS\System32\pmsbfn32.dll
[2009/06/07 04:23:39 | 00,000,412 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2009/06/07 04:15:56 | 00,003,584 | ---- | C] () -- C:\WINDOWS\System32\CNCFLcNL.DLL
[2009/06/05 13:59:34 | 00,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/06/05 13:39:38 | 00,000,000 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2009/06/05 13:39:29 | 00,000,231 | ---- | C] () -- C:\WINDOWS\AC3API.INI
[2009/06/05 13:38:47 | 00,037,727 | ---- | C] () -- C:\WINDOWS\System32\Emu10kx.ini
[2009/06/05 13:38:47 | 00,000,029 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2009/06/05 13:38:41 | 00,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[2009/06/05 13:38:35 | 00,000,180 | ---- | C] () -- C:\WINDOWS\System32\KILL.INI
[2009/06/05 13:32:48 | 00,006,048 | ---- | C] () -- C:\WINDOWS\System32\MCC16.dll
[2009/06/04 14:28:10 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2009/06/04 14:27:09 | 00,131,072 | R--- | C] ( ) -- C:\WINDOWS\System32\ATIDEMGR.dll
[2009/06/04 14:24:20 | 00,003,852 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2009/06/04 14:24:18 | 00,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2004/07/10 21:35:16 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.dll
[2004/01/28 11:42:06 | 00,013,601 | ---- | C] () -- C:\WINDOWS\System32\vctest.ini
[2002/08/29 08:00:00 | 00,000,592 | ---- | C] () -- C:\WINDOWS\win.ini
[2002/08/29 08:00:00 | 00,000,435 | ---- | C] () -- C:\WINDOWS\system.ini

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[5 C:\WINDOWS\*.tmp files]
[2009/08/31 12:11:48 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Family\Desktop\OTL.exe
[2009/08/31 12:08:06 | 03,374,149 | ---- | M] () -- C:\WINDOWS\{00000000-00000000-0000000D-00001102-00000002-80651102}.CDF
[2009/08/31 12:08:06 | 03,374,149 | ---- | M] () -- C:\WINDOWS\{00000000-00000000-0000000D-00001102-00000002-80651102}.BAK
[2009/08/31 12:01:09 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/08/31 12:01:06 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/08/31 02:30:15 | 00,025,296 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000000-00000000-0000000D-00001102-00000002-80651102}.rfx
[2009/08/31 02:30:15 | 00,025,296 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000000-00000000-0000000D-00001102-00000002-80651102}.rfx
[2009/08/31 02:30:15 | 00,016,516 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000000-00000000-0000000D-00001102-00000002-80651102}.rfx
[2009/08/31 02:30:15 | 00,016,516 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000000-00000000-0000000D-00001102-00000002-80651102}.rfx
[2009/08/31 02:30:15 | 00,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2009/08/31 02:30:15 | 00,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2009/08/31 02:30:15 | 00,000,024 | ---- | M] () -- C:\WINDOWS\System32\DVCStateBkp-{00000000-00000000-0000000D-00001102-00000002-80651102}.dat
[2009/08/31 02:30:15 | 00,000,024 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000000-00000000-0000000D-00001102-00000002-80651102}.dat
[2009/08/31 02:21:16 | 00,003,584 | ---- | M] () -- C:\Documents and Settings\Family\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/30 21:12:36 | 00,111,928 | ---- | M] () -- C:\WINDOWS\System32\PnkBstrB.exe
[2009/08/30 21:12:32 | 00,075,064 | ---- | M] () -- C:\WINDOWS\System32\PnkBstrA.exe
[2009/08/30 21:12:29 | 02,373,712 | ---- | M] () -- C:\WINDOWS\System32\pbsvc.exe
[2009/08/30 17:59:13 | 03,771,536 | -H-- | M] () -- C:\Documents and Settings\Family\Local Settings\Application Data\IconCache.db
[2009/08/30 17:16:34 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/08/29 15:53:53 | 00,000,435 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/08/29 15:53:22 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/08/29 15:44:04 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/08/28 14:23:35 | 00,288,768 | ---- | M] () -- C:\n8dn5ov0.exe
[2009/08/27 13:49:13 | 00,000,592 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/08/27 13:49:13 | 00,000,211 | ---- | M] () -- C:\Boot.bak
[2009/08/27 13:37:28 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/08/27 01:37:01 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/08/24 16:30:28 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/08/23 03:09:13 | 00,229,376 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/08/05 13:53:01 | 00,845,414 | ---- | M] () -- C:\Documents and Settings\Family\My Documents\baby hudson.docx
[2009/08/05 05:01:48 | 00,204,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mswebdvd.dll
[2009/08/05 05:01:48 | 00,204,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mswebdvd.dll
[2009/08/03 13:36:28 | 00,038,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/08/03 13:36:06 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
< End of report >
  • 0

#12
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page =IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://today.ask.com/frostwire?o=101676&l=dis
    FF - prefs.js..browser.search.defaultenginename: "Ask"
    FF - prefs.js..browser.search.order.1: "Ask"
    FF - prefs.js..keyword.URL: "http://toolbar.ask.com/toolbarv/askRedirect?o=101664&gct=&gc=1&q="
  • Then click the Run Fix button at the top
  • Let the program run unhindered,when it is done it will say "Fix Complete press ok to open log"
  • Please post that log in your next reply.

Also let me know how things are running?
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP