Google redirect/pop-up virus [Closed] - Geeks to Go Forums



Google redirect/pop-up virus [Closed] trojan dropper & svchost.exe infection

#1 Khada

  • Group: Member
  • Posts: 6
  • Joined: 12-December 09

Posted 12 December 2009 - 05:10 AM

G'day GeeksToGo!

I have recently managed to infect my computer (and the other 2 on the network) with what appears to be a nasty trojan dropper. I fancy myself as a pretty tech-savvy fellow, and this is the first virus I have encountered that I have not been able to get rid of on my own (with a little help from Google), so no need to baby-step me through the obvious things :)

The symptoms are as follows:
1. Google links are often redirected to other URLs that advertise various goods/services.
2. When a new tab is opened via a link, an additional tab will open and be automatically directed to one of the above-mentioned URLs.
3. I am currently getting pop-ups from AVG informing me that:

Threat was blocked!
File name: 91.212.226.178/260-new.exe
Threat name: Virus found Win32/Cryptor
Process name: C:\Windows\System32\svchost.exe
Process ID: 924

and I just got one right now that says:

Threat was blocked!
File name: software-online-scanner.biz/secure1/?id=259b4c25aa08557e7c8892c5d64253db
Threat name: Exploit Rogue spyware scanner (type 504)
Process name: C:\Program Files\Mozilla Firefox\firefox.exe
Process ID: 2668


I will try to explain what I have done so far, etc.
I first contracted the virus after installing a piece of dodgy software (obviously my full version of AVG 9.0 didn't do any good, lol, and I did scan the installer prior to installing with nothing found). The software didn't do what I wanted it to and I uninstalled it right away. I then noticed the virus when I encountered symptoms 1 & 2. At that point I did a scan with AVG which found a few trojans, which were soon removed. I also did a registry clean (I think with RegCure, but not sure). The symptoms didn't go away, however, and further scans (also in safe mode) would only continue to find the same duplicate files each time, and removing them made no difference. It was then I knew that there was something somewhere else creating these files in the background. A few days went by (was busy with work) and over that time AVG updated and suddenly the duplicate trojan files were no longer showing up in my scans (AVG & Malwarebytes by this point). It was then that symptom 3 started to happen (the first threat mentioned pops up every few minutes whilst the second has only occurred once so far).

I will post my scan reports from Malwarebytes and OTL below:

Malwarebytes Quick Scan (Full scan reported no infections either)


Malwarebytes' Anti-Malware 1.42
Database version: 3348
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

12/12/2009 9:38:29 PM
mbam-log-2009-12-12 (21-38-29).txt

Scan type: Quick Scan
Objects scanned: 100759
Time elapsed: 2 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

OTL Scan


OTL logfile created on: 12/12/2009 10:05:52 PM - Run 1
OTL by OldTimer - Version 3.1.16.0 Folder = C:\Users\Khada\Downloads
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000c09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

2.00 Gb Total Physical Memory | 1.81 Gb Available Physical Memory | 90.58% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 465.66 Gb Total Space | 362.36 Gb Free Space | 77.82% Space Free | Partition Type: NTFS
Drive D: | 465.75 Gb Total Space | 16.88 Gb Free Space | 3.62% Space Free | Partition Type: NTFS
Drive E: | 7.84 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: KHADACOMP
Current User Name: Khada
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/12/12 21:21:49 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Users\Khada\Downloads\OTL.exe
PRC - [2009/12/11 10:55:29 | 02,033,432 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2009/12/11 10:55:28 | 00,600,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2009/12/11 10:55:28 | 00,503,576 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2009/11/24 13:34:31 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/11/21 16:55:55 | 01,055,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2009/11/21 16:55:55 | 00,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2009/11/21 16:55:53 | 00,827,160 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgam.exe
PRC - [2009/11/21 16:55:52 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2009/11/07 13:26:24 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/10/26 18:33:41 | 00,015,872 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerAssistant.exe
PRC - [2009/09/27 17:47:00 | 00,215,656 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvvsvc.exe
PRC - [2009/09/27 16:48:00 | 00,240,232 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2009/09/23 00:12:56 | 07,739,936 | ---- | M] (Realtek Semiconductor) -- C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
PRC - [2009/07/14 12:14:42 | 00,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/07/14 12:14:20 | 02,613,248 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/09/01 04:30:00 | 02,711,552 | ---- | M] () -- C:\Program Files\RivaTuner v2.10\RivaTuner.exe
PRC - [2008/07/11 11:28:06 | 40,999,448 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
PRC - [2008/07/10 02:49:44 | 00,098,840 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2007/01/09 09:48:58 | 00,147,456 | ---- | M] (Razer Inc.) -- C:\Program Files\Razer\Copperhead\razerofa.exe
PRC - [2005/11/25 10:54:32 | 00,147,456 | ---- | M] () -- C:\Program Files\Razer\Copperhead\razertra.exe
PRC - [2005/11/25 10:53:40 | 00,155,648 | ---- | M] () -- C:\Program Files\Razer\Copperhead\razerhid.exe


========== Modules (SafeList) ==========

MOD - [2009/12/12 21:21:49 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Users\Khada\Downloads\OTL.exe
MOD - [2009/11/21 16:56:10 | 00,012,464 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\avgrsstx.dll
MOD - [2009/10/26 18:33:32 | 00,004,608 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerHook.dll
MOD - [2009/07/14 12:16:15 | 00,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009/07/14 12:16:13 | 00,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009/07/14 12:16:13 | 00,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
MOD - [2009/07/14 12:16:12 | 00,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009/07/14 12:16:03 | 00,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
MOD - [2009/07/14 12:15:35 | 00,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009/07/14 12:15:13 | 00,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009/07/14 12:15:11 | 00,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009/07/14 12:15:07 | 00,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009/07/14 12:15:02 | 00,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2009/07/14 12:03:50 | 01,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/11/21 16:55:52 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2009/10/31 14:35:01 | 00,320,760 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2009/10/29 16:12:04 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) [Disabled | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/09/27 17:47:00 | 00,215,656 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Windows\System32\nvvsvc.exe -- (nvsvc)
SRV - [2009/09/27 16:48:00 | 00,240,232 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2009/07/26 06:43:14 | 00,025,832 | ---- | M] (BioWare) [On_Demand | Stopped] -- C:\Program Files\Dragon Age\bin_ship\daupdatersvc.service.exe -- (DAUpdaterSvc)
SRV - [2009/07/14 12:16:21 | 00,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009/07/14 12:16:17 | 00,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/07/14 12:16:17 | 00,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009/07/14 12:16:16 | 00,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009/07/14 12:16:15 | 00,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009/07/14 12:16:13 | 00,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/07/14 12:16:13 | 00,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/14 12:16:12 | 01,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/14 12:16:12 | 00,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009/07/14 12:16:12 | 00,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009/07/14 12:16:12 | 00,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/14 12:16:12 | 00,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009/07/14 12:15:41 | 00,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/14 12:15:36 | 00,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/07/14 12:15:21 | 00,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/14 12:15:11 | 00,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/14 12:15:10 | 00,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009/07/14 12:14:59 | 00,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009/07/14 12:14:58 | 00,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
SRV - [2009/07/14 12:14:53 | 00,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009/07/14 12:14:29 | 03,179,520 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2008/07/11 11:28:06 | 40,999,448 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe -- (MSSQL$SQLEXPRESS) SQL Server (SQLEXPRESS)
SRV - [2008/07/11 11:28:06 | 00,369,688 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE -- (SQLAgent$SQLEXPRESS) SQL Server Agent (SQLEXPRESS)
SRV - [2008/07/11 11:28:04 | 00,047,128 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE -- (MSSQLServerADHelper100)
SRV - [2008/07/10 02:49:44 | 00,098,840 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2008/07/10 02:49:34 | 00,258,072 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2007/09/20 15:35:38 | 00,382,248 | ---- | M] (Nero AG) [Disabled | Stopped] -- C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe -- (NMIndexingService)
SRV - [2007/09/20 09:51:46 | 00,853,288 | ---- | M] (Nero AG) [Disabled | Stopped] -- C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe -- (Nero BackItUp Scheduler 3)
SRV - [2006/10/27 00:47:54 | 00,065,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service)
SRV - [2006/10/26 19:49:34 | 00,441,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2006/02/28 12:42:38 | 00,229,376 | ---- | M] (Apple Computer, Inc.) [Disabled | Stopped] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ninemsn.com.au/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-au
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 3E EE D4 EF 42 58 CA 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.google.com"
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.716
FF - prefs.js..extensions.enabledItems: {35106bca-6c78-48c7-ac28-56df30b51d2d}:1.2.4

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2009/12/11 13:58:28 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/10 17:43:11 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/11/24 13:34:40 | 00,000,000 | ---D | M]

[2009/10/29 14:15:47 | 00,000,000 | ---D | M] -- C:\Users\Khada\AppData\Roaming\Mozilla\Extensions
[2009/12/11 23:24:13 | 00,000,000 | ---D | M] -- C:\Users\Khada\AppData\Roaming\Mozilla\Firefox\Profiles\ihim7dwi.default\extensions
[2009/12/04 23:00:36 | 00,000,000 | ---D | M] -- C:\Users\Khada\AppData\Roaming\Mozilla\Firefox\Profiles\ihim7dwi.default\extensions\{35106bca-6c78-48c7-ac28-56df30b51d2d}
[2009/10/30 09:41:48 | 00,000,000 | ---D | M] -- C:\Users\Khada\AppData\Roaming\Mozilla\Firefox\Profiles\ihim7dwi.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
[2009/10/30 09:42:19 | 00,000,000 | ---D | M] -- C:\Users\Khada\AppData\Roaming\Mozilla\Firefox\Profiles\ihim7dwi.default\extensions\tubestop@efinke.com
[2009/12/11 23:24:13 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: (824 bytes) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (AVG Security Toolbar) - {A057A204-BACC-4D26-9990-79A187E2698E} - Reg Error: Value error. File not found
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {A057A204-BACC-4D26-9990-79A187E2698E} - Reg Error: Value error. File not found
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Copperhead] C:\Program Files\Razer\Copperhead\razerhid.exe ()
O4 - HKLM..\Run: [RivaTuner] C:\Program Files\RivaTuner v2.10\RivaTunerWrapper.exe ()
O4 - HKLM..\Run: [RivaTunerStartupDaemon] C:\Program Files\RivaTuner v2.10\RivaTunerWrapper.exe ()
O4 - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe ()
O4 - HKCU..\Run: [Steam] c:\program files\steam\steam.exe (Valve Corporation)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes\mbamgui.exe (Malwarebytes Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (avgrsstx.dll) - C:\Windows\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/11 08:42:20 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2008/05/27 18:00:23 | 00,000,000 | ---- | M] () - D:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/07/17 09:13:07 | 01,246,440 | R--- | M] (BioWare) - E:\autorun.exe -- [ CDFS ]
O32 - AutoRun File - [2009/04/14 14:17:18 | 00,000,058 | R--- | M] () - E:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{cb4a77e1-c434-11de-82a3-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{cb4a77e1-c434-11de-82a3-806e6f6e6963}\Shell\AutoRun\command - "" = E:\autorun.exe -- [2009/07/17 09:13:07 | 01,246,440 | R--- | M] (BioWare)
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\AUTOSTARTER.EXE -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2009/07/14 13:37:08 | 00,000,000 | ---D | M]
NetSvcs: Irmon - C:\Windows\System32\irmon.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
NetSvcs: Themes - C:\Windows\System32\themeservice.dll (Microsoft Corporation)
NetSvcs: BDESVC - C:\Windows\System32\bdesvc.dll (Microsoft Corporation)

========== Files/Folders - Created Within 14 Days ==========

[2009/12/12 20:35:33 | 00,000,000 | ---D | C] -- C:\Windows\ERDNT
[2009/12/12 20:35:08 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/12/12 20:13:48 | 00,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2009/12/10 19:39:28 | 00,000,000 | ---D | C] -- C:\ProgramData\BioWare
[2009/12/10 19:37:20 | 00,000,000 | ---D | C] -- C:\Users\Khada\Documents\BioWare
[2009/12/10 19:26:23 | 00,000,000 | ---D | C] -- C:\ProgramData\Media Center Programs
[2009/12/10 19:12:48 | 00,000,000 | ---D | C] -- C:\Program Files\Dragon Age
[2009/12/10 19:12:48 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\BioWare
[2009/12/03 22:27:52 | 00,000,000 | ---D | C] -- C:\Program Files\Eusing Free Registry Cleaner
[2009/12/03 22:09:01 | 00,000,000 | ---D | C] -- C:\Users\Khada\AppData\Roaming\Malwarebytes
[2009/12/03 22:08:58 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/12/03 22:08:57 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/12/03 22:08:57 | 00,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2009/12/03 22:08:57 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes
[2009/12/03 14:22:20 | 00,000,000 | ---D | C] -- C:\ProgramData\SecTaskMan
[2009/12/03 14:22:16 | 00,000,000 | ---D | C] -- C:\Program Files\Security Task Manager
[2009/12/03 14:16:23 | 00,000,000 | ---D | C] -- C:\Windows\pss
[2009/12/02 19:04:51 | 00,000,000 | ---D | C] -- C:\Users\Khada\AppData\Roaming\NetMeter
[2009/12/01 19:50:21 | 00,000,000 | ---D | C] -- C:\Users\Khada\AppData\Roaming\dvdcss
[2004/11/25 05:25:52 | 00,335,872 | ---- | C] ( ) -- C:\Windows\System32\drvc.dll

========== Files - Modified Within 14 Days ==========

[2009/12/12 22:06:59 | 04,456,448 | -HS- | M] () -- C:\Users\Khada\ntuser.dat
[2009/12/12 20:35:10 | 00,000,894 | ---- | M] () -- C:\Users\Khada\Desktop\NTREGOPT.lnk
[2009/12/12 20:35:10 | 00,000,875 | ---- | M] () -- C:\Users\Khada\Desktop\ERUNT.lnk
[2009/12/12 20:33:36 | 00,016,944 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2009/12/12 20:33:36 | 00,016,944 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2009/12/12 20:32:44 | 00,805,724 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2009/12/12 20:32:44 | 00,684,518 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2009/12/12 20:32:44 | 00,131,790 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2009/12/12 20:28:33 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/12/12 20:28:28 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/12/12 20:28:25 | 39,817,2068 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2009/12/12 20:28:23 | 26,160,57856 | -HS- | M] () -- C:\hiberfil.sys
[2009/12/12 20:25:35 | 00,000,000 | ---- | M] () -- C:\Users\Khada\AppData\Local\prvlcl.dat
[2009/12/12 20:13:49 | 00,001,831 | ---- | M] () -- C:\Users\Khada\Desktop\CCleaner.lnk
[2009/12/12 10:12:30 | 46,509,712 | ---- | M] () -- C:\Windows\System32\drivers\Avg\incavi.avm
[2009/12/12 10:12:19 | 00,123,577 | ---- | M] () -- C:\Windows\System32\drivers\Avg\microavi.avg
[2009/12/12 00:03:34 | 02,826,686 | -H-- | M] () -- C:\Users\Khada\AppData\Local\IconCache.db
[2009/12/11 23:20:29 | 00,001,515 | ---- | M] () -- C:\Users\Khada\Desktop\DAOrigins.lnk
[2009/12/04 15:01:09 | 00,001,977 | ---- | M] () -- C:\Users\Public\Desktop\Titan Quest.lnk
[2009/12/03 21:58:27 | 00,000,805 | ---- | M] () -- C:\Users\Khada\Documents\Shortcut to CoreT.exe.lnk
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/12/03 15:24:51 | 00,524,288 | -HS- | M] () -- C:\Users\Khada\ntuser.dat{d5c5fdaf-dfb3-11de-b830-001fd08590a7}.TMContainer00000000000000000002.regtrans-ms
[2009/12/03 15:24:51 | 00,524,288 | -HS- | M] () -- C:\Users\Khada\ntuser.dat{d5c5fdaf-dfb3-11de-b830-001fd08590a7}.TMContainer00000000000000000001.regtrans-ms
[2009/12/03 15:24:51 | 00,065,536 | -HS- | M] () -- C:\Users\Khada\ntuser.dat{d5c5fdaf-dfb3-11de-b830-001fd08590a7}.TM.blf
[2009/12/03 15:23:54 | 00,000,551 | ---- | M] () -- C:\Users\Khada\AppData\Roaming\AutoGK.ini

========== Files Created - No Company Name ==========

[2009/12/12 20:35:10 | 00,000,894 | ---- | C] () -- C:\Users\Khada\Desktop\NTREGOPT.lnk
[2009/12/12 20:35:10 | 00,000,875 | ---- | C] () -- C:\Users\Khada\Desktop\ERUNT.lnk
[2009/12/12 20:13:49 | 00,001,831 | ---- | C] () -- C:\Users\Khada\Desktop\CCleaner.lnk
[2009/12/10 19:29:06 | 00,001,515 | ---- | C] () -- C:\Users\Khada\Desktop\DAOrigins.lnk
[2009/12/04 15:01:09 | 00,001,977 | ---- | C] () -- C:\Users\Public\Desktop\Titan Quest.lnk
[2009/12/04 14:53:13 | 00,040,960 | ---- | C] () -- C:\Windows\System32\psfind.dll
[2009/12/03 15:16:31 | 00,524,288 | -HS- | C] () -- C:\Users\Khada\ntuser.dat{d5c5fdaf-dfb3-11de-b830-001fd08590a7}.TMContainer00000000000000000002.regtrans-ms
[2009/12/03 15:16:31 | 00,524,288 | -HS- | C] () -- C:\Users\Khada\ntuser.dat{d5c5fdaf-dfb3-11de-b830-001fd08590a7}.TMContainer00000000000000000001.regtrans-ms
[2009/12/03 15:16:31 | 00,065,536 | -HS- | C] () -- C:\Users\Khada\ntuser.dat{d5c5fdaf-dfb3-11de-b830-001fd08590a7}.TM.blf
[2009/12/03 14:32:43 | 00,000,000 | ---- | C] () -- C:\Users\Khada\AppData\Local\prvlcl.dat
[2009/11/28 14:41:07 | 00,281,760 | ---- | C] () -- C:\Windows\System32\drivers\atksgt.sys
[2009/11/28 14:41:06 | 00,025,888 | ---- | C] () -- C:\Windows\System32\drivers\lirsgt.sys
[2009/11/14 11:18:44 | 00,000,551 | ---- | C] () -- C:\Users\Khada\AppData\Roaming\AutoGK.ini
[2009/11/06 10:58:04 | 00,178,975 | ---- | C] () -- C:\Windows\System32\xlive.dll.cat
[2009/10/29 17:07:55 | 00,000,069 | ---- | C] () -- C:\Windows\NeroDigital.ini
[2009/10/29 16:55:05 | 00,146,432 | ---- | C] () -- C:\Windows\System32\APOMngr.DLL
[2009/10/29 16:55:05 | 00,072,704 | ---- | C] () -- C:\Windows\System32\CmdRtr.DLL
[2009/10/29 16:53:38 | 00,073,728 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll
[2009/10/29 15:58:07 | 00,000,262 | ---- | C] () -- C:\Windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/10/23 06:15:56 | 00,143,872 | ---- | C] () -- C:\Windows\System32\libmpeg2_ff.dll
[2009/10/17 10:58:06 | 00,183,296 | ---- | C] () -- C:\Windows\System32\ff_samplerate.dll
[2009/10/17 10:57:06 | 00,146,944 | ---- | C] () -- C:\Windows\System32\ff_tremor.dll
[2009/10/17 10:04:24 | 00,178,688 | ---- | C] () -- C:\Windows\System32\ff_libmad.dll
[2009/10/17 10:04:08 | 00,113,152 | ---- | C] () -- C:\Windows\System32\ff_unrar.dll
[2009/10/17 10:03:48 | 00,257,024 | ---- | C] () -- C:\Windows\System32\ff_libdts.dll
[2009/10/17 10:03:44 | 00,142,848 | ---- | C] () -- C:\Windows\System32\ff_liba52.dll
[2009/10/17 10:03:40 | 00,484,864 | ---- | C] () -- C:\Windows\System32\ff_libfaad2.dll
[2009/10/17 09:10:10 | 00,281,748 | ---- | C] () -- C:\Windows\System32\ff_kernelDeint.dll
[2009/10/17 06:38:20 | 00,914,464 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2009/10/17 06:35:50 | 00,311,204 | ---- | C] () -- C:\Windows\System32\TomsMoComp_ff.dll
[2009/10/17 06:04:28 | 01,632,375 | ---- | C] () -- C:\Windows\System32\ffmpegmt.dll
[2009/08/03 00:21:54 | 00,197,912 | ---- | C] () -- C:\Windows\System32\physxcudart_20.dll
[2009/08/03 00:21:54 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
[2009/08/03 00:21:54 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
[2009/08/03 00:21:54 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
[2009/08/03 00:21:54 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2009/08/03 00:21:54 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
[2009/08/03 00:21:54 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
[2009/08/03 00:21:54 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
[2009/08/03 00:21:52 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
[2009/08/03 00:21:52 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll
[2009/07/14 10:51:43 | 00,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/14 10:42:10 | 00,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/01/26 08:10:48 | 00,179,200 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2009/01/11 09:17:32 | 00,163,840 | ---- | C] () -- C:\Windows\System32\ts.dll
[2009/01/11 09:16:56 | 00,148,480 | ---- | C] () -- C:\Windows\System32\mkx.dll
[2009/01/11 09:16:50 | 00,108,032 | ---- | C] () -- C:\Windows\System32\avi.dll
[2009/01/11 09:16:14 | 00,141,312 | ---- | C] () -- C:\Windows\System32\mp4.dll
[2009/01/11 09:15:54 | 00,120,832 | ---- | C] () -- C:\Windows\System32\ogm.dll
[2009/01/11 09:15:44 | 00,159,744 | ---- | C] () -- C:\Windows\System32\mmfinfo.dll
[2009/01/11 09:15:32 | 00,102,400 | ---- | C] () -- C:\Windows\System32\avss.dll
[2009/01/11 09:15:28 | 00,246,784 | ---- | C] () -- C:\Windows\System32\dxr.dll
[2009/01/11 09:15:12 | 00,097,280 | ---- | C] () -- C:\Windows\System32\avs.dll
[2009/01/11 09:14:08 | 00,079,360 | ---- | C] () -- C:\Windows\System32\mkzlib.dll
[2009/01/11 09:14:06 | 00,023,552 | ---- | C] () -- C:\Windows\System32\mkunicode.dll
[2008/12/20 01:15:58 | 04,338,246 | ---- | C] () -- C:\Windows\System32\libavcodec.dll
[2008/12/18 03:41:18 | 00,884,237 | ---- | C] () -- C:\Windows\System32\ff_x264.dll
[2008/12/18 03:22:58 | 00,093,184 | ---- | C] () -- C:\Windows\System32\ff_wmv9.dll
[2008/12/18 03:22:48 | 00,057,344 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2008/12/18 03:17:34 | 00,239,247 | ---- | C] () -- C:\Windows\System32\ff_theora.dll
[2008/12/18 02:59:54 | 00,560,802 | ---- | C] () -- C:\Windows\System32\libmplayer.dll
[2008/12/11 21:27:02 | 00,000,547 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll.manifest
[2008/11/07 03:37:32 | 03,596,288 | ---- | C] () -- C:\Windows\System32\qt-dx331.dll
[2008/11/07 03:34:00 | 00,000,416 | ---- | C] () -- C:\Windows\System32\dtu100.dll.manifest
[2007/10/13 20:30:20 | 00,000,137 | ---- | C] () -- C:\Windows\System32\Registration.ini
[2004/10/04 03:50:54 | 00,129,024 | ---- | C] () -- C:\Windows\System32\ff_mpeg2enc.dll
[2002/10/16 09:54:04 | 00,153,088 | ---- | C] () -- C:\Windows\System32\unrar.dll

========== LOP Check ==========

[2009/11/08 08:48:53 | 00,000,000 | ---D | M] -- C:\Users\Khada\AppData\Roaming\Leadertech
[2009/11/28 15:39:10 | 00,000,000 | ---D | M] -- C:\Users\Khada\AppData\Roaming\Multi File Downloader
[2009/12/03 15:15:05 | 00,000,000 | ---D | M] -- C:\Users\Khada\AppData\Roaming\NetMeter
[2009/12/03 15:14:47 | 00,000,000 | ---D | M] -- C:\Users\Khada\AppData\Roaming\Octoshape
[2009/11/12 09:38:31 | 00,000,000 | ---D | M] -- C:\Users\Khada\AppData\Roaming\runic games
[2009/12/03 15:15:07 | 00,000,000 | ---D | M] -- C:\Users\Khada\AppData\Roaming\uTorrent
[2009/07/14 15:53:46 | 00,021,510 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2009/07/14 12:26:15 | 00,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\drivers\AGP440.sys
[2009/07/14 12:26:15 | 00,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_x86_neutral_65848c2d7375a720\AGP440.sys
[2009/07/14 12:26:15 | 00,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.1.7600.16385_none_b9e9435f20046eeb\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/12/07 19:56:12 | 00,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\drivers\atapi.sys
[2009/07/14 12:26:15 | 00,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys
[2009/07/14 12:26:15 | 00,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2009/07/14 12:15:06 | 00,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\System32\cngaudit.dll
[2009/07/14 12:15:06 | 00,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\cngaudit.dll

< MD5 for: IASTORV.SYS >
[2009/07/14 12:20:36 | 00,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\System32\drivers\iaStorV.sys
[2009/07/14 12:20:36 | 00,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_x86_neutral_18cccb83b34e1453\iaStorV.sys
[2009/07/14 12:20:36 | 00,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_aee7a89be91b9000\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2009/07/14 12:16:02 | 00,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\System32\netlogon.dll
[2009/07/14 12:16:02 | 00,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_fd8e0d66994d7dc8\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2009/07/14 12:20:44 | 00,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\System32\drivers\nvstor.sys
[2009/07/14 12:20:44 | 00,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_x86_neutral_5bde3fe2945bce9e\nvstor.sys
[2009/07/14 12:20:44 | 00,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_39b1194b205239d8\nvstor.sys

< MD5 for: SCECLI.DLL >
[2009/07/14 12:16:13 | 00,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\System32\scecli.dll
[2009/07/14 12:16:13 | 00,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_37e4387f3a6f0483\scecli.dll

< %systemroot%\*. /mp /s >

========== Files - Unicode (All) ==========
[2009/12/10 17:02:10 | 00,000,006 | ---- | M] ()(C:\Users\Khada\Documents\??) -- C:\Users\Khada\Documents\キス
[2009/12/10 17:02:10 | 00,000,006 | ---- | C] ()(C:\Users\Khada\Documents\??) -- C:\Users\Khada\Documents\キス

========== Alternate Data Streams ==========

@Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:05EE1EEF

< End of report >




And OTL Extras

Quote

OTL Extras logfile created on: 12/12/2009 10:05:52 PM - Run 1
OTL by OldTimer - Version 3.1.16.0 Folder = C:\Users\Khada\Downloads
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000c09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

2.00 Gb Total Physical Memory | 1.81 Gb Available Physical Memory | 90.58% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 465.66 Gb Total Space | 362.36 Gb Free Space | 77.82% Space Free | Partition Type: NTFS
Drive D: | 465.75 Gb Total Space | 16.88 Gb Free Space | 3.62% Space Free | Partition Type: NTFS
Drive E: | 7.84 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: KHADACOMP
Current User Name: Khada
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- "%SystemRoot%\hh.exe" %1
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
chm.file [open] -- "%SystemRoot%\hh.exe" %1
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0046FA01-C5B9-4985-BACB-398DC480FC05}" = Adobe Photoshop CS3
"{007BECB0-17DD-4230-9D2F-185287262B14}" = Microsoft XNA Game Studio 3.1 (Platformer)
"{00C5F4F4-62F9-40D7-8000-AD8A9CD0C669}" = Microsoft Games for Windows - LIVE Redistributable
"{044F9133-B8D7-4d11-BF39-803FA20F5C8B}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{04AF207D-9A77-465A-8B76-991F6AB66245}" = Adobe Help Viewer CS3
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{0C19D563-5F25-4621-BF10-01F741BD283F}" = Microsoft SQL Server Compact 3.5 SP1 Design Tools English
"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support
"{0DC16794-7E69-4534-82FA-9DD0500FF338}" = Microsoft XNA Game Studio 3.1 (Redists)
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{155F4A0E-76ED-45A2-91FB-FF2A2133C31A}" = Risen
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{196E77C5-F524-4B50-BD1A-2C21EEE9B8F7}" = Microsoft SQL Server 2008 Common Files
"{19BFDA5D-1FE2-4F25-97F9-1A79DD04EE20}" = Microsoft XNA Framework Redistributable 3.1
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 17
"{28A946E1-E83B-4662-BC7C-23451851489E}" = Razer Copperhead
"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3
"{2A539CD9-0F75-4875-9A32-E06DD93C4114}" = Adobe Extension Manager CS3
"{342D4AD7-EC4C-4EC8-AEA6-E70F5905A490}" = SQL Server System CLR Types
"{3898934B-05AE-41CD-96BE-70DA9BFBCE1F}" = Microsoft XNA Framework Redistributable 3.0
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{3A12C952-61D5-4C3B-B68B-8CFBE47E22F1}" = Adobe Setup
"{3BA37E38-B53D-4520-B8DA-1DD62AD3A74E}" = Microsoft XNA Game Studio 3.1 (VCSExpress)
"{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{412B69AF-C352-4F6F-A318-B92B3CB9ACC6}" = Titan Quest
"{4815BD99-96A4-49FE-A885-DCF06E9E4E78}" = Microsoft SQL Server 2008 Database Engine Shared
"{4A6F34E2-09E5-4616-B227-4A26A488A6F9}" = Microsoft SQL Server 2008 Common Files
"{4F3E17F8-F1C8-4A4B-9EB8-1EE2D190CDA9}" = Adobe Setup
"{51846830-E7B2-4218-8968-B77F0FF475B8}" = Adobe Color EU Extra Settings
"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{58721EC3-8D4E-4B79-BC51-1054E2DDCD10}" = Microsoft SQL Server 2008 Database Engine Services
"{5BE1E709-30E4-3D6D-A708-96CE8D5E5E8D}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7FD30AE7-281D-455F-AF9F-0C6C5E334EAD}" = Microsoft XNA Game Studio 3.1 Documentation
"{802771A9-A856-4A41-ACF7-1450E523C923}" = Adobe XMP Panels CS3
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek Ethernet Controller Driver For Windows Vista and Later
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95655ED4-7CA5-46DF-907F-7144877A32E5}" = Adobe Color NA Recommended Settings
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{9D6D76A6-4328-49E8-97A7-531A74841DA5}" = Microsoft SQL Server 2008 Setup Support Files (English)
"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
"{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A4418082-E601-3954-805B-D56A2B50EC8B}" = Microsoft Visual C# 2008 Express Edition with SP1 - ENU
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings
"{AC76BA86-7AD7-1033-7B44-A80000000002}" = Adobe Reader 8
"{AEC81925-9C76-4707-84A9-40696C613ED3}" = Dragon Age: Origins
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{AF9BDE67-11A5-449A-B9F0-BE572A093DDB}" = Microsoft XNA Game Studio 3.1 (Shared Components)
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B5153233-9AEE-4CD4-9D2C-4FAAC870DBE2}" = Microsoft SQL Server 2008 Database Engine Services
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B857D868-F8B0-43EE-BC2B-D9E5ED21F237}" = Microsoft SQL Server VSS Writer
"{B944FA21-81AF-4A77-8328-CE4F4CC51033}" = Nero 8
"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3
"{BED4CEEC-863F-4AB3-BA23-541764E2D2CE}" = Microsoft XNA Game Studio Platform Tools
"{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}" = Adobe ExtendScript Toolkit 2
"{C5C1C0F0-D62F-4DBF-81D4-D7EF397C228B}" = NVIDIA PhysX
"{C688457E-03FD-4941-923B-A27F4D42A7DD}" = Microsoft SQL Server 2008 Browser
"{C965F01C-76EA-4BD7-973E-46236AE312D7}" = Sql Server Customer Experience Improvement Program
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{D1BB4446-AE9C-4256-9A7F-4D46604D2462}" = Adobe Setup
"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files
"{D9D937B0-E842-4130-9588-B948E876904A}" = Microsoft SQL Server 2008 Native Client
"{DA703982C580418795BF4001AA9D7061}" = DivX Plus Media Foundation Components
"{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}" = Adobe Color Common Settings
"{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings
"{DFB81F19-ED3A-4DA5-AFE4-1B999E2A8DC5}" = Microsoft XNA Game Studio 3.1 (XnaLiveProxy)
"{E1D78366-91DA-4AD0-B417-28155743CC22}" = Microsoft XNA Game Studio 3.1 (ARP entry)
"{E59113EB-0285-4BFD-A37A-B79EAC6B8F4B}" = Microsoft SQL Server Compact 3.5 SP1 English
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{F01D5ED5-D53A-4468-B428-149DC2CB3110}" = Adobe Dreamweaver CS3
"{F08E8D2E-F132-4742-9C87-D5FF223A016A}" = Adobe Illustrator CS3
"{F112F66E-25CA-42DD-983C-6118EB38F606}" = Microsoft Games for Windows - LIVE
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F1DC7648-8623-442F-92B7-E118DF61872E}" = Microsoft SQL Server 2008 RsFx Driver
"{F3494AB6-6900-41C6-AF57-823626827ED8}" = Microsoft SQL Server 2008 Database Engine Shared
"{F5E87B12-3C27-452F-8E78-21D42164FD83}" = Microsoft SQL Server 2008 Management Objects
"{FD024BC1-B096-4FD0-A1A1-B3DD2F315854}_is1" = Borderlands
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe_2ac78060bc5856b0c1cf873bb919b58" = Adobe Photoshop CS3
"Adobe_435a6af7459cb02a9c1138113a26e93" = Adobe Dreamweaver CS3
"Adobe_a04a925a57548091300ada368235fc6" = Adobe Illustrator CS3
"AutoGK" = Auto Gordian Knot 2.55
"AVG9Uninstall" = AVG 9.0
"AviSynth" = AviSynth 2.5
"CCleaner" = CCleaner
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"ENTERPRISE" = Microsoft Office Enterprise 2007
"ERUNT_is1" = ERUNT 1.1j
"Eusing Free Registry Cleaner" = Eusing Free Registry Cleaner
"Fraps" = Fraps (remove only)
"HijackThis" = HijackThis 2.0.2
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft SQL Server 10" = Microsoft SQL Server 2008
"Microsoft SQL Server 10 Release" = Microsoft SQL Server 2008
"Microsoft Visual C# 2008 Express Edition with SP1 - ENU" = Microsoft Visual C# 2008 Express Edition with SP1 - ENU
"Mozilla Firefox (3.5.5)" = Mozilla Firefox (3.5.5)
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver
"PowerISO" = PowerISO
"RivaTuner" = RivaTuner v2.10
"Runic Games Torchlight" = Torchlight
"S.T.A.L.K.E.R. - Shadow of Chernobyl_is1" = S.T.A.L.K.E.R. - Shadow of Chernobyl [v1.0005]
"Steam App 9460" = Frontlines: Fuel of War
"UltraISO_is1" = UltraISO Premium V9.35
"Unlocker" = Unlocker 1.8.8
"VLC media player" = VLC media player 1.0.2
"VobSub" = VobSub v2.23 (Remove Only)
"Windows 7 - Codec Pack" = Windows 7 Codec Pack 2.2.0
"WinRAR archiver" = WinRAR archiver
"XNA Game Studio 3.1" = Microsoft XNA Game Studio 3.1
"XP Codec Pack" = XP Codec Pack
"XviD MPEG4 Video Codec" = XviD MPEG4 Video Codec (remove only)

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"cbd7f51315eab612" = Game1
"Octoshape Streaming Services" = Octoshape Streaming Services
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/12/2009 9:30:14 PM | Computer Name = KhadaComp | Source = VSS | ID = 8194
Description =

Error - 10/12/2009 4:26:33 AM | Computer Name = KhadaComp | Source = MsiInstaller | ID = 1013
Description =

Error - 10/12/2009 4:30:04 AM | Computer Name = KhadaComp | Source = VSS | ID = 8194
Description =

Error - 10/12/2009 7:49:45 PM | Computer Name = KhadaComp | Source = VSS | ID = 8194
Description =

Error - 10/12/2009 7:51:15 PM | Computer Name = KhadaComp | Source = Application Error | ID = 1000
Description = Faulting application name: mcupdate.EXE, version: 6.1.7600.16385,
time stamp: 0x4a5bccd6 Faulting module name: unknown, version: 0.0.0.0, time stamp:
0x00000000 Exception code: 0xc0000005 Fault offset: 0x000111ff Faulting process id:
0x8e4 Faulting application start time: 0x01ca79f3a83b1c22 Faulting application path:
C:\Windows\ehome\mcupdate.EXE Faulting module path: unknown Report Id: e706985e-e5e6-11de-b7a9-001fd08590a7

Error - 10/12/2009 9:32:13 PM | Computer Name = KhadaComp | Source = Application Error | ID = 1000
Description = Faulting application name: DAUpdaterSvc.Service.exe, version: 1.0.1.0,
time stamp: 0x4a679b94 Faulting module name: unknown, version: 0.0.0.0, time stamp:
0x00000000 Exception code: 0xc0000005 Fault offset: 0x000111ff Faulting process id:
0xe4c Faulting application start time: 0x01ca7a01c4084b1c Faulting application path:
C:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe Faulting module path:
unknown Report Id: 01cb0608-e5f5-11de-b7a9-001fd08590a7

Error - 11/12/2009 2:37:53 AM | Computer Name = KhadaComp | Source = Application Error | ID = 1000
Description = Faulting application name: DAUpdaterSvc.Service.exe, version: 1.0.1.0,
time stamp: 0x4a679b94 Faulting module name: unknown, version: 0.0.0.0, time stamp:
0x00000000 Exception code: 0xc0000005 Fault offset: 0x000111ff Faulting process id:
0x134 Faulting application start time: 0x01ca7a2c762470e0 Faulting application path:
C:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe Faulting module path:
unknown Report Id: b4eda324-e61f-11de-b243-001fd08590a7

Error - 11/12/2009 7:11:34 PM | Computer Name = KhadaComp | Source = Application Error | ID = 1000
Description = Faulting application name: mcupdate.EXE, version: 6.1.7600.16385,
time stamp: 0x4a5bccd6 Faulting module name: unknown, version: 0.0.0.0, time stamp:
0x00000000 Exception code: 0xc0000005 Fault offset: 0x000111ff Faulting process id:
0xdac Faulting application start time: 0x01ca7ab746647b44 Faulting application path:
C:\Windows\ehome\mcupdate.EXE Faulting module path: unknown Report Id: 860dfeb1-e6aa-11de-b8a2-001fd08590a7

Error - 12/12/2009 4:39:41 AM | Computer Name = KhadaComp | Source = Application Error | ID = 1000
Description = Faulting application name: DAUpdaterSvc.Service.exe, version: 1.0.1.0,
time stamp: 0x4a679b94 Faulting module name: unknown, version: 0.0.0.0, time stamp:
0x00000000 Exception code: 0xc0000005 Fault offset: 0x000111ff Faulting process id:
0xd98 Faulting application start time: 0x01ca7b06a5c8f52b Faulting application path:
C:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe Faulting module path:
unknown Report Id: e39a082d-e6f9-11de-8e93-001fd08590a7

Error - 12/12/2009 5:29:48 AM | Computer Name = KhadaComp | Source = Application Error | ID = 1000
Description = Faulting application name: SysRestorePoint.exe, version: 1.3.0.0,
time stamp: 0x485da791 Faulting module name: unknown, version: 0.0.0.0, time stamp:
0x00000000 Exception code: 0xc0000005 Fault offset: 0x000111ff Faulting process id:
0x1198 Faulting application start time: 0x01ca7b0da46d3ea8 Faulting application path:
C:\Users\Khada\Downloads\SysRestorePoint.exe Faulting module path: unknown Report
Id: e3ffb74e-e700-11de-894d-001fd08590a7

[ Media Center Events ]
Error - 20/11/2009 5:54:06 PM | Computer Name = KhadaComp | Source = MCUpdate | ID = 0
Description = 8:54:04 AM - Failed to retrieve ClientUpdate (Error: The request failed
with HTTP status 503: Service Unavailable.)

[ System Events ]
Error - 10/12/2009 10:57:09 PM | Computer Name = KhadaComp | Source = Service Control Manager | ID = 7016
Description = The NVIDIA Display Driver Service service has reported an invalid
current state 32.

Error - 10/12/2009 11:00:11 PM | Computer Name = KhadaComp | Source = Service Control Manager | ID = 7016
Description = The NVIDIA Display Driver Service service has reported an invalid
current state 32.

Error - 11/12/2009 2:37:50 AM | Computer Name = KhadaComp | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the Dragon
Age: Origins - Content Updater service to connect.

Error - 11/12/2009 2:37:54 AM | Computer Name = KhadaComp | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the Dragon
Age: Origins - Content Updater service to connect.

Error - 11/12/2009 9:03:47 AM | Computer Name = KhadaComp | Source = Service Control Manager | ID = 7016
Description = The NVIDIA Display Driver Service service has reported an invalid
current state 32.

Error - 11/12/2009 8:28:31 PM | Computer Name = KhadaComp | Source = Service Control Manager | ID = 7016
Description = The NVIDIA Display Driver Service service has reported an invalid
current state 32.

Error - 12/12/2009 4:39:41 AM | Computer Name = KhadaComp | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the Dragon
Age: Origins - Content Updater service to connect.

Error - 12/12/2009 4:39:41 AM | Computer Name = KhadaComp | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the Dragon
Age: Origins - Content Updater service to connect.

Error - 12/12/2009 5:28:29 AM | Computer Name = KhadaComp | Source = EventLog | ID = 6008
Description = The previous system shutdown at 8:26:41 PM on ?12/?12/?2009 was unexpected.

Error - 12/12/2009 5:28:31 AM | Computer Name = KHADACOMP | Source = BugCheck | ID = 1001
Description =


< End of report >




If there is anything else I can do to help (and I'm sure there will be :)) please just ask!

Many thanks.

#2 Rorschach112

  • Group: Retired Staff
  • Posts: 47,710
  • Joined: 23-March 07

Posted 12 December 2009 - 06:23 AM

don't put the logs in quotes

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O32 - AutoRun File - [2008/05/27 18:00:23 | 00,000,000 | ---- | M] () - D:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2009/07/17 09:13:07 | 01,246,440 | R--- | M] (BioWare) - E:\autorun.exe -- [ CDFS ]
    O32 - AutoRun File - [2009/04/14 14:17:18 | 00,000,058 | R--- | M] () - E:\autorun.inf -- [ CDFS ]
    O33 - MountPoints2\{cb4a77e1-c434-11de-82a3-806e6f6e6963}\Shell - "" = AutoRun
    O33 - MountPoints2\{cb4a77e1-c434-11de-82a3-806e6f6e6963}\Shell\AutoRun\command - "" = E:\autorun.exe -- [2009/07/17 09:13:07 | 01,246,440 | R--- | M] (BioWare)
    O33 - MountPoints2\F\Shell - "" = AutoRun
    O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\AUTOSTARTER.EXE -- File not found
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done




Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.


  • Double click on ComboFix.exe & follow the prompts.


  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
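An added example, not part of the thread and not OTL's own code: a small Python script that parses O32/O33 lines in the format OTL prints them (the fix above is built from exactly those lines), flags the ones worth a second look, and assembles the `:OTL` block that goes into the Custom Scans/Fixes box. Its input is the log lines quoted in the post plus one constructed U:\ entry (hypothetical, not from the log) so the hidden-attribute and RECYCLER checks have something to fire on. The line-format assumptions (the `[date | size | attrs | M]` block, the `-- File not found` suffix) are taken from the post, not from OTL documentation.

```python
"""Triage OTL O32/O33 AutoRun lines and emit the matching :OTL fix block.

Added example for this thread; not OTL's code and not the helper's. The line
format is inferred from the scan lines quoted in the post (assumption).
"""
import re
from dataclasses import dataclass

# Sample input: the O32/O33 lines from the OTL scan quoted above, plus one
# constructed U:\ entry (hypothetical) with a hidden target under RECYCLER.
SAMPLE_LOG = r"""
O32 - AutoRun File - [2008/05/27 18:00:23 | 00,000,000 | ---- | M] () - D:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/07/17 09:13:07 | 01,246,440 | R--- | M] (BioWare) - E:\autorun.exe -- [ CDFS ]
O32 - AutoRun File - [2009/04/14 14:17:18 | 00,000,058 | R--- | M] () - E:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{cb4a77e1-c434-11de-82a3-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{cb4a77e1-c434-11de-82a3-806e6f6e6963}\Shell\AutoRun\command - "" = E:\autorun.exe -- [2009/07/17 09:13:07 | 01,246,440 | R--- | M] (BioWare)
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\AUTOSTARTER.EXE -- File not found
O33 - MountPoints2\U\Shell\AutoRun\command - "" = U:\RECYCLER\setup.exe -- [2009/12/01 10:00:00 | 00,045,056 | -H-- | M] ()
"""

O32_RE = re.compile(
    r"^O32 - AutoRun File - \[(?P<meta>[^\]]*)\] \((?P<company>[^)]*)\) - "
    r"(?P<path>.+?) -- \[ (?P<fs>[A-Z0-9]+) \]$")
O33_CMD_RE = re.compile(
    r'^O33 - MountPoints2\\(?P<key>[^\\]+)\\Shell\\AutoRun\\command - "" = '
    r"(?P<target>.+?)(?: -- (?P<info>.*))?$")
# Attribute field of OTL's "[date | size | attrs | M]" block, e.g. "R---" or "-H--".
ATTR_RE = re.compile(r"\[[^|\]]*\|[^|\]]*\| (?P<attrs>[A-Z-]{4}) \|")


@dataclass
class Finding:
    line: str
    kind: str      # "O32" = autorun file on a volume, "O33" = MountPoints2 handler
    target: str    # path the entry points at
    reasons: list  # why it is worth removing or investigating


def attrs_of(text):
    m = ATTR_RE.search(text)
    return m.group("attrs") if m else ""


def triage(log_text):
    """Classify every O32/O33 AutoRun command line in an OTL scan."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O32_RE.match(line)
        if m:
            reasons = ["autorun file on a %s volume" % m.group("fs")]
            if "H" in attrs_of(line):
                reasons.append("hidden attribute set (typical of autorun worms)")
            findings.append(Finding(line, "O32", m.group("path"), reasons))
            continue
        m = O33_CMD_RE.match(line)
        if m:
            target, info = m.group("target"), m.group("info") or ""
            reasons = ["MountPoints2 AutoRun handler under key %s" % m.group("key")]
            if info == "File not found":
                reasons.append("stale: target no longer exists")
            if "H" in attrs_of(info):
                reasons.append("target is hidden (typical of autorun worms)")
            if "\\recycler\\" in target.lower():
                reasons.append("target inside a RECYCLER folder (autorun-worm pattern)")
            findings.append(Finding(line, "O33", target, reasons))
    return findings


def build_fix(log_text):
    """Assemble the Custom Scans/Fixes block. OTL takes its own scan lines back
    verbatim: an O32 line moves the file, an O33 line deletes the MountPoints2 key."""
    keep = [l.strip() for l in log_text.splitlines()
            if l.strip().startswith(("O32 - AutoRun File", "O33 - MountPoints2"))]
    return "\n".join([":OTL", *keep, "", ":Commands", "[purity]", "[emptytemp]", "[Reboot]"])


def main():
    for f in triage(SAMPLE_LOG):
        print("%s  %-28s %s" % (f.kind, f.target, "; ".join(f.reasons)))
    print()
    print(build_fix(SAMPLE_LOG))


if __name__ == "__main__":
    main()
```

The fix block is nothing more than the scan lines copied back under `:OTL`; the OTL log in the next post confirms what each line does (D:\AUTOEXEC.BAT is moved, the MountPoints2 subkeys are deleted), and the `File not found` handler for F:\ is exactly the kind of stale entry that survives a format of the USB stick that planted it.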

#3 Khada

  • Group: Member
  • Posts: 6
  • Joined: 12-December 09

Posted 12 December 2009 - 06:17 PM

thank you for the reply and apologies for using quotes rather than a code box.

Here's the OTL Log:
All processes killed
========== OTL ==========
D:\AUTOEXEC.BAT moved successfully.
File move failed. E:\autorun.exe scheduled to be moved on reboot.
File move failed. E:\autorun.inf scheduled to be moved on reboot.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cb4a77e1-c434-11de-82a3-806e6f6e6963}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{cb4a77e1-c434-11de-82a3-806e6f6e6963}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cb4a77e1-c434-11de-82a3-806e6f6e6963}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{cb4a77e1-c434-11de-82a3-806e6f6e6963}\ not found.
File move failed. E:\autorun.exe scheduled to be moved on reboot.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\ not found.
File F:\AUTOSTARTER.EXE not found.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: JOSHUA~1

User: Khada
->Temp folder emptied: 359942 bytes
->Temporary Internet Files folder emptied: 8365901 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 40074556 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 207429 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 46.74 mb


OTL by OldTimer - Version 3.1.16.0 log created on 12132009_105449

Files\Folders moved on Reboot...
File move failed. E:\autorun.exe scheduled to be moved on reboot.
File move failed. E:\autorun.inf scheduled to be moved on reboot.
C:\Windows\temp\6c05ca3e-4adf-47a7-8d58-f3dba5b377d3.tmp moved successfully.
C:\Windows\temp\90d71c73-aa3d-4c74-b2c9-fa35cd200626.tmp moved successfully.
C:\Windows\temp\bc9bb5b7-74df-495a-87f2-8c1b0477c84d.tmp moved successfully.
C:\Windows\temp\c55fd032-9ba9-42cf-9f48-b13cf9967043.tmp moved successfully.
C:\Windows\temp\cc8d7b93-50f8-4671-afb2-5e6eb46ed165.tmp moved successfully.

Registry entries deleted on Reboot...







And the ComboFix Log:
ComboFix 09-12-11.05 - Khada 13/12/2009 11:01:45.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.61.1033.18.3326.2401 [GMT 11:00]
Running from: c:\users\Khada\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\twain_32.dll

.
((((((((((((((((((((((((( Files Created from 2009-11-13 to 2009-12-13 )))))))))))))))))))))))))))))))
.

2009-12-13 00:07 . 2009-12-13 00:07 -------- d-----w- c:\users\Khada\AppData\Local\temp
2009-12-13 00:07 . 2009-12-13 00:07 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-12 09:35 . 2009-12-12 09:35 -------- d-----w- c:\program files\ERUNT
2009-12-12 09:13 . 2009-12-12 09:13 -------- d-----w- c:\program files\CCleaner
2009-12-10 23:55 . 2009-11-21 05:55 615704 ----a-w- c:\programdata\avg9\update\backup\avgcertx.dll
2009-12-10 23:55 . 2009-11-21 05:55 502040 ----a-w- c:\programdata\avg9\update\backup\avgrsx.exe
2009-12-10 23:55 . 2009-11-21 05:55 2352920 ----a-w- c:\programdata\avg9\update\backup\avgresf.dll
2009-12-10 23:55 . 2009-11-21 05:55 1082648 ----a-w- c:\programdata\avg9\update\backup\avgxpl.dll
2009-12-10 23:55 . 2009-11-21 05:55 1074456 ----a-w- c:\programdata\avg9\update\backup\avgcmgr.exe
2009-12-10 23:55 . 2009-11-21 05:55 1946392 ----a-w- c:\programdata\avg9\update\backup\avgapix.dll
2009-12-10 23:55 . 2009-11-21 05:55 744728 ----a-w- c:\programdata\avg9\update\backup\avgscanx.exe
2009-12-10 23:55 . 2009-11-21 05:55 562456 ----a-w- c:\programdata\avg9\update\backup\avgsrmx.dll
2009-12-10 23:55 . 2009-11-21 05:55 361752 ----a-w- c:\programdata\avg9\update\backup\avgsrmax.exe
2009-12-10 23:55 . 2009-11-21 05:55 1494088 ----a-w- c:\programdata\avg9\update\backup\avgwd.dll
2009-12-10 23:55 . 2009-11-21 05:55 1336600 ----a-w- c:\programdata\avg9\update\backup\avgssff.dll
2009-12-10 23:49 . 2009-11-21 05:55 798488 ----a-w- c:\programdata\avg9\update\backup\avginet.dll
2009-12-10 08:39 . 2009-12-10 08:39 -------- d-----w- c:\programdata\BioWare
2009-12-10 08:26 . 2009-12-10 08:26 -------- d-----w- c:\programdata\Media Center Programs
2009-12-10 08:12 . 2009-12-10 08:29 -------- d-----w- c:\program files\Dragon Age
2009-12-10 08:12 . 2009-12-10 08:26 -------- d-----w- c:\program files\Common Files\BioWare
2009-12-04 03:53 . 2006-09-20 05:58 40960 ----a-w- c:\windows\system32\psfind.dll
2009-12-04 00:28 . 2009-12-04 00:28 336192 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2009-12-03 11:27 . 2009-12-03 11:29 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2009-12-03 11:09 . 2009-12-03 11:09 -------- d-----w- c:\users\Khada\AppData\Roaming\Malwarebytes
2009-12-03 11:08 . 2009-12-03 05:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 11:08 . 2009-12-12 09:49 -------- d-----w- c:\program files\Malwarebytes
2009-12-03 11:08 . 2009-12-03 11:08 -------- d-----w- c:\programdata\Malwarebytes
2009-12-03 11:08 . 2009-12-03 05:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-03 03:32 . 2009-12-12 11:25 0 ----a-w- c:\users\Khada\AppData\Local\prvlcl.dat
2009-12-03 03:22 . 2009-12-03 04:15 -------- d-----w- c:\programdata\SecTaskMan
2009-12-03 03:22 . 2009-12-03 04:15 -------- d-----w- c:\program files\Security Task Manager
2009-12-02 08:04 . 2009-12-03 04:15 -------- d-----w- c:\users\Khada\AppData\Roaming\NetMeter
2009-12-01 08:50 . 2009-12-01 08:50 -------- d-----w- c:\users\Khada\AppData\Roaming\dvdcss
2009-11-28 05:04 . 2009-11-28 05:04 -------- d--h--w- c:\windows\PIF
2009-11-28 04:35 . 2009-11-28 04:35 -------- d-----w- c:\programdata\boost_interprocess
2009-11-28 04:35 . 2009-11-28 04:39 -------- d-----w- c:\users\Khada\AppData\Roaming\Multi File Downloader
2009-11-28 04:17 . 2009-12-03 04:15 -------- d-----w- c:\program files\UltraISO
2009-11-28 04:17 . 2009-11-28 04:17 -------- d-----w- c:\program files\Common Files\EZB Systems
2009-11-28 03:41 . 2009-11-28 03:41 281760 ----a-w- c:\windows\system32\drivers\atksgt.sys
2009-11-28 03:41 . 2009-11-28 03:41 25888 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2009-11-27 11:58 . 2009-07-28 09:41 396800 ----a-w- c:\users\Khada\AppData\Roaming\Octoshape\Octoshape Streaming Services\sua-0907280-0-libOctoshapeClient.dll
2009-11-27 11:58 . 2009-07-28 09:41 124184 ----a-w- c:\users\Khada\AppData\Roaming\Octoshape\Octoshape Streaming Services\sua-0907280-0-apoctoshape.dll
2009-11-27 11:58 . 2009-07-28 09:41 120088 ----a-w- c:\users\Khada\AppData\Roaming\Octoshape\Octoshape Streaming Services\sua-0907280-0-npoctoshape.dll
2009-11-27 11:58 . 2009-01-08 13:44 70936 ----a-w- c:\users\Khada\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
2009-11-27 11:48 . 2009-11-27 11:58 120088 ----a-w- c:\users\Khada\AppData\Roaming\Mozilla\Plugins\npoctoshape.dll
2009-11-27 11:48 . 2009-12-03 04:14 -------- d-----w- c:\users\Khada\AppData\Roaming\Octoshape
2009-11-25 23:52 . 2009-12-04 02:35 -------- d-----r- c:\program files\Modern Warfare 2
2009-11-24 02:35 . 2009-11-24 02:35 -------- d-----w- c:\windows\Sun
2009-11-24 02:34 . 2009-11-24 02:34 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-24 02:34 . 2009-11-24 02:34 -------- d-----w- c:\program files\Java
2009-11-21 06:00 . 2009-11-21 06:00 3963160 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2009-11-21 06:00 . 2009-11-21 05:55 497944 ----a-w- c:\programdata\avg9\update\backup\avgchjwx.dll
2009-11-21 06:00 . 2009-11-21 06:00 844056 ----a-w- c:\programdata\avg9\update\backup\avgupd.exe
2009-11-21 06:00 . 2009-11-21 06:00 1658136 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2009-11-21 05:56 . 2009-11-21 05:56 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-21 05:56 . 2009-11-21 05:56 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-11-21 05:56 . 2009-11-21 05:56 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-21 05:56 . 2009-11-21 05:56 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-21 05:55 . 2009-12-12 23:35 -------- d-----w- c:\windows\system32\drivers\Avg
2009-11-21 05:55 . 2009-11-21 05:55 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-21 05:55 . 2009-11-21 05:55 -------- d-----w- c:\program files\AVG
2009-11-20 22:53 . 2003-03-18 21:20 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-11-20 22:53 . 2003-03-18 20:14 499712 ----a-w- c:\windows\system32\MSVCP71.dll
2009-11-13 23:53 . 2009-11-13 23:53 -------- d-----w- c:\program files\XviD
2009-11-13 23:53 . 2009-11-13 23:53 -------- d-----w- c:\program files\AviSynth 2.5
2009-11-13 23:53 . 2009-11-13 23:53 -------- d-----w- c:\program files\Gabest
2009-11-13 23:53 . 2009-11-13 23:53 -------- d-----w- c:\program files\AutoGK
2009-11-13 23:52 . 2009-11-13 23:52 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2009-11-13 23:52 . 2009-11-13 23:52 -------- d-----w- c:\program files\DivX
2009-11-13 23:52 . 2009-11-13 23:52 -------- d-----w- c:\program files\Common Files\DivX Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-12 23:57 . 2009-10-29 03:27 -------- d-----w- c:\program files\Steam
2009-12-12 23:56 . 2009-10-29 04:19 -------- d-----w- c:\programdata\NVIDIA
2009-12-12 09:46 . 2009-12-12 09:46 4844296 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-10 08:30 . 2009-10-29 05:54 -------- d-----w- c:\program files\Common Files\InstallShield
2009-12-10 08:30 . 2009-10-29 05:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-07 08:56 . 2009-07-13 23:11 21584 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-04 03:49 . 2009-10-29 06:57 -------- d-----w- c:\program files\THQ
2009-12-03 04:15 . 2009-07-14 04:52 -------- d-----w- c:\program files\Windows Sidebar
2009-12-03 04:15 . 2009-10-29 05:11 -------- d-----w- c:\users\Khada\AppData\Roaming\vlc
2009-12-03 04:15 . 2009-10-29 04:45 -------- d-----w- c:\users\Khada\AppData\Roaming\uTorrent
2009-12-03 04:15 . 2009-10-29 04:18 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-21 05:55 . 2009-10-29 07:35 -------- d-----w- c:\programdata\avg9
2009-11-11 23:17 . 2009-11-07 21:52 -------- d-----w- c:\program files\Atari
2009-11-11 22:38 . 2009-11-11 22:38 -------- d-----w- c:\users\Khada\AppData\Roaming\runic games
2009-11-11 22:30 . 2009-11-11 22:30 -------- d-----w- c:\program files\Runic Games
2009-11-11 10:23 . 2009-11-11 10:23 -------- d-----w- c:\users\Khada\AppData\Roaming\Media Player Classic
2009-11-11 10:23 . 2009-11-11 10:23 -------- d-----w- c:\users\Khada\AppData\Roaming\DivX
2009-11-11 10:23 . 2009-11-11 10:23 -------- d-----w- c:\program files\XP Codec Pack
2009-11-07 21:48 . 2009-11-07 21:48 -------- d-----w- c:\users\Khada\AppData\Roaming\Leadertech
2009-11-07 09:06 . 2009-11-07 09:06 -------- d-----w- c:\program files\AGEIA Technologies
2009-11-07 09:03 . 2009-11-07 08:43 -------- d-----w- c:\program files\Borderlands
2009-11-07 00:40 . 2009-11-07 00:40 32768 ----a-w- c:\windows\system32\drivers\taphss.sys
2009-11-06 06:41 . 2009-11-06 06:40 -------- d-----w- c:\program files\QuickTime
2009-11-06 06:40 . 2009-11-06 06:40 -------- d-----w- c:\programdata\Apple Computer
2009-11-06 06:40 . 2009-11-06 06:40 -------- d-----w- c:\program files\Common Files\Apple
2009-11-06 06:40 . 2009-11-06 06:40 -------- d-----w- c:\programdata\Apple
2009-11-05 23:59 . 2009-11-05 23:59 15406728 ----a-w- c:\windows\system32\xlive.dll
2009-11-05 23:59 . 2009-11-05 23:59 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-11-03 09:22 . 2009-11-03 09:22 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2009-11-01 10:19 . 2009-11-01 00:15 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-01 04:40 . 2009-11-01 04:40 -------- d-----w- c:\program files\Audacity
2009-10-31 23:53 . 2009-10-30 00:26 -------- d-----w- c:\programdata\Avira
2009-10-31 23:15 . 2009-10-29 03:27 -------- d-----w- c:\program files\Common Files\Steam
2009-10-31 09:18 . 2009-10-29 03:04 111648 ----a-w- c:\users\Khada\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-30 02:30 . 2009-10-29 04:41 -------- d-----w- c:\program files\Cpuz
2009-10-30 01:25 . 2009-10-29 10:29 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-10-29 23:35 . 2009-10-29 05:39 -------- d-----w- c:\program files\Lucidity
2009-10-29 10:44 . 2009-10-29 10:44 -------- d-----w- c:\programdata\LucasArts
2009-10-29 10:33 . 2009-10-29 05:01 -------- d-----w- c:\programdata\Microsoft Help
2009-10-29 10:28 . 2009-10-29 10:28 -------- d-----w- c:\program files\Microsoft XNA
2009-10-29 10:23 . 2009-10-29 10:21 -------- d-----w- c:\program files\Microsoft SQL Server
2009-10-29 10:22 . 2009-10-29 05:03 -------- d-----w- c:\program files\Microsoft.NET
2009-10-29 10:21 . 2009-10-29 10:19 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2009-10-29 10:21 . 2009-10-29 10:21 -------- d-----w- c:\program files\Microsoft Synchronization Services
2009-10-29 10:21 . 2009-10-29 10:21 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-10-29 10:19 . 2009-10-29 10:19 -------- d-----w- c:\program files\Microsoft SDKs
2009-10-29 07:37 . 2009-10-29 07:37 -------- d-----w- c:\program files\Winamp
2009-10-29 07:37 . 2009-10-29 07:37 -------- d-----w- c:\program files\GameSpy Arcade
2009-10-29 07:07 . 2009-10-29 07:07 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-10-29 07:04 . 2009-10-29 05:11 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-29 06:01 . 2009-10-29 05:02 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-10-29 05:55 . 2009-10-29 05:54 -------- d--h--w- c:\program files\Temp
2009-10-29 05:54 . 2009-10-29 05:53 -------- d-----w- c:\program files\Realtek
2009-10-29 05:35 . 2009-10-29 05:35 -------- d-----w- c:\programdata\FLEXnet
2009-10-29 05:33 . 2009-10-29 05:33 -------- d-----w- c:\programdata\ALM
2009-10-29 05:15 . 2009-10-29 05:15 -------- d-----w- c:\program files\Bonjour
2009-10-29 05:12 . 2009-10-29 05:12 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-10-29 05:11 . 2009-10-29 05:11 -------- d-----w- c:\program files\VideoLAN
2009-10-29 05:09 . 2009-10-29 05:09 -------- d-----w- c:\program files\Razer
2009-10-29 05:09 . 2009-10-29 05:09 -------- d-----w- c:\users\Khada\AppData\Roaming\InstallShield
2009-10-29 05:03 . 2009-10-29 05:03 -------- d-----w- c:\program files\Microsoft Works
2009-10-29 05:03 . 2009-07-14 04:52 -------- d-----w- c:\program files\MSBuild
2009-10-29 05:00 . 2009-10-29 05:00 -------- d-----w- c:\program files\Fraps
2009-10-29 04:58 . 2009-10-29 04:58 -------- d-----w- c:\users\Khada\AppData\Roaming\Ventrilo
2009-10-29 04:58 . 2009-10-29 04:58 -------- d-----w- c:\program files\Ventrilo
2009-10-29 04:57 . 2009-10-29 04:57 -------- d-----w- c:\users\Khada\AppData\Roaming\Nero
2009-10-29 04:56 . 2009-10-29 04:56 -------- d-----w- c:\program files\Common Files\Nero
2009-10-29 04:56 . 2009-10-29 04:56 -------- d-----w- c:\programdata\Nero
2009-10-29 04:56 . 2009-10-29 04:56 -------- d-----w- c:\program files\Nero
2009-10-29 04:47 . 2009-10-29 04:47 -------- d-----w- c:\program files\RivaTuner v2.10
2009-10-29 04:45 . 2009-10-29 04:45 -------- d-----w- c:\program files\uTorrent
2009-10-29 04:44 . 2009-10-29 04:44 -------- d-----w- c:\program files\PowerISO
2009-10-29 04:22 . 2009-10-29 04:22 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\Markup.dll
2009-10-29 04:22 . 2009-10-29 04:22 498480 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-10-29 04:19 . 2009-10-29 04:19 -------- d-----w- c:\program files\NVIDIA Corporation
2009-10-29 03:54 . 2009-08-29 22:17 -------- d-----w- c:\program files\EternityRO
2009-10-29 03:51 . 2009-10-29 03:51 -------- d-----w- c:\program files\Unlocker
2009-10-22 19:15 . 2009-10-22 19:15 143872 ----a-w- c:\windows\system32\libmpeg2_ff.dll
2009-10-16 23:58 . 2009-10-16 23:58 183296 ----a-w- c:\windows\system32\ff_samplerate.dll
2009-10-16 23:57 . 2009-10-16 23:57 146944 ----a-w- c:\windows\system32\ff_tremor.dll
2009-10-16 23:04 . 2009-10-16 23:04 178688 ----a-w- c:\windows\system32\ff_libmad.dll
2009-10-16 23:04 . 2009-10-16 23:04 113152 ----a-w- c:\windows\system32\ff_unrar.dll
2009-10-16 23:03 . 2009-10-16 23:03 257024 ----a-w- c:\windows\system32\ff_libdts.dll
2009-10-16 23:03 . 2009-10-16 23:03 142848 ----a-w- c:\windows\system32\ff_liba52.dll
2009-10-16 23:03 . 2009-10-16 23:03 484864 ----a-w- c:\windows\system32\ff_libfaad2.dll
2009-10-16 22:10 . 2009-10-16 22:10 281748 ----a-w- c:\windows\system32\ff_kernelDeint.dll
2009-10-16 19:38 . 2009-10-16 19:38 914464 ----a-w- c:\windows\system32\xvidcore.dll
2009-10-16 19:35 . 2009-10-16 19:35 311204 ----a-w- c:\windows\system32\TomsMoComp_ff.dll
2009-10-16 19:04 . 2009-10-16 19:04 1632375 ----a-w- c:\windows\system32\ffmpegmt.dll
2009-09-30 23:29 . 2009-10-29 03:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-27 06:47 . 2009-09-27 06:47 2173544 ----a-w- c:\windows\system32\nvcplui.exe
2009-09-27 06:47 . 2009-09-27 06:47 92776 ----a-w- c:\windows\system32\nvmctray.dll
2009-09-27 06:47 . 2009-09-27 06:47 805480 ----a-w- c:\windows\system32\nvsvc.dll
2009-09-27 06:47 . 2009-09-27 06:47 4033128 ----a-w- c:\windows\system32\nvvitvs.dll
2009-09-27 06:47 . 2009-09-27 06:47 3553896 ----a-w- c:\windows\system32\nvgames.dll
2009-09-27 06:47 . 2009-09-27 06:47 3172968 ----a-w- c:\windows\system32\nvwss.dll
2009-09-27 06:47 . 2009-09-27 06:47 215656 ----a-w- c:\windows\system32\nvvsvc.exe
2009-09-27 06:47 . 2009-09-27 06:47 195176 ----a-w- c:\windows\system32\nvmccss.dll
2009-09-27 06:47 . 2009-09-27 06:47 150120 ----a-w- c:\windows\system32\nvshext.dll
2009-09-27 06:47 . 2009-09-27 06:47 1309288 ----a-w- c:\windows\system32\nvsvs.dll
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2009-10-29 1217808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2009-10-26 15872]
"Copperhead"="c:\program files\Razer\Copperhead\razerhid.exe" [2005-11-24 155648]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-09-22 7739936]
"RivaTunerStartupDaemon"="c:\program files\RivaTuner v2.10\RivaTunerWrapper.exe" [2008-08-31 24576]
"RivaTuner"="c:\program files\RivaTuner v2.10\RivaTunerWrapper.exe" [2008-08-31 24576]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-10 2033432]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-24 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=c:\windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-09-20 04:35 202024 ----a-w- c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 13:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2009-12-03 05:14 1394000 ----a-w- c:\program files\Malwarebytes\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2007-09-19 22:51 1836328 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 04:57 153136 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Octoshape Streaming Services]
2009-01-08 13:44 70936 ----a-w- c:\users\Khada\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-04 14:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

R0 AvgRkx86;avgrkx86.sys;c:\windows\System32\drivers\avgrkx86.sys [21/11/2009 4:56 PM 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [21/11/2009 4:56 PM 333192]
R1 AvgTdiX;AVG Network Redirector;c:\windows\System32\drivers\avgtdix.sys [21/11/2009 4:56 PM 360584]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [21/11/2009 4:55 PM 285392]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [27/09/2009 4:48 PM 240232]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\System32\drivers\Rt86win7.sys [29/10/2009 4:53 PM 189440]
R3 UsbFltr;Razer Copperhead Driver;c:\windows\System32\drivers\copperhd.sys [29/10/2009 4:09 PM 11596]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [10/12/2009 7:20 PM 25832]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [11/07/2008 11:28 AM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\System32\drivers\RsFx0102.sys [10/07/2008 2:49 AM 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [11/07/2008 11:28 AM 369688]
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {E669D814-B040-4E72-AF92-45C6A03A12DC} = 203.8.183.1,192.189.54.33
FF - ProfilePath - c:\users\Khada\AppData\Roaming\Mozilla\Firefox\Profiles\ihim7dwi.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\users\Khada\AppData\Roaming\Mozilla\plugins\npoctoshape.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2009-12-13 11:09:43
ComboFix-quarantined-files.txt 2009-12-13 00:09

Pre-Run: 389,026,119,680 bytes free
Post-Run: 388,700,860,416 bytes free

- - End Of File - - 708039EDADF96A08EF61EF15E16DC168



I am still getting the first AVG pop-ups I mentioned in my first post, and symptoms 1 & 2 are still present, just so you know.

Hopefully the ComboFix log will tell us something :)
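Two things a reader triaging the ComboFix log above would want to pull out quickly are the UAC policy values (the log shows EnableLUA = 0, so UAC is switched off, and ConsentPromptBehaviorAdmin and PromptOnSecureDesktop are 0 as well) and the executable behind each Run / AppInit_DLLs loading point. The following Python is an added example, not code from the thread or from ComboFix: it parses the REGEDIT4-style Reg Loading Points section, compares the policy values against the Windows 7 defaults (baseline assumed from a stock install) and lists loading points whose executable lives under a user profile or temp folder. The sample text is the relevant lines from the log plus one constructed Run entry (the hypothetical ExampleUpdater) so the path check has a hit.

```python
"""Audit the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread; not ComboFix's code. The UAC baseline below is
an assumption (stock Windows 7 values), adjust it if your baseline differs.
"""
import re

UAC_DEFAULTS = {
    "EnableLUA": 1,                    # 0 turns UAC off entirely
    "ConsentPromptBehaviorAdmin": 5,   # prompt for consent for non-Windows binaries
    "ConsentPromptBehaviorUser": 3,    # prompt for credentials on the secure desktop
    "PromptOnSecureDesktop": 1,
    "EnableUIADesktopToggle": 0,
}

# Constructed sample: lines from the ComboFix log above plus one hypothetical
# Run entry under the user profile (ExampleUpdater is not from the log).
SAMPLE = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2009-10-29 1217808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2009-10-26 15872]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-10 2033432]
"ExampleUpdater"="c:\users\Khada\AppData\Local\Temp\example.exe" [2009-12-12 18432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.*)$')
# Executable path at the start of a value, quoted or not, before the "[date size]" tail.
PATH_RE = re.compile(r'^"?(?P<exe>[a-z]:\\[^"\[]+?)"?\s*(?:\[|$)', re.I)
POLICY_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
USER_PROFILE_HINTS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\documents and settings\\")


def parse_loading_points(text):
    """Return {registry_key (lowercased): {value_name: raw_data}} from the REGEDIT4 dump."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key").lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("data").strip()
    return keys


def audit_uac(keys):
    """UAC policy values that differ from the baseline: {name: (found, expected)}."""
    deviations = {}
    for name, default in UAC_DEFAULTS.items():
        raw = keys.get(POLICY_KEY, {}).get(name)
        if raw is None:
            continue
        value = int(raw.split()[0])      # "0 (0x0)" -> 0
        if value != default:
            deviations[name] = (value, default)
    return deviations


def suspicious_run_entries(keys):
    """Run / AppInit_DLLs entries whose executable lives under a profile or temp folder."""
    hits = []
    for key, values in keys.items():
        if not (key.endswith("\\currentversion\\run") or "currentversion\\windows" in key):
            continue
        for name, data in values.items():
            m = PATH_RE.match(data)
            if not m:
                continue
            exe = m.group("exe").strip().lower()
            if any(h in exe for h in USER_PROFILE_HINTS):
                hits.append((name, exe))
    return hits


def main():
    keys = parse_loading_points(SAMPLE)
    for name, (found, expected) in audit_uac(keys).items():
        print("UAC %-28s = %d (default %d)" % (name, found, expected))
    for name, exe in suspicious_run_entries(keys):
        print("loading point %-16s -> %s" % (name, exe))


if __name__ == "__main__":
    main()
```

With UAC off, anything the browser or a dropped binary runs under the logged-in account already has full administrative rights, which is why a re-infection loop like the one described in this thread is so hard to break by scanning alone; the script only reports the values, the decision to restore them belongs to whoever is cleaning the machine.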

#4 Rorschach112

  • Group: Retired Staff
  • Posts: 47,710
  • Joined: 23-March 07

Posted 13 December 2009 - 05:40 AM

Post the logs normally

#5 Khada

  • Group: Member
  • Posts: 6
  • Joined: 12-December 09

Posted 13 December 2009 - 02:25 PM

Oh ok, I thought I was just making it easier to separate code from comment, my bad.

Have edited previous post to display reports as requested.

thanks.

#6 Rorschach112

  • Group: Retired Staff
  • Posts: 47,710
  • Joined: 23-March 07

Posted 13 December 2009 - 02:40 PM

hi

Please download OTM
  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Processes
    
    :Services
    
    :Reg
    
    :Files
    c:\users\Khada\AppData\Local\prvlcl.dat
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]


  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.

  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run; make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.





Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.






Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases

  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.


#7 Khada

  • Group: Member
  • Posts: 6
  • Joined: 12-December 09

Posted 14 December 2009 - 07:40 AM

Ok, I did the temp clean and 2 scans, here are the results:


OTM RESULTS:
------------------------------------------------------------------------
------------------------------------------------------------------------
All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
c:\users\Khada\AppData\Local\prvlcl.dat moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: JOSHUA~1
->Temp folder emptied: 0 bytes

User: Khada
->Temp folder emptied: 46994 bytes
->Temporary Internet Files folder emptied: 32969 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 41435268 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 191709 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 39.77 mb


OTM by OldTimer - Version 3.1.2.2 log created on 12142009_151719

Files moved on Reboot...
C:\Windows\temp\14ddb96f-9e8e-49fa-a060-79d303274f0c.tmp moved successfully.
File C:\Windows\temp\2aaf65e7-221a-4a40-9d5d-47fb357a00dd.tmp not found!
C:\Windows\temp\a1908846-52cb-4661-8e29-df5c3819c7bb.tmp moved successfully.
File C:\Windows\temp\adf81435-2642-4463-964a-f4977771e3db.tmp not found!
File C:\Windows\temp\b1317646-2de6-4131-ac6b-8d392fcd2961.tmp not found!
C:\Windows\temp\bacd4d55-95f9-43e2-8b01-00d3d782c8d7.tmp moved successfully.
File C:\Windows\temp\d8e50639-8faf-4cdb-ba3c-05af52741b75.tmp not found!

Registry entries deleted on Reboot...
------------------------------------------------------------------------
------------------------------------------------------------------------




MALWAREBYTES REPORT:
------------------------------------------------------------------------
------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.42
Database version: 3356
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

14/12/2009 4:16:23 PM
mbam-log-2009-12-14 (16-16-23).txt

Scan type: Quick Scan
Objects scanned: 104621
Time elapsed: 1 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
------------------------------------------------------------------------
------------------------------------------------------------------------


KASPERSKY REPORT:
------------------------------------------------------------------------
------------------------------------------------------------------------
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, December 15, 2009
Operating system: Microsoft Professional (build 7600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, December 14, 2009 09:35:33
Records in database: 3369796
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Objects scanned: 255378
Threats found: 3
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 03:17:58


File name / Threat / Threats count
D:\Documents and Settings\Joshua Carter\Application Data\Sun\Java\Deployment\cache\6.0\49\6b800f31-6d57a192 Infected: Trojan-Downloader.Java.OpenConnection.at 1
D:\WINDOWS\system32\msupdatgms.exe Infected: Trojan.Win32.Monder.gen 1
D:\WINDOWS\system32\WanPacket.dll Infected: Backdoor.Win32.ForBot.am 1

Selected area has been scanned.
------------------------------------------------------------------------
------------------------------------------------------------------------



It would seem my backup HD has some infected files on it. Note: my second drive (D:\) has been included in my AVG scan and presumably in my Malwarebytes scans (provided the full scan searched all HDs).

Also note that I am no longer getting AVG pop-ups since your last instruction; however, the Google redirect issue still persists.

Many thanks for the help thus far, I shall await further instructions :)

#8 Rorschach112

  • Group: Retired Staff
  • Posts: 47,710
  • Joined: 23-March 07

Posted 14 December 2009 - 08:11 AM

Hi


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    
    :Services
    
    :Reg
    
    :Files
    D:\WINDOWS\system32\msupdatgms.exe
    D:\WINDOWS\system32\WanPacket.dll
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
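
As an added example (not code from this thread, from OTL or from Kaspersky): a small Python helper that turns the Kaspersky report's "Infected:" lines into an OTL Custom Scans/Fixes script in the layout used in the post above, skips cache paths that [emptytemp] already clears, and afterwards checks the OTL fix log line by line for each listed file. The report lines are the three findings posted in the thread; the fix log below is a constructed sample, with one file deliberately reported as missing to show that case.

```python
import re

# Kaspersky Online Scanner 7 finding line, as in the thread's report:
#   <drive>:\<path> Infected: <threat name> <count>
KAV_FINDING = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$"
)

# OTL fix-result lines for the :Files section, as the thread's OTL logs show them.
OTL_MOVED = re.compile(r"^(?P<path>.+?) moved successfully\.$")
OTL_NOT_FOUND = re.compile(r"^File (?P<path>.+?) not found!$")

# The three findings from the thread's Kaspersky report (copied from the post).
SAMPLE_KAV_REPORT = r"""
File name / Threat / Threats count
D:\Documents and Settings\Joshua Carter\Application Data\Sun\Java\Deployment\cache\6.0\49\6b800f31-6d57a192 Infected: Trojan-Downloader.Java.OpenConnection.at 1
D:\WINDOWS\system32\msupdatgms.exe Infected: Trojan.Win32.Monder.gen 1
D:\WINDOWS\system32\WanPacket.dll Infected: Backdoor.Win32.ForBot.am 1

Selected area has been scanned.
"""

# Constructed sample of an OTL fix log; the second file is reported as already gone.
SAMPLE_OTL_FIX_LOG = r"""
========== FILES ==========
D:\WINDOWS\system32\msupdatgms.exe moved successfully.
File D:\WINDOWS\system32\WanPacket.dll not found!
========== COMMANDS ==========
"""


def parse_kaspersky_findings(report):
    """Return (path, threat, count) for every 'Infected:' line in the report."""
    findings = []
    for raw in report.splitlines():
        m = KAV_FINDING.match(raw.strip())
        if m:
            findings.append((m["path"], m["threat"], int(m["count"])))
    return findings


def is_temp_or_cache(path):
    """True for locations OTL's [emptytemp] clears anyway (Java cache, temp folders)."""
    p = path.lower()
    return "\\java\\deployment\\cache\\" in p or "\\temp\\" in p


def build_otl_fix(findings):
    """Compose an OTL fix script with the same sections as the post above."""
    files = [path for path, _threat, _count in findings if not is_temp_or_cache(path)]
    lines = [":OTL", "", ":Services", "", ":Reg", "", ":Files", *files,
             "", ":Commands", "[purity]", "[emptytemp]", "[Reboot]"]
    return "\n".join(lines)


def verify_otl_fix(fix_log, expected_paths):
    """Map each expected path to 'moved', 'not found' or 'unreported' from the fix log."""
    seen = {}
    for raw in fix_log.splitlines():
        line = raw.strip()
        m = OTL_MOVED.match(line)
        if m:
            seen[m["path"].lower()] = "moved"
            continue
        m = OTL_NOT_FOUND.match(line)
        if m:
            seen[m["path"].lower()] = "not found"
    # Paths matched case-insensitively; anything the log never mentions is flagged.
    return {p: seen.get(p.lower(), "unreported") for p in expected_paths}


if __name__ == "__main__":
    found = parse_kaspersky_findings(SAMPLE_KAV_REPORT)
    script = build_otl_fix(found)
    print(script)
    listed = [p for p, _t, _c in found if not is_temp_or_cache(p)]
    for path, status in verify_otl_fix(SAMPLE_OTL_FIX_LOG, listed).items():
        print(f"{status:>11}  {path}")
```

A path that comes back "not found" or "unreported" is worth a second look, since it may mean the file was renamed or recreated rather than removed.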


#9 Khada

  • Group: Member
  • Posts: 6
  • Joined: 12-December 09

Posted 14 December 2009 - 11:36 PM

Hi, here is the log from the file relocate:

---------------------------------------------------------------------
---------------------------------------------------------------------
All processes killed
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
D:\WINDOWS\system32\msupdatgms.exe moved successfully.
D:\WINDOWS\system32\WanPacket.dll moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: JOSHUA~1
->Temp folder emptied: 0 bytes

User: Khada
->Temp folder emptied: 92175732 bytes
->Temporary Internet Files folder emptied: 3535507 bytes
->Java cache emptied: 128020 bytes
->FireFox cache emptied: 11727067 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 1071557 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 103.61 mb


OTL by OldTimer - Version 3.1.16.0 log created on 12152009_095945

Files\Folders moved on Reboot...
C:\Windows\temp\2c5474bc-9acb-4562-9da8-c4664939d23a.tmp moved successfully.

Registry entries deleted on Reboot...
---------------------------------------------------------------------
---------------------------------------------------------------------
And here is the log from the quick scan:
---------------------------------------------------------------------
---------------------------------------------------------------------
OTL logfile created on: 15/12/2009 10:07:13 AM - Run 2
OTL by OldTimer - Version 3.1.16.0 Folder = C:\Users\Khada\Downloads
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000c09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 465.66 Gb Total Space | 360.27 Gb Free Space | 77.37% Space Free | Partition Type: NTFS
Drive D: | 465.75 Gb Total Space | 16.88 Gb Free Space | 3.62% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: KHADACOMP
Current User Name: Khada
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/12/12 21:21:49 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Users\Khada\Downloads\OTL.exe
PRC - [2009/12/11 10:55:29 | 02,033,432 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2009/12/11 10:55:28 | 00,600,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2009/12/11 10:55:28 | 00,503,576 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2009/11/24 13:34:31 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/11/21 16:55:55 | 01,055,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2009/11/21 16:55:55 | 00,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2009/11/21 16:55:53 | 00,827,160 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgam.exe
PRC - [2009/11/21 16:55:52 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2009/11/07 13:26:24 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/10/30 10:38:45 | 01,217,808 | ---- | M] (Valve Corporation) -- C:\Program Files\Steam\Steam.exe
PRC - [2009/10/26 18:33:41 | 00,015,872 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerAssistant.exe
PRC - [2009/09/27 17:47:00 | 00,215,656 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvvsvc.exe
PRC - [2009/09/27 16:48:00 | 00,240,232 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2009/09/23 00:12:56 | 07,739,936 | ---- | M] (Realtek Semiconductor) -- C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
PRC - [2009/07/14 12:14:42 | 00,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/07/14 12:14:20 | 02,613,248 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/09/01 04:30:00 | 02,711,552 | ---- | M] () -- C:\Program Files\RivaTuner v2.10\RivaTuner.exe
PRC - [2008/07/11 11:28:06 | 40,999,448 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
PRC - [2008/07/10 02:49:44 | 00,098,840 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2007/01/09 09:48:58 | 00,147,456 | ---- | M] (Razer Inc.) -- C:\Program Files\Razer\Copperhead\razerofa.exe
PRC - [2005/11/25 10:54:32 | 00,147,456 | ---- | M] () -- C:\Program Files\Razer\Copperhead\razertra.exe
PRC - [2005/11/25 10:53:40 | 00,155,648 | ---- | M] () -- C:\Program Files\Razer\Copperhead\razerhid.exe


========== Modules (SafeList) ==========

MOD - [2009/12/12 21:21:49 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Users\Khada\Downloads\OTL.exe
MOD - [2009/10/26 18:33:32 | 00,004,608 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerHook.dll
MOD - [2009/07/14 12:16:15 | 00,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009/07/14 12:16:13 | 00,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009/07/14 12:16:13 | 00,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
MOD - [2009/07/14 12:16:12 | 00,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009/07/14 12:16:03 | 00,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
MOD - [2009/07/14 12:15:35 | 00,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009/07/14 12:15:13 | 00,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009/07/14 12:15:11 | 00,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009/07/14 12:15:07 | 00,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009/07/14 12:15:02 | 00,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2009/07/14 12:03:50 | 01,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/11/21 16:55:52 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2009/10/31 14:35:01 | 00,320,760 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2009/10/29 16:12:04 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) [Disabled | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/09/27 17:47:00 | 00,215,656 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Windows\System32\nvvsvc.exe -- (nvsvc)
SRV - [2009/09/27 16:48:00 | 00,240,232 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2009/07/26 06:43:14 | 00,025,832 | ---- | M] (BioWare) [On_Demand | Stopped] -- C:\Program Files\Dragon Age\bin_ship\daupdatersvc.service.exe -- (DAUpdaterSvc)
SRV - [2009/07/14 12:16:21 | 00,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009/07/14 12:16:17 | 00,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/07/14 12:16:17 | 00,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009/07/14 12:16:16 | 00,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009/07/14 12:16:15 | 00,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009/07/14 12:16:13 | 00,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/07/14 12:16:13 | 00,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/14 12:16:12 | 01,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/14 12:16:12 | 00,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009/07/14 12:16:12 | 00,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009/07/14 12:16:12 | 00,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/14 12:16:12 | 00,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009/07/14 12:15:41 | 00,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/14 12:15:36 | 00,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/07/14 12:15:21 | 00,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/14 12:15:11 | 00,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/14 12:15:10 | 00,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009/07/14 12:14:59 | 00,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009/07/14 12:14:58 | 00,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
SRV - [2009/07/14 12:14:53 | 00,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009/07/14 12:14:29 | 03,179,520 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2008/07/11 11:28:06 | 40,999,448 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe -- (MSSQL$SQLEXPRESS) SQL Server (SQLEXPRESS)
SRV - [2008/07/11 11:28:06 | 00,369,688 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE -- (SQLAgent$SQLEXPRESS) SQL Server Agent (SQLEXPRESS)
SRV - [2008/07/11 11:28:04 | 00,047,128 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE -- (MSSQLServerADHelper100)
SRV - [2008/07/10 02:49:44 | 00,098,840 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2008/07/10 02:49:34 | 00,258,072 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2007/09/20 15:35:38 | 00,382,248 | ---- | M] (Nero AG) [Disabled | Stopped] -- C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe -- (NMIndexingService)
SRV - [2007/09/20 09:51:46 | 00,853,288 | ---- | M] (Nero AG) [Disabled | Stopped] -- C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe -- (Nero BackItUp Scheduler 3)
SRV - [2006/10/27 00:47:54 | 00,065,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service)
SRV - [2006/10/26 19:49:34 | 00,441,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2006/02/28 12:42:38 | 00,229,376 | ---- | M] (Apple Computer, Inc.) [Disabled | Stopped] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ninemsn.com.au/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-au
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 3E EE D4 EF 42 58 CA 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.google.com"
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.716
FF - prefs.js..extensions.enabledItems: {35106bca-6c78-48c7-ac28-56df30b51d2d}:1.2.4

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2009/12/11 13:58:28 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/10 17:43:11 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/11/24 13:34:40 | 00,000,000 | ---D | M]

[2009/10/29 14:15:47 | 00,000,000 | ---D | M] -- C:\Users\Khada\AppData\Roaming\Mozilla\Extensions
[2009/12/14 15:50:55 | 00,000,000 | ---D | M] -- C:\Users\Khada\AppData\Roaming\Mozilla\Firefox\Profiles\ihim7dwi.default\extensions
[2009/12/04 23:00:36 | 00,000,000 | ---D | M] -- C:\Users\Khada\AppData\Roaming\Mozilla\Firefox\Profiles\ihim7dwi.default\extensions\{35106bca-6c78-48c7-ac28-56df30b51d2d}
[2009/10/30 09:41:48 | 00,000,000 | ---D | M] -- C:\Users\Khada\AppData\Roaming\Mozilla\Firefox\Profiles\ihim7dwi.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
[2009/10/30 09:42:19 | 00,000,000 | ---D | M] -- C:\Users\Khada\AppData\Roaming\Mozilla\Firefox\Profiles\ihim7dwi.default\extensions\tubestop@efinke.com
[2009/12/14 15:50:55 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: (824 bytes) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (AVG Security Toolbar) - {A057A204-BACC-4D26-9990-79A187E2698E} - Reg Error: Value error. File not found
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {A057A204-BACC-4D26-9990-79A187E2698E} - Reg Error: Value error. File not found
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Copperhead] C:\Program Files\Razer\Copperhead\razerhid.exe ()
O4 - HKLM..\Run: [RivaTuner] C:\Program Files\RivaTuner v2.10\RivaTunerWrapper.exe ()
O4 - HKLM..\Run: [RivaTunerStartupDaemon] C:\Program Files\RivaTuner v2.10\RivaTunerWrapper.exe ()
O4 - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe ()
O4 - HKCU..\Run: [Steam] c:\program files\steam\steam.exe (Valve Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\Windows\System32\avgrsstx.dll) - C:\Windows\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/11 08:42:20 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 14 Days ==========

[2009/12/14 15:59:57 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/12/14 15:59:55 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/12/14 15:59:55 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/14 15:33:39 | 00,343,040 | ---- | C] (OldTimer Tools) -- C:\Users\Khada\Desktop\TFC.exe
[2009/12/14 15:17:19 | 00,000,000 | ---D | C] -- C:\_OTM
[2009/12/14 15:10:30 | 00,425,472 | ---- | C] (OldTimer Tools) -- C:\Users\Khada\Desktop\OTM.exe
[2009/12/13 11:09:47 | 00,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2009/12/13 11:09:46 | 00,000,000 | ---D | C] -- C:\Users\Khada\AppData\Local\temp
[2009/12/13 11:00:38 | 00,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2009/12/13 11:00:38 | 00,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2009/12/13 11:00:38 | 00,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2009/12/13 11:00:38 | 00,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2009/12/13 11:00:04 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/12/13 10:59:08 | 00,000,000 | ---D | C] -- C:\32788R22FWJFW
[2009/12/13 10:54:49 | 00,000,000 | ---D | C] -- C:\_OTL
[2009/12/12 20:35:33 | 00,000,000 | ---D | C] -- C:\Windows\ERDNT
[2009/12/12 20:35:08 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/12/12 20:13:48 | 00,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2009/12/10 19:39:28 | 00,000,000 | ---D | C] -- C:\ProgramData\BioWare
[2009/12/10 19:37:20 | 00,000,000 | ---D | C] -- C:\Users\Khada\Documents\BioWare
[2009/12/10 19:26:23 | 00,000,000 | ---D | C] -- C:\ProgramData\Media Center Programs
[2009/12/10 19:12:48 | 00,000,000 | ---D | C] -- C:\Program Files\Dragon Age
[2009/12/10 19:12:48 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\BioWare
[2009/12/03 22:27:52 | 00,000,000 | ---D | C] -- C:\Program Files\Eusing Free Registry Cleaner
[2009/12/03 22:09:01 | 00,000,000 | ---D | C] -- C:\Users\Khada\AppData\Roaming\Malwarebytes
[2009/12/03 22:08:57 | 00,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2009/12/03 14:22:20 | 00,000,000 | ---D | C] -- C:\ProgramData\SecTaskMan
[2009/12/03 14:22:16 | 00,000,000 | ---D | C] -- C:\Program Files\Security Task Manager
[2009/12/03 14:16:23 | 00,000,000 | ---D | C] -- C:\Windows\pss
[2009/12/02 19:04:51 | 00,000,000 | ---D | C] -- C:\Users\Khada\AppData\Roaming\NetMeter
[2009/12/01 19:50:21 | 00,000,000 | ---D | C] -- C:\Users\Khada\AppData\Roaming\dvdcss
[2004/11/25 05:25:52 | 00,335,872 | ---- | C] ( ) -- C:\Windows\System32\drvc.dll

========== Files - Modified Within 14 Days ==========

[2009/12/15 10:06:04 | 00,016,944 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2009/12/15 10:06:04 | 00,016,944 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2009/12/15 10:05:10 | 00,805,724 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2009/12/15 10:05:10 | 00,684,518 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2009/12/15 10:05:10 | 00,131,790 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2009/12/15 10:04:45 | 46,624,539 | ---- | M] () -- C:\Windows\System32\drivers\Avg\incavi.avm
[2009/12/15 10:04:36 | 00,123,979 | ---- | M] () -- C:\Windows\System32\drivers\Avg\microavi.avg
[2009/12/15 10:01:01 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/12/15 10:00:57 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/12/15 10:00:52 | 26,160,57856 | -HS- | M] () -- C:\hiberfil.sys
[2009/12/15 09:59:58 | 04,456,448 | -HS- | M] () -- C:\Users\Khada\ntuser.dat
[2009/12/15 00:43:07 | 02,835,908 | -H-- | M] () -- C:\Users\Khada\AppData\Local\IconCache.db
[2009/12/14 15:59:59 | 00,000,979 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/14 15:35:14 | 00,343,040 | ---- | M] (OldTimer Tools) -- C:\Users\Khada\Desktop\TFC.exe
[2009/12/14 15:11:15 | 00,425,472 | ---- | M] (OldTimer Tools) -- C:\Users\Khada\Desktop\OTM.exe
[2009/12/14 11:03:23 | 00,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2009/12/14 11:03:23 | 00,000,000 | RHS- | M] () -- C:\IO.SYS
[2009/12/13 11:07:52 | 00,000,215 | ---- | M] () -- C:\Windows\system.ini
[2009/12/13 10:48:04 | 03,850,336 | R--- | M] () -- C:\Users\Khada\Desktop\ComboFix.exe
[2009/12/12 20:35:10 | 00,000,894 | ---- | M] () -- C:\Users\Khada\Desktop\NTREGOPT.lnk
[2009/12/12 20:35:10 | 00,000,875 | ---- | M] () -- C:\Users\Khada\Desktop\ERUNT.lnk
[2009/12/12 20:28:25 | 39,817,2068 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2009/12/12 20:13:49 | 00,001,831 | ---- | M] () -- C:\Users\Khada\Desktop\CCleaner.lnk
[2009/12/11 23:20:29 | 00,001,515 | ---- | M] () -- C:\Users\Khada\Desktop\DAOrigins.lnk
[2009/12/09 22:54:07 | 00,261,632 | ---- | M] () -- C:\Windows\PEV.exe
[2009/12/04 15:01:09 | 00,001,977 | ---- | M] () -- C:\Users\Public\Desktop\Titan Quest.lnk
[2009/12/03 21:58:27 | 00,000,805 | ---- | M] () -- C:\Users\Khada\Documents\Shortcut to CoreT.exe.lnk
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/12/03 15:24:51 | 00,524,288 | -HS- | M] () -- C:\Users\Khada\ntuser.dat{d5c5fdaf-dfb3-11de-b830-001fd08590a7}.TMContainer00000000000000000002.regtrans-ms
[2009/12/03 15:24:51 | 00,524,288 | -HS- | M] () -- C:\Users\Khada\ntuser.dat{d5c5fdaf-dfb3-11de-b830-001fd08590a7}.TMContainer00000000000000000001.regtrans-ms
[2009/12/03 15:24:51 | 00,065,536 | -HS- | M] () -- C:\Users\Khada\ntuser.dat{d5c5fdaf-dfb3-11de-b830-001fd08590a7}.TM.blf
[2009/12/03 15:23:54 | 00,000,551 | ---- | M] () -- C:\Users\Khada\AppData\Roaming\AutoGK.ini

========== Files Created - No Company Name ==========

[2009/12/14 15:59:59 | 00,000,979 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/14 11:03:23 | 00,000,000 | RHS- | C] () -- C:\MSDOS.SYS
[2009/12/14 11:03:23 | 00,000,000 | RHS- | C] () -- C:\IO.SYS
[2009/12/13 11:00:38 | 00,261,632 | ---- | C] () -- C:\Windows\PEV.exe
[2009/12/13 11:00:38 | 00,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2009/12/13 11:00:38 | 00,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2009/12/13 11:00:38 | 00,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2009/12/13 11:00:38 | 00,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2009/12/13 10:37:37 | 03,850,336 | R--- | C] () -- C:\Users\Khada\Desktop\ComboFix.exe
[2009/12/12 20:35:10 | 00,000,894 | ---- | C] () -- C:\Users\Khada\Desktop\NTREGOPT.lnk
[2009/12/12 20:35:10 | 00,000,875 | ---- | C] () -- C:\Users\Khada\Desktop\ERUNT.lnk
[2009/12/12 20:13:49 | 00,001,831 | ---- | C] () -- C:\Users\Khada\Desktop\CCleaner.lnk
[2009/12/10 19:29:06 | 00,001,515 | ---- | C] () -- C:\Users\Khada\Desktop\DAOrigins.lnk
[2009/12/04 15:01:09 | 00,001,977 | ---- | C] () -- C:\Users\Public\Desktop\Titan Quest.lnk
[2009/12/04 14:53:13 | 00,040,960 | ---- | C] () -- C:\Windows\System32\psfind.dll
[2009/12/03 15:16:31 | 00,524,288 | -HS- | C] () -- C:\Users\Khada\ntuser.dat{d5c5fdaf-dfb3-11de-b830-001fd08590a7}.TMContainer00000000000000000002.regtrans-ms
[2009/12/03 15:16:31 | 00,524,288 | -HS- | C] () -- C:\Users\Khada\ntuser.dat{d5c5fdaf-dfb3-11de-b830-001fd08590a7}.TMContainer00000000000000000001.regtrans-ms
[2009/12/03 15:16:31 | 00,065,536 | -HS- | C] () -- C:\Users\Khada\ntuser.dat{d5c5fdaf-dfb3-11de-b830-001fd08590a7}.TM.blf
[2009/11/28 14:41:07 | 00,281,760 | ---- | C] () -- C:\Windows\System32\drivers\atksgt.sys
[2009/11/28 14:41:06 | 00,025,888 | ---- | C] () -- C:\Windows\System32\drivers\lirsgt.sys
[2009/11/14 11:18:44 | 00,000,551 | ---- | C] () -- C:\Users\Khada\AppData\Roaming\AutoGK.ini
[2009/11/06 10:58:04 | 00,178,975 | ---- | C] () -- C:\Windows\System32\xlive.dll.cat
[2009/10/29 17:07:55 | 00,000,069 | ---- | C] () -- C:\Windows\NeroDigital.ini
[2009/10/29 16:55:05 | 00,146,432 | ---- | C] () -- C:\Windows\System32\APOMngr.DLL
[2009/10/29 16:55:05 | 00,072,704 | ---- | C] () -- C:\Windows\System32\CmdRtr.DLL
[2009/10/29 16:53:38 | 00,073,728 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll
[2009/10/29 15:58:07 | 00,000,262 | ---- | C] () -- C:\Windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/10/23 06:15:56 | 00,143,872 | ---- | C] () -- C:\Windows\System32\libmpeg2_ff.dll
[2009/10/17 10:58:06 | 00,183,296 | ---- | C] () -- C:\Windows\System32\ff_samplerate.dll
[2009/10/17 10:57:06 | 00,146,944 | ---- | C] () -- C:\Windows\System32\ff_tremor.dll
[2009/10/17 10:04:24 | 00,178,688 | ---- | C] () -- C:\Windows\System32\ff_libmad.dll
[2009/10/17 10:04:08 | 00,113,152 | ---- | C] () -- C:\Windows\System32\ff_unrar.dll
[2009/10/17 10:03:48 | 00,257,024 | ---- | C] () -- C:\Windows\System32\ff_libdts.dll
[2009/10/17 10:03:44 | 00,142,848 | ---- | C] () -- C:\Windows\System32\ff_liba52.dll
[2009/10/17 10:03:40 | 00,484,864 | ---- | C] () -- C:\Windows\System32\ff_libfaad2.dll
[2009/10/17 09:10:10 | 00,281,748 | ---- | C] () -- C:\Windows\System32\ff_kernelDeint.dll
[2009/10/17 06:38:20 | 00,914,464 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2009/10/17 06:35:50 | 00,311,204 | ---- | C] () -- C:\Windows\System32\TomsMoComp_ff.dll
[2009/10/17 06:04:28 | 01,632,375 | ---- | C] () -- C:\Windows\System32\ffmpegmt.dll
[2009/08/03 00:21:54 | 00,197,912 | ---- | C] () -- C:\Windows\System32\physxcudart_20.dll
[2009/08/03 00:21:54 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
[2009/08/03 00:21:54 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
[2009/08/03 00:21:54 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
[2009/08/03 00:21:54 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2009/08/03 00:21:54 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
[2009/08/03 00:21:54 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
[2009/08/03 00:21:54 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
[2009/08/03 00:21:52 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
[2009/08/03 00:21:52 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll
[2009/07/14 10:51:43 | 00,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/14 10:42:10 | 00,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/01/26 08:10:48 | 00,179,200 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2009/01/11 09:17:32 | 00,163,840 | ---- | C] () -- C:\Windows\System32\ts.dll
[2009/01/11 09:16:56 | 00,148,480 | ---- | C] () -- C:\Windows\System32\mkx.dll
[2009/01/11 09:16:50 | 00,108,032 | ---- | C] () -- C:\Windows\System32\avi.dll
[2009/01/11 09:16:14 | 00,141,312 | ---- | C] () -- C:\Windows\System32\mp4.dll
[2009/01/11 09:15:54 | 00,120,832 | ---- | C] () -- C:\Windows\System32\ogm.dll
[2009/01/11 09:15:44 | 00,159,744 | ---- | C] () -- C:\Windows\System32\mmfinfo.dll
[2009/01/11 09:15:32 | 00,102,400 | ---- | C] () -- C:\Windows\System32\avss.dll
[2009/01/11 09:15:28 | 00,246,784 | ---- | C] () -- C:\Windows\System32\dxr.dll
[2009/01/11 09:15:12 | 00,097,280 | ---- | C] () -- C:\Windows\System32\avs.dll
[2009/01/11 09:14:08 | 00,079,360 | ---- | C] () -- C:\Windows\System32\mkzlib.dll
[2009/01/11 09:14:06 | 00,023,552 | ---- | C] () -- C:\Windows\System32\mkunicode.dll
[2008/12/20 01:15:58 | 04,338,246 | ---- | C] () -- C:\Windows\System32\libavcodec.dll
[2008/12/18 03:41:18 | 00,884,237 | ---- | C] () -- C:\Windows\System32\ff_x264.dll
[2008/12/18 03:22:58 | 00,093,184 | ---- | C] () -- C:\Windows\System32\ff_wmv9.dll
[2008/12/18 03:22:48 | 00,057,344 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2008/12/18 03:17:34 | 00,239,247 | ---- | C] () -- C:\Windows\System32\ff_theora.dll
[2008/12/18 02:59:54 | 00,560,802 | ---- | C] () -- C:\Windows\System32\libmplayer.dll
[2008/12/11 21:27:02 | 00,000,547 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll.manifest
[2008/11/07 03:37:32 | 03,596,288 | ---- | C] () -- C:\Windows\System32\qt-dx331.dll
[2008/11/07 03:34:00 | 00,000,416 | ---- | C] () -- C:\Windows\System32\dtu100.dll.manifest
[2007/10/13 20:30:20 | 00,000,137 | ---- | C] () -- C:\Windows\System32\Registration.ini
[2004/10/04 03:50:54 | 00,129,024 | ---- | C] () -- C:\Windows\System32\ff_mpeg2enc.dll
[2002/10/16 09:54:04 | 00,153,088 | ---- | C] () -- C:\Windows\System32\unrar.dll

========== LOP Check ==========

[2009/11/08 08:48:53 | 00,000,000 | ---D | M] -- C:\Users\Khada\AppData\Roaming\Leadertech
[2009/11/28 15:39:10 | 00,000,000 | ---D | M] -- C:\Users\Khada\AppData\Roaming\Multi File Downloader
[2009/12/03 15:15:05 | 00,000,000 | ---D | M] -- C:\Users\Khada\AppData\Roaming\NetMeter
[2009/12/03 15:14:47 | 00,000,000 | ---D | M] -- C:\Users\Khada\AppData\Roaming\Octoshape
[2009/11/12 09:38:31 | 00,000,000 | ---D | M] -- C:\Users\Khada\AppData\Roaming\runic games
[2009/12/03 15:15:07 | 00,000,000 | ---D | M] -- C:\Users\Khada\AppData\Roaming\uTorrent
[2009/07/14 15:53:46 | 00,023,534 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Files - Unicode (All) ==========
[2009/12/10 17:02:10 | 00,000,006 | ---- | M] ()(C:\Users\Khada\Documents\??) -- C:\Users\Khada\Documents\キス
[2009/12/10 17:02:10 | 00,000,006 | ---- | C] ()(C:\Users\Khada\Documents\??) -- C:\Users\Khada\Documents\キス

========== Alternate Data Streams ==========

@Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:05EE1EEF
< End of report >

---------------------------------------------------------------------
---------------------------------------------------------------------
And a re-scan with the Kaspersky Online Scanner:
---------------------------------------------------------------------
---------------------------------------------------------------------
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, December 15, 2009
Operating system: Microsoft Professional (build 7600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, December 15, 2009 01:55:18
Records in database: 3372651
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
G:\

Scan statistics:
Objects scanned: 257472
Threats found: 3
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 03:18:28


File name / Threat / Threats count
C:\_OTL\MovedFiles\12152009_095945\D_WINDOWS\system32\msupdatgms.exe Infected: Trojan.Win32.Monder.gen 1
C:\_OTL\MovedFiles\12152009_095945\D_WINDOWS\system32\WanPacket.dll Infected: Backdoor.Win32.ForBot.am 1
D:\Documents and Settings\Joshua Carter\Application Data\Sun\Java\Deployment\cache\6.0\49\6b800f31-6d57a192 Infected: Trojan-Downloader.Java.OpenConnection.at 1

Selected area has been scanned.
---------------------------------------------------------------------
---------------------------------------------------------------------



Sadly, the Google redirect issue continues to persist.

#10 Rorschach112

  • Group: Retired Staff
  • Posts: 47,710
  • Joined: 23-March 07

Posted 15 December 2009 - 06:31 AM

hi

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is Unchecked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt".
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

#11 Khada

  • Group: Member
  • Posts: 6
  • Joined: 12-December 09

Posted 15 December 2009 - 07:28 AM

Hi,

I have done the GMER scan, which is pasted below. Before that, I would just like to confirm, for my own sake, that:

"D:\Documents and Settings\Joshua Carter\Application Data\Sun\Java\Deployment\cache\6.0\49\6b800f31-6d57a192 Infected: Trojan-Downloader.Java.OpenConnection.at 1"

...is a false positive?

thanks :)

GMER LOG
---------------------------------------------------------
---------------------------------------------------------
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-16 00:27:28
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\Khada\AppData\Local\Temp\uwlcapob.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8303AAF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8303A104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8303A3F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83022634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83022898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8303A1DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8303A958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8303A6F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8303AF2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8303B1A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82C53579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82C77F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0x9F691300, 0x3B6D8, 0xE8000020]
.text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0x9F6D4300, 0x1BEE, 0xE8000020]
.text peauth.sys 9F6DEC9D 28 Bytes [CF, 38, 02, 1A, 3F, 7C, 16, ...]
.text peauth.sys 9F6DECC1 28 Bytes [CF, 38, 02, 1A, 3F, 7C, 16, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[704] ole32.dll!CoCreateInstance 76B457FC 3 Bytes JMP 0040000A
.text C:\Windows\system32\svchost.exe[704] ole32.dll!CoCreateInstance + 4 76B45800 1 Byte [89]
.text C:\Windows\Explorer.EXE[3092] SHELL32.dll!SHFileOperationW 75A096B8 5 Bytes JMP 10001102 C:\Program Files\Unlocker\UnlockerHook.dll

---- User IAT/EAT - GMER 1.0.15 ----

IAT c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1764] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [74FB5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1764] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [74FB5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1764] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [74FB5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1764] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [74FB5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1764] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [74FB5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1764] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [74FB5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1764] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [74FB5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1764] @ C:\Windows\system32\ole32.dll [ntdll.dll!EtwRegisterTraceGuidsW] [7093B0C6] C:\Windows\AppPatch\AcXtrnal.dll (Windows Compatibility DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004a halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
---------------------------------------------------------
---------------------------------------------------------
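The caution in the GMER instructions above says not to act on entries without an analyst's review; the script below is an added example (not part of this thread, and not a GMER feature) of how such a review can be started by machine. It parses the "User code sections" and "User IAT/EAT" lines of the log, groups the patch bytes of one hook together, and separates hooks that are backed by a known module from a jump into an address no module claims. The allowlist of benign hook owners is an assumption made for this example, and the sample log is constructed from lines copied from the GMER output above.

```python
import re

# Assumed allowlist for this example: apphelp.dll and AcXtrnal.dll belong to
# Microsoft's application-compatibility shim engine, UnlockerHook.dll to the
# Unlocker shell extension that GMER attributed in the log above.
BENIGN_HOOK_MODULES = {"apphelp.dll", "acxtrnal.dll", "unlockerhook.dll"}

# ".text <process>[pid] <dll>!<func>[ + off] <addr> <n> Byte(s) <rest>"
INLINE_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<func>\S+!\S+)"
    r"(?:\s\+\s[0-9A-F]+)?\s+[0-9A-F]{8}\s+\d+\s+Bytes?\s+(?P<rest>.*)$")
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-F]{8})(?:\s+(?P<module>.+))?$")
# "IAT <process>[pid] @ <importer> [<dll>!<func>] [<addr>] <module> (<desc>)"
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+.+?\s+\[(?P<func>[^\]]+)\]"
    r"\s+\[(?P<target>[0-9A-F]{8})\]\s+(?P<module>.+?)(?:\s+\([^)]*\))?$")

# Constructed sample: lines copied verbatim from the GMER log in this thread.
SAMPLE_LOG = r"""
.text C:\Windows\system32\svchost.exe[704] ole32.dll!CoCreateInstance 76B457FC 3 Bytes JMP 0040000A
.text C:\Windows\system32\svchost.exe[704] ole32.dll!CoCreateInstance + 4 76B45800 1 Byte [89]
.text C:\Windows\Explorer.EXE[3092] SHELL32.dll!SHFileOperationW 75A096B8 5 Bytes JMP 10001102 C:\Program Files\Unlocker\UnlockerHook.dll
IAT c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1764] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [74FB5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1764] @ C:\Windows\system32\ole32.dll [ntdll.dll!EtwRegisterTraceGuidsW] [7093B0C6] C:\Windows\AppPatch\AcXtrnal.dll (Windows Compatibility DLL/Microsoft Corporation)
"""


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return one finding per hooked (process, pid, function) with a verdict."""
    findings = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = INLINE_RE.match(line)
        if m:
            f = findings.setdefault((m["proc"], m["pid"], m["func"]), {
                "kind": "inline", "process": m["proc"], "pid": int(m["pid"]),
                "function": m["func"], "target": None, "module": None, "entries": 0})
            f["entries"] += 1
            j = JMP_RE.match(m["rest"])
            if j:  # the "+ 4 ... [89]" patch-bytes line of the same hook has no JMP
                f["target"], f["module"] = j["target"], j["module"]
            continue
        m = IAT_RE.match(line)
        if m:
            f = findings.setdefault((m["proc"], m["pid"], m["func"]), {
                "kind": "iat", "process": m["proc"], "pid": int(m["pid"]),
                "function": m["func"], "target": m["target"],
                "module": m["module"], "entries": 0})
            f["entries"] += 1
    for f in findings.values():
        if f["module"] is None:
            f["verdict"] = "review: jump target not attributed to any loaded module"
        elif _basename(f["module"]) in BENIGN_HOOK_MODULES:
            f["verdict"] = "allowlisted"
        else:
            f["verdict"] = "review: hook owned by unrecognised module"
    return list(findings.values())


def needs_review(findings):
    return [f for f in findings if f["verdict"] != "allowlisted"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:6} {_basename(f['process'])}[{f['pid']}] "
              f"{f['function']}: {f['verdict']}")
```

On the sample, the only entry left for review is the svchost.exe CoCreateInstance hook, whose JMP lands at 0040000A with no module behind it; the IAT redirections into apphelp.dll and AcXtrnal.dll are the compatibility shim engine and fall out as allowlisted.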

#12 Rorschach112

  • Group: Retired Staff
  • Posts: 47,710
  • Joined: 23-March 07

Posted 15 December 2009 - 07:35 AM

Yes, it is.

Please download Dr.Web CureIt. Save it to your desktop:
  • Double-click the drweb-cureit.exe file and click Scan to run an express scan. Click OK in the pop-up window to allow the scan.
  • This will scan the files currently running in memory and if something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, select Complete scan.
  • Click the green arrow at the right, and the scan will start.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Note: this report may need to be renamed to Dr.Web.txt in order to post it on the forum.
  • Please post the Dr.Web.txt report in your next reply.
  • Close Dr.Web Cureit.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

NOTE: During the scan, a pop-up window will open asking for a full version purchase. Simply close the window by clicking on the X in the upper right corner.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks), then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v


  • If it says "Hidden service detected", DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt"; please copy and paste the contents of that file here.

#13 Rorschach112

  • Group: Retired Staff
  • Posts: 47,710
  • Joined: 23-March 07

Posted 28 December 2009 - 10:01 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
