trojan clicker.aeio; c:\windows\temp\thcx.tmp\svch - Geeks to Go Forums

trojan clicker.aeio; c:\windows\temp\thcx.tmp\svch

#1 mulla10

  • Group: Member
  • Posts: 7
  • Joined: 11-January 10

Posted 12 January 2010 - 02:14 PM

Hi lads,
Got this trojan clicker.aeio over a week ago; AVG Free doesn't seem to
be able to get rid of it. I keep getting warning windows every 5 mins.
I also tried Malwarebytes, but it didn't sort it either.
I don't know if this is related, but I had a vundo.ie virus before Xmas; Malwarebytes sorted it (I think). Have only had one prob since, till now: I can't get into safe mode, it hangs on a line mup.sys. Hopefully all this will be helpful.

Any help would be greatly appreciated.

mulla10

here are my logs


Malwarebytes' Anti-Malware 1.44
Database version: 3543
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

11/01/2010 23:00:23
mbam-log-2010-01-11 (23-00-23).txt

Scan type: Quick Scan
Objects scanned: 110579
Time elapsed: 5 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-12 18:46:54
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\user1\LOCALS~1\Temp\pfryikoc.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device -> \Driver\nvata \Device\Harddisk0\DR0 853EC618

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\nvata.sys suspicious modification

---- EOF - GMER 1.0.15 ----



OTL logfile created on: 12/01/2010 18:50:24 - Run 1
OTL by OldTimer - Version 3.1.24.0 Folder = C:\Documents and Settings\user1\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00001809 | Country: Ireland | Language: ENI | Date Format: dd/MM/yyyy

894.00 Mb Total Physical Memory | 405.00 Mb Available Physical Memory | 45.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 70.00% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 134.52 Gb Free Space | 45.13% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: USER-CA5DAA9914
Current User Name: user1
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/01/12 18:48:50 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user1\Desktop\OTL.exe
PRC - [2010/01/03 10:49:53 | 02,033,432 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2010/01/03 10:43:00 | 01,055,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010/01/03 10:43:00 | 00,600,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/01/03 10:43:00 | 00,503,576 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/01/03 10:42:59 | 00,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2010/01/03 10:42:55 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2009/11/12 16:33:10 | 00,141,600 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/11/12 16:33:00 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/06/10 07:28:50 | 00,168,004 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/01/20 20:49:52 | 00,185,872 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/05/02 02:44:08 | 00,805,392 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\SetPoint.exe
PRC - [2008/05/02 02:40:56 | 00,076,304 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
PRC - [2008/04/14 00:12:35 | 00,073,796 | ---- | M] (Smart Link) -- C:\WINDOWS\system32\slserv.exe
PRC - [2008/04/14 00:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/09/05 20:24:20 | 00,405,504 | ---- | M] (IDT, Inc.) -- C:\WINDOWS\sttray.exe
PRC - [2007/04/19 12:35:46 | 00,075,304 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PRC - [2007/01/31 14:55:42 | 00,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2006/07/27 14:19:00 | 00,282,624 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2006/06/12 14:32:26 | 00,700,416 | ---- | M] () -- C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
PRC - [2003/04/06 00:17:18 | 00,147,456 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
PRC - [2003/04/06 00:06:58 | 00,028,672 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
PRC - [2003/04/05 23:55:04 | 00,311,296 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
PRC - [2003/04/05 23:45:10 | 00,286,720 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
PRC - [1999/12/12 17:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTSVCCDA.EXE


========== Modules (SafeList) ==========

MOD - [2010/01/12 18:48:50 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user1\Desktop\OTL.exe
MOD - [2009/07/12 01:12:06 | 00,632,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
MOD - [2008/05/02 02:42:50 | 00,045,584 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\lgscroll.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (NMIndexingService)
SRV - [2010/01/03 10:42:55 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2009/11/12 16:33:00 | 00,545,568 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/11/02 12:36:40 | 00,133,104 | ---- | M] (Google Inc.) [Auto | Stopped] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate) Google Update Service (gupdate)
SRV - [2009/10/27 09:26:36 | 00,657,408 | ---- | M] (Nokia) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/06/10 07:28:50 | 00,168,004 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/05/02 02:42:06 | 00,121,360 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2008/04/14 00:12:35 | 00,073,796 | ---- | M] (Smart Link) [Auto | Running] -- C:\WINDOWS\System32\slserv.exe -- (SLService)
SRV - [2007/04/19 12:35:46 | 00,075,304 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService)
SRV - [2007/01/31 14:55:42 | 00,096,370 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2007/01/04 01:40:21 | 00,136,120 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2005/04/03 23:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2003/07/28 11:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2003/03/09 20:31:02 | 00,065,795 | ---- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [1999/12/12 17:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) [Auto | Running] -- C:\WINDOWS\system32\CTSVCCDA.EXE -- (Creative Service for CDROM Access)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\..\URLSearchHook: {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - Reg Error: Key error. File not found
IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Ask.com"
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://en-GB.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official"
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.716
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..keyword.URL: ""


FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2009/01/20 20:50:05 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2010/01/03 10:42:55 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared [2010/01/03 10:43:11 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/09 22:39:10 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/09 22:39:10 | 00,000,000 | ---D | M]

[2008/08/31 10:39:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user1\Application Data\Mozilla\Extensions
[2010/01/03 10:53:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\dqrym7pa.default\extensions
[2009/11/11 23:23:03 | 00,002,252 | ---- | M] () -- C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\dqrym7pa.default\searchplugins\askcom.xml
[2010/01/03 10:53:22 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/10/03 18:59:07 | 00,024,683 | ---- | M] (Ask.com) -- C:\Program Files\Mozilla Firefox\plugins\NPAskSBr.dll
[2008/11/11 07:38:54 | 00,663,552 | ---- | M] (BitComet) -- C:\Program Files\Mozilla Firefox\plugins\npBitCometAgent.dll
[2006/03/22 02:27:56 | 00,098,304 | ---- | M] (Zylom) -- C:\Program Files\Mozilla Firefox\plugins\npzylomgamesplayer.dll

O1 HOSTS File: (301555 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 10384 more lines...
O2 - BHO: (no name) - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - No CLSID value found.
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [IDTSysTrayApp] C:\WINDOWS\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SmartWizard-DPW-939] File not found
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKCU..\Run: [CTSyncU.exe] C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe ()
O4 - HKCU..\Run: [Google Update] C:\Documents and Settings\user1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe (Hewlett-Packard)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)
O4 - Startup: C:\Documents and Settings\user1\Start Menu\Programs\Startup\Logitech . Product Registration.lnk = C:\Program Files\Common Files\Logishrd\eReg\Common\eReg.exe (Leader Technologies/Logitech)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: 48 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1210847457312 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 89.101.160.4 89.101.160.5
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll - c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\user1\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\user1\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/05/09 10:34:45 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2008/05/09 10:34:24 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (50950419643367424)

========== Files/Folders - Created Within 14 Days ==========

[2010/01/12 18:48:49 | 00,544,256 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\user1\Desktop\OTL.exe
[2010/01/11 22:53:47 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/01/11 22:52:23 | 05,115,840 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\user1\Desktop\mbam-setup.exe
[2010/01/11 22:51:12 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/01/11 22:50:38 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/01/11 22:48:15 | 00,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\user1\Desktop\erunt_setup.exe
[2010/01/11 22:42:32 | 00,439,808 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\user1\Desktop\TFC.exe
[2010/01/11 22:14:54 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Nokia
[2010/01/11 22:14:54 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Nero
[2010/01/11 22:14:54 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\MagicDVDRipper
[2010/01/11 22:14:54 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\MagicDVDCopier
[2010/01/11 22:14:54 | 00,000,000 | ---D | C] -- C:\Avenger
[2010/01/05 18:09:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user1\Application Data\TeamViewer
[2010/01/05 18:09:03 | 00,000,000 | ---D | C] -- C:\Program Files\TeamViewer
[2010/01/05 18:06:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user1\temp
[2010/01/04 16:27:50 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/04 16:27:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/01/04 16:27:47 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/04 13:35:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\DriverScanner
[2010/01/03 17:41:53 | 00,000,000 | ---D | C] -- C:\Program Files\Eusing Free Registry Cleaner
[2010/01/03 12:47:25 | 00,000,000 | ---D | C] -- C:\Program Files\Nokia
[2010/01/03 11:52:56 | 00,000,000 | ---D | C] -- C:\Program Files\Uninstall Plus v4.1
[2010/01/03 10:53:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user1\Local Settings\Application Data\AVG Security Toolbar
[2010/01/03 10:43:28 | 00,360,584 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2010/01/03 10:43:28 | 00,012,464 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2010/01/03 10:43:22 | 00,333,192 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2010/01/03 10:43:21 | 00,028,424 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2010/01/03 10:43:13 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\Avg
[2010/01/03 10:43:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2010/01/03 10:42:17 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/01/03 10:42:17 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/01/03 10:42:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/01/03 10:42:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/12/30 20:58:47 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user1\Application Data\Malwarebytes
[2009/11/02 12:41:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/11/02 12:37:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/03/02 20:38:43 | 00,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\user1\Application Data\pcouffin.sys
[2008/08/19 11:55:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple

========== Files - Modified Within 14 Days ==========

[2010/01/12 18:48:50 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user1\Desktop\OTL.exe
[2010/01/12 18:46:01 | 00,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/01/12 18:46:01 | 00,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/01/12 18:00:00 | 00,000,258 | -H-- | M] () -- C:\WINDOWS\tasks\A1EE58299185D339.job
[2010/01/12 17:56:47 | 00,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-764733703-725345543-1003UA.job
[2010/01/12 17:34:12 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\user1\Local Settings\Application Data\prvlcl.dat
[2010/01/12 17:31:56 | 47,727,135 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/01/12 17:31:33 | 00,138,891 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2010/01/12 17:30:40 | 00,284,915 | ---- | M] () -- C:\Documents and Settings\user1\Desktop\gmer.zip
[2010/01/12 17:29:10 | 00,000,611 | ---- | M] () -- C:\Documents and Settings\user1\Desktop\NTREGOPT.lnk
[2010/01/12 17:29:09 | 00,000,592 | ---- | M] () -- C:\Documents and Settings\user1\Desktop\ERUNT.lnk
[2010/01/12 17:26:52 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/12 17:26:15 | 00,081,558 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/01/12 17:26:02 | 00,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2010/01/12 17:26:00 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/12 17:25:47 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/11 23:41:56 | 11,980,800 | ---- | M] () -- C:\Documents and Settings\user1\ntuser.dat
[2010/01/11 23:41:56 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\user1\ntuser.ini
[2010/01/11 22:53:52 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/11 22:53:10 | 05,115,840 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\user1\Desktop\mbam-setup.exe
[2010/01/11 22:48:20 | 00,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\user1\Desktop\erunt_setup.exe
[2010/01/11 22:42:37 | 00,439,808 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user1\Desktop\TFC.exe
[2010/01/11 22:21:19 | 00,525,082 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/01/11 22:21:19 | 00,443,894 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/01/11 22:21:19 | 00,071,664 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/01/11 16:56:00 | 00,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-764733703-725345543-1003Core.job
[2010/01/10 09:32:12 | 00,000,671 | ---- | M] () -- C:\Documents and Settings\user1\Application Data\vso_ts_preview.xml
[2010/01/10 04:58:01 | 00,000,456 | ---- | M] () -- C:\WINDOWS\tasks\Driver Robot.job
[2010/01/08 12:22:26 | 00,222,720 | ---- | M] () -- C:\Documents and Settings\user1\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/06 21:02:03 | 00,000,738 | ---- | M] () -- C:\Documents and Settings\user1\Desktop\Outlook Express.lnk
[2010/01/05 19:22:18 | 12,850,1308 | ---- | M] () -- C:\Documents and Settings\user1\My Documents\reg back up.reg
[2010/01/03 17:41:55 | 00,000,740 | ---- | M] () -- C:\Documents and Settings\user1\Desktop\Eusing Free Registry Cleaner.lnk
[2010/01/03 11:52:57 | 00,000,692 | ---- | M] () -- C:\Documents and Settings\user1\Desktop\Uninstall Plus v4.1.lnk
[2010/01/03 11:28:48 | 00,000,818 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/01/03 11:28:48 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/01/03 11:28:48 | 00,000,210 | -HS- | M] () -- C:\boot.ini
[2010/01/03 11:09:37 | 00,000,939 | ---- | M] () -- C:\Documents and Settings\user1\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
[2010/01/03 10:43:28 | 00,360,584 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2010/01/03 10:43:28 | 00,012,464 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2010/01/03 10:43:28 | 00,001,507 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 9.0.lnk
[2010/01/03 10:43:22 | 00,333,192 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2010/01/03 10:43:21 | 00,113,461 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2010/01/03 10:43:21 | 00,028,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2010/01/03 10:43:14 | 06,061,540 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2010/01/03 10:43:14 | 00,492,629 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2010/01/03 10:36:54 | 00,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/12/30 20:45:51 | 00,000,522 | ---- | M] () -- C:\hpfr3420.xml
[2009/12/30 12:09:26 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job

========== Files Created - No Company Name ==========

[2010/01/11 23:04:47 | 00,284,915 | ---- | C] () -- C:\Documents and Settings\user1\Desktop\gmer.zip
[2010/01/11 22:53:52 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/11 22:50:42 | 00,000,611 | ---- | C] () -- C:\Documents and Settings\user1\Desktop\NTREGOPT.lnk
[2010/01/11 22:50:41 | 00,000,592 | ---- | C] () -- C:\Documents and Settings\user1\Desktop\ERUNT.lnk
[2010/01/10 01:49:40 | 11,980,800 | ---- | C] () -- C:\Documents and Settings\user1\ntuser.dat
[2010/01/06 21:02:03 | 00,000,738 | ---- | C] () -- C:\Documents and Settings\user1\Desktop\Outlook Express.lnk
[2010/01/03 17:43:41 | 12,850,1308 | ---- | C] () -- C:\Documents and Settings\user1\My Documents\reg back up.reg
[2010/01/03 17:41:55 | 00,000,740 | ---- | C] () -- C:\Documents and Settings\user1\Desktop\Eusing Free Registry Cleaner.lnk
[2010/01/03 11:52:57 | 00,000,692 | ---- | C] () -- C:\Documents and Settings\user1\Desktop\Uninstall Plus v4.1.lnk
[2010/01/03 11:09:37 | 00,000,939 | ---- | C] () -- C:\Documents and Settings\user1\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
[2010/01/03 10:43:28 | 00,001,507 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 9.0.lnk
[2010/01/03 10:43:21 | 00,113,461 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2010/01/03 10:43:14 | 47,727,135 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/01/03 10:43:14 | 00,492,629 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2010/01/03 10:43:14 | 00,138,891 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2010/01/03 10:43:13 | 06,061,540 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/12/19 18:51:48 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\user1\Local Settings\Application Data\prvlcl.dat
[2009/12/17 21:30:58 | 00,000,760 | ---- | C] () -- C:\Documents and Settings\user1\Application Data\setup_ldm.iss
[2009/11/08 23:54:16 | 00,114,272 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/11/05 18:48:39 | 00,011,394 | ---- | C] () -- C:\Documents and Settings\user1\Application Data\NMM-MetaData.db
[2009/08/03 14:07:42 | 00,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/07/07 20:55:06 | 00,000,225 | ---- | C] () -- C:\Documents and Settings\user1\Application Data\burnaware.ini
[2009/06/10 07:29:34 | 01,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2009/06/10 07:29:34 | 01,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2009/06/10 07:29:34 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2009/06/10 07:29:32 | 01,507,328 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2009/03/02 20:39:45 | 00,000,671 | ---- | C] () -- C:\Documents and Settings\user1\Application Data\vso_ts_preview.xml
[2009/03/02 20:38:56 | 00,000,034 | ---- | C] () -- C:\Documents and Settings\user1\Application Data\pcouffin.log
[2009/03/02 20:38:43 | 00,087,608 | ---- | C] () -- C:\Documents and Settings\user1\Application Data\inst.exe
[2009/03/02 20:38:43 | 00,007,887 | ---- | C] () -- C:\Documents and Settings\user1\Application Data\pcouffin.cat
[2009/03/02 20:38:43 | 00,001,144 | ---- | C] () -- C:\Documents and Settings\user1\Application Data\pcouffin.inf
[2009/02/14 16:14:40 | 00,000,667 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/02/10 21:10:30 | 00,000,327 | ---- | C] () -- C:\WINDOWS\AudStu.INI
[2009/02/10 21:04:05 | 00,000,028 | ---- | C] () -- C:\WINDOWS\Robota.INI
[2009/02/10 20:37:35 | 00,000,060 | ---- | C] () -- C:\WINDOWS\magix.ini
[2009/02/10 20:37:34 | 00,000,730 | ---- | C] () -- C:\WINDOWS\mgxoschk.ini
[2008/11/08 16:43:06 | 00,000,771 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2008/08/17 21:26:42 | 00,000,038 | ---- | C] () -- C:\WINDOWS\System32\net32gdilib.dll
[2008/07/19 09:45:24 | 00,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2008/06/07 22:29:25 | 00,001,012 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2008/06/07 22:20:58 | 00,431,104 | R--- | C] () -- C:\WINDOWS\System32\VFCodec.dll
[2008/06/07 11:56:15 | 00,222,720 | ---- | C] () -- C:\Documents and Settings\user1\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/05/29 18:51:21 | 00,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/05/15 10:07:23 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/05/09 11:02:17 | 00,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2008/05/09 11:02:17 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2003/03/09 20:31:04 | 00,561,152 | R--- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[2003/01/07 14:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[1618/09/29 22:14:26 | 00,003,120 | ---- | C] () -- C:\WINDOWS\System32\b21672ec-5b1b-40a6-91a9-92cddcd30ac3.dll

========== LOP Check ==========

[2010/01/04 13:22:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2010/01/11 22:17:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2008/10/03 18:59:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Azureus
[2009/12/28 16:23:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BitDefender
[2010/01/04 13:41:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DriverScanner
[2009/12/28 16:23:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Installations
[2008/05/22 15:44:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LightScribe
[2009/08/02 17:24:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2009/11/08 12:40:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NokiaMusic
[2009/11/23 08:20:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\part dead amok eggs
[2009/01/31 18:34:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2009/11/05 18:37:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Suite
[2008/12/09 22:15:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/04/13 16:45:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\vsosdk
[2008/10/11 08:37:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Zylom
[2009/12/22 13:11:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/05/21 17:47:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2008/10/05 23:03:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user1\Application Data\Azureus
[2009/12/28 00:49:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user1\Application Data\BitDefender
[2009/11/11 23:18:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user1\Application Data\Blitware
[2009/12/12 12:09:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user1\Application Data\Facewebbody
[2009/03/19 23:37:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user1\Application Data\HTML Executable
[2008/08/17 21:33:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user1\Application Data\InfraRecorder
[2008/08/17 21:26:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user1\Application Data\J River
[2009/12/17 21:31:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user1\Application Data\Leadertech
[2008/10/31 17:26:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user1\Application Data\NCH Swift Sound
[2009/12/04 18:50:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user1\Application Data\Nokia
[2009/11/08 12:33:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user1\Application Data\PC Suite
[2010/01/05 18:09:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user1\Application Data\TeamViewer
[2009/08/26 21:23:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user1\Application Data\Teleca
[2010/01/04 13:41:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user1\Application Data\Uniblue
[2010/01/11 23:41:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user1\Application Data\uTorrent
[2010/01/10 09:32:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user1\Application Data\Vso
[2010/01/12 18:00:00 | 00,000,258 | -H-- | M] () -- C:\WINDOWS\Tasks\A1EE58299185D339.job
[2010/01/10 04:58:01 | 00,000,456 | ---- | M] () -- C:\WINDOWS\Tasks\Driver Robot.job
[2008/11/25 21:20:32 | 00,000,342 | ---- | M] () -- C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1100 series#1219695521.job
[2010/01/12 17:26:02 | 00,000,236 | ---- | M] () -- C:\WINDOWS\Tasks\OGALogon.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 10:00:00 | 18,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/05/30 09:28:39 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/05/30 09:28:39 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 18:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 18:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 10:00:00 | 18,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/05/30 09:28:39 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/05/30 09:28:39 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 18:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 18:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 10:00:00 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 00:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/14 00:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 10:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: IASTOR.SYS >
[2007/07/12 21:35:02 | 00,305,176 | ---- | M] (Intel Corporation) MD5=2358C53F30CB9DCD1D3843C4E2F299B2 -- C:\WINDOWS\dell\iastor\iastor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/14 00:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/14 00:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 10:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: NVATA.SYS >
[2006/10/18 22:31:38 | 00,105,472 | ---- | M] (NVIDIA Corporation) MD5=EF9941593B2E9B436F64A87DDB570D1A -- C:\WINDOWS\dell\nvraid\nvata.sys
[2010/01/12 18:15:00 | 00,105,472 | ---- | M] (NVIDIA Corporation) MD5=EF9941593B2E9B436F64A87DDB570D1A -- C:\WINDOWS\system32\drivers\nvata.sys

< MD5 for: NVATABUS.SYS >
[2006/10/18 21:31:38 | 00,105,472 | ---- | M] (NVIDIA Corporation) MD5=EF9941593B2E9B436F64A87DDB570D1A -- C:\WINDOWS\dell\nvraid\NvAtaBus.sys
[2006/10/18 21:31:38 | 00,105,472 | ---- | M] (NVIDIA Corporation) MD5=EF9941593B2E9B436F64A87DDB570D1A -- C:\WINDOWS\system32\drivers\NvAtaBus.sys

< MD5 for: SCECLI.DLL >
[2004/08/04 10:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/14 00:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/14 00:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

========== Alternate Data Streams ==========

@Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B63300D1
< End of report >


OTL Extras logfile created on: 12/01/2010 18:50:24 - Run 1
OTL by OldTimer - Version 3.1.24.0 Folder = C:\Documents and Settings\user1\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00001809 | Country: Ireland | Language: ENI | Date Format: dd/MM/yyyy

894.00 Mb Total Physical Memory | 405.00 Mb Available Physical Memory | 45.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 70.00% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 134.52 Gb Free Space | 45.13% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: USER-CA5DAA9914
Current User Name: user1
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = Reg Error: Value error.] -- Reg Error: Key error. File not found

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\TeamViewer\Version5\TeamViewer.exe" = C:\Program Files\TeamViewer\Version5\TeamViewer.exe:*:Enabled:Teamviewer Remote Control Application -- (TeamViewer GmbH)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{01161F64-6897-4885-93A0-A9F7BE9A4253}" = hp psc 1100 series
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0C826C5B-B131-423A-A229-C71B3CACCD6A}" = CDDRV_Installer
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{212748BB-0DA5-46DE-82A1-403736DC9F27}" = MSVC80_x86
"{26A24AE4-039D-4CA4-87B4-2F83216011FB}" = {26A24AE4-039D-4CA4-87B4-2F83216011FB}
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java™ 6 Update 17
"{26A24AE4-039D-4CA4-87B4-2F83216015FB}" = {26A24AE4-039D-4CA4-87B4-2F83216015FB}
"{2764CA82-DFB9-4498-AF85-719340BF5305}" = Dell Resource CD
"{3101CB58-3482-4D21-AF1A-7057FC935355}" = KhalInstallWrapper
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3AC54383-31D1-4907-961B-B12CBB1D0AE8}" = MobileMe Control Panel
"{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}" = erLT
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{612B9183-67A9-4B44-9877-2F059E35B86A}" = Broadcom 440x 10/100 Integrated Controller
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D3245B1-8DB8-4A23-9CD2-2C90F40ABAF6}" = MSVC80_x86_v2
"{6E0352EE-6F0D-4FBC-B1B8-4FF032C78BE0}" = PC Connectivity Solution
"{6EB6C056-02BB-453E-8448-EC90B9794180}" = Nokia Multimedia Common Components 2.4
"{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}" = HP Photo and Imaging 2.0 - All-in-One Drivers
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{76C24F39-B161-498F-BD8B-C64789812D13}_is1" = ConvertXtoDVD 3.3.4.106e
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{9862E0CB-4727-4FFC-963A-E22A9E9EC10C}" = Creative ZEN V Series (R2)
"{9867A917-5D17-40DE-83BA-BEA5293194B1}" = HP Photo and Imaging 2.0 - All-in-One
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BEEFC4F8-2909-48B3-AFAA-55D3533FDEDD}" = Creative MediaSource 5
"{C084BC61-E537-11DE-8616-005056806466}" = Google Earth
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C252EB7B-7AE0-46DE-9BEE-DF681B885F13}" = Modem Diagnostic Tool
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D9B4D7EE-481C-4C36-86AB-A8F7417725FF}" = LightScribe 1.6.43.1
"{DC432844-6914-4421-910C-F1B05B3A761C}" = Nokia Music
"{DD6A5E0D-1141-4BDB-B3C6-E215E1DCA207}" = UPC DPW-939
"{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}" = Logitech SetPoint
"504244733D18C8F63FF584AEB290E3904E791693" = Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
"6A630DCEC5EEC912115F2FF59D8C2C769798D930" = Windows Driver Package - Nokia Modem (10/12/2007 3.6)
"819D45A9F73817F5B6D7C71A33ADAB88C5DA1765" = Windows Driver Package - Nokia Modem (08/03/2007 6.84.0.2)
"Active@ DVD Eraser v 1.1" = Active@ DVD Eraser v 1.1
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AVG9Uninstall" = AVG Free 9.0
"CAL" = Canon Camera Access Library
"CameraWindowDC" = Canon Utilities CameraWindow DC
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"CANON iMAGE GATEWAY Task" = CANON iMAGE GATEWAY Task for ZoomBrowser EX
"Canon Internet Library for ZoomBrowser EX" = Canon Internet Library for ZoomBrowser EX
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Creative Removable Disk Manager" = Creative Removable Disk Manager
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"ERUNT_is1" = ERUNT 1.1j
"Eusing Free Registry Cleaner" = Eusing Free Registry Cleaner
"Free iPod Video Converter_is1" = Free iPod Video Converter 1.34
"HP PSC 1100 Series" = HP Photo and Imaging 2.0 - hp psc 1100 series
"HTMLExecutableIERuntimeSetup44" = HTML Executable IERuntime
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InfraRecorder" = InfraRecorder
"Install_is1" = Setup 1.0
"jZip" = jZip
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"Mozilla Firefox (3.5.7)" = Mozilla Firefox (3.5.7)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MyCamera" = Canon Utilities MyCamera
"MyCameraDC" = Canon Utilities MyCamera DC
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"PhotoStitch" = Canon Utilities PhotoStitch
"Picasa 3" = Picasa 3
"RealPlayer 6.0" = RealPlayer
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"Switch" = Switch Sound File Converter
"SysInfo" = Creative System Information
"TeamViewer 5" = TeamViewer 5
"ToolBox" = NCH Toolbox
"Uninstall Plus_is1" = Uninstall Plus v4.1
"Uninstall_is1" = Uninstall 1.0.0.1
"Veetle TV" = Veetle TV 0.9.15
"VLC media player" = VideoLAN VLC media player 0.8.6f
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01007" = Microsoft User-Mode Driver Framework Feature Pack 1.7
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"Keepdownloadford" = CiD Help
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/01/2010 03:56:05 | Computer Name = USER-CA5DAA9914 | Source = Google Update | ID = 20
Description =

Error - 10/01/2010 05:32:06 | Computer Name = USER-CA5DAA9914 | Source = Application Error | ID = 1000
Description = Faulting application chrome.exe, version 0.0.0.0, faulting module
shlwapi.dll, version 6.0.2900.5512, fault address 0x0002c4a8.

Error - 10/01/2010 06:45:54 | Computer Name = USER-CA5DAA9914 | Source = Application Error | ID = 1000
Description = Faulting application ctimprtu.exe, version 5.0.7.0, faulting module
mfinfou.dll, version 1.4.1.0, fault address 0x00001582.

Error - 10/01/2010 06:46:18 | Computer Name = USER-CA5DAA9914 | Source = Application Error | ID = 1000
Description = Faulting application ctimprtu.exe, version 5.0.7.0, faulting module
mfinfou.dll, version 1.4.1.0, fault address 0x00001582.

Error - 10/01/2010 06:46:44 | Computer Name = USER-CA5DAA9914 | Source = Application Error | ID = 1000
Description = Faulting application ctimprtu.exe, version 5.0.7.0, faulting module
mfinfou.dll, version 1.4.1.0, fault address 0x00001582.

Error - 10/01/2010 07:10:02 | Computer Name = USER-CA5DAA9914 | Source = Application Error | ID = 1000
Description = Faulting application ctimprtu.exe, version 5.0.7.0, faulting module
mfinfou.dll, version 1.4.1.0, fault address 0x00001582.

Error - 10/01/2010 09:53:13 | Computer Name = USER-CA5DAA9914 | Source = Microsoft Management Console | ID = 1000
Description =

Error - 10/01/2010 14:44:32 | Computer Name = USER-CA5DAA9914 | Source = Application Error | ID = 1000
Description = Faulting application ctimprtu.exe, version 5.0.7.0, faulting module
mfinfou.dll, version 1.4.1.0, fault address 0x00001582.

Error - 10/01/2010 16:23:53 | Computer Name = USER-CA5DAA9914 | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.1.3642, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 11/01/2010 15:56:09 | Computer Name = USER-CA5DAA9914 | Source = Google Update | ID = 20
Description =

[ System Events ]
Error - 11/01/2010 18:17:19 | Computer Name = USER-CA5DAA9914 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 11/01/2010 18:17:19 | Computer Name = USER-CA5DAA9914 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 11/01/2010 18:18:19 | Computer Name = USER-CA5DAA9914 | Source = Service Control Manager | ID = 7000
Description = The PfModNT service failed to start due to the following error: %%2

Error - 11/01/2010 18:43:14 | Computer Name = USER-CA5DAA9914 | Source = Service Control Manager | ID = 7034
Description = The NVIDIA Display Driver Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 11/01/2010 18:43:14 | Computer Name = USER-CA5DAA9914 | Source = Service Control Manager | ID = 7031
Description = The Apple Mobile Device service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 11/01/2010 18:43:14 | Computer Name = USER-CA5DAA9914 | Source = Service Control Manager | ID = 7034
Description = The Bonjour Service service terminated unexpectedly. It has done
this 1 time(s).

Error - 11/01/2010 18:43:14 | Computer Name = USER-CA5DAA9914 | Source = Service Control Manager | ID = 7034
Description = The Creative Service for CDROM Access service terminated unexpectedly.
It has done this 1 time(s).

Error - 11/01/2010 18:43:14 | Computer Name = USER-CA5DAA9914 | Source = Service Control Manager | ID = 7031
Description = The AVG Free WatchDog service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 0 milliseconds:
Restart the service.

Error - 11/01/2010 18:43:15 | Computer Name = USER-CA5DAA9914 | Source = Service Control Manager | ID = 7034
Description = The Java Quick Starter service terminated unexpectedly. It has done
this 1 time(s).

Error - 11/01/2010 18:43:15 | Computer Name = USER-CA5DAA9914 | Source = Service Control Manager | ID = 7034
Description = The SmartLinkService service terminated unexpectedly. It has done
this 1 time(s).


< End of report >

#2 RPMcMurphy

  • Group: Malware Removal
  • Posts: 930
  • Joined: 08-January 10

Posted 12 January 2010 - 03:18 PM

Hello mulla10 and welcome to geekstogo. I’ll be happy to look over your log and help you with your issues. It will be very helpful if you follow these guidelines:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please follow my instructions carefully and in the order they are posted.
  • Any underlined text in my posts indicates a clickable link.
  • You should print any instruction I give you for ease of use and reference.
  • If you have any questions at all, please stop and ask before proceeding.

Please be advised, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice. This may cause a delay, but I will do my best to keep it as short as possible.

I will post back shortly with instructions.

#3 RPMcMurphy

  • Group: Malware Removal
  • Posts: 930
  • Joined: 08-January 10

Posted 12 January 2010 - 07:50 PM

mulla10,

P2P - I see you have P2P software (uTorrent) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It likely contributed to your current situation.
Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares. I would strongly recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs.
If you choose to keep these applications, please do not use them until our fixes at g2g are complete.

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


#4 mulla10

  • Group: Member
  • Posts: 7
  • Joined: 11-January 10

Posted 13 January 2010 - 01:53 PM

Hi RP,
Thanks for taking this on.
Note taken on P2P, but I have been using it for a while and this, if it came from a P2P site, is the first virus I would have got.
I think it came from where I was using a free 30 day trial of AVG, which I believe has its own firewall; when the 30 days was up I changed back to the free version while online and forgot to turn back on my Windows firewall.
Just a guess, it could easily have been the P2P site.
Anyway, thanks again for your help,


mulla10.............................................


ComboFix 10-01-13.04 - user1 13/01/2010 19:22:02.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.353.1033.18.894.328 [GMT 0:00]
Running from: c:\documents and settings\user1\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.\documents\settings
c:\documents and settings\user1\Application Data\inst.exe
c:\documents and settings\user1\My Documents\reg back up.reg
c:\documents and settings\user1\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
c:\windows\deca5f07-5a00-4716-8465-3efaca97303b.ocx
c:\windows\system32\b21672ec-5b1b-40a6-91a9-92cddcd30ac3.dll
c:\windows\system32\reboot.txt
c:\windows\system32\xudzrvb.dll
c:\windows\system32\xudzrvb.dll.bak
c:\windows\Tasks\At1.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_iwaienuh


((((((((((((((((((((((((( Files Created from 2009-12-13 to 2010-01-13 )))))))))))))))))))))))))))))))
.

2010-01-11 22:53 . 2010-01-11 22:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-11 22:50 . 2010-01-12 17:29 -------- d-----w- c:\program files\ERUNT
2010-01-11 22:15 . 2010-01-11 22:15 -------- d-----w- c:\windows\system32\wbem\Repository
2010-01-11 22:14 . 2010-01-11 22:14 -------- d-----w- c:\program files\Common Files\Nokia
2010-01-11 22:14 . 2010-01-11 22:14 -------- d-----w- c:\program files\Common Files\Nero
2010-01-03 12:47 . 2010-01-03 12:47 -------- d-----w- c:\program files\Nokia
2010-01-03 11:52 . 2010-01-11 22:15 -------- d-----w- c:\program files\Uninstall Plus v4.1
2010-01-03 10:53 . 2010-01-03 10:53 -------- d-----w- c:\documents and settings\user1\Local Settings\Application Data\AVG Security Toolbar
2010-01-03 10:50 . 2010-01-03 10:42 2033432 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2010-01-03 10:50 . 2010-01-03 10:42 916248 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll
2010-01-03 10:43 . 2010-01-03 10:43 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-03 10:43 . 2010-01-03 10:43 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-03 10:43 . 2010-01-03 10:43 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-03 10:43 . 2010-01-03 10:43 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-01-03 10:43 . 2010-01-13 18:53 -------- d-----w- c:\windows\system32\drivers\Avg
2009-12-23 09:53 . 2010-01-03 10:42 4043032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-12-23 09:53 . 2009-12-21 09:40 294656 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglngx.dll
2009-12-22 13:14 . 2009-12-22 13:14 -------- d-----w- c:\program files\Apple Software Update
2009-12-22 13:09 . 2009-12-22 13:09 -------- d-----w- c:\program files\iPod
2009-12-22 13:09 . 2009-12-22 13:11 -------- d-----w- c:\program files\iTunes
2009-12-22 13:09 . 2009-12-22 13:11 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-22 12:58 . 2009-12-22 12:58 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-12-19 19:16 . 2009-12-19 19:30 -------- d-----w- c:\documents and settings\user1\Application Data\CameraWindowDC
2009-12-19 19:16 . 2009-12-19 19:16 -------- d-----w- c:\documents and settings\user1\Application Data\CANON INC
2009-12-19 19:12 . 2009-12-19 20:18 -------- d-----w- c:\documents and settings\user1\Application Data\ZoomBrowser EX
2009-12-19 18:56 . 2009-12-19 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-12-19 18:55 . 2009-12-19 18:58 -------- d-----w- c:\program files\Canon
2009-12-19 18:53 . 2009-12-19 18:53 -------- d-----w- c:\program files\Common Files\Canon
2009-12-19 18:51 . 2010-01-12 20:33 0 ----a-w- c:\documents and settings\user1\Local Settings\Application Data\prvlcl.dat
2009-12-17 21:31 . 2009-12-17 21:31 -------- d-----w- c:\documents and settings\user1\Application Data\Logitech
2009-12-17 21:31 . 2009-12-17 21:31 -------- d-----w- c:\documents and settings\user1\Application Data\Leadertech
2009-12-17 21:30 . 2009-12-17 21:30 53248 ----a-r- c:\documents and settings\user1\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2009-12-17 21:15 . 2008-05-02 02:38 301656 ----a-w- c:\windows\system32\BtCoreIf.dll
2009-12-17 21:15 . 2008-05-02 02:40 84496 ----a-w- c:\windows\system32\KemXML.dll
2009-12-17 21:15 . 2008-05-02 02:40 117264 ----a-w- c:\windows\system32\KemWnd.dll
2009-12-17 21:15 . 2008-05-02 02:39 145936 ----a-w- c:\windows\system32\KemUtil.dll
2009-12-17 21:15 . 2008-05-02 02:39 170512 ----a-w- c:\windows\system32\kemutb.dll
2009-12-17 21:15 . 2009-12-17 21:30 -------- d-----w- c:\program files\Common Files\Logishrd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-12 21:48 . 2008-10-14 19:03 -------- d-----w- c:\documents and settings\user1\Application Data\uTorrent
2010-01-12 18:15 . 2006-10-18 22:31 105472 ----a-w- c:\windows\system32\drivers\nvata.sys
2010-01-11 22:17 . 2009-11-20 13:39 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-01-11 22:15 . 2008-08-17 21:55 -------- d-----w- c:\documents and settings\user1\Application Data\dvdcss
2010-01-11 22:14 . 2010-01-11 22:14 -------- d-----w- c:\program files\Common Files\MagicDVDRipper
2010-01-11 22:14 . 2010-01-11 22:14 -------- d-----w- c:\program files\Common Files\MagicDVDCopier
2010-01-11 22:14 . 2010-01-03 17:41 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2010-01-10 09:32 . 2009-03-02 20:38 -------- d-----w- c:\documents and settings\user1\Application Data\Vso
2010-01-07 22:48 . 2008-06-07 22:16 -------- d-----w- c:\program files\DivX
2010-01-07 22:47 . 2009-04-05 20:27 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-01-07 16:07 . 2010-01-04 16:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 16:07 . 2010-01-04 16:27 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 18:09 . 2010-01-05 18:09 -------- d-----w- c:\documents and settings\user1\Application Data\TeamViewer
2010-01-05 18:09 . 2010-01-05 18:09 -------- d-----w- c:\program files\TeamViewer
2010-01-04 16:27 . 2010-01-04 16:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-04 13:41 . 2010-01-04 13:35 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverScanner
2010-01-04 13:41 . 2008-09-08 16:48 -------- d-----w- c:\documents and settings\user1\Application Data\Uniblue
2010-01-04 13:22 . 2010-01-03 10:43 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-01-03 11:20 . 2009-08-08 19:05 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-01-03 10:43 . 2009-12-23 09:53 3776280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-01-03 10:42 . 2009-11-22 19:45 3967256 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-01-03 10:42 . 2009-12-11 12:05 2352920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgresf.dll
2010-01-02 21:10 . 2009-10-15 19:09 -------- d-----w- c:\documents and settings\user1\Application Data\SUPERAntiSpyware.com
2009-12-30 20:58 . 2009-12-30 20:58 -------- d-----w- c:\documents and settings\user1\Application Data\Malwarebytes
2009-12-29 11:59 . 2009-12-29 11:59 -------- d-----w- c:\program files\Alwil Software
2009-12-28 16:23 . 2008-06-26 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2009-12-28 16:23 . 2009-12-27 23:04 -------- d-----w- c:\program files\Common Files\BitDefender
2009-12-28 16:23 . 2009-12-28 00:25 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2009-12-28 00:49 . 2009-12-28 00:25 -------- d-----w- c:\documents and settings\user1\Application Data\BitDefender
2009-12-28 00:25 . 2009-12-28 00:25 -------- d-----w- c:\program files\BitDefender
2009-12-27 18:48 . 2009-12-27 18:20 -------- d-----w- c:\program files\Common Files\Softwin
2009-12-27 18:45 . 2009-12-27 18:33 81984 ----a-w- c:\windows\system32\bdod.bin
2009-12-27 17:34 . 2009-12-27 17:32 -------- d-----w- c:\program files\trend micro
2009-12-22 17:32 . 2008-08-14 16:57 -------- d-----w- c:\documents and settings\user1\Application Data\Apple Computer
2009-12-22 13:09 . 2008-08-14 16:56 -------- d-----w- c:\program files\Common Files\Apple
2009-12-22 13:05 . 2008-08-14 16:56 -------- d-----w- c:\program files\QuickTime
2009-12-19 21:47 . 2008-08-14 22:26 -------- d-----w- c:\program files\Google
2009-12-17 21:16 . 2009-12-17 21:16 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2009-12-17 21:16 . 2009-12-17 21:16 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-12-17 21:15 . 2008-09-06 13:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2009-12-17 21:15 . 2008-09-06 12:55 -------- d-----w- c:\program files\Logitech
2009-12-17 21:15 . 2008-05-09 11:19 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-14 13:47 . 2009-12-14 13:47 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-12-14 13:47 . 2009-12-14 13:47 -------- d-----w- c:\program files\UPC
2009-12-14 09:27 . 2009-02-14 15:39 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-12 12:09 . 2009-10-06 20:57 -------- d-----w- c:\documents and settings\user1\Application Data\Facewebbody
2009-12-09 19:22 . 2009-12-09 19:22 -------- d-----w- c:\program files\LSoft Technologies
2009-12-09 19:16 . 2009-12-09 19:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-12-09 19:16 . 2008-05-22 15:43 -------- d-----w- c:\program files\Nero
2009-12-09 19:12 . 2009-12-09 19:11 -------- d-----w- c:\documents and settings\user1\Application Data\Nero
2009-12-09 18:25 . 2008-05-09 10:57 42944 -c--a-w- c:\documents and settings\user1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-04 18:50 . 2008-06-26 17:06 -------- d-----w- c:\documents and settings\user1\Application Data\Nokia
2009-11-25 13:01 . 2010-01-04 13:22 1230080 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-11-23 08:20 . 2009-10-06 20:57 -------- d-----w- c:\documents and settings\All Users\Application Data\part dead amok eggs
2009-11-21 15:51 . 2004-08-04 10:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-20 19:01 . 2009-11-20 19:01 -------- d-----w- c:\program files\PC Connectivity Solution
2009-11-20 18:59 . 2009-11-20 18:59 95232 -c--a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\pcswpcsi.exe
2009-11-20 18:59 . 2009-11-20 18:59 8192 -c--a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstCCD.exe
2009-11-20 18:59 . 2009-11-20 18:59 61440 -c--a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-11-20 18:59 . 2009-11-20 18:59 10240 -c--a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCS.exe
2009-11-20 18:48 . 2009-11-20 19:00 34429264 -c--a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Nokia_PC_Suite_7_1_40_1_eng.exe
2009-11-20 13:39 . 2008-05-15 10:48 -------- d-----w- c:\program files\AVG
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47 . 2009-11-14 00:47 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47 . 2009-11-14 00:47 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47 . 2009-11-14 00:47 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47 . 2009-11-14 00:47 696320 ----a-w- c:\windows\system32\DivX.dll
2009-11-11 23:02 . 2009-11-11 23:02 1266580 ----a-w- C:\output.dat
2009-11-08 23:54 . 2009-11-08 23:54 114272 -c--a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-11-06 10:52 . 2009-11-06 10:52 152576 -c--a-w- c:\documents and settings\user1\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-05 18:31 . 2008-06-26 17:04 8192 -c--a-w- c:\documents and settings\All Users\Application Data\Installations\{29466F9C-7C6A-419C-B301-F440FAF78760}\Installer\CommonCustomActions\UninstCCD.exe
2009-11-05 18:31 . 2008-06-26 17:04 61440 -c--a-w- c:\documents and settings\All Users\Application Data\Installations\{29466F9C-7C6A-419C-B301-F440FAF78760}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-11-05 18:31 . 2008-06-26 17:04 10240 -c--a-w- c:\documents and settings\All Users\Application Data\Installations\{29466F9C-7C6A-419C-B301-F440FAF78760}\Installer\CommonCustomActions\UninstPCS.exe
2009-10-29 07:46 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-04 10:00 17408 ------w- c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2004-08-04 10:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 10:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 10:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-19 16:04 . 2009-10-19 16:04 110984 ----a-w- c:\windows\system32\drivers\bdfndisf.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 13:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 700416]
"Google Update"="c:\documents and settings\user1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-10-04 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartWizard-DPW-939"="1" [X]
"IDTSysTrayApp"="sttray.exe" [2007-09-05 405504]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-20 185872]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
"nwiz"="nwiz.exe" [2009-06-10 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-03 2033432]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-6 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-12-17 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-01-03 10:43 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [03/01/2010 10:43 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [03/01/2010 10:43 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [03/01/2010 10:42 285392]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [19/10/2009 16:04 110984]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [02/11/2009 12:36 133104]
S3 acfva;acfva;c:\windows\system32\DRIVERS\ACFVA32.sys --> c:\windows\system32\DRIVERS\ACFVA32.sys [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [11/11/2009 22:47 16512]
S3 dgcfltr;DGC Filter Driver;c:\windows\system32\DRIVERS\ACFDCP32.sys --> c:\windows\system32\DRIVERS\ACFDCP32.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-04-19 12:23 452136 -c--a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2009-12-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-01-10 c:\windows\Tasks\Driver Robot.job
- c:\program files\Driver Robot\1.1.0.14\DriverRobot.exe [2009-11-11 13:53]

2008-11-25 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1100 series5E771253C1676EBED677BF361FDFC537825E15B8219695521.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-05 23:52]

2010-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-02 12:36]

2010-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-02 12:36]

2010-01-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-764733703-725345543-1003Core.job
- c:\documents and settings\user1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-04 08:46]

2010-01-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-764733703-725345543-1003UA.job
- c:\documents and settings\user1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-04 08:46]

2010-01-13 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\user1\Application Data\Mozilla\Firefox\Profiles\dqrym7pa.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - prefs.js: keyword.URL -
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\documents and settings\user1\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Canon\ZoomBrowser EX\Program\NPCIG.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - .
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
BHO-{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
BHO-{63ABEBC3-FEAB-4D2F-B7F4-038446F0185F} - c:\windows\system32\xudzrvb.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-13 19:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85197618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74cbf28
\Driver\ACPI -> ACPI.sys @ 0xf735ecb8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1220)
c:\windows\system32\WININET.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'lsass.exe'(1280)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3988)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\sttray.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\stsystra.exe
c:\windows\system32\wscntfy.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-01-13 19:40:26 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-13 19:40

Pre-Run: 144,816,562,176 bytes free
Post-Run: 144,673,554,432 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 81A4F11EE0C1042DC0BBED898D605F0F

#5 RPMcMurphy

  • Group: Malware Removal
  • Posts: 930
  • Joined: 08-January 10

Posted 14 January 2010 - 04:07 AM

mulla10,

You have a rootkit infection. You should change your passwords from a computer that you know is clean and refrain from using this machine for any financial transactions until we have you cleaned up.

Here are your next instructions.

Download TDSSKiller and save it to your Desktop.
  • Extract the file and run it.

  • Once completed it will create a log in your C:\ drive called TDSSKiller_* (* denotes version & date)

  • Please post the content of that TDSSKiller log.
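
The rootkit call above rests on the "Stealth MBR rootkit/Mebroot/Sinowal detector" section of the ComboFix log in post #4. As an added example that is not part of this thread and not code from ComboFix or GMER, the Python below parses that section (copied from the posted log) and pulls out the indicators that support the call, with a constructed clean sample alongside for contrast; the severity rules and field names are this example's own assumptions.

```python
import re

# Excerpt of the "Stealth MBR rootkit/Mebroot/Sinowal detector" section, copied
# from the ComboFix log posted above (the thread's own data, not constructed).
INFECTED_SECTION = r"""
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85197618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74cbf28
\Driver\ACPI -> ACPI.sys @ 0xf735ecb8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK
"""

# Constructed sample (assumption, not from the thread) of what the same detector
# prints when nothing is hidden in the disk path: every called module has a
# name and no hook list is printed.
CLEAN_SECTION = r"""
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys
kernel: MBR read successfully
user & kernel MBR OK
"""

UNKNOWN_MODULE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
NAMED_MODULE = re.compile(r"\.(sys|exe|dll)$", re.IGNORECASE)
HOOKS_HEADER = "detected MBR rootkit hooks:"
MBR_OK = "user & kernel MBR OK"


def parse_hook(line):
    """Split 'path -> target @ addr' into its parts; addr may be absent."""
    *path_parts, last = line.split(" -> ")
    target, _, addr = last.partition(" @ ")
    return {"path": " -> ".join(path_parts), "target": target.strip(), "addr": addr or None}


def triage(section):
    """Extract the indicators the detector reports and give a verdict."""
    result = {"unknown_modules": [], "hooks": [], "suspicious_hooks": [],
              "mbr_consistent": False, "verdict": "no indicators"}
    in_hooks = False
    for raw in section.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == MBR_OK:
            # The MBR read from user mode and from kernel mode agree, so the
            # boot sector itself is not what the detector objects to.
            result["mbr_consistent"] = True
            in_hooks = False
            continue
        if line.startswith("called modules:"):
            # A module in the disk I/O call chain that no loaded driver claims
            # is the strongest single indicator in this section.
            result["unknown_modules"] += UNKNOWN_MODULE.findall(line)
            continue
        if line == HOOKS_HEADER:
            in_hooks = True
            continue
        if in_hooks and " -> " in line:
            hook = parse_hook(line)
            result["hooks"].append(hook)
            # Targets that resolve to a named module, or to a null 0x0 handler,
            # are listed for the analyst; a bare address with no module behind
            # it is flagged (severity rule assumed for this example).
            if hook["target"] != "0x0" and not NAMED_MODULE.search(hook["target"]):
                result["suspicious_hooks"].append(hook)
    if result["unknown_modules"] or result["suspicious_hooks"]:
        result["verdict"] = "rootkit indicators present"
    return result


if __name__ == "__main__":
    for name, text in (("posted log", INFECTED_SECTION), ("constructed clean log", CLEAN_SECTION)):
        r = triage(text)
        print(f"{name}: {r['verdict']}; unknown modules {r['unknown_modules']}, "
              f"{len(r['hooks'])} hooks listed, MBR consistent={r['mbr_consistent']}")
```

On the posted log the only high-severity item is the unnamed module at 0x85197618 in the disk call chain; the nine hook lines all resolve to named Windows modules or null handlers, which is why the follow-up is a driver-level scanner rather than an MBR rewrite.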


#6 mulla10

  • Group: Member
  • Posts: 7
  • Joined: 11-January 10

Posted 15 January 2010 - 02:56 AM

RP,
Here is the TDSS log.



17:46:34:578 2240 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
17:46:34:578 2240 ================================================================================
17:46:34:578 2240 SystemInfo:

17:46:34:578 2240 OS Version: 5.1.2600 ServicePack: 3.0
17:46:34:578 2240 Product type: Workstation
17:46:34:578 2240 ComputerName: USER-CA5DAA9914
17:46:34:578 2240 UserName: user1
17:46:34:578 2240 Windows directory: C:\WINDOWS
17:46:34:578 2240 Processor architecture: Intel x86
17:46:34:578 2240 Number of processors: 1
17:46:34:578 2240 Page size: 0x1000
17:46:34:578 2240 Boot type: Normal boot
17:46:34:578 2240 ================================================================================
17:46:34:578 2240 UnloadDriverW: NtUnloadDriver error 2
17:46:34:578 2240 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
17:46:34:578 2240 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
17:46:34:656 2240 UtilityInit: KLMD drop and load success
17:46:34:656 2240 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
17:46:34:656 2240 UtilityInit: KLMD open success
17:46:34:656 2240 UtilityInit: Initialize success
17:46:34:656 2240
17:46:34:656 2240 Scanning Services ...
17:46:34:656 2240 CreateRegParser: Registry parser init started
17:46:34:656 2240 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
17:46:34:656 2240 CreateRegParser: DisableWow64Redirection error
17:46:34:656 2240 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
17:46:34:656 2240 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
17:46:34:656 2240 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:46:34:656 2240 wfopen_ex: Trying to KLMD file open
17:46:34:656 2240 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
17:46:34:656 2240 wfopen_ex: File opened ok (Flags 2)
17:46:34:656 2240 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 284998
17:46:34:656 2240 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
17:46:34:656 2240 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
17:46:34:656 2240 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:46:34:656 2240 wfopen_ex: Trying to KLMD file open
17:46:34:656 2240 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
17:46:34:656 2240 wfopen_ex: File opened ok (Flags 2)
17:46:34:656 2240 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 284A40
17:46:34:656 2240 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
17:46:34:656 2240 CreateRegParser: EnableWow64Redirection error
17:46:34:656 2240 CreateRegParser: RegParser init completed
17:46:34:781 2240 GetAdvancedServicesInfo: Raw services enum returned 377 services
17:46:34:781 2240 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
17:46:34:781 2240 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
17:46:34:781 2240
17:46:34:781 2240 Scanning Kernel memory ...
17:46:34:781 2240 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
17:46:34:781 2240 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8544AAE0
17:46:34:781 2240 DetectCureTDL3: KLMD_GetDeviceObjectList returned 10 DevObjects
17:46:34:781 2240
17:46:34:781 2240 DetectCureTDL3: DEVICE_OBJECT: 84E43C68
17:46:34:781 2240 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84E43C68
17:46:34:781 2240 KLMD_ReadMem: Trying to ReadMemory 0x84E43C68[0x38]
17:46:34:781 2240 DetectCureTDL3: DRIVER_OBJECT: 8544AAE0
17:46:34:781 2240 KLMD_ReadMem: Trying to ReadMemory 0x8544AAE0[0xA8]
17:46:34:781 2240 KLMD_ReadMem: Trying to ReadMemory 0xE100ADE8[0x18]
17:46:34:781 2240 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
17:46:34:781 2240 DetectCureTDL3: IrpHandler (0) addr: F74CDBB0
17:46:34:781 2240 DetectCureTDL3: IrpHandler (1) addr: 804F355A
17:46:34:781 2240 DetectCureTDL3: IrpHandler (2) addr: F74CDBB0
17:46:34:781 2240 DetectCureTDL3: IrpHandler (3) addr: F74C7D1F
17:46:34:781 2240 DetectCureTDL3: IrpHandler (4) addr: F74C7D1F
17:46:34:781 2240 DetectCureTDL3: IrpHandler (5) addr: 804F355A
17:46:34:781 2240 DetectCureTDL3: IrpHandler (6) addr: 804F355A
17:46:34:781 2240 DetectCureTDL3: IrpHandler (7) addr: 804F355A
17:46:34:781 2240 DetectCureTDL3: IrpHandler (8) addr: 804F355A
17:46:34:781 2240 DetectCureTDL3: IrpHandler (9) addr: F74C82E2
17:46:34:781 2240 DetectCureTDL3: IrpHandler (10) addr: 804F355A
17:46:34:781 2240 DetectCureTDL3: IrpHandler (11) addr: 804F355A
17:46:34:781 2240 DetectCureTDL3: IrpHandler (12) addr: 804F355A
17:46:34:781 2240 DetectCureTDL3: IrpHandler (13) addr: 804F355A
17:46:34:781 2240 DetectCureTDL3: IrpHandler (14) addr: F74C83BB
17:46:34:781 2240 DetectCureTDL3: IrpHandler (15) addr: F74CBF28
17:46:34:781 2240 DetectCureTDL3: IrpHandler (16) addr: F74C82E2
17:46:34:781 2240 DetectCureTDL3: IrpHandler (17) addr: 804F355A
17:46:34:781 2240 DetectCureTDL3: IrpHandler (18) addr: 804F355A
17:46:34:781 2240 DetectCureTDL3: IrpHandler (19) addr: 804F355A
17:46:34:781 2240 DetectCureTDL3: IrpHandler (20) addr: 804F355A
17:46:34:781 2240 DetectCureTDL3: IrpHandler (21) addr: 804F355A
17:46:34:781 2240 DetectCureTDL3: IrpHandler (22) addr: F74C9C82
17:46:34:781 2240 DetectCureTDL3: IrpHandler (23) addr: F74CE99E
17:46:34:781 2240 DetectCureTDL3: IrpHandler (24) addr: 804F355A
17:46:34:781 2240 DetectCureTDL3: IrpHandler (25) addr: 804F355A
17:46:34:781 2240 DetectCureTDL3: IrpHandler (26) addr: 804F355A
17:46:34:781 2240 TDL3_FileDetect: Processing driver: Disk
17:46:34:781 2240 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
17:46:34:781 2240 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
17:46:34:828 2240 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
17:46:34:828 2240
17:46:34:828 2240 DetectCureTDL3: DEVICE_OBJECT: 84C7EC68
17:46:34:828 2240 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84C7EC68
17:46:34:828 2240 KLMD_ReadMem: Trying to ReadMemory 0x84C7EC68[0x38]
17:46:34:828 2240 DetectCureTDL3: DRIVER_OBJECT: 8544AAE0
17:46:34:828 2240 KLMD_ReadMem: Trying to ReadMemory 0x8544AAE0[0xA8]
17:46:34:828 2240 KLMD_ReadMem: Trying to ReadMemory 0xE100ADE8[0x18]
17:46:34:828 2240 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
17:46:34:828 2240 DetectCureTDL3: IrpHandler (0) addr: F74CDBB0
17:46:34:828 2240 DetectCureTDL3: IrpHandler (1) addr: 804F355A
17:46:34:828 2240 DetectCureTDL3: IrpHandler (2) addr: F74CDBB0
17:46:34:828 2240 DetectCureTDL3: IrpHandler (3) addr: F74C7D1F
17:46:34:828 2240 DetectCureTDL3: IrpHandler (4) addr: F74C7D1F
17:46:34:828 2240 DetectCureTDL3: IrpHandler (5) addr: 804F355A
17:46:34:828 2240 DetectCureTDL3: IrpHandler (6) addr: 804F355A
17:46:34:828 2240 DetectCureTDL3: IrpHandler (7) addr: 804F355A
17:46:34:828 2240 DetectCureTDL3: IrpHandler (8) addr: 804F355A
17:46:34:828 2240 DetectCureTDL3: IrpHandler (9) addr: F74C82E2
17:46:34:828 2240 DetectCureTDL3: IrpHandler (10) addr: 804F355A
17:46:34:828 2240 DetectCureTDL3: IrpHandler (11) addr: 804F355A
17:46:34:828 2240 DetectCureTDL3: IrpHandler (12) addr: 804F355A
17:46:34:828 2240 DetectCureTDL3: IrpHandler (13) addr: 804F355A
17:46:34:828 2240 DetectCureTDL3: IrpHandler (14) addr: F74C83BB
17:46:34:828 2240 DetectCureTDL3: IrpHandler (15) addr: F74CBF28
17:46:34:828 2240 DetectCureTDL3: IrpHandler (16) addr: F74C82E2
17:46:34:828 2240 DetectCureTDL3: IrpHandler (17) addr: 804F355A
17:46:34:828 2240 DetectCureTDL3: IrpHandler (18) addr: 804F355A
17:46:34:828 2240 DetectCureTDL3: IrpHandler (19) addr: 804F355A
17:46:34:828 2240 DetectCureTDL3: IrpHandler (20) addr: 804F355A
17:46:34:828 2240 DetectCureTDL3: IrpHandler (21) addr: 804F355A
17:46:34:828 2240 DetectCureTDL3: IrpHandler (22) addr: F74C9C82
17:46:34:828 2240 DetectCureTDL3: IrpHandler (23) addr: F74CE99E
17:46:34:828 2240 DetectCureTDL3: IrpHandler (24) addr: 804F355A
17:46:34:828 2240 DetectCureTDL3: IrpHandler (25) addr: 804F355A
17:46:34:828 2240 DetectCureTDL3: IrpHandler (26) addr: 804F355A
17:46:34:828 2240 TDL3_FileDetect: Processing driver: Disk
17:46:34:828 2240 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
17:46:34:828 2240 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
17:46:34:875 2240 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
17:46:34:875 2240
17:46:34:875 2240 DetectCureTDL3: DEVICE_OBJECT: 84E444D0
17:46:34:875 2240 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84E444D0
17:46:34:875 2240 KLMD_ReadMem: Trying to ReadMemory 0x84E444D0[0x38]
17:46:34:875 2240 DetectCureTDL3: DRIVER_OBJECT: 8544AAE0
17:46:34:875 2240 KLMD_ReadMem: Trying to ReadMemory 0x8544AAE0[0xA8]
17:46:34:875 2240 KLMD_ReadMem: Trying to ReadMemory 0xE100ADE8[0x18]
17:46:34:875 2240 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
17:46:34:875 2240 DetectCureTDL3: IrpHandler (0) addr: F74CDBB0
17:46:34:875 2240 DetectCureTDL3: IrpHandler (1) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (2) addr: F74CDBB0
17:46:34:875 2240 DetectCureTDL3: IrpHandler (3) addr: F74C7D1F
17:46:34:875 2240 DetectCureTDL3: IrpHandler (4) addr: F74C7D1F
17:46:34:875 2240 DetectCureTDL3: IrpHandler (5) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (6) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (7) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (8) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (9) addr: F74C82E2
17:46:34:875 2240 DetectCureTDL3: IrpHandler (10) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (11) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (12) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (13) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (14) addr: F74C83BB
17:46:34:875 2240 DetectCureTDL3: IrpHandler (15) addr: F74CBF28
17:46:34:875 2240 DetectCureTDL3: IrpHandler (16) addr: F74C82E2
17:46:34:875 2240 DetectCureTDL3: IrpHandler (17) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (18) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (19) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (20) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (21) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (22) addr: F74C9C82
17:46:34:875 2240 DetectCureTDL3: IrpHandler (23) addr: F74CE99E
17:46:34:875 2240 DetectCureTDL3: IrpHandler (24) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (25) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (26) addr: 804F355A
17:46:34:875 2240 TDL3_FileDetect: Processing driver: Disk
17:46:34:875 2240 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
17:46:34:875 2240 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
17:46:34:875 2240 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
17:46:34:875 2240
17:46:34:875 2240 DetectCureTDL3: DEVICE_OBJECT: 84E403E0
17:46:34:875 2240 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84E403E0
17:46:34:875 2240 KLMD_ReadMem: Trying to ReadMemory 0x84E403E0[0x38]
17:46:34:875 2240 DetectCureTDL3: DRIVER_OBJECT: 8544AAE0
17:46:34:875 2240 KLMD_ReadMem: Trying to ReadMemory 0x8544AAE0[0xA8]
17:46:34:875 2240 KLMD_ReadMem: Trying to ReadMemory 0xE100ADE8[0x18]
17:46:34:875 2240 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
17:46:34:875 2240 DetectCureTDL3: IrpHandler (0) addr: F74CDBB0
17:46:34:875 2240 DetectCureTDL3: IrpHandler (1) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (2) addr: F74CDBB0
17:46:34:875 2240 DetectCureTDL3: IrpHandler (3) addr: F74C7D1F
17:46:34:875 2240 DetectCureTDL3: IrpHandler (4) addr: F74C7D1F
17:46:34:875 2240 DetectCureTDL3: IrpHandler (5) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (6) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (7) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (8) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (9) addr: F74C82E2
17:46:34:875 2240 DetectCureTDL3: IrpHandler (10) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (11) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (12) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (13) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (14) addr: F74C83BB
17:46:34:875 2240 DetectCureTDL3: IrpHandler (15) addr: F74CBF28
17:46:34:875 2240 DetectCureTDL3: IrpHandler (16) addr: F74C82E2
17:46:34:875 2240 DetectCureTDL3: IrpHandler (17) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (18) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (19) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (20) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (21) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (22) addr: F74C9C82
17:46:34:875 2240 DetectCureTDL3: IrpHandler (23) addr: F74CE99E
17:46:34:875 2240 DetectCureTDL3: IrpHandler (24) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (25) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (26) addr: 804F355A
17:46:34:875 2240 TDL3_FileDetect: Processing driver: Disk
17:46:34:875 2240 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
17:46:34:875 2240 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
17:46:34:875 2240 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
17:46:34:875 2240
17:46:34:875 2240 DetectCureTDL3: DEVICE_OBJECT: 84E3E540
17:46:34:875 2240 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84E3E540
17:46:34:875 2240 DetectCureTDL3: DEVICE_OBJECT: 84E7B4C0
17:46:34:875 2240 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84E7B4C0
17:46:34:875 2240 KLMD_ReadMem: Trying to ReadMemory 0x84E7B4C0[0x38]
17:46:34:875 2240 DetectCureTDL3: DRIVER_OBJECT: 84FB6A18
17:46:34:875 2240 KLMD_ReadMem: Trying to ReadMemory 0x84FB6A18[0xA8]
17:46:34:875 2240 KLMD_ReadMem: Trying to ReadMemory 0xE1D1FB78[0x1E]
17:46:34:875 2240 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
17:46:34:875 2240 DetectCureTDL3: IrpHandler (0) addr: ED5DB218
17:46:34:875 2240 DetectCureTDL3: IrpHandler (1) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (2) addr: ED5DB218
17:46:34:875 2240 DetectCureTDL3: IrpHandler (3) addr: ED5DB23C
17:46:34:875 2240 DetectCureTDL3: IrpHandler (4) addr: ED5DB23C
17:46:34:875 2240 DetectCureTDL3: IrpHandler (5) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (6) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (7) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (8) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (9) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (10) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (11) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (12) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (13) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (14) addr: ED5DB180
17:46:34:875 2240 DetectCureTDL3: IrpHandler (15) addr: ED5D69E6
17:46:34:875 2240 DetectCureTDL3: IrpHandler (16) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (17) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (18) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (19) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (20) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (21) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (22) addr: ED5DA5F0
17:46:34:875 2240 DetectCureTDL3: IrpHandler (23) addr: ED5D8A6E
17:46:34:875 2240 DetectCureTDL3: IrpHandler (24) addr: 804F355A
17:46:34:875 2240 DetectCureTDL3: IrpHandler (25) addr: 804F355A
17:46:34:921 2240 DetectCureTDL3: IrpHandler (26) addr: 804F355A
17:46:34:921 2240 KLMD_ReadMem: Trying to ReadMemory 0xED5D7F26[0x400]
17:46:34:921 2240 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
17:46:34:921 2240 TDL3_FileDetect: Processing driver: USBSTOR
17:46:34:921 2240 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
17:46:34:921 2240 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
17:46:34:937 2240 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
17:46:34:937 2240
17:46:34:937 2240 DetectCureTDL3: DEVICE_OBJECT: 84E3EAB8
17:46:34:937 2240 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84E3EAB8
17:46:34:937 2240 DetectCureTDL3: DEVICE_OBJECT: 84E56870
17:46:34:937 2240 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84E56870
17:46:34:937 2240 KLMD_ReadMem: Trying to ReadMemory 0x84E56870[0x38]
17:46:34:937 2240 DetectCureTDL3: DRIVER_OBJECT: 84FB6A18
17:46:34:937 2240 KLMD_ReadMem: Trying to ReadMemory 0x84FB6A18[0xA8]
17:46:34:937 2240 KLMD_ReadMem: Trying to ReadMemory 0xE1D1FB78[0x1E]
17:46:34:937 2240 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
17:46:34:937 2240 DetectCureTDL3: IrpHandler (0) addr: ED5DB218
17:46:34:937 2240 DetectCureTDL3: IrpHandler (1) addr: 804F355A
17:46:34:937 2240 DetectCureTDL3: IrpHandler (2) addr: ED5DB218
17:46:34:937 2240 DetectCureTDL3: IrpHandler (3) addr: ED5DB23C
17:46:34:937 2240 DetectCureTDL3: IrpHandler (4) addr: ED5DB23C
17:46:34:937 2240 DetectCureTDL3: IrpHandler (5) addr: 804F355A
17:46:34:937 2240 DetectCureTDL3: IrpHandler (6) addr: 804F355A
17:46:34:937 2240 DetectCureTDL3: IrpHandler (7) addr: 804F355A
17:46:34:937 2240 DetectCureTDL3: IrpHandler (8) addr: 804F355A
17:46:34:937 2240 DetectCureTDL3: IrpHandler (9) addr: 804F355A
17:46:34:937 2240 DetectCureTDL3: IrpHandler (10) addr: 804F355A
17:46:34:937 2240 DetectCureTDL3: IrpHandler (11) addr: 804F355A
17:46:34:937 2240 DetectCureTDL3: IrpHandler (12) addr: 804F355A
17:46:34:937 2240 DetectCureTDL3: IrpHandler (13) addr: 804F355A
17:46:34:937 2240 DetectCureTDL3: IrpHandler (14) addr: ED5DB180
17:46:34:937 2240 DetectCureTDL3: IrpHandler (15) addr: ED5D69E6
17:46:34:937 2240 DetectCureTDL3: IrpHandler (16) addr: 804F355A
17:46:34:937 2240 DetectCureTDL3: IrpHandler (17) addr: 804F355A
17:46:34:937 2240 DetectCureTDL3: IrpHandler (18) addr: 804F355A
17:46:34:937 2240 DetectCureTDL3: IrpHandler (19) addr: 804F355A
17:46:34:937 2240 DetectCureTDL3: IrpHandler (20) addr: 804F355A
17:46:34:937 2240 DetectCureTDL3: IrpHandler (21) addr: 804F355A
17:46:34:937 2240 DetectCureTDL3: IrpHandler (22) addr: ED5DA5F0
17:46:34:937 2240 DetectCureTDL3: IrpHandler (23) addr: ED5D8A6E
17:46:34:937 2240 DetectCureTDL3: IrpHandler (24) addr: 804F355A
17:46:34:937 2240 DetectCureTDL3: IrpHandler (25) addr: 804F355A
17:46:34:937 2240 DetectCureTDL3: IrpHandler (26) addr: 804F355A
17:46:34:937 2240 KLMD_ReadMem: Trying to ReadMemory 0xED5D7F26[0x400]
17:46:34:937 2240 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
17:46:34:937 2240 TDL3_FileDetect: Processing driver: USBSTOR
17:46:34:937 2240 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
17:46:34:937 2240 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
17:46:34:937 2240 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
17:46:34:937 2240
17:46:34:937 2240 DetectCureTDL3: DEVICE_OBJECT: 84E3F540
17:46:34:937 2240 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84E3F540
17:46:34:937 2240 DetectCureTDL3: DEVICE_OBJECT: 84FB6888
17:46:34:937 2240 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84FB6888
17:46:34:937 2240 KLMD_ReadMem: Trying to ReadMemory 0x84FB6888[0x38]
17:46:34:937 2240 DetectCureTDL3: DRIVER_OBJECT: 84FB6A18
17:46:34:937 2240 KLMD_ReadMem: Trying to ReadMemory 0x84FB6A18[0xA8]
17:46:34:937 2240 KLMD_ReadMem: Trying to ReadMemory 0xE1D1FB78[0x1E]
17:46:34:937 2240 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
17:46:34:937 2240 DetectCureTDL3: IrpHandler (0) addr: ED5DB218
17:46:34:937 2240 DetectCureTDL3: IrpHandler (1) addr: 804F355A
17:46:34:937 2240 DetectCureTDL3: IrpHandler (2) addr: ED5DB218
17:46:34:937 2240 DetectCureTDL3: IrpHandler (3) addr: ED5DB23C
17:46:34:937 2240 DetectCureTDL3: IrpHandler (4) addr: ED5DB23C
17:46:34:937 2240 DetectCureTDL3: IrpHandler (5) addr: 804F355A
17:46:34:937 2240 DetectCureTDL3: IrpHandler (6) addr: 804F355A
17:46:34:937 2240 DetectCureTDL3: IrpHandler (7) addr: 804F355A
17:46:34:937 2240 DetectCureTDL3: IrpHandler (8) addr: 804F355A
17:46:34:937 2240 DetectCureTDL3: IrpHandler (9) addr: 804F355A
17:46:34:937 2240 DetectCureTDL3: IrpHandler (10) addr: 804F355A
17:46:34:937 2240 DetectCureTDL3: IrpHandler (11) addr: 804F355A
17:46:34:937 2240 DetectCureTDL3: IrpHandler (12) addr: 804F355A
17:46:34:937 2240 DetectCureTDL3: IrpHandler (13) addr: 804F355A
17:46:34:937 2240 DetectCureTDL3: IrpHandler (14) addr: ED5DB180
17:46:34:937 2240 DetectCureTDL3: IrpHandler (15) addr: ED5D69E6
17:46:34:937 2240 DetectCureTDL3: IrpHandler (16) addr: 804F355A
17:46:34:937 2240 DetectCureTDL3: IrpHandler (17) addr: 804F355A
17:46:34:937 2240 DetectCureTDL3: IrpHandler (18) addr: 804F355A
17:46:34:937 2240 DetectCureTDL3: IrpHandler (19) addr: 804F355A
17:46:34:937 2240 DetectCureTDL3: IrpHandler (20) addr: 804F355A
17:46:34:937 2240 DetectCureTDL3: IrpHandler (21) addr: 804F355A
17:46:34:937 2240 DetectCureTDL3: IrpHandler (22) addr: ED5DA5F0
17:46:34:937 2240 DetectCureTDL3: IrpHandler (23) addr: ED5D8A6E
17:46:34:937 2240 DetectCureTDL3: IrpHandler (24) addr: 804F355A
17:46:34:937 2240 DetectCureTDL3: IrpHandler (25) addr: 804F355A
17:46:34:937 2240 DetectCureTDL3: IrpHandler (26) addr: 804F355A
17:46:34:937 2240 KLMD_ReadMem: Trying to ReadMemory 0xED5D7F26[0x400]
17:46:34:937 2240 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
17:46:34:937 2240 TDL3_FileDetect: Processing driver: USBSTOR
17:46:34:937 2240 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
17:46:34:937 2240 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
17:46:34:937 2240 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
17:46:34:937 2240
17:46:34:937 2240 DetectCureTDL3: DEVICE_OBJECT: 84E3FAB8
17:46:34:937 2240 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84E3FAB8
17:46:34:937 2240 DetectCureTDL3: DEVICE_OBJECT: 84E558F0
17:46:34:937 2240 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84E558F0
17:46:34:937 2240 KLMD_ReadMem: Trying to ReadMemory 0x84E558F0[0x38]
17:46:34:937 2240 DetectCureTDL3: DRIVER_OBJECT: 84FB6A18
17:46:34:937 2240 KLMD_ReadMem: Trying to ReadMemory 0x84FB6A18[0xA8]
17:46:34:937 2240 KLMD_ReadMem: Trying to ReadMemory 0xE1D1FB78[0x1E]
17:46:34:937 2240 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
17:46:34:937 2240 DetectCureTDL3: IrpHandler (0) addr: ED5DB218
17:46:34:937 2240 DetectCureTDL3: IrpHandler (1) addr: 804F355A
17:46:34:937 2240 DetectCureTDL3: IrpHandler (2) addr: ED5DB218
17:46:34:953 2240 DetectCureTDL3: IrpHandler (3) addr: ED5DB23C
17:46:34:953 2240 DetectCureTDL3: IrpHandler (4) addr: ED5DB23C
17:46:34:953 2240 DetectCureTDL3: IrpHandler (5) addr: 804F355A
17:46:34:953 2240 DetectCureTDL3: IrpHandler (6) addr: 804F355A
17:46:34:953 2240 DetectCureTDL3: IrpHandler (7) addr: 804F355A
17:46:34:953 2240 DetectCureTDL3: IrpHandler (8) addr: 804F355A
17:46:34:953 2240 DetectCureTDL3: IrpHandler (9) addr: 804F355A
17:46:34:953 2240 DetectCureTDL3: IrpHandler (10) addr: 804F355A
17:46:34:953 2240 DetectCureTDL3: IrpHandler (11) addr: 804F355A
17:46:34:953 2240 DetectCureTDL3: IrpHandler (12) addr: 804F355A
17:46:34:953 2240 DetectCureTDL3: IrpHandler (13) addr: 804F355A
17:46:34:953 2240 DetectCureTDL3: IrpHandler (14) addr: ED5DB180
17:46:34:953 2240 DetectCureTDL3: IrpHandler (15) addr: ED5D69E6
17:46:34:953 2240 DetectCureTDL3: IrpHandler (16) addr: 804F355A
17:46:34:953 2240 DetectCureTDL3: IrpHandler (17) addr: 804F355A
17:46:34:953 2240 DetectCureTDL3: IrpHandler (18) addr: 804F355A
17:46:34:953 2240 DetectCureTDL3: IrpHandler (19) addr: 804F355A
17:46:34:953 2240 DetectCureTDL3: IrpHandler (20) addr: 804F355A
17:46:34:953 2240 DetectCureTDL3: IrpHandler (21) addr: 804F355A
17:46:34:953 2240 DetectCureTDL3: IrpHandler (22) addr: ED5DA5F0
17:46:34:953 2240 DetectCureTDL3: IrpHandler (23) addr: ED5D8A6E
17:46:34:953 2240 DetectCureTDL3: IrpHandler (24) addr: 804F355A
17:46:34:953 2240 DetectCureTDL3: IrpHandler (25) addr: 804F355A
17:46:34:953 2240 DetectCureTDL3: IrpHandler (26) addr: 804F355A
17:46:34:953 2240 KLMD_ReadMem: Trying to ReadMemory 0xED5D7F26[0x400]
17:46:34:953 2240 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
17:46:34:953 2240 TDL3_FileDetect: Processing driver: USBSTOR
17:46:34:953 2240 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
17:46:34:953 2240 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
17:46:34:953 2240 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
17:46:34:953 2240
17:46:34:953 2240 DetectCureTDL3: DEVICE_OBJECT: 853D89F0
17:46:34:953 2240 KLMD_GetLowerDeviceObject: Trying to get lower device object for 853D89F0
17:46:34:953 2240 KLMD_ReadMem: Trying to ReadMemory 0x853D89F0[0x38]
17:46:34:953 2240 DetectCureTDL3: DRIVER_OBJECT: 8544AAE0
17:46:34:953 2240 KLMD_ReadMem: Trying to ReadMemory 0x8544AAE0[0xA8]
17:46:34:953 2240 KLMD_ReadMem: Trying to ReadMemory 0xE100ADE8[0x18]
17:46:34:953 2240 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
17:46:34:953 2240 DetectCureTDL3: IrpHandler (0) addr: F74CDBB0
17:46:34:953 2240 DetectCureTDL3: IrpHandler (1) addr: 804F355A
17:46:34:953 2240 DetectCureTDL3: IrpHandler (2) addr: F74CDBB0
17:46:34:953 2240 DetectCureTDL3: IrpHandler (3) addr: F74C7D1F
17:46:34:953 2240 DetectCureTDL3: IrpHandler (4) addr: F74C7D1F
17:46:34:953 2240 DetectCureTDL3: IrpHandler (5) addr: 804F355A
17:46:34:953 2240 DetectCureTDL3: IrpHandler (6) addr: 804F355A
17:46:34:953 2240 DetectCureTDL3: IrpHandler (7) addr: 804F355A
17:46:34:953 2240 DetectCureTDL3: IrpHandler (8) addr: 804F355A
17:46:34:953 2240 DetectCureTDL3: IrpHandler (9) addr: F74C82E2
17:46:34:953 2240 DetectCureTDL3: IrpHandler (10) addr: 804F355A
17:46:34:953 2240 DetectCureTDL3: IrpHandler (11) addr: 804F355A
17:46:34:953 2240 DetectCureTDL3: IrpHandler (12) addr: 804F355A
17:46:34:953 2240 DetectCureTDL3: IrpHandler (13) addr: 804F355A
17:46:34:953 2240 DetectCureTDL3: IrpHandler (14) addr: F74C83BB
17:46:34:953 2240 DetectCureTDL3: IrpHandler (15) addr: F74CBF28
17:46:34:953 2240 DetectCureTDL3: IrpHandler (16) addr: F74C82E2
17:46:34:953 2240 DetectCureTDL3: IrpHandler (17) addr: 804F355A
17:46:34:953 2240 DetectCureTDL3: IrpHandler (18) addr: 804F355A
17:46:34:953 2240 DetectCureTDL3: IrpHandler (19) addr: 804F355A
17:46:34:953 2240 DetectCureTDL3: IrpHandler (20) addr: 804F355A
17:46:34:953 2240 DetectCureTDL3: IrpHandler (21) addr: 804F355A
17:46:34:953 2240 DetectCureTDL3: IrpHandler (22) addr: F74C9C82
17:46:34:953 2240 DetectCureTDL3: IrpHandler (23) addr: F74CE99E
17:46:34:953 2240 DetectCureTDL3: IrpHandler (24) addr: 804F355A
17:46:34:953 2240 DetectCureTDL3: IrpHandler (25) addr: 804F355A
17:46:34:953 2240 DetectCureTDL3: IrpHandler (26) addr: 804F355A
17:46:34:953 2240 TDL3_FileDetect: Processing driver: Disk
17:46:34:953 2240 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
17:46:34:953 2240 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
17:46:34:953 2240 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
17:46:34:953 2240
17:46:34:953 2240 DetectCureTDL3: DEVICE_OBJECT: 8544A390
17:46:34:953 2240 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8544A390
17:46:34:953 2240 DetectCureTDL3: DEVICE_OBJECT: 85437F18
17:46:34:953 2240 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85437F18
17:46:34:953 2240 DetectCureTDL3: DEVICE_OBJECT: 85436030
17:46:34:953 2240 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85436030
17:46:34:953 2240 KLMD_ReadMem: Trying to ReadMemory 0x85436030[0x38]
17:46:34:953 2240 DetectCureTDL3: DRIVER_OBJECT: 85494F38
17:46:34:953 2240 KLMD_ReadMem: Trying to ReadMemory 0x85494F38[0xA8]
17:46:34:953 2240 KLMD_ReadMem: Trying to ReadMemory 0x85377030[0x38]
17:46:34:953 2240 KLMD_ReadMem: Trying to ReadMemory 0x854DB3D0[0xA8]
17:46:34:953 2240 KLMD_ReadMem: Trying to ReadMemory 0xE18230B0[0x1A]
17:46:34:953 2240 DetectCureTDL3: DRIVER_OBJECT name: \Driver\nvata, Driver Name: nvata
17:46:34:953 2240 DetectCureTDL3: IrpHandler (0) addr: 8537D618
17:46:34:953 2240 DetectCureTDL3: IrpHandler (1) addr: 8537D618
17:46:34:953 2240 DetectCureTDL3: IrpHandler (2) addr: 8537D618
17:46:34:953 2240 DetectCureTDL3: IrpHandler (3) addr: 8537D618
17:46:34:953 2240 DetectCureTDL3: IrpHandler (4) addr: 8537D618
17:46:34:953 2240 DetectCureTDL3: IrpHandler (5) addr: 8537D618
17:46:34:953 2240 DetectCureTDL3: IrpHandler (6) addr: 8537D618
17:46:34:953 2240 DetectCureTDL3: IrpHandler (7) addr: 8537D618
17:46:34:953 2240 DetectCureTDL3: IrpHandler (8) addr: 8537D618
17:46:34:953 2240 DetectCureTDL3: IrpHandler (9) addr: 8537D618
17:46:34:953 2240 DetectCureTDL3: IrpHandler (10) addr: 8537D618
17:46:34:953 2240 DetectCureTDL3: IrpHandler (11) addr: 8537D618
17:46:34:953 2240 DetectCureTDL3: IrpHandler (12) addr: 8537D618
17:46:34:953 2240 DetectCureTDL3: IrpHandler (13) addr: 8537D618
17:46:34:953 2240 DetectCureTDL3: IrpHandler (14) addr: 8537D618
17:46:34:953 2240 DetectCureTDL3: IrpHandler (15) addr: 8537D618
17:46:34:953 2240 DetectCureTDL3: IrpHandler (16) addr: 8537D618
17:46:34:953 2240 DetectCureTDL3: IrpHandler (17) addr: 8537D618
17:46:34:953 2240 DetectCureTDL3: IrpHandler (18) addr: 8537D618
17:46:34:953 2240 DetectCureTDL3: IrpHandler (19) addr: 8537D618
17:46:34:953 2240 DetectCureTDL3: IrpHandler (20) addr: 8537D618
17:46:34:953 2240 DetectCureTDL3: IrpHandler (21) addr: 8537D618
17:46:34:953 2240 DetectCureTDL3: IrpHandler (22) addr: 8537D618
17:46:34:953 2240 DetectCureTDL3: IrpHandler (23) addr: 8537D618
17:46:34:953 2240 DetectCureTDL3: IrpHandler (24) addr: 8537D618
17:46:34:953 2240 DetectCureTDL3: IrpHandler (25) addr: 8537D618
17:46:34:953 2240 DetectCureTDL3: IrpHandler (26) addr: 8537D618
17:46:34:953 2240 DetectCureTDL3: All IRP handlers pointed to one addr: 8537D618
17:46:34:953 2240 KLMD_ReadMem: Trying to ReadMemory 0x8537D618[0x400]
17:46:34:953 2240 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 313, 101, 3, 89
17:46:34:953 2240 Driver "nvata" Irp handler infected by TDSS rootkit ... 17:46:34:953 2240 KLMD_WriteMem: Trying to WriteMemory 0x8537D67D[0xD]
17:46:34:953 2240 cured
17:46:34:953 2240 KLMD_ReadMem: Trying to ReadMemory 0x8537D4BF[0x400]
17:46:34:953 2240 TDL3_StartIoHookDetect: CheckParameters: 9, FFDF0308, 1
17:46:34:953 2240 Driver "nvata" StartIo handler infected by TDSS rootkit ... 17:46:34:953 2240 TDL3_StartIoHookCure: Number of patches 1
17:46:34:953 2240 KLMD_WriteMem: Trying to WriteMemory 0x8537D5B6[0x6]
17:46:34:953 2240 cured
17:46:34:953 2240 TDL3_FileDetect: Processing driver: nvata
17:46:34:953 2240 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\nvata.sys
17:46:34:953 2240 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\nvata.sys
17:46:34:984 2240 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\nvata.sys - Verdict: Infected
17:46:34:984 2240 File C:\WINDOWS\system32\DRIVERS\nvata.sys infected by TDSS rootkit ... 17:46:34:984 2240 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\DRIVERS\nvata.sys
17:46:34:984 2240 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
17:46:35:000 2240 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\driver.cab
17:46:35:062 2240 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp2.cab
17:46:35:093 2240 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp3.cab
17:46:35:125 2240 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\OemDir\*) error 3
17:46:35:500 2240 TDL3_FileCure: Backup copy not found, trying to cure infected file..
17:46:35:500 2240 TDL3_FileCure: Cure success, using it..
17:46:35:500 2240 TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\drivers\tsk9.tmp
17:46:35:515 2240 TDL3_FileCure: New / Old Image paths: (system32\drivers\tsk9.tmp, system32\drivers\nvata.sys)
17:46:35:515 2240 TDL3_FileCure: KLMD jobs schedule success
17:46:35:515 2240 will be cured on next reboot
17:46:35:515 2240 UtilityBootReinit: Reboot required for cure complete..
17:46:35:515 2240 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmdb.sys) returned status 00000000
17:46:35:515 2240 UtilityBootReinit: KLMD drop success
17:46:35:515 2240 KLMD_ApplyPendList: Pending buffer(40B0_3AD5, 600) dropped successfully
17:46:35:515 2240 UtilityBootReinit: Cure on reboot scheduled successfully
17:46:35:515 2240
17:46:35:515 2240 Completed
17:46:35:515 2240
17:46:35:515 2240 Results:
17:46:35:515 2240 Memory objects infected / cured / cured on reboot: 2 / 2 / 0
17:46:35:515 2240 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
17:46:35:515 2240 File objects infected / cured / cured on reboot: 1 / 0 / 1
17:46:35:515 2240
17:46:35:515 2240 UnloadDriverW: NtUnloadDriver error 1
17:46:35:515 2240 KLMD_Unload: UnloadDriverW(klmd21) error 1
17:46:35:515 2240 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
17:46:35:515 2240 UtilityDeinit: KLMD(ARK) unloaded successfully

#7 RPMcMurphy

  • Group: Malware Removal
  • Posts: 930
  • Joined: 08-January 10

Posted 15 January 2010 - 01:10 PM

mulla10,

Good, it looks like we are making some progress. Are you still having problems with your computer, or receiving warning windows?

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :File
    c:\documents and settings\All Users\Application Data\part dead amok eggs
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL log (don't check the boxes beside LOP Check or Purity this time)

Run GMER again for me and post the log.

In your next post please include:
  • OTL Log
  • GMER Log
  • Let me know how your computer is running


#8 mulla10

  • Group: Member
  • Posts: 7
  • Joined: 11-January 10

Posted 16 January 2010 - 03:02 PM

rp,

computer running much, much better, warning messages gone.

here are the logs.


mulla10.................................................



All processes killed
Error: Unable to interpret <:File> in the current context!
Error: Unable to interpret <c:\documents and settings\All Users\Application Data\part dead amok eggs> in the current context!
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: user1
->Temp folder emptied: 437905 bytes
->Temporary Internet Files folder emptied: 55218 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 38511573 bytes
->Google Chrome cache emptied: 7412192 bytes
->Apple Safari cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16867 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 44.00 mb


OTL by OldTimer - Version 3.1.24.0 log created on 01162010_191904

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


gmer...




GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-16 21:01:10
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\user1\LOCALS~1\Temp\pfryikoc.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----

#9 mulla10

  • Group: Member
  • Posts: 7
  • Joined: 11-January 10

Posted 16 January 2010 - 03:37 PM

rp,

Got another threat warning just now.
Win32/cryptor.

mulla10............................

#10 RPMcMurphy

  • Group: Malware Removal
  • Posts: 930
  • Joined: 08-January 10

Posted 16 January 2010 - 05:21 PM

mulla10,

Can you provide any more details about the warning you received?

I need you to re-run OTL, (sorry, there was an error in my script) then do two online scans for me. The Kaspersky scan could take a few hours, so you may want to let it run overnight:

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :Files
    c:\documents and settings\All Users\Application Data\part dead amok eggs


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Run OTL again and press "scan" to get me a fresh log ( don't check the boxes beside LOP Check or Purity this time )

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases

  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.


  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply


In your next post please include:
  • OTL Log
  • MBAM Log
  • Kaspersky Log
  • Details from the warning message you received (if available)
  • Let me know how your computer is running


#11 mulla10

  • Group: Member
  • Posts: 7
  • Joined: 11-January 10

Posted 18 January 2010 - 04:45 PM

rp,

The warning I got was: virus identified Win32/cryptor,
c:\system volume information\_restore.
AVG put it in the vault; computer running fine since, no warnings since.
And as you will see, the Kaspersky scan found nothing.

mulla10.............................................



OTL logfile created on: 17/01/2010 23:04:32 - Run 2
OTL by OldTimer - Version 3.1.24.0 Folder = C:\Documents and Settings\user1\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00001809 | Country: Ireland | Language: ENI | Date Format: dd/MM/yyyy

894.00 Mb Total Physical Memory | 492.00 Mb Available Physical Memory | 55.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 149.50 Gb Free Space | 50.15% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: USER-CA5DAA9914
Current User Name: user1
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/12 18:48:50 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user1\Desktop\OTL.exe
PRC - [2010/01/03 10:49:53 | 02,033,432 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2010/01/03 10:43:00 | 01,055,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010/01/03 10:43:00 | 00,600,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/01/03 10:43:00 | 00,503,576 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/01/03 10:42:59 | 00,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2010/01/03 10:42:55 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/06/10 07:28:50 | 00,168,004 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/01/20 20:49:52 | 00,185,872 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/10/14 19:03:22 | 00,270,128 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\uTorrent\uTorrent.exe
PRC - [2008/05/02 02:44:08 | 00,805,392 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\SetPoint.exe
PRC - [2008/05/02 02:40:56 | 00,076,304 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
PRC - [2008/04/14 00:12:35 | 00,073,796 | ---- | M] (Smart Link) -- C:\WINDOWS\system32\slserv.exe
PRC - [2008/04/14 00:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/09/05 20:24:20 | 00,405,504 | ---- | M] (IDT, Inc.) -- C:\WINDOWS\sttray.exe
PRC - [2007/04/19 12:35:46 | 00,075,304 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PRC - [2007/01/31 14:55:42 | 00,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2006/07/27 14:19:00 | 00,282,624 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2006/06/12 14:32:26 | 00,700,416 | ---- | M] () -- C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
PRC - [2003/04/06 00:06:58 | 00,028,672 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
PRC - [1999/12/12 17:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTSVCCDA.EXE


========== Modules (SafeList) ==========

MOD - [2010/01/12 18:48:50 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user1\Desktop\OTL.exe
MOD - [2009/07/12 01:12:06 | 00,632,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
MOD - [2008/05/02 02:42:50 | 00,045,584 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\lgscroll.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (NMIndexingService)
SRV - [2010/01/03 10:42:55 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2009/11/12 16:33:00 | 00,545,568 | ---- | M] (Apple Inc.) [On_Demand | Stopped] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/11/02 12:36:40 | 00,133,104 | ---- | M] (Google Inc.) [Auto | Stopped] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate) Google Update Service (gupdate)
SRV - [2009/10/27 09:26:36 | 00,657,408 | ---- | M] (Nokia) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/06/10 07:28:50 | 00,168,004 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/05/02 02:42:06 | 00,121,360 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2008/04/14 00:12:35 | 00,073,796 | ---- | M] (Smart Link) [Auto | Running] -- C:\WINDOWS\System32\slserv.exe -- (SLService)
SRV - [2007/04/19 12:35:46 | 00,075,304 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService)
SRV - [2007/01/31 14:55:42 | 00,096,370 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2007/01/04 01:40:21 | 00,136,120 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2005/04/03 23:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2003/07/28 11:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2003/03/09 20:31:02 | 00,065,795 | ---- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [1999/12/12 17:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) [Auto | Running] -- C:\WINDOWS\system32\CTSVCCDA.EXE -- (Creative Service for CDROM Access)


========== Driver Services (SafeList) ==========

DRV - [2010/01/14 17:47:48 | 00,105,472 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\nvata.sys -- (nvata)
DRV - [2010/01/03 10:43:28 | 00,360,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/01/03 10:43:22 | 00,333,192 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2010/01/03 10:43:21 | 00,028,424 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/12/14 13:47:59 | 00,021,361 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\AegisP.sys -- (AegisP) AEGIS Protocol (IEEE 802.1x)
DRV - [2009/10/19 16:04:00 | 00,110,984 | ---- | M] (BitDefender LLC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bdfndisf.sys -- (Bdfndisf)
DRV - [2009/06/10 17:33:00 | 08,087,712 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2009/06/05 10:42:38 | 00,039,424 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaapl.sys -- (USBAAPL)
DRV - [2009/05/18 14:17:00 | 00,026,600 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2009/04/13 15:30:58 | 00,047,360 | ---- | M] (VSO Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pcouffin.sys -- (pcouffin)
DRV - [2008/11/20 19:19:06 | 00,043,872 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2008/08/26 09:26:12 | 00,018,816 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2008/04/13 18:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 16:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/02/29 03:13:24 | 00,036,880 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2008/02/29 03:13:16 | 00,035,344 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2008/01/15 21:50:52 | 00,459,520 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rt73.sys -- (RT73)
DRV - [2007/11/13 10:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/04/03 12:57:54 | 00,099,080 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s116unic.sys -- (s116unic) Sony Ericsson Device 116 USB Ethernet Emulation SEMC116 (WDM)
DRV - [2007/04/03 12:57:52 | 00,098,696 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s116obex.sys -- (s116obex)
DRV - [2007/04/03 12:57:52 | 00,023,176 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s116nd5.sys -- (s116nd5) Sony Ericsson Device 116 USB Ethernet Emulation SEMC116 (NDIS)
DRV - [2007/04/03 12:57:50 | 00,100,488 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s116mgmt.sys -- (s116mgmt) Sony Ericsson Device 116 USB WMC Device Management Drivers (WDM)
DRV - [2007/04/03 12:57:48 | 00,108,680 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s116mdm.sys -- (s116mdm)
DRV - [2007/04/03 12:57:48 | 00,015,112 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s116mdfl.sys -- (s116mdfl)
DRV - [2007/04/03 12:57:42 | 00,083,336 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s116bus.sys -- (s116bus) Sony Ericsson Device 116 driver (WDM)
DRV - [2006/11/21 03:25:44 | 00,045,568 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2006/10/18 21:31:38 | 00,105,472 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\NvAtaBus.sys -- (nvatabus)
DRV - [2006/07/27 14:24:28 | 01,171,464 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2004/12/13 21:14:00 | 00,039,904 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\drivers\cercsr6.sys -- (cercsr6)
DRV - [2004/08/04 10:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/08/03 21:41:56 | 00,011,868 | ---- | M] (Conexant) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV - [2004/08/03 21:41:46 | 00,095,424 | ---- | M] (Smart Link) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\slnthal.sys -- (SlNtHal)
DRV - [2004/08/03 21:41:46 | 00,013,240 | ---- | M] (Smart Link) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\slwdmsup.sys -- (SlWdmSup)
DRV - [2004/08/03 21:41:44 | 00,404,990 | ---- | M] (Smart Link) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\slntamr.sys -- (Slntamr)
DRV - [2004/08/03 21:41:40 | 00,180,360 | ---- | M] (Smart Link) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ntmtlfax.sys -- (NtMtlFax)
DRV - [2004/08/03 21:41:40 | 00,126,686 | ---- | M] (Smart Link) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mtlmnt5.sys -- (Mtlmnt5)
DRV - [2004/08/03 21:41:40 | 00,013,776 | ---- | M] (Smart Link) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\RecAgent.sys -- (RecAgent)
DRV - [2004/08/03 21:41:38 | 01,309,184 | ---- | M] (Smart Link) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mtlstrm.sys -- (Mtlstrm)
DRV - [2003/03/09 20:31:02 | 00,021,456 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12)
DRV - [2003/03/09 20:31:02 | 00,016,080 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12)
DRV - [2003/03/09 20:31:00 | 00,051,024 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hpzid412.sys -- (HPZid412)
DRV - [2002/07/17 08:05:10 | 00,016,512 | ---- | M] (Adaptec) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ASPI32.SYS -- (ASPI)
DRV - [2001/08/17 12:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Ask.com"
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://en-GB.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official"
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.716
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..keyword.URL: ""


FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2009/01/20 20:50:05 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2010/01/03 10:42:55 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared [2010/01/03 10:43:11 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/09 22:39:10 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/09 22:39:10 | 00,000,000 | ---D | M]

[2008/08/31 10:39:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user1\Application Data\Mozilla\Extensions
[2010/01/03 10:53:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\dqrym7pa.default\extensions
[2009/11/11 23:23:03 | 00,002,252 | ---- | M] () -- C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\dqrym7pa.default\searchplugins\askcom.xml
[2010/01/03 10:53:22 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/10/03 18:59:07 | 00,024,683 | ---- | M] (Ask.com) -- C:\Program Files\Mozilla Firefox\plugins\NPAskSBr.dll
[2008/11/11 07:38:54 | 00,663,552 | ---- | M] (BitComet) -- C:\Program Files\Mozilla Firefox\plugins\npBitCometAgent.dll
[2006/03/22 02:27:56 | 00,098,304 | ---- | M] (Zylom) -- C:\Program Files\Mozilla Firefox\plugins\npzylomgamesplayer.dll

O1 HOSTS File: (27 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [IDTSysTrayApp] C:\WINDOWS\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SmartWizard-DPW-939] File not found
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKCU..\Run: [CTSyncU.exe] C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe ()
O4 - HKCU..\Run: [Google Update] C:\Documents and Settings\user1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe (Hewlett-Packard)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: 48 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1210847457312 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 89.101.160.4 89.101.160.5
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll - c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\user1\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\user1\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/05/09 10:34:45 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/01/16 19:19:04 | 00,000,000 | ---D | C] -- C:\_OTL
[2010/01/16 15:38:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PhotoStitch
[2010/01/16 15:29:34 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2010/01/13 19:19:18 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2010/01/13 19:17:33 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/01/13 19:17:33 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/01/13 19:17:33 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/01/13 19:17:33 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/01/13 19:16:49 | 00,000,000 | ---D | C] -- C:\Qoobox
[2010/01/12 18:48:49 | 00,544,256 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\user1\Desktop\OTL.exe
[2010/01/11 22:53:47 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/01/11 22:52:23 | 05,115,840 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\user1\Desktop\mbam-setup.exe
[2010/01/11 22:51:12 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/01/11 22:50:38 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/01/11 22:48:15 | 00,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\user1\Desktop\erunt_setup.exe
[2010/01/11 22:42:32 | 00,439,808 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\user1\Desktop\TFC.exe
[2010/01/11 22:14:54 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Nokia
[2010/01/11 22:14:54 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Nero
[2010/01/11 22:14:54 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\MagicDVDRipper
[2010/01/11 22:14:54 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\MagicDVDCopier
[2010/01/10 17:26:34 | 00,361,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\tcpip.copy
[2010/01/05 18:09:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user1\Application Data\TeamViewer
[2010/01/05 18:09:03 | 00,000,000 | ---D | C] -- C:\Program Files\TeamViewer
[2010/01/05 18:06:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user1\temp
[2010/01/04 16:27:50 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/04 16:27:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/01/04 16:27:47 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/04 13:35:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\DriverScanner
[2010/01/03 17:41:53 | 00,000,000 | ---D | C] -- C:\Program Files\Eusing Free Registry Cleaner
[2010/01/03 12:47:25 | 00,000,000 | ---D | C] -- C:\Program Files\Nokia
[2010/01/03 11:52:56 | 00,000,000 | ---D | C] -- C:\Program Files\Uninstall Plus v4.1
[2010/01/03 10:53:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user1\Local Settings\Application Data\AVG Security Toolbar
[2010/01/03 10:43:28 | 00,360,584 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2010/01/03 10:43:28 | 00,012,464 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2010/01/03 10:43:22 | 00,333,192 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2010/01/03 10:43:21 | 00,028,424 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2010/01/03 10:43:13 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\Avg
[2010/01/03 10:43:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2010/01/03 10:42:17 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/01/03 10:42:17 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/01/03 10:42:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/01/03 10:42:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/12/30 20:58:47 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user1\Application Data\Malwarebytes
[2009/12/29 11:59:46 | 00,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2009/12/28 00:25:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user1\Application Data\BitDefender
[2009/12/28 00:25:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\BitDefender
[2009/12/28 00:25:32 | 00,000,000 | ---D | C] -- C:\Program Files\BitDefender
[2009/12/27 23:04:34 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\BitDefender
[2009/12/27 18:20:47 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Softwin
[2009/12/27 17:32:06 | 00,000,000 | ---D | C] -- C:\Program Files\trend micro
[2009/12/27 17:31:57 | 00,000,000 | ---D | C] -- C:\rsit
[2009/12/22 13:14:52 | 00,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2009/12/22 13:09:56 | 00,000,000 | ---D | C] -- C:\Program Files\iPod
[2009/12/22 13:09:40 | 00,000,000 | ---D | C] -- C:\Program Files\iTunes
[2009/12/22 13:09:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/12/19 19:16:41 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user1\Application Data\CameraWindowDC
[2009/12/19 19:16:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user1\Application Data\CANON INC
[2009/12/19 19:12:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user1\Application Data\ZoomBrowser EX
[2009/12/19 18:56:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
[2009/12/19 18:55:08 | 00,000,000 | ---D | C] -- C:\Program Files\Canon
[2009/12/19 18:53:44 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Canon
[2009/11/02 12:41:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/11/02 12:37:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/03/02 20:38:43 | 00,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\user1\Application Data\pcouffin.sys
[2008/08/19 11:55:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple

========== Files - Modified Within 30 Days ==========

[2010/01/17 22:56:00 | 00,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-764733703-725345543-1003UA.job
[2010/01/17 22:52:52 | 00,525,082 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/01/17 22:52:52 | 00,443,894 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/01/17 22:52:52 | 00,071,664 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/01/17 22:49:03 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/17 22:48:42 | 00,081,558 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/01/17 22:48:38 | 00,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/01/17 22:48:36 | 00,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2010/01/17 22:48:32 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/17 22:48:20 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/17 22:47:35 | 12,058,624 | ---- | M] () -- C:\Documents and Settings\user1\ntuser.dat
[2010/01/17 22:47:35 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\user1\ntuser.ini
[2010/01/17 22:46:00 | 00,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/01/17 10:27:31 | 47,963,382 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/01/17 10:27:13 | 00,141,759 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2010/01/16 21:33:39 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\user1\Local Settings\Application Data\prvlcl.dat
[2010/01/16 15:48:59 | 00,223,232 | ---- | M] () -- C:\Documents and Settings\user1\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/15 18:31:48 | 00,000,818 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/01/15 18:31:48 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2010/01/15 18:31:48 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/01/14 17:47:48 | 00,105,472 | ---- | M] () -- C:\WINDOWS\System32\drivers\nvata.sys
[2010/01/14 17:45:38 | 00,152,401 | ---- | M] () -- C:\Documents and Settings\user1\Desktop\tdsskiller.zip
[2010/01/13 19:33:50 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/01/13 19:11:29 | 00,000,210 | ---- | M] () -- C:\Boot.bak
[2010/01/13 18:57:06 | 03,823,462 | R--- | M] () -- C:\Documents and Settings\user1\Desktop\ComboFix.exe
[2010/01/12 18:48:50 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user1\Desktop\OTL.exe
[2010/01/12 17:30:40 | 00,284,915 | ---- | M] () -- C:\Documents and Settings\user1\Desktop\gmer.zip
[2010/01/12 17:29:10 | 00,000,611 | ---- | M] () -- C:\Documents and Settings\user1\Desktop\NTREGOPT.lnk
[2010/01/12 17:29:09 | 00,000,592 | ---- | M] () -- C:\Documents and Settings\user1\Desktop\ERUNT.lnk
[2010/01/11 22:53:52 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/11 22:53:10 | 05,115,840 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\user1\Desktop\mbam-setup.exe
[2010/01/11 22:48:20 | 00,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\user1\Desktop\erunt_setup.exe
[2010/01/11 22:42:37 | 00,439,808 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user1\Desktop\TFC.exe
[2010/01/11 16:56:00 | 00,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-764733703-725345543-1003Core.job
[2010/01/10 09:32:12 | 00,000,671 | ---- | M] () -- C:\Documents and Settings\user1\Application Data\vso_ts_preview.xml
[2010/01/10 04:58:01 | 00,000,456 | ---- | M] () -- C:\WINDOWS\tasks\Driver Robot.job
[2010/01/07 22:08:37 | 00,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/01/07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/06 21:02:03 | 00,000,738 | ---- | M] () -- C:\Documents and Settings\user1\Desktop\Outlook Express.lnk
[2010/01/03 17:41:55 | 00,000,740 | ---- | M] () -- C:\Documents and Settings\user1\Desktop\Eusing Free Registry Cleaner.lnk
[2010/01/03 11:52:57 | 00,000,692 | ---- | M] () -- C:\Documents and Settings\user1\Desktop\Uninstall Plus v4.1.lnk
[2010/01/03 10:43:28 | 00,360,584 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2010/01/03 10:43:28 | 00,012,464 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2010/01/03 10:43:28 | 00,001,507 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 9.0.lnk
[2010/01/03 10:43:22 | 00,333,192 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2010/01/03 10:43:21 | 00,113,461 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2010/01/03 10:43:21 | 00,028,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2010/01/03 10:43:14 | 06,061,540 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2010/01/03 10:43:14 | 00,492,629 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2010/01/03 10:36:54 | 00,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/12/30 20:45:51 | 00,000,522 | ---- | M] () -- C:\hpfr3420.xml
[2009/12/30 12:09:26 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/12/27 18:45:44 | 00,081,984 | ---- | M] () -- C:\WINDOWS\System32\bdod.bin

========== Files Created - No Company Name ==========

[2010/01/14 17:45:25 | 00,152,401 | ---- | C] () -- C:\Documents and Settings\user1\Desktop\tdsskiller.zip
[2010/01/13 19:19:30 | 00,000,210 | ---- | C] () -- C:\Boot.bak
[2010/01/13 19:19:21 | 00,260,272 | ---- | C] () -- C:\cmldr
[2010/01/13 19:17:33 | 00,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/01/13 19:17:33 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/01/13 19:17:33 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/01/13 19:17:33 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/01/13 19:17:33 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/01/13 18:56:46 | 03,823,462 | R--- | C] () -- C:\Documents and Settings\user1\Desktop\ComboFix.exe
[2010/01/11 23:04:47 | 00,284,915 | ---- | C] () -- C:\Documents and Settings\user1\Desktop\gmer.zip
[2010/01/11 22:53:52 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/11 22:50:42 | 00,000,611 | ---- | C] () -- C:\Documents and Settings\user1\Desktop\NTREGOPT.lnk
[2010/01/11 22:50:41 | 00,000,592 | ---- | C] () -- C:\Documents and Settings\user1\Desktop\ERUNT.lnk
[2010/01/10 01:49:40 | 12,058,624 | ---- | C] () -- C:\Documents and Settings\user1\ntuser.dat
[2010/01/06 21:02:03 | 00,000,738 | ---- | C] () -- C:\Documents and Settings\user1\Desktop\Outlook Express.lnk
[2010/01/03 17:41:55 | 00,000,740 | ---- | C] () -- C:\Documents and Settings\user1\Desktop\Eusing Free Registry Cleaner.lnk
[2010/01/03 11:52:57 | 00,000,692 | ---- | C] () -- C:\Documents and Settings\user1\Desktop\Uninstall Plus v4.1.lnk
[2010/01/03 10:43:28 | 00,001,507 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 9.0.lnk
[2010/01/03 10:43:21 | 00,113,461 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2010/01/03 10:43:14 | 47,963,382 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/01/03 10:43:14 | 00,492,629 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2010/01/03 10:43:14 | 00,141,759 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2010/01/03 10:43:13 | 06,061,540 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/12/27 18:33:55 | 00,081,984 | ---- | C] () -- C:\WINDOWS\System32\bdod.bin
[2009/12/22 13:14:58 | 00,000,284 | ---- | C] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/12/19 18:51:48 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\user1\Local Settings\Application Data\prvlcl.dat
[2009/12/17 21:30:58 | 00,000,760 | ---- | C] () -- C:\Documents and Settings\user1\Application Data\setup_ldm.iss
[2009/11/08 23:54:16 | 00,114,272 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/11/05 18:48:39 | 00,011,394 | ---- | C] () -- C:\Documents and Settings\user1\Application Data\NMM-MetaData.db
[2009/08/03 14:07:42 | 00,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/07/07 20:55:06 | 00,000,225 | ---- | C] () -- C:\Documents and Settings\user1\Application Data\burnaware.ini
[2009/06/10 07:29:34 | 01,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2009/06/10 07:29:34 | 01,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2009/06/10 07:29:34 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2009/06/10 07:29:32 | 01,507,328 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2009/03/02 20:39:45 | 00,000,671 | ---- | C] () -- C:\Documents and Settings\user1\Application Data\vso_ts_preview.xml
[2009/03/02 20:38:56 | 00,000,034 | ---- | C] () -- C:\Documents and Settings\user1\Application Data\pcouffin.log
[2009/03/02 20:38:43 | 00,007,887 | ---- | C] () -- C:\Documents and Settings\user1\Application Data\pcouffin.cat
[2009/03/02 20:38:43 | 00,001,144 | ---- | C] () -- C:\Documents and Settings\user1\Application Data\pcouffin.inf
[2009/02/14 16:14:40 | 00,000,667 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/02/10 21:10:30 | 00,000,327 | ---- | C] () -- C:\WINDOWS\AudStu.INI
[2009/02/10 21:04:05 | 00,000,028 | ---- | C] () -- C:\WINDOWS\Robota.INI
[2009/02/10 20:37:35 | 00,000,060 | ---- | C] () -- C:\WINDOWS\magix.ini
[2009/02/10 20:37:34 | 00,000,730 | ---- | C] () -- C:\WINDOWS\mgxoschk.ini
[2008/11/08 16:43:06 | 00,000,771 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2008/08/17 21:26:42 | 00,000,038 | ---- | C] () -- C:\WINDOWS\System32\net32gdilib.dll
[2008/07/19 09:45:24 | 00,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2008/06/07 22:29:25 | 00,001,012 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2008/06/07 22:20:58 | 00,431,104 | R--- | C] () -- C:\WINDOWS\System32\VFCodec.dll
[2008/06/07 11:56:15 | 00,223,232 | ---- | C] () -- C:\Documents and Settings\user1\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/05/29 18:51:21 | 00,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/05/15 10:07:23 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/05/09 11:02:17 | 00,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2008/05/09 11:02:17 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/10/18 22:31:38 | 00,105,472 | ---- | C] () -- C:\WINDOWS\System32\drivers\nvata.sys
[2003/03/09 20:31:04 | 00,561,152 | R--- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[2003/01/07 14:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Alternate Data Streams ==========

@Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B63300D1
< End of report >
Malwarebytes' Anti-Malware 1.44
Database version: 3585
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

18/01/2010 00:02:43
mbam-log-2010-01-18 (00-02-43).txt

Scan type: Full Scan (C:\|)
Objects scanned: 203675
Time elapsed: 42 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{4D341215-94A9-4D9B-A2D7-7D1F159468A3}\RP585\A0117738.sys (Malware.Trace) -> Quarantined and deleted successfully.


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, January 18, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, January 18, 2010 17:43:01
Records in database: 3329393
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
F:\
G:\
H:\
I:\

Scan statistics:
Objects scanned: 88743
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 04:03:23

No threats found. Scanned area is clean.

Selected area has been scanned.

#12 RPMcMurphy

  • Group: Malware Removal
  • Posts: 930
  • Joined: 08-January 10

Posted 18 January 2010 - 08:10 PM

mulla10,

Good work! Your logs look clean. The infection AVG found was in your system restore, which will get reset when we uninstall Combofix.

Now we have some important cleanup and housekeeping to tend to:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 18. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version.

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files

  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

Uninstall ComboFix
  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens:
    Combofix /Uninstall


Clean up with OTL:
  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine;
  • if it doesn't, manually reboot to ensure a complete clean.

Finally, I'd like to make a couple of suggestions to help you stay clean in the future:
  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application current and updated. Also, hang on to MBAM. Scan with them at least weekly.
  • Avoid using P2P programs! Refer back to my earlier post for more information.
  • Consider running in a limited user account. See this post for more information.
  • Please carefully review the information in our Security - Best Practices and Prevention forum located HERE

Please post once more so I know you are all set and I can close this thread. Good luck and stay safe!

#13 mulla10

  • Group: Member
  • Posts: 7
  • Joined: 11-January 10

Posted 19 January 2010 - 12:23 PM

rp,

happy days, done all those bits, everything running fine. Will take on board all suggestions.
Many, many thanks for the time and effort you have given to my problem.



love,light and happiness,


mulla10..................................

#14 RPMcMurphy

  • Group: Malware Removal
  • Posts: 930
  • Joined: 08-January 10

Posted 19 January 2010 - 12:46 PM

You're very welcome. Thanks for your patience.

#15 CatByte

  • Group: GeekU Moderator
  • Posts: 2,412
  • Joined: 08-November 08

Posted 19 January 2010 - 12:59 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
