[WyffGoaL]

Hi there,

I come across this website from Google search, hopefully some of you guys could help me solve my problems.

I have Kaspersky Internet Security 9 installed on my PC and I'm using XP. I can't get access to all of the Anti-Virus related website like www.eset.com, www.kaspersky.com, etc. Besides, I can't get Kaspersky updated either as I cannot connect to www.kaspersky.com.

I really do not have any ideas what's going on with my PC. Could it be possibly due to spyware or my PC is being hijacked?

Hopefully someone could shed me some light.

Thank you in advance.

[Advertisements]

Hello WyffGoaL !

Welcome to the site! My nickname is heir and I'll be helping clean up your computer.

Before we proceed to clean your computer from malware, let's go over some points that will help both me and you, and prevent causing damage to your computer:

• To make sure that you receive an email when I reply to this topic, please click here and check that this topic is listed under Virus, Spyware and Trojan Removal..
• Please don't be afraid to ask questions! No question is considered dumb here. It's better to be safe than sorry!
• When posting logs, please ensure Wordwrap is turned off in Notepad (to check, open Notepad in the menubar click on Format and make sure that Word Wrap is unchecked)
• Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know.
• NEVER fix anything in HijackThis or other programs on your own! This can be very dangerous and cause harm to your system. If you see a certain entry or program you're unsure about, please don't hesitate to ask!
• Make sure you reply to this thread using the Add Reply button:

Please read my posts completely before following the instructions.
It may be easier for you if you copy and paste a post to a new text document or print it for reference later.
This is required when you won't have access to Internet.

Step 1.
Please read before starting a new topic:

Please follow the Malware and Spyware Cleaning Guide
If a step in that guide can't be performed then let us know what happened and continue with the next one and.

Step 2.
Things I would like to see in your reply:

• The content of the log from MBAM
• The content of the log from GMER
• The content of the logs from OTL( OTL.txt and Extras.txt )

[heir]

Hello WyffGoaL !

Welcome to the site! My nickname is heir and I'll be helping clean up your computer.

Before we proceed to clean your computer from malware, let's go over some points that will help both me and you, and prevent causing damage to your computer:

• To make sure that you receive an email when I reply to this topic, please click here and check that this topic is listed under Virus, Spyware and Trojan Removal..
• Please don't be afraid to ask questions! No question is considered dumb here. It's better to be safe than sorry!
• When posting logs, please ensure Wordwrap is turned off in Notepad (to check, open Notepad in the menubar click on Format and make sure that Word Wrap is unchecked)
• Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know.
• NEVER fix anything in HijackThis or other programs on your own! This can be very dangerous and cause harm to your system. If you see a certain entry or program you're unsure about, please don't hesitate to ask!
• Make sure you reply to this thread using the Add Reply button:

Please read my posts completely before following the instructions.
It may be easier for you if you copy and paste a post to a new text document or print it for reference later.
This is required when you won't have access to Internet.

Step 1.
Please read before starting a new topic:

Please follow the Malware and Spyware Cleaning Guide
If a step in that guide can't be performed then let us know what happened and continue with the next one and.

Step 2.
Things I would like to see in your reply:

• The content of the log from MBAM
• The content of the log from GMER
• The content of the logs from OTL( OTL.txt and Extras.txt )

[WyffGoaL]

Thank you so much heir! I really do appreciate that =)

My problem is solved after I read the guide you mention in step one.

So do you still want to look at my logs? I'm able to get access to all the anti-virus websites and also get my Kaspersky updated to the latest database.

Thanks a million!

[heir]

That guide isn't a magic wand that fixes everything malware related.

But it's up to you.
If you post the logs I'll analyze them and get back to you if something is found to address.

[WyffGoaL]

Hi heir, thanks once again

I decided to post my logs here as I wanna make sure my PC is free from threats.


MBAM Log

Malwarebytes' Anti-Malware 1.44
Database version: 3862
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/13/2010 2:52:47 PM
mbam-log-2010-03-13 (14-52-47).txt

Scan type: Quick Scan
Objects scanned: 115518
Time elapsed: 6 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


GMER Log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-13 15:44:07
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fxriqpob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0xF3FB858C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwClose [0xF3FB8E0C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwConnectPort [0xF3FB9922]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateEvent [0xF3FB9E94]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateFile [0xF3FB90EE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateKey [0xF3FB7436]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateMutant [0xF3FB9D6C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateNamedPipeFile [0xF3FB8192]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreatePort [0xF3FB9C28]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSection [0xF3FB834E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSemaphore [0xF3FB9FC6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xF3FBBC08]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateThread [0xF3FB8AAA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateWaitablePort [0xF3FB9CCA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDebugActiveProcess [0xF3FBB5FA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteKey [0xF3FB79FA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteValueKey [0xF3FB7D88]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeviceIoControlFile [0xF3FB9576]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDuplicateObject [0xF3FBC5CA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateKey [0xF3FB7ECA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateValueKey [0xF3FB7F74]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwFsControlFile [0xF3FB9382]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadDriver [0xF3FBB68C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey [0xF3FB7412]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey2 [0xF3FB7424]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwMapViewOfSection [0xF3FBBCBC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwNotifyChangeKey [0xF3FB80C0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenEvent [0xF3FB9F36]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenFile [0xF3FB8E8E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenKey [0xF3FB75DC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenMutant [0xF3FB9E04]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenProcess [0xF3FB8792]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSection [0xF3FBBC32]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSemaphore [0xF3FBA068]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenThread [0xF3FB86B6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryKey [0xF3FB801E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryMultipleValueKey [0xF3FB7C46]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQuerySection [0xF3FBBFD4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryValueKey [0xF3FB7896]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueueApcThread [0xF3FBB922]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRenameKey [0xF3FB7B0E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplaceKey [0xF3FB72B0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyPort [0xF3FBA3F2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyWaitReceivePort [0xF3FBA2B8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRequestWaitReplyPort [0xF3FBB39A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRestoreKey [0xF3FBEE2C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwResumeThread [0xF3FBC4AC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSaveKey [0xF3FB7248]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSecureConnectPort [0xF3FB965C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetContextThread [0xF3FB8CC8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetInformationToken [0xF3FBAC4A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSecurityObject [0xF3FBB786]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSystemInformation [0xF3FBC114]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetValueKey [0xF3FB771E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendProcess [0xF3FBC1F8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendThread [0xF3FBC320]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSystemDebugControl [0xF3FBB526]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateProcess [0xF3FB890A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateThread [0xF3FB8860]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwUnmapViewOfSection [0xF3FBBE8A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwWriteVirtualMemory [0xF3FB89EA]

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) IoIsOperationSynchronous

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] mywghdua <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\mywghdua@DisplayName Time Manager
Reg HKLM\SYSTEM\CurrentControlSet\Services\mywghdua@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\mywghdua@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\mywghdua@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\mywghdua@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\mywghdua@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\mywghdua@Description Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\CurrentControlSet\Services\mywghdua\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\mywghdua\Parameters@ServiceDll C:\WINDOWS\system32\allougw.dll
Reg HKLM\SYSTEM\ControlSet002\Services\mywghdua@DisplayName Time Manager
Reg HKLM\SYSTEM\ControlSet002\Services\mywghdua@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\mywghdua@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\mywghdua@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\mywghdua@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\mywghdua@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\mywghdua@Description Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet002\Services\mywghdua\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\mywghdua\Parameters@ServiceDll C:\WINDOWS\system32\allougw.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@FriendlyName Indeo? video 5.10 Compression Filter
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@CLSID {1F73E9B1-8C3A-11D0-A3BE-00A0C9244436}
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@FilterData 0x02 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@EncoderType 1

---- EOF - GMER 1.0.15 ----


OTL Log

OTL logfile created on: 3/13/2010 3:49:25 PM - Run 1
OTL by OldTimer - Version 3.1.37.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 675.00 Mb Available Physical Memory | 66.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 62.01 Gb Total Space | 47.17 Gb Free Space | 76.07% Space Free | Partition Type: NTFS
Drive D: | 12.54 Gb Total Space | 1.62 Gb Free Space | 12.89% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: WYFFGOAL
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/03/13 14:43:13 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2010/02/09 15:35:13 | 000,198,160 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2010/02/06 02:36:00 | 000,527,344 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2009/10/20 19:39:28 | 000,340,456 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
PRC - [2009/07/22 16:14:20 | 000,210,312 | ---- | M] (PPStream Inc) -- C:\Program Files\PPStream\PPSAP.exe
PRC - [2008/07/03 22:38:24 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/14 23:00:00 | 000,013,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\savedump.exe


========== Modules (SafeList) ==========

MOD - [2010/03/13 14:43:13 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2010/02/09 15:36:40 | 000,102,400 | ---- | M] (RealPlayer) -- C:\Program Files\Real\RealPlayer\browserrecord\chrome\hook\rpchromebrowserrecordhelper.dll
MOD - [2010/02/09 15:35:19 | 000,499,712 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcp71.dll
MOD - [2010/02/09 15:35:19 | 000,348,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcr71.dll
MOD - [2009/08/13 21:55:04 | 001,748,992 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\GdiPlus.dll
MOD - [2008/11/05 17:21:57 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5705_x-ww_36cfed49\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/10/20 19:39:28 | 000,340,456 | ---- | M] (Kaspersky Lab) [Auto | Running] -- C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe -- (AVP)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://malaysia.msn.com/iat/us_my.aspx
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = A0 86 1E 56 1C A9 CA 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com"
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:9.0.0.736
FF - prefs.js..extensions.enabledItems: {35379F86-8CCB-4724-AE33-4278DE266C70}:1.0.4
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0
FF - prefs.js..extensions.enabledItems: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3}:1.47

FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/13 08:20:11 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/03/13 08:26:05 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\{eea12ec4-729d-4703-bc37-106ce9879ce2}: C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\THBExt [2010/02/09 08:57:16 | 000,000,000 | ---D | M]

[2010/02/09 08:46:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2010/03/13 08:57:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ea9uddt2.default\extensions
[2010/02/11 12:11:05 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ea9uddt2.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/03/11 03:15:30 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ea9uddt2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010/02/15 18:36:31 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ea9uddt2.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
[2010/03/13 08:57:09 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/02/09 08:57:49 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\[email protected]

O1 HOSTS File: ([2008/04/14 23:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Octh Class) - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll (Orbitdownloader.com)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll (Kaspersky Lab)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll (Google Inc.)
O2 - BHO: (FilterBHO Class) - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll (Kaspersky Lab)
O4 - HKLM..\Run: [AVP] C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe (Kaspersky Lab)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKCU..\Run: [PPS Accelerator] C:\Program Files\PPStream\PPSAP.exe (PPStream Inc)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &Download by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: &Grab video by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm ()
O8 - Extra context menu item: Do&wnload selected by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Down&load all by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll (Kaspersky Lab)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll (Kaspersky Lab)
O13 - gopher Prefix: missing
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.co...sreqlab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll) - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\mzvkbd3.dll (Kaspersky Lab)
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll) - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\kloehk.dll (Kaspersky Lab)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\klogon: DllName - C:\WINDOWS\system32\klogon.dll - C:\WINDOWS\system32\klogon.dll (Kaspersky Lab)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/02/09 07:51:27 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{99cdccfe-29e0-11df-a914-00304f3e8ba6}\Shell - "" = AutoRun
O33 - MountPoints2\{99cdccfe-29e0-11df-a914-00304f3e8ba6}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2010/02/09 07:50:35 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Error starting restore point: System Restore is disabled.
Error closing restore point: System Restore is disabled.

========== Files/Folders - Created Within 14 Days ==========

[2010/03/13 14:58:51 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/03/13 14:43:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/03/13 14:43:18 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/03/13 14:42:25 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/03/13 14:40:24 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\TFC.exe
[2010/03/13 14:03:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2010/03/13 14:03:32 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/13 14:03:30 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/13 14:03:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/03/13 14:03:29 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/03/13 13:42:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\HTML Essential Training
[2010/03/13 13:28:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\skypePM
[2010/03/13 09:25:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2010/03/13 08:53:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Temp
[2010/03/13 08:34:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Skype
[2010/03/13 08:34:13 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2010/03/13 08:34:12 | 000,000,000 | R--D | C] -- C:\Program Files\Skype
[2010/03/13 08:34:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Skype
[2010/03/13 08:30:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Apple Computer
[2010/03/13 08:19:22 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/03/13 08:19:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2010/03/13 08:19:06 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Apple
[2010/03/13 08:18:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Apple
[2010/03/13 08:18:46 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2010/03/13 08:18:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple
[2010/03/13 08:18:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Apple Computer
[2010/03/13 07:35:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Office Genuine Advantage
[2010/03/11 03:15:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google
[2010/03/05 20:00:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe
[2010/03/04 23:47:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\TeamViewer
[2010/03/04 23:46:55 | 000,000,000 | ---D | C] -- C:\Program Files\TeamViewer
[2010/02/09 08:44:05 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/02/09 07:54:23 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/02/09 07:51:19 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/02/09 07:51:19 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft

========== Files - Modified Within 14 Days ==========

[2010/03/13 15:49:22 | 000,001,920 | ---- | M] () -- C:\WINDOWS\psnetwork.ini
[2010/03/13 15:48:52 | 000,000,094 | ---- | M] () -- C:\WINDOWS\PCDNSetting.ini
[2010/03/13 15:47:46 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/13 15:47:42 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/03/13 15:47:28 | 000,271,490 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2010/03/13 15:47:23 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/13 15:21:33 | 002,097,152 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/03/13 14:43:57 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/03/13 14:43:19 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\NTREGOPT.lnk
[2010/03/13 14:43:19 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\ERUNT.lnk
[2010/03/13 14:43:13 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/03/13 14:41:16 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\TFC.exe
[2010/03/13 14:03:35 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/13 13:28:55 | 000,000,056 | -H-- | M] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/03/13 13:26:27 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/13 12:58:00 | 000,001,010 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-73586283-1770027372-1177238915-500UA.job
[2010/03/13 12:24:25 | 000,001,097 | ---- | M] () -- C:\WINDOWS\powerplayer.ini
[2010/03/13 11:43:35 | 1073,741,824 | ---- | M] () -- C:\ppsds.pgf
[2010/03/13 11:18:31 | 000,000,140 | ---- | M] () -- C:\WINDOWS\powerlist.ini
[2010/03/13 11:13:46 | 000,000,060 | ---- | M] () -- C:\WINDOWS\MediaList.ini
[2010/03/13 08:58:00 | 000,000,958 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-73586283-1770027372-1177238915-500Core.job
[2010/03/13 08:34:13 | 000,001,878 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/03/13 08:19:33 | 000,001,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/03/13 08:18:54 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/03/12 19:20:35 | 001,576,122 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2010/03/11 09:29:14 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/03/11 03:21:16 | 000,000,726 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Orbit.lnk
[2010/03/06 21:35:44 | 000,523,404 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/06 21:35:44 | 000,444,164 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/06 21:35:44 | 000,072,040 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/04 23:47:02 | 000,000,879 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\TeamViewer 5.lnk

========== Files Created - No Company Name ==========

[2010/03/13 14:55:08 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\gmer.exe
[2010/03/13 14:43:19 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\NTREGOPT.lnk
[2010/03/13 14:43:19 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\ERUNT.lnk
[2010/03/13 14:42:26 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\gmer.zip
[2010/03/13 14:03:35 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/13 13:28:55 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/03/13 08:34:13 | 000,001,878 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/03/13 08:19:33 | 000,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/03/13 08:18:54 | 000,000,284 | ---- | C] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/03/04 23:47:02 | 000,000,879 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\TeamViewer 5.lnk
[2010/02/09 11:27:39 | 000,000,094 | ---- | C] () -- C:\WINDOWS\PCDNSetting.ini
[2010/02/09 11:13:56 | 000,000,140 | ---- | C] () -- C:\WINDOWS\powerlist.ini
[2010/02/09 11:13:56 | 000,000,060 | ---- | C] () -- C:\WINDOWS\MediaList.ini
[2010/02/09 11:13:43 | 000,001,920 | ---- | C] () -- C:\WINDOWS\psnetwork.ini
[2010/02/09 11:13:41 | 000,001,097 | ---- | C] () -- C:\WINDOWS\powerplayer.ini
[2010/02/09 07:54:27 | 000,075,288 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/02/09 07:45:56 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2010/02/09 07:45:56 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2010/02/09 07:45:56 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll

========== LOP Check ==========

[2010/02/09 11:20:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\GrabPro
[2010/03/13 14:42:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Orbit
[2010/03/11 20:24:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\PPStream
[2010/03/04 23:55:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\TeamViewer
[2010/02/09 08:03:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Windows Desktop Search
[2010/02/16 00:01:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Windows Search
[2010/02/15 17:47:27 | 000,000,236 | ---- | M] () -- C:\WINDOWS\Tasks\OGALogon.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: ATAPI.SYS >
[2008/04/14 08:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 23:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/14 23:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: IASTOR.SYS >
[2009/04/19 07:52:05 | 000,329,752 | ---- | M] (Intel Corporation) MD5=71ECC07BC7C5E24C3DD01D8A29A24054 -- C:\WINDOWS\NLDRV\001\iastor.sys

< MD5 for: NETLOGON.DLL >
[2009/02/07 02:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\SoftwareDistribution\Download\78cf8552430e25a8f24bc1e4dfb1970e\SP2QFE\netlogon.dll
[2009/02/07 02:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944\SP2QFE\netlogon.dll
[2009/02/07 05:37:59 | 000,407,552 | ---- | M] (Microsoft Corporation) MD5=DAB13813B25B3D009B2AC1194CF5D0A2 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2009/02/07 05:37:59 | 000,407,552 | ---- | M] (Microsoft Corporation) MD5=DAB13813B25B3D009B2AC1194CF5D0A2 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/14 23:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/14 23:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/04/14 23:00:00 | 001,384,479 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\msvbvm60.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2010/02/09 06:30:36 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2010/02/09 06:30:36 | 001,089,536 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2010/02/09 06:30:36 | 000,921,600 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav
< End of report >


OTL Extras logfile created on: 3/13/2010 3:49:25 PM - Run 1
OTL by OldTimer - Version 3.1.37.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 675.00 Mb Available Physical Memory | 66.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 62.01 Gb Total Space | 47.17 Gb Free Space | 76.07% Space Free | Partition Type: NTFS
Drive D: | 12.54 Gb Total Space | 1.62 Gb Free Space | 12.89% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: WYFFGOAL
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring" = 1
"" =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3399:TCP" = 3399:TCP:*:Enabled:hxhsmy

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\Orbitdownloader\orbitdm.exe" = C:\Program Files\Orbitdownloader\orbitdm.exe:*:Enabled:Orbit -- (Orbitdownloader.com)
"C:\Program Files\Orbitdownloader\orbitnet.exe" = C:\Program Files\Orbitdownloader\orbitnet.exe:*:Enabled:Orbit -- (Orbitdownloader.com)
"C:\Program Files\PPStream\PPStream.exe" = C:\Program Files\PPStream\PPStream.exe:*:Enabled:PPSí???μ?êó -- (PPStream Inc.)
"C:\Program Files\PPStream\PPSAP.exe" = C:\Program Files\PPStream\PPSAP.exe:*:Enabled:PPS í????ó?ù?÷ -- (PPStream Inc)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\TeamViewer\Version5\TeamViewer.exe" = C:\Program Files\TeamViewer\Version5\TeamViewer.exe:*:Enabled:Teamviewer Remote Control Application -- (TeamViewer GmbH)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{196467F1-C11F-4F76-858B-5812ADC83B94}" = MSXML 4.0 SP3 Parser
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 13
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8B7917E0-AF55-4E8A-9473-017F0AA03AC8}" = QuickTime
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9D8B0949-7C47-476F-9F06-F900D3B078EA}" = Kaspersky Internet Security 2010
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.1
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}" = Windows Rights Management Client with Service Pack 2
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1 Service Pack 1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{EC905264-BCFE-423B-9C42-C3A106266790}" = Windows Rights Management Client Backwards Compatibility SP2
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"CCleaner" = CCleaner
"ENTERPRISE" = Microsoft Office Enterprise 2007
"ERUNT_is1" = ERUNT 1.1j
"Google Updater" = Google Updater
"InstallWIX_{9D8B0949-7C47-476F-9F06-F900D3B078EA}" = Kaspersky Internet Security 2010
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Silverlight" = Microsoft Silverlight
"Mozilla Firefox (3.6)" = Mozilla Firefox (3.6)
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"Orbit_is1" = Orbit Downloader
"PPStream" = PPStream V2.6.86.8999 Final
"RealPlayer 12.0" = RealPlayer
"SystemRequirementsLab" = System Requirements Lab
"TeamViewer 5" = TeamViewer 5
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/13/2010 2:45:04 AM | Computer Name = WYFFGOAL | Source = VSS | ID = 8193
Description = Volume Shadow Copy Service error: Unexpected error calling routine
CoCreateInstance. hr = 0x80040206.

Error - 3/13/2010 2:58:58 AM | Computer Name = WYFFGOAL | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 80070422 from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 3/13/2010 2:59:01 AM | Computer Name = WYFFGOAL | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 80070422 from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 3/13/2010 2:59:01 AM | Computer Name = WYFFGOAL | Source = VSS | ID = 8193
Description = Volume Shadow Copy Service error: Unexpected error calling routine
CoCreateInstance. hr = 0x80040206.

Error - 3/13/2010 3:22:27 AM | Computer Name = WYFFGOAL | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 80070422 from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 3/13/2010 3:22:28 AM | Computer Name = WYFFGOAL | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 80070422 from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 3/13/2010 3:22:28 AM | Computer Name = WYFFGOAL | Source = VSS | ID = 8193
Description = Volume Shadow Copy Service error: Unexpected error calling routine
CoCreateInstance. hr = 0x80040206.

Error - 3/13/2010 3:47:30 AM | Computer Name = WYFFGOAL | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 80070422 from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 3/13/2010 3:47:33 AM | Computer Name = WYFFGOAL | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 80070422 from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 3/13/2010 3:47:33 AM | Computer Name = WYFFGOAL | Source = VSS | ID = 8193
Description = Volume Shadow Copy Service error: Unexpected error calling routine
CoCreateInstance. hr = 0x80040206.

[ System Events ]
Error - 3/13/2010 2:59:14 AM | Computer Name = WYFFGOAL | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 3/13/2010 3:00:23 AM | Computer Name = WYFFGOAL | Source = Service Control Manager | ID = 7023
Description = The Time Manager service terminated with the following error: %%126

Error - 3/13/2010 3:22:27 AM | Computer Name = WYFFGOAL | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 3/13/2010 3:22:28 AM | Computer Name = WYFFGOAL | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 3/13/2010 3:22:42 AM | Computer Name = WYFFGOAL | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 3/13/2010 3:23:50 AM | Computer Name = WYFFGOAL | Source = Service Control Manager | ID = 7023
Description = The Time Manager service terminated with the following error: %%126

Error - 3/13/2010 3:47:30 AM | Computer Name = WYFFGOAL | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 3/13/2010 3:47:33 AM | Computer Name = WYFFGOAL | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 3/13/2010 3:47:45 AM | Computer Name = WYFFGOAL | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 3/13/2010 3:48:53 AM | Computer Name = WYFFGOAL | Source = Service Control Manager | ID = 7023
Description = The Time Manager service terminated with the following error: %%126


< End of report >



Thanks in advance!

[heir]

Wise decision as it seems like you've a Rootkit infection

Step 1.
Combofix:

Download ComboFix from one of these locations:

Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. Here is a howto for some of the applications.
  They may otherwise interfere with our tools
  
  
• Double click on ComboFix.exe & follow the prompts.
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

[WyffGoaL]

Here you go heir, thanks a lot!

ComboFix 10-03-12.04 - Administrator 3/2010 Sat 20:43:44.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.1022.366 [GMT 8:00]
Ö´ÐÐλÖÃ: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((( 2010-02-13 ÖÁ 2010-03-13 µÄеĵµ°¸ )))))))))))))))))))))))))))))))
.

2010-03-13 06:43 . 2010-03-13 06:43 -------- d-----w- c:\program files\ERUNT
2010-03-13 06:03 . 2010-03-13 06:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-13 06:03 . 2010-01-07 08:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-13 06:03 . 2010-03-13 06:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-13 06:03 . 2010-01-07 08:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-13 06:03 . 2010-03-13 06:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-13 05:28 . 2010-03-13 05:28 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-03-13 05:28 . 2010-03-13 05:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2010-03-13 00:53 . 2010-03-13 00:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2010-03-13 00:34 . 2010-03-13 05:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2010-03-13 00:34 . 2010-03-13 00:34 -------- d-----w- c:\program files\Common Files\Skype
2010-03-13 00:34 . 2010-03-13 00:34 -------- d-----r- c:\program files\Skype
2010-03-13 00:34 . 2010-03-13 00:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-03-13 00:30 . 2010-03-13 00:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-03-13 00:19 . 2010-03-13 00:20 -------- d-----w- c:\program files\QuickTime
2010-03-13 00:19 . 2010-03-13 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-03-13 00:19 . 2010-03-13 00:19 -------- d-----w- c:\program files\Common Files\Apple
2010-03-13 00:18 . 2010-03-13 00:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple
2010-03-13 00:18 . 2010-03-13 00:18 -------- d-----w- c:\program files\Apple Software Update
2010-03-13 00:18 . 2010-03-13 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-03-13 00:18 . 2010-03-13 00:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2010-03-12 23:35 . 2010-03-12 23:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Office Genuine Advantage
2010-03-10 19:15 . 2009-12-16 08:05 43008 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ea9uddt2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-03-10 19:15 . 2009-12-16 08:05 471040 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ea9uddt2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
2010-03-10 19:15 . 2009-12-16 08:05 347136 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ea9uddt2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-03-10 19:15 . 2009-12-16 08:05 340992 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ea9uddt2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-03-10 19:15 . 2009-12-16 08:05 1452032 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ea9uddt2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-03-05 12:00 . 2010-03-05 12:00 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-03-04 15:47 . 2010-03-04 15:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\TeamViewer
2010-03-04 15:46 . 2010-03-04 15:46 -------- d-----w- c:\program files\TeamViewer
2010-02-26 09:01 . 2010-02-26 09:01 75416 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-15 16:04 . 2010-02-15 16:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ventrilo
2010-02-15 16:01 . 2010-02-15 16:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2010-02-15 13:45 . 2010-02-15 13:45 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-02-15 10:28 . 2010-02-15 10:28 -------- d-----w- c:\program files\CCleaner

.
(((((((((((((((((((((((((((((((((((((((( ÔÚÈý¸öÔÂÄÚ±»Ð޸ĵĵµ°¸ ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-13 12:50 . 2010-02-09 00:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-03-13 12:34 . 2010-02-09 01:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\Orbit
2010-03-13 10:05 . 2010-02-09 03:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\PPStream
2010-03-10 20:14 . 2010-02-09 03:13 -------- d-----w- c:\program files\PPStream
2010-03-10 19:21 . 2010-02-09 01:29 -------- d-----w- c:\program files\Orbitdownloader
2010-02-12 12:31 . 2010-02-08 23:50 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-10 05:37 . 2010-02-09 00:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-09 11:10 . 2010-02-09 00:49 -------- d-----w- c:\program files\Microsoft Works
2010-02-09 10:03 . 2010-02-08 23:45 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-09 10:03 . 2010-02-08 23:45 -------- d-----w- c:\program files\Windows Desktop Search
2010-02-09 09:02 . 2010-02-09 09:02 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-02-09 07:36 . 2010-02-09 07:35 -------- d-----w- c:\program files\Common Files\Real
2010-02-09 07:36 . 2010-02-09 07:36 -------- d-----w- c:\program files\Common Files\xing shared
2010-02-09 07:35 . 2010-02-09 07:35 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-02-09 07:35 . 2010-02-09 07:35 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-02-09 07:35 . 2010-02-09 07:35 -------- d-----w- c:\program files\Real
2010-02-09 07:30 . 2010-02-09 07:30 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-09 07:18 . 2010-02-09 07:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-02-09 07:18 . 2010-02-09 07:17 -------- d-----w- c:\program files\Google
2010-02-09 03:52 . 2010-02-09 03:52 -------- d-----w- c:\program files\Microsoft
2010-02-09 03:51 . 2010-02-09 03:51 -------- d-----w- c:\program files\Windows Live
2010-02-09 03:51 . 2010-02-09 03:51 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-02-09 03:29 . 2010-02-09 03:29 -------- d-----w- c:\program files\Common Files\Windows Live
2010-02-09 03:20 . 2010-02-09 03:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\GrabPro
2010-02-09 01:34 . 2010-02-09 01:34 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-09 01:34 . 2010-02-09 01:34 -------- d-----w- c:\program files\Realtek
2010-02-09 01:23 . 2010-02-09 01:23 932368 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\profiles-1-6.dll
2010-02-09 01:23 . 2010-02-09 01:23 678416 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\content_interpreter-1-1.dll
2010-02-09 01:23 . 2010-02-09 01:23 604688 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\gsg-3-9.dll
2010-02-09 01:23 . 2010-02-09 01:23 522768 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\database-1-5.dll
2010-02-09 01:23 . 2010-02-09 01:23 1096208 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\filtration-4-6.dll
2010-02-09 01:23 . 2010-02-09 01:23 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-02-09 01:22 . 2010-02-09 01:22 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-02-09 00:57 . 2010-02-09 00:57 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-02-09 00:57 . 2010-02-09 00:57 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-02-09 00:56 . 2010-02-09 00:56 -------- d-----w- c:\program files\Kaspersky Lab
2010-02-09 00:55 . 2010-02-09 00:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-02-09 00:49 . 2010-02-08 23:54 -------- d-----w- c:\program files\MSBuild
2010-02-09 00:48 . 2010-02-09 00:48 -------- d-----w- c:\program files\Microsoft.NET
2010-02-09 00:46 . 2010-02-09 00:46 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-02-09 00:45 . 2010-02-09 00:45 0 ----a-w- c:\windows\nsreg.dat
2010-02-09 00:21 . 2010-02-09 00:21 -------- d-----w- c:\program files\Intel
2010-02-09 00:20 . 2010-02-09 00:20 -------- d-----w- c:\program files\Common Files\InstallShield
2010-02-09 00:14 . 2010-02-09 00:14 -------- d-----w- c:\program files\SystemRequirementsLab
2010-02-09 00:08 . 2010-02-09 00:08 -------- d-----w- c:\program files\NVIDIA Corporation
2010-02-09 00:08 . 2010-02-09 00:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-02-09 00:03 . 2010-02-09 00:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2010-02-08 23:57 . 2010-02-08 23:57 -------- d-----w- c:\program files\microsoft frontpage
2010-02-08 23:57 . 2010-02-08 23:57 410984 ----a-w- c:\windows\system32\deploytk.dll
2010-02-08 23:57 . 2010-02-08 23:57 -------- d-----w- c:\program files\Java
2010-02-08 23:54 . 2010-02-08 23:54 75288 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-02-08 23:54 . 2010-02-08 23:54 -------- d-----w- c:\program files\Reference Assemblies
2010-02-08 23:49 . 2010-02-08 23:49 -------- d-----w- c:\program files\Windows Media Connect 2
2010-02-08 23:46 . 2010-02-08 23:46 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-02-08 23:45 . 2010-02-08 23:45 -------- d-----w- c:\program files\MSXML 4.0
2010-01-19 10:46 . 2010-02-09 01:35 84512 ----a-w- c:\windows\SOUNDMAN.EXE
2010-01-19 10:46 . 2010-02-09 01:35 358944 ----a-w- c:\windows\vncutil.exe
2010-01-19 10:46 . 2010-02-09 01:35 1833504 ----a-w- c:\windows\SkyTel.exe
2010-01-19 10:46 . 2010-02-09 01:35 9721888 ----a-w- c:\windows\RTLCPL.EXE
2010-01-19 10:46 . 2010-02-09 01:35 1489440 ----a-w- c:\windows\RtlUpd.exe
2010-01-19 10:46 . 2010-02-09 01:35 51232 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2010-01-19 10:46 . 2010-02-09 01:35 18790432 ----a-w- c:\windows\RTHDCPL.EXE
2010-01-19 10:46 . 2010-02-09 01:35 129568 ----a-w- c:\windows\RtkAudioService.exe
2010-01-19 10:46 . 2010-02-09 01:34 2177568 ----a-w- c:\windows\MicCal.exe
2010-01-19 10:46 . 2010-02-09 01:34 2815520 ----a-w- c:\windows\ALCWZRD.EXE
2010-01-19 10:46 . 2010-02-09 01:34 64032 ----a-w- c:\windows\ALCMTR.EXE
2010-01-19 10:36 . 2010-02-09 01:35 5818400 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
2010-01-13 05:17 . 2010-02-09 01:34 1247776 ----a-w- c:\windows\RtlExUpd.dll
2010-01-12 04:03 . 2010-02-09 00:07 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-01-12 04:03 . 2010-02-09 00:07 4077672 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-01-12 04:03 . 2010-02-09 00:07 2259560 ----a-w- c:\windows\system32\nvcuvid.dll
2010-01-12 04:03 . 2010-02-09 00:07 14458880 ----a-w- c:\windows\system32\nvoglnt.dll
2010-01-12 04:03 . 2010-02-09 00:07 10276768 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-01-12 04:03 . 2010-02-09 00:07 4104192 ----a-w- c:\windows\system32\nvcuda.dll
2010-01-12 04:03 . 2010-02-09 00:07 182888 ----a-w- c:\windows\system32\nvcodins.dll
2010-01-12 04:03 . 2010-02-09 00:07 182888 ----a-w- c:\windows\system32\nvcod.dll
2010-01-12 04:03 . 2010-02-09 00:07 11632640 ----a-w- c:\windows\system32\nvcompiler.dll
2010-01-12 04:03 . 2010-02-09 00:07 1081344 ----a-w- c:\windows\system32\nvapi.dll
2010-01-12 04:03 . 2010-02-09 00:07 6359168 ----a-w- c:\windows\system32\nv4_disp.dll
2010-01-12 04:03 . 2010-02-09 00:07 2283526 ----a-w- c:\windows\system32\nvdata.bin
2010-01-11 14:17 . 2010-01-11 14:17 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-01-11 14:17 . 2010-01-11 14:17 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-01-11 14:17 . 2010-01-11 14:17 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-01-11 14:17 . 2010-01-11 14:17 13666408 ----a-w- c:\windows\system32\nvcpl.dll
2010-01-11 14:17 . 2010-01-11 14:17 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-01-11 14:17 . 2010-01-11 14:17 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-01-01 07:58 . 2008-12-11 15:33 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2009-03-08 06:34 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2010-02-08 23:44 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2008-04-14 15:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 04:33 . 2010-02-09 00:21 53248 ----a-w- c:\windows\system32\CSVer.dll
.

------- Sigcheck -------

[-] 2009-04-18 . 25A740D70E8007814A48D3FA1B34FA34 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys

[-] 2009-04-18 . C951DB3D9B6EF3CF4B82454D30A8BF59 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( ÖØÒªµÇÈëµã ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*×¢Òâ* ¿Õ°×ÓëºÏ·¨È±Ê¡µÇ¼½«²»»á±»ÏÔʾ
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PPS Accelerator"="c:\program files\PPStream\ppsap.exe" [2009-07-22 210312]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-09 135664]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-10-20 340456]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-11 13666408]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-09 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-02-15 417792]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 07:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-21 17:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 15:00 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-02-09 00:48 135664 ----atw- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 03:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2008-04-14 15:00 208952 ----a-w- c:\windows\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 08:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-01-11 14:17 13666408 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-01-11 14:17 110696 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2008-04-14 15:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2008-04-14 15:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPS Accelerator]
2009-07-22 08:14 210312 ----a-w- c:\program files\PPStream\PPSAP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2010-01-19 10:46 18790432 ----a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-02-09 07:18 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-02-09 07:35 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\PPStream\\PPStream.exe"=
"c:\\Program Files\\PPStream\\PPSAP.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3399:TCP"= 3399:TCP:hxhsmy

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 8:18 PM 36880]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 1:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 6:39 PM 19472]
S2 mywghdua;Time Manager;c:\windows\system32\svchost.exe -k netsvcs [4/14/2008 11:00 PM 14336]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/9/2010 9:34 AM 1691480]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
mywghdua
.
¡®¼Æ»®ÈÎÎñ¡¯ Îļþ¼Ð ÀïµÄÄÚÈÝ

2010-03-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]

2010-03-13 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-02-09 07:17]

2010-03-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-73586283-1770027372-1177238915-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-09 00:48]

2010-03-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-73586283-1770027372-1177238915-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-09 00:48]

2010-02-15 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 07:07]
.
.
------- ¶øÍâµÄɨÃè -------
.
uStart Page = hxxp://www.google.com/
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: {765557F0-5954-471A-9900-846FDB479D6B} = 202.188.0.133,202.188.1.5
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ea9uddt2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ea9uddt2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ea9uddt2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\Mozilla Firefox\extensions\[email protected]\components\KavLinkFilter.dll
FF - component: c:\program files\Orbitdownloader\addons\OneClickYouTubeDownloader\components\GrabXpcom.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1851.5542\npCIDetect14.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- »ðºüÅäÖÃÎļþ ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-nwiz - nwiz.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-13 20:50
Windows 5.1.2600 Service Pack 3 NTFS

ɨÃè±»Òþ²ØµÄ½ø³Ì ¡£¡£¡£

ɨÃè±»Òþ²ØµÄÆô¶¯×é ¡£¡£¡£

ɨÃè±»Òþ²ØµÄÎļþ ¡£¡£¡£

ɨÃèÍê³É
±»Òþ²ØµÄµµ°¸: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-73586283-1770027372-1177238915-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3c,71,e8,b9,6a,5a,40,49,b1,e0,74,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3c,71,e8,b9,6a,5a,40,49,b1,e0,74,\
.
--------------------- ÔËÐнø³ÌϵĶ¯Ì¬Á´½Ó¿â ---------------------

- - - - - - - > 'explorer.exe'(2712)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ ÆäËûÔËÐнø³Ì ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\conime.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\PCHealth\HelpCtr\Binaries\HelpSvc.exe
.
**************************************************************************
.
Íê³Éʱ¼ä: 2010-03-13 20:54:59 - µçÄÔÒÑÖØÐÂÆô¶¯
ComboFix-quarantined-files.txt 2010-03-13 12:54

Pre-Run: 52,589,363,200 bytes free
Post-Run: 53,442,695,168 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-CHS.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - C4A43755A058EB7895EDAA86EE796C5F


 ComboFix.txt   28.25KB   155 downloads

Edited by heir, 13 March 2010 - 07:39 AM.
pasted log

[heir]

Please don't attach logs if I don't specifically ask you to. I edited your post.

What Language are you using on that computer?

Edited by heir, 13 March 2010 - 01:23 PM.
removed filescan

[WyffGoaL]

Sorry my bad, that's Chinese ( PRC )

[heir]

OK Let's take care of some stuff then.


Step 1.
Filescans:

• Using Internet Explorer please go to VirSCAN.org FREE on-line scan service
• Copy and paste the following file path into the "Suspicious files to scan"box on the top of the page:
  
  
  • c:\windows\system32\drivers\tcpip.sys
• Click on the Upload button
• Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
• Paste the contents of the Clipboard in your next reply.

Do the same with this one:c:\windows\system32\sfcfiles.dll

Step 2.
Avenger:

1. Please download The Avenger by Swandog46 to your Desktop.
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:

Drivers to delete:
mywghdua

Files to delete:
C:\WINDOWS\system32\allougw.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Nowstart The Avenger program by clicking on its icon.

• Right click on the window under Input script here:, and select Paste.
• You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
• Click on Execute
• Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

• It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
• On reboot, it will briefly open a black command window on your desktop, this is normal.
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply.

Step 3.
Submit a file:

Goto this page and Follow the instructions to upload this file

C:\Avenger\backup.zip

Step 4.
Things I would like to see in your reply:

• The results from the filescans in step 1.
• The content of C:\avenger.txt from step 2.
• Confirmation that you've uploaded the file in step 3.

[WyffGoaL]

c:\windows\system32\drivers\tcpip.sys - REPORT


VirSCAN.org Scanned Report :
Scanned time : 2009/10/29 05:46:47 (CST)
Scanner results: Scanners did not find malware!
File Name : tcpip.sys
File Size : 361600 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : 25a740d70e8007814a48d3fa1b34fa34
SHA1 : 7e05d733276f866b38147a4aad0a4c363a0db6ab
Online report : http://virscan.org/r...d64f1a51a5.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091029023454 2009-10-29 4.17 -
AhnLab V3 2009.10.29.00 2009.10.29 2009-10-29 0.97 -
AntiVir 8.2.1.50 7.1.6.162 2009-10-28 0.18 -
Antiy 2.0.18 20091028.3102810 2009-10-28 0.12 -
Arcavir 2009 200910281552 2009-10-28 0.28 -
Authentium 5.1.1 200910281538 2009-10-28 2.16 -
AVAST! 4.7.4 091028-0 2009-10-28 0.03 -
AVG 8.5.288 270.14.37/2466 2009-10-29 0.34 -
BitDefender 7.81008.4468099 7.28623 2009-10-29 3.86 -
CA (VET) 35.1.0 7087 2009-10-27 10.26 -
ClamAV 0.95.2 9956 2009-10-29 0.08 -
Comodo 3.12 2760 2009-10-28 0.81 -
CP Secure 1.3.0.5 2009.10.29 2009-10-29 0.09 -
Dr.Web 4.44.0.9170 2009.10.28 2009-10-28 6.28 -
F-Prot 4.4.4.56 20091028 2009-10-28 2.09 -
F-Secure 7.02.73807 2009.10.28.19 2009-10-28 0.11 -
Fortinet 2.81-3.120 10.997 2009-10-28 0.20 -
GData 19.8622/19.526 20091028 2009-10-28 6.06 -
ViRobot 20091028 2009.10.28 2009-10-28 0.46 -
Ikarus T3.1.01.72 2009.10.28.74308 2009-10-28 4.28 -
JiangMin 11.0.800 2009.10.26 2009-10-26 4.70 -
Kaspersky 5.5.10 2009.10.28 2009-10-28 0.06 -
KingSoft 2009.2.5.15 2009.10.28.21 2009-10-28 0.61 -
McAfee 5.3.00 5785 2009-10-28 3.42 -
Microsoft 1.5202 2009.10.28 2009-10-28 6.40 -
Norman 6.01.09 6.01.00 2009-10-27 4.01 -
Panda 9.05.01 2009.10.28 2009-10-28 2.79 -
Trend Micro 8.700-1004 6.583.00 2009-10-28 0.04 -
Quick Heal 10.00 2009.10.28 2009-10-28 1.44 -
Rising 20.0 21.53.24.00 2009-10-28 0.88 -
Sophos 3.00.1 4.46 2009-10-29 2.75 -
Sunbelt 5472 5472 2009-10-27 1.65 -
Symantec 1.3.0.24 20091028.006 2009-10-28 0.18 -
nProtect 20091028.01 6034135 2009-10-28 7.99 -
The Hacker 6.5.0.2 v00056 2009-10-28 0.74 -
VBA32 3.12.10.11 20091027.1255 2009-10-27 2.02 -
VirusBuster 4.5.11.10 10.112.82/2011851 2009-10-28 2.58 -




c:\windows\system32\sfcfiles.dll - REPORT



VirSCAN.org Scanned Report :
Scanned time : 2010/03/14 06:36:32 (CST)
Scanner results: Scanners did not find malware!
File Name : sfcfiles.dll
File Size : 1614848 byte
File Type : PE32 executable for MS Windows (DLL) (console) Intel 80386 3
MD5 : c951db3d9b6ef3cf4b82454d30a8bf59
SHA1 : 7c873f4451b54f2bca7318e262ea203c64315314
Online report : http://virscan.org/r...5ad37d3d46.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100313214034 2010-03-13 4.56 -
AhnLab V3 2010.03.13.00 2010.03.13 2010-03-13 1.03 -
AntiVir 8.2.1.180 7.10.5.66 2010-03-12 0.30 -
Antiy 2.0.18 20100312.3993126 2010-03-12 0.12 -
Arcavir 2009 201003131058 2010-03-13 0.06 -
Authentium 5.1.1 201003131727 2010-03-13 1.28 -
AVAST! 4.7.4 100313-1 2010-03-13 0.08 -
AVG 8.5.720 271.1.1/2743 2010-03-13 0.24 -
BitDefender 7.81008.5445131 7.30757 2010-03-14 5.45 -
ClamAV 0.95.3 10571 2010-03-13 0.21 -
Comodo 3.13.579 4253 2010-03-13 0.99 -
CP Secure 1.3.0.5 2010.03.14 2010-03-14 0.43 -
Dr.Web 5.0.1.12222 2010.03.14 2010-03-14 5.85 -
F-Prot 4.4.4.56 20100313 2010-03-13 1.27 -
F-Secure 7.02.73807 2010.03.13.08 2010-03-13 0.14 -
Fortinet 4.0.14 11.574 2010-03-12 0.21 -
GData 19.10788/19.816 20100313 2010-03-13 6.35 -
ViRobot 20100313 2010.03.13 2010-03-13 0.41 -
Ikarus T3.1.01.80 2010.03.13.75393 2010-03-13 5.16 -
JiangMin 13.0.900 2010.03.13 2010-03-13 5.42 -
Kaspersky 5.5.10 2010.03.13 2010-03-13 0.07 -
KingSoft 2009.2.5.15 2010.3.13.18 2010-03-13 0.60 -
McAfee 5.3.00 5919 2010-03-13 3.62 -
Microsoft 1.5502 2010.03.13 2010-03-13 6.60 -
Norman 6.01.09 6.01.00 2010-02-10 4.01 -
Panda 9.05.01 2010.03.13 2010-03-13 1.89 -
Trend Micro 9.120-1004 6.916.09 2010-03-13 0.09 -
Quick Heal 10.00 2010.03.13 2010-03-13 2.06 -
Rising 20.0 22.38.04.03 2010-03-12 1.04 -
Sophos 3.05.4 4.51 2010-03-14 3.48 -
Sunbelt 3.9.2410.2 5863 2010-03-13 3.43 -
Symantec 1.3.0.24 20100311.002 2010-03-11 0.00 -
nProtect 20100312.01 7727364 2010-03-12 4.51 -
The Hacker 6.5.2.0 v00233 2010-03-13 0.43 -
VBA32 3.12.12.2 20100311.2253 2010-03-11 2.75 -
VirusBuster 4.5.11.10 10.121.19/2037735 2010-03-13 2.43 -




Avenger Log


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "mywghdua" deleted successfully.

Error: file "C:\WINDOWS\system32\allougw.dll" not found!
Deletion of file "C:\WINDOWS\system32\allougw.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.



The Avenger backup.zip has been submitted to Bleeping Computer successfully.


Thanks once again heir!

[heir]

Let's do an online scan as well


Step 1.
OTL-fix:


Run OTL.exe

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :Reg
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
  "3399:TCP"=-
  :Commands
  [purity]
  [emptytemp]
  [emptyflash]
  [start explorer]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot when it is done
• Then post the OTL fixlog

Step 2.
Online Scan:

Please do an online scan with Kaspersky Online Scanner

Kaspersky online scanner uses JAVA tecnology to perform the scan. If you do not have the latest JAVA version, follow the instrutions below under Upgrading Java, to download and install the latest vesion.

• Read through the requirements and privacy statement and click on Accept button.
• It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
• When the downloads have finished, click on Settings.
• Make sure the following is checked.
  
  • Spyware, Adware, Dialers, and other potentially dangerous programs
    Archives
    Mail databases
• Click on My Computer under Scan.
• Once the scan is complete, it will display the results. Click on View Scan Report.
• You will see a list of infected items there. Click on Save Report As....
• Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
• Please post this log in your next reply.

Upgrading Java:

• Download the latest version of JDK 6 Update 18 (JDK or JRE).
• Click the "Download JRE" button to the right.
• Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
• Click on Continue.
• Click on the link to download Windows Offline Installation (jre-6u18-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java version.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u18-windows-i586.exe and select "Run as an Administrator.")

Step 3.
Things I would like to see in your reply:

• The content of the fixlog from OTL in step 1.
• The content of the report from Kaspersky Online Scan in step 2.
• Information on how your computer is running.

[WyffGoaL]

Hi heir, it says my computer has kaspersky 9 installed so that the kaspersky online scanner could not be runned.

So do I need to uninstall my kaspersky now? Perhaps there are other alternatives?

Thanks in advance.

[heir]

Let's use another scanner.

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan

• Tick the box next to YES, I accept the Terms of Use
• Click Start
• When asked, allow the ActiveX control to install
• Click Start
• Make sure that the options Remove found threats and the option Scan unwanted applications is checked
• Click Scan (This scan can take several hours, so please be patient)
• Once the scan is completed, you may close the window
• Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
• Copy and paste that log as a reply to this topic

[WyffGoaL]

Here you go heir,


OTL Log


All processes killed
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\3399:TCP not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 9537145 bytes
->Temporary Internet Files folder emptied: 5152505 bytes
->Java cache emptied: 127535 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 41907105 bytes
->Flash cache emptied: 707 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 483 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 54.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.1.37.0 log created on 03142010_170210

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...



Eset Online Scanner Log


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=acd004f5f8d4e945a08f6009755fa518
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-03-14 08:56:44
# local_time=2010-03-14 04:56:44 (+0800, Malay Peninsula Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1280 16777191 100 0 2043621 2043621 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=34465
# found=0
# cleaned=0
# scan_time=1179