
Unidentified Problem-Possibly Malware


#1
andrea22
    Member
  • 139 posts
Hi. My computer has slowed down very badly. Almost everything still works normally, but it's too painfully slow to use. As an example, editing 20 photos would normally take me about 20 minutes; now it takes over 3 hours. The only thing that's not working properly is the DVD player: the picture changes frames every couple of minutes or so, but the audio sounds like a CD that's jammed.
I've tried to do the stuff in the malware cleaning guide but wasn't totally successful. I've done the cleaning temp files thing, done the ERUNT, and run an AVG scan (which took 4 days and nights!). Then I tried to download the Malwarebytes prog. and kept getting the message that the file is corrupted. I then went to their homepage and tried to download it from there, but was redirected to CNet and kept getting the message that I'd already downloaded it. Maybe I'm doing something wrong here?
#2
RKinner
    Malware Expert
  • 24,625 posts
  • MVP
See if you can get an OTL log (step 5 of the Malware Removal Guide). Copy and paste it here.

Ron
#3
andrea22
    Member
  • Topic Starter
  • 139 posts
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/13 22:20:22 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\My Documents\Downloads\OTL.exe
PRC - [2010/04/10 11:19:22 | 000,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/04/03 08:54:39 | 002,064,224 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2010/04/03 08:51:44 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/04/03 08:50:26 | 000,710,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2010/04/03 08:50:13 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010/03/18 08:47:37 | 000,508,184 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/03/18 08:47:34 | 000,617,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/03/18 08:45:06 | 000,916,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe
PRC - [2008/11/17 18:50:14 | 000,827,904 | ---- | M] () -- C:\Program Files\dvd43\DVD43_Tray.exe
PRC - [2008/04/14 10:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/07/17 15:21:56 | 000,184,320 | ---- | M] () -- C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
PRC - [2006/02/07 16:10:14 | 000,106,496 | ---- | M] ( ) -- C:\Program Files\Maxtor\Utils\SyncServices.exe
PRC - [2005/01/19 16:34:16 | 000,128,000 | ---- | M] ( ) -- C:\Program Files\CursorXP\CursorXP.exe


========== Modules (SafeList) ==========

MOD - [2010/04/13 22:20:22 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\My Documents\Downloads\OTL.exe
MOD - [2005/01/19 16:34:24 | 000,014,848 | ---- | M] ( ) -- C:\Program Files\CursorXP\CurXP0.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (NMIndexingService)
SRV - [2010/04/03 08:51:44 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/03/18 08:45:06 | 000,916,760 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2006/07/17 15:21:56 | 000,184,320 | ---- | M] () [Auto | Running] -- C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe -- (MaxBackServiceInt)
SRV - [2006/02/07 16:10:14 | 000,106,496 | ---- | M] ( ) [Auto | Running] -- C:\Program Files\Maxtor\Utils\SyncServices.exe -- (NTService1)
SRV - [2005/08/02 14:18:50 | 000,086,016 | ---- | M] (CACE Technologies) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.defaulthomepage.info
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.783
FF - prefs.js..extensions.enabledItems: {fce36c1e-58d8-498a-b2a5-66ad1cedebbb}:0.76
FF - prefs.js..extensions.enabledItems: FasterFox_Lite@BigRedBrent:3.8.2Lite
FF - prefs.js..extensions.enabledItems: {0b457cAA-602d-484a-8fe7-c1d894a011ba}:0.80
FF - prefs.js..extensions.enabledItems: [email protected]:2.0.3
FF - prefs.js..extensions.enabledItems: {2458abc0-f443-11dd-87af-0800200c9a66}:0.9
FF - prefs.js..extensions.enabledItems: [email protected]:0.6.20091031
FF - prefs.js..extensions.enabledItems: [email protected]:3.0

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2010/03/18 13:04:37 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/10 11:20:10 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/10 11:20:10 | 000,000,000 | ---D | M]

[2009/12/07 17:58:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2010/04/03 15:18:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kebix9fj.default\extensions
[2009/12/09 23:25:14 | 000,000,000 | ---D | M] (FireShot) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kebix9fj.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}
[2009/12/08 20:58:32 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kebix9fj.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/12/09 23:00:17 | 000,000,000 | ---D | M] (Bloody Red) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kebix9fj.default\extensions\{2458abc0-f443-11dd-87af-0800200c9a66}
[2009/12/09 23:25:10 | 000,000,000 | ---D | M] (CustomizeGoogle) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kebix9fj.default\extensions\{fce36c1e-58d8-498a-b2a5-66ad1cedebbb}
[2009/12/09 22:41:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kebix9fj.default\extensions\FasterFox_Lite@BigRedBrent
[2009/12/09 23:17:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kebix9fj.default\extensions\[email protected]
[2009/12/09 23:25:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kebix9fj.default\extensions\[email protected]
[2009/12/09 23:19:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kebix9fj.default\extensions\[email protected]
[2009/12/07 17:56:24 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/11/03 11:42:02 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2009/11/03 11:42:02 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2009/11/03 11:42:02 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2009/11/03 11:42:02 | 000,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2004/08/04 22:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - {AFC482CE-DC40-497A-AE10-681C072F6F6A} - No CLSID value found.
O3 - HKLM\..\Toolbar: (FireShot) - {6E6E744E-4D20-4ce3-9A7A-26DFFFE22F68} - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kebix9fj.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\FSAddin-0.80.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {F1273B21-0B77-4481-BFB9-0A3C399BE3FE} - No CLSID value found.
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [dvd43] C:\Program Files\dvd43\DVD43_Tray.exe ()
O4 - HKCU..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe ( )
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O4 - HKCU..\Run: [TuneUp MemOptimizer] C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled [2008/07/11 00:49:03 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\AutorunsDisabled [2008/03/17 19:08:14 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108355
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSharedDocuments = [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoTrayItemsDisplay = [binary data]
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm ()
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm ()
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm ()
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_09)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_09)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_09)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.1.1.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\PROGRA~1\SUPERA~1\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AutorunsDisabled: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/06/02 15:16:48 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{1c2af080-ca3b-11dc-b9ea-00022d36625d}\Shell\Auto\command - "" = auto.exe
O33 - MountPoints2\{1c2af080-ca3b-11dc-b9ea-00022d36625d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{5aa75321-d140-11dc-b9f6-00179a300101}\Shell - "" = AutoRun
O33 - MountPoints2\{5aa75321-d140-11dc-b9f6-00179a300101}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{5aa75321-d140-11dc-b9f6-00179a300101}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\{6a1566ac-06ec-11dd-ba7d-00022d36625d}\Shell - "" = AutoRun
O33 - MountPoints2\{6a1566ac-06ec-11dd-ba7d-00022d36625d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{6a1566ac-06ec-11dd-ba7d-00022d36625d}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\{6b38b740-0dae-11dd-ba8d-00022d36625d}\Shell\AutoRun\command - "" = F:\HPSecure\Windows\HPSecure30.exe -- File not found
O33 - MountPoints2\{907c9640-a6ec-11dc-b9b1-00022d36625d}\Shell\play\Command - "" = C:\Program Files\Windows Media Player\wmplayer.exe -- [2006/10/18 21:46:20 | 000,064,000 | ---- | M] (Microsoft Corporation)
O33 - MountPoints2\{9d10fc55-42ab-11dd-bab6-00022d36625d}\Shell\AutoRun\command - "" = E:\setupSNK.exe -- File not found
O33 - MountPoints2\{a87d5011-0e40-11dc-8add-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{a87d5011-0e40-11dc-8add-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{a87d5011-0e40-11dc-8add-806d6172696f}\Shell\AutoRun\command - "" = D:\setup.exe -- File not found
O33 - MountPoints2\{e1bef371-f23f-11da-919d-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{e1bef371-f23f-11da-919d-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{e1bef371-f23f-11da-919d-806d6172696f}\Shell\AutoRun\command - "" = D:\setup.exe -- File not found
O33 - MountPoints2\{e31af20d-0376-11de-ae11-00022d36625d}\Shell\AutoRun\command - "" = E:\setupSNK.exe -- File not found
O33 - MountPoints2\{f0ceee00-a4a2-11dc-b9a6-00022d36625d}\Shell\AutoRun\command - "" = F:\setupSNK.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk /r \??\F:) - File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: Ias - C:\WINDOWS\system32\ias [2006/06/02 15:15:37 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 14 Days ==========

[2009/12/09 22:12:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/12/09 22:12:33 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/12/09 22:12:33 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/03/26 21:47:49 | 000,568,576 | ---- | C] ( ) -- C:\Program Files\DVD43_4-4-0_Setup.exe
[2009/03/26 20:52:04 | 023,224,464 | ---- | C] (Online Media Technologies Ltd. ) -- C:\Program Files\AVSDVDCopy.exe
[2009/03/26 18:42:49 | 004,329,014 | ---- | C] (Burn4Free) -- C:\Program Files\burn4free_setup.exe
[2008/10/19 13:47:42 | 002,934,168 | ---- | C] (Piriform Ltd) -- C:\Program Files\ccsetup212.exe
[2008/10/03 06:58:40 | 023,510,720 | ---- | C] (Microsoft Corporation) -- C:\Program Files\dotnetfx.exe
[2008/09/29 21:33:44 | 002,318,504 | ---- | C] (Piriform Ltd) -- C:\Program Files\rcsetup119.exe
[2008/09/27 21:33:02 | 027,288,880 | ---- | C] (Apple Inc.) -- C:\Program Files\QuickTimeInstaller.exe
[2008/08/03 21:09:46 | 002,922,072 | ---- | C] (Piriform Ltd) -- C:\Program Files\ccsetup210.exe
[2008/06/25 21:29:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2008/05/26 23:44:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2008/04/28 11:20:00 | 004,830,552 | R--- | C] (WinZip Computing, S.L.) -- C:\Program Files\WINZIP32.EXE
[2008/04/28 11:20:00 | 000,898,400 | R--- | C] (WinZip Computing, S.L.) -- C:\Program Files\WZEAY32.DLL
[2008/04/28 11:20:00 | 000,877,920 | R--- | C] (WinZip Computing, S.L.) -- C:\Program Files\WZ32.DLL
[2008/04/28 11:20:00 | 000,656,736 | R--- | C] (WinZip Computing, S.L.) -- C:\Program Files\WZIMGV32.DLL
[2008/04/28 11:20:00 | 000,480,608 | R--- | C] (Sky Software) -- C:\Program Files\WZFILVW.OCX
[2008/04/28 11:20:00 | 000,439,648 | R--- | C] (Sky Software) -- C:\Program Files\WZFLDVW.OCX
[2008/04/28 11:20:00 | 000,427,360 | R--- | C] (WinZip Computing, S.L.) -- C:\Program Files\WZSEPE32.EXE
[2008/04/28 11:20:00 | 000,415,072 | R--- | C] (WinZip Computing, S.L.) -- C:\Program Files\WZQKPICK.EXE
[2008/04/28 11:20:00 | 000,329,056 | R--- | C] (WinZip Computing, S.L.) -- C:\Program Files\WZZPMAIL.DLL
[2008/04/28 11:20:00 | 000,312,672 | R--- | C] (WinZip Computing, S.L.) -- C:\Program Files\WZSESS32.EXE
[2008/04/28 11:20:00 | 000,288,096 | R--- | C] (WinZip Computing, S.L.) -- C:\Program Files\WZSRVR32.EXE
[2008/04/28 11:20:00 | 000,284,000 | R--- | C] (WinZip Computing, S.L.) -- C:\Program Files\WZCKTREE.DLL
[2008/04/28 11:20:00 | 000,167,264 | R--- | C] (WinZip Computing, S.L.) -- C:\Program Files\WZVINFO.DLL
[2008/04/28 11:20:00 | 000,165,216 | R--- | C] (WinZip Computing, S.L.) -- C:\Program Files\WZSMTP.DLL
[2008/04/28 11:20:00 | 000,165,216 | R--- | C] (WinZip Computing, S.L.) -- C:\Program Files\WZGDIP32.DLL
[2008/04/28 11:20:00 | 000,140,640 | R--- | C] (WinZip Computing, S.L.) -- C:\Program Files\WZSHLEX1.DLL
[2008/04/28 11:20:00 | 000,113,504 | R--- | C] (WinZip Computing, S.L.) -- C:\Program Files\WZMSG.EXE
[2008/04/28 11:20:00 | 000,099,680 | R--- | C] (WinZip Computing, S.L.) -- C:\Program Files\WZCAB3.DLL
[2008/04/28 11:20:00 | 000,071,008 | R--- | C] (Microsoft Corporation) -- C:\Program Files\WZCAB.DLL
[2008/04/28 11:20:00 | 000,011,104 | R--- | C] (WinZip Computing, S.L.) -- C:\Program Files\WZSHLSTB.DLL
[2008/03/19 21:10:13 | 000,947,270 | ---- | C] (FileSubmit) -- C:\Program Files\flybu.exe
[2008/02/09 11:59:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2003/06/25 16:05:08 | 000,266,360 | R--- | C] (Microsoft Corporation) -- C:\Program Files\TweakUI.exe

========== Files - Modified Within 14 Days ==========

[2010/04/14 00:00:05 | 000,000,486 | ---- | M] () -- C:\WINDOWS\tasks\1-Click Maintenance.job
[2010/04/13 16:11:53 | 058,842,979 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/04/13 16:02:38 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2010/04/13 16:02:09 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/13 16:01:11 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/13 16:01:08 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/12 19:58:35 | 005,505,024 | ---- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT
[2010/04/12 19:58:35 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/04/10 11:11:23 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/04/09 12:35:57 | 000,000,392 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{5567DDCB-736C-4A8F-BC44-CD62B00B83AD}.job
[2010/04/08 05:12:43 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\Disk Cleanup.job
[2010/04/07 04:54:30 | 000,000,252 | ---- | M] () -- C:\WINDOWS\tasks\NTREGOPT.job

========== Files Created - No Company Name ==========

[2009/12/07 14:51:38 | 000,005,632 | -HS- | C] () -- C:\Program Files\Thumbs.db
[2009/03/30 18:56:02 | 002,863,832 | ---- | C] () -- C:\Program Files\DeepBurner1.exe
[2008/10/25 00:44:50 | 000,515,626 | ---- | C] () -- C:\Program Files\buttonbook.htm
[2008/10/03 06:27:08 | 009,584,128 | ---- | C] () -- C:\Program Files\EL2_02_setup.msi
[2008/07/08 22:28:09 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.INI
[2008/04/28 11:20:00 | 000,489,215 | R--- | C] () -- C:\Program Files\WINZIP.CHM
[2008/04/28 11:20:00 | 000,242,959 | R--- | C] () -- C:\Program Files\WZINST.CHM
[2008/04/28 11:20:00 | 000,185,696 | R--- | C] () -- C:\Program Files\UNRAR.DLL
[2008/04/28 11:20:00 | 000,130,912 | R--- | C] () -- C:\Program Files\LHA.DLL
[2008/04/28 11:20:00 | 000,089,671 | R--- | C] () -- C:\Program Files\WZWIZARD.CHM
[2008/04/28 11:20:00 | 000,002,415 | R--- | C] () -- C:\Program Files\WZ.COM
[2008/04/28 11:20:00 | 000,001,753 | ---- | C] () -- C:\Program Files\EXAMPLE.ZIP
[2008/04/28 11:20:00 | 000,001,157 | R--- | C] () -- C:\Program Files\WZ.PIF
[2008/04/28 11:20:00 | 000,000,450 | ---- | C] () -- C:\Program Files\USRCOMBO.WJF
[2008/04/28 11:20:00 | 000,000,406 | ---- | C] () -- C:\Program Files\MYDOCS.WJF
[2008/04/28 11:20:00 | 000,000,378 | ---- | C] () -- C:\Program Files\MYDSKTOP.WJF
[2008/04/28 11:20:00 | 000,000,332 | ---- | C] () -- C:\Program Files\MYFAVS.WJF
[2008/04/28 11:20:00 | 000,000,329 | ---- | C] () -- C:\Program Files\MYE-MAIL.WJF
[2008/04/13 20:25:04 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\Owner\NTUSER.DAT_TU_96555.LOG
[2008/04/10 22:02:46 | 000,000,036 | -H-- | C] () -- C:\WINDOWS\System32\swk.ini
[2008/04/10 00:44:51 | 000,164,352 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2008/04/10 00:44:44 | 000,755,027 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2008/04/10 00:44:43 | 000,159,839 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008/04/10 00:44:42 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/04/10 00:44:38 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008/04/10 00:44:38 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2008/03/18 12:32:55 | 000,041,083 | ---- | C] () -- C:\Program Files\mozillahistoryview1.zip
[2008/03/07 11:36:25 | 000,000,765 | ---- | C] () -- C:\WINDOWS\ONFORMAT.INI
[2008/03/07 11:36:24 | 000,000,341 | ---- | C] () -- C:\WINDOWS\RECMGRUN.INI
[2008/03/07 11:35:51 | 000,003,455 | ---- | C] () -- C:\WINDOWS\RECVCALL.INI
[2008/02/17 21:59:44 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\Owner\NTUSER.tmp.LOG
[2008/02/15 13:44:06 | 000,000,082 | ---- | C] () -- C:\Documents and Settings\Owner\Owner_notes.dat
[2008/02/15 10:35:52 | 000,000,120 | ---- | C] () -- C:\WINDOWS\jascreg.ini
[2008/02/15 10:34:50 | 000,047,104 | ---- | C] () -- C:\WINDOWS\System32\Wh2Robo.dll
[2008/02/14 16:11:36 | 000,199,273 | ---- | C] () -- C:\Documents and Settings\Owner\.fonts.cache-1
[2008/02/07 23:56:21 | 000,000,048 | ---- | C] () -- C:\WINDOWS\iltwain.ini
[2007/12/27 22:38:48 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2007/12/25 00:03:54 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\CNMVS4d.DLL
[2007/12/13 05:36:24 | 000,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2007/12/11 10:39:10 | 000,019,427 | ---- | C] () -- C:\WINDOWS\wwdslcfg.ini
[2007/12/08 03:38:15 | 000,000,078 | ---- | C] () -- C:\Documents and Settings\Owner\default.pls
[2007/12/08 02:00:02 | 000,046,592 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/12/07 21:19:19 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/12/05 22:39:07 | 000,000,052 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/05/30 10:11:03 | 006,291,456 | ---- | C] () -- C:\Documents and Settings\Owner\NTUSER.DAT_BAK_96555
[2007/05/30 10:11:03 | 005,505,024 | ---- | C] () -- C:\Documents and Settings\Owner\NTUSER.DAT
[2007/05/30 10:11:03 | 005,242,880 | ---- | C] () -- C:\Documents and Settings\Owner\NTUSER.bak
[2007/05/30 10:11:03 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\Owner\ntuser.dat.LOG
[2007/05/30 10:11:03 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Owner\ntuser.ini
[2007/01/03 11:24:36 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/01/03 11:22:46 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/01/03 11:22:14 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2006/06/05 08:29:28 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT
[2006/06/05 08:29:28 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT.LOG
[2006/06/02 17:01:32 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/06/02 16:40:15 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\TOSMgmt.dll
[2006/06/02 16:40:15 | 000,002,496 | ---- | C] () -- C:\WINDOWS\System32\drivers\readmem.sys
[2006/06/02 16:12:19 | 000,121,905 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini
[2006/06/02 16:12:19 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll
[2006/06/02 16:12:19 | 000,008,831 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini
[2006/06/02 16:12:19 | 000,006,793 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini
[2006/06/02 16:07:28 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\TVCtrl.dll
[2006/06/02 16:07:28 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\Multview.dll
[2006/06/02 16:07:27 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\ColorCtr.dll
[2006/06/02 16:07:27 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\GenCtrl.dll
[2006/06/02 16:07:27 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\LCDCtrl.dll
[2006/06/02 16:07:27 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\CRTCtrl.dll
[2005/12/22 14:49:48 | 000,609,959 | ---- | C] () -- C:\Program Files\setup.exe
[2005/08/02 14:24:02 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll

========== LOP Check ==========

[2009/12/09 22:15:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2009/12/19 19:38:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Canneverbe Limited
[2008/06/25 21:34:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grisoft
[2007/12/12 01:20:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LightScribe
[2008/02/12 15:03:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Maxtor
[2008/06/25 05:35:32 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\System Restore
[2009/12/07 17:47:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2008/04/13 18:38:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TuneUp Software
[2008/03/18 23:57:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2009/12/19 19:38:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Canneverbe_Limited
[2007/12/08 05:00:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\DataLayer
[2009/03/30 19:02:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\DeepBurner
[2008/03/16 17:37:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Ethereal
[2008/12/01 12:00:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\FireShot
[2008/03/30 22:34:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\IcoFX
[2008/02/15 00:53:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Inkscape
[2008/02/13 05:42:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\LG Electronics
[2007/12/08 05:00:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Nokia
[2007/12/08 04:36:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\PC Suite
[2008/03/14 05:21:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Sereniti
[2008/04/13 18:39:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\TuneUp Software
[2008/05/18 09:08:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\WebStripper
[2008/05/26 23:42:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Windows Desktop Search
[2010/04/14 00:00:05 | 000,000,486 | ---- | M] () -- C:\WINDOWS\Tasks\1-Click Maintenance.job
[2010/04/08 05:12:43 | 000,000,260 | ---- | M] () -- C:\WINDOWS\Tasks\Disk Cleanup.job
[2010/04/07 04:54:30 | 000,000,252 | ---- | M] () -- C:\WINDOWS\Tasks\NTREGOPT.job
[2010/03/23 04:55:19 | 000,000,264 | ---- | M] () -- C:\WINDOWS\Tasks\SUPERAntiSpyware Free Edition.job
[2010/04/09 12:35:57 | 000,000,392 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{5567DDCB-736C-4A8F-BC44-CD62B00B83AD}.job
[2010/04/13 16:02:38 | 000,000,260 | ---- | M] () -- C:\WINDOWS\Tasks\WGASetup.job

========== Purity Check ==========
========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2004/08/04 22:00:00 | 000,388,608 | ---- | M] (Microsoft Corporation) -- C:\kmd.exe


< MD5 for: AGP440.SYS >
[2004/08/04 22:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/08/30 17:43:42 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/08/30 17:43:42 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/14 04:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/14 04:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 22:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/08/30 17:43:42 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/08/30 17:43:42 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/14 04:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/14 04:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 22:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 10:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/14 10:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 22:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 10:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/14 10:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 22:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 22:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/14 10:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/14 10:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*./mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2006/06/03 00:41:48 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2006/06/03 00:41:48 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2006/06/03 00:41:47 | 000,880,640 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010/03/18 08:45:04 | 000,216,200 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgldx86.sys
[2010/03/18 08:47:35 | 000,029,512 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgmfx86.sys
[2010/03/18 08:47:42 | 000,242,696 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgtdix.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Owner\My Documents\DVD Shrink 3.2.exe:SummaryInformation
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0F8F5844
< End of report >
  • 0
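The OTL log above ends with `< MD5 for: ... >` sections that hash every copy of a few critical system files (AGP440.SYS, ATAPI.SYS, EVENTLOG.DLL, ...) so the live copy in system32 can be compared with the pristine ServicePackFiles copy; a same-size copy with a different hash is the classic sign of a patched driver. The following is an added example, not part of the thread or of OTL: a Python parser for that line format that flags such mismatches. The atapi.sys lines are taken from the log; EXAMPLE.SYS and its hashes are constructed to show a mismatch.

```python
"""Cross-check the '< MD5 for: NAME >' sections of an OTL log.

Added example (not OTL code): parse the copies OTL lists for each file and
flag a live system32 copy whose MD5 differs from a ServicePackFiles copy of
the same size. Copies inside a .cab carry no hash and are kept but skipped.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in OTL's own line format. The atapi.sys lines are copied
# from the log; EXAMPLE.SYS and its two hashes are made up to show a mismatch.
SAMPLE_LOG = r"""
< MD5 for: ATAPI.SYS >
[2004/08/04 22:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/04/14 04:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/14 04:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 22:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EXAMPLE.SYS >
[2008/04/14 04:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000001 -- C:\WINDOWS\ServicePackFiles\i386\example.sys
[2008/04/14 04:40:30 | 000,096,512 | ---- | M] () MD5=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -- C:\WINDOWS\system32\drivers\example.sys
"""

SECTION_RE = re.compile(r"^< MD5 for: (?P<name>\S+) >$")
# [date | size | attrs | flag] (company) <tags> -- <path>
ENTRY_RE = re.compile(
    r"^\[(?P<date>[^|]+)\| (?P<size>[\d,]+) \| (?P<attrs>[^|]+)\| (?P<flag>\w)\] "
    r"\((?P<company>[^)]*)\) (?P<tags>.*?)-- (?P<path>.+)$"
)
MD5_RE = re.compile(r"MD5=([0-9A-Fa-f]{32})")


@dataclass
class FileCopy:
    path: str
    size: int
    company: str
    md5: Optional[str]  # None when OTL lists the copy inside a .cab (no hash)


def parse_md5_sections(log_text: str) -> Dict[str, List[FileCopy]]:
    """Map each hashed file name (lower-case) to the copies OTL found for it."""
    sections: Dict[str, List[FileCopy]] = {}
    current: Optional[str] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("<"):
            # Any other custom-scan header (or '< End of report >') ends the section.
            m = SECTION_RE.match(line)
            current = m.group("name").lower() if m else None
            if current is not None:
                sections.setdefault(current, [])
            continue
        if current is None:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        h = MD5_RE.search(m.group("tags"))
        sections[current].append(FileCopy(
            path=m.group("path").strip(),
            size=int(m.group("size").replace(",", "")),
            company=m.group("company").strip(),
            md5=h.group(1).upper() if h else None,
        ))
    return sections


def find_mismatches(sections: Dict[str, List[FileCopy]]) -> List[Tuple[str, str, str, str]]:
    """Return (name, live_path, live_md5, reference_md5) for each system32 copy
    whose MD5 differs from a ServicePackFiles copy of the same size.

    The $NtServicePackUninstall$ copy is a different size (pre-SP original) and
    has no same-size reference, so it is not reported."""
    findings = []
    for name, copies in sections.items():
        reference = {c.size: c.md5 for c in copies
                     if c.md5 and "\\servicepackfiles\\" in c.path.lower()}
        for c in copies:
            if c.md5 is None or "\\system32\\" not in c.path.lower():
                continue
            ref = reference.get(c.size)
            if ref is not None and ref != c.md5:
                findings.append((name, c.path, c.md5, ref))
    return findings


if __name__ == "__main__":
    for name, live, got, want in find_mismatches(parse_md5_sections(SAMPLE_LOG)):
        print(f"{name}: {live} MD5={got} differs from ServicePackFiles copy {want}")
```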

#4 RKinner (Malware Expert | Expert | 24,625 posts | MVP)
Copy the text between the lines of stars by highlighting and Ctrl + c
***************************************************************************************************
:OTL
SRV - [2005/08/02 14:18:50 | 000,086,016 | ---- | M] (CACE Technologies) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
O2 - BHO: (no name) - {AFC482CE-DC40-497A-AE10-681C072F6F6A} - No CLSID value found.
O3 - HKLM\..\Toolbar: (FireShot) - {6E6E744E-4D20-4ce3-9A7A-26DFFFE22F68} - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kebix9fj.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\FSAddin-0.80.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {F1273B21-0B77-4481-BFB9-0A3C399BE3FE} - No CLSID value found.
O4 - HKCU..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe ( )
O4 - HKCU..\Run: [TuneUp MemOptimizer] C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled [2008/07/11 00:49:03 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\AutorunsDisabled [2008/03/17 19:08:14 | 000,000,000 | -H-D | M]
O20 - Winlogon\Notify\AutorunsDisabled: DllName - Reg Error: Value error. - Reg Error: Value error. File not found

:Files
C:\Program Files\WinPcap
C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\Disk Cleanup.job
C:\Program Files\TuneUp Utilities 2008
C:\WINDOWS\tasks\NTREGOPT.job
C:\WINDOWS\System32\TOSMgmt.dll
C:\WINDOWS\System32\drivers\readmem.sys
C:\WINDOWS\System32\CNMVS4d.DLL
C:\kmd.exe

:Commands
[purity]
[emptytemp]
[Reboot]

*******************************************************************

Then run OTL and, under the Custom Scans/Fixes box at the bottom, paste (Ctrl + V) the text. Verify that you got it all and then click the Run Fix button at the top.
Let the program run unhindered; OTL will reboot the PC when it is done.

Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Malwarebytes' Anti-Malware
If you have a previous version of Malwarebytes', remove it via Add or Remove Programs and download a fresh copy.

http://www.malwarebytes.org/mbam.php

SAVE Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.

* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.



Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.

It must be saved to your desktop; do not run it.

Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Rename this file -- (call it george.exe ) to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on george to start the program.



* Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console, then Continue. When the scan completes, Notepad will open with your results log. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your protection programs at this time.

Reboot now, please.

Post Back (copy/paste the .txt files, do not use attachments)
After following the above, post back with:

OTL Log
MBAM log
Combofix log

Also report any new problems or improvements. Did you get an Extras log when you ran OTL the first time? I'd like to see it if you did.


Ron
  • 0

#5 andrea22 (Member | Topic Starter | 139 posts)
All processes killed
========== OTL ==========
Error: No service named rpcapd) Remote Packet Capture Protocol v.0 (experimental was found to stop!
Service\Driver key rpcapd) Remote Packet Capture Protocol v.0 (experimental not found.
File C:\Program Files\WinPcap\rpcapd.exe not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFC482CE-DC40-497A-AE10-681C072F6F6A}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AFC482CE-DC40-497A-AE10-681C072F6F6A}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{6E6E744E-4D20-4ce3-9A7A-26DFFFE22F68} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E6E744E-4D20-4ce3-9A7A-26DFFFE22F68}\ not found.
File 602d-484a-8fe7-c1d894a011ba}\library\FSAddin-0.80.dll not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4B3803EA-5230-4DC3-A7FC-33638F3D3542} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4B3803EA-5230-4DC3-A7FC-33638F3D3542}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{F1273B21-0B77-4481-BFB9-0A3C399BE3FE} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F1273B21-0B77-4481-BFB9-0A3C399BE3FE}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\CursorXP not found.
File C:\Program Files\CursorXP\CursorXP.exe not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\TuneUp MemOptimizer not found.
File C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled not found.
File C:\Documents and Settings\Owner\Start Menu\Programs\Startup\AutorunsDisabled not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AutorunsDisabled\ not found.
========== FILES ==========
File\Folder C:\Program Files\WinPcap not found.
File\Folder C:\WINDOWS\tasks\1-Click Maintenance.job not found.
File\Folder C:\WINDOWS\tasks\Disk Cleanup.job not found.
File\Folder C:\Program Files\TuneUp Utilities 2008 not found.
File\Folder C:\WINDOWS\tasks\NTREGOPT.job not found.
File\Folder C:\WINDOWS\System32\TOSMgmt.dll not found.
File\Folder C:\WINDOWS\System32\drivers\readmem.sys not found.
File\Folder C:\WINDOWS\System32\CNMVS4d.DLL not found.
File\Folder C:\kmd.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Owner
->Temp folder emptied: 158960 bytes
->Temporary Internet Files folder emptied: 206085 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 36835730 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 607 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 36.00 mb


OTL by OldTimer - Version 3.2.1.1 log created on 04212010_164737

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

I have only done this one so far; I have had major problems with the system crashing when I go to click on 'reboot' after doing the scan, so I had to do it several times. I will get on to the 'Malwarebytes' part now.
  • 0

#6 andrea22 (Member | Topic Starter | 139 posts)
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4014

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

22/04/2010 11:48:25 AM
mbam-log-2010-04-22 (11-48-25).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 186361
Time elapsed: 14 hour(s), 34 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
  • 0

#7 andrea22 (Member | Topic Starter | 139 posts)
I'm now having trouble with the ComboFix thing! I've downloaded it, then couldn't disable AVG, so I opened Process Explorer, killed a few but not all processes, then I got a 'Process Explorer not responding' message, so I opened Task Manager, and now the whole machine is 'frozen'. So I've pulled the power cord out. Is that bad? What will happen now?
  • 0

#8 RKinner (Malware Expert | Expert | 24,625 posts | MVP)
It should restart OK. Process Explorer doesn't remove files, it just stops them from running. I have no experience with AVG. Several people have just uninstalled it and installed Avast for that same reason. Avast is better and easier to pause.
http://www.avast.com...ivirus-download
Also free, though you do have to register.

Ron
  • 0

#9 andrea22 (Member | Topic Starter | 139 posts)
I've tried to uninstall AVG and it won't work. I keep getting the message that there's a registry key error so there's an AVG file that can't be removed.
  • 0

#10 RKinner (Malware Expert | Expert | 24,625 posts | MVP)
Try:

http://www.avg.com/g.../download-tools

Ron
  • 0

#11 andrea22 (Member | Topic Starter | 139 posts)
Thanks for that. I've now removed AVG. I'm wondering if it would be better to run ComboFix before installing Avast?
  • 0

#12 RKinner (Malware Expert | Expert | 24,625 posts | MVP)
Go ahead and run ComboFix before you install Avast. Just don't do any surfing until you have Avast running.

Ron
  • 0

#13 andrea22 (Member | Topic Starter | 139 posts)
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2010-03-26 to 2010-04-26 )))))))))))))))))))))))))))))))
.

2010-04-21 09:34 . 2010-04-21 09:34 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-04-21 09:29 . 2010-03-29 14:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-21 09:28 . 2010-04-21 09:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-21 09:28 . 2010-03-29 14:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-21 09:28 . 2010-04-21 09:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-19 23:36 . 2010-04-20 00:16 -------- d-----w- C:\dda2b810a10e0b8b2fe3fdb40e0f
2010-04-19 08:34 . 2010-04-19 08:34 -------- d-----w- C:\_OTL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-25 09:32 . 2009-12-09 12:15 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-19 08:37 . 2008-02-14 18:10 -------- d-----r- c:\program files\CursorXP
2010-03-24 10:59 . 2007-12-04 02:06 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-16 06:28 . 2009-12-07 04:51 5632 --sha-w- c:\program files\Thumbs.db
2010-03-11 12:38 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-10 23:37 . 2008-02-02 03:22 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-09 11:09 . 2004-08-04 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2004-08-04 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 23:10 . 2004-08-04 12:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-04 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2009-03-30 08:55 . 2009-03-30 08:56 2863832 ----a-w- c:\program files\DeepBurner1.exe
2009-03-26 11:47 . 2009-03-26 11:47 568576 ----a-w- c:\program files\DVD43_4-4-0_Setup.exe
2009-03-26 11:10 . 2009-03-26 10:52 23224464 ----a-w- c:\program files\AVSDVDCopy.exe
2009-03-26 08:42 . 2009-03-26 08:42 4329014 ----a-w- c:\program files\burn4free_setup.exe
2008-10-24 14:44 . 2008-10-24 14:44 515626 ----a-w- c:\program files\buttonbook.htm
2008-10-19 03:48 . 2008-10-19 03:47 2934168 ----a-w- c:\program files\ccsetup212.exe
2008-10-02 21:12 . 2008-10-02 20:58 23510720 ----a-w- c:\program files\dotnetfx.exe
2008-10-02 20:32 . 2008-10-02 20:27 9584128 ----a-w- c:\program files\EL2_02_setup.msi
2008-09-29 11:35 . 2008-09-29 11:33 2318504 ----a-w- c:\program files\rcsetup119.exe
2008-09-27 11:49 . 2008-09-27 11:33 27288880 ----a-w- c:\program files\QuickTimeInstaller.exe
2008-08-03 11:09 . 2008-08-03 11:09 2922072 ----a-w- c:\program files\ccsetup210.exe
2008-03-19 11:10 . 2008-03-19 11:10 947270 ----a-w- c:\program files\flybu.exe
2008-03-18 02:32 . 2008-03-18 02:32 41083 ----a-w- c:\program files\mozillahistoryview1.zip
2003-06-25 06:05 . 2003-06-25 06:05 266360 ----a-r- c:\program files\TweakUI.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VirtualExpanderFile.1]
@="{E4000AC4-5E5F-4956-807A-C5854405D64F}"
[HKEY_CLASSES_ROOT\CLSID\{E4000AC4-5E5F-4956-807A-C5854405D64F}]
2008-03-07 15:09 73728 ----a-w- c:\windows\system32\VirtualExpander\VEShellExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2008-11-17 827904]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Owner\Start Menu\Programs\Startup\AutorunsDisabled
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\progra~1\SUPERA~1\SASSEH.DLL" [2008-09-01 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-09-01 19:01 352256 ----a-w- c:\progra~1\SUPERA~1\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\F:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\CodecInstaller\\codecinstaller.exe"=
"c:\\Program Files\\TOSHIBA\\TOSHIBA Management Console\\TOSMgmt.exe"=
"c:\\Program Files\\D-Link\\DSL-200\\dslstat.exe"=
"c:\\Program Files\\TOSHIBA\\TOSHIBA Management Console\\TOSExport.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\TOSHIBA\\NetDevSw\\netdevsw.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)

S1 SASDIFSV;SASDIFSV;c:\progra~1\SUPERA~1\SASDIFSV.SYS [2008-09-01 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-09-01 55024]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
S3 tridxp;tridxp;c:\windows\system32\DRIVERS\tridxpm.sys [2002-01-29 226560]

.
Contents of the 'Scheduled Tasks' folder

2010-04-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 02:34]

2010-04-19 c:\windows\Tasks\User_Feed_Synchronization-{5567DDCB-736C-4A8F-BC44-CD62B00B83AD}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:36]

2010-04-26 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-14 12:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: &Similar pages - c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\Web\gsimilar.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open in &new window - c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\Web\tuofinw.htm
IE: Search with &Google - c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\Web\gsearch.htm
Name-Space Handler: FTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: HTTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\kebix9fj.default\
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\kebix9fj.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

Notify-avgrsstarter - avgrsstx.dll
AddRemove-WinPcapInst - c:\program files\WinPcap\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-26 11:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1133866369-3020269276-266760441-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(960)
c:\progra~1\SUPERA~1\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(932)
c:\windows\system32\WININET.dll
c:\windows\system32\VirtualExpander\VEShellExt.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\windows\system32\ConnAPI.DLL
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
c:\program files\Maxtor\Utils\SyncServices.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\SUPERA~1\SUPERA~1.EXE
c:\docume~1\Owner\LOCALS~1\Temp\SSUPDATE.EXE
.
**************************************************************************
.
Completion time: 2010-04-26 12:21:29 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-26 02:21

Pre-Run: 11,544,412,160 bytes free
Post-Run: 11,499,225,088 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptOut

- - End Of File - - 13960677A34A2E0A9AA23C41AD3406DA
  • 0

#14 RKinner (Malware Expert | Expert | 24,625 posts | MVP)
Could you submit this program

c:\program files\flybu.exe

to http://virustotal.com

Let's see what they say about it.

Ron
  • 0
