Rootkit.Agent infection [Solved]


  • This topic is locked This topic is locked

#1
echet

Hi
A while back I had a problem with Virtumonde and you guys helped me out. Here's a link to that thread: http://www.geekstogo...ed-t273493.html

While I don't have any recurrence of that one, my PC started acting up again shortly after I cleaned it. I chalked it up to Windows being Windows, but lots of crazy stuff happening recently (BSODs, foreign programs wanting Internet access) led me to think I was either still or re-infected. A Malwarebytes scan hit 3 files, all associated with Rootkit.Agent. AVG Antivirus's rootkit scanner found nothing, but GMER did report rootkit-like activity.

System specs:
Dell Dimension 9100
Windows XP Pro, SP3

I ran the prerequisite programs TFC, ERUNT, MBAM, GMER and OTL. All ran fine except: the first time I ran GMER, part way into the scan I got a BSOD; the file RNDISMP.SYS caused a STOP error. I have the entire error message written out, including memory addresses, if needed. I had to boot into safe mode for it to run to completion. Hope that didn't affect the scan. Also, when I ran OTL, I only got one log file. There is no extras.txt. I remember this happening last time so I'm wondering if it was done away with or if my malware is interfering with it.

Here are the logs:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4143

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/25/2010 7:42:06 PM
mbam-log-2010-05-25 (19-42-06).txt

Scan type: Quick scan
Objects scanned: 141282
Time elapsed: 17 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Eric\Local Settings\temp\70.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Eric\Local Settings\temp\qoox.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Eric\Local Settings\Temporary Internet Files\Content.IE5\MSM92GYQ\yH321d989bV0100f080006R7b25c934102T669674f0201l0409317P000000070[1] (Rootkit.Agent) -> Quarantined and deleted successfully.

---------

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-25 21:03:16
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Eric\LOCALS~1\Temp\ffdoapob.sys


---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF745D514]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF744C282]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF744C474]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF745DD00]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF745DFB8]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF745C3FA]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF745E422]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF745D7D8]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF744BF32]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\atapi \Device\Ide\IdePort0 8AD6DEC0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 8AD6DEC0
Device \Driver\atapi \Device\Ide\IdePort1 8AD6DEC0
Device \Driver\atapi \Device\Ide\IdePort2 8AD6DEC0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 8AD6DEC0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 8AD6DEC0
Device \Driver\USB_RNDIS \Device\{62F78C4A-D970-4A38-B300-774A3180A88C} RNDISMP.SYS (Remote NDIS Miniport/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\AvgLdx86@RenameOnShutdown ?????p??avgrkx86.sys????????????????????Provides launch functionality for DCOM services.????%SystemRoot%\system32\svchost.exe -k netsvcs?c???????????:?????e?????:?=?=??0403?????????????p??????t???Manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.????????,?????????????????????????????? ??????????????p???????????????????????????Brother RemovableDisk(U)????C:\WINDOWS\system32\dlbtcoms.exe -service???Filter????????????????????????????8???????????h??????7?7?7???????????????.???????????????????e???%?%0.??%SystemRoot%\system32\svchost.exe -k netsvcs?i???????????????????????????????e?????????????g????????????????ca???%?%0???????????????????????AVG WatchDog????SCSI miniport????????????????F??tM??COM+ System Application?????100??K??primary_ide_channel??????????????6???????e??? (???????????????????,??????S?????
Reg HKLM\SYSTEM\CurrentControlSet\Services\AvgLdx86@RenameOnShutdown ???;?-??LegacyDriver? ??? ???;?????????????????7???7???7???;????? ???????7???????????7?O?????????????????????????????n?????sr????????-??? ^??<???O??????sD???????????????????.??????????Lo??????0???0????<?<?<?<?;????N??;???0??d4??{7b47881d-4d79-4369-adf5-d1293852d36b}?????????<????? ???????<?????????????P???????? ??? ????????,??? ???????,?????,?,??? ??;???,?????,?,??ndis5,ndis5_ip6??,?????;?????????8???????T?????????????????s?>??? ?????????????????????P???????????????????sin??x86 Family 15 Model 4 Stepping 3, GenuineIntel????????N??>???d?????sLe??enum?????<???;?????????????g????scheduler?loadbalance?avgfilter?failover????2?3?4????Q???;??? ??????????????l??????<?????????;???????????????????????????????????????????????<??Network Adapters????1?2?3?????????h??v?????????eTO???;?;?;?;?;?;????? ???<???????????????????????l???????P??IPv6 Helper Service????????????????G?????????<???M??? ???1???9?????e?:??? ???????S??????????? (??@???P?????nsc??????????????2???????????????????? ???????????????????<?P???????????????????
Reg HKLM\SYSTEM\ControlSet005\Services\AvgLdx86@RenameOnShutdown ?????????????????????5?????e????AVG Firewall?<??? ???????.??????????LocalSystem?S\??????????????????????????????????????????????t??????????????????????????????????g??????T???????????h?????\SystemRoot\System32\Drivers\avgldx86.sys?????4????????????e????AVG AVI Loader Driver x86????????????3??ms??????????????p????????????a??????????????????????????????????????????????????t\??AVG??????????????t??????ET???????????\?g\W??PNP_TDI?\A????T??????e????hsht??\SystemRoot\System32\Drivers\avgmfx86.sys?????X??????S?????em3??AVG On-access Scanner Minifilter Driver x86?????????????????????????????????p???????????????????????????????t?????????????????????????????????????????????????????????<???????????h?????System32\Drivers\avgrkx86.sys??????????????????e????avgrkx86.sys????????????????????????????????t?????????????????????????R???????????h?????\SystemRoot\System32\Drivers\avgtdix.sys????Base??????????0????????????e????AVG8 Network Redirector??????????????o??pm??????????????????????V????e?g?r???????????????????????? ????????

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 12: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- EOF - GMER 1.0.15 ----

OTL logfile created on: 5/26/2010 1:38:26 AM - Run 3
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Documents and Settings\Eric\Desktop\HelpApps
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 81.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 461.55 Gb Total Space | 283.11 Gb Free Space | 61.34% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: D7C2Q581
Current User Name: Eric
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/20 02:25:06 | 000,620,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/04/06 23:35:01 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Eric\Desktop\HelpApps\OTL.exe
PRC - [2010/03/29 13:33:28 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010/03/05 15:22:53 | 000,508,184 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/03/05 15:22:48 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/03/05 15:21:29 | 002,325,816 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgfws9.exe
PRC - [2010/03/05 15:21:23 | 000,916,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe
PRC - [2010/03/05 15:21:23 | 000,710,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2010/03/05 15:21:20 | 000,836,888 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgam.exe
PRC - [2010/02/02 00:10:14 | 007,418,368 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2010/02/02 00:10:10 | 007,424,000 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
PRC - [2010/01/07 14:09:38 | 000,105,632 | ---- | M] (Corel) -- C:\Program Files\Common Files\Corel\Standby\Standby.exe
PRC - [2009/12/30 19:47:38 | 000,523,408 | ---- | M] (Corel, Inc.) -- C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
PRC - [2009/10/04 00:39:11 | 000,160,592 | ---- | M] (Siber Systems) -- C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/04 14:37:59 | 000,088,584 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\Gaming Software\LWEMon.exe
PRC - [2007/07/24 12:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) -- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
PRC - [2005/04/25 09:50:08 | 000,139,264 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2005/04/25 09:49:52 | 000,086,142 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
PRC - [2005/03/23 00:20:44 | 000,339,968 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2005/01/27 02:02:00 | 000,086,016 | ---- | M] () -- C:\Program Files\Dell\Media Experience\DMXLauncher.exe
PRC - [2004/08/14 02:11:16 | 001,533,952 | ---- | M] (Cisco Linksys Corporation) -- C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GS.exe
PRC - [2004/07/27 17:50:18 | 000,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2004/03/10 21:57:06 | 000,045,056 | ---- | M] () -- C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
PRC - [2004/02/06 23:56:14 | 000,041,025 | ---- | M] (GEMTEKS) -- C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
PRC - [2003/10/29 03:06:00 | 000,024,576 | R--- | M] (BVRP Software) -- C:\Program Files\Digital Line Detect\DLG.exe
PRC - [2003/09/17 11:43:36 | 000,057,344 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
PRC - [2003/06/18 02:00:00 | 000,045,056 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.exe


========== Modules (SafeList) ==========

MOD - [2010/04/06 23:35:01 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Eric\Desktop\HelpApps\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Running] -- -- (WUSB54GSSVC)
SRV - [2010/03/05 15:22:48 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/03/05 15:21:29 | 002,325,816 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgfws9.exe -- (avgfws9)
SRV - [2010/03/05 15:21:23 | 000,916,760 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2010/02/19 20:30:16 | 000,067,360 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Disabled | Stopped] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2007/07/24 12:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) [Auto | Running] -- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe -- (PSI_SVC_2)
SRV - [2005/04/25 09:49:52 | 000,086,142 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe -- (IAANTMon) Intel®
SRV - [2004/10/25 22:01:52 | 000,421,888 | ---- | M] (Dell) [On_Demand | Stopped] -- C:\WINDOWS\System32\dlbtcoms.exe -- (dlbt_device)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 1A 4A 9A DF 86 B5 CA 01 [binary data]
IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
FF - prefs.js..browser.search.selectedEngine: "Yahoo! Search"
FF - prefs.js..browser.startup.homepage: "http://www.comcast.net"
FF - prefs.js..extensions.enabledItems: {22119944-ED35-4ab1-910B-E619EA06A115}:6.9.97
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.812
FF - prefs.js..extensions.enabledItems: avg@igeared:4.002.023.004
FF - prefs.js..extensions.enabledItems: [email protected]:1.2
FF - prefs.js..extensions.enabledItems: {0545b830-f0aa-4d7e-8820-50a4629a56fe}:4.6
FF - prefs.js..extensions.enabledItems: {1280606b-2510-4fe0-97ef-9b5a22eafe41}:1.0.9
FF - prefs.js..extensions.enabledItems: {1018e4d6-728f-4b20-ad56-37578a4de76b}:4.0.5
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {35106bca-6c78-48c7-ac28-56df30b51d2a}:1.3.8
FF - prefs.js..extensions.enabledItems: [email protected]:7
FF - prefs.js..extensions.enabledItems: [email protected]:2.0
FF - prefs.js..extensions.enabledItems: {02450954-cdd9-410f-b1da-db804e18c671}:0.96.3
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.2.20100119091315
FF - prefs.js..keyword.URL: "http://us.yhs.search...?...tb-web_us="


FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2010/04/22 21:36:30 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{22119944-ED35-4ab1-910B-E619EA06A115}: C:\Program Files\Siber Systems\AI RoboForm\Firefox [2009/08/18 15:01:44 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared [2010/03/27 15:39:26 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/08 14:24:09 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/13 22:55:01 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.1\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/02/17 18:29:06 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.1\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2010/02/09 05:08:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eric\Application Data\Mozilla\Extensions
[2010/02/09 05:08:44 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Eric\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2010/05/25 18:30:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\gqhqshtr.default\extensions
[2010/04/05 23:08:13 | 000,000,000 | ---D | M] (Screengrab) -- C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\gqhqshtr.default\extensions\{02450954-cdd9-410f-b1da-db804e18c671}
[2010/05/14 23:15:14 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\gqhqshtr.default\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}
[2010/05/14 23:15:14 | 000,000,000 | ---D | M] (Flagfox) -- C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\gqhqshtr.default\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
[2010/01/09 02:26:08 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\gqhqshtr.default\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe41}
[2010/05/03 15:07:33 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\gqhqshtr.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/03/13 23:40:22 | 000,000,000 | ---D | M] (Linkification) -- C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\gqhqshtr.default\extensions\{35106bca-6c78-48c7-ac28-56df30b51d2a}
[2010/03/13 23:40:24 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\gqhqshtr.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/09/23 12:45:20 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\gqhqshtr.default\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}
[2009/10/02 15:44:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\gqhqshtr.default\extensions\[email protected]
[2009/09/30 01:20:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\gqhqshtr.default\extensions\[email protected]
[2010/05/25 18:30:58 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/13 22:55:02 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/05/13 22:54:49 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2009/09/15 22:27:59 | 000,238,776 | ---- | M] (Pando Networks) -- C:\Program Files\Mozilla Firefox\plugins\npPandoWebInst.dll
[2009/08/17 16:39:27 | 000,693,048 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npybrowserplus_2.4.17.dll
[2010/02/17 17:37:01 | 000,122,856 | ---- | M] (NOS Microsystems Ltd.) -- C:\Program Files\Mozilla Firefox\plugins\np_IEGetPlugin.dll

O1 HOSTS File: ([2010/04/08 16:10:15 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll File not found
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [DLBTCATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.DLL ()
O4 - HKLM..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe ()
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [ISUSPM Startup] c:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [Lexmark X73 Button Manager] C:\Program Files\LexmarkX73\AcBtnMgr_X73.exe (Jetsoft Development Company)
O4 - HKLM..\Run: [Lexmark X73 Button Monitor] C:\Program Files\LexmarkX73\ACMonitor_X73.exe (Silitek Corp.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [Standby] c:\Program Files\Common Files\Corel\Standby\Standby.exe (Corel)
O4 - HKLM..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe (Logitech Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe File not found
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\Updreg.EXE (Creative Technology Ltd.)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe ()
O4 - HKLM..\Run: [WUSB54GS] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe ()
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)
O4 - HKCU..\Run: [Corel Photo Downloader] C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe (Corel, Inc.)
O4 - HKCU..\Run: [DellSupport] C:\Program Files\Dell Support\DSAgnt.exe (Gteko Ltd.)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (Siber Systems)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Eric\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Customize Menu - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html ()
O8 - Extra context menu item: Fill Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll (Google Inc.)
O8 - Extra context menu item: RoboForm Toolbar - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O8 - Extra context menu item: Save Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra Button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra 'Tools' menuitem : RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O16 - DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} http://srtest-cdn.sy...eqlabdetect.cab (Reg Error: Key error.)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: C:\Documents and Settings\Eric\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Eric\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 18:15:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: Ias - C:\WINDOWS\system32\ias [2004/08/11 18:02:12 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.dvacm - c:\Program Files\Common Files\Ulead Systems\VIO\DVACM.acm (Corel TW Corp.)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.MPEGacm - c:\Program Files\Common Files\Ulead Systems\MPEG\MPEGACM.acm (Ulead Systems, Inc.)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: msacm.ulmp3acm - c:\Program Files\Common Files\Ulead Systems\MPEG\ulmp3acm.acm (Ulead systems)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: wave1 - C:\WINDOWS\System32\serwvdrv.dll (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 14 Days ==========

[2100/02/08 16:03:54 | 000,053,248 | ---- | C] (Silitek Corp.) -- C:\Program Files\ACMonitor_X73.exe
[2010/05/25 17:40:29 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/05/25 17:26:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eric\Application Data\Windows Desktop Search
[2010/05/25 17:26:17 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Desktop Search
[2010/05/25 17:26:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\GroupPolicy
[2010/05/22 13:09:24 | 016,555,584 | ---- | C] (Xceed Software Inc. 1-450-442-2626 [email protected] www.xceedsoft.com) -- C:\Documents and Settings\Eric\Desktop\R130119.EXE
[2009/11/22 05:47:33 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/11/22 05:47:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/11/22 05:47:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/08/18 14:23:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\McAfee.com Personal Firewall
[2005/08/16 23:10:20 | 000,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[2001/05/30 20:57:08 | 000,018,024 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\Lxarscan.sys

========== Files - Modified Within 14 Days ==========

[2010/05/26 01:30:36 | 000,000,047 | ---- | M] () -- C:\WINDOWS\ACMonitor_X73.ini
[2010/05/26 01:29:23 | 000,007,275 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/05/26 01:29:21 | 000,000,266 | ---- | M] () -- C:\WINDOWS\X73_DS.ini
[2010/05/26 01:29:13 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/26 01:28:59 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2010/05/26 01:28:50 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/26 01:28:45 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/26 01:28:43 | 3219,296,256 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/26 01:27:30 | 008,912,896 | -H-- | M] () -- C:\Documents and Settings\Eric\NTUSER.DAT
[2010/05/26 01:27:29 | 000,031,056 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000005-00000000-00000004-00001102-00000004-20061102}.rfx
[2010/05/26 01:27:29 | 000,031,056 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000005-00000000-00000004-00001102-00000004-20061102}.rfx
[2010/05/26 01:27:29 | 000,030,528 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000005-00000000-00000004-00001102-00000004-20061102}.rfx
[2010/05/26 01:27:29 | 000,030,528 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000005-00000000-00000004-00001102-00000004-20061102}.rfx
[2010/05/26 01:27:29 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2010/05/26 01:27:29 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2010/05/26 01:27:29 | 000,000,384 | ---- | M] () -- C:\WINDOWS\System32\DVCStateBkp-{00000005-00000000-00000004-00001102-00000004-20061102}.dat
[2010/05/26 01:27:29 | 000,000,384 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000005-00000000-00000004-00001102-00000004-20061102}.dat
[2010/05/26 01:27:07 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Eric\ntuser.ini
[2010/05/25 18:14:09 | 003,711,780 | -H-- | M] () -- C:\Documents and Settings\Eric\Local Settings\Application Data\IconCache.db
[2010/05/25 17:34:54 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Eric\Local Settings\Application Data\prvlcl.dat
[2010/05/25 17:27:05 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/05/25 17:26:26 | 000,001,787 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
[2010/05/25 17:26:23 | 000,549,368 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/05/25 17:26:23 | 000,466,414 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/05/25 17:26:23 | 000,079,630 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/05/25 13:36:15 | 060,360,981 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/05/24 23:36:05 | 000,000,726 | ---- | M] () -- C:\WINDOWS\dellstat.ini
[2010/05/24 23:25:28 | 004,932,819 | ---- | M] () -- C:\WINDOWS\{00000005-00000000-00000004-00001102-00000004-20061102}.CDF
[2010/05/22 13:09:24 | 016,555,584 | ---- | M] (Xceed Software Inc. 1-450-442-2626 [email protected] www.xceedsoft.com) -- C:\Documents and Settings\Eric\Desktop\R130119.EXE
[2010/05/22 03:27:06 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/05/22 03:27:05 | 000,047,104 | ---- | M] () -- C:\Documents and Settings\Eric\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/21 22:44:47 | 000,590,284 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\iavifw.avm
[2010/05/21 01:02:33 | 000,012,171 | ---- | M] () -- C:\Documents and Settings\Eric\My Documents\2010tips.ods
[2010/05/18 03:19:27 | 000,000,600 | ---- | M] () -- C:\Documents and Settings\Eric\Local Settings\Application Data\PUTTY.RND
[2010/05/17 00:04:12 | 000,000,036 | -H-- | M] () -- C:\WINDOWS\System32\f9t.dat

========== Files Created - No Company Name ==========

[2100/02/08 15:53:34 | 000,001,437 | ---- | C] () -- C:\WINDOWS\GtX73.ini
[2100/02/08 15:53:34 | 000,001,437 | ---- | C] () -- C:\Program Files\gtx73.ini
[2099/01/01 12:00:00 | 000,006,456 | -H-- | C] () -- C:\WINDOWS\System32\yutimuwi
[2010/05/26 01:17:12 | 3219,296,256 | -HS- | C] () -- C:\hiberfil.sys
[2010/05/25 17:26:26 | 000,001,787 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
[2010/04/06 14:45:06 | 000,002,692 | ---- | C] () -- C:\Documents and Settings\Eric\avgrep.txt
[2010/02/28 15:46:06 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2010/02/17 19:07:12 | 000,000,088 | RHS- | C] () -- C:\Documents and Settings\All Users\Application Data\3DD9423E2F.sys
[2010/02/17 19:07:10 | 000,002,828 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
[2010/02/01 21:43:10 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Eric\Local Settings\Application Data\prvlcl.dat
[2010/01/13 19:50:42 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Eric\Local Settings\Application Data\PUTTY.RND
[2009/12/25 22:25:56 | 000,000,023 | ---- | C] () -- C:\WINDOWS\BlendSettings.ini
[2009/11/28 22:26:46 | 000,016,456 | ---- | C] () -- C:\WINDOWS\System32\pwdrvio.sys
[2009/11/28 22:26:46 | 000,011,088 | ---- | C] () -- C:\WINDOWS\System32\pwdspio.sys
[2009/11/28 21:04:52 | 000,014,976 | ---- | C] () -- C:\WINDOWS\System32\drivers\SBKUPNT.SYS
[2009/11/28 21:04:52 | 000,000,543 | ---- | C] () -- C:\WINDOWS\SWISV3.INI
[2009/11/28 21:04:51 | 000,000,287 | ---- | C] () -- C:\WINDOWS\SKNIFE.INI
[2009/11/28 21:04:19 | 000,002,799 | ---- | C] () -- C:\WINDOWS\SKLANG.INI
[2009/10/03 23:27:11 | 000,047,104 | ---- | C] () -- C:\Documents and Settings\Eric\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/09/15 23:09:41 | 000,000,045 | ---- | C] () -- C:\Documents and Settings\Eric\jagex_runescape_preferences2.dat
[2009/09/15 23:08:33 | 000,000,037 | ---- | C] () -- C:\Documents and Settings\Eric\jagex_runescape_preferences.dat
[2009/08/26 11:33:57 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\Eric\default.pls
[2009/08/26 11:33:42 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/08/18 14:34:23 | 000,651,264 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2009/08/18 14:34:23 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2009/08/18 14:34:23 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\GTW32N50.dll
[2009/08/18 14:34:04 | 000,001,733 | ---- | C] () -- C:\WINDOWS\System32\WLAN.INI
[2009/08/18 14:26:36 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2009/08/18 14:23:26 | 000,000,726 | ---- | C] () -- C:\WINDOWS\dellstat.ini
[2009/08/18 14:22:43 | 000,000,310 | ---- | C] () -- C:\Documents and Settings\Eric\convert.log
[2009/08/18 14:22:38 | 008,912,896 | -H-- | C] () -- C:\Documents and Settings\Eric\NTUSER.DAT
[2009/08/18 14:22:38 | 000,020,480 | -H-- | C] () -- C:\Documents and Settings\Eric\ntuser.dat.LOG
[2009/08/18 14:22:38 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\Eric\ntuser.ini
[2009/08/18 14:22:02 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT
[2009/08/18 14:22:02 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT.LOG
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2005/08/16 23:23:44 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/08/16 23:18:46 | 000,000,450 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/08/16 23:12:57 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/08/16 23:10:42 | 000,000,231 | ---- | C] () -- C:\WINDOWS\AC3API.INI
[2005/08/16 23:10:22 | 000,014,424 | ---- | C] () -- C:\WINDOWS\System32\Aud2_Del.ini
[2005/08/16 23:10:22 | 000,000,030 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2005/08/16 23:10:20 | 000,000,194 | ---- | C] () -- C:\WINDOWS\System32\KILL.INI
[2005/08/16 23:10:00 | 000,000,136 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2005/08/16 22:44:58 | 000,000,430 | ---- | C] () -- C:\WINDOWS\System32\dlbtplc.ini
[2005/08/16 22:44:12 | 000,000,375 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/01/28 09:08:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/11/09 19:11:08 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\dlbtcur.dll
[2004/11/09 19:10:28 | 000,573,440 | ---- | C] () -- C:\WINDOWS\System32\dlbtjswr.dll
[2004/11/09 19:05:58 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\dlbtcu.dll
[2004/11/09 18:59:26 | 000,405,504 | ---- | C] () -- C:\WINDOWS\System32\dlbtutil.dll
[2004/08/23 15:42:30 | 000,131,072 | ---- | C] () -- C:\WINDOWS\System32\dlbtsnls.dll
[2004/08/23 15:40:14 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\dlbtcoin.dll
[2004/08/11 18:24:19 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/11 18:11:31 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2003/10/08 15:09:46 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlbtvs.dll
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/07/20 10:48:06 | 000,008,116 | ---- | C] () -- C:\Program Files\OSLO3071b2.USB
[2001/06/27 11:29:20 | 000,001,094 | ---- | C] () -- C:\WINDOWS\Lexmark_ICM.ini
[2000/12/05 15:56:34 | 000,114,688 | ---- | C] () -- C:\WINDOWS\lxarscan.dll
[2000/12/05 15:56:34 | 000,114,688 | ---- | C] () -- C:\Program Files\lxarscan.dll
[2000/10/24 09:08:36 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\LFKODAK.DLL
[2000/10/24 09:08:33 | 000,338,944 | ---- | C] () -- C:\WINDOWS\System32\lffpx7.dll
[2000/01/11 12:50:48 | 000,000,047 | ---- | C] () -- C:\WINDOWS\ACMonitor_X73.ini
[2000/01/11 12:50:48 | 000,000,047 | ---- | C] () -- C:\Program Files\ACMonitor_X73.ini
[2000/01/11 12:42:22 | 000,000,266 | ---- | C] () -- C:\WINDOWS\X73_DS.ini
[1964/01/18 08:07:18 | 000,000,768 | ---- | C] () -- C:\Program Files\x73_lut.dat

========== LOP Check ==========

[2009/11/22 14:06:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2009/11/22 05:49:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2009/09/23 12:46:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Azureus
[2010/02/17 18:27:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InterVideo
[2009/09/17 03:29:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Last.fm
[2009/09/15 22:30:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PMB Files
[2009/08/18 15:01:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RoboForm
[2009/09/22 01:19:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Soulseek
[2010/02/13 19:35:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/02/17 18:27:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems
[2009/08/22 14:25:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{92D9D9C1-B27F-45B5-BC1E-C7896D0B2FAA}
[2010/04/08 17:11:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eric\Application Data\AVG9
[2010/01/13 21:31:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eric\Application Data\Azureus
[2010/02/14 01:59:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eric\Application Data\CoffeeCup Software
[2009/08/25 04:56:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eric\Application Data\Leadertech
[2010/04/07 03:09:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eric\Application Data\OpenOffice.org
[2009/08/27 23:18:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eric\Application Data\Opera
[2009/08/24 22:45:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eric\Application Data\Stamps.com Internet Postage
[2010/04/09 00:00:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eric\Application Data\SystemRequirementsLab
[2010/02/09 05:08:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eric\Application Data\Thunderbird
[2010/02/17 18:30:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eric\Application Data\Ulead Systems
[2010/05/25 17:26:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eric\Application Data\Windows Desktop Search
[2010/05/26 01:28:59 | 000,000,236 | ---- | M] () -- C:\WINDOWS\Tasks\OGALogon.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2004/08/11 18:15:00 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2009/09/20 14:34:58 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/04/08 15:59:05 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | ---- | M] () -- C:\cmldr
[2010/04/10 13:27:21 | 000,865,784 | ---- | M] () -- C:\ComboFix.txt
[2004/08/11 18:15:00 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2005/08/16 22:56:06 | 000,006,569 | RH-- | M] () -- C:\dell.sdr
[2009/08/18 14:23:06 | 000,000,100 | ---- | M] () -- C:\dlbt.log
[2010/05/26 01:28:43 | 3219,296,256 | -HS- | M] () -- C:\hiberfil.sys
[2010/02/24 03:47:23 | 011,225,082 | ---- | M] () -- C:\immudebug.log
[2009/08/18 15:19:00 | 000,004,128 | ---- | M] () -- C:\INFCACHE.1
[2004/08/11 18:15:00 | 000,000,000 | -H-- | M] () -- C:\IO.SYS
[2005/08/16 23:17:32 | 000,000,838 | -H-- | M] () -- C:\IPH.PH
[2009/09/15 13:50:49 | 000,000,065 | ---- | M] () -- C:\jetscan.log
[2010/05/25 17:01:17 | 000,000,109 | ---- | M] () -- C:\mbam-error.txt
[2009/09/20 00:24:34 | 000,000,016 | --S- | M] () -- C:\mnt
[2004/08/11 18:15:00 | 000,000,000 | -H-- | M] () -- C:\MSDOS.SYS
[2004/08/04 06:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2010/01/18 17:06:17 | 000,250,048 | ---- | M] () -- C:\ntldr
[2010/05/26 01:28:42 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys
[2005/08/16 23:17:38 | 000,000,087 | ---- | M] () -- C:\SystemInfo.ini
[2010/04/06 20:27:07 | 000,000,408 | ---- | M] () -- C:\VundoFix.txt

< %systemroot%*./mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

Invalid Environment Variable:

< %systemroot%\System32\config\*.sav >
[2004/08/11 18:06:14 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2004/08/11 18:06:14 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2004/08/11 18:06:14 | 000,876,544 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /180 >
[2010/03/05 15:21:23 | 000,216,200 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgldx86.sys
[2010/03/05 15:22:53 | 000,029,512 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgmfx86.sys
[2010/03/05 15:21:20 | 000,052,872 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgrkx86.sys
[2010/04/20 02:25:06 | 000,242,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgtdix.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
[2010/02/10 16:41:08 | 000,015,648 | ---- | M] (Meetinghouse Data Communications) -- C:\WINDOWS\system32\drivers\mdc8021x.sys
[2010/02/24 09:11:07 | 000,455,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\mrxsmb.sys
[2009/12/31 12:50:03 | 000,353,792 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\srv.sys
[2010/02/11 08:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\tcpip6.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >
#2
Thunderbird1988

    Member 2k

  • 2,416 posts
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
#3
echet

    Member

  • Topic Starter
  • 75 posts
Thank you for replying. Here is the ComboFix log:

ComboFix 10-05-29.05 - Eric 05/30/2010 13:27:07.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2561 [GMT -4:00]
Running from: c:\documents and settings\Eric\Desktop\ComboFix.exe
AV: AVG Anti-Virus plus Firewall *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.

((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-30 )))))))))))))))))))))))))))))))
.

2100-02-08 20:03 . 2001-05-11 15:39 53248 ----a-w- c:\program files\ACMonitor_X73.exe
2010-05-26 18:19 . 2010-05-26 18:16 1129120 ----a-w- c:\documents and settings\All Users\Application Data\STOPzilla!\vdb\vbcorent.dll
2010-05-26 18:15 . 2010-05-26 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-05-26 18:15 . 2010-05-26 18:15 233472 ---ha-w- C:\SZKGFS.dat
2010-05-26 18:14 . 2010-05-30 16:55 -------- d-----w- c:\program files\STOPzilla!
2010-05-26 18:14 . 2010-05-30 16:45 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-05-26 18:14 . 2010-05-26 18:14 -------- d-----w- c:\program files\Common Files\iS3
2010-05-26 00:59 . 2010-05-26 00:59 546240 ----a-r- c:\windows\system32\SZComp5.dll
2010-05-26 00:59 . 2010-05-26 00:59 22976 ----a-r- c:\windows\system32\SZIO5.dll
2010-05-26 00:59 . 2010-05-26 00:59 132544 ----a-r- c:\windows\system32\IS3HTUI5.dll
2010-05-26 00:59 . 2010-05-26 00:59 99776 ----a-r- c:\windows\system32\IS3Svc5.dll
2010-05-26 00:59 . 2010-05-26 00:59 67008 ----a-r- c:\windows\system32\IS3Hks5.dll
2010-05-26 00:59 . 2010-05-26 00:59 447936 ----a-r- c:\windows\system32\SZBase5.dll
2010-05-26 00:59 . 2010-05-26 00:59 398784 ----a-r- c:\windows\system32\IS3DBA5.dll
2010-05-26 00:59 . 2010-05-26 00:59 28608 ----a-r- c:\windows\system32\IS3XDat5.dll
2010-05-26 00:59 . 2010-05-26 00:59 99776 ----a-r- c:\windows\system32\IS3Inet5.dll
2010-05-26 00:59 . 2010-05-26 00:59 738752 ----a-r- c:\windows\system32\IS3Base5.dll
2010-05-26 00:59 . 2010-05-26 00:59 390592 ----a-r- c:\windows\system32\IS3UI5.dll
2010-05-26 00:59 . 2010-05-26 00:59 230848 ----a-r- c:\windows\system32\IS3Win325.dll
2010-05-25 21:26 . 2010-05-25 21:26 -------- d-----w- c:\documents and settings\Eric\Application Data\Windows Desktop Search
2010-05-25 21:26 . 2010-05-26 17:38 -------- d-----w- c:\program files\Windows Desktop Search
2010-05-25 21:26 . 2010-05-25 21:26 -------- d-----w- c:\windows\system32\GroupPolicy
2010-05-25 21:25 . 2008-03-07 17:02 98304 ------w- c:\windows\system32\dllcache\nlhtml.dll
2010-05-25 21:25 . 2008-03-07 17:02 29696 ------w- c:\windows\system32\dllcache\mimefilt.dll
2010-05-25 21:25 . 2008-03-07 17:02 192000 ------w- c:\windows\system32\dllcache\offfilt.dll
2010-05-25 21:25 . 2010-04-16 11:43 41984 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-05-14 02:55 . 2010-05-14 02:54 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-12 22:01 . 2010-05-12 22:01 59280 ----a-r- c:\windows\system32\drivers\SZKGFS.sys
2010-05-04 22:51 . 2010-04-13 07:02 922400 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\JRERunOnce.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-30 17:24 . 2005-08-17 03:10 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000005-00000000-00000004-00001102-00000004-20061102}.dat
2010-05-30 17:24 . 2005-08-17 03:10 384 ----a-w- c:\windows\system32\DVCState-{00000005-00000000-00000004-00001102-00000004-20061102}.dat
2010-05-30 02:35 . 2010-02-02 01:43 0 ----a-w- c:\documents and settings\Eric\Local Settings\Application Data\prvlcl.dat
2010-05-26 07:07 . 2009-09-28 05:46 -------- d-----w- c:\documents and settings\Eric\Application Data\vlc
2010-05-25 21:01 . 2009-09-18 20:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-25 03:36 . 2009-08-18 18:23 -------- d-----w- c:\program files\Dl_cats
2010-05-20 22:03 . 2010-04-07 07:09 1 ----a-w- c:\documents and settings\Eric\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-05-18 04:17 . 2010-03-10 02:17 -------- d-----w- c:\documents and settings\Eric\Application Data\dvdcss
2010-05-17 04:04 . 2009-08-22 18:25 36 ---ha-w- c:\windows\system32\f9t.dat
2010-05-14 02:54 . 2005-08-17 03:06 -------- d-----w- c:\program files\Java
2010-05-04 22:51 . 2005-08-17 03:06 -------- d-----w- c:\program files\Common Files\Java
2010-05-03 08:18 . 2009-08-28 03:18 -------- d-----w- c:\program files\Opera
2010-04-29 19:39 . 2010-04-07 04:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-04-07 04:24 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-24 18:43 . 2010-04-24 18:43 -------- d-----w- c:\program files\Charonware
2010-04-20 06:25 . 2009-08-18 19:19 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-12 08:22 . 2010-04-12 08:10 -------- d-----w- c:\program files\SpywareBlaster
2010-04-10 17:14 . 2010-01-24 02:53 -------- d-----w- c:\program files\Aqua Data Studio 8.0 - 32bit
2010-04-09 04:00 . 2009-11-09 18:42 -------- d-----w- c:\program files\SystemRequirementsLab
2010-04-09 04:00 . 2010-04-09 04:00 85504 ----a-w- c:\documents and settings\Eric\Application Data\SystemRequirementsLab\srlproxy_cyri_4.1.71.0A.dll
2010-04-09 04:00 . 2010-04-09 04:00 -------- d-----w- c:\documents and settings\Eric\Application Data\SystemRequirementsLab
2010-04-08 21:11 . 2010-04-08 21:11 -------- d-----w- c:\documents and settings\Eric\Application Data\AVG9
2010-04-08 20:09 . 2009-09-17 20:48 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-08 19:52 . 2009-09-17 20:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-07 18:46 . 2009-08-20 04:13 54984 ----a-w- c:\documents and settings\Eric\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-07 07:09 . 2010-04-07 07:09 -------- d-----w- c:\documents and settings\Eric\Application Data\OpenOffice.org
2010-04-07 04:20 . 2010-04-07 04:18 -------- d-----w- c:\program files\ERUNT
2010-04-07 02:14 . 2010-04-07 02:14 61440 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-536f52f5-n\decora-sse.dll
2010-04-07 02:14 . 2010-04-07 02:14 503808 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2a891397-n\msvcp71.dll
2010-04-07 02:14 . 2010-04-07 02:14 499712 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2a891397-n\jmc.dll
2010-04-07 02:14 . 2010-04-07 02:14 348160 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2a891397-n\msvcr71.dll
2010-04-07 02:14 . 2010-04-07 02:14 12800 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-536f52f5-n\decora-d3d.dll
2010-04-06 06:29 . 2010-04-06 06:29 -------- d-----w- c:\program files\JRE
2010-04-06 06:29 . 2010-04-06 05:23 -------- d-----w- c:\program files\OpenOffice.org 3
2010-04-06 05:22 . 2009-08-18 19:26 -------- d-----w- c:\program files\OpenOffice.org 2.2
2010-03-16 07:55 . 2010-02-17 23:07 2828 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-03-16 07:55 . 2010-02-17 23:07 2828 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-03-16 07:54 . 2010-02-17 23:07 88 --sh--r- c:\documents and settings\All Users\Application Data\3DD9423E2F.sys
2010-03-16 07:54 . 2010-02-17 23:07 88 --sh--r- c:\documents and settings\All Users\Application Data\3DD9423E2F.sys
2010-03-12 09:25 . 2010-03-12 09:25 11100320 ----a-w- c:\documents and settings\All Users\Application Data\Corel\Downloads\540243425_610032\1268251660525\PSPPX3_Patch1.exe
2010-03-10 06:15 . 2004-08-11 22:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-05 19:22 . 2010-03-05 19:22 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-05 19:22 . 2009-08-18 19:19 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-05 19:21 . 2009-08-18 19:19 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-05 19:21 . 2009-08-18 19:19 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2001-07-26 20:58 . 2000-01-11 16:50 47 ----a-w- c:\program files\ACMonitor_X73.ini
2001-07-05 16:46 . 2001-07-20 14:48 8116 ----a-w- c:\program files\OSLO3071b2.USB
2001-05-08 20:36 . 2000-12-05 19:56 114688 ----a-w- c:\program files\lxarscan.dll
2001-04-23 18:22 . 2100-02-08 19:53 1437 ----a-w- c:\program files\gtx73.ini
2001-02-22 13:54 . 1964-01-18 12:07 768 ----a-w- c:\program files\x73_lut.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1115392]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1115392]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1115392]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2005-05-15 332800]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-10-04 160592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-11 290816]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"WUSB54GS"="c:\program files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe" [2004-04-19 24576]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-11-12 4583424]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-10-04 160592]

c:\documents and settings\Eric\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-8-16 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-05 19:22 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
2009-12-30 23:47 523408 ----a-w- c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X73 Button Manager]
2001-07-11 16:08 53248 ----a-w- c:\progra~1\LEXMAR~1\AcBtnMgr_X73.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X73 Button Monitor]
2001-10-08 20:21 53248 ----a-w- c:\progra~1\LEXMAR~1\ACMonitor_X73.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 20:09 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2005-08-17 03:17 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-03-07 20:43 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"YahooAUService"=2 (0x2)
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"szserver"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Torrentprivacy\\Torrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgchsvx.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Torrentprivacy\\SSHTunel.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56580:TCP"= 56580:TCP:Pando Media Booster
"56580:UDP"= 56580:UDP:Pando Media Booster

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [8/18/2009 3:19 PM 52872]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [9/18/2009 4:00 PM 130936]
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [12/7/2009 5:59 PM 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [5/12/2010 6:01 PM 59280]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/18/2009 3:19 PM 216200]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/18/2009 3:19 PM 242896]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/5/2010 3:21 PM 916760]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/5/2010 3:22 PM 308064]
R2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [3/5/2010 3:21 PM 2325816]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [11/28/2009 9:04 PM 14976]
R2 WUSB54GSSVC;WUSB54GSSVC;c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe [2/10/2010 4:41 PM 41025]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [8/18/2009 3:18 PM 30104]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [12/7/2009 5:59 PM 61328]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [8/18/2009 3:18 PM 30104]
S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [11/28/2009 10:26 PM 16456]
S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [11/28/2009 10:26 PM 11088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-05-30 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uInternet Settings,ProxyOverride = <local>
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
FF - ProfilePath - c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\gqhqshtr.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - plugin: c:\documents and settings\Eric\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\Eric\Local Settings\Application Data\Yahoo!\BrowserPlus\2.6.0\Plugins\npybrowserplus_2.6.0.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np_IEGetPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npybrowserplus_2.4.17.dll
FF - plugin: c:\program files\Opera\program\plugins\np_IEGetPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-30 13:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9c,81,d9,4d,75,ae,74,43,86,61,b8,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9c,81,d9,4d,75,ae,74,43,86,61,b8,\
.
Completion time: 2010-05-30 13:40:44
ComboFix-quarantined-files.txt 2010-05-30 17:40
ComboFix2.txt 2010-04-10 17:27

Pre-Run: 303,316,541,440 bytes free
Post-Run: 303,275,732,992 bytes free

Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 4EF54A72FFCAD2F72AF08086EB33E438

#4 echet (Member, Topic Starter, 75 posts)
Just an update on the PC's condition: GMER no longer initially reports rootkit activity but I'm still getting BSODs.

#5 Thunderbird1988 (Member 2k, 2,416 posts)
Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


#6 echet (Member, Topic Starter, 75 posts)
Here you go:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=4764a21df16a0e44adef4c93bfc933ad
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-06-02 08:07:34
# local_time=2010-06-02 04:07:34 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1029 16777173 100 100 0 15697721 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 21060298 21060298 0 0
# scanned=146667
# found=4
# cleaned=4
# scan_time=10146
C:\Documents and Settings\Eric\Desktop\Nero-7.8.5.0_eng_trial.exe Win32/Toolbar.AskSBar application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Eric\Desktop\HelpApps\RegistryEasy.exe a variant of Win32/Adware.RegistryEasy application (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP43\A0022691.exe Win32/Toolbar.AskSBar application (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP43\A0022692.exe a variant of Win32/Adware.RegistryEasy application (deleted - quarantined) 00000000000000000000000000000000 C

Edited by echet, 02 June 2010 - 02:17 PM.
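An added example for reading the log above mechanically; it is not ESET's code and not from anyone in this thread. It parses the "# key=value" header and the detection lines, then cross-checks the found/cleaned counters against the listed entries and separates live files from System Restore copies: in this log two of the four hits are _restore snapshots of the same two desktop files, and archives_checked=false means packed files were not scanned at all. The field order of a detection line and the "Platform/Family" token convention used to split the path from the threat name are assumptions inferred from this log; the sample lines are copied from it.

```python
"""Parse an ESET Online Scanner log and check the cleanup result.
Added example for this thread, not ESET's code; the line format is
inferred from the log posted above."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample copied from the log posted in this thread (header trimmed). Real
# ESET logs separate the fields with tabs; the forum rendered them as
# spaces, so the parser accepts either.
SAMPLE_LOG = """ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# remove_checked=true
# archives_checked=false
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1029 16777173 100 100 0 15697721 0 0
# scanned=146667
# found=4
# cleaned=4
C:\\Documents and Settings\\Eric\\Desktop\\Nero-7.8.5.0_eng_trial.exe Win32/Toolbar.AskSBar application (deleted - quarantined) 00000000000000000000000000000000 C
C:\\Documents and Settings\\Eric\\Desktop\\HelpApps\\RegistryEasy.exe a variant of Win32/Adware.RegistryEasy application (deleted - quarantined) 00000000000000000000000000000000 C
C:\\System Volume Information\\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\\RP43\\A0022691.exe Win32/Toolbar.AskSBar application (deleted - quarantined) 00000000000000000000000000000000 C
C:\\System Volume Information\\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\\RP43\\A0022692.exe a variant of Win32/Adware.RegistryEasy application (deleted - quarantined) 00000000000000000000000000000000 C
"""

# Detection line: path, threat name, (action), 32 hex digits, marker.
# The path may contain spaces but never '/', while the threat name always
# carries a 'Platform/Family' token; that is what separates the two.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\[^/\r\n]*?)\s+"
    r"(?P<threat>(?:probably\s+)?(?:a\s+variant\s+of\s+)?[^\s/]+/.*?)\s+"
    r"\((?P<action>[^)]*)\)\s+"
    r"(?P<hash_hex>[0-9A-Fa-f]{32})\s+"
    r"(?P<marker>\S+)\s*$"
)


@dataclass
class Detection:
    path: str
    threat: str
    action: str
    hash_hex: str
    marker: str

    @property
    def in_restore_point(self) -> bool:
        # System Restore keeps copies of removed files; such hits are
        # snapshots, not active infections, but they should still be purged.
        return "\\system volume information\\_restore" in self.path.lower()

    @property
    def family(self) -> str:
        # The 'Platform/Family' token, e.g. 'Win32/Toolbar.AskSBar'.
        return next(tok for tok in self.threat.split() if "/" in tok)


@dataclass
class EsetLog:
    headers: Dict[str, List[str]] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)

    def header(self, key: str) -> Optional[str]:
        values = self.headers.get(key)
        return values[-1] if values else None


def parse_eset_log(text: str) -> EsetLog:
    log = EsetLog()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# "):
            key, sep, value = line[2:].partition("=")
            if sep:  # keys such as compatibility_mode repeat; keep every value
                log.headers.setdefault(key.strip(), []).append(value.strip())
            continue
        match = DETECTION_RE.match(line)
        if match:  # banner lines without a drive letter are skipped
            log.detections.append(Detection(**match.groupdict()))
    return log


def summarize(log: EsetLog) -> dict:
    """Cross-check the header counters against the detection lines."""
    found = int(log.header("found") or 0)
    cleaned = int(log.header("cleaned") or 0)
    handled = all("deleted" in d.action or "cleaned" in d.action
                  for d in log.detections)
    return {
        "found": found,
        "cleaned": cleaned,
        "listed": len(log.detections),
        "all_cleaned": found == cleaned == len(log.detections) and handled,
        "active_paths": [d.path for d in log.detections if not d.in_restore_point],
        "restore_point_copies": sum(d.in_restore_point for d in log.detections),
        "families": sorted({d.family for d in log.detections}),
        # archives_checked=false means packed files were skipped entirely
        "archives_scanned": log.header("archives_checked") == "true",
    }


if __name__ == "__main__":
    for key, value in summarize(parse_eset_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run as-is to print the summary for the sample; pass any saved ESET log.txt to parse_eset_log to triage a different one. The "archives_scanned" flag is the caveat to watch: a clean result with archives unchecked says nothing about what is inside zip files or installers on the disk.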


#7 Thunderbird1988 (Member 2k, 2,416 posts)
Download avz4.zip from HERE
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the right of the Log window
  • Click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again


  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts " and mark the "Advanced System Analysis with malware removal mode enabled" check box.
  • Click on the “Execute selected scripts”.
  • Automatic scanning, healing and system check will be executed.
  • A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  • It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  • All applications will work properly after the system restart.

When restarted

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts " and mark the “Advanced System Analysis" check box.
  • Click on the "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on the [image] to insert the attachment into your post


#8 echet (Member, Topic Starter, 75 posts)
Okay, I'm having a problem updating the AVZ program. I click the update icon, but when I click START, I get a message that says "Automatic update error - Error loading control file avzupd.zip from http://www.z-oleg/secur/avz_up [21, 00002EFD]"

When I changed the source to http://avz.virusinfo.info/avz_up/ I get the same message, except with that address. Those are the only two options for source. I've tried using different options under settings, but I get the same result.

Is there another way, or should I just run the un-updated program?

#9 Thunderbird1988 (Member 2k, 2,416 posts)
I have checked, and at the moment I am writing this message I am able to update; can you please try it one more time? If that doesn't work, please run it un-updated.

#10 echet (Member, Topic Starter, 75 posts)
It still wouldn't update when I tried it this morning. I've attached the logs for the un-updated scans.

Attached Files


#11 Thunderbird1988 (Member 2k, 2,416 posts)
Your AVZ log tells me that you have two virus scanners installed. Two scanners will interfere with each other, causing BSODs, a less stable system and less protection.

Please uninstall AVG9 or IS3 Antivirus. After that, please let me know if the BSODs still persist.

#12 echet (Member, Topic Starter, 75 posts)
Sorry about that. AVG is my anti-virus program. I installed the second one just prior to making this topic to get a second opinion, and my computer was too far infected to let me uninstall it before I ran a couple of programs you suggested. I had deleted the main .exe file for it to prevent it from running. I just uninstalled it now.

As for BSODs... The computer has been behaving better since I ran ComboFix and greatly improved after running ESET. Though I haven't done some of the things I was doing when they first appeared, since I didn't want to risk exposing my passwords to this virus any further, I can now have the computer on for long periods of time without issue.

#13 Thunderbird1988 (Member 2k, 2,416 posts)
Ok, can I consider this case solved?

#14 echet (Member, Topic Starter, 75 posts)
I was able to update the AVZ database. I think my firewall was blocking it before. Would you like me to run a scan with the updated version or was the old one good enough?


I haven't had any issues for a few days so if the scans look clean, I'd say problem solved.


One quick question before you close this. I'm looking for an anti-malware program to have as a resident scanner. I had Spybot Search and Destroy, but that apparently doesn't do as much as it used to any more. I'm thinking about buying Malwarebytes, but I'm not sure if I'm better off using that as a free scanner and buying something else. What would you recommend?

#15 Thunderbird1988 (Member 2k, 2,416 posts)
Well, your logs are clean, and I don't think an updated AVZ log will make any difference as you report no more problems.

You can buy the real-time protection of MBAM, but if you don't wish to spend money on protection, I would recommend Spyware Guard

You can read more about the security recommendations of Geekstogo here

Do you have any other questions?

Thunderbird1988