Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Virtumonde.dll, VBS/Psyme, and other trojans

Started by vincec15 , Jun 27 2010 10:07 PM

  • Please log in to reply

#1
vincec15
Posted 27 June 2010 - 10:07 PM

vincec15

    Member

  • Member
  • PipPip
  • 11 posts
Hi there. Lately, I've noticed that my computer is running really slowly. When I'm on firefox, sometimes I get a popup that takes me to google.com. McAfee alerted me that I had the trojan VBS/Psyme but it was not able to remove it. When I did a scan on McAfee, it found nothing. I was very confused and ran a scan on SpyBot Search and Destroy. It found two trojans but it was not able to delete them. It said that they were in use. I noticed when Spybot was scanning it came across the files Virtumonde.dll and Virtumonde.sci. I think theyre the problem but I'm struggling to delete them.

I ran Malwarebytes but like McAfee, it didn't detect anything after the scan was over. I also used Super Anti Spyware and it found a lot of bad infected files and trojans and I removed them. All these scans were done in safe mode. But when I restarted, nothing seemed fix. Computer is still really slow and I still get the popups on Firefox.

I would really appreciate it if someone could help me remove these tricky trojans. I have no idea what to do next. Here is my log from Hijackthis.

Thank you

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:54:46 PM, on 27/06/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\WINDOWS\zHotkey.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.c...h...DTP&M=T5212
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.c...h...DTP&M=T5212
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.c...h...DTP&M=T5212
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.c...h...DTP&M=T5212
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.c...h...DTP&M=T5212
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [MPFEXE] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopet...v/GoPetsWeb.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Print Spooler Service (appoyqcbiu3) - Unknown owner - C:\WINDOWS\system32\jokrvvogukq.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 10324 bytes
  • 0

Advertisements

#2
RKinner
Posted 28 June 2010 - 12:30 AM

RKinner

    Malware Expert

  • Expert
  • 24,446 posts
  • MVP
Do as much of

http://www.geekstogo...uide-t2852.html

as you can. If a step won't work, skip to the next one. Copy and paste your gmer, mbam, otl, & extras logs into a reply. Do not attach them.

If you lose internet access after running MBAM or if you are not able to get to the downloads:

In IE, Tools, Internet Options, Connections, LAN Settings, then uncheck all boxes and OK. Close IE and restart IE.

In FireFox, Tools, Options, Advanced, Settings, check No Proxy then OK. Close Firefox and restart Firefox.

In Chrome, Wrench, Options, Under the Hood, Change Proxy Settings, uncheck all boxes, OK.

Ron
  • 0

#3
vincec15
Posted 28 June 2010 - 04:24 PM

vincec15

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hi Ron. Thank you for the reply. I really appreciate it.

I followed each of the steps in that removal guide.

Here is my Malwarebytes log:
  • 0

#4
vincec15
Posted 28 June 2010 - 04:25 PM

vincec15

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4248

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

28/06/2010 3:23:34 AM
mbam-log-2010-06-28 (03-23-34).txt

Scan type: Quick scan
Objects scanned: 139284
Time elapsed: 14 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)
  • 0

#5
vincec15
Posted 28 June 2010 - 04:26 PM

vincec15

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
  • 0

#6
vincec15
Posted 28 June 2010 - 04:30 PM

vincec15

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
I'm struggling to make any post.I keep losing connection. I will try to post the rest as soon as possible. I'm really sorry
  • 0

#7
vincec15
Posted 28 June 2010 - 04:43 PM

vincec15

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Application Data\sysReserve.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.

For the second step, I removed McAfee as the guide mentioned that it could conflict with other anti-virus programs because I went ahead and installed Microsoft Security Essentials. This is where I begin to endure a lot of troubles. The program detects threats and when I click "clean computer", it goes ahead and cleans and tells me to restart. When I go ahead and restart, it still keeps detecting the threats. It tells me to do a full scan, which I do. However, while running the scan for no reason the program closed on its own. When I opened up windows task manager, it took it a really long time to open up and when it did, it was closing random processes on its own.

Here is a screenshot of the history:

Posted Image

My computer at this point is really slow and I still get random popups directing me to google.com when I'm on the browser. I try to run the GMER. Things get worse here because around half an hour into the scan, the computer restarts on its own. I try it again, and again it restarts on its own. At this point I let the scan run for a bit and saved before the computer could restart again. I figured its better to have something than nothing at all. Here is the log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-28 09:11:06
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kfdyrfog.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xED3F4670]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xED3F4720]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xED3F47C0]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xED3F4860]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\DRIVERS\netbt.sys entry point in ".rsrc" section [0xED75CA14]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1132] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007E000A
.text C:\WINDOWS\System32\svchost.exe[1132] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 007F000A
.text C:\WINDOWS\System32\svchost.exe[1132] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007D000C
.text C:\WINDOWS\System32\svchost.exe[1132] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 00FA000A
.text C:\WINDOWS\Explorer.EXE[1728] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A1000A
.text C:\WINDOWS\Explorer.EXE[1728] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00AF000A
.text C:\WINDOWS\Explorer.EXE[1728] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A0000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

Device -> \Driver\atapi \Device\Harddisk0\DR0

I don't know if thats any help, but I couldn't run this program fully. Sorry =/

Here are my OTL Logs:

OTL logfile created on: 28/06/2010 5:15:42 PM - Run 1
OTL by OldTimer - Version 3.2.7.0 Folder = C:\Documents and Settings\Owner\My Documents\Downloads
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

894.00 Mb Total Physical Memory | 352.00 Mb Available Physical Memory | 39.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 181.01 Gb Total Space | 129.03 Gb Free Space | 71.29% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 5.28 Gb Total Space | 3.40 Gb Free Space | 64.36% Space Free | Partition Type: FAT32
I: Drive not present or media not loaded

Computer Name: HAIB-2CA16646B7
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/06/28 17:14:23 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\My Documents\Downloads\OTL.exe
PRC - [2010/06/26 23:31:06 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/06/26 23:30:37 | 005,888,008 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
PRC - [2010/06/26 04:41:08 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/02/21 05:03:12 | 001,093,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\msseces.exe
PRC - [2009/12/09 18:02:38 | 000,017,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
PRC - [2009/12/09 18:02:36 | 000,202,776 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MpCmdRun.exe
PRC - [2007/06/13 06:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/03/17 15:13:47 | 000,185,896 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2004/12/08 20:57:36 | 000,550,912 | ---- | M] () -- C:\WINDOWS\zHotkey.exe


========== Modules (SafeList) ==========

MOD - [2010/06/28 17:14:23 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\My Documents\Downloads\OTL.exe
MOD - [2006/08/25 11:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
MOD - [2004/08/10 15:00:00 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (appoyqcbiu3)
SRV - [2010/06/26 23:31:06 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/06/26 23:30:37 | 005,888,008 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2009/12/09 18:02:38 | 000,017,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
SRV - [2008/11/11 10:38:06 | 000,620,544 | ---- | M] (Nokia.) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2006/11/03 20:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - [2010/06/26 23:31:11 | 000,025,096 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\AVGIDSxx.sys -- (AVGIDSErHrxpx)
DRV - [2010/06/26 23:30:42 | 000,122,376 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys -- (AVGIDSDriverxpx)
DRV - [2010/06/26 23:30:41 | 000,030,216 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys -- (AVGIDSFilterxpx)
DRV - [2010/06/26 23:30:41 | 000,026,120 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys -- (AVGIDSShimxpx)
DRV - [2009/12/02 15:23:40 | 000,149,040 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\MpFilter.sys -- (MpFilter)
DRV - [2008/08/26 10:26:12 | 000,018,816 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2008/06/02 18:10:18 | 004,752,384 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/01/23 17:25:32 | 000,027,136 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tapvpn.sys -- (tapvpn)
DRV - [2006/09/30 06:35:52 | 000,027,936 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\pstrip.sys -- (PStrip)
DRV - [2006/01/18 06:41:00 | 000,080,512 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2006/01/15 02:48:08 | 001,477,632 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/03/16 20:51:16 | 001,033,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/03/16 20:50:36 | 000,221,440 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2005/03/16 20:50:32 | 000,705,280 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2005/01/07 20:07:18 | 000,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
DRV - [2004/11/10 20:30:18 | 000,024,832 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2004/11/10 20:27:34 | 000,044,288 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2004/08/04 09:07:44 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2004/08/04 09:07:44 | 000,041,088 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2004/08/04 01:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2003/01/10 17:13:04 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2001/08/18 00:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/18 00:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/18 00:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/18 00:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/18 00:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 23:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 23:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 23:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 23:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 23:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 23:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 23:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 23:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 23:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 23:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.c...h...DTP&M=T5212
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.c...h...DTP&M=T5212
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.c...h...DTP&M=T5212

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.c...h...DTP&M=T5212
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://money.ca.msn.com"
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..network.proxy.backup.ftp: "204.85.191.10"
FF - prefs.js..network.proxy.backup.ftp_port: 3128
FF - prefs.js..network.proxy.backup.gopher: "204.85.191.10"
FF - prefs.js..network.proxy.backup.gopher_port: 3128
FF - prefs.js..network.proxy.backup.socks: "204.85.191.10"
FF - prefs.js..network.proxy.backup.socks_port: 3128
FF - prefs.js..network.proxy.backup.ssl: "204.85.191.10"
FF - prefs.js..network.proxy.backup.ssl_port: 3128
FF - prefs.js..network.proxy.ftp: "proxy.changeipaddress.org"
FF - prefs.js..network.proxy.ftp_port: 8231
FF - prefs.js..network.proxy.gopher: "proxy.changeipaddress.org"
FF - prefs.js..network.proxy.gopher_port: 8231
FF - prefs.js..network.proxy.http: "proxy.changeipaddress.org"
FF - prefs.js..network.proxy.http_port: 8231
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "proxy.changeipaddress.org"
FF - prefs.js..network.proxy.socks_port: 8231
FF - prefs.js..network.proxy.ssl: "proxy.changeipaddress.org"
FF - prefs.js..network.proxy.ssl_port: 8231
FF - prefs.js..network.proxy.type: 0

FF - HKLM\software\mozilla\Firefox\extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2010/06/26 23:30:29 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/06/27 05:52:59 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/27 04:48:19 | 000,000,000 | ---D | M]

[2008/09/01 17:56:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2010/06/27 23:12:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4es6pf8.default\extensions
[2010/06/03 05:40:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4es6pf8.default\extensions\[email protected](2).com
[2007/07/31 14:35:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4es6pf8.default\extensions\[email protected]
[2007/07/31 14:35:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4es6pf8.default\extensions\[email protected]
[2009/09/02 21:40:36 | 000,000,945 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4es6pf8.default\searchplugins\youtube-video-search.xml
[2010/06/27 23:12:53 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/06/03 04:48:23 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/05/22 12:24:03 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2009/05/02 18:35:09 | 000,000,730 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\WINDOWS\system32\bae.dll (Gateway Inc.)
O2 - BHO: (FlashFXP Helper for Internet Explorer) - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\Program Files\FlashFXP\IEFlash.dll (IniCom Networks, Inc.)
O3 - HKLM\..\Toolbar: (&Radio) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx ()
O3 - HKLM\..\Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {C95A4E8E-816D-4655-8C79-D736DA1ADB6D} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [CHotkey] C:\WINDOWS\zHotkey.exe ()
O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zon...kr.cab56986.cab (Checkers Class)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.micr...922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} Reg Error: Key error. (Reg Error: Key error.)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail....es/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zon...1/GAME_UNO1.cab (UnoCtrl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://messenger.zon...ro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zon...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} http://messenger.zon...er.cab56986.cab (Minesweeper Flags Class)
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} https://secure.gopet...v/GoPetsWeb.cab (GoPetsWeb Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\vnd.ms.radio {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINDOWS\system32\msdxm.ocx ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - File not found
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/06/17 05:41:16 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/09/13 12:15:24 | 000,000,053 | -HS- | M] () - H:\Autorun.inf -- [ FAT32 ]
O33 - MountPoints2\{dd6dd551-2f55-11db-b3c1-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{dd6dd551-2f55-11db-b3c1-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2006/06/17 05:40:27 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: aux - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midi - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midimapper - C:\WINDOWS\System32\midimap.dll (Microsoft Corporation)
Drivers32: mixer - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: msacm.clmp3enc - C:\Program Files\CyberLink\Power2Go\CLMP3Enc.ACM (CyberLink Corp.)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.imaadpcm - C:\WINDOWS\System32\imaadp32.acm (Microsoft Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\System32\l3codecx.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.lhacm - C:\WINDOWS\System32\lhacm.acm (Microsoft Corporation)
Drivers32: msacm.msadpcm - C:\WINDOWS\System32\msadp32.acm (Microsoft Corporation)
Drivers32: msacm.msaudio1 - C:\WINDOWS\System32\msaud32.acm (Microsoft Corporation)
Drivers32: msacm.msg711 - C:\WINDOWS\System32\msg711.acm (Microsoft Corporation)
Drivers32: msacm.msg723 - C:\WINDOWS\System32\msg723.acm (Microsoft Corporation)
Drivers32: msacm.msgsm610 - C:\WINDOWS\System32\msgsm32.acm (Microsoft Corporation)
Drivers32: msacm.siren - C:\WINDOWS\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: msacm.vorbis - C:\WINDOWS\System32\vorbis.acm (HMS http://hp.vector.co....hors/VA012897/)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.ffds - C:\Program Files\Combined Community Codec Pack\Filters\FFDShow\ff_vfw.dll ()
Drivers32: vidc.I420 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.iyuv - C:\WINDOWS\System32\iyuv_32.dll (Microsoft Corporation)
Drivers32: vidc.M261 - C:\WINDOWS\System32\msh261.drv (Microsoft Corporation)
Drivers32: vidc.M263 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
Drivers32: vidc.mrle - C:\WINDOWS\System32\msrle32.dll (Microsoft Corporation)
Drivers32: vidc.msvc - C:\WINDOWS\System32\msvidc32.dll (Microsoft Corporation)
Drivers32: vidc.uyvy - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: VIDC.WMV3 - C:\Program Files\Combined Community Codec Pack\Filters\wmv9vcm.dll (Microsoft Corporation)
Drivers32: vidc.yuy2 - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: vidc.yvu9 - C:\WINDOWS\System32\tsbyuv.dll (Microsoft Corporation)
Drivers32: vidc.yvyu - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: wave - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wavemapper - C:\WINDOWS\System32\msacm32.drv (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17183584330711040)

========== Files/Folders - Created Within 90 Days ==========

[2010/06/28 04:11:16 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials
[2010/06/28 03:06:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/06/28 03:05:28 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/06/27 23:53:43 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/06/27 09:41:57 | 000,000,000 | ---D | C] -- C:\VundoFix Backups
[2010/06/27 04:34:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
[2010/06/26 23:31:11 | 000,025,096 | ---- | C] (AVG Technologies CZ, s.r.o. ) -- C:\WINDOWS\System32\drivers\AVGIDSxx.sys
[2010/06/26 23:26:32 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2010/06/26 23:25:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg9
[2010/06/25 21:21:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\AdobeUM
[2010/06/25 21:20:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Real
[2010/06/20 04:40:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\taprognlc
[2010/06/10 18:49:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/06/10 18:49:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/06/05 15:14:05 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/06/05 15:14:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/06/03 09:13:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\qqknglntn
[2010/06/03 05:42:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\piqvomsxq
[2010/06/03 05:42:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Real
[2010/06/03 05:40:13 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Owner\Recent
[2010/05/29 21:01:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/05/22 12:24:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/05/22 12:21:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Downloads
[2010/04/21 15:03:57 | 000,000,000 | ---D | C] -- C:\Program Files\PartyGaming
[6 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/06/28 17:19:42 | 000,000,374 | -H-- | M] () -- C:\WINDOWS\tasks\MpIdleTask.job
[2010/06/28 17:17:21 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/06/28 17:10:43 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/28 17:10:22 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/28 17:10:16 | 937,046,016 | -HS- | M] () -- C:\hiberfil.sys
[2010/06/28 04:19:03 | 008,634,368 | ---- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT
[2010/06/28 04:19:03 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/06/28 04:11:18 | 000,000,820 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/06/28 04:06:32 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/28 03:07:13 | 000,000,714 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2010/06/28 03:05:29 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\NTREGOPT.lnk
[2010/06/28 03:05:29 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\ERUNT.lnk
[2010/06/28 02:29:41 | 001,575,798 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2010/06/27 23:54:28 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\HiJackThis.lnk
[2010/06/27 09:39:48 | 000,000,209 | -HS- | M] () -- C:\boot.ini
[2010/06/27 09:39:47 | 000,000,976 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/06/27 09:39:45 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/06/26 23:55:16 | 000,001,620 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/06/26 23:55:16 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/06/26 23:31:11 | 000,025,096 | ---- | M] (AVG Technologies CZ, s.r.o. ) -- C:\WINDOWS\System32\drivers\AVGIDSxx.sys
[2010/06/26 04:24:22 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/06/23 18:10:00 | 000,000,408 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2010/06/22 23:36:04 | 000,022,528 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\coverletter-hs.doc
[2010/06/22 23:35:58 | 000,035,932 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\resume.tif
[2010/06/22 23:35:50 | 000,043,008 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\resume.doc
[2010/06/22 23:35:37 | 000,053,517 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\4766_103628842889_503482889_2615097_3326266_n.jpg
[2010/06/22 23:35:31 | 000,028,516 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\10047-477-017f.jpg
[2010/06/21 22:47:13 | 003,888,054 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\fallschedule.bmp
[2010/06/21 01:50:54 | 000,002,622 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\wklnhst.dat
[2010/06/12 15:21:00 | 000,000,408 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2010/06/05 16:28:48 | 000,004,442 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2010/06/05 15:14:19 | 000,000,951 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2010/06/05 15:14:19 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Spybot - Search & Destroy.lnk
[2010/06/03 05:14:40 | 000,444,836 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/03 05:14:40 | 000,072,268 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/05/16 01:53:10 | 000,526,970 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[6 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/28 04:16:39 | 000,000,408 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/06/28 04:16:38 | 000,000,374 | -H-- | C] () -- C:\WINDOWS\tasks\MpIdleTask.job
[2010/06/28 04:11:18 | 000,000,820 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/06/28 03:05:29 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\NTREGOPT.lnk
[2010/06/28 03:05:29 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\ERUNT.lnk
[2010/06/27 23:53:43 | 000,002,447 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\HiJackThis.lnk
[2010/06/27 09:34:43 | 937,046,016 | -HS- | C] () -- C:\hiberfil.sys
[2010/06/22 23:36:04 | 000,022,528 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\coverletter-hs.doc
[2010/06/22 23:36:00 | 000,035,932 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\resume.tif
[2010/06/22 23:35:51 | 000,043,008 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\resume.doc
[2010/06/22 23:35:37 | 000,053,517 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\4766_103628842889_503482889_2615097_3326266_n.jpg
[2010/06/22 23:35:33 | 000,028,516 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\10047-477-017f.jpg
[2010/06/21 22:47:13 | 003,888,054 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\fallschedule.bmp
[2010/06/05 15:14:19 | 000,000,951 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2010/06/05 15:14:19 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Spybot - Search & Destroy.lnk
[2010/06/01 07:19:16 | 000,001,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
[2010/06/01 07:19:16 | 000,000,986 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
[2010/06/01 06:57:33 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2008/10/21 21:33:19 | 000,138,280 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2008/05/30 23:32:28 | 000,000,465 | ---- | C] () -- C:\WINDOWS\AudioConverter.INI
[2007/08/16 18:37:03 | 000,000,355 | ---- | C] () -- C:\WINDOWS\Sonic3K.INI
[2007/03/29 23:00:40 | 000,203,264 | ---- | C] () -- C:\WINDOWS\System32\CddbCdda.dll
[2007/03/19 20:35:06 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2007/01/30 19:31:46 | 000,002,368 | ---- | C] () -- C:\WINDOWS\EaseAudioConverter.ini
[2007/01/06 12:59:39 | 000,004,442 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/01/05 23:41:10 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/09/30 06:35:52 | 000,027,936 | ---- | C] () -- C:\WINDOWS\System32\drivers\pstrip.sys
[2006/08/19 04:02:27 | 000,532,544 | ---- | C] () -- C:\WINDOWS\PIC.dll
[2006/08/19 04:02:27 | 000,024,576 | ---- | C] () -- C:\WINDOWS\HKNTDLL.dll
[2006/08/19 04:02:27 | 000,011,776 | ---- | C] () -- C:\WINDOWS\HIDMNT.dll
[2006/08/19 03:54:25 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/06/21 05:48:15 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/06/17 05:24:58 | 000,001,442 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/06/17 05:24:57 | 000,000,493 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2006/06/17 05:23:22 | 001,288,192 | ---- | C] () -- C:\WINDOWS\System32\quartz(3).dll
[2006/06/17 05:23:22 | 001,287,680 | ---- | C] () -- C:\WINDOWS\System32\quartz(2).dll
[2006/04/14 10:37:26 | 000,000,031 | ---- | C] () -- C:\WINDOWS\aceg.ini
[2005/08/30 01:00:00 | 000,781,312 | ---- | C] () -- C:\WINDOWS\System32\RGSS102J.dll
[2005/08/30 01:00:00 | 000,778,752 | ---- | C] () -- C:\WINDOWS\System32\RGSS102E.dll
[2005/08/30 01:00:00 | 000,771,584 | ---- | C] () -- C:\WINDOWS\System32\RGSS100J.dll
[2005/08/06 00:01:54 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/01/07 18:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2010/06/26 23:26:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2009/01/14 19:02:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Graboid Inc
[2008/12/31 21:07:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Installations
[2007/06/28 00:27:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iWin Games
[2007/01/05 23:38:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
[2007/10/28 16:19:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2009/08/05 22:40:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Suite
[2008/09/27 21:21:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
[2010/06/28 03:42:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2006/08/19 04:04:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2007/01/05 23:39:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WildTangent
[2008/10/03 18:50:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[2007/01/07 17:02:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\.BitTornado
[2007/07/10 15:51:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\acccore
[2009/01/21 18:55:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Dev-Cpp
[2007/01/06 00:49:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\FlashFXP
[2009/10/17 17:54:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\LG Electronics
[2007/03/30 20:22:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\LuckaSoft
[2008/03/07 21:13:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\MSNInstaller
[2007/10/28 16:19:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\NCH Swift Sound
[2008/12/31 21:09:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Nokia
[2008/12/31 21:09:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\PC Suite
[2007/10/28 16:19:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Recordpad
[2006/08/19 04:13:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SampleView
[2008/01/23 18:05:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Template
[2010/03/26 23:54:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Uniblue
[2010/06/23 18:10:00 | 000,000,408 | ---- | M] () -- C:\WINDOWS\Tasks\At1.job
[2010/06/12 15:21:00 | 000,000,408 | ---- | M] () -- C:\WINDOWS\Tasks\At2.job
[2010/06/28 17:17:21 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2010/06/28 17:19:42 | 000,000,374 | -H-- | M] () -- C:\WINDOWS\Tasks\MpIdleTask.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2007/04/20 20:02:54 | 000,000,000 | ---- | M] () -- C:\asoutput.log
[2006/08/19 03:51:40 | 000,000,002 | ---- | M] () -- C:\AUDIT_INSTALL_IN_PROGRESS
[2006/06/17 05:41:16 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/06/27 09:39:48 | 000,000,209 | -HS- | M] () -- C:\boot.ini
[2007/01/18 21:48:25 | 000,017,546 | ---- | M] () -- C:\ChromeGraphicsTestLog.txt
[2006/06/17 05:41:16 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2007/03/05 17:08:13 | 000,000,081 | ---- | M] () -- C:\CTX.DAT
[2007/04/14 21:39:30 | 000,002,435 | ---- | M] () -- C:\DV.txt
[2008/06/11 18:45:53 | 000,000,344 | ---- | M] () -- C:\FILE.TXT
[2010/06/28 17:10:16 | 937,046,016 | -HS- | M] () -- C:\hiberfil.sys
[2006/06/17 05:41:16 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2009/10/02 18:04:40 | 000,002,936 | -H-- | M] () -- C:\IPH.PH
[2007/08/30 21:50:22 | 000,000,050 | -H-- | M] () -- C:\lp_TrickleCurrCache_CosmicRift_Main Distribution.xml
[2007/09/06 16:03:20 | 000,000,050 | -H-- | M] () -- C:\lp_TrickleCurrCache_Infantry_Main Distribution.xml
[2007/01/05 23:02:09 | 000,000,004 | RHS- | M] () -- C:\MSDOS.BIN
[2006/06/17 05:41:16 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2008/06/12 21:05:33 | 000,001,155 | ---- | M] () -- C:\nhl.txt
[2004/08/10 15:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2004/08/10 15:00:00 | 000,250,032 | RHS- | M] () -- C:\ntldr
[2010/06/28 17:10:09 | 1409,286,144 | -HS- | M] () -- C:\pagefile.sys
[2006/08/19 03:52:56 | 000,000,090 | ---- | M] () -- C:\powerdvd.log
[2007/03/10 14:56:26 | 000,000,000 | ---- | M] () -- C:\report.txt
[2006/08/19 04:01:25 | 000,000,499 | ---- | M] () -- C:\RHDSetup.log
[2007/09/11 08:16:37 | 000,000,268 | -H-- | M] () -- C:\sqmdata00.sqm
[2007/09/12 08:13:23 | 000,000,268 | -H-- | M] () -- C:\sqmdata01.sqm
[2007/11/22 09:29:12 | 000,000,268 | -H-- | M] () -- C:\sqmdata02.sqm
[2007/11/22 17:24:48 | 000,000,268 | -H-- | M] () -- C:\sqmdata03.sqm
[2008/02/06 00:25:19 | 000,000,268 | -H-- | M] () -- C:\sqmdata04.sqm
[2008/02/26 16:58:04 | 000,000,268 | -H-- | M] () -- C:\sqmdata05.sqm
[2008/04/23 19:59:17 | 000,000,268 | -H-- | M] () -- C:\sqmdata06.sqm
[2008/06/05 16:15:11 | 000,000,268 | -H-- | M] () -- C:\sqmdata07.sqm
[2008/07/31 21:05:18 | 000,000,232 | -H-- | M] () -- C:\sqmdata08.sqm
[2008/09/14 15:46:23 | 000,000,268 | -H-- | M] () -- C:\sqmdata09.sqm
[2008/11/10 18:54:49 | 000,000,232 | -H-- | M] () -- C:\sqmdata10.sqm
[2008/11/11 19:49:08 | 000,000,268 | -H-- | M] () -- C:\sqmdata11.sqm
[2008/12/24 15:57:49 | 000,000,268 | -H-- | M] () -- C:\sqmdata12.sqm
[2009/01/07 17:28:17 | 000,000,232 | -H-- | M] () -- C:\sqmdata13.sqm
[2009/01/07 19:14:58 | 000,000,232 | -H-- | M] () -- C:\sqmdata14.sqm
[2009/01/22 19:09:28 | 000,000,232 | -H-- | M] () -- C:\sqmdata15.sqm
[2009/05/02 21:01:33 | 000,000,268 | -H-- | M] () -- C:\sqmdata16.sqm
[2009/05/02 22:49:19 | 000,000,268 | -H-- | M] () -- C:\sqmdata17.sqm
[2009/05/31 15:09:20 | 000,000,268 | -H-- | M] () -- C:\sqmdata18.sqm
[2009/06/28 20:21:53 | 000,000,232 | -H-- | M] () -- C:\sqmdata19.sqm
[2009/05/02 22:49:19 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
[2009/05/31 15:09:20 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm
[2009/06/28 20:21:53 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm
[2007/09/11 08:16:37 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm
[2007/09/12 08:13:23 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
[2007/11/22 09:29:12 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
[2007/11/22 17:24:47 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm
[2008/02/06 00:25:19 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm
[2008/02/26 16:58:04 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm
[2008/04/23 19:59:17 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt09.sqm
[2008/06/05 16:15:11 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt10.sqm
[2008/07/31 21:05:18 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt11.sqm
[2008/09/14 15:46:22 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm
[2008/11/10 18:54:49 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt13.sqm
[2008/11/11 19:49:08 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt14.sqm
[2008/12/24 15:57:49 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt15.sqm
[2009/01/07 17:28:17 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt16.sqm
[2009/01/07 19:14:58 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt17.sqm
[2009/01/22 19:09:27 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt18.sqm
[2009/05/02 21:01:33 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt19.sqm
[2010/06/27 09:41:57 | 000,000,104 | ---- | M] () -- C:\VundoFix.txt
[2007/09/06 19:33:38 | 000,000,004 | RHS- | M] () -- C:\WINOS.SYS
[2008/06/20 18:43:40 | 000,000,008 | ---- | M] () -- C:\ye.txt

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
[2007/03/22 20:24:58 | 000,028,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2007/04/09 13:23:54 | 000,028,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll

< %systemroot%\system32\*.wt >

< %systemroot%\system32\*.ruy >

< %systemroot%\Fonts\*.com >
[2007/02/09 15:33:58 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont
[2007/02/09 15:33:58 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2007/02/09 15:33:58 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2007/02/09 15:33:58 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont

< %systemroot%\system32\spool\prtprocs\w32x86\*.tmp >

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2005/07/26 07:39:44 | 001,267,200 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\comsvcs.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2006/06/16 22:30:11 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2006/06/16 22:30:11 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2006/06/16 22:30:11 | 000,897,024 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\user32.dll /md5 >
[2010/06/28 04:18:50 | 000,577,536 | ---- | M] (Microsoft Corporation) MD5=B409909F6E2E8A7067076ED748ABF1E7 -- C:\WINDOWS\system32\USER32.dll

< %systemroot%\system32\ws2_32.dll /md5 >
[2004/08/10 15:00:00 | 000,082,944 | ---- | M] (Microsoft Corporation) MD5=2ED0B7F12A60F90092081C50FA0EC2B2 -- C:\WINDOWS\system32\ws2_32.dll

< %systemroot%\system32\ws2help.dll /md5 >
[2004/08/10 15:00:00 | 000,019,968 | ---- | M] (Microsoft Corporation) MD5=9BEACB911CA61E5881102188AB7FB431 -- C:\WINDOWS\system32\ws2help.dll

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2009-07-29 07:01:38

========== Alternate Data Streams ==========

@Alternate Data Stream - 145 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >

The second one:

OTL Extras logfile created on: 28/06/2010 5:15:43 PM - Run 1
OTL by OldTimer - Version 3.2.7.0 Folder = C:\Documents and Settings\Owner\My Documents\Downloads
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

894.00 Mb Total Physical Memory | 352.00 Mb Available Physical Memory | 39.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 181.01 Gb Total Space | 129.03 Gb Free Space | 71.29% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 5.28 Gb Total Space | 3.40 Gb Free Space | 64.36% Space Free | Partition Type: FAT32
I: Drive not present or media not loaded

Computer Name: HAIB-2CA16646B7
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\FlashFXP\FlashFXP.exe" = C:\Program Files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3 -- (IniCom Networks, Inc.)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader -- (AOL LLC)
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe" = C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe:*:Enabled:AOLTsMon -- File not found
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe" = C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe:*:Enabled:AOLTopSpeed -- File not found
"C:\Program Files\Common Files\AOL\1155974661\EE\AOLServiceHost.exe" = C:\Program Files\Common Files\AOL\1155974661\EE\AOLServiceHost.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\System Information\sinf.exe" = C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe" = C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe" = C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe" = C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe:*:Enabled:AOL -- File not found
"C:\Program Files\FlashFXP\FlashFXP.exe" = C:\Program Files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3 -- (IniCom Networks, Inc.)
"C:\Program Files\Sony\Station\LaunchPad\LaunchPad.exe" = C:\Program Files\Sony\Station\LaunchPad\LaunchPad.exe:*:Enabled:LaunchPad -- ()
"C:\Program Files\mIRC\mirc.exe" = C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC -- (mIRC Co. Ltd.)
"C:\Program Files\BitTornado\btdownloadgui.exe" = C:\Program Files\BitTornado\btdownloadgui.exe:*:Enabled:btdownloadgui -- ()
"C:\Program Files\TVUPlayer\TVUPlayer.exe" = C:\Program Files\TVUPlayer\TVUPlayer.exe:*:Enabled:TVU Player Component -- (TVU networks)
"C:\Program Files\SopCast\SopCast.exe" = C:\Program Files\SopCast\SopCast.exe:*:Enabled:SopCast Main Application -- (www.sopcast.com)
"C:\Documents and Settings\Owner\Application Data\SopCast\adv\SopAdver.exe" = C:\Documents and Settings\Owner\Application Data\SopCast\adv\SopAdver.exe:*:Enabled:SopCast Adver -- (www.sopcast.com)
"C:\Documents and Settings\Owner\Desktop\winbd1.0.3beta4\TVUBroadcast.exe" = C:\Documents and Settings\Owner\Desktop\winbd1.0.3beta4\TVUBroadcast.exe:*:Enabled:TVU Broadcast Component -- File not found
"C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer -- (RealNetworks, Inc.)
"C:\Program Files\Messenger\msmsgs.exe" = C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger -- File not found
"C:\Program Files\Wolfenstein - Enemy Territory\ET.exe" = C:\Program Files\Wolfenstein - Enemy Territory\ET.exe:*:Enabled:ET -- ()
"C:\Program Files\LuckaSoft\EnginSite Editor for PHP\DbgListener.exe" = C:\Program Files\LuckaSoft\EnginSite Editor for PHP\DbgListener.exe:*:Enabled:Listener for php debugger DBG -- (NuSphere Corp., http://www.nusphere.com)
"C:\Program Files\VideoLAN\VLC\vlc.exe" = C:\Program Files\VideoLAN\VLC\vlc.exe:*:Enabled:VLC media player -- ()
"C:\Program Files\Electronic Arts\Need For Speed III\nfs3.exe" = C:\Program Files\Electronic Arts\Need For Speed III\nfs3.exe:*:Enabled:Need For Speed III for Win32 -- (Electronic Arts, Inc.)
"C:\Documents and Settings\Owner\Desktop\bbx\gmini.exe" = C:\Documents and Settings\Owner\Desktop\bbx\gmini.exe:*:Enabled:gmini -- File not found
"C:\Documents and Settings\Owner\Desktop\saopd\gmini.exe" = C:\Documents and Settings\Owner\Desktop\saopd\gmini.exe:*:Enabled:gmini -- File not found
"C:\Program Files\Ares\Ares.exe" = C:\Program Files\Ares\Ares.exe:*:Enabled:Ares p2p for windows -- File not found
"C:\Program Files\SmartFTP Client 2.0\SmartFTP.exe" = C:\Program Files\SmartFTP Client 2.0\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0 -- (SmartSoft Ltd.)
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Documents and Settings\Owner\Desktop\Free Infantry\gmini.exe" = C:\Documents and Settings\Owner\Desktop\Free Infantry\gmini.exe:*:Enabled:gmini -- File not found
"C:\Documents and Settings\Owner\Desktop\mapedit\mapedit\New Folder\gmini.exe" = C:\Documents and Settings\Owner\Desktop\mapedit\mapedit\New Folder\gmini.exe:*:Enabled:gmini -- File not found
"C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM -- (AOL LLC)
"C:\Program Files\TVAnts\Tvants.exe" = C:\Program Files\TVAnts\Tvants.exe:*:Enabled:TVAnts -- (Zhejiang University)
"C:\Program Files\SopCast\adv\SopAdver.exe" = C:\Program Files\SopCast\adv\SopAdver.exe:*:Enabled:SopCast Adver -- (www.sopcast.com)
"C:\Documents and Settings\Owner\Local Settings\Temp\Rar$EX00.328\Jumper Redux.exe" = C:\Documents and Settings\Owner\Local Settings\Temp\Rar$EX00.328\Jumper Redux.exe:*:Enabled:Jumper Redux -- File not found
"C:\WINDOWS\system32\dplaysvr.exe" = C:\WINDOWS\system32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper -- (Microsoft Corporation)
"C:\Documents and Settings\Owner\Local Settings\Temp\Rar$EX00.703\Jumper Redux.exe" = C:\Documents and Settings\Owner\Local Settings\Temp\Rar$EX00.703\Jumper Redux.exe:*:Enabled:Jumper Redux -- File not found
"C:\Documents and Settings\Owner\Local Settings\Temp\Rar$EX00.719\Jumper Redux.exe" = C:\Documents and Settings\Owner\Local Settings\Temp\Rar$EX00.719\Jumper Redux.exe:*:Enabled:Jumper Redux -- File not found
"C:\Documents and Settings\Owner\Desktop\stuff\Free Infantry\gmini.exe" = C:\Documents and Settings\Owner\Desktop\stuff\Free Infantry\gmini.exe:*:Enabled:gmini -- File not found
"C:\Documents and Settings\Owner\Local Settings\Temp\Rar$EX02.078\Jumper Redux.exe" = C:\Documents and Settings\Owner\Local Settings\Temp\Rar$EX02.078\Jumper Redux.exe:*:Enabled:Jumper Redux -- File not found
"C:\Documents and Settings\Owner\Local Settings\Temp\Rar$EX00.079\Jumper Redux.exe" = C:\Documents and Settings\Owner\Local Settings\Temp\Rar$EX00.079\Jumper Redux.exe:*:Enabled:Jumper Redux -- File not found
"C:\Documents and Settings\Owner\Desktop\stuff\saopd\gmini.exe" = C:\Documents and Settings\Owner\Desktop\stuff\saopd\gmini.exe:*:Enabled:gmini -- File not found
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Documents and Settings\Owner\Local Settings\Temp\Rar$EX00.875\Jumper Redux.exe" = C:\Documents and Settings\Owner\Local Settings\Temp\Rar$EX00.875\Jumper Redux.exe:*:Enabled:Jumper Redux -- File not found
"C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe" = C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe:*:Enabled:Octoshape add-in for Adobe Flash Player -- File not found
"C:\Documents and Settings\Owner\Local Settings\Temp\Rar$EX00.250\Jumper Redux.exe" = C:\Documents and Settings\Owner\Local Settings\Temp\Rar$EX00.250\Jumper Redux.exe:*:Enabled:Jumper Redux -- File not found
"C:\Program Files\Java\jdk1.6.0\jre\bin\java.exe" = C:\Program Files\Java\jdk1.6.0\jre\bin\java.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\Java\jre6\bin\java.exe" = C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\AVG\AVG9\avgam.exe" = C:\Program Files\AVG\AVG9\avgam.exe:*:Enabled:avgam.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgdiagex.exe" = C:\Program Files\AVG\AVG9\avgdiagex.exe:*:Enabled:avgdiagex.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Mozilla Firefox -- (Mozilla Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07FCBED5-94C3-4F94-B9D3-360FA27C7B06}" = Microsoft Windows SDK for Visual Studio 2008 Express Tools for Win32
"{13515135-48BB-4184-8C1F-2FAE0138E200}" = TBS WMP Plug-in
"{14DCD95A-EBA3-4BF0-B7EF-533852E99BE6}" = LG PC Suite II
"{15377C3E-9655-400F-B441-E69F0A6BEAFE}" = Recovery Software Suite eMachines
"{15AC0C5D-A6FB-4CE2-8CD0-28179EEB5625}" = Nokia Connectivity Cable Driver
"{1E04F83B-2AB9-4301-9EF7-E86307F79C72}" = Google Earth
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = DVD Solution
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{212748BB-0DA5-46DE-82A1-403736DC9F27}" = MSVC80_x86
"{22AA6B16-C6D2-4378-A700-AB6E48501F0A}" = Futuremark SystemInfo
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{265C893D-9D3D-4CE6-A317-9FFF1C6C9C44}" = RealProducer Basic 11
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 20
"{2BA00471-0328-3743-93BD-FA813353A783}" = Microsoft .NET Framework 3.0 Service Pack 1
"{2D06F341-5782-4C45-9DB5-D5B5EC0C2902}" = RealProducer Plus 10
"{2E5C075E-11AB-4BDD-918C-7B9A68953FF8}" = Microsoft SQL Server Compact 3.5 Design Tools ENU
"{2FC099BD-AC9B-33EB-809C-D332E1B27C40}" = Microsoft .NET Framework 3.5
"{3248F0A8-6813-11D6-A77B-00B0D0150020}" = J2SE Runtime Environment 5.0 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160000}" = Java™ SE Runtime Environment 6
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{32A3A4F4-B792-11D6-A78A-00B0D0160000}" = Java™ SE Development Kit 6
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = Browser Address Error Redirector
"{3FE4D618-A705-47BC-B4A6-072F0825C21B}" = Continuum 0.39 pr1
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go 4.0
"{43983EB4-43DC-4C3D-9712-1EF592A31CA8}" = OpenOffice.org 2.1
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4AC55A61-BA20-4DF5-ABFF-8F4819E0C875}" = Digital Media Reader
"{58FB2F9A-5F2D-40E8-82DF-4987E60AD8BD}" = Nokia PC Suite
"{5A9FE525-8B8F-4701-A937-7F6745A4E9C7}" = RGSS-RTP Standard
"{5D95AD35-368F-47D5-B63A-A082DDF00111}" = Microsoft Digital Image Starter Edition 2006 Editor
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{691F4068-81BF-49E3-B32E-FE3E16400111}" = Microsoft Digital Image Starter Edition 2006 Library
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6D2A44E0-8C7C-47FD-B5AF-7F4857A3EF98}_is1" = Continuum
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{6E66ECBD-FCA7-4AE1-A8C5-1CA78BEEB057}" = Multimedia Keyboard Driver
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour
"{8DC42D05-680B-41B0-8878-6C14D24602DB}" = QuickTime
"{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}" = Napster Burn Engine
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90170409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office FrontPage 2003
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9559F7CA-5E34-4237-A2D9-D856464AD727}" = Project64 1.6
"{96E3AED5-3D0B-4BB0-84C2-1EDADB204487}" = FlashFXP v3
"{976C2B2A-CE59-4AB3-83FB-BF895E28F2E6}" = Apple Mobile Device Support
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9B8C0986-647E-40D5-8C36-C67E5A606EBB}" = RealProducer Basic 10
"{9C2DC81B-8114-37D9-A922-95E460A1FAFB}" = Microsoft Visual Basic 2008 Express Edition - ENU
"{9F7FC79B-3059-4264-9450-39EB368E3225}" = Microsoft Digital Image Library 9 - Blocker
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{ABD7DBE3-E344-4BCA-B8AD-4360494DD1D9}" = LG MC USB U330 driver
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}" = REALTEK GbE & FE Ethernet PCI NIC Driver
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B4C0A315-07FB-39F9-85CD-8CE20C019350}" = Microsoft Windows SDK for Visual Studio 2008 Express Tools for .NET Framework
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BCC899FE-2DAA-460C-A5FB-60291E73D9C3}" = Microsoft SQL Server Compact 3.5 ENU
"{C169D3BB-9A27-43F5-9979-09A0D65FE95C}" = SmartFTP Client
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D050D7362D214723AD585B541FFB6C11}" = DivX Content Uploader
"{D7447B32-518C-442F-A8E4-DCF12D8A6D75}" = Station LaunchPad
"{D848D140-41C3-4A53-86D8-E866A100B4CD}" = PC Connectivity Solution
"{DDDE0BE3-0CBE-4BF6-B75A-E3F69C947843}" = iTunes
"{E0C90349-E55E-4161-87CF-6DCA54FFECF8}" = LG PC Suite II
"{E590FD1C-E8C6-4D2E-8CA9-77B403F7EE01}" = Microsoft Antimalware
"{EF98A02A-1748-4762-9B7D-5ED1600520D5}" = Microsoft Security Essentials
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FAD859A8-FB72-4BC3-A892-287E9491E8BE}" = Station Launcher
"504244733D18C8F63FF584AEB290E3904E791693" = Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
"5986551A16FD8E9B1B4C89E7AAD17C1BB3196D28" = Windows Driver Package - Nokia Modem (10/27/2008 7.01.0.1)
"6D296974BAB6CA8429D5E687B292A6DA3E9FBD4A" = Windows Driver Package - Nokia Modem (10/27/2008 3.9)
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"Adobe Shockwave Player" = Adobe Shockwave Player
"AIM_6" = AIM 6
"ATI Display Driver" = ATI Display Driver
"Audacity_is1" = Audacity 1.2.6
"AV Voice Changer Software GOLD 6.0" = AV Voice Changer Software GOLD 6.0
"BigFix" = BigFix
"BitTornado" = BitTornado 0.3.18
"BlueJ_is1" = BlueJ 2.5.0
"Call of Combat Lobby" = Call of Combat Lobby
"CamStudio" = CamStudio
"CCleaner" = CCleaner (remove only)
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1" = Soft Data Fax Modem with SmartCP
"Collab" = Collab
"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2007-02-22
"Continuum_is1" = Continuum 0.40
"Dev-C++" = Dev-C++ 5 beta 9 release (4.9.9.2)
"Ease Audio Converter_is1" = Ease Audio Converter 4.80
"Edirol HQ Orchestral v1.01" = Edirol HQ Orchestral v1.01
"EnginSite Editor for PHP_is1" = EnginSite Editor for PHP 3.6.4.237
"ERUNT_is1" = ERUNT 1.1j
"ExpressBurn" = Express Burn
"FL Studio 6" = FL Studio 6
"Graboid Video" = Graboid Video 1.6
"Imikimi Plugin" = Imikimi Plugin
"Infinity-Zone1.04" = Infinity-Zone
"InstallShield_{13515135-48BB-4184-8C1F-2FAE0138E200}" = TBS WMP Plug-in
"InstallShield_{4AC55A61-BA20-4DF5-ABFF-8F4819E0C875}" = Digital Media Reader
"Internet Cyclone_is1" = Internet Cyclone 1.92
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5" = Microsoft .NET Framework 3.5
"Microsoft Security Essentials" = Microsoft Security Essentials
"Microsoft Visual Basic 2008 Express Edition - ENU" = Microsoft Visual Basic 2008 Express Edition - ENU
"mIRC" = mIRC
"MixPad" = MixPad
"Money2006b" = Microsoft Money 2006
"Motocross Madness Trial 1.0" = Microsoft Motocross Madness Trial
"Mozilla Firefox (3.6.6)" = Mozilla Firefox (3.6.6)
"MP3 WAV Converter 2.68" = MP3 WAV Converter 2.68
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MsJavaVM" = Microsoft VM for Java
"NBA Basketball 2000" = Fox NBA Basketball 2000
"Need For Speed III" = Need For Speed III
"Nokia PC Suite" = Nokia PC Suite
"Norton PC Checkup" = Norton PC Checkup
"PHP_is1" = PHP 5.2.1
"PictureItSuiteTrial_v11" = Microsoft Digital Image Starter Edition 2006
"PowerStrip 3 (remove only)" = PowerStrip 3 (remove only)
"Professional League" = Professional League 4.31 b25
"RealPlayer 6.0" = RealPlayer
"Recordpad" = Recordpad
"RegistryBooster 2_is1" = Uniblue RegistryBooster 2
"Security Task Manager" = Security Task Manager 1.7f
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"SmartFTP Client 2.0 Setup Files" = SmartFTP Client 2.0 Setup Files (remove only)
"Sonic & Knuckles" = Sonic & Knuckles Killer !
"Sonic & Knuckles Collection Documentation" = Sonic & Knuckles Collection Documentation
"Sonic 3D" = Sonic 3D
"Sonic 3D Blast Documentation" = Sonic 3D Blast Documentation
"SopCast" = SopCast 1.1.1
"Switch" = Switch
"Teamspeak 2 RC2_is1" = TeamSpeak 2 RC2
"TVAnts 1.0" = TVAnts 1.0
"TVUPlayer" = TVUPlayer 2.4.0.1
"VB Runtime" = VB Runtime
"VB5CCE" = Visual Basic 5.0 Control Creation Edition
"ViewpointMediaPlayer" = Viewpoint Media Player
"Visual Studio 6.0 Enterprise Edition" = Microsoft Visual Studio 6.0 Enterprise Edition
"VLC media player" = VideoLAN VLC media player 0.8.6d
"WavePad" = WavePad Uninstall
"WebPost" = Microsoft Web Publishing Wizard 1.53
"WGA" = Windows Genuine Advantage Validation Tool
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wolfenstein - Enemy Territory" = Wolfenstein - Enemy Territory
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Call of Combat Lobby" = Call of Combat Lobby
"Octoshape add-in for Adobe Flash Player" = Octoshape add-in for Adobe Flash Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 28/06/2010 4:12:49 AM | Computer Name = HAIB-2CA16646B7 | Source = MSSecurityEssentials | ID = 5000
Description =

Error - 28/06/2010 4:17:07 AM | Computer Name = HAIB-2CA16646B7 | Source = MSSecurityEssentials | ID = 5000
Description =

Error - 28/06/2010 4:18:03 AM | Computer Name = HAIB-2CA16646B7 | Source = MSSecurityEssentials | ID = 5000
Description =

Error - 28/06/2010 4:24:20 AM | Computer Name = HAIB-2CA16646B7 | Source = MSSecurityEssentials | ID = 5000
Description =

Error - 28/06/2010 6:00:25 AM | Computer Name = HAIB-2CA16646B7 | Source = Application Hang | ID = 1002
Description = Hanging application taskmgr.exe, version 5.1.2600.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 28/06/2010 6:00:30 AM | Computer Name = HAIB-2CA16646B7 | Source = Application Hang | ID = 1002
Description = Hanging application taskmgr.exe, version 5.1.2600.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 28/06/2010 6:27:14 AM | Computer Name = HAIB-2CA16646B7 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 28/06/2010 6:27:15 AM | Computer Name = HAIB-2CA16646B7 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 28/06/2010 3:08:21 PM | Computer Name = HAIB-2CA16646B7 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 28/06/2010 3:08:21 PM | Computer Name = HAIB-2CA16646B7 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

[ System Events ]
Error - 28/06/2010 3:30:07 PM | Computer Name = HAIB-2CA16646B7 | Source = Service Control Manager | ID = 7031
Description = The AVG WatchDog service terminated unexpectedly. It has done this
2 time(s). The following corrective action will be taken in 0 milliseconds: Restart
the service.

Error - 28/06/2010 3:30:14 PM | Computer Name = HAIB-2CA16646B7 | Source = Service Control Manager | ID = 7031
Description = The Microsoft Antimalware Service service terminated unexpectedly.
It has done this 2 time(s). The following corrective action will be taken in
15000 milliseconds: Restart the service.

Error - 28/06/2010 3:39:26 PM | Computer Name = HAIB-2CA16646B7 | Source = DCOM | ID = 10005
Description = DCOM got error "%2" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 28/06/2010 3:39:26 PM | Computer Name = HAIB-2CA16646B7 | Source = Service Control Manager | ID = 7000
Description = The Automatic Updates service failed to start due to the following
error: %%2

Error - 28/06/2010 4:14:16 PM | Computer Name = HAIB-2CA16646B7 | Source = Service Control Manager | ID = 7000
Description = The Background Intelligent Transfer Service service failed to start
due to the following error: %%2

Error - 28/06/2010 4:14:16 PM | Computer Name = HAIB-2CA16646B7 | Source = Service Control Manager | ID = 7000
Description = The Automatic Updates service failed to start due to the following
error: %%2

Error - 28/06/2010 4:28:16 PM | Computer Name = HAIB-2CA16646B7 | Source = DCOM | ID = 10005
Description = DCOM got error "%2" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 28/06/2010 4:28:17 PM | Computer Name = HAIB-2CA16646B7 | Source = Service Control Manager | ID = 7000
Description = The Automatic Updates service failed to start due to the following
error: %%2

Error - 28/06/2010 5:12:05 PM | Computer Name = HAIB-2CA16646B7 | Source = Service Control Manager | ID = 7000
Description = The Background Intelligent Transfer Service service failed to start
due to the following error: %%2

Error - 28/06/2010 5:12:05 PM | Computer Name = HAIB-2CA16646B7 | Source = Service Control Manager | ID = 7000
Description = The Automatic Updates service failed to start due to the following
error: %%2


< End of report >


I feel like that the longer the computer is running, the worse is getting. The malware and virus programs don't seem to be really removing the threats. Please help :)
  • 0

#8
RKinner
Posted 28 June 2010 - 06:16 PM

RKinner

    Malware Expert

  • Expert
  • 24,446 posts
  • MVP
You are still running too many anti-viruses. You also have AVG. Uninstall it then download save and run the AVG removal tool
http://download.avg..../avgremover.exe

I do see some evidence of malware:

The At1 and At2.job files are scheduled tasks that will run malware at odd intervals.

We will let OTL remove them.

Copy the text between the lines of stars by highlighting and Ctrl + c
*******************************************************************
:OTL
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\WINDOWS\system32\bae.dll (Gateway Inc.)
O3 - HKLM\..\Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {C95A4E8E-816D-4655-8C79-D736DA1ADB6D} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} Reg Error: Key error. (Reg Error: Key error.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - File not found
O32 - AutoRun File - [2004/09/13 12:15:24 | 000,000,053 | -HS- | M] () - H:\Autorun.inf -- [ FAT32 ]
O33 - MountPoints2\{dd6dd551-2f55-11db-b3c1-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{dd6dd551-2f55-11db-b3c1-806d6172696f}\Shell\AutoRun - "" = Auto&Play

:Files
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At2.job

:Commands
[RESETHOSTS]
[purity]
[emptytemp]
[Reboot]

*******************************************************************

then run OTL and Under the Custom Scans/Fixes box at the bottom, paste (ctrl +v) the text. Verify that you got it all and Then click the Run Fix button at the top
Let the program run unhindered, OTL will reboot the PC when it is done.

Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Run Malwarebytes' Anti-Malware

* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.



Download but do not yet run ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Rename this file -- (call it george.exe ) to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on george to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your protection programs at this time :!:

Reboot now, please :!:

Post Back (copy/paste the .txt files, do not use attachments)
After following the above, post back with:

OTL Log
MBAM log
Combofix log

Ron

PS You are running some weird proxies to hide your IP address. Are these really necessary? The backup ones go over to Research Triangle Park so if you are at home you might want to get rid of both sets: If you can live without them then use this script for OTL instead of the one at the top.

Copy the text between the lines of stars by highlighting and Ctrl + c
********************************************************************************
*******************
:OTL
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
FF - prefs.js..network.proxy.backup.ftp: "204.85.191.10"
FF - prefs.js..network.proxy.backup.ftp_port: 3128
FF - prefs.js..network.proxy.backup.gopher: "204.85.191.10"
FF - prefs.js..network.proxy.backup.gopher_port: 3128
FF - prefs.js..network.proxy.backup.socks: "204.85.191.10"
FF - prefs.js..network.proxy.backup.socks_port: 3128
FF - prefs.js..network.proxy.backup.ssl: "204.85.191.10"
FF - prefs.js..network.proxy.backup.ssl_port: 3128
FF - prefs.js..network.proxy.ftp: "proxy.changeipaddress.org"
FF - prefs.js..network.proxy.ftp_port: 8231
FF - prefs.js..network.proxy.gopher: "proxy.changeipaddress.org"
FF - prefs.js..network.proxy.gopher_port: 8231
FF - prefs.js..network.proxy.http: "proxy.changeipaddress.org"
FF - prefs.js..network.proxy.http_port: 8231
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "proxy.changeipaddress.org"
FF - prefs.js..network.proxy.socks_port: 8231
FF - prefs.js..network.proxy.ssl: "proxy.changeipaddress.org"
FF - prefs.js..network.proxy.ssl_port: 8231
FF - prefs.js..network.proxy.type: 0
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\WINDOWS\system32\bae.dll (Gateway Inc.)
O3 - HKLM\..\Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {C95A4E8E-816D-4655-8C79-D736DA1ADB6D} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} Reg Error: Key error. (Reg Error: Key error.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - File not found
O32 - AutoRun File - [2004/09/13 12:15:24 | 000,000,053 | -HS- | M] () - H:\Autorun.inf -- [ FAT32 ]
O33 - MountPoints2\{dd6dd551-2f55-11db-b3c1-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{dd6dd551-2f55-11db-b3c1-806d6172696f}\Shell\AutoRun - "" = Auto&Play

:Files
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At2.job

:Commands
[RESETHOSTS]
[purity]
[emptytemp]
[Reboot]

*******************************************************************
  • 0

#9
vincec15
Posted 28 June 2010 - 11:48 PM

vincec15

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hey there. Sorry for the late response, one of the scans was lengthy. Thank you for helping me with this.

Here is the OTL log:

OTL logfile created on: 28/06/2010 10:06:26 PM - Run 2
OTL by OldTimer - Version 3.2.7.0 Folder = C:\Documents and Settings\Owner\My Documents\Downloads
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

894.00 Mb Total Physical Memory | 468.00 Mb Available Physical Memory | 52.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 181.01 Gb Total Space | 129.04 Gb Free Space | 71.29% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 5.28 Gb Total Space | 3.40 Gb Free Space | 64.36% Space Free | Partition Type: FAT32
I: Drive not present or media not loaded

Computer Name: HAIB-2CA16646B7
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/06/28 17:14:23 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\My Documents\Downloads\OTL.exe
PRC - [2010/02/21 05:03:12 | 001,093,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\msseces.exe
PRC - [2009/12/09 18:02:38 | 000,017,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
PRC - [2007/06/13 06:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/03/17 15:13:47 | 000,185,896 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2004/12/08 20:57:36 | 000,550,912 | ---- | M] () -- C:\WINDOWS\zHotkey.exe


========== Modules (SafeList) ==========

MOD - [2010/06/28 17:14:23 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\My Documents\Downloads\OTL.exe
MOD - [2006/08/25 11:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
MOD - [2004/08/10 15:00:00 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (appoyqcbiu3)
SRV - [2009/12/09 18:02:38 | 000,017,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
SRV - [2008/11/11 10:38:06 | 000,620,544 | ---- | M] (Nokia.) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2006/11/03 20:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - [2009/12/02 15:23:40 | 000,149,040 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\MpFilter.sys -- (MpFilter)
DRV - [2008/08/26 10:26:12 | 000,018,816 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2008/06/02 18:10:18 | 004,752,384 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/01/23 17:25:32 | 000,027,136 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tapvpn.sys -- (tapvpn)
DRV - [2006/09/30 06:35:52 | 000,027,936 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\pstrip.sys -- (PStrip)
DRV - [2006/01/18 06:41:00 | 000,080,512 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2006/01/15 02:48:08 | 001,477,632 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/03/16 20:51:16 | 001,033,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/03/16 20:50:36 | 000,221,440 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2005/03/16 20:50:32 | 000,705,280 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2005/01/07 20:07:18 | 000,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
DRV - [2004/11/10 20:30:18 | 000,024,832 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2004/11/10 20:27:34 | 000,044,288 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2004/08/04 09:07:44 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2004/08/04 09:07:44 | 000,041,088 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2004/08/04 01:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2003/01/10 17:13:04 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2001/08/18 00:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/18 00:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/18 00:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/18 00:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/18 00:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 23:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 23:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 23:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 23:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 23:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 23:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 23:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 23:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 23:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 23:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.c...h...DTP&M=T5212
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.c...h...DTP&M=T5212
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.c...h...DTP&M=T5212

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.c...h...DTP&M=T5212
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://money.ca.msn.com"
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..network.proxy.backup.ftp: ""
FF - prefs.js..network.proxy.backup.ftp_port: ""
FF - prefs.js..network.proxy.backup.gopher: ""
FF - prefs.js..network.proxy.backup.gopher_port: ""
FF - prefs.js..network.proxy.backup.socks: ""
FF - prefs.js..network.proxy.backup.socks_port: ""
FF - prefs.js..network.proxy.backup.ssl: ""
FF - prefs.js..network.proxy.backup.ssl_port: ""

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/06/27 05:52:59 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/27 04:48:19 | 000,000,000 | ---D | M]

[2008/09/01 17:56:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2010/06/27 23:12:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4es6pf8.default\extensions
[2010/06/03 05:40:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4es6pf8.default\extensions\[email protected](2).com
[2007/07/31 14:35:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4es6pf8.default\extensions\[email protected]
[2007/07/31 14:35:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4es6pf8.default\extensions\[email protected]
[2009/09/02 21:40:36 | 000,000,945 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4es6pf8.default\searchplugins\youtube-video-search.xml
[2010/06/27 23:12:53 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/06/03 04:48:23 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/05/22 12:24:03 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/06/28 22:01:07 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (FlashFXP Helper for Internet Explorer) - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\Program Files\FlashFXP\IEFlash.dll (IniCom Networks, Inc.)
O3 - HKLM\..\Toolbar: (&Radio) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx ()
O4 - HKLM..\Run: [CHotkey] C:\WINDOWS\zHotkey.exe ()
O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zon...kr.cab56986.cab (Checkers Class)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.micr...922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail....es/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zon...1/GAME_UNO1.cab (UnoCtrl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://messenger.zon...ro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zon...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} http://messenger.zon...er.cab56986.cab (Minesweeper Flags Class)
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} https://secure.gopet...v/GoPetsWeb.cab (GoPetsWeb Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\vnd.ms.radio {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINDOWS\system32\msdxm.ocx ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/06/17 05:41:16 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/06/28 21:43:18 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/06/28 04:11:16 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials
[2010/06/28 03:06:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/06/28 03:05:28 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/06/27 23:53:43 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/06/27 09:41:57 | 000,000,000 | ---D | C] -- C:\VundoFix Backups
[2010/06/27 04:34:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
[2010/06/26 23:25:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg9
[2010/06/25 21:21:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\AdobeUM
[2010/06/25 21:20:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Real
[2010/06/20 04:40:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\taprognlc
[2010/06/10 18:49:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/06/10 18:49:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/06/05 15:14:05 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/06/05 15:14:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/06/03 09:13:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\qqknglntn
[2010/06/03 05:42:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\piqvomsxq
[2010/06/03 05:42:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Real
[2010/06/03 05:40:13 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Owner\Recent
[2010/05/29 21:01:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/05/22 12:24:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/05/22 12:21:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Downloads
[2010/04/21 15:03:57 | 000,000,000 | ---D | C] -- C:\Program Files\PartyGaming
[6 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/06/28 22:07:58 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/06/28 22:07:31 | 000,000,374 | -H-- | M] () -- C:\WINDOWS\tasks\MpIdleTask.job
[2010/06/28 22:02:31 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/28 22:02:27 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/28 22:02:26 | 937,046,016 | -HS- | M] () -- C:\hiberfil.sys
[2010/06/28 22:01:16 | 008,634,368 | ---- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT
[2010/06/28 22:01:16 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/06/28 22:01:07 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2010/06/28 19:06:55 | 001,575,956 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2010/06/28 04:11:18 | 000,000,820 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/06/28 04:06:32 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/28 03:07:13 | 000,000,714 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2010/06/28 03:05:29 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\NTREGOPT.lnk
[2010/06/28 03:05:29 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\ERUNT.lnk
[2010/06/27 23:54:28 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\HiJackThis.lnk
[2010/06/27 09:39:48 | 000,000,209 | -HS- | M] () -- C:\boot.ini
[2010/06/27 09:39:47 | 000,000,976 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/06/27 09:39:45 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/06/26 23:55:16 | 000,001,620 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/06/26 23:55:16 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/06/26 04:24:22 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/06/22 23:36:04 | 000,022,528 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\coverletter-hs.doc
[2010/06/22 23:35:58 | 000,035,932 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\resume.tif
[2010/06/22 23:35:50 | 000,043,008 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\resume.doc
[2010/06/22 23:35:37 | 000,053,517 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\4766_103628842889_503482889_2615097_3326266_n.jpg
[2010/06/22 23:35:31 | 000,028,516 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\10047-477-017f.jpg
[2010/06/21 22:47:13 | 003,888,054 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\fallschedule.bmp
[2010/06/21 01:50:54 | 000,002,622 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\wklnhst.dat
[2010/06/05 16:28:48 | 000,004,442 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2010/06/05 15:14:19 | 000,000,951 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2010/06/05 15:14:19 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Spybot - Search & Destroy.lnk
[2010/06/03 05:14:40 | 000,444,836 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/03 05:14:40 | 000,072,268 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/05/16 01:53:10 | 000,526,970 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[6 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/28 04:16:39 | 000,000,408 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/06/28 04:16:38 | 000,000,374 | -H-- | C] () -- C:\WINDOWS\tasks\MpIdleTask.job
[2010/06/28 04:11:18 | 000,000,820 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/06/28 03:05:29 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\NTREGOPT.lnk
[2010/06/28 03:05:29 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\ERUNT.lnk
[2010/06/27 23:53:43 | 000,002,447 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\HiJackThis.lnk
[2010/06/27 09:34:43 | 937,046,016 | -HS- | C] () -- C:\hiberfil.sys
[2010/06/22 23:36:04 | 000,022,528 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\coverletter-hs.doc
[2010/06/22 23:36:00 | 000,035,932 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\resume.tif
[2010/06/22 23:35:51 | 000,043,008 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\resume.doc
[2010/06/22 23:35:37 | 000,053,517 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\4766_103628842889_503482889_2615097_3326266_n.jpg
[2010/06/22 23:35:33 | 000,028,516 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\10047-477-017f.jpg
[2010/06/21 22:47:13 | 003,888,054 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\fallschedule.bmp
[2010/06/05 15:14:19 | 000,000,951 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2010/06/05 15:14:19 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Spybot - Search & Destroy.lnk
[2010/06/01 07:19:16 | 000,001,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
[2010/06/01 07:19:16 | 000,000,986 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
[2010/06/01 06:57:33 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2008/10/21 21:33:19 | 000,138,280 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2008/05/30 23:32:28 | 000,000,465 | ---- | C] () -- C:\WINDOWS\AudioConverter.INI
[2007/08/16 18:37:03 | 000,000,355 | ---- | C] () -- C:\WINDOWS\Sonic3K.INI
[2007/03/29 23:00:40 | 000,203,264 | ---- | C] () -- C:\WINDOWS\System32\CddbCdda.dll
[2007/03/19 20:35:06 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2007/01/30 19:31:46 | 000,002,368 | ---- | C] () -- C:\WINDOWS\EaseAudioConverter.ini
[2007/01/06 12:59:39 | 000,004,442 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/01/05 23:41:10 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/09/30 06:35:52 | 000,027,936 | ---- | C] () -- C:\WINDOWS\System32\drivers\pstrip.sys
[2006/08/19 04:02:27 | 000,532,544 | ---- | C] () -- C:\WINDOWS\PIC.dll
[2006/08/19 04:02:27 | 000,024,576 | ---- | C] () -- C:\WINDOWS\HKNTDLL.dll
[2006/08/19 04:02:27 | 000,011,776 | ---- | C] () -- C:\WINDOWS\HIDMNT.dll
[2006/08/19 03:54:25 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/06/21 05:48:15 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/06/17 05:24:58 | 000,001,442 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/06/17 05:24:57 | 000,000,493 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2006/06/17 05:23:22 | 001,288,192 | ---- | C] () -- C:\WINDOWS\System32\quartz(3).dll
[2006/06/17 05:23:22 | 001,287,680 | ---- | C] () -- C:\WINDOWS\System32\quartz(2).dll
[2006/04/14 10:37:26 | 000,000,031 | ---- | C] () -- C:\WINDOWS\aceg.ini
[2005/08/30 01:00:00 | 000,781,312 | ---- | C] () -- C:\WINDOWS\System32\RGSS102J.dll
[2005/08/30 01:00:00 | 000,778,752 | ---- | C] () -- C:\WINDOWS\System32\RGSS102E.dll
[2005/08/30 01:00:00 | 000,771,584 | ---- | C] () -- C:\WINDOWS\System32\RGSS100J.dll
[2005/08/06 00:01:54 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/01/07 18:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2010/06/26 23:26:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2009/01/14 19:02:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Graboid Inc
[2008/12/31 21:07:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Installations
[2007/06/28 00:27:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iWin Games
[2007/01/05 23:38:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
[2007/10/28 16:19:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2009/08/05 22:40:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Suite
[2008/09/27 21:21:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
[2010/06/28 03:42:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2006/08/19 04:04:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2007/01/05 23:39:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WildTangent
[2008/10/03 18:50:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[2007/01/07 17:02:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\.BitTornado
[2007/07/10 15:51:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\acccore
[2009/01/21 18:55:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Dev-Cpp
[2007/01/06 00:49:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\FlashFXP
[2009/10/17 17:54:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\LG Electronics
[2007/03/30 20:22:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\LuckaSoft
[2008/03/07 21:13:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\MSNInstaller
[2007/10/28 16:19:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\NCH Swift Sound
[2008/12/31 21:09:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Nokia
[2008/12/31 21:09:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\PC Suite
[2007/10/28 16:19:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Recordpad
[2006/08/19 04:13:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SampleView
[2008/01/23 18:05:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Template
[2010/03/26 23:54:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Uniblue
[2010/06/28 22:07:58 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2010/06/28 22:07:31 | 000,000,374 | -H-- | M] () -- C:\WINDOWS\Tasks\MpIdleTask.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 145 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >


The MBAM log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4248

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

29/06/2010 12:54:24 AM
mbam-log-2010-06-29 (00-54-24).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Objects scanned: 248138
Time elapsed: 2 hour(s), 41 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP791\A0272896.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP791\A0272908.exe (Rogue.AVSecuritySuite) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP792\A0273070.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


Combofix Log:

ComboFix 10-06-28.01 - Owner 29/06/2010 1:26.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.894.450 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\george.exe.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\autorun.inf
c:\windows\expert
c:\windows\expert\Apps\Help.ico
c:\windows\expert\Apps\Home.exe
c:\windows\expert\Apps\Install.ico
c:\windows\expert\Apps\PDF.ICO
c:\windows\expert\Apps\Readme.ico
c:\windows\expert\Apps\Register.exe
c:\windows\expert\Apps\Support.exe
c:\windows\expert\X6820.INI
c:\windows\expert\X6822.INI

Infected copy of c:\windows\system32\drivers\netbt.sys was found and disinfected
Restored copy from - Kitty had a snack :)
.
((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-29 )))))))))))))))))))))))))))))))
.

2010-06-28 07:05 . 2010-06-28 07:05 -------- d-----w- c:\program files\ERUNT
2010-06-28 03:53 . 2010-06-28 03:53 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-28 03:53 . 2010-06-28 03:53 -------- d-----w- c:\program files\Trend Micro
2010-06-27 13:41 . 2010-06-27 13:41 -------- d-----w- C:\VundoFix Backups
2010-06-27 09:57 . 2010-06-27 09:57 63488 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-27 09:57 . 2010-06-27 09:57 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-27 09:56 . 2010-06-27 09:56 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-27 09:54 . 2010-06-27 09:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-06-27 09:52 . 2010-06-27 09:52 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-06-27 08:36 . 2010-06-27 08:36 63488 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-27 08:36 . 2010-06-27 08:36 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-27 08:36 . 2010-06-27 08:36 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-27 08:34 . 2010-06-27 08:34 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2010-06-27 03:25 . 2010-06-27 03:26 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-06-26 01:21 . 2010-06-26 01:21 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-06-20 08:40 . 2010-06-26 23:44 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\taprognlc
2010-06-05 19:14 . 2010-06-29 05:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-05 19:14 . 2010-06-05 19:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-03 13:13 . 2010-06-05 20:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\qqknglntn
2010-06-03 09:43 . 2010-06-03 09:43 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-03 09:42 . 2010-06-27 13:30 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\piqvomsxq
2010-06-02 00:10 . 2010-06-03 09:42 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-06-01 10:57 . 2010-06-26 08:24 664 ----a-w- c:\windows\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-28 08:18 . 2006-06-17 09:23 577536 ----a-w- c:\windows\system32\USER32.dll
2010-06-28 08:11 . 2010-06-28 08:11 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-06-28 07:42 . 2007-06-28 04:29 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-28 07:07 . 2009-05-03 17:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-27 13:30 . 2007-06-28 04:27 -------- d-----w- c:\program files\iWin Games
2010-06-21 05:50 . 2008-01-23 22:05 2622 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat
2010-06-21 05:29 . 2007-01-12 21:38 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2
2010-06-06 18:41 . 2006-06-19 06:36 -------- d-----w- c:\program files\Common Files\New Boundary
2010-06-03 09:42 . 2006-08-19 07:56 -------- d-----w- c:\program files\Java
2010-06-03 09:06 . 2010-03-27 04:01 -------- d-----w- c:\program files\Formatta 7.0
2010-06-03 00:48 . 2010-05-18 00:09 439816 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\setup.exe
2010-05-22 16:24 . 2006-08-19 07:56 -------- d-----w- c:\program files\Common Files\Java
2010-05-22 16:24 . 2010-05-22 16:24 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3b1906ae-n\msvcp71.dll
2010-05-22 16:24 . 2010-05-22 16:24 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3b1906ae-n\jmc.dll
2010-05-22 16:24 . 2010-05-22 16:24 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3b1906ae-n\msvcr71.dll
2010-05-22 16:24 . 2010-05-22 16:24 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5c03367b-n\decora-d3d.dll
2010-05-22 16:24 . 2010-05-22 16:24 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5c03367b-n\decora-sse.dll
2010-05-22 16:24 . 2010-05-22 16:24 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-21 18:14 . 2010-06-28 08:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-29 19:39 . 2009-05-03 17:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-05-03 17:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2008-06-10 20:30 . 2008-06-10 20:12 84 ----a-r- c:\program files\SETUP.TDF
1998-06-26 22:19 . 2008-06-10 20:11 0 ----a-w- c:\program files\VS98ECD1.INF
1998-06-15 21:01 . 2008-06-10 20:11 2275 ----a-w- c:\program files\SETUPWIZ.INI
1998-06-12 21:02 . 2008-06-10 20:11 149 ----a-w- c:\program files\SETUP.INI
1998-05-31 19:42 . 2008-06-10 20:11 77 ----a-w- c:\program files\IE4CHECK.INI
1998-05-18 23:13 . 2008-06-10 20:11 49152 ----a-w- c:\program files\SMSINST.EXE
1998-04-24 23:19 . 2008-06-10 20:11 74352 ----a-w- c:\program files\ACMBOOT.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CHotkey"="zHotkey.exe" [2004-12-09 550912]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-28 16862720]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-03-17 185896]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-1-7 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2007-04-27 21:17 50736 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 22:43 69632 ----a-w- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-10-01 22:57 289576 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2008-12-03 17:47 1205760 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerStrip]
2006-11-06 12:35 722176 ----a-w- c:\program files\PowerStrip\pstrip.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 19:09 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\readericon]
2005-12-10 01:44 139264 ----a-w- c:\program files\Digital Media Reader\readericon45G.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 06:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recordpad]
2007-10-28 20:18 577540 ----a-w- c:\program files\NCH Swift Sound\Recordpad\recordpad.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2005-02-26 01:24 966656 ----a-w- c:\windows\creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2007-03-17 19:13 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-04 00:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"=
"c:\\Program Files\\LuckaSoft\\EnginSite Editor for PHP\\DbgListener.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Electronic Arts\\Need For Speed III\\nfs3.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jdk1.6.0\\jre\\bin\\java.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [30/09/2006 6:35 AM 27936]
S1 147a1c24;147a1c24;c:\windows\system32\drivers\147a1c24.sys --> c:\windows\system32\drivers\147a1c24.sys [?]
S2 appoyqcbiu3;Print Spooler Service;c:\windows\system32\jokrvvogukq.exe /service --> c:\windows\system32\jokrvvogukq.exe [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 8:19 PM 13592]
.
Contents of the 'Scheduled Tasks' folder

2010-06-29 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 22:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5212
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5212
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4es6pf8.default\
FF - prefs.js: browser.startup.homepage - hxxp://money.ca.msn.com
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr
ef", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-agsdhnor - c:\documents and settings\Owner\Local Settings\Application Data\piqvomsxq\qgshicgtssd.exe
MSConfigStartUp-AVG9_TRAY - c:\progra~1\AVG\AVG9\avgtray.exe
MSConfigStartUp-ISTray - c:\program files\Spyware Doctor\pctsTray.exe
MSConfigStartUp-MSKDetectorExe - c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe
MSConfigStartUp-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
MSConfigStartUp-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe
AddRemove-AV Voice Changer Software GOLD 6.0 - c:\progra~1\AVVCS6~1.0GO\UNWISE.EXE
AddRemove-Norton PC Checkup - c:\program files\Norton PC Checkup\uninstall.exe
AddRemove-RegistryBooster 2_is1 - c:\program files\Uniblue\RegistryBooster 2\unins000.exe
AddRemove-Security Task Manager - c:\program files\Security Task Manager\Uninstal.exe
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9b.exe
AddRemove-Sonic 3D - c:\sega\Sonic3D\directx\setup
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-29 01:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(596)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-06-29 01:36:25
ComboFix-quarantined-files.txt 2010-06-29 05:36

Pre-Run: 138,428,936,192 bytes free
Post-Run: 138,385,371,136 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 8485B45693F155F02FC0C0C70FFE2B68


Just curious, after Combofix was done and I restarted, the Internet Explorer icon appeared on my desktop in addition with what was previously there. Is that fine?
  • 0

#10
RKinner
Posted 28 June 2010 - 11:59 PM

RKinner

    Malware Expert

  • Expert
  • 24,446 posts
  • MVP
Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

Killall:

File::
c:\windows\system32\drivers\147a1c24.sys
c:\windows\system32\jokrvvogukq.exe

Driver::
147a1c24
appoyqcbiu3

Folder::
c:\documents and settings\Owner\Local Settings\Application Data\piqvomsxq

Rootkit::
c:\windows\system32\drivers\147a1c24.sys
c:\windows\system32\jokrvvogukq.exe

******************************************

Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all then File, SAVE AS, (to your Desktop), CFScript , OK. Close notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Pause your anti-virus.

Drag it over to george and let it start as before.

Post the new log.

There may be something wrong with the old one. Right click on each and select Properties and see if it is a shortcut or the real IE. If it's a shortcut, delete it.

Combofix found a bad driver and claims it repaired it so things should be a bit better now.

Also do the BitDefender scan

http://www.bitdefend...nline/free.html

Ron
  • 0

Advertisements

#11
vincec15
Posted 29 June 2010 - 12:30 AM

vincec15

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Here is the new log:

ComboFix 10-06-28.01 - Owner 29/06/2010 2:08.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.894.510 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\george.exe.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\system32\drivers\147a1c24.sys"
"c:\windows\system32\jokrvvogukq.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Local Settings\Application Data\piqvomsxq

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_APPOYQCBIU3
-------\Service_147a1c24
-------\Service_appoyqcbiu3


((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-29 )))))))))))))))))))))))))))))))
.

2010-06-29 01:43 . 2010-06-29 01:43 -------- d-----w- C:\_OTL
2010-06-28 08:14 . 2010-05-21 18:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-06-28 08:11 . 2010-06-28 08:11 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-06-28 07:05 . 2010-06-28 07:05 -------- d-----w- c:\program files\ERUNT
2010-06-28 03:53 . 2010-06-28 03:53 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-28 03:53 . 2010-06-28 03:53 -------- d-----w- c:\program files\Trend Micro
2010-06-27 13:41 . 2010-06-27 13:41 -------- d-----w- C:\VundoFix Backups
2010-06-27 09:57 . 2010-06-27 09:57 63488 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-27 09:57 . 2010-06-27 09:57 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-27 09:56 . 2010-06-27 09:56 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-27 09:54 . 2010-06-27 09:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-06-27 09:52 . 2010-06-27 09:52 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-06-27 08:36 . 2010-06-27 08:36 63488 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-27 08:36 . 2010-06-27 08:36 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-27 08:36 . 2010-06-27 08:36 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-27 08:34 . 2010-06-27 08:34 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2010-06-27 03:25 . 2010-06-27 03:26 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-06-26 01:21 . 2010-06-26 01:21 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-06-20 08:40 . 2010-06-26 23:44 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\taprognlc
2010-06-05 19:14 . 2010-06-29 05:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-05 19:14 . 2010-06-05 19:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-03 13:13 . 2010-06-05 20:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\qqknglntn
2010-06-03 09:43 . 2010-06-03 09:43 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-02 00:10 . 2010-06-03 09:42 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-06-01 10:57 . 2010-06-26 08:24 664 ----a-w- c:\windows\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-28 08:18 . 2006-06-17 09:23 577536 ----a-w- c:\windows\system32\USER32.dll
2010-06-28 07:42 . 2007-06-28 04:29 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-28 07:07 . 2009-05-03 17:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-27 13:30 . 2007-06-28 04:27 -------- d-----w- c:\program files\iWin Games
2010-06-21 05:50 . 2008-01-23 22:05 2622 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat
2010-06-21 05:29 . 2007-01-12 21:38 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2
2010-06-06 18:41 . 2006-06-19 06:36 -------- d-----w- c:\program files\Common Files\New Boundary
2010-06-03 09:42 . 2006-08-19 07:56 -------- d-----w- c:\program files\Java
2010-06-03 09:06 . 2010-03-27 04:01 -------- d-----w- c:\program files\Formatta 7.0
2010-06-03 00:48 . 2010-05-18 00:09 439816 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\setup.exe
2010-05-22 16:24 . 2006-08-19 07:56 -------- d-----w- c:\program files\Common Files\Java
2010-05-22 16:24 . 2010-05-22 16:24 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3b1906ae-n\msvcp71.dll
2010-05-22 16:24 . 2010-05-22 16:24 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3b1906ae-n\jmc.dll
2010-05-22 16:24 . 2010-05-22 16:24 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3b1906ae-n\msvcr71.dll
2010-05-22 16:24 . 2010-05-22 16:24 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5c03367b-n\decora-d3d.dll
2010-05-22 16:24 . 2010-05-22 16:24 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5c03367b-n\decora-sse.dll
2010-05-22 16:24 . 2010-05-22 16:24 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-29 19:39 . 2009-05-03 17:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-05-03 17:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2008-06-10 20:30 . 2008-06-10 20:12 84 ----a-r- c:\program files\SETUP.TDF
1998-06-26 22:19 . 2008-06-10 20:11 0 ----a-w- c:\program files\VS98ECD1.INF
1998-06-15 21:01 . 2008-06-10 20:11 2275 ----a-w- c:\program files\SETUPWIZ.INI
1998-06-12 21:02 . 2008-06-10 20:11 149 ----a-w- c:\program files\SETUP.INI
1998-05-31 19:42 . 2008-06-10 20:11 77 ----a-w- c:\program files\IE4CHECK.INI
1998-05-18 23:13 . 2008-06-10 20:11 49152 ----a-w- c:\program files\SMSINST.EXE
1998-04-24 23:19 . 2008-06-10 20:11 74352 ----a-w- c:\program files\ACMBOOT.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CHotkey"="zHotkey.exe" [2004-12-09 550912]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-28 16862720]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-03-17 185896]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-1-7 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2007-04-27 21:17 50736 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 22:43 69632 ----a-w- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-10-01 22:57 289576 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2008-12-03 17:47 1205760 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerStrip]
2006-11-06 12:35 722176 ----a-w- c:\program files\PowerStrip\pstrip.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 19:09 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\readericon]
2005-12-10 01:44 139264 ----a-w- c:\program files\Digital Media Reader\readericon45G.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 06:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recordpad]
2007-10-28 20:18 577540 ----a-w- c:\program files\NCH Swift Sound\Recordpad\recordpad.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2005-02-26 01:24 966656 ----a-w- c:\windows\creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2007-03-17 19:13 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-04 00:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"=
"c:\\Program Files\\LuckaSoft\\EnginSite Editor for PHP\\DbgListener.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Electronic Arts\\Need For Speed III\\nfs3.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jdk1.6.0\\jre\\bin\\java.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [30/09/2006 6:35 AM 27936]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 8:19 PM 13592]
.
Contents of the 'Scheduled Tasks' folder

2010-06-29 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 22:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5212
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5212
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4es6pf8.default\
FF - prefs.js: browser.startup.homepage - hxxp://money.ca.msn.com
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr
ef", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(600)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2644)
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng-us.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\program files\SmartFTP Client 2.0\smarthook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\zHotkey.exe
c:\windows\RTHDCPL.EXE
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2010-06-29 02:23:42 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-29 06:23
ComboFix2.txt 2010-06-29 05:36

Pre-Run: 137,899,364,352 bytes free
Post-Run: 137,779,159,040 bytes free

- - End Of File - - 3317545931AFD7007F047707308C43DD

Going to go ahead and do the BitDefender scan
  • 0

#12
vincec15
Posted 29 June 2010 - 12:37 AM

vincec15

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
No infections found from the BitDefender scan
  • 0

#13
RKinner
Posted 29 June 2010 - 07:32 AM

RKinner

    Malware Expert

  • Expert
  • 24,446 posts
  • MVP
Is it running any better?

Uninstall these old versions of Java:
"{3248F0A8-6813-11D6-A77B-00B0D0150020}" = J2SE Runtime Environment 5.0 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160000}" = Java™ SE Runtime Environment 6
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{32A3A4F4-B792-11D6-A78A-00B0D0160000}" = Java™ SE Development Kit 6

Ron
  • 0

#14
vincec15
Posted 29 June 2010 - 05:04 PM

vincec15

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hi Ron. Yep, the computer is running smoothly. The popup redirecting me to google.com is gone, Microsoft security essentials is no longer picking up any threats. Everything seems fine, thank you so much. :)

Just wondering what I could do to make sure this doesn't happen again. The programs I currently have are Microsoft Security Essentials, Malwarebytes Anti Malware, and SpyBot Search and Destroy.
  • 0

#15
RKinner
Posted 29 June 2010 - 05:52 PM

RKinner

    Malware Expert

  • Expert
  • 24,446 posts
  • MVP
We need to clean up System Restore. Follow Jim's procedure here:
http://forum.aumha.o...581099691bf108f


You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\george.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

To hide hidden files again:

XP

# Close all programs so that you are at your desktop.
# Double-click on the My Computer icon.
# Select the Tools menu and click Folder Options.
# After the new window appears select the View tab.
# Uncheck the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and shutdown My Computer.

Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat. Adobe is fond of foisting GetPlus on you. You can let them install it and then afterwards, go into Control Panel, Add/Remove Software and remove it. It probably doesn't hurt to leave it but I don't see the need for it and it has caused problems in the past.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

I recommend you install the free WinPatrol 2010 from http://www.winpatrol.com/download.html

It's a small program that will sit in your systray and warn you if something tries to make changes to your system.

If you use USB drives you might want to install Autorun Eater v2.4.
http://oldmcdonald.w...orun-eater-v24/
Another small program which will stay resident and prevent an infected USB drive from infecting your PC.

If you use Firefox then get the AdBlock Plus Add-on. WOT (Web of Trust) and No Script are two others you might want to try.

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox. It seems to work best if you reboot right after running it. You can run it any time that Firefox seems slow.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certain be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.

If you install the MVP Hosts file:
http://www.mvps.org/...p2002/hosts.htm
it will keep you from going to most bad sites. You do not need Spybot's Immunize which does the same thing.

Ron
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Forum
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP