Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

google redirects links to spam pages.

Started by celfan , Aug 15 2010 08:13 AM

Please log in to reply

#1
celfan

Posted 15 August 2010 - 08:13 AM

Member

Member
30 posts

Can’t link from google. Directed to spam websites. Internet slow.

I have XP
I can’t run GMER, it crashes my computer.
Malware bytes removed two objects. I ran it again

I ran malware bytes and got this.
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4430

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

8/14/2010 7:05:07 PM
mbam-log-2010-08-14 (19-05-07).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|)
Objects scanned: 177930
Time elapsed: 41 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\dllcache\winlogon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Windows Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.

Computer is still infected.
This is latest log.
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4430

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

8/14/2010 9:08:09 PM
mbam-log-2010-08-14 (21-08-09).txt

Scan type: Quick scan
Objects scanned: 134059
Time elapsed: 7 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

OTL logfile created on: 8/15/2010 9:13:51 AM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\HP_Administrator\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,015.00 Mb Total Physical Memory | 533.00 Mb Available Physical Memory | 53.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 139.25 Gb Total Space | 127.90 Gb Free Space | 91.85% Space Free | Partition Type: NTFS
Drive D: | 9.78 Gb Total Space | 6.31 Gb Free Space | 64.53% Space Free | Partition Type: NTFS
Drive E: | 596.21 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-235B2CE4A2
Current User Name: HP_Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/08/15 09:08:13 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\OTL.exe
PRC - [2010/07/29 19:05:30 | 000,202,256 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2010/07/21 08:01:28 | 000,921,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe
PRC - [2010/07/16 09:23:35 | 002,065,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2010/07/16 09:23:28 | 000,620,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/07/16 09:23:28 | 000,515,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/07/16 09:23:24 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/07/16 09:21:39 | 000,723,296 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2010/07/16 09:21:37 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2009/10/11 05:17:45 | 000,386,872 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jucheck.exe
PRC - [2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/01/31 14:55:42 | 000,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe

========== Modules (SafeList) ==========

MOD - [2010/08/15 09:08:13 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\OTL.exe
MOD - [2010/07/29 19:06:34 | 000,040,960 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
MOD - [2010/07/29 19:05:32 | 000,499,712 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcp71.dll
MOD - [2010/07/29 19:05:32 | 000,348,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcr71.dll
MOD - [2008/04/14 08:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx

========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/07/21 08:01:28 | 000,921,952 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2010/07/16 09:23:24 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2007/01/31 14:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\pcdrndisuio.sys -- (PcdrNdisuio)
DRV - [2010/07/16 09:23:32 | 000,243,024 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/07/16 09:21:39 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2010/06/10 15:46:44 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/10/18 20:50:36 | 000,018,816 | ---- | M] (RIF) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dvd43llh.sys -- (dvd43llh)
DRV - [2008/10/26 17:48:00 | 005,854,752 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2008/10/26 17:48:00 | 004,881,920 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/09/10 00:10:00 | 000,207,872 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS3.sys -- (HSFHWBS3)
DRV - [2008/09/10 00:09:54 | 000,731,264 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2008/09/10 00:09:52 | 000,985,728 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2008/08/07 07:14:56 | 000,111,360 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2008/04/14 08:00:00 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:1033

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com"
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.845
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.1.5
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 1033

FF - HKLM\software\mozilla\Firefox\extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2010/07/21 08:03:45 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/07/29 19:06:34 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.11\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/29 19:06:27 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.11\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/29 19:06:51 | 000,000,000 | ---D | M]

[2009/07/02 19:38:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Extensions
[2010/08/14 19:37:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\1ehlfnc0.default\extensions
[2009/09/02 07:39:22 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\1ehlfnc0.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/08/14 19:37:26 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/02/28 09:43:27 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [UpdateP2GoShortCut] C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.71.230 68.87.73.246
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/11/26 18:25:49 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (56590081070202880)

========== Files/Folders - Created Within 90 Days ==========

[2010/08/15 09:08:13 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\OTL.exe
[2010/08/14 20:53:35 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\TFC.exe
[2010/08/14 16:38:02 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\HP_Administrator\Recent
[2010/08/14 15:29:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Windows Server
[2010/08/11 22:14:01 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/07/29 19:06:12 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\xing shared
[2010/07/29 19:05:32 | 000,278,528 | ---- | C] (Real Networks, Inc) -- C:\WINDOWS\System32\pncrt.dll
[2010/07/29 19:05:30 | 000,000,000 | ---D | C] -- C:\Program Files\Real
[2010/07/29 19:05:29 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Real
[2010/07/29 19:05:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Real
[2010/07/29 19:05:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Application Data\Real
[2010/07/16 09:23:28 | 000,012,536 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2010/06/29 09:17:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2010/06/10 14:13:10 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/06/10 12:50:17 | 000,000,000 | -H-D | C] -- C:\$AVG
[2010/06/10 12:32:04 | 000,243,024 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2010/06/10 12:31:53 | 000,216,400 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2010/06/10 12:31:50 | 000,029,584 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2010/06/10 12:31:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\Avg
[2010/06/10 12:26:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg9
[2010/06/09 11:28:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\uexsoers
[2010/06/01 09:28:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Application Data\vlc
[2010/06/01 09:25:21 | 000,000,000 | ---D | C] -- C:\Program Files\VideoLAN
[2010/05/27 10:21:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\FileCure

========== Files - Modified Within 90 Days ==========

[2010/08/15 09:19:52 | 000,000,308 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-2464341608-3933873169-3681834009-1006.job
[2010/08/15 09:19:52 | 000,000,300 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-2464341608-3933873169-3681834009-1006.job
[2010/08/15 09:12:04 | 063,466,956 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/08/15 09:08:46 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\prvlcl.dat
[2010/08/15 09:08:13 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\OTL.exe
[2010/08/15 09:07:01 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/08/15 09:05:29 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/08/15 09:05:20 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/08/15 09:05:12 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/15 09:05:08 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/14 21:40:28 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\gmer.zip
[2010/08/14 20:54:35 | 003,407,872 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\NTUSER.DAT
[2010/08/14 20:54:35 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\HP_Administrator\ntuser.ini
[2010/08/14 20:53:08 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\TFC.exe
[2010/08/14 19:05:28 | 004,297,632 | -H-- | M] () -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\IconCache.db
[2010/08/12 06:20:17 | 000,151,584 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/08/11 22:19:40 | 000,432,356 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/08/11 22:19:40 | 000,067,312 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/08/11 22:19:39 | 000,488,068 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/08/11 16:32:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/07/29 19:07:58 | 000,000,025 | ---- | M] () -- C:\WINDOWS\cdplayer.ini
[2010/07/29 19:06:35 | 000,000,935 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\RealPlayer SP.lnk
[2010/07/29 19:05:32 | 000,278,528 | ---- | M] (Real Networks, Inc) -- C:\WINDOWS\System32\pncrt.dll
[2010/07/21 14:18:35 | 000,011,722 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\My Documents\new.docx
[2010/07/16 09:23:32 | 000,243,024 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2010/07/16 09:23:28 | 000,012,536 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2010/07/16 09:21:39 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2010/06/10 15:46:44 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2010/06/10 14:13:17 | 000,000,617 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\NTREGOPT.lnk
[2010/06/10 14:13:17 | 000,000,598 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\ERUNT.lnk
[2010/06/10 12:32:11 | 000,001,513 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 9.0.lnk
[2010/06/10 12:31:50 | 000,113,461 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2010/06/07 13:22:51 | 002,024,223 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\My Documents\IMG_1380.jpg

========== Files Created - No Company Name ==========

[2010/08/14 21:40:28 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\gmer.zip
[2010/07/29 19:07:58 | 000,000,025 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2010/07/29 19:06:35 | 000,000,935 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\RealPlayer SP.lnk
[2010/07/29 19:06:35 | 000,000,308 | ---- | C] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-2464341608-3933873169-3681834009-1006.job
[2010/07/29 19:06:35 | 000,000,300 | ---- | C] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-2464341608-3933873169-3681834009-1006.job
[2010/07/21 14:12:47 | 000,011,722 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\My Documents\new.docx
[2010/06/25 13:02:33 | 005,280,309 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\My Documents\IMG_0577.JPG
[2010/06/24 09:46:14 | 002,024,223 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\My Documents\IMG_1380.jpg
[2010/06/11 11:01:45 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\prvlcl.dat
[2010/06/10 14:13:17 | 000,000,617 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\NTREGOPT.lnk
[2010/06/10 14:13:17 | 000,000,598 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\ERUNT.lnk
[2010/06/10 12:32:11 | 000,001,513 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 9.0.lnk
[2010/06/10 12:31:50 | 000,113,461 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2010/06/10 12:31:46 | 063,466,956 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/07/02 18:35:18 | 000,008,704 | ---- | C] () -- C:\WINDOWS\System32\CNMVS75.DLL
[2008/11/26 19:38:39 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/11/26 18:40:20 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2008/11/26 17:11:00 | 000,000,592 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2008/11/26 17:10:56 | 000,755,200 | ---- | C] () -- C:\WINDOWS\System32\ir50_32.dll
[2008/11/26 17:10:56 | 000,338,432 | ---- | C] () -- C:\WINDOWS\System32\ir41_qcx.dll
[2008/11/26 17:10:56 | 000,200,192 | ---- | C] () -- C:\WINDOWS\System32\ir50_qc.dll
[2008/11/26 17:10:56 | 000,183,808 | ---- | C] () -- C:\WINDOWS\System32\ir50_qcx.dll
[2008/11/26 17:10:56 | 000,120,320 | ---- | C] () -- C:\WINDOWS\System32\ir41_qc.dll

========== LOP Check ==========

[2009/10/21 17:06:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\1Click DVD Copy Pro
[2010/06/10 12:27:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2009/07/02 18:35:00 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2010/05/27 10:21:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FileCure
[2010/01/27 13:49:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Musicnotes
[2008/11/26 18:49:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC-Doctor
[2008/11/26 18:58:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Temp
[2009/10/18 21:28:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\vsosdk
[2010/08/14 21:43:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >
[2008/11/26 18:25:49 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/02/22 18:28:08 | 000,000,210 | ---- | M] () -- C:\Boot.bak
[2010/03/08 08:00:52 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2004/08/04 00:00:00 | 000,260,272 | ---- | M] () -- C:\cmldr
[2008/11/26 18:25:49 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2009/09/03 15:30:00 | 000,039,424 | ---- | M] () -- C:\dansnewresume.doc
[2008/11/26 18:25:49 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/05/15 12:22:28 | 000,000,109 | ---- | M] () -- C:\mbam-error.txt
[2008/11/26 18:25:49 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2008/04/14 08:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/04/14 08:00:00 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/08/15 09:05:06 | 1598,029,824 | -HS- | M] () -- C:\pagefile.sys
[2010/04/19 08:07:25 | 000,000,207 | ---- | M] () -- C:\Shortcut (2) to CD Drive.lnk
[2010/04/19 07:48:22 | 000,000,207 | ---- | M] () -- C:\Shortcut to CD Drive.lnk
[2009/08/31 19:47:55 | 000,000,329 | ---- | M] () -- C:\updatedatfix.log

< %systemroot%\Fonts\*.com >
[2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont
[2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2008/11/26 18:25:19 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2005/03/25 01:00:00 | 000,020,992 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPD75.DLL
[2005/03/25 01:00:00 | 000,059,392 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPP75.DLL
[2008/07/06 08:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2006/10/26 19:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\msonpppr.dll
[2008/07/06 06:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2008/11/26 10:16:42 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2008/11/26 10:16:42 | 001,064,960 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2008/11/26 10:16:41 | 000,897,024 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
[2008/11/26 18:25:54 | 000,000,294 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-08-12 02:21:10
< End of report >
OTL Extras logfile created on: 8/15/2010 9:13:51 AM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\HP_Administrator\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,015.00 Mb Total Physical Memory | 533.00 Mb Available Physical Memory | 53.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 139.25 Gb Total Space | 127.90 Gb Free Space | 91.85% Space Free | Partition Type: NTFS
Drive D: | 9.78 Gb Total Space | 6.31 Gb Free Space | 64.53% Space Free | Partition Type: NTFS
Drive E: | 596.21 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-235B2CE4A2
Current User Name: HP_Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Disabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\AVG\AVG9\avgemc.exe" = C:\Program Files\AVG\AVG9\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java™ 6 Update 17
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"{44B2A0AB-412E-4F8C-B058-D1E8AECCDFF5}" = CyberLink Recovery Manager
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD SE
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{787D1A33-A97B-4245-87C0-7174609A540C}" = HP Update
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8B7917E0-AF55-4E8A-9473-017F0AA03AC8}" = QuickTime
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.5
"{AC76BA86-7AD7-1033-7B44-A81300000003}_814" = KB408682
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F4F4F84E-804F-4E9A-84D7-C34283F0088F}" = RealUpgrade 1.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AVG9Uninstall" = AVG Free 9.0
"CAL" = Canon Camera Access Library
"CameraWindowDC" = Canon Utilities CameraWindow DC
"CameraWindowDVC5" = Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"CANONBJ_Deinstall_CNMCP75.DLL" = Canon iP1600
"CCleaner" = CCleaner (remove only)
"CNXT_MODEM_PCI_HSF" = PCIe Soft Data Fax Modem with SmartCP
"CSCLIB" = Canon Camera Support Core Library
"DVD43_is1" = DVD43 v4.5.0
"Easy-PhotoPrint" = Canon Utilities Easy-PhotoPrint
"Easy-WebPrint" = Easy-WebPrint
"EOS Utility" = Canon Utilities EOS Utility
"ERUNT_is1" = ERUNT 1.1j
"Google Chrome" = Google Chrome
"Google Updater" = Google Updater
"HDMI" = Intel® Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"HOMESTUDENTR" = Microsoft Office Home and Student 2007 Trial
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"Mozilla Firefox (3.5.11)" = Mozilla Firefox (3.5.11)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MyCamera" = Canon Utilities MyCamera
"MyCameraDC" = Canon Utilities MyCamera DC
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PC-Doctor for Windows" = Hardware Diagnostic Tools
"PhotoStitch" = Canon Utilities PhotoStitch
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RealPlayer 12.0" = RealPlayer
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/28/2010 6:35:33 PM | Computer Name = YOUR-235B2CE4A2 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.17023, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/24/2010 10:22:38 PM | Computer Name = YOUR-235B2CE4A2 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.17023, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/27/2010 11:45:17 AM | Computer Name = YOUR-235B2CE4A2 | Source = Application Hang | ID = 1002
Description = Hanging application SpybotSD.exe, version 1.6.2.46, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/27/2010 11:45:55 AM | Computer Name = YOUR-235B2CE4A2 | Source = Application Hang | ID = 1002
Description = Hanging application SpybotSD.exe, version 1.6.2.46, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 6/1/2010 10:38:15 AM | Computer Name = YOUR-235B2CE4A2 | Source = Application Hang | ID = 1002
Description = Hanging application mbam.exe, version 1.46.0.1, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 6/1/2010 10:38:19 AM | Computer Name = YOUR-235B2CE4A2 | Source = Application Hang | ID = 1001
Description = Fault bucket 1836621447.

Error - 6/11/2010 11:28:27 AM | Computer Name = YOUR-235B2CE4A2 | Source = Application Hang | ID = 1002
Description = Hanging application SpybotSD.exe, version 1.6.2.46, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 6/11/2010 7:23:30 PM | Computer Name = YOUR-235B2CE4A2 | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.1.3726, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 8/3/2010 7:49:47 AM | Computer Name = YOUR-235B2CE4A2 | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.1.3834, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 8/3/2010 7:50:24 AM | Computer Name = YOUR-235B2CE4A2 | Source = Application Hang | ID = 1001
Description = Fault bucket 1940850254.

[ System Events ]
Error - 8/14/2010 9:44:14 PM | Computer Name = YOUR-235B2CE4A2 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 8/14/2010 9:44:14 PM | Computer Name = YOUR-235B2CE4A2 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 8/14/2010 9:44:14 PM | Computer Name = YOUR-235B2CE4A2 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 8/14/2010 9:44:14 PM | Computer Name = YOUR-235B2CE4A2 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 8/14/2010 9:44:14 PM | Computer Name = YOUR-235B2CE4A2 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 8/14/2010 9:44:15 PM | Computer Name = YOUR-235B2CE4A2 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 8/14/2010 9:44:15 PM | Computer Name = YOUR-235B2CE4A2 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 8/14/2010 9:44:15 PM | Computer Name = YOUR-235B2CE4A2 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 8/15/2010 8:18:44 AM | Computer Name = YOUR-235B2CE4A2 | Source = System Error | ID = 1003
Description = Error code 100000d1, parameter1 00000000, parameter2 0000001c, parameter3
00000001, parameter4 84eab00c.

Error - 8/15/2010 9:00:03 AM | Computer Name = YOUR-235B2CE4A2 | Source = System Error | ID = 1003
Description = Error code 100000d1, parameter1 00000000, parameter2 0000001c, parameter3
00000001, parameter4 849c4804.

< End of report >

#2
RKinner

Posted 15 August 2010 - 11:45 AM

Malware Expert

Expert
24,625 posts

Copy the text in the code box by highlighting and Ctrl + c

:OTL
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:1033
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 1033
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found

:Commands
[purity]
[emptytemp]
[Reboot]

then run OTL and Under the Custom Scans/Fixes box at the bottom, paste (ctrl +v) the text. Verify that you got it all and Then click the Run Fix button at the top
Let the program run unhindered, OTL will reboot the PC when it is done. Save the log and copy and paste it to a reply.

Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it from the website:!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html

Download and Rename this file -- (call it george.exe ) to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on george to start the program.

* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your anti-virus program at this time :!:

Go to this page and Download TDSSKiller.zip to your Desktop.
Extract its contents to your desktop and drag TDSSKiller.exe on the desktop, not in the folder.
Start >All Programs> Accessories> Command Prompt. Copy the following bolded command, then right click and Paste then hit Enter.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
If TDSSKiller alerts you that the system needs to reboot, please consent.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.
If the command does not work just doubleclick on TDSSKiller.exe

Download

http://ad13.geekstogo.com/MBRCheck.exe

Save it and run it. It will produce a log MBRCheck(date).txt on your desktop. Copy and paste it into a reply.

Are you still getting redirected?

Ron

Edited by RKinner, 15 August 2010 - 11:46 AM.

#3
celfan

Posted 15 August 2010 - 12:24 PM

Member

Topic Starter
Member
30 posts

do you have a link for combofix download?

#4
RKinner

Posted 15 August 2010 - 02:13 PM

Malware Expert

Expert
24,625 posts

There are two links for combofix in my post. Just keep reading.

#5
celfan

Posted 15 August 2010 - 02:58 PM

Member

Topic Starter
Member
30 posts

There are two links for combofix in my post. Just keep reading.

I goofed and ran combofix before OTL.

Did you see my OTL logs in the first message?

Here's combofix log. I'm not being redirected anymore. What should I do next? OTL? or finish instructions?

ComboFix 10-08-15.01 - HP_Administrator 08/15/2010 16:42:59.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.510 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\My Documents\Downloads\george.exe.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Administrator\Local Settings\Application Data\Windows Server
c:\documents and settings\HP_Administrator\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\HP_Administrator\Local Settings\Application Data\Windows Server\server.dat
c:\documents and settings\HP_Administrator\Local Settings\Application Data\Windows Server\uses32.dat

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\explorer.exe

.
((((((((((((((((((((((((( Files Created from 2010-07-15 to 2010-08-15 )))))))))))))))))))))))))))))))
.

2010-07-29 23:05 . 2010-07-29 23:06 -------- d-----w- c:\program files\Real
2010-07-29 23:05 . 2010-07-29 23:06 -------- d-----w- c:\program files\Common Files\Real
2010-07-21 12:02 . 2010-07-21 12:02 1615200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-07-21 12:02 . 2010-07-21 12:02 1373536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssff.dll
2010-07-21 12:02 . 2010-07-21 12:02 1107296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxpl.dll
2010-07-21 12:02 . 2010-07-21 12:02 921440 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgemc.exe
2010-07-21 12:02 . 2010-07-21 12:02 4368224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-15 17:23 . 2010-06-11 15:01 0 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\prvlcl.dat
2010-08-15 01:43 . 2010-06-29 13:17 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-08-14 20:38 . 2009-07-18 16:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-12 02:14 . 2009-07-06 15:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-08-11 14:54 . 2009-07-03 02:13 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\ZoomBrowser EX
2010-08-11 14:51 . 2009-07-02 23:07 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-07-29 23:06 . 2010-07-29 23:06 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-07-29 23:06 . 2010-07-29 23:06 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-07-29 23:06 . 2010-07-29 23:06 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-07-29 23:06 . 2010-07-29 23:06 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-07-29 23:06 . 2010-07-29 23:06 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-07-29 23:06 . 2010-07-29 23:06 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-07-29 23:06 . 2010-07-29 23:06 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-07-29 23:06 . 2010-07-29 23:06 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-07-29 23:06 . 2010-07-29 23:06 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-07-29 23:06 . 2010-07-29 23:06 -------- d-----w- c:\program files\Common Files\xing shared
2010-07-29 23:05 . 2009-07-02 22:36 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-07-29 23:05 . 2009-07-02 22:36 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-07-16 13:23 . 2010-07-16 13:23 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-07-16 13:23 . 2010-07-16 13:23 216200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-07-16 13:23 . 2010-06-10 16:32 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-16 13:23 . 2010-07-16 13:23 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-16 13:21 . 2010-06-10 16:31 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-16 13:20 . 2010-07-16 13:20 624920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-07-16 13:20 . 2010-07-16 13:20 1690464 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-07-16 13:20 . 2010-07-16 13:20 1038688 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-07-16 13:20 . 2010-07-16 13:20 813336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-06-30 12:31 . 2008-11-26 21:10 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:15 . 2008-11-26 21:10 832512 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:15 . 2008-11-26 21:10 78336 ------w- c:\windows\system32\ieencode.dll
2010-06-24 12:15 . 2008-11-26 21:10 17408 ------w- c:\windows\system32\corpol.dll
2010-06-23 13:44 . 2008-11-26 21:10 1851904 ------w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2008-11-26 21:10 354304 ------w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2008-11-26 21:10 80384 ------w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2008-11-26 22:23 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2008-11-26 21:10 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-10 19:46 . 2010-06-10 16:31 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-10-26 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-10-26 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-10-26 137752]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-09-24 210216]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-02-15 417792]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-16 2065760]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-07-29 202256]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-16 13:23 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 05:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-10-26 21:47 57344 ----a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
2009-10-06 22:01 827904 ----a-w- c:\program files\dvd43\DVD43_Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-10-26 21:48 17021440 ----a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 09:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-07-11 11:31 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/10/2010 12:31 PM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/10/2010 12:32 PM 243024]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [7/16/2010 9:21 AM 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/16/2010 9:23 AM 308136]
R3 HSFHWBS3;HSFHWBS3;c:\windows\system32\drivers\HSFHWBS3.sys [11/26/2008 6:34 PM 207872]
S2 gupdate1ca021b3d388aee;Google Update Service (gupdate1ca021b3d388aee);c:\program files\Google\Update\GoogleUpdate.exe [7/11/2009 7:32 AM 133104]
.
Contents of the 'Scheduled Tasks' folder

2010-08-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-08-15 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-11 11:31]

2010-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-11 11:32]

2010-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-11 11:32]

2010-08-15 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2464341608-3933873169-3681834009-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]

2010-08-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2464341608-3933873169-3681834009-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:1033
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\1ehlfnc0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2460)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2010-08-15 16:52:12 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-15 20:52

Pre-Run: 137,204,805,632 bytes free
Post-Run: 137,209,700,352 bytes free

- - End Of File - - 66E10E46A86D8EA091EF6D66FEDEA4C3

#6
RKinner

Posted 15 August 2010 - 06:21 PM

Malware Expert

Expert
24,625 posts

I know you ran OTL once but that just told me what needed to be fixed. You need to run it two more times. Once with the script I gave you to clean up some signs of infection and some deadwood and then after that finishes I want to see a new OTL log to make sure there is nothing else that we need to work on.

Combofix found several infected files but it says it replaced them with the files from the
c:\windows\ERDNT\cache which was just done so it seems strange that they would be clean copies. Run it one more time and post the log (after you do OTL) so I can make sure that it fixed the files it found.

#7
celfan

Posted 15 August 2010 - 08:46 PM

Member

Topic Starter
Member
30 posts

I know you ran OTL once but that just told me what needed to be fixed. You need to run it two more times. Once with the script I gave you to clean up some signs of infection and some deadwood and then after that finishes I want to see a new OTL log to make sure there is nothing else that we need to work on.

Combofix found several infected files but it says it replaced them with the files from the
c:\windows\ERDNT\cache which was just done so it seems strange that they would be clean copies. Run it one more time and post the log (after you do OTL) so I can make sure that it fixed the files it found.

I ran TDSSKiller after doing everything and it says it found one non-standard or infected MBR. I can't copy the report with standard copy and pace procedure.

Here is everything else

ll processes killed
========== OTL ==========
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Prefs.js: "127.0.0.1" removed from network.proxy.http
Prefs.js: 1033 removed from network.proxy.http_port
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ not found.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
AppMgmt removed from NetSvcs value successfully!
Service AppMgmt stopped successfully!
Service AppMgmt deleted successfully!
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: HP_Administrator
->Temp folder emptied: 12335 bytes
->Temporary Internet Files folder emptied: 700993 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 92692168 bytes
->Flash cache emptied: 6215 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 89.00 mb

OTL by OldTimer - Version 3.2.9.1 log created on 08152010_215833

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

OTL logfile created on: 8/15/2010 10:03:28 PM - Run 2
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\HP_Administrator\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,015.00 Mb Total Physical Memory | 549.00 Mb Available Physical Memory | 54.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 139.25 Gb Total Space | 127.85 Gb Free Space | 91.82% Space Free | Partition Type: NTFS
Drive D: | 9.78 Gb Total Space | 6.31 Gb Free Space | 64.53% Space Free | Partition Type: NTFS
Drive E: | 596.21 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-235B2CE4A2
Current User Name: HP_Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/08/15 09:08:13 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\OTL.exe
PRC - [2010/07/29 19:05:30 | 000,202,256 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2010/07/21 08:01:28 | 000,921,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe
PRC - [2010/07/16 09:23:35 | 002,065,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2010/07/16 09:23:28 | 000,620,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/07/16 09:23:28 | 000,515,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/07/16 09:23:24 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/07/16 09:21:39 | 000,723,296 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2010/07/16 09:21:37 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/01/31 14:55:42 | 000,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe

========== Modules (SafeList) ==========

MOD - [2010/08/15 09:08:13 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\OTL.exe
MOD - [2010/07/29 19:06:34 | 000,040,960 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
MOD - [2010/07/29 19:05:32 | 000,499,712 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcp71.dll
MOD - [2010/07/29 19:05:32 | 000,348,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcr71.dll
MOD - [2008/04/14 08:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx

========== Win32 Services (SafeList) ==========

SRV - [2010/07/21 08:01:28 | 000,921,952 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2010/07/16 09:23:24 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2007/01/31 14:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\pcdrndisuio.sys -- (PcdrNdisuio)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\george.exe\catchme.sys -- (catchme)
DRV - [2010/07/16 09:23:32 | 000,243,024 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/07/16 09:21:39 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2010/06/10 15:46:44 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/10/18 20:50:36 | 000,018,816 | ---- | M] (RIF) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dvd43llh.sys -- (dvd43llh)
DRV - [2008/10/26 17:48:00 | 005,854,752 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2008/10/26 17:48:00 | 004,881,920 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/09/10 00:10:00 | 000,207,872 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS3.sys -- (HSFHWBS3)
DRV - [2008/09/10 00:09:54 | 000,731,264 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2008/09/10 00:09:52 | 000,985,728 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2008/08/07 07:14:56 | 000,111,360 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2008/04/14 08:00:00 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com"
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.845
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.1.5

FF - HKLM\software\mozilla\Firefox\extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2010/07/21 08:03:45 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/07/29 19:06:34 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.11\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/29 19:06:27 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.11\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/29 19:06:51 | 000,000,000 | ---D | M]

[2009/07/02 19:38:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Extensions
[2010/08/15 19:51:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\1ehlfnc0.default\extensions
[2009/09/02 07:39:22 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\1ehlfnc0.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/08/15 19:51:11 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/08/15 16:49:24 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [UpdateP2GoShortCut] C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.71.230 68.87.73.246
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/11/26 18:25:49 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/08/15 21:58:44 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/08/15 21:58:33 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/08/15 16:41:58 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/08/15 16:41:58 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/08/15 16:41:58 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/08/15 16:41:58 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/08/15 16:41:51 | 000,000,000 | ---D | C] -- C:\george.exe
[2010/08/15 16:37:19 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/08/15 09:08:13 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\OTL.exe
[2010/08/14 20:53:35 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\TFC.exe
[2010/08/14 16:38:02 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\HP_Administrator\Recent
[2010/08/11 22:14:01 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010/07/29 19:06:12 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\xing shared
[2010/07/29 19:05:32 | 000,278,528 | ---- | C] (Real Networks, Inc) -- C:\WINDOWS\System32\pncrt.dll
[2010/07/29 19:05:30 | 000,000,000 | ---D | C] -- C:\Program Files\Real
[2010/07/29 19:05:29 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Real
[2010/07/29 19:05:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Real
[2010/07/29 19:05:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Application Data\Real
[2010/07/16 09:23:28 | 000,012,536 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2010/06/29 09:17:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2010/06/10 14:13:10 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/06/10 12:50:17 | 000,000,000 | ---D | C] -- C:\$AVG
[2010/06/10 12:32:04 | 000,243,024 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2010/06/10 12:31:53 | 000,216,400 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2010/06/10 12:31:50 | 000,029,584 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2010/06/10 12:31:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\Avg
[2010/06/10 12:26:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg9
[2010/06/09 11:28:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\uexsoers
[2010/06/01 09:28:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Application Data\vlc
[2010/06/01 09:25:21 | 000,000,000 | ---D | C] -- C:\Program Files\VideoLAN
[2010/05/27 10:21:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\FileCure

========== Files - Modified Within 90 Days ==========

[2010/08/15 22:03:24 | 000,000,308 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-2464341608-3933873169-3681834009-1006.job
[2010/08/15 22:03:24 | 000,000,300 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-2464341608-3933873169-3681834009-1006.job
[2010/08/15 22:01:56 | 000,011,091 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\My Documents\files2.docx
[2010/08/15 22:00:09 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/08/15 21:59:59 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/08/15 21:59:51 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/15 21:59:47 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/15 21:58:55 | 003,407,872 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\NTUSER.DAT
[2010/08/15 21:58:55 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\HP_Administrator\ntuser.ini
[2010/08/15 21:07:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/08/15 18:52:28 | 063,481,130 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/08/15 16:49:34 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/08/15 16:49:24 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/08/15 16:41:26 | 000,000,709 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\Shortcut to george.exe.lnk
[2010/08/15 13:23:46 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\prvlcl.dat
[2010/08/15 10:18:32 | 000,029,528 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\My Documents\files.docx
[2010/08/15 09:08:13 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\OTL.exe
[2010/08/14 21:40:28 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\gmer.zip
[2010/08/14 20:53:08 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\TFC.exe
[2010/08/14 19:05:28 | 004,297,632 | -H-- | M] () -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\IconCache.db
[2010/08/12 06:20:17 | 000,151,584 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/08/11 22:19:40 | 000,432,356 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/08/11 22:19:40 | 000,067,312 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/08/11 22:19:39 | 000,488,068 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/08/11 16:32:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/07/29 19:07:58 | 000,000,025 | ---- | M] () -- C:\WINDOWS\cdplayer.ini
[2010/07/29 19:06:35 | 000,000,935 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\RealPlayer SP.lnk
[2010/07/29 19:05:32 | 000,278,528 | ---- | M] (Real Networks, Inc) -- C:\WINDOWS\System32\pncrt.dll
[2010/07/21 14:18:35 | 000,011,722 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\My Documents\new.docx
[2010/07/16 09:23:32 | 000,243,024 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2010/07/16 09:23:28 | 000,012,536 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2010/07/16 09:21:39 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2010/06/10 15:46:44 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2010/06/10 14:13:17 | 000,000,617 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\NTREGOPT.lnk
[2010/06/10 14:13:17 | 000,000,598 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\ERUNT.lnk
[2010/06/10 12:32:11 | 000,001,513 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 9.0.lnk
[2010/06/10 12:31:50 | 000,113,461 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2010/06/07 13:22:51 | 002,024,223 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\My Documents\IMG_1380.jpg

========== Files Created - No Company Name ==========

[2010/08/15 22:01:55 | 000,011,091 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\My Documents\files2.docx
[2010/08/15 16:41:58 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/08/15 16:41:58 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/08/15 16:41:58 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/08/15 16:41:58 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/08/15 16:41:58 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/08/15 16:41:26 | 000,000,709 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\Shortcut to george.exe.lnk
[2010/08/15 09:23:34 | 000,029,528 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\My Documents\files.docx
[2010/08/14 21:40:28 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\gmer.zip
[2010/07/29 19:07:58 | 000,000,025 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2010/07/29 19:06:35 | 000,000,935 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\RealPlayer SP.lnk
[2010/07/29 19:06:35 | 000,000,308 | ---- | C] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-2464341608-3933873169-3681834009-1006.job
[2010/07/29 19:06:35 | 000,000,300 | ---- | C] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-2464341608-3933873169-3681834009-1006.job
[2010/07/21 14:12:47 | 000,011,722 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\My Documents\new.docx
[2010/06/25 13:02:33 | 005,280,309 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\My Documents\IMG_0577.JPG
[2010/06/24 09:46:14 | 002,024,223 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\My Documents\IMG_1380.jpg
[2010/06/11 11:01:45 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\prvlcl.dat
[2010/06/10 14:13:17 | 000,000,617 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\NTREGOPT.lnk
[2010/06/10 14:13:17 | 000,000,598 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\ERUNT.lnk
[2010/06/10 12:32:11 | 000,001,513 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 9.0.lnk
[2010/06/10 12:31:50 | 000,113,461 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2010/06/10 12:31:46 | 063,481,130 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/07/02 18:35:18 | 000,008,704 | ---- | C] () -- C:\WINDOWS\System32\CNMVS75.DLL
[2008/11/26 19:38:39 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/11/26 18:40:20 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2008/11/26 17:11:00 | 000,000,592 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini

========== LOP Check ==========

[2009/10/21 17:06:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\1Click DVD Copy Pro
[2010/06/10 12:27:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2009/07/02 18:35:00 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2010/05/27 10:21:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FileCure
[2010/01/27 13:49:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Musicnotes
[2008/11/26 18:49:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC-Doctor
[2008/11/26 18:58:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Temp
[2009/10/18 21:28:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\vsosdk
[2010/08/14 21:43:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip

========== Purity Check ==========

< End of report >
ComboFix 10-08-15.01 - HP_Administrator 08/15/2010 22:10:54.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.591 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\My Documents\Downloads\george.exe.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-07-16 to 2010-08-16 )))))))))))))))))))))))))))))))
.

2010-08-16 01:58 . 2010-08-16 01:58 -------- d-----w- C:\_OTL
2010-08-15 20:41 . 2010-08-15 20:52 -------- d-----w- C:\george.exe
2010-07-29 23:05 . 2010-07-29 23:06 -------- d-----w- c:\program files\Real
2010-07-29 23:05 . 2010-07-29 23:06 -------- d-----w- c:\program files\Common Files\Real
2010-07-21 12:02 . 2010-07-21 12:02 1615200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-07-21 12:02 . 2010-07-21 12:02 1373536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssff.dll
2010-07-21 12:02 . 2010-07-21 12:02 1107296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxpl.dll
2010-07-21 12:02 . 2010-07-21 12:02 921440 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgemc.exe
2010-07-21 12:02 . 2010-07-21 12:02 4368224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-15 17:23 . 2010-06-11 15:01 0 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\prvlcl.dat
2010-08-15 01:43 . 2010-06-29 13:17 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-08-14 20:38 . 2009-07-18 16:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-12 02:14 . 2009-07-06 15:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-08-11 14:54 . 2009-07-03 02:13 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\ZoomBrowser EX
2010-08-11 14:51 . 2009-07-02 23:07 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-07-29 23:06 . 2010-07-29 23:06 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-07-29 23:06 . 2010-07-29 23:06 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-07-29 23:06 . 2010-07-29 23:06 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-07-29 23:06 . 2010-07-29 23:06 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-07-29 23:06 . 2010-07-29 23:06 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-07-29 23:06 . 2010-07-29 23:06 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-07-29 23:06 . 2010-07-29 23:06 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-07-29 23:06 . 2010-07-29 23:06 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-07-29 23:06 . 2010-07-29 23:06 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-07-29 23:06 . 2010-07-29 23:06 -------- d-----w- c:\program files\Common Files\xing shared
2010-07-29 23:05 . 2009-07-02 22:36 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-07-29 23:05 . 2009-07-02 22:36 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-07-16 13:23 . 2010-06-10 16:32 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-16 13:23 . 2010-07-16 13:23 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-16 13:21 . 2010-06-10 16:31 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-30 12:31 . 2008-11-26 21:10 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:15 . 2008-11-26 21:10 832512 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:15 . 2008-11-26 21:10 78336 ------w- c:\windows\system32\ieencode.dll
2010-06-24 12:15 . 2008-11-26 21:10 17408 ------w- c:\windows\system32\corpol.dll
2010-06-23 13:44 . 2008-11-26 21:10 1851904 ------w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2008-11-26 21:10 354304 ------w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2008-11-26 21:10 80384 ------w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2008-11-26 22:23 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2008-11-26 21:10 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-10 19:46 . 2010-06-10 16:31 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-08-15_20.49.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-16 02:00 . 2010-08-16 02:00 16384 c:\windows\Temp\Perflib_Perfdata_74.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-10-26 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-10-26 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-10-26 137752]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-09-24 210216]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-02-15 417792]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-16 2065760]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-07-29 202256]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-16 13:23 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 05:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-10-26 21:47 57344 ----a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
2009-10-06 22:01 827904 ----a-w- c:\program files\dvd43\DVD43_Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-10-26 21:48 17021440 ----a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 09:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-07-11 11:31 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/10/2010 12:31 PM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/10/2010 12:32 PM 243024]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [7/16/2010 9:21 AM 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/16/2010 9:23 AM 308136]
R3 HSFHWBS3;HSFHWBS3;c:\windows\system32\drivers\HSFHWBS3.sys [11/26/2008 6:34 PM 207872]
S2 gupdate1ca021b3d388aee;Google Update Service (gupdate1ca021b3d388aee);c:\program files\Google\Update\GoogleUpdate.exe [7/11/2009 7:32 AM 133104]
.
Contents of the 'Scheduled Tasks' folder

2010-08-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-08-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-11 11:31]

2010-08-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-11 11:32]

2010-08-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-11 11:32]

2010-08-16 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2464341608-3933873169-3681834009-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]

2010-08-16 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2464341608-3933873169-3681834009-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\1ehlfnc0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-15 22:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1576)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-08-15 22:17:16
ComboFix-quarantined-files.txt 2010-08-16 02:17
ComboFix2.txt 2010-08-15 20:52

Pre-Run: 137,257,955,328 bytes free
Post-Run: 137,252,175,872 bytes free

- - End Of File - - 75EF19D8B72C46A11C3A685288B7E808

2010/08/15 22:33:45.0703 TDSS rootkit removing tool 2.4.1.1 Aug 10 2010 14:48:09
2010/08/15 22:33:45.0703 ================================================================================
2010/08/15 22:33:45.0703 SystemInfo:
2010/08/15 22:33:45.0703
2010/08/15 22:33:45.0703 OS Version: 5.1.2600 ServicePack: 3.0
2010/08/15 22:33:45.0703 Product type: Workstation
2010/08/15 22:33:45.0703 ComputerName: YOUR-235B2CE4A2
2010/08/15 22:33:45.0703 UserName: HP_Administrator
2010/08/15 22:33:45.0703 Windows directory: C:\WINDOWS
2010/08/15 22:33:45.0703 System windows directory: C:\WINDOWS
2010/08/15 22:33:45.0703 Processor architecture: Intel x86
2010/08/15 22:33:45.0703 Number of processors: 2
2010/08/15 22:33:45.0703 Page size: 0x1000
2010/08/15 22:33:45.0703 Boot type: Normal boot
2010/08/15 22:33:45.0703 ================================================================================
2010/08/15 22:33:46.0031 Initialize success
2010/08/15 22:33:58.0906 ================================================================================
2010/08/15 22:33:58.0906 Scan started
2010/08/15 22:33:58.0906 Mode: Manual;
2010/08/15 22:33:58.0906 ================================================================================
2010/08/15 22:33:59.0343 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/08/15 22:33:59.0406 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/08/15 22:33:59.0484 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/08/15 22:33:59.0578 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/08/15 22:34:00.0171 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/08/15 22:34:00.0234 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/08/15 22:34:00.0296 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/08/15 22:34:00.0390 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/08/15 22:34:00.0500 AvgLdx86 (b8c187439d27aba430dd69fdcf1fa657) C:\WINDOWS\system32\Drivers\avgldx86.sys
2010/08/15 22:34:00.0593 AvgMfx86 (53b3f979930a786a614d29cafe99f645) C:\WINDOWS\system32\Drivers\avgmfx86.sys
2010/08/15 22:34:00.0656 AvgTdiX (22e3b793c3e61720f03d3a22351af410) C:\WINDOWS\system32\Drivers\avgtdix.sys
2010/08/15 22:34:00.0734 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/08/15 22:34:00.0937 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/08/15 22:34:01.0015 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/08/15 22:34:01.0078 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/08/15 22:34:01.0140 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/08/15 22:34:01.0437 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/08/15 22:34:01.0531 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/08/15 22:34:01.0640 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/08/15 22:34:01.0703 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/08/15 22:34:01.0781 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/08/15 22:34:01.0890 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/08/15 22:34:01.0984 dvd43llh (1fc1eed3ea0c3a0ecf8a95b97e1b4831) C:\WINDOWS\system32\DRIVERS\dvd43llh.sys
2010/08/15 22:34:02.0078 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/08/15 22:34:02.0140 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2010/08/15 22:34:02.0171 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/08/15 22:34:02.0218 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/08/15 22:34:02.0265 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2010/08/15 22:34:02.0281 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/08/15 22:34:02.0359 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/08/15 22:34:02.0437 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/08/15 22:34:02.0546 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/08/15 22:34:02.0640 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/08/15 22:34:02.0718 HSFHWBS3 (31b76d75190ce3eec3a357028cd60b6f) C:\WINDOWS\system32\DRIVERS\HSFHWBS3.sys
2010/08/15 22:34:02.0781 HSF_DP (a784c4e750b6a6d9bf77062105103c38) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
2010/08/15 22:34:02.0875 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/08/15 22:34:02.0984 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/08/15 22:34:03.0203 ialm (48846b31be5a4fa662ccfde7a1ba86b9) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2010/08/15 22:34:03.0390 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/08/15 22:34:03.0609 IntcAzAudAddService (bd4d6e6f708aa8503653e2be9d53459b) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2010/08/15 22:34:03.0843 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/08/15 22:34:03.0890 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2010/08/15 22:34:03.0953 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/08/15 22:34:04.0000 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/08/15 22:34:04.0062 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/08/15 22:34:04.0109 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/08/15 22:34:04.0156 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/08/15 22:34:04.0218 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/08/15 22:34:04.0250 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/08/15 22:34:04.0296 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/08/15 22:34:04.0359 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/08/15 22:34:04.0406 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/08/15 22:34:04.0500 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2010/08/15 22:34:04.0546 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/08/15 22:34:04.0609 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/08/15 22:34:04.0625 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/08/15 22:34:04.0671 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/08/15 22:34:04.0734 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/08/15 22:34:04.0859 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/08/15 22:34:04.0906 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/08/15 22:34:04.0953 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/08/15 22:34:04.0984 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/08/15 22:34:05.0015 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/08/15 22:34:05.0078 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/08/15 22:34:05.0171 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/08/15 22:34:05.0265 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/08/15 22:34:05.0312 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/08/15 22:34:05.0359 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/08/15 22:34:05.0390 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/08/15 22:34:05.0437 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/08/15 22:34:05.0484 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/08/15 22:34:05.0546 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/08/15 22:34:05.0640 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/08/15 22:34:05.0687 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/08/15 22:34:05.0781 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/08/15 22:34:05.0843 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/08/15 22:34:05.0859 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/08/15 22:34:05.0921 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2010/08/15 22:34:05.0968 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/08/15 22:34:06.0015 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/08/15 22:34:06.0078 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/08/15 22:34:06.0156 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/08/15 22:34:06.0218 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/08/15 22:34:06.0265 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
2010/08/15 22:34:06.0640 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/08/15 22:34:06.0671 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/08/15 22:34:06.0718 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/08/15 22:34:07.0015 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/08/15 22:34:07.0062 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/08/15 22:34:07.0109 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/08/15 22:34:07.0125 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/08/15 22:34:07.0171 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/08/15 22:34:07.0234 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/08/15 22:34:07.0296 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/08/15 22:34:07.0343 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/08/15 22:34:07.0421 RTLE8023xp (f0a21c62b9b835e1c96268eaae31d239) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
2010/08/15 22:34:07.0515 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/08/15 22:34:07.0578 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2010/08/15 22:34:07.0656 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/08/15 22:34:07.0796 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/08/15 22:34:07.0843 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/08/15 22:34:07.0906 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/08/15 22:34:08.0000 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/08/15 22:34:08.0046 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/08/15 22:34:08.0203 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/08/15 22:34:08.0281 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/08/15 22:34:08.0328 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/08/15 22:34:08.0359 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/08/15 22:34:08.0406 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/08/15 22:34:08.0781 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/08/15 22:34:08.0890 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/08/15 22:34:09.0000 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/08/15 22:34:09.0046 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/08/15 22:34:09.0109 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/08/15 22:34:09.0187 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/08/15 22:34:09.0250 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/08/15 22:34:09.0312 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/08/15 22:34:09.0375 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/08/15 22:34:09.0500 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/08/15 22:34:09.0593 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/08/15 22:34:09.0734 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/08/15 22:34:09.0812 winachsf (b49d4b52d446f8cdd8b7767c28024b11) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2010/08/15 22:34:10.0000 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/08/15 22:34:10.0046 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/08/15 22:34:10.0093 ================================================================================
2010/08/15 22:34:10.0093 Scan finished
2010/08/15 22:34:10.0093 ================================================================================

#8
RKinner

Posted 15 August 2010 - 10:18 PM

Malware Expert

Expert
24,625 posts

Your logs look clean.

MBRCheck should leave a text file on your desktop that you can copy and paste tho I think you can right click in MBRCheck's window or on the top of the window and Select All then right click and Copy or hit Enter or Ctrl +c. Haven't used it in a while.

What PC do you have? Make and model? Some PC makers use a non-standard MBR which makes it hard to be sure it hasn't been tampered with.

Are you still getting redirected?

#9
celfan

Posted 16 August 2010 - 05:14 AM

Member

Topic Starter
Member
30 posts

I have a Compaq CQ2009F

I'm not getting redirected

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000003c

Kernel Drivers (total 122):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xF7A88000 \WINDOWS\system32\KDCOM.DLL
0xF7998000 \WINDOWS\system32\BOOTVID.dll
0xF7459000 ACPI.sys
0xF7A8A000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7448000 pci.sys
0xF7588000 isapnp.sys
0xF7B50000 pciide.sys
0xF7808000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7598000 MountMgr.sys
0xF7429000 ftdisk.sys
0xF7810000 PartMgr.sys
0xF75A8000 VolSnap.sys
0xF7411000 atapi.sys
0xF75B8000 disk.sys
0xF75C8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF73F1000 fltMgr.sys
0xF73DF000 sr.sys
0xF73C8000 KSecDD.sys
0xF733B000 Ntfs.sys
0xF730E000 NDIS.sys
0xF72F4000 Mup.sys
0xF7658000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF6D16000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xF6D02000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF6CDA000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF6CA7000 \SystemRoot\system32\DRIVERS\HSFHWBS3.sys
0xF6C84000 \SystemRoot\system32\DRIVERS\ks.sys
0xF6B93000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
0xF6AE0000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF7878000 \SystemRoot\System32\Drivers\Modem.SYS
0xF6AC4000 \SystemRoot\system32\DRIVERS\Rtenicxp.sys
0xF7880000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF6AA0000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7888000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7668000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7890000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7678000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF78A0000 \SystemRoot\System32\DRIVERS\dvd43llh.sys
0xF7688000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7698000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF7B66000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF76A8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7A28000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF6A89000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF76B8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF76C8000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF78A8000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF6A78000 \SystemRoot\system32\DRIVERS\psched.sys
0xF76D8000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF78B0000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF78B8000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF76E8000 \SystemRoot\System32\Drivers\pcouffin.sys
0xF76F8000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF78C0000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7A8E000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF6A1A000 \SystemRoot\system32\DRIVERS\update.sys
0xF7A38000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7708000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7728000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7A90000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xAA24E000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xAA22A000 \SystemRoot\system32\drivers\portcls.sys
0xF7738000 \SystemRoot\system32\drivers\drmk.sys
0xF7A9A000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7CA2000 \SystemRoot\System32\Drivers\Null.SYS
0xF7A9C000 \SystemRoot\System32\Drivers\Beep.SYS
0xF78F0000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF7900000 \SystemRoot\System32\drivers\vga.sys
0xF7AA0000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7AA2000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7908000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7910000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF72B4000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xAA1CF000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xAA176000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xAA114000 \SystemRoot\System32\Drivers\avgtdix.sys
0xAA0EE000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF7768000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF7918000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xAA0C6000 \SystemRoot\system32\DRIVERS\netbt.sys
0xAA0A4000 \SystemRoot\System32\drivers\afd.sys
0xF7778000 \SystemRoot\system32\DRIVERS\netbios.sys
0xAA079000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xAA009000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF7788000 \SystemRoot\System32\Drivers\Fips.SYS
0xF7930000 \SystemRoot\System32\Drivers\avgmfx86.sys
0xA9FD5000 \SystemRoot\System32\Drivers\avgldx86.sys
0xF7948000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF69CE000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF77A8000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF69C6000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xF77E8000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA9F95000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7AB6000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF7A80000 \SystemRoot\System32\drivers\Dxapi.sys
0xF7960000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7C1C000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF04F000 \SystemRoot\System32\igxpdv32.DLL
0xBF1E7000 \SystemRoot\System32\igxpdx32.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA9EA1000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA9C20000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA9B1B000 \SystemRoot\system32\drivers\wdmaud.sys
0xAA770000 \SystemRoot\system32\drivers\sysaudio.sys
0xA990D000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA9752000 \SystemRoot\system32\DRIVERS\srv.sys
0xF7820000 \SystemRoot\System32\Drivers\TDTCP.SYS
0xA922F000 \SystemRoot\System32\Drivers\RDPWD.SYS
0xA90FE000 \SystemRoot\System32\Drivers\HTTP.sys
0xA9022000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0xF7B0C000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
0xF78D8000 \??\C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\catchme.sys
0xF7850000 \??\C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\mbr.sys
0xA8E75000 \SystemRoot\system32\drivers\kmixer.sys
0xA92EA000 \SystemRoot\system32\drivers\klmd.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 40):
0 System Idle Process
4 System
604 C:\WINDOWS\system32\smss.exe
652 csrss.exe
676 C:\WINDOWS\system32\winlogon.exe
720 C:\WINDOWS\system32\services.exe
732 C:\WINDOWS\system32\lsass.exe
900 C:\WINDOWS\system32\svchost.exe
968 svchost.exe
1064 C:\WINDOWS\system32\svchost.exe
1188 svchost.exe
1260 svchost.exe
1360 C:\Program Files\AVG\AVG9\avgchsvx.exe
1368 C:\Program Files\AVG\AVG9\avgrsx.exe
1444 C:\WINDOWS\system32\spoolsv.exe
1520 svchost.exe
1680 C:\Program Files\AVG\AVG9\avgwdsvc.exe
1696 C:\Program Files\AVG\AVG9\avgcsrvx.exe
116 C:\Program Files\Java\jre6\bin\jqs.exe
216 C:\WINDOWS\system32\svchost.exe
1256 C:\Program Files\AVG\AVG9\avgemc.exe
1620 C:\Program Files\AVG\AVG9\avgnsx.exe
2088 C:\Program Files\Canon\CAL\CALMAIN.exe
2464 C:\WINDOWS\system32\igfxsrvc.exe
2492 C:\WINDOWS\system32\hkcmd.exe
2532 C:\WINDOWS\system32\igfxpers.exe
2592 C:\Program Files\Hp\HP Software Update\hpwuschd2.exe
2608 C:\Program Files\Java\jre6\bin\jusched.exe
2652 C:\Program Files\AVG\AVG9\avgcsrvx.exe
2660 C:\PROGRA~1\AVG\AVG9\avgtray.exe
2728 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
3160 alg.exe
932 C:\Program Files\Java\jre6\bin\jucheck.exe
3224 C:\WINDOWS\system32\ctfmon.exe
1576 C:\WINDOWS\explorer.exe
3548 C:\Program Files\Mozilla Firefox\firefox.exe
3724 C:\Documents and Settings\HP_Administrator\My Documents\Downloads\tdsskiller\TDSSKiller.exe
4084 C:\WINDOWS\system32\notepad.exe
4032 C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
2616 C:\Documents and Settings\HP_Administrator\My Documents\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000022`d0868600 (NTFS)

PhysicalDrive0 Model Number: ST3160812AS, Rev: 3.AHL

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 7FB19490A593990E7A4CA58AFF15AC04EFCADFCB

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:

#10
RKinner

Posted 16 August 2010 - 09:32 AM

Malware Expert

Expert
24,625 posts

Compaq & HP use a special MBR so I expect since the redirect is gone that it's OK.

Unless there are other problems I think we are done here. Just some housekeeping to take care of.

We need to clean up System Restore. Follow Jim's procedure here:
http://forum.aumha.o...581099691bf108f

You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\george.exe.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

To hide hidden files again:

XP

# Close all programs so that you are at your desktop.
# Double-click on the My Computer icon.
# Select the Tools menu and click Folder Options.
# After the new window appears select the View tab.
# Uncheck the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and shutdown My Computer.

You do not have the latest Java (Java™ 6 Update 21). Get the latest at:

http://javadl.sun.co...?BundleId=41723

Save it to your PC then close all browsers and install it.

Once you install it, go into Control Panel, Add/Remove Software and remove any old versions (which may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE)
I see:
Java™ 6 Update 17 which may be new enough that it will be removed automatically.

Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat. Flash Player recently came out with a new version which fixes an exploit hole. See http://aumha.net/vie...&st=0&sk=t&sd=a
(There are different versions for IE and Firefox/Chrome so if you use anything but IE -and you should! - then you will need both downloads.)
Adobe is fond of foisting GetPlus on you. You can let them install it and then afterwards, go into Control Panel, Add/Remove Software and remove it. It probably doesn't hurt to leave it but I don't see the need for it and it has caused problems in the past.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

I recommend you install the free WinPatrol 18.1 from http://www.winpatrol.com/download.html

It's a small program that will sit in your systray and warn you if something tries to make changes to your system.

If you use USB devices you might want to install Autorun Eater v2.5.
http://oldmcdonald.w...orun-eater-v25/
Another small program which will stay resident and prevent an infected USB device from infecting your PC.

If you use Firefox then get the AdBlock Plus Add-on. WOT (Web of Trust) and No Script are two others you might want to try.

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox. It seems to work best if you reboot right after running it. You can run it any time that Firefox seems slow.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certain be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.

If you install the MVP Hosts file:
http://www.mvps.org/...p2002/hosts.htm
it will keep you from going to most bad sites. You do not need Spybot's Immunize which does the same thing.

If you have a router, log on to it today and change the default password! We are seeing a lot of infected routers.

Ron

Edited by RKinner, 16 August 2010 - 09:33 AM.