Security Sphere 2012


This topic is locked

#16 purplelavender (Topic Starter, Member, 20 posts)
I tried to run the Fix but the machine basically hung and was unresponsive. I left it for about 2 hours and nothing, so I rebooted and ran the OTL scan with nothing in the bottom portion, as I was not sure if you wanted something specific as you did not say. I tried to download ComboFix but Link 1 did not work and Link 2 was in Spanish?

I cannot post the log here as it keeps booting me out so again will attach.

Thanks
#17 purplelavender (Topic Starter, Member, 20 posts)
log attached - only one this time

OTL logfile created on: 14/10/2011 5:25:53 PM - Run 2
OTL by OldTimer - Version 3.2.29.1 Folder = C:\Documents and Settings\User\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

502.80 Mb Total Physical Memory | 70.57 Mb Available Physical Memory | 14.03% Memory free
1.20 Gb Paging File | 0.65 Gb Available in Paging File | 54.30% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 2.15 Gb Free Space | 5.77% Space Free | Partition Type: NTFS

Computer Name: ACS03976 | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/10/14 07:07:41 | 000,582,656 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\My Documents\Downloads\OTL.exe
PRC - [2011/10/09 22:02:36 | 000,246,600 | ---- | M] () -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe
PRC - [2011/10/09 22:02:33 | 000,218,440 | ---- | M] () -- C:\Program Files\AVG Secure Search\vprot.exe
PRC - [2011/09/23 06:31:50 | 002,404,704 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgtray.exe
PRC - [2011/09/21 19:53:12 | 000,973,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgemcx.exe
PRC - [2011/09/13 06:32:40 | 001,227,616 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgnsx.exe
PRC - [2011/09/08 20:53:26 | 000,743,264 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgrsx.exe
PRC - [2011/08/31 17:00:48 | 000,449,608 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2011/08/31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2011/08/15 06:21:40 | 000,337,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgcsrvx.exe
PRC - [2011/08/02 06:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe
PRC - [2011/06/21 17:10:24 | 000,366,024 | ---- | M] (IncrediMail, Ltd.) -- C:\Program Files\IncrediMail\bin\IncMail.exe
PRC - [2011/06/21 17:10:21 | 000,263,624 | ---- | M] (IncrediMail, Ltd.) -- C:\Program Files\IncrediMail\bin\ImApp.exe
PRC - [2011/04/22 06:21:10 | 000,247,728 | ---- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
PRC - [2011/04/22 06:21:10 | 000,092,592 | ---- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
PRC - [2011/02/19 08:55:18 | 000,826,368 | ---- | M] (ActMask Co.,Ltd - http://www.all2pdf.com) -- C:\WINDOWS\system32\PrintDisp.exe
PRC - [2010/03/23 14:02:38 | 000,045,056 | ---- | M] () -- C:\Program Files\DOS2USB\elsvc.exe
PRC - [2009/10/28 19:59:48 | 000,065,536 | ---- | M] (ActMask Co.,Ltd - HTTP://WWW.ALL2PDF.COM) -- C:\WINDOWS\system32\PrintCtrl.exe
PRC - [2009/03/23 20:00:00 | 001,983,816 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
PRC - [2008/04/14 06:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2003/01/10 13:07:32 | 000,102,400 | ---- | M] (Intel Corp.) -- C:\Program Files\Intel\Intel® Active Monitor\imonNT.exe
PRC - [2002/09/12 11:13:18 | 001,101,824 | ---- | M] (Copyright © ahead software gmbh and its licensors) -- C:\Program Files\Ahead\InCD\InCD.exe
PRC - [2002/07/15 17:36:54 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
PRC - [2002/06/26 18:36:58 | 000,090,112 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
PRC - [1997/09/12 00:00:00 | 000,051,984 | ---- | M] () -- C:\Program Files\Microsoft Office\Office\OSA.EXE


========== Modules (No Company Name) ==========

MOD - [2011/10/09 22:02:36 | 000,246,600 | ---- | M] () -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe
MOD - [2011/10/09 22:02:33 | 000,218,440 | ---- | M] () -- C:\Program Files\AVG Secure Search\vprot.exe
MOD - [2011/06/21 17:10:31 | 000,071,112 | ---- | M] () -- C:\Program Files\IncrediMail\bin\wlessfp1.dll
MOD - [2011/06/21 17:10:27 | 000,267,720 | ---- | M] () -- C:\Program Files\IncrediMail\bin\ImLookExU.dll
MOD - [2011/06/21 17:10:25 | 000,132,552 | ---- | M] () -- C:\Program Files\IncrediMail\bin\ImComUtlU.dll
MOD - [2011/06/21 17:10:25 | 000,079,304 | ---- | M] () -- C:\Program Files\IncrediMail\bin\ImAppRU.dll
MOD - [2010/12/29 04:40:24 | 000,107,896 | ---- | M] () -- C:\Program Files\IncrediMail\bin\PMC.dll
MOD - [2010/03/23 14:02:38 | 000,045,056 | ---- | M] () -- C:\Program Files\DOS2USB\elsvc.exe
MOD - [2009/09/04 23:15:06 | 000,067,872 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2002/09/13 09:08:28 | 000,458,752 | ---- | M] () -- C:\Program Files\Ahead\InCD\Res.dll
MOD - [1997/09/12 00:00:00 | 003,782,416 | ---- | M] () -- C:\Program Files\Microsoft Office\Office\MSO97.DLL
MOD - [1997/09/12 00:00:00 | 000,051,984 | ---- | M] () -- C:\Program Files\Microsoft Office\Office\OSA.EXE


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/10/09 22:02:36 | 000,246,600 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe -- (vToolbarUpdater)
SRV - [2011/09/12 06:23:46 | 005,265,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2011/08/31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/08/02 06:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe -- (avgwd)
SRV - [2011/04/22 06:21:10 | 000,092,592 | ---- | M] (TomTom) [Auto | Running] -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)
SRV - [2010/03/23 14:02:38 | 000,045,056 | ---- | M] () [Auto | Running] -- C:\Program Files\DOS2USB\elsvc.exe -- (elAPIsvc)
SRV - [2009/10/28 19:59:48 | 000,065,536 | ---- | M] (ActMask Co.,Ltd - HTTP://WWW.ALL2PDF.COM) [Auto | Running] -- C:\WINDOWS\system32\PrintCtrl.exe -- (Printer Control)
SRV - [2009/05/01 15:35:54 | 000,181,544 | ---- | M] (Seagate Technology LLC) [Auto | Stopped] -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe -- (FreeAgentGoNext Service)
SRV - [2003/01/10 13:07:32 | 000,102,400 | ---- | M] (Intel Corp.) [Auto | Running] -- C:\Program Files\Intel\Intel® Active Monitor\imonNT.exe -- (imonNT) Intel®
SRV - [2002/07/15 17:36:54 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Driver Services (SafeList) ==========

DRV - [2011/09/25 19:00:08 | 000,161,936 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys -- (RapportPG)
DRV - [2011/09/25 19:00:08 | 000,070,416 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys -- (RapportEI)
DRV - [2011/09/25 19:00:08 | 000,056,336 | ---- | M] (Trusteer Ltd.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\RapportKELL.sys -- (RapportKELL)
DRV - [2011/09/13 06:30:10 | 000,032,592 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\avgrkx86.sys -- (Avgrkx86)
DRV - [2011/08/31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/08/08 06:08:58 | 000,040,016 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2011/08/07 08:09:13 | 000,216,912 | ---- | M] () [Kernel | System | Running] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\29574\RapportCerberus32_29574.sys -- (RapportCerberus_29574)
DRV - [2011/07/11 01:14:38 | 000,295,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2011/07/11 01:14:30 | 000,016,720 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
DRV - [2011/07/11 01:14:28 | 000,024,272 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
DRV - [2011/07/11 01:14:28 | 000,023,120 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys -- (AVGIDSEH)
DRV - [2011/07/11 01:14:26 | 000,134,608 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
DRV - [2011/07/11 01:13:46 | 000,229,840 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2009/04/30 22:56:32 | 000,495,768 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LV561AV.SYS -- (PID_0928) Logitech QuickCam Express(PID_0928)
DRV - [2004/08/03 23:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2003/01/10 13:05:10 | 000,007,424 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\SIODRV.SYS -- (SIODRV)
DRV - [2003/01/10 13:04:46 | 000,016,480 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\iSMBIOS.SYS -- (iSMBIOS)
DRV - [2002/10/23 10:05:06 | 000,021,963 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smb.sys -- (smbusp) Intel®
DRV - [2002/09/13 06:35:44 | 000,448,640 | ---- | M] (ahead software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\bsudf.sys -- (BsUDF)
DRV - [2002/06/05 17:07:00 | 000,009,344 | ---- | M] (B.H.A Co.,Ltd.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\bsstor.sys -- (BsStor)
DRV - [2001/08/17 07:28:12 | 000,488,383 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_V124.sys -- (V124)
DRV - [2001/08/17 07:28:12 | 000,050,751 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_TONE.sys -- (Tones)
DRV - [2001/08/17 07:28:10 | 000,542,879 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_MSFT.sys -- (hsf_msft)
DRV - [2001/08/17 07:28:10 | 000,057,471 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_SAMP.sys -- (Rksample)
DRV - [2001/08/17 07:28:08 | 000,391,199 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_K56K.sys -- (K56)
DRV - [2001/08/17 07:28:06 | 000,289,887 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_FALL.sys -- (Fallback)
DRV - [2001/08/17 07:28:06 | 000,199,711 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_FAXX.sys -- (SoftFax)
DRV - [2001/08/17 07:28:06 | 000,115,807 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_FSKS.sys -- (Fsks)
DRV - [2001/08/17 07:28:04 | 000,067,167 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_BSC2.sys -- (basic2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-507921405-1383384898-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
IE - HKU\S-1-5-21-507921405-1383384898-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.facebook.....com/login.php"
FF - prefs.js..keyword.URL: "http://isearch.avg.c...2:40&sap=ku&q="

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/EPPEX: C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\ZEON/PDF,version=2.0: C:\Program Files\Nuance\PDF Reader\bin\nppdf.dll (Zeon Corporation)
FF - HKCU\Software\MozillaPlugins\@docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2011/10/09 22:02:56 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/10/02 16:53:20 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/10/07 13:05:14 | 000,000,000 | ---D | M]

[2010/12/18 15:57:04 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions
[2010/12/18 15:57:04 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions\[email protected]
[2011/10/09 22:02:51 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\aeyfzste.default\extensions
[2011/09/19 12:09:43 | 000,000,000 | ---D | M] (LinkedIn Companion for Firefox) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\aeyfzste.default\extensions\{e2337727-f9c9-411b-929e-287584341d1a}
[2011/10/09 22:02:51 | 000,000,000 | ---D | M] (AVG Security Toolbar) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\aeyfzste.default\extensions\[email protected]
[2011/10/12 15:30:25 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/10/12 15:30:43 | 000,000,000 | ---D | M] (Click to call with Skype) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2011/10/09 22:02:56 | 000,000,000 | ---D | M] (AVG Safe Search) -- C:\PROGRAM FILES\AVG\AVG2012\FIREFOX4
[2009/12/12 12:59:01 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2011/10/02 16:53:19 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/10/02 16:53:12 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

========== Chrome ==========

CHR - default_search_provider: MyStart Search (Enabled)
CHR - default_search_provider: search_url = http://mystart.incre...box_im2_test_v2
CHR - default_search_provider: suggest_url =
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\8.0.552.224\pdf.dll
CHR - plugin: Google Gears 0.5.33.0 (Enabled) = C:\Program Files\Google\Chrome\Application\8.0.552.224\gears.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\8.0.552.224\gcswf32.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: CANON iMAGE GATEWAY Album Plugin Utility (Enabled) = C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.0.51204.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin

Hosts file not found
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (IEToolbarBHO Class) - {1A1DAC8C-074D-440F-8707-7009A672D7D1} - C:\Program Files\LinkedIn\IE Toolbar\3.2.5.1001\LinkedInIEToolbar.dll (LinkedIn)
O2 - BHO: (Canon Easy-WebPrint EX BHO) - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll (CANON INC.)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\8.0.0.34\AVG Secure Search_toolbar.dll ()
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O3 - HKLM\..\Toolbar: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\8.0.0.34\AVG Secure Search_toolbar.dll ()
O3 - HKLM\..\Toolbar: (LinkedIn Toolbar) - {BB670D0B-5C46-40C7-B38B-40DD26987723} - C:\Program Files\LinkedIn\IE Toolbar\3.2.5.1001\LinkedInIEToolbar.dll (LinkedIn)
O3 - HKU\S-1-5-21-507921405-1383384898-725345543-1004\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-507921405-1383384898-725345543-1004\..\Toolbar\WebBrowser: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O3 - HKU\S-1-5-21-507921405-1383384898-725345543-1004\..\Toolbar\WebBrowser: (LinkedIn Toolbar) - {BB670D0B-5C46-40C7-B38B-40DD26987723} - C:\Program Files\LinkedIn\IE Toolbar\3.2.5.1001\LinkedInIEToolbar.dll (LinkedIn)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe ()
O4 - HKLM..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe (Copyright © ahead software gmbh and its licensors)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [Nuance PDF Reader-reminder] C:\Program Files\Nuance\PDF Reader\Ereg\Ereg.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [PrintDisp] C:\WINDOWS\system32\PrintDisp.exe (ActMask Co.,Ltd - http://www.all2pdf.com)
O4 - HKLM..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [vProt] C:\Program Files\AVG Secure Search\vprot.exe ()
O4 - HKU\S-1-5-21-507921405-1383384898-725345543-1004..\Run: [ccleaner] C:\Program Files\CCleaner\CCleaner.exe (Piriform Ltd)
O4 - HKU\S-1-5-21-507921405-1383384898-725345543-1004..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe (IncrediMail, Ltd.)
O4 - HKU\S-1-5-21-507921405-1383384898-725345543-1004..\Run: [ISUSPM] C:\Documents and Settings\All Users.WINDOWS\Application Data\FLEXnet\Connect\11\ISUSPM.exe (Acresso Corporation)
O4 - HKU\S-1-5-21-507921405-1383384898-725345543-1004..\Run: [TomTomHOME.exe] C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe (TomTom)
O4 - HKU\.DEFAULT..\RunOnce: [KeApplet] C:\WINDOWS\TEMP\ke64vrxlka.exe File not found
O4 - HKU\S-1-5-18..\RunOnce: [KeApplet] C:\WINDOWS\TEMP\ke64vrxlka.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe (Logitech Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE ()
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-507921405-1383384898-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html File not found
O8 - Extra context menu item: Linked&In Search - C:\Program Files\LinkedIn\IE Toolbar\3.2.5.1001\LinkedInIEToolbar.dll (LinkedIn)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\NPJPI150_06.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O15 - HKU\S-1-5-21-507921405-1383384898-725345543-1004\..Trusted Domains: tenroxhosting.com ([dgegroup] https in Trusted sites)
O16 - DPF: {0D221D00-A6ED-477C-8A91-41F3B660A832} https://dgegroup.ten...OpType=PrintCab (RSClientPrint 2005 Class)
O16 - DPF: {0FACC666-E038-43FF-B1A5-064FFB536934} https://dgegroup.ten...load/Upload.CAB (Upload.clsUpload)
O16 - DPF: {19F50ACB-5C69-4661-9697-BD100AE8DF08} https://dgegroup.ten...ckBooksLive.CAB (TQuickBooksLive.TQuickBooks)
O16 - DPF: {3E059DAB-6894-435C-B758-2977F014D734} https://dgegroup.ten...TClientProc.CAB (TClientProc.ClientSettings)
O16 - DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} http://quickscan.bit...m/qsax/qsax.cab (BitDefender QuickScan Control)
O16 - DPF: {5554DCB0-700B-498D-9B58-4E40E5814405} https://dgegroup.ten...intCab&Arch=X86 (RSClientPrint 2008 Class)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitd...can8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1259950594571 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1259950666758 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {9CF0560E-8FDC-45DB-8FBB-E7C9AE50BCE9} https://dgegroup.ten...orkflowMapX.cab (TWorkflowMapX.WorkflowMapX)
O16 - DPF: {A37AAD86-1B27-4B98-80CF-DAC66FB22F33} https://dgegroup.ten.../OWCPrinter.cab (OWC Helper Excel Print Object)
O16 - DPF: {AC017924-474A-4D75-B480-82473C5CA0F2} https://dgegroup.ten...TenroxOWC11.CAB (TenroxOWC11.TChart)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C78075F7-D370-4AD3-916B-1526D095411D}: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Handler\viprotocol {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\8.0.1\ViProtocol.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/09/24 19:08:42 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2003/09/24 19:01:36 | 000,000,099 | ---- | M] () - C:\AUTOEXEC.SYD -- [ NTFS ]
O33 - MountPoints2\{2e5439de-756c-11df-b12e-0007e9c5703f}\Shell - "" = AutoRun
O33 - MountPoints2\{2e5439de-756c-11df-b12e-0007e9c5703f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{2e5439de-756c-11df-b12e-0007e9c5703f}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\{a2a0f55c-62dd-11df-b120-0007e9c5703f}\Shell - "" = AutoRun
O33 - MountPoints2\{a2a0f55c-62dd-11df-b120-0007e9c5703f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{a2a0f55c-62dd-11df-b120-0007e9c5703f}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/10/14 17:19:11 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\User\Recent
[2011/10/14 15:30:19 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/10/12 15:28:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Skype
[2011/10/09 22:51:50 | 000,000,000 | -H-D | C] -- C:\$AVG
[2011/10/09 22:26:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\AVG2012
[2011/10/09 22:02:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\AVG 2012
[2011/10/09 22:02:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\AVG Secure Search
[2011/10/09 22:02:34 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\AVG Secure Search
[2011/10/09 22:02:32 | 000,000,000 | ---D | C] -- C:\Program Files\AVG Secure Search
[2011/10/09 22:00:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\AVG2012
[2011/10/09 22:00:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\AVG
[2011/10/09 21:58:54 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2011/10/09 21:55:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\MFAData
[2011/10/09 19:31:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2011/10/09 15:05:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Malwarebytes
[2011/10/09 15:04:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/10/09 15:04:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
[2011/10/09 15:04:37 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/10/09 15:04:37 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/10/09 14:52:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Start Menu\Programs\Security Sphere 2012
[2011/10/09 01:38:01 | 003,897,504 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\User\My Documents\avg_avct_stb_all_2012_1796_cm10.exe
[2011/10/09 00:30:06 | 000,000,000 | ---D | C] -- C:\Program Files\gaaphfcr
[2011/10/09 00:29:16 | 000,000,000 | ---D | C] -- C:\Help
[2011/10/08 22:41:34 | 000,200,976 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2011/10/08 22:06:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\QuickScan
[2011/09/25 19:00:08 | 000,056,336 | ---- | C] (Trusteer Ltd.) -- C:\WINDOWS\System32\drivers\RapportKELL.sys
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\User\*.tmp files -> C:\Documents and Settings\User\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/10/14 17:46:16 | 007,422,951 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm.prepare
[2011/10/14 17:35:06 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/10/14 17:35:05 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/10/14 17:18:43 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/10/14 16:43:22 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/10/14 09:00:54 | 106,553,095 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2011/10/14 08:35:39 | 000,494,328 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/10/14 08:35:39 | 000,084,746 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/10/13 08:26:28 | 000,083,456 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/10/13 08:09:36 | 106,488,068 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm.old
[2011/10/13 07:23:23 | 000,218,448 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/10/12 15:28:41 | 000,001,878 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Skype.lnk
[2011/10/11 16:27:57 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/10/10 12:24:45 | 000,043,520 | ---- | M] () -- C:\Documents and Settings\User\My Documents\cc_20111010_122402.reg
[2011/10/09 22:02:57 | 000,000,712 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\AVG 2012.lnk
[2011/10/09 21:45:33 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2011/10/09 19:25:12 | 000,012,406 | ---- | M] () -- C:\Documents and Settings\User\Desktop\297985_1845408835005_1834186588_1265489_300355665_n.jpg
[2011/10/09 15:04:44 | 000,000,794 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/10/09 01:38:05 | 003,897,504 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\User\My Documents\avg_avct_stb_all_2012_1796_cm10.exe
[2011/10/09 01:02:53 | 000,001,152 | ---- | M] () -- C:\WINDOWS\System32\windrv.sys
[2011/10/09 00:50:38 | 000,136,015 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\census.cache
[2011/10/09 00:50:26 | 000,183,856 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\ars.cache
[2011/10/09 00:41:16 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\housecall.guid.cache
[2011/10/07 13:11:03 | 000,005,210 | ---- | M] () -- C:\Documents and Settings\User\My Documents\cc_20111007_131054.reg
[2011/10/07 11:28:20 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/10/06 16:02:46 | 000,000,692 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\CCleaner.lnk
[2011/10/03 10:18:26 | 000,093,935 | ---- | M] () -- C:\Documents and Settings\User\Desktop\ATT0000666764.jpg
[2011/10/01 09:24:50 | 000,010,947 | ---- | M] () -- C:\Documents and Settings\User\Desktop\305396_1825749222063_1790253175_1227652_2005563563_n.jpg
[2011/10/01 08:52:08 | 000,016,612 | ---- | M] () -- C:\Documents and Settings\User\Desktop\297688_1825642059384_1790253175_1227609_1524653768_n.jpg
[2011/09/30 20:25:51 | 000,153,992 | ---- | M] () -- C:\Documents and Settings\User\My Documents\cc_20110930_202543.reg
[2011/09/25 19:00:08 | 000,056,336 | ---- | M] (Trusteer Ltd.) -- C:\WINDOWS\System32\drivers\RapportKELL.sys
[2011/09/20 19:21:15 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Microsoft Word (2).lnk
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\User\*.tmp files -> C:\Documents and Settings\User\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/10/14 09:00:54 | 106,553,095 | ---- | C] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2011/10/13 08:09:36 | 106,488,068 | ---- | C] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm.old
[2011/10/12 15:28:41 | 000,001,878 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Skype.lnk
[2011/10/10 12:24:06 | 000,043,520 | ---- | C] () -- C:\Documents and Settings\User\My Documents\cc_20111010_122402.reg
[2011/10/09 22:02:57 | 000,000,712 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\AVG 2012.lnk
[2011/10/09 19:25:10 | 000,012,406 | ---- | C] () -- C:\Documents and Settings\User\Desktop\297985_1845408835005_1834186588_1265489_300355665_n.jpg
[2011/10/09 15:04:44 | 000,000,794 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/10/09 13:50:44 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/10/09 01:02:53 | 000,001,152 | ---- | C] () -- C:\WINDOWS\System32\windrv.sys
[2011/10/09 00:50:38 | 000,136,015 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\census.cache
[2011/10/09 00:50:26 | 000,183,856 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\ars.cache
[2011/10/09 00:41:16 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\housecall.guid.cache
[2011/10/07 13:11:00 | 000,005,210 | ---- | C] () -- C:\Documents and Settings\User\My Documents\cc_20111007_131054.reg
[2011/10/04 07:24:48 | 000,093,935 | ---- | C] () -- C:\Documents and Settings\User\Desktop\ATT0000666764.jpg
[2011/10/01 09:24:49 | 000,010,947 | ---- | C] () -- C:\Documents and Settings\User\Desktop\305396_1825749222063_1790253175_1227652_2005563563_n.jpg
[2011/10/01 08:52:06 | 000,016,612 | ---- | C] () -- C:\Documents and Settings\User\Desktop\297688_1825642059384_1790253175_1227609_1524653768_n.jpg
[2011/09/30 20:25:46 | 000,153,992 | ---- | C] () -- C:\Documents and Settings\User\My Documents\cc_20110930_202543.reg
[2011/08/30 09:42:36 | 001,391,616 | ---- | C] () -- C:\WINDOWS\System32\ActPDF.dll
[2011/08/30 09:42:17 | 000,524,288 | ---- | C] () -- C:\WINDOWS\System32\PrtPass.exe
[2011/08/30 09:42:16 | 000,691,200 | ---- | C] () -- C:\WINDOWS\System32\PrintLog.exe
[2011/05/10 06:56:47 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2011/02/24 08:28:40 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\User\Application Data\bibstats
[2010/06/27 17:06:14 | 000,083,456 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/06/11 12:20:28 | 000,000,090 | ---- | C] () -- C:\WINDOWS\QBChanUtil_Trigger.ini
[2010/04/29 14:10:59 | 000,000,050 | ---- | C] () -- C:\WINDOWS\SwDrvs.ini
[2010/04/29 14:10:56 | 000,000,192 | ---- | C] () -- C:\WINDOWS\MYOB.INI
[2010/04/28 19:39:02 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\User\Application Data\PFP110JPR.{PB
[2010/04/28 19:39:02 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\User\Application Data\PFP110JCM.{PB
[2010/04/16 20:41:32 | 000,000,044 | ---- | C] () -- C:\WINDOWS\popcinfot.dat
[2010/04/16 20:41:32 | 000,000,000 | ---- | C] () -- C:\WINDOWS\popcreg.dat
[2009/12/10 12:14:54 | 000,000,149 | ---- | C] () -- C:\WINDOWS\chartist.ini
[2009/12/09 20:39:38 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\User\Application Data\PFP100JPR.{PB
[2009/12/09 20:39:38 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\User\Application Data\PFP100JCM.{PB
[2009/12/09 20:37:23 | 000,000,325 | ---- | C] () -- C:\WINDOWS\PowerReg.dat
[2009/12/09 20:23:50 | 000,000,120 | ---- | C] () -- C:\WINDOWS\MSMAIL32.INI
[2009/12/09 20:06:50 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2009/12/09 19:42:23 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\Msvcrt10.dll
[2009/12/09 18:20:46 | 000,000,508 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/12/04 11:47:52 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll
[2009/12/04 11:45:03 | 000,266,240 | ---- | C] () -- C:\WINDOWS\System32\shpshftr.dll
[2009/12/04 11:37:27 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/12/04 11:31:35 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/12/04 04:21:47 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/12/04 04:20:44 | 000,218,448 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/04/30 22:39:36 | 000,082,289 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2009/01/05 15:44:10 | 000,053,248 | ---- | C] () -- C:\WINDOWS\bdoscandel.exe
[2009/01/05 15:44:10 | 000,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini
[2004/08/02 15:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2002/03/21 16:39:02 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\UNACEV2.DLL
[2001/08/18 06:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/18 06:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/18 06:00:00 | 000,494,328 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/18 06:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/18 06:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/18 06:00:00 | 000,084,746 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/18 06:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/18 06:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/18 06:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/18 06:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2001/08/18 06:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[1999/04/03 10:54:02 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[1997/09/12 01:00:00 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\ODBCMON.DLL
[1997/09/12 01:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\ODBCSTF.DLL
[1997/09/12 01:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1997/09/12 01:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL

========== LOP Check ==========

[2011/04/27 18:01:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Trusteer
[2009/11/03 18:14:41 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2009/11/09 16:39:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJ
[2009/11/06 21:19:23 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJMyPrinter
[2009/11/09 16:38:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJPLM
[2009/11/09 16:38:34 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJScan
[2009/11/06 21:19:48 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJSolutionMenu
[2009/03/14 16:55:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GenuTax
[2009/03/22 10:42:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IM
[2009/03/22 09:18:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IncrediMail
[2009/05/10 11:13:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Seagate
[2011/10/09 01:19:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2006/09/04 09:12:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems
[2009/10/22 14:40:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2010/11/14 08:30:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\ACD Systems
[2011/10/10 15:09:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\AVG2012
[2009/12/09 19:24:41 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\CanonBJ
[2011/08/29 20:41:32 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\CanonIJEGV
[2011/08/21 19:04:20 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\CanonIJMyPrinter
[2011/08/29 20:37:40 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\CanonIJScan
[2011/08/21 19:04:35 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\CanonIJSolutionMenu
[2011/10/09 22:02:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\COMMON FILES
[2011/03/08 21:04:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\GenuTax
[2009/12/09 18:05:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\IM
[2009/12/09 18:03:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\IncrediMail
[2011/10/13 08:10:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\MFAData
[2011/08/30 14:51:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Nuance
[2011/08/30 11:06:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\PlotSoft
[2010/04/16 20:42:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\PopCap Games
[2011/08/30 14:49:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\ScanSoft
[2010/06/11 13:59:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\SQL Anywhere 10
[2011/08/30 09:42:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Temp
[2010/12/18 15:57:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\TomTom
[2011/03/31 20:08:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Trusteer
[2010/01/24 17:34:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\XHEO INC
[2010/09/27 07:40:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/12/17 19:05:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2011/04/27 18:01:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User.WINDOWS\Application Data\Trusteer
[2010/11/20 18:41:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Guest\Application Data\Canon Easy-WebPrint EX
[2009/11/09 16:38:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kathy Godlewski\Application Data\Canon
[2009/11/06 20:51:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kathy Godlewski\Application Data\Canon Easy-WebPrint EX
[2006/12/26 20:55:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kathy Godlewski\Application Data\CD Viewer
[2003/08/09 17:34:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kathy Godlewski\Application Data\Freedom
[2005/12/26 13:11:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kathy Godlewski\Application Data\FUJIFILM
[2005/08/21 21:45:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kathy Godlewski\Application Data\ispnews
[2008/08/04 09:11:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kathy Godlewski\Application Data\Leadertech
[2006/12/23 11:14:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kathy Godlewski\Application Data\OfficeUpdate12
[2006/10/04 20:11:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kathy Godlewski\Application Data\OLYMPUS
[2008/06/17 20:57:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kathy Godlewski\Application Data\SpinTop
[2006/09/03 17:26:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kathy Godlewski\Application Data\Ulead Systems
[2008/01/11 18:09:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kathy Godlewski\Application Data\UploadFiles
[2009/10/20 10:02:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kathy Godlewski\Application Data\VirtualStore
[2006/09/17 08:28:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kathy Godlewski\Application Data\WholeSecurity
[2010/11/15 18:54:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\pandasecuritytb
[2010/11/15 18:54:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\SurfSecret Privacy Suite
[2011/10/09 22:02:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\AVG Secure Search
[2011/10/09 22:26:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\AVG2012
[2011/08/29 20:37:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Canon
[2011/08/29 20:53:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Canon Easy-WebPrint EX
[2011/02/02 18:16:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Costco Photo Organizer
[2011/02/02 18:21:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Costco Photo Viewer CA-FR
[2010/05/24 10:17:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Leadertech
[2011/07/29 17:49:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\LinkedIn
[2011/08/30 14:51:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Nuance
[2011/10/08 22:09:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\QuickScan
[2010/12/18 15:56:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\TomTom
[2011/03/31 20:09:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Trusteer
[2011/08/30 14:50:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Zeon

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7E95B6FD
@Alternate Data Stream - 111 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2D5907B8

< End of report >

Attached Files

  • Attached File  OTL.Txt   104.43KB


#18
purplelavender

    Member

  • Topic Starter
  • Member
  • 20 posts
Here is the log from ComboFix.

ComboFix 11-10-14.04 - User 14/10/2011 18:48:59.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.126 [GMT -6:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Kathy Godlewski\Desktopvirii
c:\documents and settings\Kathy Godlewski\Desktopvirii\Trojan-Downloader.Win32.Agent.bl.exe
c:\documents and settings\Kathy Godlewski\Desktopvirii\Trojan-Downloader.Win32.Agent.p.exe
c:\documents and settings\Kathy Godlewski\Desktopvirii\Trojan-Downloader.Win32.Agent.r.exe
c:\documents and settings\Kathy Godlewski\Desktopvirii\Trojan-Downloader.Win32.Agent.t.exe
c:\documents and settings\Kathy Godlewski\Desktopvirii\Trojan-Downloader.Win32.Agent.v.exe
c:\documents and settings\Kathy Godlewski\WINDOWS
c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\phrwshqh.log
c:\documents and settings\User\dos2usb.tmp
c:\documents and settings\User\g2mdlhlpx.exe
c:\documents and settings\User\Local Settings\Application Data\liiwcidh.log
c:\documents and settings\User\WINDOWS
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MICORSOFT_WINDOWS_SERVICE
.
.
((((((((((((((((((((((((( Files Created from 2011-09-15 to 2011-10-15 )))))))))))))))))))))))))))))))
.
.
2011-10-14 21:30 . 2011-10-14 21:30 -------- d-----w- C:\_OTL
2011-10-10 04:51 . 2011-10-10 04:51 -------- d-----w- C:\$AVG
2011-10-10 04:26 . 2011-10-10 04:26 -------- d-----w- c:\documents and settings\User\Application Data\AVG2012
2011-10-10 04:02 . 2011-10-10 04:02 -------- d-----w- c:\documents and settings\User\Application Data\AVG Secure Search
2011-10-10 04:02 . 2011-10-10 04:02 -------- d-----w- c:\program files\Common Files\AVG Secure Search
2011-10-10 04:02 . 2011-10-10 04:02 -------- d-----w- c:\program files\AVG Secure Search
2011-10-10 04:00 . 2011-10-14 23:55 -------- d-----w- c:\windows\system32\drivers\AVG
2011-10-10 04:00 . 2011-10-10 21:09 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\AVG2012
2011-10-10 03:58 . 2011-10-10 03:58 -------- d-----w- c:\program files\AVG
2011-10-10 03:55 . 2011-10-14 23:56 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\MFAData
2011-10-09 21:05 . 2011-10-09 21:05 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2011-10-09 21:04 . 2011-10-09 21:04 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2011-10-09 21:04 . 2011-10-09 23:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-09 21:04 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-09 07:02 . 2011-10-09 07:02 1152 ----a-w- c:\windows\system32\windrv.sys
2011-10-09 06:30 . 2011-10-10 21:05 -------- d-----w- c:\program files\gaaphfcr
2011-10-09 06:29 . 2011-10-09 06:29 -------- d-----w- C:\Help
2011-10-09 04:41 . 2011-06-21 04:09 200976 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-10-09 04:35 . 2011-10-09 04:35 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2011-10-09 04:06 . 2011-10-09 04:09 -------- d-----w- c:\documents and settings\User\Application Data\QuickScan
2011-10-08 22:36 . 2011-10-08 22:36 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\IETldCache
2011-10-02 22:53 . 2011-10-02 22:53 105432 ----a-w- c:\program files\Mozilla Firefox\nssdbm3.dll
2011-10-02 22:53 . 2011-10-02 22:53 89048 ----a-w- c:\program files\Mozilla Firefox\nssutil3.dll
2011-09-26 20:20 . 2011-09-26 20:20 -------- d-----w- c:\documents and settings\Default User.WINDOWS\Local Settings\Application Data\Trusteer
2011-09-26 01:00 . 2011-09-26 01:00 56336 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-13 12:30 . 2011-09-13 12:30 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-09-09 09:12 . 2001-08-18 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-22 23:48 . 2001-08-18 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2001-08-18 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2001-08-18 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2009-12-04 19:01 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2001-08-18 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-08 12:08 . 2011-08-08 12:08 40016 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2011-10-02 22:53 . 2011-05-10 12:56 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2011-10-10 04:02 1451336 ----a-w- c:\program files\AVG Secure Search\8.0.0.34\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\8.0.0.34\AVG Secure Search_toolbar.dll" [2011-10-10 1451336]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2011-06-21 366024]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2011-04-22 247728]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2011-09-29 2647872]
"ISUSPM"="c:\documents and settings\All Users.WINDOWS\Application Data\FLEXnet\Connect\11\ISUSPM.exe" [2009-05-05 222496]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2002-10-16 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-10-16 114688]
"IMONTRAY"="c:\program files\Intel\Intel® Active Monitor\imontray.exe" [2003-01-10 32768]
"Smapp"="c:\program files\Analog Devices\SoundMAX\Smtray.exe" [2002-06-27 90112]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2002-09-12 1101824]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-14 421160]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-03-24 1983816]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]
"PrintDisp"="c:\windows\system32\PrintDisp.exe" [2011-02-19 826368]
"Nuance PDF Reader-reminder"="c:\program files\Nuance\PDF Reader\Ereg\Ereg.exe" [2010-07-05 333088]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-09-23 2404704]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2011-10-10 218440]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-9-12 111376]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-4-3 65588]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-9-12 51984]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [11/07/2011 1:14 AM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [13/09/2011 6:30 AM 32592]
R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [09/12/2009 7:49 PM 9344]
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [25/09/2011 7:00 PM 56336]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [11/07/2011 1:13 AM 229840]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [11/07/2011 1:14 AM 295248]
R1 RapportCerberus_29574;RapportCerberus_29574;c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\29574\RapportCerberus32_29574.sys [07/08/2011 8:09 AM 216912]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [25/09/2011 7:00 PM 70416]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [25/09/2011 7:00 PM 161936]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [02/08/2011 6:09 AM 192776]
R2 BsUDF;InCD UDF Driver;c:\windows\system32\drivers\bsudf.sys [09/12/2009 7:49 PM 448640]
R2 elAPIsvc;elAPI - Service Server;c:\program files\DOS2USB\elsvc.exe [09/06/2010 8:49 PM 45056]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [09/10/2011 3:04 PM 366152]
R2 Printer Control;Printer Control;c:\windows\system32\PrintCtrl.exe [30/08/2011 9:42 AM 65536]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [22/04/2011 6:21 AM 92592]
R2 vToolbarUpdater;vToolbarUpdater;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe [09/10/2011 10:02 PM 246600]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [09/10/2011 3:04 PM 22216]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 1:16 PM 130384]
S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [01/05/2009 3:35 PM 181544]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/06/2010 12:50 PM 135664]
S3 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [12/09/2011 6:23 AM 5265248]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [11/07/2011 1:14 AM 134608]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [11/07/2011 1:14 AM 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [11/07/2011 1:14 AM 16720]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/06/2010 12:50 PM 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57]
.
2011-10-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-12 18:49]
.
2011-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-12 18:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Linked&In Search - c:\program files\LinkedIn\IE Toolbar\3.2.5.1001\LinkedInIEToolbar.dll/ContextMenu.htm
Trusted Zone: tenroxhosting.com\dgegroup
TCP: DhcpNameServer = 192.168.0.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\8.0.1\ViProtocol.dll
DPF: {0D221D00-A6ED-477C-8A91-41F3B660A832} - hxxps://dgegroup.tenroxhosting.com/TEnterprise/Reserved.ReportViewerWebControl.axd?Mode=true&ReportID=b57d585d6beb4d528afc83985f6d5776&ControlID=4a571a2c9927412fbd6cf3cf6088e067&Culture=1033&UICulture=1033&ReportStack=1&OpType=PrintCab
DPF: {0FACC666-E038-43FF-B1A5-064FFB536934} - hxxps://dgegroup.tenroxhosting.com/TEnterprise/Download/Upload.CAB
DPF: {19F50ACB-5C69-4661-9697-BD100AE8DF08} - hxxps://dgegroup.tenroxhosting.com/TEnterprise/Download/TQuickBooksLive.CAB
DPF: {3E059DAB-6894-435C-B758-2977F014D734} - hxxps://dgegroup.tenroxhosting.com/TEnterprise/download/TClientProc.CAB
DPF: {5554DCB0-700B-498D-9B58-4E40E5814405} - hxxps://dgegroup.tenrox.net/TEnterprise/Reserved.ReportViewerWebControl.axd?Culture=1033&CultureOverrides=True&UICulture=1033&UICultureOverrides=True&ReportStack=1&ControlID=38845cec171946d79cfec99a3dacb7a8&Mode=true&OpType=PrintCab&Arch=X86
DPF: {9CF0560E-8FDC-45DB-8FBB-E7C9AE50BCE9} - hxxps://dgegroup.tenrox.net/TEnterprise/Download/TWorkflowMapX.cab
DPF: {A37AAD86-1B27-4B98-80CF-DAC66FB22F33} - hxxps://dgegroup.tenroxhosting.com/TEnterprise/download/OWCPrinter.cab
DPF: {AC017924-474A-4D75-B480-82473C5CA0F2} - hxxps://dgegroup.tenroxhosting.com/TEnterprise/Download/TenroxOWC11.CAB
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\aeyfzste.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/login.php
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7Ba6ccd002-c965-48e3-8a1e-e5d5b4e8c201%7D&mid=f9830c0c250f47d195b8d14eaf2199cc-b0c8ae55d107968f47cdc5335349dbc53066c769&ds=AVG&v=8.0.0.34.1&lang=en&pr=fr&d=2011-10-09%2022%3A02%3A40&sap=ku&q=
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
ShellIconOverlayIdentifiers-{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6} - (no file)
ShellIconOverlayIdentifiers-{9AE343CB-BA45-4618-AF6A-0230EE6FC793} - (no file)
HKU-Default-RunOnce-KeApplet - c:\windows\TEMP\ke64vrxlka.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-14 19:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ISUSPM = "c:\documents and settings\All Users.WINDOWS\Application Data\FLEXnet\Connect\11\ISUSPM.exe" -scheduler???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????w??????C??????x?+}???????????}?????????????](}0???????????H??????? ??|???????|????????j??|????0???????[???????????????????????????????????[?=?8?>?????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST340016A rev.3.19 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8330B31B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(888)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(952)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3504)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2012\avgrsx.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\AVG\AVG2012\avgnsx.exe
c:\program files\AVG\AVG2012\avgemcx.exe
c:\program files\Intel\Intel® Active Monitor\imonnt.exe
c:\program files\IncrediMail\Bin\ImApp.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-10-14 19:36:04 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-15 01:35
.
Pre-Run: 2,205,380,608 bytes free
Post-Run: 2,150,223,872 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 0EBD8AFCCFAF8F8C264EF6F497A81A3F
  • 0

#19
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
What are your current problems?

Please update and then run Malwarebytes, posting the resultant log
  • 0

#20
purplelavender

purplelavender

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Currently the machine is very slow and at times unresponsive. I will run Malwarebytes, but I still cannot go through Safe Mode. So does that not mean there is a possibility that the virus, if still there, will be in memory?
  • 0

#21
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Are you unable to access Safe Mode? What error do you get?
  • 0

#22
purplelavender

purplelavender

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
OK, I was now able to get into Safe Mode. Prior to that it would come up with the screen but never went into Safe Mode, only booted normally. Here is the text log from the Malwarebytes scan, and these are sitting in the Quarantine folder. What is the IP address it keeps blocking?

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7949

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

15/10/2011 12:04:04 PM
mbam-log-2011-10-15 (12-03-53).txt

Scan type: Full scan (C:\|)
Objects scanned: 406911
Time elapsed: 1 hour(s), 2 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{f29fd0a6-3a53-4387-9cc3-7aaf6780b9d3}\RP215\A0109203.dll (PUP.FunWebProducts) -> No action taken.
c:\system volume information\_restore{f29fd0a6-3a53-4387-9cc3-7aaf6780b9d3}\RP215\A0109204.dll (PUP.FunWebProducts) -> No action taken.
c:\system volume information\_restore{f29fd0a6-3a53-4387-9cc3-7aaf6780b9d3}\RP215\A0109205.exe (Spyware.Passwords.XGen) -> No action taken.
c:\system volume information\_restore{f29fd0a6-3a53-4387-9cc3-7aaf6780b9d3}\RP215\A0109207.exe (Trojan.FakeAV) -> No action taken.
c:\system volume information\_restore{f29fd0a6-3a53-4387-9cc3-7aaf6780b9d3}\RP215\A0109220.exe (Spyware.Passwords.XGen) -> No action taken.
c:\system volume information\_restore{f29fd0a6-3a53-4387-9cc3-7aaf6780b9d3}\RP216\A0109889.exe (Spyware.Passwords.XGen) -> No action taken.
c:\system volume information\_restore{f29fd0a6-3a53-4387-9cc3-7aaf6780b9d3}\RP216\A0109911.exe (Spyware.Passwords.XGen) -> No action taken.
c:\system volume information\_restore{f29fd0a6-3a53-4387-9cc3-7aaf6780b9d3}\RP218\A0110007.exe (Spyware.Passwords.XGen) -> No action taken.
c:\system volume information\_restore{f29fd0a6-3a53-4387-9cc3-7aaf6780b9d3}\RP218\A0110008.exe (Spyware.Passwords.XGen) -> No action taken.


Protection log report

09:22:14 (null) MESSAGE Protection started successfully
09:26:29 User MESSAGE IP Protection started successfully
09:26:30 User IP-BLOCK 46.251.237.162 (Type: outgoing)
09:26:39 User IP-BLOCK 46.251.237.162 (Type: outgoing)
09:31:35 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:31:44 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:31:57 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:32:00 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:32:06 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:32:18 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:32:21 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:32:27 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:32:40 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:32:43 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:32:49 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:33:01 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:33:04 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:33:10 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:33:26 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:33:29 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:33:35 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:33:47 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:33:50 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:33:56 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:36:38 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:37:01 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:37:04 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:37:10 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:37:28 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:37:31 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:37:37 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:38:12 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:38:33 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:38:36 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:38:42 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:40:11 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:40:35 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:40:38 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:40:44 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:42:56 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:42:59 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:43:05 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:43:18 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:43:21 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:43:27 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:43:39 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:43:42 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:43:48 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:44:00 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:44:03 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:44:09 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:44:22 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:44:25 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:44:31 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:44:43 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:44:46 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:44:52 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:45:04 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:45:07 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:45:13 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:47:25 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:47:28 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:47:34 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:47:47 User IP-BLOCK 46.251.237.161 (Type: outgoing)
09:47:50 User IP-BLOCK 46.251.237.161 (Type: outgoing)
09:47:56 User IP-BLOCK 46.251.237.161 (Type: outgoing)
09:48:08 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:48:11 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:48:17 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:48:29 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:48:32 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:48:38 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:48:50 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:48:53 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:48:59 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:49:11 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:49:14 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:49:20 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:49:32 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:49:35 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:49:41 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:49:53 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:49:56 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:50:02 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:52:14 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:52:17 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:52:23 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:52:35 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:52:38 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:52:44 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:52:56 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:52:59 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:53:05 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:53:18 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:53:21 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:53:27 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:53:39 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:53:42 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:53:48 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:54:00 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:54:03 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:54:09 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:54:28 (null) IP-BLOCK 46.251.237.165 (Type: outgoing)
12:08:13 (null) MESSAGE Protection started successfully
12:10:26 (null) MESSAGE Scheduled update executed successfully
12:13:20 User MESSAGE IP Protection started successfully
12:13:25 User MESSAGE IP Protection stopped
12:14:45 User MESSAGE Database updated successfully
12:14:59 User MESSAGE IP Protection started successfully
12:17:03 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:17:06 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:17:12 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:17:25 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:17:28 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:17:34 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:17:47 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:17:50 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:17:56 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:18:08 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:18:11 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:18:17 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:18:29 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:18:32 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:18:38 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:18:50 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:18:53 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:18:59 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:19:12 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:19:15 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:19:21 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:21:33 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:21:36 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:21:42 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:22:01 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:22:04 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:22:10 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:22:22 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:22:25 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:22:31 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:22:44 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:22:47 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:22:53 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:23:05 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:23:08 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:23:14 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:23:26 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:23:29 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:23:35 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:23:48 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:23:51 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:23:57 User IP-BLOCK 46.251.237.165 (Type: outgoing)
12:26:09 User IP-BLOCK 46.251.237.165 (Type: outgoing)
  • 0
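The protection log above shows the same three hosts in 46.251.237.0/24 being blocked over and over, a few seconds apart, which is what a process retrying its command-and-control server looks like. As an added example (not from this thread and not Malwarebytes' own code), here is a small Python script that parses IP-BLOCK lines in that format, counts blocks per destination, measures the interval between them, groups them by /24 and flags the hosts that behave like a beacon. The sample lines are a constructed subset of the log in this post; the beacon thresholds (at least five blocks with a median gap of 60 seconds or less) are my own assumptions, as is the /24 grouping.

```python
import ipaddress
import re
from collections import defaultdict
from statistics import median

# Matches lines such as: 09:31:35 User IP-BLOCK 46.251.237.165 (Type: outgoing)
# The second field is the user name, or "(null)" for blocks logged before logon.
BLOCK_RE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\s+\S+\s+IP-BLOCK\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\(Type:\s*(?P<dir>\w+)\)"
)

# Constructed sample: a subset of the protection log posted above (same format, same hosts).
SAMPLE_LOG = """\
09:26:29 User MESSAGE IP Protection started successfully
09:26:30 User IP-BLOCK 46.251.237.162 (Type: outgoing)
09:26:39 User IP-BLOCK 46.251.237.162 (Type: outgoing)
09:31:35 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:31:44 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:31:57 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:32:00 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:32:06 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:32:18 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:32:21 User IP-BLOCK 46.251.237.165 (Type: outgoing)
09:47:47 User IP-BLOCK 46.251.237.161 (Type: outgoing)
09:47:50 User IP-BLOCK 46.251.237.161 (Type: outgoing)
09:47:56 User IP-BLOCK 46.251.237.161 (Type: outgoing)
"""


def parse_ip_blocks(log_text: str) -> list:
    """Return (seconds since midnight, ip, direction) for every IP-BLOCK line.

    MESSAGE lines and anything else are ignored. The log carries no date, so
    this assumes all lines come from one day (no midnight roll-over handling).
    """
    events = []
    for line in log_text.splitlines():
        m = BLOCK_RE.match(line.strip())
        if m:
            t = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            events.append((t, m["ip"], m["dir"]))
    return events


def summarize(events: list) -> dict:
    """Per destination IP: block count, median gap between blocks, and total span."""
    by_ip = defaultdict(list)
    for t, ip, _ in events:
        by_ip[ip].append(t)
    stats = {}
    for ip, times in by_ip.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        stats[ip] = {
            "count": len(times),
            "median_gap_s": median(gaps) if gaps else None,
            "span_s": times[-1] - times[0],
        }
    return stats


def looks_like_beacon(s: dict, min_count: int = 5, max_median_gap_s: float = 60) -> bool:
    """Heuristic (assumed thresholds): many blocks to one host at short, regular intervals."""
    return (s["count"] >= min_count
            and s["median_gap_s"] is not None
            and s["median_gap_s"] <= max_median_gap_s)


def group_by_subnet(events: list, prefix: int = 24) -> dict:
    """Count blocks per /prefix network, to spot a C2 pool spread across neighbouring hosts."""
    counts = defaultdict(int)
    for _, ip, _ in events:
        counts[str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))] += 1
    return dict(counts)


def report(log_text: str) -> list:
    """Human-readable lines: one per destination, plus the subnet totals."""
    events = parse_ip_blocks(log_text)
    lines = []
    for ip, s in sorted(summarize(events).items()):
        flag = "BEACON" if looks_like_beacon(s) else "ok"
        lines.append(f"{ip:16} blocks={s['count']:3} median_gap={s['median_gap_s']}s span={s['span_s']}s {flag}")
    for net, n in sorted(group_by_subnet(events).items()):
        lines.append(f"{net:18} total blocks={n}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

On the full log from this post the 3s/6s/12s spacing between consecutive blocks to 46.251.237.165 is the retry cadence of a single process that cannot reach its server; once the MBR fix below is applied the blocks stop, which is the confirmation the moderator asks for later in the thread.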

#23
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
The IP is in Germany and was suspect



Download aswMBR.exe ( 1.8mb ) to your desktop.
Double-click aswMBR.exe to run it, then click the "Scan" button to start the scan.


On completion of the scan click Save log, save it to your desktop and post it in your next reply.

  • 0

#24
purplelavender

purplelavender

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
When I try to download it I get a pop-up asking if it is OK to download. I select Yes and receive a blank screen.
  • 0

#25
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Here is a copy I have just downloaded

Download the attached zip file to your desktop
Extract aswMBR and then follow the previous instructions


  • 0


#26
purplelavender

purplelavender

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
OK, that worked. Here is the log, and my AVG picked up the .dat file as a virus after the run.

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-10-15 13:39:55
-----------------------------
13:39:55.421 OS Version: Windows 5.1.2600 Service Pack 3
13:39:55.421 Number of processors: 1 586 0x204
13:39:55.421 ComputerName: ACS03976 UserName: User
13:39:56.500 Initialize success
13:40:14.937 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
13:40:14.937 Disk 0 Vendor: ST340016A 3.19 Size: 38166MB BusType: 3
13:40:14.953 Device \Driver\atapi -> DriverStartIo 8330831b
13:40:16.984 Disk 0 MBR read successfully
13:40:16.984 Disk 0 MBR scan
13:40:16.984 Disk 0 TDL4@MBR code has been found
13:40:16.984 Disk 0 Windows XP default MBR code found via API
13:40:16.984 Disk 0 MBR hidden
13:40:16.984 Disk 0 MBR [TDL4] **ROOTKIT**
13:40:16.984 Disk 0 trace - called modules:
13:40:16.984 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x833084d0]<<
13:40:16.984 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x83389ab8]
13:40:16.984 3 CLASSPNP.SYS[f87d3fd7] -> nt!IofCallDriver -> \Device\00000065[0x8333cf18]
13:40:16.984 5 ACPI.sys[f873a620] -> nt!IofCallDriver -> [0x83379b58]
13:40:17.515 \Driver\atapi[0x833d3030] -> IRP_MJ_CREATE -> 0x833084d0
13:40:17.515 Scan finished successfully
13:40:34.796 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\User\Desktop\MBR.dat"
13:40:34.796 The log file has been saved successfully to "C:\Documents and Settings\User\Desktop\aswMBR.txt"
  • 0

#27
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK, that is the culprit. aswMBR may appear to hang after the fix, so if necessary just reboot the computer.

Quote: "OK, that worked. Here is the log, and my AVG picked up the .dat file as a virus after the run."

Oh well better late than never :)

Re-Run aswMBR

Click Scan

On completion of the scan click the Fix button.



Save the log as before and post it in your next reply.
  • 0

#28
purplelavender

purplelavender

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-10-15 13:39:55
-----------------------------
13:39:55.421 OS Version: Windows 5.1.2600 Service Pack 3
13:39:55.421 Number of processors: 1 586 0x204
13:39:55.421 ComputerName: ACS03976 UserName: User
13:39:56.500 Initialize success
13:40:14.937 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
13:40:14.937 Disk 0 Vendor: ST340016A 3.19 Size: 38166MB BusType: 3
13:40:14.953 Device \Driver\atapi -> DriverStartIo 8330831b
13:40:16.984 Disk 0 MBR read successfully
13:40:16.984 Disk 0 MBR scan
13:40:16.984 Disk 0 TDL4@MBR code has been found
13:40:16.984 Disk 0 Windows XP default MBR code found via API
13:40:16.984 Disk 0 MBR hidden
13:40:16.984 Disk 0 MBR [TDL4] **ROOTKIT**
13:40:16.984 Disk 0 trace - called modules:
13:40:16.984 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x833084d0]<<
13:40:16.984 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x83389ab8]
13:40:16.984 3 CLASSPNP.SYS[f87d3fd7] -> nt!IofCallDriver -> \Device\00000065[0x8333cf18]
13:40:16.984 5 ACPI.sys[f873a620] -> nt!IofCallDriver -> [0x83379b58]
13:40:17.515 \Driver\atapi[0x833d3030] -> IRP_MJ_CREATE -> 0x833084d0
13:40:17.515 Scan finished successfully
13:40:34.796 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\User\Desktop\MBR.dat"
13:40:34.796 The log file has been saved successfully to "C:\Documents and Settings\User\Desktop\aswMBR.txt"


aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-10-15 14:59:20
-----------------------------
14:59:20.578 OS Version: Windows 5.1.2600 Service Pack 3
14:59:20.578 Number of processors: 1 586 0x204
14:59:20.687 ComputerName: ACS03976 UserName: User
14:59:58.437 Initialize success
15:00:39.906 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
15:00:39.906 Disk 0 Vendor: ST340016A 3.19 Size: 38166MB BusType: 3
15:00:42.015 Disk 0 MBR read successfully
15:00:42.015 Disk 0 MBR scan
15:00:42.015 Disk 0 Windows XP default MBR code
15:00:42.187 Disk 0 scanning sectors +78156225
15:00:42.562 Disk 0 scanning C:\WINDOWS\system32\drivers
15:01:41.578 Service scanning
15:01:46.671 Modules scanning
15:02:29.781 Disk 0 trace - called modules:
15:02:29.796 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
15:02:29.812 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x833705e0]
15:02:29.812 3 CLASSPNP.SYS[f87c3fd7] -> nt!IofCallDriver -> \Device\00000065[0x833d2f18]
15:02:29.812 5 ACPI.sys[f873a620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x833d1d98]
15:02:29.843 Scan finished successfully
15:03:49.281 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\User\Desktop\MBR.dat"
15:03:49.328 The log file has been saved successfully to "C:\Documents and Settings\User\Desktop\aswMBR.txt"
  • 0
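The two aswMBR logs above show the whole TDL4 story in three lines: "Windows XP default MBR code found via API" (the rootkit's hook on \Driver\atapi DriverStartIo hands a clean sector to anyone who asks through the normal I/O path), "TDL4@MBR code has been found" (the raw read shows the real, infected bootstrap code), and "MBR hidden" (the two views disagree). After the fix the call trace ends in atapi.sys/pciide.sys instead of an UNKNOWN module, and the scan goes on to check the sectors past the last partition (+78156225), which is where a TDL4-style bootkit keeps its hidden file system. As an added example, not aswMBR's code and not from this thread, here is a Python script that does the user-mode part of that comparison on a saved MBR image such as the MBR.dat aswMBR writes: it parses the 512-byte sector, compares an "API view" against a "raw view" of the bootstrap code, and measures the unallocated tail of the disk. The sample MBRs are constructed; the disk size is the 38166 MB from the log, and the partition is sized on the assumption that the +78156225 offset in the post-fix log is the end of the last partition. The foreign bootstrap bytes stand in for infected code and are not real TDL4 code.

```python
import hashlib
import struct

SECTOR = 512
PART_TABLE_OFF = 446
ENTRY_FMT = "<B3BB3BII"  # status, CHS start (3), type, CHS end (3), LBA start, sector count

# From the aswMBR log: "Size: 38166MB"; expressed in 512-byte sectors.
DISK_SECTORS = 38166 * 2048  # 78,163,968

# Constructed stand-in for a foreign bootstrap; NOT real TDL4 code.
FOREIGN_BOOTCODE = b"\xeb\x10" + b"\x90" * 16 + b"TDL4@MBR"


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap-code hash, partition entries and signature check."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for slot in range(4):
        f = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * slot)
        status, ptype, lba_start, count = f[0], f[4], f[8], f[9]
        if ptype == 0 and count == 0:
            continue  # empty slot
        partitions.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                           "start": lba_start, "end": lba_start + count})
    return {
        "signature_ok": mbr[510:512] == b"\x55\xaa",
        "bootcode_sha256": hashlib.sha256(mbr[:PART_TABLE_OFF]).hexdigest(),
        "partitions": partitions,
    }


def unallocated_tail(parsed: dict, disk_sectors: int) -> int:
    """Sectors between the end of the last partition and the end of the disk.

    A few MB of slack is normal on an XP-era disk; the point is to know where
    to look, because a hidden file system lives in exactly this region.
    """
    if not parsed["partitions"]:
        return disk_sectors
    return max(0, disk_sectors - max(p["end"] for p in parsed["partitions"]))


def views_disagree(api_mbr: bytes, raw_mbr: bytes) -> bool:
    """True when the bootstrap code seen through the OS API differs from the raw read.

    This is the "MBR hidden" condition: a bootkit hooking the disk stack serves
    a clean sector to ordinary reads while the real sector holds its own code.
    """
    return api_mbr[:PART_TABLE_OFF] != raw_mbr[:PART_TABLE_OFF]


def build_sample_mbr(start: int, count: int, bootcode: bytes = b"") -> bytes:
    """Constructed MBR: given bootstrap bytes, one bootable NTFS (0x07) partition, valid signature."""
    if len(bootcode) > PART_TABLE_OFF:
        raise ValueError("bootstrap code must fit in 446 bytes")
    mbr = bytearray(SECTOR)
    mbr[:len(bootcode)] = bootcode
    struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFF,
                     0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF, start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def triage(api_mbr: bytes, raw_mbr: bytes, disk_sectors: int) -> dict:
    """The facts a responder wants from two reads of the same MBR plus the disk size."""
    parsed = parse_mbr(raw_mbr)
    return {
        "signature_ok": parsed["signature_ok"],
        "mbr_hidden": views_disagree(api_mbr, raw_mbr),
        "partitions": len(parsed["partitions"]),
        "tail_sectors": unallocated_tail(parsed, disk_sectors),
        "raw_bootcode_sha256": parsed["bootcode_sha256"],
    }


if __name__ == "__main__":
    # Partition chosen so it ends at sector 78,156,225, the offset aswMBR scanned from (assumption).
    api_view = build_sample_mbr(63, 78156162)                     # what the hooked API returns
    raw_view = build_sample_mbr(63, 78156162, FOREIGN_BOOTCODE)   # what is really on disk
    for k, v in triage(api_view, raw_view, DISK_SECTORS).items():
        print(f"{k:20} {v}")
```

On a real machine the two inputs would be the MBR read through a normal file handle on \\.\PhysicalDrive0 and a read that bypasses the hooked driver (which is what aswMBR's own driver does); the script only shows how the comparison and the partition-table arithmetic work once both sectors are in hand. Note that a matching bootstrap code does not prove a clean disk, only that nothing is lying about that sector.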

#29
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
How is it behaving now? Have the MBAM blocks ceased?
  • 0

#30
purplelavender

purplelavender

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Yes they have, and things seem to be OK. Thanks, you have been a great help!
  • 0
