
CMD.EXE, REGEDIT.EXE Won't Run; AVG Update Page Inaccessible [Solv


#1 oze (Member, 44 posts)
Hello, All!

When I attempt to run either cmd or regedit, the desktop flashes, all shortcuts disappear for a couple of seconds, as does the task bar. Everything then returns to what poses as normal. I'm also getting errors from AVG when I attempt to perform any updates (site unreachable); I'm using Firefox 3.0.8.

Things that I've tried so far include a complete scan with AVG (purchased (not free) version 8.5.276), including anti-spyware and anti-rootkit scans. Three hours later, the report is that no intrusions were detected. I also ran (in safe mode) AVG's "fixwen" and mydoom fixes, because these are what I suspected at first to be my problem. I've also followed the steps in the Spyware Cleaning Guide at this site. Thanks in advance for your help.

Dave

OTListIT Log:

OTListIt logfile created on: 3/30/2009 5:37:52 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.7.2 Folder = C:\Documents and Settings\Owner\Desktop\Worm
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

759.52 Mb Total Physical Memory | 394.78 Mb Available Physical Memory | 51.98% Memory free
1.82 Gb Paging File | 1.45 Gb Available in Paging File | 79.78% Paging File free
Paging file location(s): C:\pagefile.sys 1140 2280;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 106.76 Gb Total Space | 42.55 Gb Free Space | 39.85% Space Free | Partition Type: NTFS
Drive D: | 5.02 Gb Total Space | 1.18 Gb Free Space | 23.50% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
Drive F: | 50.86 Gb Total Space | 45.90 Gb Free Space | 90.25% Space Free | Partition Type: NTFS
Drive G: | 5.02 Gb Total Space | 5.02 Gb Free Space | 100.00% Space Free | Partition Type: FAT32
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OFFICE
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe (Seagate Technology LLC)
PRC - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe ()
PRC - C:\Program Files\AVG\AVG8\avgam.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
PRC - C:\Program Files\AVG\AVG8\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)
PRC - c:\WINDOWS\system32\ZuneBusEnum.exe (Microsoft Corporation)
PRC - C:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
PRC - C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgemc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\WINDOWS\system32\qimlsrv.exe (Comvigo, Inc.)
PRC - C:\Program Files\AVG\AVG8\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\WINDOWS\system32\dsrviml.exe (Comvigo, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Documents and Settings\Owner\Desktop\Worm\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (Apple Mobile Device [Disabled | Stopped]) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (avg8emc [Auto | Running]) -- C:\Program Files\AVG\AVG8\avgemc.exe (AVG Technologies CZ, s.r.o.)
SRV - (avg8wd [Auto | Running]) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (Basics Service [Auto | Running]) -- C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe (Seagate Technology LLC)
SRV - (bgsvcgen [Disabled | Stopped]) -- C:\WINDOWS\system32\bgsvcgen.exe (B.H.A Corporation)
SRV - (Bonjour Service [Disabled | Stopped]) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (IDriverT [On_Demand | Stopped]) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (iPod Service [On_Demand | Stopped]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (KPF4 [Auto | Stopped]) -- C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe (Sunbelt Software)
SRV - (McAfee SiteAdvisor Service [Auto | Running]) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe ()
SRV - (NMIndexingService [Disabled | Stopped]) -- File not found
SRV - (NVSvc [Auto | Running]) -- C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
SRV - (Pml Driver HPZ12 [On_Demand | Stopped]) -- C:\WINDOWS\system32\HPZipm12.exe (HP)
SRV - (Viewpoint Manager Service [Auto | Running]) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)
SRV - (ZuneBusEnum [Auto | Running]) -- c:\WINDOWS\system32\ZuneBusEnum.exe (Microsoft Corporation)
SRV - (ZuneNetworkSvc [On_Demand | Stopped]) -- c:\Program Files\Zune\ZuneNss.exe (Microsoft Corporation)
SRV - (ZuneWlanCfgSvc [On_Demand | Stopped]) -- c:\WINDOWS\system32\ZuneWlanCfgSvc.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (Afc [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\Afc.sys (Arcsoft, Inc.)
DRV - (AFS2K [System | Running]) -- C:\WINDOWS\System32\drivers\AFS2K.SYS (Oak Technology Inc.)
DRV - (ALCXWDM [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)
DRV - (AvgLdx86 [System | Running]) -- C:\WINDOWS\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgMfx86 [System | Running]) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgRkx86 [Boot | Running]) -- C:\WINDOWS\System32\Drivers\avgrkx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgTdiX [System | Running]) -- C:\WINDOWS\System32\Drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (cdrbsdrv [System | Running]) -- C:\WINDOWS\System32\drivers\cdrbsdrv.sys (B.H.A Corporation)
DRV - (CoachAud [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\CoachAud.sys (FotoNation Inc.)
DRV - (CoachUsb [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\CoachUsb.sys (FotoNation Inc.)
DRV - (CoachVc [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\CoachVc.sys (FotoNation Inc.)
DRV - (E100B [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\e100b325.sys (Intel Corporation)
DRV - (eaps2kbd [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\eaps2kbd.sys (Compaq Computer Corp.)
DRV - (EAWDMFD [System | Running]) -- C:\WINDOWS\system32\drivers\EAWDMFD.sys (Compaq Computer Corporation)
DRV - (FTD2XX [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\FTD2XX.sys (FTDI Ltd.)
DRV - (fwdrv [System | Running]) -- C:\WINDOWS\system32\drivers\fwdrv.sys (Sunbelt Software)
DRV - (GEARAspiWDM [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (giveio [Boot | Running]) -- C:\WINDOWS\system32\giveio.sys ()
DRV - (HPZid412 [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\HPZid412.sys (HP)
DRV - (HPZipr12 [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\HPZipr12.sys (HP)
DRV - (HPZius12 [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\HPZius12.sys (HP)
DRV - (i81x [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\i81xnt5.sys (Intel® Corporation)
DRV - (iAimFP0 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\wADV01nt.sys (Intel® Corporation)
DRV - (iAimFP1 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\wADV02NT.sys (Intel® Corporation)
DRV - (iAimFP2 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\wADV05NT.sys (Intel® Corporation)
DRV - (iAimFP3 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys (Intel® Corporation)
DRV - (iAimFP4 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys (Intel® Corporation)
DRV - (iAimTV0 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\wATV01nt.sys (Intel® Corporation)
DRV - (iAimTV1 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\wATV02NT.sys (Intel® Corporation)
DRV - (iAimTV3 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\wATV04nt.sys (Intel® Corporation)
DRV - (iAimTV4 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys (Intel® Corporation)
DRV - (ialm [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\ialmnt5.sys (Intel Corporation)
DRV - (khips [System | Running]) -- C:\WINDOWS\system32\drivers\khips.sys ()
DRV - (ltmodem5 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys (Agere Systems)
DRV - (LwUsbHid [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\LwUsbHid.sys (Logitech Inc.)
DRV - (mr7910 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\mr7910.sys (Mars Semiconductor Corp.)
DRV - (MxlW2k [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\MxlW2k.sys (MusicMatch, Inc.)
DRV - (ntcdrdrv [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\ntcdrdrv.sys (NoteBurn Software)
DRV - (nv [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\nv4_mini.sys (NVIDIA Corporation)
DRV - (nv_agp [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\nv_agp.sys (NVIDIA Corporation)
DRV - (PcdrNt [On_Demand | Stopped]) -- C:\WINDOWS\System32\drivers\PcdrNt.sys (PC-Doctor Inc.)
DRV - (pfc [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\pfc.sys (Padus, Inc.)
DRV - (Point32 [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\point32.sys (Microsoft Corporation)
DRV - (Ps2 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\PS2.sys (Hewlett-Packard Company)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (PxHelp20 [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\PxHelp20.sys (Sonic Solutions)
DRV - (RTL8023xp [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys (Realtek Semiconductor Corporation )
DRV - (rtl8139 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\RTL8139.SYS (Realtek Semiconductor Corporation)
DRV - (S3Psddr [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\s3gnbm.sys (S3 Graphics, Inc.)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (SiS315 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\sisgrp.sys (Silicon Integrated Systems Corporation)
DRV - (SISAGP [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\SISAGP.sys (Silicon Integrated Systems Corporation)
DRV - (speedfan [Boot | Running]) -- C:\WINDOWS\system32\speedfan.sys (Windows ® 2000 DDK provider)
DRV - (TVICHW32 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS (EnTech Taiwan)
DRV - (USBAAPL [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\usbaapl.sys (Apple, Inc.)
DRV - (USBCM [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\Sacm2K.sys ( )
DRV - (USB_RNDIS [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\usb8023.sys (Microsoft Corporation)
DRV - (viaagp1 [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\viaagp1.sys (VIA Technologies, Inc.)
DRV - (WinUSB [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\WinUSB.sys (Microsoft Corporation)
DRV - (zumbus [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\zumbus.sys (Microsoft Corporation)
DRV - ({6080A529-897E-4629-A488-ABA0C29B635E} [System | Stopped]) -- C:\WINDOWS\system32\drivers\ialmsbw.sys (Intel Corporation)
DRV - ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91} [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\ialmkchw.sys (Intel Corporation)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us6.hpwis.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...m...tf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/home.php
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1;localhost;*.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://portal.wowway....net/index.php"
FF - prefs.js..extensions.enabledItems: {C0D0F6D1-9FC9-4b0a-B485-D5E13AF40D51}:2.2.48
FF - prefs.js..extensions.enabledItems: {0545b830-f0aa-4d7e-8820-50a4629a56fe}:3.9.1
FF - prefs.js..extensions.enabledItems: {71C54606-83ED-4ea6-9315-1AAB29466D33}:3.0
FF - prefs.js..extensions.enabledItems: [email protected]:1.12
FF - prefs.js..extensions.enabledItems: {77b819fa-95ad-4f2c-ac7c-486b356188a9}:1.5.20090207
FF - prefs.js..extensions.enabledItems: {FDD8ECF0-451A-414D-8C8F-7B7F78B0ECD3}:1.3.3
FF - prefs.js..extensions.enabledItems: {ada4b710-8346-4b82-8199-5de2b400a6ae}:1.9.1
FF - prefs.js..extensions.enabledItems: {AE93811A-5C9A-4d34-8462-F7B864FC4696}:3.28
FF - prefs.js..extensions.enabledItems: [email protected]:2.0
FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20090325
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.8
FF - prefs.js..extensions.enabledItems: {F587B2D4-7C09-4a23-AC4A-8D6E3CE8C7DA}:3.2


FF - HKLM\software\mozilla\Mozilla Firefox 3.0.8\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/03/28 21:21:49 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.8\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/03/28 21:21:48 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.21\extensions\\Components: C:\PROGRAM FILES\MOZILLA THUNDERBIRD\COMPONENTS [2009/03/21 09:29:47 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.21\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA THUNDERBIRD\PLUGINS [2009/01/26 23:11:26 | 00,000,000 | ---D | M]

[2008/08/29 08:09:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Extensions
[2008/08/29 08:09:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/03/30 13:07:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Firefox\Profiles\1nq9i9mp.default\extensions
[2009/03/30 13:02:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Firefox\Profiles\1nq9i9mp.default\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}
[2006/08/19 19:12:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Firefox\Profiles\1nq9i9mp.default\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe41}
[2009/02/28 19:20:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Firefox\Profiles\1nq9i9mp.default\extensions\{5A170DD3-63CA-4c58-93B7-DE9FF536C2FF}(2)
[2006/08/19 19:12:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Firefox\Profiles\1nq9i9mp.default\extensions\{6e84150a-d526-41f1-a480-a67d3fed910d}(2)
[2009/01/29 11:24:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Firefox\Profiles\1nq9i9mp.default\extensions\{71C54606-83ED-4ea6-9315-1AAB29466D33}
[2009/02/10 00:39:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Firefox\Profiles\1nq9i9mp.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}
[2009/03/30 13:02:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Firefox\Profiles\1nq9i9mp.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2007/07/21 21:04:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Firefox\Profiles\1nq9i9mp.default\extensions\{AB592EF6-52F0-4969-A648-57121FE97538}
[2009/03/30 13:02:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Firefox\Profiles\1nq9i9mp.default\extensions\{ada4b710-8346-4b82-8199-5de2b400a6ae}
[2008/12/18 11:01:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Firefox\Profiles\1nq9i9mp.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
[2008/08/16 11:31:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Firefox\Profiles\1nq9i9mp.default\extensions\{C0D0F6D1-9FC9-4b0a-B485-D5E13AF40D51}
[2009/03/30 13:01:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Firefox\Profiles\1nq9i9mp.default\extensions\{F587B2D4-7C09-4a23-AC4A-8D6E3CE8C7DA}
[2008/08/29 08:10:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Firefox\Profiles\1nq9i9mp.default\extensions\{FDD8ECF0-451A-414D-8C8F-7B7F78B0ECD3}
[2007/10/20 14:36:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Firefox\Profiles\1nq9i9mp.default\extensions\[email protected]
[2007/10/20 14:36:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Firefox\Profiles\1nq9i9mp.default\extensions\[email protected]
[2009/03/30 13:02:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Firefox\Profiles\1nq9i9mp.default\extensions\{F587B2D4-7C09-4a23-AC4A-8D6E3CE8C7DA}\chrome\mozapps\extensions
[2009/03/25 07:28:48 | 00,002,053 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Mozilla\FireFox\Profiles\1nq9i9mp.default\searchplugins\hostip.xml
[2007/06/09 12:57:08 | 00,002,386 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Mozilla\FireFox\Profiles\1nq9i9mp.default\searchplugins\siteadvisor.xml
[2006/10/24 17:06:44 | 00,001,668 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Mozilla\FireFox\Profiles\1nq9i9mp.default\searchplugins\stumbleupon.xml
[2008/08/29 08:09:59 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/03/28 21:21:48 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/03/28 21:21:39 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/03/28 21:21:39 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2008/09/24 20:21:16 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2008/09/24 20:21:16 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2008/09/24 20:21:16 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2008/11/14 21:43:27 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2008/09/24 20:21:16 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2008/09/24 20:21:16 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2008/09/24 20:21:16 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (640439 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 ad.a8.net
O1 - Hosts: 127.0.0.1 asy.a8ww.net
O1 - Hosts: 127.0.0.1 www.aaa-livedoor.net #[Trojan-PSW.Win32.Maran.ei]
O1 - Hosts: 127.0.0.1 www.abcsearcher.com #[Spamdexing][Microsoft.Strider]
O1 - Hosts: 127.0.0.1 abc-search.info
O1 - Hosts: 127.0.0.1 abloga.info #[Spamdexing]
O1 - Hosts: 127.0.0.1 www.abx4.com #[Adware.ABXToolbar]
O1 - Hosts: 127.0.0.1 acezip.net #[SiteAdvisor.acezip.net]
O1 - Hosts: 127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
O1 - Hosts: 127.0.0.1 phpadsnew.abac.com
O1 - Hosts: 127.0.0.1 a.abnad.net
O1 - Hosts: 127.0.0.1 b.abnad.net
O1 - Hosts: 127.0.0.1 c.abnad.net #[eTrust.Tracking.Cookie]
O1 - Hosts: 127.0.0.1 d.abnad.net
O1 - Hosts: 127.0.0.1 e.abnad.net
O1 - Hosts: 127.0.0.1 t.abnad.net
O1 - Hosts: 127.0.0.1 banners.absolpublisher.com
O1 - Hosts: 127.0.0.1 tracking.absolstats.com
O1 - Hosts: 127.0.0.1 adv.abv.bg
O1 - Hosts: 127.0.0.1 bimg.abv.bg
O1 - Hosts: 127.0.0.1 www2.a-counter.kiev.ua
O1 - Hosts: 127.0.0.1 accuserveadsystem.com
O1 - Hosts: 127.0.0.1 www.accuserveadsystem.com
O1 - Hosts: 127.0.0.1 gtcc1.acecounter.com
O1 - Hosts: 16875 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O3 - HKLM\..\Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (hp toolkit) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL (Hewlett-Packard Company)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL (Hewlett-Packard Company)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - Reg Error: Key error. File not found
O4 - HKLM..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit (NVIDIA Corporation)
O4 - HKLM..\Run: [ptrun32] C:\WINDOWS\system32\ptrun32\ptrun32.exe -startup (Ignite Software, Inc.)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe" (Microsoft Corporation)
O4 - HKCU..\Run: [PTRUN32] C:\WINDOWS\system32\ptrun32\ptr32w.exe (Ignite Software, Inc.)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent (Malwarebytes Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\IML.lnk = C:\WINDOWS\system32\iml.vbs ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &Search - http://edits.mywebse...html?p=ZJfox000
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download with Xilisoft Download YouTube Video - C:\Documents and Settings\Owner\My Documents\anna\Download YouTube Video\upod_link.HTM
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Sites: ([]msn in My Computer)
O15 - HKCU\..Trusted Domains: flashpaq.com ([www] http in Trusted sites)
O15 - HKCU\..Trusted Domains: microsoft.com ([*.update] https in Trusted sites)
O15 - HKCU\..Trusted Domains: microsoft.com ([update] http in Trusted sites)
O15 - HKCU\..Trusted Domains: windowsupdate.com ([download] http in Trusted sites)
O15 - HKCU\..Trusted Domains: 3 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://www.pcpitstop...t/PCPitStop.CAB (PCPitstop Utility)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://photo.walgree...eensActivia.cab (Snapfish Activia)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1135802222035 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1135802445551 (MUWebControl Class)
O16 - DPF: {77538FC7-CE52-4704-9865-494FE92BC320} http://www.ultimateb...o/launchubo.OCX (LaunchUBO.Ulit)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} http://driveragent.c...driveragent.cab (Driver Agent ActiveX Control)
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} http://utilities.pcp.../pcpitstop2.dll (PCPitstop Exam)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\system32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\system32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O29 - HKLM SecurityProviders - ( digeste.dll) - File not found
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - Autorun File - C:\AUTOEXEC.BAT () - [ NTFS ]
O32 - Autorun File - D:\AUTOEXEC.BAT () - [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found

========== Files/Folders - Created Within 30 Days ==========

[3 C:\WINDOWS\*.tmp files]
[2009/03/30 17:22:10 | 00,000,000 | ---D | C] -- C:\DOCUME~1\Owner\Desktop\Worm
[2009/03/30 17:20:51 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009/03/30 17:09:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2009/03/30 17:09:32 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/03/30 17:09:32 | 00,000,707 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/03/30 17:09:29 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/03/30 17:09:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/03/30 17:09:27 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/03/30 17:06:23 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/03/30 17:05:54 | 00,000,622 | ---- | C] () -- C:\DOCUME~1\Owner\Desktop\NTREGOPT.lnk
[2009/03/30 17:05:53 | 00,000,603 | ---- | C] () -- C:\DOCUME~1\Owner\Desktop\ERUNT.lnk
[2009/03/30 17:05:47 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/03/30 13:29:27 | 79,648,7680 | -HS- | C] () -- C:\hiberfil.sys
[2009/03/25 16:53:58 | 00,042,635 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\order_history.pdf
[2009/03/23 20:23:59 | 00,011,864 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\zoo trip.odt
[2009/03/21 18:11:47 | 00,000,000 | -H-D | C] -- C:\$AVG8.VAULT$
[2009/03/21 14:22:28 | 00,001,518 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\AVG 8.5.lnk
[2009/03/21 14:22:27 | 00,107,912 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/03/21 14:22:27 | 00,012,552 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgrkx86.sys
[2009/03/21 14:22:27 | 00,010,520 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/03/21 14:22:26 | 00,325,640 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/03/21 14:22:21 | 34,583,408 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/03/21 14:22:21 | 06,061,540 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/03/21 14:22:21 | 00,401,372 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/03/21 14:22:21 | 00,008,322 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/03/21 14:22:21 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\Avg
[2009/03/21 14:22:05 | 00,000,000 | ---D | C] -- C:\Program Files\AVG
[2009/03/21 14:22:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg8
[2009/03/12 20:28:32 | 00,283,497 | ---- | C] () -- C:\DOCUME~1\Owner\Desktop\jrg_bk1_lesson7.pdf
[2009/03/08 17:31:41 | 00,005,632 | -HS- | C] () -- C:\Thumbs.db
[2009/03/07 20:43:07 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google
[2009/03/07 20:41:55 | 00,001,773 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Google SketchUp 7.lnk
[2009/03/02 10:50:41 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\WinZip
[2009/03/02 10:49:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2009/03/01 01:00:56 | 00,000,672 | ---- | C] () -- C:\DOCUME~1\Owner\Desktop\IM Lock.lnk
[2009/03/01 01:00:55 | 00,039,672 | ---- | C] () -- C:\WINDOWS\System32\tnblf.exe
[2009/03/01 01:00:55 | 00,000,640 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\IML.lnk
[2009/03/01 01:00:53 | 01,067,016 | ---- | C] (Comvigo, Inc.) -- C:\WINDOWS\System32\imlock.exe
[2009/03/01 00:57:16 | 00,000,000 | ---D | C] -- C:\DOCUME~1\Owner\Desktop\Downloads

========== Files - Modified Within 30 Days ==========

[13 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[1 C:\Documents and Settings\Owner\My Documents\*.tmp files]
[2009/03/30 17:09:32 | 00,000,707 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/03/30 17:05:54 | 00,000,622 | ---- | M] () -- C:\DOCUME~1\Owner\Desktop\NTREGOPT.lnk
[2009/03/30 17:05:53 | 00,000,603 | ---- | M] () -- C:\DOCUME~1\Owner\Desktop\ERUNT.lnk
[2009/03/30 13:32:08 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/03/30 13:30:55 | 00,182,276 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/03/30 13:29:46 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/03/30 13:29:34 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/03/30 13:29:27 | 79,648,7680 | -HS- | M] () -- C:\hiberfil.sys
[2009/03/30 13:21:33 | 00,003,840 | ---- | M] () -- C:\WINDOWS\System32\drivers\fwdrv.err
[2009/03/30 12:55:19 | 01,381,776 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2009/03/30 10:21:50 | 00,466,934 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/03/30 10:21:50 | 00,399,232 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/03/30 10:21:50 | 00,060,656 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/03/30 10:14:23 | 00,000,488 | ---- | M] () -- C:\hpfr5550.xml
[2009/03/30 08:41:15 | 00,009,216 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/29 16:45:58 | 34,583,408 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/03/29 16:30:46 | 00,008,716 | ---- | M] () -- C:\WINDOWS\System32\winiml.dat
[2009/03/29 16:30:46 | 00,008,716 | ---- | M] () -- C:\WINDOWS\System32\iml.xml
[2009/03/28 22:38:24 | 00,107,912 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/03/28 22:38:24 | 00,008,322 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/03/26 16:49:56 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/03/26 16:49:50 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/03/25 16:54:00 | 00,042,635 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\order_history.pdf
[2009/03/24 19:28:18 | 00,011,864 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\zoo trip.odt
[2009/03/23 15:22:45 | 00,000,028 | ---- | M] () -- C:\WINDOWS\MotionSDSTUDIO.INI
[2009/03/21 14:22:28 | 00,001,518 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\AVG 8.5.lnk
[2009/03/21 14:22:27 | 00,012,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgrkx86.sys
[2009/03/21 14:22:27 | 00,010,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/03/21 14:22:26 | 00,325,640 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/03/21 14:22:26 | 00,027,656 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/03/21 14:22:21 | 06,061,540 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/03/21 14:22:21 | 00,401,372 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/03/21 13:47:13 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/03/21 10:01:34 | 00,002,137 | ---- | M] () -- C:\DOCUME~1\Owner\Desktop\iTunes.lnk
[2009/03/12 20:28:32 | 00,283,497 | ---- | M] () -- C:\DOCUME~1\Owner\Desktop\jrg_bk1_lesson7.pdf
[2009/03/12 18:35:48 | 00,000,870 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/03/12 08:56:41 | 00,261,432 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/03/11 22:29:43 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/03/08 17:31:45 | 00,007,168 | -HS- | M] () -- C:\WINDOWS\Thumbs.db
[2009/03/08 17:31:43 | 00,005,632 | -HS- | M] () -- C:\Thumbs.db
[2009/03/07 20:41:55 | 00,001,773 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Google SketchUp 7.lnk
[2009/03/02 10:50:30 | 00,001,743 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\WinZip.lnk
[2009/03/01 01:00:56 | 00,000,672 | ---- | M] () -- C:\DOCUME~1\Owner\Desktop\IM Lock.lnk
[2009/03/01 01:00:55 | 00,039,672 | ---- | M] () -- C:\WINDOWS\System32\tnblf.exe
[2009/03/01 01:00:55 | 00,000,640 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\IML.lnk

========== Alternate Data Streams ==========

@Alternate Data Stream - 232 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A505A878
@Alternate Data Stream - 163 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:66E02052
@Alternate Data Stream - 161 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
< End of report >


Extras Log:

OTListIt Extras logfile created on: 3/30/2009 5:37:52 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.7.2 Folder = C:\Documents and Settings\Owner\Desktop\Worm
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

759.52 Mb Total Physical Memory | 394.78 Mb Available Physical Memory | 51.98% Memory free
1.82 Gb Paging File | 1.45 Gb Available in Paging File | 79.78% Paging File free
Paging file location(s): C:\pagefile.sys 1140 2280;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 106.76 Gb Total Space | 42.55 Gb Free Space | 39.85% Space Free | Partition Type: NTFS
Drive D: | 5.02 Gb Total Space | 1.18 Gb Free Space | 23.50% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
Drive F: | 50.86 Gb Total Space | 45.90 Gb Free Space | 90.25% Space Free | Partition Type: NTFS
Drive G: | 5.02 Gb Total Space | 5.02 Gb Free Space | 100.00% Space Free | Partition Type: FAT32
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OFFICE
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] --

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 ()
%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
C:\Program Files\AdSubtract\adsub.exe:*:Enabled:AdSubtract PRO File not found
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe:*:Enabled:Sunbelt Kerio Personal Firewall 4 - GUI (Sunbelt Software)
C:\Documents and Settings\Owner\Local Settings\Temp\~os60.tmp\ossproxy.exe:*:Enabled:ossproxy.exe File not found
C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 ()
%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 (Microsoft Corporation)
C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader (AOL LLC)
C:\Program Files\NETAMIN\UBO_2007\game\ubo.exe:*:Enabled:UBOnline (Netamin Communication)
C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM (AOL LLC)
C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour (Apple Inc.)
C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes (Apple Inc.)
C:\Program Files\AVG\AVG8\avgam.exe:*:Enabled:avgam.exe (AVG Technologies CZ, s.r.o.)
C:\Program Files\AVG\AVG8\avgdiag.exe:*:Enabled:avgdiag.exe (AVG Technologies CZ, s.r.o.)
C:\Program Files\AVG\AVG8\avgdiagex.exe:*:Enabled:avgdiagex.exe (AVG Technologies CZ, s.r.o.)
C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe (AVG Technologies CZ, s.r.o.)
C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe (AVG Technologies CZ, s.r.o.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0076E1AC-9E7B-4B9F-A62A-4CC9511AD8E3}" = Zune Language Pack (FR)
"{07241C26-FE77-48C7-B4A4-598C2C68DEE0}" = Jamorama Maestro Bonus Tools
"{0749256F-E98D-4EF1-A15B-AED26BCC1DC8}" = Sonic DVD for Photo Story 3 for Windows
"{0AD84416-63A4-4CF3-BDDF-8FA866711FB0}" = Civilization III
"{0E70CFA6-93E3-453F-B47C-855196C2589E}" = Logitech Harmony Remote Software 7
"{121634B0-2F4A-11D3-ADA3-00C04F52DD53}" = Windows Installer Clean Up
"{14C76057-E495-47E1-BDF0-1A1CC1752ADF}" = ExtraPutty 0.22
"{1B6966AB-F2B4-439A-8B8E-437E9E8B298A}" = Baseball Mogul 2007
"{1EEE2A9F-6471-42fa-8923-E8879168CE26}" = HP Photo and Imaging 1.1 - Photosmart Cameras
"{29D88826-2AB9-11D5-8854-00902761A46D}" = WordPerfect Productivity Pack
"{2B4F75A0-EFB1-46DF-9F8B-115E73DAB3CF}" =
"{2CA80D1B-4931-445E-A07E-422F5E0D9C49}" = Jamorama Maestro
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{34D6EED8-7650-4E1C-BC26-F5B2DDE185C6}" = OverDrive Media Console
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3580211E-3BB7-42C0-ADC3-9A8C1EFFF2CB}" = ArcSoft Media Card Companion
"{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}" = McAfee SiteAdvisor
"{3D374523-CFDE-461A-827E-2A102E2AB365}" = Star Wars Battlefront II
"{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}" = Google Earth
"{4F41AD68-89F2-4262-A32C-2F70B01FCE9E}" = Photo Story 3 for Windows
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{58A8E2AC-7223-4F43-881E-5ED8BD2477AB}" = UBO 2007 Edition
"{5C6F884D-680C-448B-B4C9-22296EE1B206}" = Logitech Harmony Remote Software 7
"{621C02EA-AAFF-4026-A903-165D59529A16}" = Driver Detective
"{64E8AED8-A461-4CC5-92AF-5B6EF867A911}" = SuperchipsUpdate
"{68092110-6F47-47F8-B8F5-FEC7C3E47976}" = Flashpaq Tune-Up
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}" = HP Photo and Imaging 2.0 - All-in-One Drivers
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7C4196CA-CA41-4F34-9C08-7724E7705D52}" = Jasc Animation Shop 3
"{8214CC02-6271-4DC8-B8DD-779933450264}" = RecordNow
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour
"{8A68FB84-06D1-45e3-8C61-A6FD34663592}" = MP3 Remix Player Standalone
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver
"{8AB8D458-939E-403F-0097-9BA1C1F013D5}" = The Sims 2
"{8DC42D05-680B-41B0-8878-6C14D24602DB}" = QuickTime
"{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}" = Napster Burn Engine
"{93539D60-1817-11D1-9504-00805F26A89C}" = Easy Access Button Support
"{93F599DF-519B-4706-A3F1-9530DF2590B4}" = ArcSoft PhotoImpression 5
"{93FB47FB-4FDF-4131-B5FD-7A37883868E7}" = hp psc 2170 series
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{976C2B2A-CE59-4AB3-83FB-BF895E28F2E6}" = Apple Mobile Device Support
"{9867A917-5D17-40DE-83BA-BEA5293194B1}" = HP Photo and Imaging 2.0 - All-in-One
"{987AE1EA-9AF0-484D-A0F9-11A2E0EB4AA0}" = OpenOffice.org 2.0
"{9B26CF0A-EE65-4379-B2D4-6E6AABE06498}" = Paint.NET v2.6
"{A990EAA7-8941-4621-BC27-4F16261D3180}" = Sunbelt Kerio Personal Firewall
"{AA47D951-588B-48A5-8183-21C44B1EA6EA}" = VRWriter4
"{AC76BA86-1033-0000-BA7E-100000000002}" = Adobe Acrobat 7.0 Standard
"{AC76BA86-7AD7-1033-7B44-A70900000002}" = Adobe Reader 7.0.9
"{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}" = REALTEK GbE & FE Ethernet PCI NIC Driver
"{B279B0DA-6F60-4FBD-9847-0C9AB79A3674}" = PigPen
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{B8F19DA6-0BCD-48FC-9998-C6ACEAEEDEFE}" = Photo Explosion Deluxe
"{B90E85EB-B7C9-44F7-8CAA-935BC628F6ED}" = Drive Manager
"{BBBCAE4B-B416-4182-A6F2-438180894A81}" = Napster
"{BE3A3126-D6B4-4FCE-8FD6-E33C49B4282D}" = PMP DV
"{C1939820-A945-11D4-86F6-0001031E5712}" = InterVideo WinDVD
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B7}" = WinZip 12.0
"{CDCBF62D-8E74-44A5-91AD-44AB4C2EFD89}" = InterVideo FilterSDK for Panasonic
"{D18A31C8-585E-46C3-9CC9-11933DFDC5F1}" =
"{DDDE0BE3-0CBE-4BF6-B75A-E3F69C947843}" = iTunes
"{DE114695-AE58-4B66-8E0F-2505188602FB}_is1" = Uninstall Startup Inspector
"{DFAE9340-E8BB-4433-9A08-C8334DAFE1B9}" = Star Wars Republic Commando
"{E045A5E3-0FC6-4AC2-BBE3-C49D68BA54DA}" = MotionSD STUDIO 1.3E
"{E1423608-F529-40A1-93CA-C7F396F30DF0}" = Google SketchUp
"{E5BD1F9C-8BBA-410E-837D-94D523269F8F}" = ArcSoft MediaConverter
"{E5D52570-5EF1-4576-A434-6CCD92268F0F}" = Google SketchUp 7
"{E62C706B-1352-4DCA-B4D4-81C24750B70F}" = Detto IntelliMover Demo
"{EBC91840-41E1-4CC3-AC11-0B889546223C}" = Microsoft IntelliPoint 5.5
"{EE4ACABF-531E-419A-9225-B8E0FA4955AF}" = Zune Language Pack (ES)
"{F7A4D9BE-D989-45B9-BB49-2C0EA34B9991}" = Kublox
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FF384BDE-429B-45AD-A0C6-E593393D9D1C}" = HP Memories Disc
"{FF70513F-E3A7-402F-84FB-B7810A064BE2}" = Zune
"693218053459EBF14C6505EA1172F17672B50DD1" = Windows Driver Package - (mr7910) Image (08/08/2006 1.4.0.0)
"741061E49314785336CEAF4196481C7E3909482D" = Windows Driver Package - Superchips (FTD2XX) USB (12/01/2005 3.01.02)
"9E7CC5B61905F067350816919F53936B5087164B" = Windows Driver Package - Superchips (FTD2XX) USB (12/01/2005 3.01.02)
"Ad-Aware SE Personal" = Ad-Aware SE Personal
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Acrobat 7.0 Standard - V" = Adobe Acrobat 7.0 Standard
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"AIM_6" = AIM 6
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.3
"AOL Diagnostics_N" =
"AOLOCP_Y" =
"ArcSoft Software Suite" = ArcSoft Software Suite
"Audacity_is1" = Audacity 1.2.6
"AudibleManager" = AudibleManager
"Auto Photo Editor 3.3_is1" = Auto Photo Editor 3.3
"AVG8Uninstall" = AVG 8.5
"BackWeb-137903 Uninstaller" = hp center
"Big Fish Games Texas Hold `em" = Big Fish Games Texas Hold `em (remove only)
"Connection Manager" =
"Cucusoft YouTube Mate (Downloader+Player+Converter)_is1" = Cucusoft YouTube Mate 7.12
"Dan Elwell's Broadband Speed Test_is1" = Dan Elwell's Broadband Speed Test
"E7E5BE06A7D59D8FAAAE05F5712A10D09AE0F096" = Windows Driver Package - FTDI (FTD2XX) USB (12/01/2005 3.01.02)
"ERUNT_is1" = ERUNT 1.1j
"Finale NotePad 2003a" = Finale NotePad 2003a
"FMS" = FMS
"Freeciv-gtk2-2.0.8_is1" = Freeciv 2.0.8 (GTK+ client)
"FTD2XX" = FTDI FTD2XX USB Drivers
"HP Instant Support" = hp instant support
"HP PSC 2170 Series" = HP Photo and Imaging 2.0 - hp psc 2170 series
"HPTOOLKIT" = hp toolkit
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"Imj32.exe" = Interactive Math Journey
"InstallShield Uninstall Information" =
"InstallShield_{621C02EA-AAFF-4026-A903-165D59529A16}" = Driver Detective
"InstallShield_{9233F6E2-952D-48C5-A0A2-FA6AEEFA8194}" = Logitech Harmony Remote Client
"InstallShield_{B90E85EB-B7C9-44F7-8CAA-935BC628F6ED}" = Drive Manager
"Kid Pix Studio Deluxe 1.0" = Kid Pix Studio Deluxe
"Kudos" = Kudos (remove only)
"LiveReg" = LiveReg (Symantec Corporation)
"LiveUpdate1.7" = LiveUpdate 1.7 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft Interactive Training" =
"Mozilla Firefox (3.0.8)" = Mozilla Firefox (3.0.8)
"Mozilla Thunderbird (2.0.0.21)" = Mozilla Thunderbird (2.0.0.21)
"MSB Dino" = Magic School Bus - Dinosaurs
"MSI30a-KB884016" =
"MSI30-Beta1" =
"MSI30-Beta2" =
"MSI30-KB884016" =
"MSI30-RC1" =
"MSI30-RC2" =
"MSI31-Beta" =
"MSI31-RC1" =
"MSN Music Assistant" = MSN Music Assistant
"MUSICMATCH Jukebox" = MUSICMATCH Jukebox
"MyCD.exe" =
"MyWebSearch bar Uninstall" = My Web Search (Zwinky)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NoteBurner_is1" = NoteBurner 2.25
"NVIDIA Drivers" = NVIDIA Drivers
"Parent Tools for AIM_is1" = PT32
"PC Pitstop Erase_is1" = PC Pitstop Erase 1.1
"PC Pitstop Optimize_is1" = PC Pitstop Optimize 1.5
"PC Pitstop Optimize2_is1" = PC Pitstop Optimize2 2.0
"PCDoctor" = PC-Doctor for Windows
"PCHealth" =
"Photo Viewer" = Photo Viewer 2.24
"PrintMaster 8.0" = PrintMaster® Platinum 8.0
"PS2" = PS2
"Python 2.2 combined Win32 extensions" = Python 2.2 combined Win32 extensions
"Python 2.2.1" = Python 2.2.1
"Quicken WillMaker Plus 2006" = Quicken WillMaker Plus 2006
"Registry Mechanic_is1" = Registry Mechanic 7.0
"ResChanger 20051.0" = ResChanger 2005
"S3Display" = S3Display
"S3Gamma2" = S3Gamma2
"S3Info2" = S3Info2
"S3Overlay" = S3Overlay
"Santa Writing Pad Wallpaper" = Santa Writing Pad Wallpaper
"SecondLife" = SecondLife (remove only)
"Serif DrawPlus 3.0" = Serif DrawPlus 3.0
"Shining Stars Wallpaper" = Shining Stars Wallpaper
"SpeedFan" = SpeedFan (remove only)
"SystemRequirementsLab" = System Requirements Lab
"tv_enua" = Lernout & Hauspie TruVoice American English TTS Engine
"Typing Tutor 7" = Typing Tutor 7
"ViewpointMediaPlayer" = Viewpoint Media Player
"Wdf01000" =
"Wdf01001" =
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"WebPost" = Microsoft Web Publishing Wizard 1.52
"WebSTAR DPX2100 Uninstall" = Scientific Atlanta WebSTAR 2000 series Cable Modem
"WildTangent CDA" = WildTangent Web Driver
"WildTangentDDC" = WildTangent Channel Manager
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 2
"WinSPMBT" = WinSPMBT
"WinSPWW2v1 DL Edition" = WinSPWW2v1 DL Edition
"winusb0100" = Microsoft WinUsb 1.0
"WMFDist11" = Windows Media Format 11 runtime
"WordPerfect Productivity Pack" = WordPerfect Productivity Pack
"Wudf01007" = Microsoft User-Mode Driver Framework Feature Pack 1.7
"Xilisoft Download YouTube Video" = Xilisoft Download YouTube Video
"Zune" = Zune

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/28/2009 11:27:58 PM | Computer Name = OFFICE | Source = Application Error | ID = 1000
Description = Faulting application avgnsx.exe, version 8.5.0.268, faulting module
unknown, version 0.0.0.0, fault address 0x10001e39.

Error - 3/28/2009 11:28:27 PM | Computer Name = OFFICE | Source = Application Error | ID = 1001
Description = Fault bucket 1204660312.

Error - 3/29/2009 9:09:52 AM | Computer Name = OFFICE | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.2180, faulting
module unknown, version 0.0.0.0, fault address 0x10001e39.

Error - 3/30/2009 4:42:20 PM | Computer Name = OFFICE | Source = Application Error | ID = 1000
Description = Faulting application thunderbird.exe, version 1.8.20090.30215, faulting
module unknown, version 0.0.0.0, fault address 0x10001e39.

Error - 3/30/2009 6:09:52 PM | Computer Name = OFFICE | Source = Application Error | ID = 1000
Description = Faulting application mbam.exe, version 1.35.0.0, faulting module unknown,
version 0.0.0.0, fault address 0x18011e39.

Error - 3/30/2009 6:09:57 PM | Computer Name = OFFICE | Source = Application Error | ID = 1001
Description = Fault bucket 1205867071.

Error - 3/30/2009 6:19:42 PM | Computer Name = OFFICE | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3372, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 3/30/2009 6:19:50 PM | Computer Name = OFFICE | Source = Application Hang | ID = 1001
Description = Fault bucket 1203592333.

Error - 3/30/2009 6:34:22 PM | Computer Name = OFFICE | Source = Application Hang | ID = 1002
Description = Hanging application OTListIt2.exe, version 2.0.7.2, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 3/30/2009 6:37:21 PM | Computer Name = OFFICE | Source = Application Hang | ID = 1002
Description = Hanging application OTListIt2.exe, version 0.0.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 3/30/2009 2:23:25 PM | Computer Name = OFFICE | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD Networking Support
Environment service which failed to start because of the following error: %%31

Error - 3/30/2009 2:23:25 PM | Computer Name = OFFICE | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 3/30/2009 2:23:25 PM | Computer Name = OFFICE | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD AvgLdx86 AvgMfx86 AvgTdiX Fips intelppm IPSec khips MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip

Error - 3/30/2009 2:28:40 PM | Computer Name = OFFICE | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 3/30/2009 2:31:34 PM | Computer Name = OFFICE | Source = Service Control Manager | ID = 7001
Description = The Universal Plug and Play Device Host service depends on the SSDP
Discovery Service service which failed to start because of the following error:
%%1058

Error - 3/30/2009 2:31:34 PM | Computer Name = OFFICE | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the AVG8 E-mail Scanner service
to connect.

Error - 3/30/2009 2:31:34 PM | Computer Name = OFFICE | Source = Service Control Manager | ID = 7000
Description = The AVG8 E-mail Scanner service failed to start due to the following
error: %%1053

Error - 3/30/2009 2:35:48 PM | Computer Name = OFFICE | Source = Service Control Manager | ID = 7034
Description = The TCP/IP NetBIOS Helper service terminated unexpectedly. It has
done this 1 time(s).

Error - 3/30/2009 2:35:48 PM | Computer Name = OFFICE | Source = Service Control Manager | ID = 7034
Description = The WebClient service terminated unexpectedly. It has done this 1
time(s).

Error - 3/30/2009 2:35:54 PM | Computer Name = OFFICE | Source = Service Control Manager | ID = 7034
Description = The Application Layer Gateway Service service terminated unexpectedly.
It has done this 1 time(s).


< End of report >
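A log like the one above can be screened mechanically before a helper reads it line by line. The script below is an added example for this thread, not code from OTListIt, ComboFix or either poster: it takes OTL-style lines, flags the entries a responder would want explained (an unfamiliar SecurityProviders DLL, firewall exceptions for programs in a Temp folder or no longer on disk, Security Center overrides, a disabled firewall profile, alternate data streams, and the Event ID 7026 driver list when it names the TCP/IP stack) and ranks them. The sample lines are copied from the log above; the severity rules, the list of network-stack driver names, the whitelisted defaults and the `Finding`, `classify` and `triage` names are this example's own assumptions.

```python
"""Triage an OTListIt (OTL) log for persistence and defence-tampering indicators.

Added example for this thread; it is not code from OTListIt, ComboFix or any
tool named in the posts.  The sample lines below are copied from the log posted
above; the severity rules, the driver list and the 'known default' values are
this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Values Windows XP ships with; seeing them is expected, not an indicator.
DEFAULT_BOOTEXECUTE = "autocheck autochk *"   # 'autocheck' is not a file, so a File-not-found note here is expected
DEFAULT_SAFEBOOT_SHELL = "cmd.exe"
# Boot-start drivers the TCP/IP stack depends on (assumed list for XP); if these
# fail to load, no program on the box can reach the network.
NETWORK_STACK_DRIVERS = {"AFD", "Tcpip", "NetBT", "NetBIOS", "IPSec", "MRxSmb", "Rdbss", "RasAcd"}


@dataclass
class Finding:
    severity: str   # "high" | "medium" | "low"
    reason: str
    line: str


_O29 = re.compile(r"^O29 - HKLM SecurityProviders - \(\s*(?P<dll>[^)]+)\) - (?P<status>.*)$")
_O31 = re.compile(r"^O31 - SafeBoot: AlternateShell - (?P<shell>.+)$")
_O34 = re.compile(r"^O34 - HKLM BootExecute: \((?P<cmd>[^)]*)\) - (?P<status>.*)$")
_FWAPP = re.compile(r"^(?P<path>(?:[A-Za-z]:|%\w+%)[^:]*?\.exe):\*:(?P<state>\w+):(?P<desc>.*)$")
_DWORD = re.compile(r'^"(?P<name>[A-Za-z]+)" = (?P<val>\d+)$')
_ADS = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$")


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if the line is unremarkable."""
    line = line.strip()
    if m := _O29.match(line):
        # SecurityProviders names SSPI DLLs that get loaded system-wide; anything
        # beyond the Microsoft defaults needs explaining, and 'File not found'
        # usually means a scanner removed the DLL but left the registry value.
        return Finding("high", f"SecurityProviders loads {m['dll'].strip()} ({m['status']})", line)
    if m := _O31.match(line):
        if m["shell"].strip().lower() == DEFAULT_SAFEBOOT_SHELL:
            return None
        return Finding("high", f"Safe Mode shell changed to {m['shell']}", line)
    if m := _O34.match(line):
        if m["cmd"].strip() == DEFAULT_BOOTEXECUTE:
            return None
        return Finding("high", f"non-default BootExecute: {m['cmd']}", line)
    if m := _FWAPP.match(line):
        # A firewall exception for a program in a Temp folder is the classic
        # self-exemption a dropper adds; a stale exception is worth cleaning up.
        if re.search(r"\\temp\\", m["path"], re.IGNORECASE):
            return Finding("high", "firewall exception for an executable under a Temp folder", line)
        if m["desc"].endswith("File not found"):
            return Finding("medium", "firewall exception for a program no longer on disk", line)
        return None
    if m := _DWORD.match(line):
        name, val = m["name"], int(m["val"])
        if name in ("AntiVirusOverride", "FirewallOverride") and val == 1:
            return Finding("medium", f"Security Center alerts suppressed by {name}=1", line)
        if name == "EnableFirewall" and val == 0:
            return Finding("medium", "Windows Firewall disabled for this profile", line)
        return None
    if m := _ADS.match(line):
        return Finding("low", f"{m['size']}-byte alternate data stream on {m['path']}", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Classify every line, pairing the two-line Event ID 7026 record whose
    second line lists the boot-start drivers that failed to load."""
    findings: List[Finding] = []
    expect_driver_list = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if expect_driver_list:
            expect_driver_list = False
            failed = sorted(set(line.split()) & NETWORK_STACK_DRIVERS)
            if failed:
                findings.append(Finding("high", "network-stack drivers failed to load: " + " ".join(failed), line))
            continue
        if line.endswith("driver(s) failed to load:"):
            expect_driver_list = True
            continue
        if (f := classify(line)) is not None:
            findings.append(f)
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: rank[f.severity])   # stable: log order within a severity


# Constructed sample: lines copied from the OTListIt log posted above.
SAMPLE_LOG = r"""
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O29 - HKLM SecurityProviders - ( digeste.dll) - File not found
O31 - SafeBoot: AlternateShell - cmd.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"EnableFirewall" = 0
C:\Program Files\AdSubtract\adsub.exe:*:Enabled:AdSubtract PRO File not found
C:\Documents and Settings\Owner\Local Settings\Temp\~os60.tmp\ossproxy.exe:*:Enabled:ossproxy.exe File not found
%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 (Microsoft Corporation)
@Alternate Data Stream - 232 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A505A878
Description = The following boot-start or system-start driver(s) failed to load:
AFD AvgLdx86 AvgMfx86 AvgTdiX Fips intelppm IPSec khips MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run it as a script to print the ranked findings, or import `triage` and feed it a whole OTL.txt. The two defaults it whitelists (`autocheck autochk *` for BootExecute and `cmd.exe` for the Safe Mode shell) are what XP ships with, so those lines in the log above are not by themselves a sign of tampering; the failed TCP/IP-stack drivers in the 7026 event, on the other hand, are enough on their own to explain an update server being "unreachable".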

#2 Jimmy2012 (Trusted Helper, Retired Staff, 6,238 posts)
Hello oze and welcome to Geeks to go. :)
Sorry about the delay.



Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#3 oze (Topic Starter, Member, 44 posts)
Hi and thanks for getting back. I should note that the computer had gotten into such a bad state, that I could not even access the AVG console--I decided to run ComboFix anyway, because, really, how much worse could things get? Anyway...

God bless you and whoever wrote ComboFix! I've attached the log output, but I'm here to tell you that, already, cmd and regedit work--I'll try AVG and Firefox soon. I can't find much on the two files that ComboFix deleted (rfgm.xdn and wiaserviv.log), nor how/from where we were infected, but from what little I did find, I think the teenager has some 'splainin' to do! Thanks, and please let me know if there is anything further I need to do.

ComboFix 09-04-03.01 - Owner 2009-04-04 10:43:18.1 - NTFSx86
Running from: c:\documents and settings\Owner\Desktop\Malware\ComboFix.exe
AV: AVG Anti-Virus *On-access scanning enabled* (Updated)
FW: Kerio Personal Firewall *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\rfgm.xdn
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2009-03-04 to 2009-04-04 )))))))))))))))))))))))))))))))
.

2009-04-01 09:43 . 2009-04-01 09:46 <DIR> d-------- c:\program files\Windows Live Safety Center
2009-03-31 21:37 . 2009-03-31 21:37 <DIR> d-------- c:\documents and settings\Owner\DoctorWeb
2009-03-31 15:20 . 2009-03-31 15:20 <DIR> d-------- C:\VundoFix Backups
2009-03-30 17:20 . 2009-03-31 16:36 <DIR> d-------- C:\Rooter$
2009-03-30 17:09 . 2009-03-30 17:09 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-30 17:09 . 2009-03-30 17:09 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-03-30 17:09 . 2009-03-30 17:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-30 17:09 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-30 17:09 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-30 17:05 . 2009-03-30 17:06 <DIR> d-------- c:\program files\ERUNT
2009-03-21 18:11 . 2009-04-01 18:46 <DIR> d--h----- C:\$AVG8.VAULT$
2009-03-21 14:22 . 2009-04-04 10:56 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-03-21 14:22 . 2009-03-21 14:22 <DIR> d-------- c:\program files\AVG
2009-03-21 14:22 . 2009-03-28 22:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-21 14:22 . 2009-03-21 14:22 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-03-21 14:22 . 2009-03-31 09:13 108,552 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-03-21 14:22 . 2009-03-21 14:22 12,552 --a------ c:\windows\system32\drivers\avgrkx86.sys
2009-03-21 14:22 . 2009-03-21 14:22 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-03-08 17:31 . 2009-03-08 17:31 5,632 --ahs---- C:\Thumbs.db

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-04 15:53 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-03 16:43 --------- d-----w c:\documents and settings\Owner\Application Data\wsInspector
2009-04-03 14:59 --------- d-----w c:\program files\Mozilla Thunderbird
2009-04-03 13:50 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-04-01 01:49 --------- d-----w c:\program files\SUPERAntiSpyware
2009-04-01 01:49 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-01 01:49 --------- d-----w c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-03-31 16:10 4,005 -c--a-w c:\windows\system32\drivers\fwdrv.err
2009-03-31 15:12 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-31 15:12 --------- d-----w c:\program files\Napster
2009-03-31 15:12 --------- d-----w c:\documents and settings\All Users\Application Data\Napster
2009-03-31 15:05 --------- d-----w c:\program files\Apple Software Update
2009-03-31 12:12 --------- d-----w c:\documents and settings\Owner\Application Data\OpenOffice.org2
2009-03-21 13:12 31 ----a-w c:\documents and settings\Owner\jagex_runescape_preferences.dat
2009-03-19 01:19 --------- d-----w c:\program files\McAfee
2009-03-08 01:41 --------- d-----w c:\program files\Google
2009-03-02 15:51 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip
2009-03-01 06:00 39,672 ----a-w c:\windows\system32\tnblf.exe
2009-02-26 13:12 169,992 ----a-w c:\windows\system32\qimlsrv.exe
2009-02-26 13:12 1,067,016 ----a-w c:\windows\system32\imlock.exe
2009-02-14 02:12 --------- d-----w c:\program files\PCPitstop
2009-02-14 01:59 --------- d-----w c:\documents and settings\All Users\Application Data\PCPitstop
2009-02-09 10:19 1,846,272 ----a-w c:\windows\system32\win32k.sys
2009-01-18 11:32 75,784 ----a-w c:\windows\system32\dsrviml.exe
2009-01-18 11:32 4,164 ----a-w c:\windows\system32\iml.vbs
2006-05-04 02:52 34 -c--a-w c:\documents and settings\Owner\flush.bat
2007-12-12 00:24 2,098 -csha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ptrun32"="c:\windows\system32\ptrun32\ptrun32.exe" [2007-03-27 942080]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-21 1932568]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 c:\windows\system32\narrator.exe]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
AutoPlay.exe [2001-09-17 36864]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
IML.lnk - c:\windows\system32\iml.vbs [2009-01-18 4164]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
IML.lnk - c:\windows\system32\iml.vbs [2009-01-18 4164]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-21 14:22 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.DVSD"= pdvcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
backup=c:\windows\pss\hp psc 2000 Series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Sonic INSTALLit! Setup.lnk]
backup=c:\windows\pss\Sonic INSTALLit! Setup.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV Agent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2004-08-10 09:37 61440 c:\program files\AIM95\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\basicsmssmenu]
--a------ 2007-09-28 16:32 169328 c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 02:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 16:50 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 16:50 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 18:57 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoteBurner]
--a------ 2008-11-28 19:27 5656576 c:\program files\NoteBurner\VTBurnerGUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-16 14:01 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTRUN32]
--a------ 2007-03-27 02:29 942080 c:\windows\system32\ptrun32\ptrun32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
--a------ 2008-11-10 13:23 157312 c:\program files\Zune\ZuneLauncher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sunbelt Software\\Personal Firewall 4\\kpf4gui.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\NETAMIN\\UBO_2007\\game\\ubo.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-03-21 12552]
R0 ntcdrdrv;ntcdrdrv;c:\windows\system32\drivers\ntcdrdrv.sys [2008-11-30 13440]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-21 325640]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-03-21 108552]
R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [2005-12-15 274432]
R1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [2005-12-15 81920]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-03-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-03-23 72944]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-03-21 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-21 298264]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-12-22 210216]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-02-12 24652]
S0 OCDE;ZTekWare Original CD Emulator Service;c:\windows\system32\Drivers\OCDE.sys --> c:\windows\system32\Drivers\OCDE.sys [?]
S3 AdWatchDrv;AW Realtime Driver;\??\c:\windows\system32\drivers\AWRTPD.sys --> c:\windows\system32\drivers\AWRTPD.sys [?]
S3 FTD2XX;Flashpaq FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\drivers\FTD2XX.sys [2008-10-17 34639]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
.
Contents of the 'Scheduled Tasks' folder

2008-05-05 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1202058135.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 18:56]

2002-07-27 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2001-11-19 20:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/home.php
uDefault_Search_URL = hxxp://srch-us6.hpwis.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://srch-us6.hpwis.com/
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;*.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: &Search
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Download with Xilisoft Download YouTube Video - c:\documents and settings\Owner\My Documents\anna\Download YouTube Video\upod_link.HTM
Trusted Zone: flashpaq.com\www
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: windowsupdate.com\download
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {77538FC7-CE52-4704-9865-494FE92BC320} - hxxp://www.ultimatebaseballonline.com/myubo/launchubo.OCX
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\1nq9i9mp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.thefoxnation.com/
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npagent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-04 10:58:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1238661117-66767829-436321949-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{01CBDE8A-F9AF-A5A9-BABF-9CDB2AFA071B}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"dbkpdfncpokaphmmejamhdbgeeggaghdjadjcnme"=hex:6a,61,64,67,66,69,65,6c,66,70,
69,64,63,6d,6e,6e,6c,6a,69,6a,00,00
"cbalfdldhkobpabepfjmiadcchbcllicgclman"=hex:6a,61,64,67,63,6b,68,6c,6c,70,70,
69,69,6e,6b,65,66,64,6f,6a,00,00
"abgapkolilekkljdhhhffkgjffclchmlal"=hex:61,61,00,e4
"mafagjamkamfcoeaabjadphefe"=hex:61,61,00,e4

[HKEY_USERS\S-1-5-21-1238661117-66767829-436321949-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{29427567-EF59-35D7-2143-C28A31054DE4}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"dbffgcnlaikickcpepdpibhnfidchhhddkfmicgn"=hex:6a,61,6a,6d,6a,6b,6a,61,66,6c,
6d,65,68,67,70,6c,68,65,65,6e,00,fb
"cblemffeifknabahpmmoabcmboflnogdllcnne"=hex:6a,61,6a,6d,6a,6b,6a,61,6f,6a,66,
64,65,66,6b,6c,69,64,63,6d,00,fb
"iaffgcnlaikickcpep"=hex:61,61,00,00
"halemffeifknabah"=hex:61,61,00,00
"iajgonbglajnijmibf"=hex:61,61,00,00

[HKEY_USERS\S-1-5-21-1238661117-66767829-436321949-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{315F31DD-5C00-6ED6-295F-15228F059615}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"bbeomgdllkdnlbeogklpodkjbjopbljkhcae"=hex:69,61,68,62,61,6a,6c,66,6c,61,6c,6c,
66,66,64,62,61,67,00,00
"abkockfpihjnmpmkonaheejfmfbkconnih"=hex:69,61,68,62,61,6a,6c,66,6c,61,6c,6c,
66,66,64,62,61,67,00,00
"iaeomgdllkdnlbeogk"=hex:61,61,00,00
"hakockfpihjnmpmk"=hex:61,61,00,00
"iaipmhfgbfnfleccab"=hex:61,61,00,00

[HKEY_USERS\S-1-5-21-1238661117-66767829-436321949-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{84D3D8A4-E1FD-6400-190C-91B3D22A5BF4}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"dbkdiomgiikpdamepeacelmacbefjggdgahpndhp"=hex:6a,61,67,6b,6c,63,64,6c,66,6c,
70,6c,63,6a,6c,6a,6c,66,6c,70,00,e1
"cbedkenbajmacakcailphcdpckailldpcipkep"=hex:6a,61,68,6b,62,62,63,62,65,62,67,
65,65,6f,6a,6d,64,6c,63,69,00,e1

[HKEY_USERS\S-1-5-21-1238661117-66767829-436321949-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8CEA33E7-171B-601D-9DE1-2C711984FB98}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"dbbddangefpolmghdahhfchdepaiajfgepkldche"=hex:6a,61,66,63,66,61,6b,6d,6e,6e,
6c,6b,66,65,63,67,70,70,69,66,00,1a
"cbpdbpjkjngliadfnlbcnfjpkfacoglehmdpoa"=hex:6a,61,69,63,61,61,6c,6e,68,6e,68,
6e,65,69,6d,68,65,6b,6d,66,00,1a
"iabddangefpolmghda"=hex:61,61,00,00
"hapdbpjkjngliadf"=hex:61,61,00,00
"iafelbmnhkihobfool"=hex:61,61,00,00
"abfeladkbmkibkledjmbidmpmojablheel"=hex:61,61,00,00
"makeaclpdjjeopnppoafbjamgo"=hex:61,61,00,00
"dbbddangefpolmghdahhfchdockieegbmilneacd"=hex:69,61,6b,63,68,70,61,69,66,66,
61,6f,69,63,6c,61,6c,6b,00,00
"cbpdbpjkjngliadfnlbcnflpedcaajefpkgimk"=hex:69,61,68,63,67,70,68,64,63,67,6e,
68,6f,66,6d,63,69,61,00,00

[HKEY_USERS\S-1-5-21-1238661117-66767829-436321949-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E9907B94-0A2E-A871-0F30-7982615BB869}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"cbibbkeblamnnkhiiabmflafpgbpmhbjpkakjl"=hex:69,61,66,6f,61,6b,65,67,65,6e,69,
65,6d,6b,66,6c,70,62,00,00
"bboadkbigellefaccmmpfbefmadpokoagngo"=hex:69,61,66,6f,61,6b,65,67,65,6e,69,65,
6d,6b,66,6c,70,62,00,00
"iaibbkeblamnnkhiia"=hex:61,61,00,7f
"haoadkbigellefac"=hex:61,61,00,7f
"iaeajjinoamkdfghcc"=hex:61,61,00,7f
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3320)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\program files\Windows Media Player\wmpband.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
c:\windows\system32\wscript.exe
c:\windows\system32\qimlsrv.exe
c:\windows\system32\dsrviml.exe
.
**************************************************************************
.
Completion time: 2009-04-04 11:03:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-04 16:03:43

Pre-Run: 47,782,252,544 bytes free
Post-Run: 47,745,294,336 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

324 --- E O F --- 2009-03-13 03:21:17
  • 0
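The ComboFix log above is long, and the helper's next steps are driven by a handful of lines in it: the IML.lnk startup entries that launch c:\windows\system32\iml.vbs, the Security Center "AntiVirusOverride"/"FirewallOverride" values set to 1 with the Windows Firewall policy at 0, and the processes running straight out of system32 (wscript.exe, qimlsrv.exe, dsrviml.exe). The script below is an added example, not code from this thread, from ComboFix or from Geeks to Go: it parses a constructed excerpt built from lines of the log above and pulls those three buckets out for review. The system32 list is a review bucket rather than a verdict (wscript.exe and nvsvc32.exe are legitimate components); the section headers, bracketed key lines and the "name - target [date size]" entry layout are the only format assumptions it makes.

```python
"""Triage a ComboFix-style log (added example; not code from the thread,
ComboFix or Geeks to Go). One pass collects: startup-folder entries that
launch a script, Security Center overrides plus a disabled Windows Firewall
policy, and processes living directly in system32 (a review list, not a
verdict: wscript.exe is the legitimate Windows Script Host)."""
import re
from typing import Dict, List

# Constructed excerpt assembled from lines of the ComboFix log posted above.
SAMPLE_LOG = r"""
c:\documents and settings\Owner\Start Menu\Programs\Startup\
IML.lnk - c:\windows\system32\iml.vbs [2009-01-18 4164]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
IML.lnk - c:\windows\system32\iml.vbs [2009-01-18 4164]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
AutoPlay.exe [2001-09-17 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscript.exe
c:\windows\system32\qimlsrv.exe
c:\windows\system32\dsrviml.exe
.
**************************************************************************
"""

SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd")
SYSTEM32 = "c:\\windows\\system32\\"
# Matches "IML.lnk - c:\windows\system32\iml.vbs [2009-01-18 4164]"
# and the shorter "AutoPlay.exe [2001-09-17 36864]" form (no " - target").
STARTUP_ENTRY = re.compile(
    r"^(?:(?P<name>.+?)\s+-\s+)?(?P<target>\S.*?)\s+\[\d{4}-\d{2}-\d{2}\s+\d+\]$")
# Matches '"AntiVirusOverride"=dword:00000001'
DWORD_VALUE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')
# Matches '"EnableFirewall"= 0 (0x0)'
FIREWALL_VALUE = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')


def triage(log_text: str) -> Dict[str, List]:
    """Return the three finding lists, in log order."""
    findings: Dict[str, List] = {
        "script_autostarts": [],   # (startup folder, script path)
        "security_overrides": [],  # "Name=value" strings
        "system32_processes": [],  # full paths
    }
    current_folder = None   # startup folder whose entries we are reading
    current_key = ""        # lower-cased registry key most recently seen
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:                    # a blank line ends a startup-folder block
            current_folder = None
            continue
        if "Other Running Processes" in line:
            in_processes = True
            continue
        if in_processes:
            if line.startswith("****"):  # section terminator
                in_processes = False
            elif line.lower().startswith(SYSTEM32) and "\\" not in line[len(SYSTEM32):]:
                findings["system32_processes"].append(line)
            continue
        if line.lower().endswith("\\startup\\"):
            current_folder = line
            continue
        if current_folder:
            m = STARTUP_ENTRY.match(line)
            if m and m.group("target").lower().endswith(SCRIPT_EXTENSIONS):
                findings["script_autostarts"].append((current_folder, m.group("target")))
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line.lower()
            continue
        if current_key.endswith("\\security center]"):
            m = DWORD_VALUE.match(line)
            if m and m.group("name").endswith("Override") and int(m.group("hex"), 16):
                findings["security_overrides"].append(
                    f"{m.group('name')}={int(m.group('hex'), 16)}")
        elif current_key.endswith("firewallpolicy\\standardprofile]"):
            m = FIREWALL_VALUE.match(line)
            if m and int(m.group("val")) == 0:
                findings["security_overrides"].append("EnableFirewall=0")
    return findings


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(bucket, items)
```

Run against the full ComboFix.txt instead of the embedded excerpt, the same parser reports both IML.lnk entries, the two Security Center overrides and the firewall policy, and four system32-resident processes; the two the helper then submits and scripts for removal (dsrviml.exe, qimlsrv.exe) are in that last bucket.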

#4
Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello oze,

already, cmd and regedit work

That's good to hear. :)

I'll try AVG and Firefox soon

Ok, please let me know.
  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    • c:\windows\system32\dsrviml.exe
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\tnblf.exe
c:\windows\system32\qimlsrv.exe

SysRst::

Save this as CFScript.txt, in the same location as ComboFix.exe


[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt. Please post the following reports into your next reply:
  • Combofix.txt
  • VirScan log.

  • 0

#5
oze

    Member

  • Topic Starter
  • Member
  • 44 posts
Thanks again. So far, AVG can now update, and Firefox seems stable. I'm noticing what seems to be strange behavior from explorer--it seems to "flicker" or jump around as the cursor changes from normal to the "wait" hourglass icon. Below is the VirSCAN log--I'll send the next set of logs in the following reply.

VirSCAN.org Scanned Report :
Scanned time : 2009/04/04 15:04:49 (CDT)
Scanner results: 3% Scanner(1/37) found malware!
File Name : dsrviml.exe
File Size : 75784 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : f1a3842adf3315037d6fb3d8e022fb70
SHA1 : eaf4861358d33e371427931742856fb02c9e510b
Online report : http://virscan.org/r...43eab1bcd0.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.32 20090404223124 2009-04-04 4.25 -
AhnLab V3 2009.04.05.00 2009.04.05 2009-04-05 0.72 -
AntiVir 7.9.0.138 7.1.3.13 2009-04-03 1.94 HEUR/Malware
Antiy 2.0.18 20090404.2276042 2009-04-04 0.12 -
Authentium 5.1.1 200904031911 2009-04-03 1.19 -
AVAST! 3.0.1 090404-0 2009-04-04 0.01 -
AVG 7.5.52.442 270.11.41/2041 2009-04-04 1.99 -
BitDefender 7.81008.2828809 7.24606 2009-04-05 2.62 -
CA (VET) 9.0.0.143 31.6.6435 2009-04-04 3.95 -
ClamAV 0.95 9203 2009-04-04 0.02 -
Comodo 3.8 1099 2009-04-04 0.55 -
CP Secure 1.1.0.715 2009.04.04 2009-04-04 7.96 -
Dr.Web 4.44.0.9170 2009.04.04 2009-04-04 4.33 -
F-Prot 4.4.4.56 20090403 2009-04-03 1.11 -
F-Secure 5.51.6100 2009.04.04.01 2009-04-04 0.08 -
Fortinet 2.81-3.117 10.244 2009-04-04 0.19 -
GData 19.4408/19.288 20090404 2009-04-04 5.27 -
ViRobot 20090403 2009.04.03 2009-04-03 0.57 -
Ikarus T3.1.01.49 2009.04.04.72524 2009-04-04 2.90 -
JiangMin 11.0.706 2009.04.03 2009-04-03 2.02 -
Kaspersky 5.5.10 2009.04.04 2009-04-04 0.07 -
KingSoft 2009.2.5.15 2009.4.4.21 2009-04-04 0.57 -
McAfee 5.3.00 5574 2009-04-04 2.70 -
Microsoft 1.4502 2009.04.04 2009-04-04 4.35 -
mks_vir 2.01 2009.04.04 2009-04-04 2.74 -
Norman 6.00.06 6.00.00 2009-04-03 8.01 -
Panda 9.05.01 2009.04.04 2009-04-04 1.83 -
Trend Micro 8.700-1004 5.944.02 2009-04-03 0.03 -
Quick Heal 10.00 2009.04.04 2009-04-04 2.60 -
Rising 20.0 21.23.40.00 2009-04-03 1.07 -
Sophos 2.85.0 4.40 2009-04-05 2.05 -
Sunbelt 5077 5077 2009-04-03 0.60 -
Symantec 1.3.0.24 20090403.004 2009-04-03 0.05 -
nProtect 20090404.01 3419489 2009-04-04 4.20 -
The Hacker 6.3.4.0 v00301 2009-04-03 0.55 -
VBA32 3.12.10.2 20090403.1044 2009-04-03 1.79 -
VirusBuster 4.5.11.10 10.102.33/1210066 2009-04-04 1.53 -
  • 0

#6
oze

    Member

  • Topic Starter
  • Member
  • 44 posts
Here is the ComboFix.txt (the VirScan log is in the previous message). Thanks again!

ComboFix 09-04-04.01 - Owner 2009-04-04 15:23:08.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.760.516 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\Malware\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\Malware\CFScript.txt
AV: AVG Anti-Virus *On-access scanning disabled* (Updated)
FW: Kerio Personal Firewall *enabled*
* Created a new restore point

FILE ::
c:\windows\system32\qimlsrv.exe
c:\windows\system32\tnblf.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\qimlsrv.exe
c:\windows\system32\tnblf.exe
J:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-03-04 to 2009-04-04 )))))))))))))))))))))))))))))))
.

2009-04-01 09:43 . 2009-04-01 09:46 <DIR> d-------- c:\program files\Windows Live Safety Center
2009-03-31 21:37 . 2009-03-31 21:37 <DIR> d-------- c:\documents and settings\Owner\DoctorWeb
2009-03-31 15:20 . 2009-03-31 15:20 <DIR> d-------- C:\VundoFix Backups
2009-03-30 17:20 . 2009-03-31 16:36 <DIR> d-------- C:\Rooter$
2009-03-30 17:09 . 2009-03-30 17:09 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-30 17:09 . 2009-03-30 17:09 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-03-30 17:09 . 2009-03-30 17:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-30 17:09 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-30 17:09 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-30 17:05 . 2009-03-30 17:06 <DIR> d-------- c:\program files\ERUNT
2009-03-21 18:11 . 2009-04-04 12:12 <DIR> d--h----- C:\$AVG8.VAULT$
2009-03-21 14:22 . 2009-04-04 10:56 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-03-21 14:22 . 2009-03-21 14:22 <DIR> d-------- c:\program files\AVG
2009-03-21 14:22 . 2009-03-28 22:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-21 14:22 . 2009-03-21 14:22 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-03-21 14:22 . 2009-03-31 09:13 108,552 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-03-21 14:22 . 2009-03-21 14:22 12,552 --a------ c:\windows\system32\drivers\avgrkx86.sys
2009-03-21 14:22 . 2009-03-21 14:22 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-03-18 20:22 . 2009-03-18 20:22 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\SACore
2009-03-08 17:31 . 2009-03-08 17:31 5,632 --ahs---- C:\Thumbs.db

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-04 16:33 --------- d-----w c:\program files\Mozilla Thunderbird
2009-04-04 16:21 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-03 16:43 --------- d-----w c:\documents and settings\Owner\Application Data\wsInspector
2009-04-03 13:50 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-04-01 01:49 --------- d-----w c:\program files\SUPERAntiSpyware
2009-04-01 01:49 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-01 01:49 --------- d-----w c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-03-31 16:10 4,005 -c--a-w c:\windows\system32\drivers\fwdrv.err
2009-03-31 15:12 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-31 15:12 --------- d-----w c:\program files\Napster
2009-03-31 15:12 --------- d-----w c:\documents and settings\All Users\Application Data\Napster
2009-03-31 15:05 --------- d-----w c:\program files\Apple Software Update
2009-03-31 12:12 --------- d-----w c:\documents and settings\Owner\Application Data\OpenOffice.org2
2009-03-21 13:12 31 ----a-w c:\documents and settings\Owner\jagex_runescape_preferences.dat
2009-03-19 01:19 --------- d-----w c:\program files\McAfee
2009-03-08 01:41 --------- d-----w c:\program files\Google
2009-03-02 15:51 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip
2009-02-26 13:12 1,067,016 ----a-w c:\windows\system32\imlock.exe
2009-02-14 02:12 --------- d-----w c:\program files\PCPitstop
2009-02-14 01:59 --------- d-----w c:\documents and settings\All Users\Application Data\PCPitstop
2009-02-09 10:19 1,846,272 ----a-w c:\windows\system32\win32k.sys
2009-01-18 11:32 75,784 ----a-w c:\windows\system32\dsrviml.exe
2009-01-18 11:32 4,164 ----a-w c:\windows\system32\iml.vbs
2006-05-04 02:52 34 -c--a-w c:\documents and settings\Owner\flush.bat
2007-12-12 00:24 2,098 -csha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((((( System Restore )))))))))))))))))))))))))))))))))))))))))))))))))))
.

2009-03-31 15:19 119808 c:\documents and settings\Owner\Desktop\Malware\VundoFix.exe
2009-03-31 15:19 119808 {B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP1\A0000119.exe

2009-04-04 11:21 128 c:\windows\system32\ptrun32\acl.bat
2009-04-04 10:21 128 {B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP1\A0000028.bat
2009-04-04 11:18 128 {B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP1\A0000113.bat

c:\windows\system32\qimlsrv.exe
2009-02-26 08:12 169992 {B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP2\A0000208.exe

c:\windows\system32\tnblf.exe
2009-03-01 01:00 39672 {B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP2\A0000209.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ptrun32"="c:\windows\system32\ptrun32\ptrun32.exe" [2007-03-27 942080]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-21 1932568]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 c:\windows\system32\narrator.exe]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
AutoPlay.exe [2001-09-17 36864]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
IML.lnk - c:\windows\system32\iml.vbs [2009-01-18 4164]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
IML.lnk - c:\windows\system32\iml.vbs [2009-01-18 4164]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-21 14:22 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.DVSD"= pdvcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
backup=c:\windows\pss\hp psc 2000 Series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Sonic INSTALLit! Setup.lnk]
backup=c:\windows\pss\Sonic INSTALLit! Setup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2004-08-10 09:37 61440 c:\program files\AIM95\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\basicsmssmenu]
--a------ 2007-09-28 16:32 169328 c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 02:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 16:50 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 16:50 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 18:57 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoteBurner]
--a------ 2008-11-28 19:27 5656576 c:\program files\NoteBurner\VTBurnerGUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-16 14:01 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTRUN32]
--a------ 2007-03-27 02:29 942080 c:\windows\system32\ptrun32\ptrun32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
--a------ 2008-11-10 13:23 157312 c:\program files\Zune\ZuneLauncher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sunbelt Software\\Personal Firewall 4\\kpf4gui.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\NETAMIN\\UBO_2007\\game\\ubo.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-03-21 12552]
R0 ntcdrdrv;ntcdrdrv;c:\windows\system32\drivers\ntcdrdrv.sys [2008-11-30 13440]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-21 325640]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-03-21 108552]
R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [2005-12-15 274432]
R1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [2005-12-15 81920]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-03-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-03-23 72944]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-03-21 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-21 298264]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-12-22 210216]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-02-12 24652]
S0 OCDE;ZTekWare Original CD Emulator Service;c:\windows\system32\Drivers\OCDE.sys --> c:\windows\system32\Drivers\OCDE.sys [?]
S3 AdWatchDrv;AW Realtime Driver;\??\c:\windows\system32\drivers\AWRTPD.sys --> c:\windows\system32\drivers\AWRTPD.sys [?]
S3 FTD2XX;Flashpaq FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\drivers\FTD2XX.sys [2008-10-17 34639]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
.
Contents of the 'Scheduled Tasks' folder

2008-05-05 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1202058135.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 18:56]

2002-07-27 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2001-11-19 20:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/home.php
uDefault_Search_URL = hxxp://srch-us6.hpwis.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://srch-us6.hpwis.com/
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;*.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: &Search
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Download with Xilisoft Download YouTube Video - c:\documents and settings\Owner\My Documents\anna\Download YouTube Video\upod_link.HTM
Trusted Zone: flashpaq.com\www
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: windowsupdate.com\download
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {77538FC7-CE52-4704-9865-494FE92BC320} - hxxp://www.ultimatebaseballonline.com/myubo/launchubo.OCX
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\1nq9i9mp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.thefoxnation.com/
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npagent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-04 15:29:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1238661117-66767829-436321949-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{01CBDE8A-F9AF-A5A9-BABF-9CDB2AFA071B}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"dbkpdfncpokaphmmejamhdbgeeggaghdjadjcnme"=hex:6a,61,64,67,66,69,65,6c,66,70,
69,64,63,6d,6e,6e,6c,6a,69,6a,00,00
"cbalfdldhkobpabepfjmiadcchbcllicgclman"=hex:6a,61,64,67,63,6b,68,6c,6c,70,70,
69,69,6e,6b,65,66,64,6f,6a,00,00
"abgapkolilekkljdhhhffkgjffclchmlal"=hex:61,61,00,e4
"mafagjamkamfcoeaabjadphefe"=hex:61,61,00,e4

[HKEY_USERS\S-1-5-21-1238661117-66767829-436321949-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{29427567-EF59-35D7-2143-C28A31054DE4}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"dbffgcnlaikickcpepdpibhnfidchhhddkfmicgn"=hex:6a,61,6a,6d,6a,6b,6a,61,66,6c,
6d,65,68,67,70,6c,68,65,65,6e,00,fb
"cblemffeifknabahpmmoabcmboflnogdllcnne"=hex:6a,61,6a,6d,6a,6b,6a,61,6f,6a,66,
64,65,66,6b,6c,69,64,63,6d,00,fb
"iaffgcnlaikickcpep"=hex:61,61,00,00
"halemffeifknabah"=hex:61,61,00,00
"iajgonbglajnijmibf"=hex:61,61,00,00

[HKEY_USERS\S-1-5-21-1238661117-66767829-436321949-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{315F31DD-5C00-6ED6-295F-15228F059615}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"bbeomgdllkdnlbeogklpodkjbjopbljkhcae"=hex:69,61,68,62,61,6a,6c,66,6c,61,6c,6c,
66,66,64,62,61,67,00,00
"abkockfpihjnmpmkonaheejfmfbkconnih"=hex:69,61,68,62,61,6a,6c,66,6c,61,6c,6c,
66,66,64,62,61,67,00,00
"iaeomgdllkdnlbeogk"=hex:61,61,00,00
"hakockfpihjnmpmk"=hex:61,61,00,00
"iaipmhfgbfnfleccab"=hex:61,61,00,00

[HKEY_USERS\S-1-5-21-1238661117-66767829-436321949-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{84D3D8A4-E1FD-6400-190C-91B3D22A5BF4}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"dbkdiomgiikpdamepeacelmacbefjggdgahpndhp"=hex:6a,61,67,6b,6c,63,64,6c,66,6c,
70,6c,63,6a,6c,6a,6c,66,6c,70,00,e1
"cbedkenbajmacakcailphcdpckailldpcipkep"=hex:6a,61,68,6b,62,62,63,62,65,62,67,
65,65,6f,6a,6d,64,6c,63,69,00,e1

[HKEY_USERS\S-1-5-21-1238661117-66767829-436321949-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8CEA33E7-171B-601D-9DE1-2C711984FB98}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"dbbddangefpolmghdahhfchdepaiajfgepkldche"=hex:6a,61,66,63,66,61,6b,6d,6e,6e,
6c,6b,66,65,63,67,70,70,69,66,00,1a
"cbpdbpjkjngliadfnlbcnfjpkfacoglehmdpoa"=hex:6a,61,69,63,61,61,6c,6e,68,6e,68,
6e,65,69,6d,68,65,6b,6d,66,00,1a
"iabddangefpolmghda"=hex:61,61,00,00
"hapdbpjkjngliadf"=hex:61,61,00,00
"iafelbmnhkihobfool"=hex:61,61,00,00
"abfeladkbmkibkledjmbidmpmojablheel"=hex:61,61,00,00
"makeaclpdjjeopnppoafbjamgo"=hex:61,61,00,00
"dbbddangefpolmghdahhfchdockieegbmilneacd"=hex:69,61,6b,63,68,70,61,69,66,66,
61,6f,69,63,6c,61,6c,6b,00,00
"cbpdbpjkjngliadfnlbcnflpedcaajefpkgimk"=hex:69,61,68,63,67,70,68,64,63,67,6e,
68,6f,66,6d,63,69,61,00,00

[HKEY_USERS\S-1-5-21-1238661117-66767829-436321949-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E9907B94-0A2E-A871-0F30-7982615BB869}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"cbibbkeblamnnkhiiabmflafpgbpmhbjpkakjl"=hex:69,61,66,6f,61,6b,65,67,65,6e,69,
65,6d,6b,66,6c,70,62,00,00
"bboadkbigellefaccmmpfbefmadpokoagngo"=hex:69,61,66,6f,61,6b,65,67,65,6e,69,65,
6d,6b,66,6c,70,62,00,00
"iaibbkeblamnnkhiia"=hex:61,61,00,7f
"haoadkbigellefac"=hex:61,61,00,7f
"iaeajjinoamkdfghcc"=hex:61,61,00,7f
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(552)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-04-04 15:34:12
ComboFix-quarantined-files.txt 2009-04-04 20:34:06
ComboFix2.txt 2009-04-04 16:03:58

Pre-Run: 47,725,821,952 bytes free
Post-Run: 47,715,037,184 bytes free

315 --- E O F --- 2009-03-13 03:21:17
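The ComboFix log above records three things a practitioner would re-check before calling this machine clean, none of which the thread comments on: the Security Center "AntiVirusOverride"/"FirewallOverride" values are set to 1 (Security Center stops warning that protection is off), the XP firewall standard profile has "EnableFirewall"= 0, and two services (OCDE, AdWatchDrv) point at driver files ComboFix marks "[?]" because it could not find them on disk. The script below is an added example for this thread, not ComboFix code and not anything posted by the helper; it parses those line formats and lists the findings. The sample input is a constructed excerpt copied from the log above. All three findings can be benign: the log also lists Sunbelt Personal Firewall 4 and the Kerio fwdrv/khips drivers, and a third-party firewall is the usual reason the XP firewall is off and the override is set, while a missing driver file is often the residue of an uninstalled product. The point is to surface them for a decision, not to declare them malicious.

```python
"""Triage a ComboFix-style log for settings a malware cleanup should re-check
before calling the machine clean.  Added example for this thread, not ComboFix
code and not anything the helper posted.  Flags three things: Security Center
override values set to 1, the XP firewall standard profile switched off, and
services whose binary ComboFix could not find on disk (its "[?]" marker)."""
import re

# Constructed sample: these lines are copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-03-21 12552]
R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [2005-12-15 274432]
S0 OCDE;ZTekWare Original CD Emulator Service;c:\windows\system32\Drivers\OCDE.sys --> c:\windows\system32\Drivers\OCDE.sys [?]
S3 AdWatchDrv;AW Realtime Driver;\??\c:\windows\system32\drivers\AWRTPD.sys --> c:\windows\system32\drivers\AWRTPD.sys [?]
"""

KEY_RE = re.compile(r'^\[(.+)\]$')                                   # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(dword:)?([0-9A-Fa-f]+)')  # "Name"=dword:0001 or "Name"= 0 (0x0)
# ComboFix service line: <R|S><start type> name;display name;image path [date size]  or  [?]
SERVICE_RE = re.compile(r'^([RS])(\d) (.+?);(.*?);(.+?) \[(.*)\]$')


def parse_value(prefix, raw):
    """ComboFix prints REG_DWORD as hex after 'dword:', other numbers in decimal."""
    return int(raw, 16) if prefix else int(raw, 10)


def triage(log_text):
    """Return (category, item) pairs for the settings worth re-checking."""
    findings = []
    current_key = None
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            name, prefix, raw = m.groups()
            value = parse_value(prefix, raw)
            # Override=1 tells Security Center to stop alerting that AV/firewall is off.
            if current_key.endswith('security center') and name.endswith('Override') and value == 1:
                findings.append(('security-center-override', name))
            # EnableFirewall=0 in the standard profile means the XP firewall is off.
            if current_key.endswith('standardprofile') and name == 'EnableFirewall' and value == 0:
                findings.append(('firewall-disabled', name))
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, stamp = m.group(3), m.group(6)
            # "[?]" is ComboFix's marker for an image path it could not find on disk.
            if stamp == '?':
                findings.append(('service-binary-missing', name))
    return findings


if __name__ == '__main__':
    for category, item in triage(SAMPLE_LOG):
        print(f'{category:26} {item}')
```

Run it against a full ComboFix log by reading the file into `triage()`; the three regexes cover only the key/value and service line shapes shown above, so other sections of the log are ignored rather than misparsed.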

#7 Jimmy2012 (Trusted Helper, Retired Staff, 6,238 posts)
Hello oze,

  • Please start Malwarebytes' Anti-Malware and update it.
  • To update, please do this: click Update and then click Check for Updates.
  • It will now install any updates it finds.
  • Once it is done updating, please click Scanner and then click "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
~~~~~~~~~~~~~~~
In your next reply please have these logs.
The Malwarebytes log
And the Eset log

#8 oze (Topic Starter, Member, 44 posts)
Thanks for staying with me. I think that we found and deleted a false positive yesterday--a program that I use to regulate my daughter's internet activity (IM Lock) is not functioning--I've contacted them to see about reinstalling it. Attached are the logs from the tools you had me run--note that Malwarebytes found nothing (even after the update):


Malwarebytes' Anti-Malware 1.35
Database version: 1942
Windows 5.1.2600 Service Pack 2

4/5/2009 5:30:23 PM
mbam-log-2009-04-05 (17-30-23).txt

Scan type: Quick Scan
Objects scanned: 74549
Time elapsed: 6 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


And here's the Eset scanner log:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3988 (20090404)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=6099179a44e9cc4d9301c753f292c4dc
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-04-06 12:20:30
# local_time=2009-04-05 07:20:30 (-0600, Central Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=494613
# found=3
# scan_time=6154
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\AutoPlay.exe Win32/Agent.NVP trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\AutoPlay.exe Win32/Agent.NVP trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\hp\bin\AUTOPLAY.EXE Win32/Agent.NVP trojan (unable to clean - deleted) 00000000000000000000000000000000

#9 Jimmy2012 (Trusted Helper, Retired Staff, 6,238 posts)
Hello oze,

I think that we found and deleted a false positive yesterday--a program that I use to regulate my daughter's internet activity (IM Lock) is not functioning--I've contacted them to see about reinstalling it.

If you are sure those files are related to IM lock and are safe, I can move them back to your computer. The reason for deleting them is, everything I found on them said they were bad.

Edited by Jimmy2012, 05 April 2009 - 10:33 PM.


#10 oze (Topic Starter, Member, 44 posts)

Hello oze,

I think that we found and deleted a false positive yesterday--a program that I use to regulate my daughter's internet activity (IM Lock) is not functioning--I've contacted them to see about reinstalling it.

If you are sure those files are related to IM lock and are safe, I can move them back to your computer. The reason for deleting them is, everything I found on them said they were bad.

Jimmy,
Thank you, but since I couldn't be sure, I just used the company's uninstaller and did a clean (re)install of the tool. The only reason I mentioned it was for the sake of completeness of information.

Anything further I need to do to continue the cleanup of all of the nasties, or are we done now? Thanks again for all of your help.
#11 Jimmy2012 (Trusted Helper, Retired Staff, 6,238 posts)
Hello oze,

Anything further I need to do to continue the cleanup of all of the nasties, or are we done now?

How is your computer running, any other problems you see?

#12 oze (Topic Starter, Member, 44 posts)

Hello oze,
How is your computer running, any other problems you see?

Jimmy,

Everything seems to be back to normal, as far as I can tell. Assuming we are good to go, do I need to remove some of the free software that I downloaded? Thanks again for all of your help.

Dave

#13 Jimmy2012 (Trusted Helper, Retired Staff, 6,238 posts)
Hello oze,

do I need to remove some of the free software that I downloaded?

Yep, we will do that now. :)

Thanks again for all of your help.

You are welcome. :)


Let's go ahead and remove the tools used and update a few things.

You are using an old version of Adobe Acrobat Reader; please update it here.
Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
Please download OTCleanIt and save it to your Desktop.
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button to begin removing tools used to clean your computer
  • If you are prompted to Reboot during the cleanup, please select Yes

Please remove any leftover tools used to clean your computer.
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

1. Spywareguard: Is realtime protection from spyware.

2. Spywareblaster: Helps protect against any bad ActiveX from installing on your computer.

3. SuperAntiSpyware: Use this program to help remove any spyware that may have gotten on your computer.

4. FireFox: This is a great alternate browser over Internet Explorer. Firefox is much more secure than Internet Explorer and also has a built-in pop-up blocker.

5. ATF Cleaner: This program cleans out your temporary files. This is a great tool that can help speed your computer up.

6. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

7. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

#14 oze (Topic Starter, Member, 44 posts)
Jimmy,

Done and done. I did all of the cleanup activities you listed, and all seems well except for a somewhat odd behavior from Windows Explorer. When I open up an explorer window, I'm getting the busy "hourglass" cursor flashing on and off, every second or so. I don't know if this is something to be concerned with or not.

Thanks again for everything. Where's the PayPal link? :)

#15 oze (Topic Starter, Member, 44 posts)
I wanted to add something from Comvigo, the company that distributes the IM Lock tool that I use. FYI anyone that comes across these files (and is using IM Lock), they are most likely safe:

qimlsrv.exe
dsrviml.exe
imlock.exe
iml.xml

Edited by oze, 07 April 2009 - 07:52 AM.
