SKYNET trojan problem - hjt log only MBAM freezes
Malwarebytes Forum > Computer Help > Malware Removal - HijackThis Logs
snodes
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:50:29, on 16/08/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18294)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/mail?&.s...ntl=uk&rl=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [BTAgile] C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JR1916~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JR1916~1.0_0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 7233 bytes
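As an added example (not a tool from this thread, from Trend Micro or from Malwarebytes), the Python below parses O2/O4/O10/O23 lines in the HijackThis format posted above into fields and applies the kind of checks a helper applies by eye, plus a check of the OTL O6 "EnableLUA = 0" line that appears later in the thread. The sample lines are constructed to match the format shown here, and the UpdaterEx autostart is invented for the demonstration rather than taken from the poster's log.

```python
# Added example for this thread: a triage helper for HijackThis-style log
# lines. Not a tool from Trend Micro, Malwarebytes or the helpers here.
import re
from collections import Counter

# Constructed sample modelled on the HijackThis 2.0.2 format used in this
# thread. The UpdaterEx entry is invented for the demo; the rest are benign.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKCU\..\Run: [UpdaterEx] C:\Users\Example\AppData\Local\Temp\updx.exe /quiet
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""
# Constructed OTL line in the format of the O6 block later in the thread.
SAMPLE_OTL = [
    r"O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0",
]

ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d)\s+-\s+(.*)$")
RUN_RE = re.compile(r"^(HK[^:]+?)\\\.\.\\(Run\w*):\s*\[(.*?)\]\s*(.*)$")
SVC_RE = re.compile(r"^Service:\s*(.*?)\s+-\s+(.*?)\s+-\s+(.*)$")
USER_RE = re.compile(r"\s*\(User '.*'\)\s*$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Locations an unprivileged user can write to: an autostart pointing there
# deserves a look, whereas Program Files entries usually belong to installers.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\[^\\]+)\\", re.I)


def command_to_exe(command):
    """Reduce an O4 command line to the image it launches."""
    command = USER_RE.sub("", command.strip())  # drop "(User '...')"
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return re.split(r"\s+/", command, maxsplit=1)[0]  # drop " /switches"


def parse_hjt_line(line):
    """Turn one 'Oxx - ...' line into a dict; returns None for non-entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    entry = {"code": code, "raw": line.strip(), "name": None, "company": None,
             "path": None, "clsid": None, "hive": None, "key": None}
    if code == "O4" and (r := RUN_RE.match(body)):
        entry["hive"], entry["key"], entry["name"], cmd = r.groups()
        entry["path"] = command_to_exe(cmd)
    elif code == "O23" and (s := SVC_RE.match(body)):
        entry["name"], entry["company"], entry["path"] = s.groups()
    elif code == "O10":
        entry["path"] = body.partition(":")[2].strip()
    elif (c := CLSID_RE.search(body)):
        # O2/O3/O9 style: "<type>: <name> - {CLSID} - <path>"
        entry["clsid"] = c.group(0).upper()
        head, _, tail = body.partition(c.group(0))
        entry["name"] = head.split(":", 1)[-1].strip(" -")
        entry["path"] = tail.strip(" -") or None
    return entry


def triage(lines):
    """Apply the review checks a log helper applies by eye; findings are
    items for a human to look at, not verdicts."""
    entries = [e for e in map(parse_hjt_line, lines) if e]
    findings = []
    for e in entries:
        if e["code"] == "O4" and e["path"] and USER_WRITABLE.search(e["path"]):
            findings.append(("autostart-user-writable", e["name"], e["path"]))
        if e["code"] == "O4" and e["key"] == "RunOnce":
            findings.append(("runonce-pending", e["name"], e["path"]))
        if e["code"] == "O23" and e["company"] == "Unknown owner":
            findings.append(("service-no-company", e["name"], e["path"]))
    # HJT prints one O10 line per Winsock catalog entry, so a DLL registered
    # in several entries repeats; report the count, not one finding per line.
    lsp = Counter(e["path"].lower() for e in entries if e["code"] == "O10")
    for dll, n in lsp.items():
        if n > 1:
            findings.append(("lsp-repeated", dll, str(n)))
    return entries, findings


def uac_disabled(otl_lines):
    """OTL prints the UAC policy as 'O6 - ...\\System: EnableLUA = <n>'."""
    for line in otl_lines:
        if line.startswith("O6 - ") and "EnableLUA" in line:
            return line.rstrip().endswith("= 0")
    return None  # no O6 EnableLUA line seen


if __name__ == "__main__":
    for kind, what, detail in triage(SAMPLE_HJT.splitlines())[1]:
        print(f"[{kind}] {what}: {detail}")
    print("UAC disabled:", uac_disabled(SAMPLE_OTL))
```

The findings are items for a person to review, not verdicts: a legitimate service can show "Unknown owner" just as CLSched does in the log above.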
Maurice Naggar
Hello snodes and welcome to MalwareBytes forums.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
These steps are for member snodes only. If you are a casual viewer, do NOT try this on your system!
If you are not snodes and have a similar problem, do NOT post here; start your own topic


Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.

Given that this is a Vista system, on most all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.

Show all files:
  • Click the Start button, and then click Computer.
  • On the Organize menu, click Folder and Search Options.
  • Click the View tab.
  • Locate and uncheck Hide file extensions for known file types.
  • Locate and uncheck Hide protected operating system files (Recommended).
  • Locate and click Show hidden files and folders.
  • Click Apply > OK.


=

Go here and download RootRepeal to your Desktop.
Double-click to extract the compressed file to its own folder and
then right-click on RootRepeal.exe and choose "Run as Administrator"
Click on the Report tab and then click on Scan.
A window will open asking what to include in the scan. Check all of the below and then click Ok.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

You will then be asked which drive to scan. Check C: (or the drive your operating system is installed on if not C) and click Ok again. The scan will start. It will take a little while so please be patient. When the scan has finished, click on Save Report. Name the log RootRepeal.txt and save it to your Documents folder (it should default there).
When you have done this, please copy and paste it in this thread.
=

Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe

  • Close all open windows on the Task Bar. Click the icon (for Vista, right click the icon and Run as Administrator) to start the program.
  • In the lower right corner of the Top Panel, checkmark "LOP Check" and checkmark "Purity Check".
  • Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes.
  • It will produce two logs for you, one will pop up called OTL.txt, the other will be saved on your desktop and called Extras.txt.
  • Exit Notepad. Remember where you've saved these 2 files as we will need both of them shortly!
  • Exit OTL by clicking the X at top right.


Download Security Check by screen317 and save it to your Desktop: here or here


  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!


If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.

Then copy/paste the following into your post (in order):
  • the contents of Rootrepeal.txt;
  • the contents of OTL.txt;
  • the contents of Extras.txt; and
  • the contents of checkup.txt


Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.
Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of the reply.
snodes
OTL logfile created on: 16/08/2009 20:05:01 - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Users\The Snowdons\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 0.63 Gb Available Physical Memory | 31.66% Memory free
4.00 Gb Paging File | 2.70 Gb Available in Paging File | 67.40% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 465.76 Gb Total Space | 410.19 Gb Free Space | 88.07% Space Free | Partition Type: NTFS
Drive D: | 83.13 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: THESNOWDONS-PC
Current User Name: The Snowdons
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2008/09/18 00:55:00 | 00,196,608 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvvsvc.exe
PRC - [2009/03/06 01:04:30 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/07/28 16:59:04 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2007/02/09 17:35:10 | 00,278,608 | ---- | M] () -- C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
PRC - [2008/08/29 00:53:18 | 00,303,104 | ---- | M] (Motive Communications, Inc.) -- C:\Program Files\Common Files\Motive\McciCMService.exe
PRC - [2007/02/09 09:35:54 | 00,262,247 | ---- | M] () -- C:\Program Files\CyberLink\Shared files\RichVideo.exe
PRC - [2007/05/28 17:57:54 | 00,275,968 | ---- | M] (Rocket Division Software) -- C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
PRC - [2009/07/28 16:59:09 | 00,832,792 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgam.exe
PRC - [2009/07/28 16:59:10 | 00,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe
PRC - [2009/07/28 16:59:15 | 00,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/07/28 16:59:11 | 00,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2009/07/28 16:59:14 | 00,693,016 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2009/01/26 15:31:10 | 01,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
PRC - [2008/01/19 08:33:40 | 00,142,336 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\WUDFHost.exe
PRC - [2007/02/09 17:35:12 | 00,110,677 | ---- | M] () -- C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
PRC - [2008/10/29 07:29:41 | 02,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\Explorer.EXE
PRC - [2009/08/14 01:07:30 | 02,007,832 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2007/06/18 09:39:10 | 00,061,440 | ---- | M] () -- C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
PRC - [2009/08/13 11:14:17 | 00,472,064 | ---- | M] ( ) -- C:\Users\The Snowdons\Desktop\RootRepeal.exe
PRC - [2009/07/28 16:59:14 | 00,693,016 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2006/11/02 13:35:29 | 00,131,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehsched.exe
PRC - [2008/01/19 08:33:09 | 00,292,352 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehRecvr.exe
PRC - [2009/08/16 19:51:41 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Users\The Snowdons\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2009/03/06 01:04:30 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2009/07/28 16:59:10 | 00,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc [Auto | Running])
SRV - [2009/07/28 16:59:04 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Running])
SRV - [2007/02/09 17:35:10 | 00,278,608 | ---- | M] () -- C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe -- (CLCapSvc [Auto | Running])
SRV - [2008/07/27 19:03:13 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2007/02/09 17:35:12 | 00,110,677 | ---- | M] () -- C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe -- (CLSched [Auto | Running])
SRV - [2008/01/19 08:33:09 | 00,292,352 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehRecvr.exe -- (ehRecvr [On_Demand | Running])
SRV - [2006/11/02 13:35:29 | 00,131,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehsched.exe -- (ehSched [On_Demand | Running])
SRV - [2006/11/02 13:35:29 | 00,013,312 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehstart.dll -- (ehstart [Auto | Stopped])
SRV - [2008/01/19 08:36:53 | 01,013,760 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wevtsvc.dll -- (Eventlog [Auto | Running])
SRV - [2008/06/20 02:14:44 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2009/03/24 10:43:16 | 00,183,280 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [Auto | Stopped])
SRV - [2008/06/20 02:14:31 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2009/04/02 16:10:56 | 00,656,168 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Stopped])
SRV - [2008/08/29 00:53:18 | 00,303,104 | ---- | M] (Motive Communications, Inc.) -- C:\Program Files\Common Files\Motive\McciCMService.exe -- (McciCMService [Auto | Running])
SRV - [2008/06/20 02:14:31 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2008/09/18 00:55:00 | 00,196,608 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvvsvc.exe -- (nvsvc [Auto | Running])
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2007/02/09 09:35:54 | 00,262,247 | ---- | M] () -- C:\Program Files\CyberLink\Shared files\RichVideo.exe -- (RichVideo [Auto | Running])
SRV - [2009/01/26 15:31:10 | 01,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService [Auto | Running])
SRV - [2007/05/28 17:57:54 | 00,275,968 | ---- | M] (Rocket Division Software) -- C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe -- (StarWindServiceAE [Auto | Running])
SRV - [2008/01/19 08:38:24 | 00,272,952 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\mpsvc.dll -- (WinDefend [Auto | Running])
SRV - [2008/01/19 08:33:39 | 00,896,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2007/01/25 19:42:50 | 02,831,232 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Windows\System32\DRIVERS\3xHybrid.sys -- (3xHybrid [On_Demand | Running])
DRV - [2006/11/02 10:51:38 | 00,420,968 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx [Disabled | Stopped])
DRV - [2006/11/02 10:51:32 | 00,297,576 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci [Disabled | Stopped])
DRV - [2006/11/02 10:50:35 | 00,098,408 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m [Disabled | Stopped])
DRV - [2006/11/02 10:51:00 | 00,147,048 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320 [Disabled | Stopped])
DRV - [2006/11/02 10:50:11 | 00,071,272 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx [Disabled | Stopped])
DRV - [2006/11/02 10:49:20 | 00,014,952 | ---- | M] (Acer Laboratories Inc.) -- C:\Windows\system32\drivers\aliide.sys -- (aliide [Disabled | Stopped])
DRV - [2006/11/02 10:50:09 | 00,067,688 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\arc.sys -- (arc [Disabled | Stopped])
DRV - [2006/11/02 10:50:10 | 00,067,688 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas [Disabled | Stopped])
DRV - [2009/07/28 16:59:15 | 00,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\Drivers\avgldx86.sys -- (AvgLdx86 [System | Running])
DRV - [2009/07/28 16:59:15 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\Drivers\avgmfx86.sys -- (AvgMfx86 [System | Running])
DRV - [2009/04/24 09:24:55 | 00,012,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\Drivers\avgrkx86.sys -- (AvgRkx86 [Boot | Running])
DRV - [2009/04/24 09:24:47 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\Drivers\avgtdix.sys -- (AvgTdiX [System | Running])
DRV - [2006/11/02 09:24:45 | 00,013,568 | ---- | M] (Brother Industries, Ltd.) -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo [On_Demand | Stopped])
DRV - [2006/11/02 09:24:46 | 00,005,248 | ---- | M] (Brother Industries, Ltd.) -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp [On_Demand | Stopped])
DRV - [2006/11/02 09:25:24 | 00,071,808 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brserid.sys -- (Brserid [Disabled | Stopped])
DRV - [2006/11/02 09:24:44 | 00,062,336 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm [Disabled | Stopped])
DRV - [2006/11/02 09:24:44 | 00,012,160 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm [Disabled | Stopped])
DRV - [2006/11/02 09:24:47 | 00,011,904 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer [On_Demand | Stopped])
DRV - [2006/11/02 10:49:28 | 00,016,488 | ---- | M] (CMD Technology, Inc.) -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide [Disabled | Stopped])
DRV - [2006/11/02 08:30:54 | 00,117,760 | ---- | M] (Intel Corporation) -- C:\Windows\System32\DRIVERS\E1G60I32.sys -- (E1G60 [On_Demand | Stopped])
DRV - [2006/11/02 10:51:34 | 00,316,520 | ---- | M] (Emulex) -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor [Disabled | Stopped])
DRV - [2009/03/19 16:32:48 | 00,023,400 | ---- | M] (GEAR Software Inc.) -- C:\Windows\System32\Drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2006/11/02 10:50:10 | 00,037,480 | ---- | M] (Hewlett-Packard Company) -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs [Disabled | Stopped])
DRV - [2006/11/02 10:51:25 | 00,232,040 | ---- | M] (Intel Corporation) -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV [Disabled | Stopped])
DRV - [2006/11/02 10:50:17 | 00,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp [Disabled | Stopped])
DRV - [2006/11/02 10:50:07 | 00,035,944 | ---- | M] (Integrated Technology Express, Inc.) -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi [Disabled | Stopped])
DRV - [2006/11/02 10:50:09 | 00,035,944 | ---- | M] (Integrated Technology Express, Inc.) -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid [Disabled | Stopped])
DRV - [2006/11/02 10:50:04 | 00,065,640 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC [Disabled | Stopped])
DRV - [2006/11/02 10:50:05 | 00,065,640 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS [Disabled | Stopped])
DRV - [2006/11/02 10:50:10 | 00,065,640 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI [Disabled | Stopped])
DRV - [2009/08/03 13:36:28 | 00,038,160 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy [On_Demand | Stopped])
DRV - [2006/11/02 10:49:53 | 00,028,776 | ---- | M] (LSI Logic Corporation) -- C:\Windows\system32\drivers\megasas.sys -- (megasas [Disabled | Stopped])
DRV - [2006/11/02 10:49:59 | 00,033,384 | ---- | M] (LSI Logic Corporation) -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x [Disabled | Stopped])
DRV - [2007/11/17 02:34:22 | 00,019,712 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50 [On_Demand | Stopped])
DRV - [2007/11/17 02:34:22 | 00,018,304 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50 [On_Demand | Stopped])
DRV - [2006/11/02 10:50:19 | 00,045,160 | ---- | M] (IBM Corporation) -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960 [Disabled | Stopped])
DRV - [2006/11/02 08:36:50 | 00,020,608 | ---- | M] (N-trig Innovative Technologies) -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi [Disabled | Stopped])
DRV - [2009/05/09 01:14:20 | 00,014,736 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\DRIVERS\NuidFltr.sys -- (NuidFltr [On_Demand | Running])
DRV - [2008/09/18 00:55:00 | 07,379,872 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\DRIVERS\nvlddmkm.sys -- (nvlddmkm [On_Demand | Running])
DRV - [2006/11/02 10:50:24 | 00,088,680 | ---- | M] (NVIDIA Corporation) -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid [Disabled | Stopped])
DRV - [2006/11/02 10:50:13 | 00,040,040 | ---- | M] (NVIDIA Corporation) -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor [Disabled | Stopped])
DRV - [2007/04/03 11:43:28 | 01,131,136 | ---- | M] (Philips Semiconductors GmbH) -- C:\Windows\System32\DRIVERS\Ph3xIB32.sys -- (Ph3xIB32 [On_Demand | Stopped])
DRV - [2004/04/27 00:31:04 | 00,474,304 | ---- | M] (Logitech Inc.) -- C:\Windows\System32\DRIVERS\LVCD.sys -- (QCDonner [On_Demand | Stopped])
DRV - [2006/11/02 10:51:45 | 00,900,712 | ---- | M] (QLogic Corporation) -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300 [Disabled | Stopped])
DRV - [2006/11/02 10:50:35 | 00,106,088 | ---- | M] (QLogic Corporation) -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx [Disabled | Stopped])
DRV - [2006/11/02 08:30:56 | 00,044,544 | ---- | M] (Realtek Corporation) -- C:\Windows\System32\DRIVERS\Rtlh86.sys -- (RTL8169 [On_Demand | Running])
DRV - [2009/08/05 16:06:28 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV [System | Running])
DRV - [2009/08/05 16:06:30 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Stopped])
DRV - [2009/08/05 16:06:28 | 00,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys -- (SASKUTIL [System | Running])
DRV - [2006/11/02 07:37:21 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\Windows\System32\drivers\secdrv.sys -- (secdrv [Auto | Running])
DRV - [2006/11/02 10:50:10 | 00,038,504 | ---- | M] (Silicon Integrated Systems Corp.) -- C:\Windows\system32\drivers\sisraid2.sys -- (SiSRaid2 [Disabled | Stopped])
DRV - [2006/11/02 10:50:16 | 00,071,784 | ---- | M] (Silicon Integrated Systems) -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4 [Disabled | Stopped])
DRV - [2009/04/14 15:41:49 | 00,717,296 | ---- | M] () -- C:\Windows\System32\Drivers\sptd.sys -- (sptd [Boot | Running])
DRV - [2007/06/21 10:45:08 | 00,029,696 | ---- | M] (Service & Quality Technology.) -- C:\Windows\System32\Drivers\Capt913D.sys -- (SQTECH913D [On_Demand | Stopped])
DRV - [2006/11/02 10:50:05 | 00,035,944 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx [Disabled | Stopped])
DRV - [2006/11/02 10:49:56 | 00,031,848 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi [Disabled | Stopped])
DRV - [2006/11/02 10:50:03 | 00,034,920 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3 [Disabled | Stopped])
DRV - [2006/11/02 10:51:25 | 00,235,112 | ---- | M] (ULi Electronics Inc.) -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci [Disabled | Stopped])
DRV - [2006/11/02 10:50:35 | 00,098,408 | ---- | M] (Promise Technology, Inc.) -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata [Disabled | Stopped])
DRV - [2006/11/02 10:50:45 | 00,115,816 | ---- | M] (Promise Technology, Inc.) -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2 [Disabled | Stopped])
DRV - [2009/03/06 00:59:00 | 00,036,864 | ---- | M] (Apple, Inc.) -- C:\Windows\System32\Drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])
DRV - [2006/11/02 10:49:30 | 00,017,512 | ---- | M] (VIA Technologies, Inc.) -- C:\Windows\system32\drivers\viaide.sys -- (viaide [Disabled | Stopped])
DRV - [2006/11/02 10:50:41 | 00,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid [Disabled | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/mail?&.s...ntl=uk&rl=1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
IE - URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/08/14 09:05:24 | 00,000,000 | ---D | M]


O1 HOSTS File: (761 bytes) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKCU..\Run: [AlcoholAutomount] C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe (Alcohol Soft Development Team)
O4 - HKCU..\Run: [BTAgile] C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\microsoft shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (avgrsstx.dll) - C:\Windows\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 22:43:36 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\Windows\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/08/16 20:03:40 | 00,177,664 | ---- | C] () -- C:\Users\The Snowdons\Documents\snodes root repeal scan.doc
[2009/08/16 19:52:01 | 00,838,010 | ---- | C] () -- C:\Users\The Snowdons\Desktop\SecurityCheck.exe
[2009/08/16 19:51:31 | 00,514,048 | ---- | C] (OldTimer Tools) -- C:\Users\The Snowdons\Desktop\OTL.exe
[2009/08/16 19:36:46 | 00,465,298 | ---- | C] () -- C:\Users\The Snowdons\Desktop\RootRepeal.rar
[2009/08/16 19:34:41 | 00,000,000 | ---- | C] () -- C:\Users\The Snowdons\Desktop\settings.dat
[2009/08/16 19:34:35 | 00,472,064 | ---- | C] ( ) -- C:\Users\The Snowdons\Desktop\RootRepeal.exe
[2009/08/16 18:50:07 | 00,001,874 | ---- | C] () -- C:\Users\The Snowdons\Desktop\HijackThis.lnk
[2009/08/16 18:50:06 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/08/16 18:42:35 | 03,942,048 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\The Snowdons\Desktop\mbam-setup.exe
[2009/08/16 17:15:41 | 01,718,504 | ---- | C] () -- C:\Users\The Snowdons\Documents\Resident Shield File.csv
[2009/08/14 09:06:32 | 01,256,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\lsasrv.dll
[2009/08/14 09:06:32 | 00,499,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\kerberos.dll
[2009/08/14 09:06:32 | 00,439,896 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\ksecdd.sys
[2009/08/14 09:06:32 | 00,270,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\schannel.dll
[2009/08/14 09:06:32 | 00,213,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msv1_0.dll
[2009/08/14 09:06:32 | 00,175,104 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wdigest.dll
[2009/08/14 09:06:32 | 00,072,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secur32.dll
[2009/08/14 09:06:32 | 00,009,728 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\lsass.exe
[2009/08/13 00:07:58 | 00,001,267 | ---- | C] () -- C:\Windows\wininit.ini
[2009/08/12 22:31:40 | 00,123,416 | ---- | C] () -- C:\MGlogs.zip
[2009/08/12 22:31:38 | 00,000,000 | ---D | C] -- C:\MGtools
[2009/08/12 22:29:25 | 00,000,000 | ---D | C] -- C:\Users\The Snowdons\AppData\Roaming\Malwarebytes
[2009/08/12 22:29:22 | 00,000,818 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/08/12 22:29:20 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/08/12 22:29:19 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/08/12 22:29:19 | 00,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2009/08/12 22:29:18 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/08/12 22:28:26 | 00,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2009/08/12 22:28:16 | 00,000,902 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/08/12 22:28:15 | 00,000,000 | ---D | C] -- C:\Users\The Snowdons\AppData\Roaming\SUPERAntiSpyware.com
[2009/08/12 22:28:15 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/08/12 22:27:39 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2009/08/12 18:56:35 | 00,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\atl.dll
[2009/08/12 18:56:33 | 00,160,256 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wkssvc.dll
[2009/08/12 18:56:32 | 02,066,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstscax.dll
[2009/08/12 18:56:30 | 00,091,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\avifil32.dll
[2009/08/12 18:56:26 | 10,626,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmp.dll
[2009/08/12 18:56:25 | 00,313,344 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmpdxm.dll
[2009/08/12 18:56:25 | 00,007,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\spwmp.dll
[2009/08/12 18:56:21 | 00,004,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msdxm.ocx
[2009/08/12 18:56:21 | 00,004,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxmasf.dll
[2009/08/12 18:56:17 | 08,147,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmploc.DLL
[2009/08/12 18:56:17 | 00,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msdxm.tlb
[2009/08/12 18:56:17 | 00,018,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\amcompat.tlb
[2009/08/07 17:47:35 | 00,622,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\icardagt.exe
[2009/08/07 17:47:35 | 00,105,016 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationCFFRasterizerNative_v0300.dll
[2009/08/07 17:47:35 | 00,097,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\infocardapi.dll
[2009/08/07 17:47:35 | 00,043,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHostProxy.dll
[2009/08/07 17:47:35 | 00,037,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\infocardcpl.cpl
[2009/08/07 17:47:35 | 00,011,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\icardres.dll
[2009/08/07 17:47:34 | 00,781,344 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationNative_v0300.dll
[2009/08/07 17:47:33 | 00,326,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHost.exe
[2009/08/07 17:41:07 | 00,096,760 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dfshim.dll
[2009/08/07 17:41:06 | 00,282,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mscoree.dll
[2009/08/07 17:41:05 | 00,041,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\netfxperf.dll
[2009/08/07 17:40:54 | 00,158,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mscorier.dll
[2009/08/07 17:40:51 | 00,083,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mscories.dll
[2009/07/29 16:52:59 | 03,583,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.dll
[2009/07/29 16:52:58 | 06,069,248 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieframe.dll
[2009/07/29 16:52:58 | 00,146,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\occache.dll
[2009/07/29 16:52:57 | 01,166,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\urlmon.dll
[2009/07/29 16:52:57 | 00,827,904 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wininet.dll
[2009/07/29 16:52:57 | 00,458,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2009/07/29 16:52:57 | 00,389,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2009/07/29 16:52:57 | 00,270,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iertutil.dll
[2009/07/29 16:52:56 | 00,671,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2009/07/29 16:52:56 | 00,389,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec
[2009/07/29 16:52:56 | 00,230,400 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieaksie.dll
[2009/07/29 16:52:56 | 00,078,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieencode.dll
[2009/07/29 16:52:56 | 00,028,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2009/07/29 16:52:56 | 00,026,624 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2009/07/29 16:52:55 | 01,383,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2009/06/24 15:39:39 | 00,000,097 | ---- | C] () -- C:\Windows\System32\PICSDK.ini
[2009/06/24 15:35:11 | 00,000,025 | ---- | C] () -- C:\Windows\CDE SX200DEFGIPS.ini
[2009/04/14 15:41:49 | 00,717,296 | ---- | C] () -- C:\Windows\System32\drivers\sptd.sys
[2009/02/12 17:35:29 | 00,003,072 | ---- | C] () -- C:\Windows\System32\34CoInstaller.dll
[2008/12/05 21:29:19 | 00,000,000 | ---- | C] () -- C:\Windows\PTWebCam.INI
[2008/03/04 18:17:58 | 00,001,265 | ---- | C] () -- C:\Windows\disney.ini
[2008/01/17 00:17:23 | 00,164,352 | ---- | C] () -- C:\Windows\System32\unrar.dll
[2008/01/17 00:17:20 | 01,559,040 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2008/01/17 00:17:20 | 00,282,624 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2008/01/17 00:17:19 | 03,596,288 | ---- | C] () -- C:\Windows\System32\qt-dx331.dll
[2008/01/17 00:17:18 | 00,007,680 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2008/01/17 00:17:18 | 00,000,547 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll.manifest
[2008/01/16 21:09:55 | 00,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2006/11/02 13:35:32 | 00,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 11:23:31 | 00,000,219 | ---- | C] () -- C:\Windows\system.ini
[2006/11/02 11:23:31 | 00,000,168 | ---- | C] () -- C:\Windows\win.ini
[2006/11/02 08:40:29 | 00,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2004/03/26 10:56:40 | 00,017,191 | ---- | C] () -- C:\Windows\System32\lvcoinst.ini

========== Files - Modified Within 30 Days ==========

[1 C:\Windows\*.tmp files]
[2009/08/16 20:03:41 | 00,177,664 | ---- | M] () -- C:\Users\The Snowdons\Documents\snodes root repeal scan.doc
[2009/08/16 19:52:13 | 00,838,010 | ---- | M] () -- C:\Users\The Snowdons\Desktop\SecurityCheck.exe
[2009/08/16 19:51:41 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Users\The Snowdons\Desktop\OTL.exe
[2009/08/16 19:48:21 | 00,690,960 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2009/08/16 19:48:21 | 00,599,942 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2009/08/16 19:48:21 | 00,105,448 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2009/08/16 19:43:43 | 00,000,868 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job
[2009/08/16 19:41:19 | 00,004,176 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2009/08/16 19:41:19 | 00,004,176 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2009/08/16 19:41:17 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/08/16 19:41:15 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/08/16 19:38:04 | 03,934,607 | -H-- | M] () -- C:\Users\The Snowdons\AppData\Local\IconCache.db
[2009/08/16 19:36:55 | 00,465,298 | ---- | M] () -- C:\Users\The Snowdons\Desktop\RootRepeal.rar
[2009/08/16 19:34:41 | 00,000,000 | ---- | M] () -- C:\Users\The Snowdons\Desktop\settings.dat
[2009/08/16 18:50:07 | 00,001,874 | ---- | M] () -- C:\Users\The Snowdons\Desktop\HijackThis.lnk
[2009/08/16 18:43:36 | 00,000,818 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/08/16 18:42:53 | 03,942,048 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\The Snowdons\Desktop\mbam-setup.exe
[2009/08/16 17:38:46 | 39,893,964 | ---- | M] () -- C:\Windows\System32\drivers\Avg\incavi.avm
[2009/08/16 17:17:27 | 00,000,432 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{503AD6C4-E33D-4F0D-9A98-6601BC6AF1EF}.job
[2009/08/16 17:15:42 | 01,718,504 | ---- | M] () -- C:\Users\The Snowdons\Documents\Resident Shield File.csv
[2009/08/15 17:36:35 | 00,065,360 | ---- | M] () -- C:\Windows\System32\drivers\Avg\microavi.avg
[2009/08/14 23:28:42 | 00,001,267 | ---- | M] () -- C:\Windows\wininit.ini
[2009/08/13 20:36:41 | 00,001,085 | ---- | M] () -- C:\Users\The Snowdons\Desktop\Spybot - Search & Destroy.lnk
[2009/08/13 11:14:17 | 00,472,064 | ---- | M] ( ) -- C:\Users\The Snowdons\Desktop\RootRepeal.exe
[2009/08/12 22:35:43 | 00,123,416 | ---- | M] () -- C:\MGlogs.zip
[2009/08/12 22:28:16 | 00,000,902 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/08/11 22:35:59 | 00,007,592 | ---- | M] () -- C:\Users\The Snowdons\AppData\Local\d3d9caps.dat
[2009/08/03 13:36:28 | 00,038,160 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/08/03 13:36:06 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/07/30 01:49:14 | 24,281,536 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mrt.exe
[2009/07/28 16:59:15 | 00,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgldx86.sys
[2009/07/28 16:59:15 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgmfx86.sys
[2009/07/28 16:59:15 | 00,011,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\avgrsstx.dll
[2009/07/18 17:06:20 | 00,827,904 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wininet.dll
[2009/07/18 17:06:05 | 01,166,336 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\urlmon.dll
[2009/07/18 17:04:41 | 00,146,432 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\occache.dll
[2009/07/18 17:03:16 | 00,671,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2009/07/18 17:02:53 | 03,583,488 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mshtml.dll
[2009/07/18 17:02:50 | 00,458,240 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2009/07/18 17:02:05 | 00,028,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2009/07/18 17:01:49 | 06,069,248 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieframe.dll
[2009/07/18 17:01:49 | 00,270,848 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iertutil.dll
[2009/07/18 17:01:48 | 00,389,120 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2009/07/18 17:01:48 | 00,230,400 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieaksie.dll
[2009/07/18 17:01:48 | 00,078,336 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieencode.dll
[2009/07/18 11:16:01 | 00,389,632 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\html.iec
[2009/07/18 10:46:14 | 00,026,624 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2009/07/18 10:45:19 | 01,383,424 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb

========== LOP Check ==========

[2009/08/12 22:29:25 | 00,000,000 | ---D | M] -- C:\Users\The Snowdons\AppData\Roaming
[2008/04/30 18:07:00 | 00,000,000 | ---D | M] -- C:\Users\The Snowdons\AppData\Roaming\BT
[2009/02/12 18:05:28 | 00,000,000 | ---D | M] -- C:\Users\The Snowdons\AppData\Roaming\CyberLink
[2009/06/25 19:38:16 | 00,000,000 | ---D | M] -- C:\Users\The Snowdons\AppData\Roaming\EPSON
[2009/03/02 14:23:42 | 00,000,000 | ---D | M] -- C:\Users\The Snowdons\AppData\Roaming\GetRightToGo
[2009/08/14 01:12:53 | 00,000,000 | ---D | M] -- C:\Users\The Snowdons\AppData\Roaming\LimeWire
[2006/11/02 13:37:34 | 00,000,000 | ---D | M] -- C:\Users\The Snowdons\AppData\Roaming\Media Center Programs
[2008/12/10 21:03:58 | 00,000,000 | ---D | M] -- C:\Users\The Snowdons\AppData\Roaming\Motive
[2008/12/23 11:13:38 | 00,000,000 | ---D | M] -- C:\Users\The Snowdons\AppData\Roaming\OpenOffice.org
[2008/12/22 20:18:52 | 00,000,000 | ---D | M] -- C:\Users\The Snowdons\AppData\Roaming\OpenOffice.org2
[2009/06/08 10:52:23 | 00,000,000 | ---D | M] -- C:\Users\The Snowdons\AppData\Roaming\Snapfish
[2009/07/03 20:31:46 | 00,000,000 | ---D | M] -- C:\Users\The Snowdons\AppData\Roaming\Spotify
[2009/08/16 19:43:43 | 00,000,868 | ---- | M] () -- C:\Windows\Tasks\Google Software Updater.job
[2009/08/16 19:41:17 | 00,000,006 | -H-- | M] () -- C:\Windows\Tasks\SA.DAT
[2009/08/16 19:40:05 | 00,032,644 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2009/08/16 17:17:27 | 00,000,432 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{503AD6C4-E33D-4F0D-9A98-6601BC6AF1EF}.job

========== Purity Check ==========


< End of report >

OTL Extras logfile created on: 16/08/2009 20:05:01 - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Users\The Snowdons\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 0.63 Gb Available Physical Memory | 31.66% Memory free
4.00 Gb Paging File | 2.70 Gb Available in Paging File | 67.40% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 465.76 Gb Total Space | 410.19 Gb Free Space | 88.07% Space Free | Partition Type: NTFS
Drive D: | 83.13 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: THESNOWDONS-PC
Current User Name: The Snowdons
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"UacDisableNotify" = 0
"InternetSettingsDisableNotify" = 0
"AutoUpdateDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3188036164-2254565855-3087354152-1000]
"EnableNotifications" = 1
"EnableNotificationsRef" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{1CEAF944-7E3A-47BD-8E1E-4D439FEBE76D}" = protocol=17 | dir=in | app=c:\program files\ea games\battlefield 2\bf2.exe |
"{219DB089-D827-4C65-9A15-1C86053AEDE5}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{21AC4FE9-076F-4558-8374-ED4C7A8A158E}" = protocol=17 | dir=in | app=c:\program files\spotify\spotify.exe |
"{25A547BA-99D5-4963-8937-D8D1A3A5AB75}" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |
"{56CEA54E-4BA2-42AE-80C3-0CCB5D0F8AB0}" = protocol=17 | dir=in | app=c:\program files\electronic arts\battlefield 2142\bf2142.exe |
"{5EA0D9DA-E4F4-4A01-8A7C-2A430CAA1DBB}" = protocol=6 | dir=in | app=c:\program files\electronic arts\battlefield 2142\bf2142.exe |
"{6365E6D3-4AAC-4776-BE1B-ECD6BB8A6DB8}" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |
"{68EDB13D-55FA-4FAD-BC20-11BDC8C44849}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{6F2D15E3-5642-42B2-9BD7-A1A0914E5F8D}" = protocol=6 | dir=in | app=c:\program files\ea games\battlefield 2\bf2.exe |
"{716C83A0-25CC-425C-BA04-2A2D737D448C}" = dir=in | app=c:\program files\cyberlink\powercinema\powercinema.exe |
"{71C7E107-E1CF-4265-B619-2DE95CD57826}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{721B0B3F-7746-4452-9A9E-CCB6F66AC7CC}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{8B5A8E22-05AB-4DC0-AABF-DE647AF9C6A8}" = dir=in | app=c:\program files\avg\avg8\avgupd.exe |
"{9798BBC5-E88C-465C-A38E-08B186510FC9}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{9813F34A-5025-447B-B7EE-3CDFD0974FE5}" = dir=in | app=c:\program files\cyberlink\powercinema\pcmservice.exe |
"{9BBE6F3C-38AB-443B-9D6B-D662D12B456E}" = dir=in | app=c:\program files\cyberlink\powercinema\kernel\dms\clmsservice.exe |
"{A9E9F58C-5E3E-4A1A-BFF4-A7347FEC42A2}" = dir=in | app=c:\program files\avg\avg8\avgnsx.exe |
"{AD407AA1-7ABB-4615-827A-0B38E4766EA2}" = dir=in | app=c:\program files\cyberlink\powercinema\kernel\dmp\clbrowserengine.exe |
"{B5A3D751-363D-4DBB-B401-EE420DAB0ECA}" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |
"{E7EF44B8-3A81-4DF2-BBAF-D2097C2F01AE}" = protocol=6 | dir=in | app=c:\program files\spotify\spotify.exe |
"{F140A53D-01F0-4CC3-89C0-DED733A573E0}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{F49030BC-7E6A-4771-9328-DB2E2F9F8F6C}" = dir=in | app=c:\program files\avg\avg8\avgemc.exe |
"{FFF463A2-F558-40AE-A9AB-A59CE5B03199}" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |
"TCP Query User{2F343A53-4F11-40C9-B34F-FA084B1D0B74}C:\program files\activision\call of duty 2\cod2mp_s.exe" = protocol=6 | dir=in | app=c:\program files\activision\call of duty 2\cod2mp_s.exe |
"TCP Query User{7CC2F55B-2B39-4C6F-997F-7EE3E9C145EC}C:\program files\real alternative\media player classic\mplayerc.exe" = protocol=6 | dir=in | app=c:\program files\real alternative\media player classic\mplayerc.exe |
"TCP Query User{DCE2FB4E-F9E6-4637-8D2E-B1127B2931FD}C:\program files\bt broadband desktop help\btbb\bthelpbrowser.exe" = protocol=6 | dir=in | app=c:\program files\bt broadband desktop help\btbb\bthelpbrowser.exe |
"TCP Query User{DEB03E3A-EF24-4208-B8A1-25BDCA49867D}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{DEF038C6-43F8-4689-B85D-F1C3FB7C1836}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{2B0B04DC-3671-4EC4-BBDA-38C0EFDD3DE3}C:\program files\activision\call of duty 2\cod2mp_s.exe" = protocol=17 | dir=in | app=c:\program files\activision\call of duty 2\cod2mp_s.exe |
"UDP Query User{A56CE644-C614-4E8D-9BE9-C6F6BEDB10D4}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{AC179E22-99A3-4121-8BBA-1B1AF801D1A4}C:\program files\real alternative\media player classic\mplayerc.exe" = protocol=17 | dir=in | app=c:\program files\real alternative\media player classic\mplayerc.exe |
"UDP Query User{AD228BD7-82A8-4920-8D5E-4D1BBF4E747A}C:\program files\bt broadband desktop help\btbb\bthelpbrowser.exe" = protocol=17 | dir=in | app=c:\program files\bt broadband desktop help\btbb\bthelpbrowser.exe |
"UDP Query User{E10CA6EE-A3E8-4150-B2B4-ACE5FBD870AC}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{04858915-9F49-4B2A-AED4-DC49A7DE6A7B}" = Battlefield 2™
"{062BFFA1-0CCC-400B-B840-F162328D8C00}" = winLAME prerelease4
"{10631C28-62E5-477C-9B40-40C5EA8219BE}" = Black & White® 2 Battle of the Gods
"{15D9EB74-998E-4A04-B468-51C2E7B32182}" = Microsoft Picture It! Publishing 2001
"{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}" = Adobe AIR
"{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}" = Google Earth
"{20C45B32-5AB6-46A4-94EF-58950CAF05E5}" = EPSON Attach To Email
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
"{2604C0F9-BFD3-4BA0-9EB5-22537C648F03}" = MobileMe Control Panel
"{2637C347-9DAD-11D6-9EA2-00055D0CA761}" = PowerCinema
"{2A88F1BF-7041-4E42-84B1-6B4ACB83AC64}" = EPSON Scan Assistant
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{3F927DF0-D056-466F-B4B8-61804D5B6351}" = 913D Camera
"{42EDF895-158C-484E-A7F2-42B90759F281}" = Camera RAW Plug-In for EPSON Creativity Suite
"{46CBBDF8-55B5-40DB-B459-7B848394309C}" = EPSON File Manager
"{4D719053-5593-11D3-8F25-0060085C1758}" = Microsoft AutoRoute 2001
"{50D4CB89-AF34-4978-96DC-C3034062E901}" = Battlefield 2: Special Forces
"{5EFCBB42-36AB-4FF9-B90C-E78C7B9EE7B3}" = iTunes
"{5F629FE8-5B4C-4863-937A-AFC2961F7DD3}" = Microsoft Works Suite Add-in for Microsoft Word
"{626F32D6-007C-41D5-8157-9509AB1428BE}" = Unreal II
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}" = Power Tab Editor 1.7
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{8A8F8391-4C2C-4BE1-A984-CD4A5A546467}" = EPSON Easy Photo Print
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{AFA20D47-69C3-4030-8DF8-D37466E70F13}" = Apple Mobile Device Support
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D70666B2-7E6B-46F0-85E2-06C30C1269C0}" = ASUS MyCinema Series
"{D9E52CD1-9DF1-4A8A-9BDC-1E5E53982F2B}" = Black & White® 2
"{E0DF9B8E-0D6D-45C6-B3C8-5CBD30C0F1CC}" = Sensible Soccer 2006
"{ECA1A3B6-898F-4DCE-9F04-714CF3BA126B}" = Adobe Flash Player 10 Plugin
"{ED50ECE9-EC54-4C05-B5ED-EE4741A9F2EC}" = Battlefield 2142
"{FC4F90EC-B1DA-11D9-9D77-000129760D75}" = PowerCinema MakeDisc Module
"7-Zip" = 7-Zip 4.57
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"Audacity_is1" = Audacity 1.2.6
"AVG8Uninstall" = AVG 8.5
"BT Broadband Desktop Help" = BT Broadband Desktop Help
"BT Broadband Talk Softphone Frontier_is1" = BT Broadband Talk Softphone 3.1
"BT Wireless Connection Manager" = BT Wireless Connection Manager
"BTHomeHub" = BTHomeHub
"CCleaner" = CCleaner (remove only)
"Disney's Princess Fashion Boutique" = Disney's Princess Fashion Boutique
"EPSON Scanner" = EPSON Scan
"EPSON Stylus SX200 Series" = EPSON Stylus SX200 Series Printer Uninstall
"EPSON Stylus SX200_SX400_TX200_TX400 User’s Guide" = EPSON Stylus SX200_SX400_TX200_TX400 Manual
"File Shredder_is1" = File Shredder 2.0
"FoneSync" = FoneSync
"Google Updater" = Google Updater
"HijackThis" = HijackThis 2.0.2
"InstallShield_{20C45B32-5AB6-46A4-94EF-58950CAF05E5}" = EPSON Attach To Email
"KLiteCodecPack_is1" = K-Lite Codec Pack 3.6.5 Full
"LimeWire" = LimeWire 5.1.2
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"NVIDIA Drivers" = NVIDIA Drivers
"PhoTagsExpress" = PhoTags Express
"RealAlt_is1" = Real Alternative 1.7.5
"Shockwave" = Shockwave
"Spotify" = Spotify
"SystemRequirementsLab" = System Requirements Lab
"Warblade_is1" = Warblade
"WinRAR archiver" = WinRAR archiver
"Works2001Setup" = Microsoft Works 2001 Setup Launcher
"Yahoo! Applications" = BT Yahoo! Applications
"Yahoo! Toolbar" = Yahoo! Toolbar

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 15/08/2009 14:13:35 | Computer Name = TheSnowdons-PC | Source = System Restore | ID = 8193
Description =

Error - 15/08/2009 14:13:35 | Computer Name = TheSnowdons-PC | Source = System Restore | ID = 8210
Description =

Error - 15/08/2009 15:08:56 | Computer Name = TheSnowdons-PC | Source = SPP | ID = 16387
Description =

Error - 15/08/2009 15:08:56 | Computer Name = TheSnowdons-PC | Source = System Restore | ID = 8193
Description =

Error - 15/08/2009 15:08:56 | Computer Name = TheSnowdons-PC | Source = System Restore | ID = 8210
Description =

Error - 16/08/2009 12:19:09 | Computer Name = TheSnowdons-PC | Source = SPP | ID = 16387
Description =

Error - 16/08/2009 12:19:09 | Computer Name = TheSnowdons-PC | Source = System Restore | ID = 8193
Description =

Error - 16/08/2009 13:22:31 | Computer Name = TheSnowdons-PC | Source = Application Hang | ID = 1002
Description = The program mbam.exe version 1.40.0.0 stopped interacting with Windows
and was closed. To see if more information about the problem is available, check
the problem history in the Problem Reports and Solutions control panel. Process
ID: 184 Start Time: 01ca1e93b233f376 Termination Time: 60000

Error - 16/08/2009 13:23:13 | Computer Name = TheSnowdons-PC | Source = Application Hang | ID = 1002
Description = The program Explorer.EXE version 6.0.6001.18164 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Problem Reports and Solutions control panel. Process
ID: e88 Start Time: 01ca1e929401b9ac Termination Time: 17875

Error - 16/08/2009 13:50:51 | Computer Name = TheSnowdons-PC | Source = Application Hang | ID = 1002
Description = The program mbam.exe version 1.40.0.0 stopped interacting with Windows
and was closed. To see if more information about the problem is available, check
the problem history in the Problem Reports and Solutions control panel. Process
ID: 970 Start Time: 01ca1e992531995f Termination Time: 60000

[ Media Center Events ]
Error - 15/08/2009 04:43:27 | Computer Name = TheSnowdons-PC | Source = ehRecvr | ID = 4
Description =

Error - 15/08/2009 12:38:29 | Computer Name = TheSnowdons-PC | Source = ehRecvr | ID = 4
Description =

Error - 15/08/2009 13:29:35 | Computer Name = TheSnowdons-PC | Source = ehRecvr | ID = 4
Description =

Error - 15/08/2009 14:43:20 | Computer Name = TheSnowdons-PC | Source = ehRecvr | ID = 4
Description =

Error - 16/08/2009 12:18:05 | Computer Name = TheSnowdons-PC | Source = ehRecvr | ID = 4
Description =

Error - 16/08/2009 12:40:15 | Computer Name = TheSnowdons-PC | Source = ehRecvr | ID = 4
Description =

Error - 16/08/2009 12:46:56 | Computer Name = TheSnowdons-PC | Source = ehRecvr | ID = 4
Description =

Error - 16/08/2009 12:59:49 | Computer Name = TheSnowdons-PC | Source = ehRecvr | ID = 4
Description =

Error - 16/08/2009 13:31:04 | Computer Name = TheSnowdons-PC | Source = ehRecvr | ID = 4
Description =

Error - 16/08/2009 14:01:12 | Computer Name = TheSnowdons-PC | Source = ehRecvr | ID = 4
Description =

[ System Events ]
Error - 16/08/2009 13:27:32 | Computer Name = TheSnowdons-PC | Source = Microsoft-Windows-Kernel-Processor-Power | ID = 6
Description =

Error - 16/08/2009 13:27:49 | Computer Name = TheSnowdons-PC | Source = HTTP | ID = 15016
Description =

Error - 16/08/2009 13:28:08 | Computer Name = TheSnowdons-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 16/08/2009 13:56:21 | Computer Name = TheSnowdons-PC | Source = DCOM | ID = 10010
Description =

Error - 16/08/2009 13:57:39 | Computer Name = TheSnowdons-PC | Source = Microsoft-Windows-Kernel-Processor-Power | ID = 6
Description =

Error - 16/08/2009 13:57:56 | Computer Name = TheSnowdons-PC | Source = HTTP | ID = 15016
Description =

Error - 16/08/2009 13:58:14 | Computer Name = TheSnowdons-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 16/08/2009 14:41:01 | Computer Name = TheSnowdons-PC | Source = Microsoft-Windows-Kernel-Processor-Power | ID = 6
Description =

Error - 16/08/2009 14:41:17 | Computer Name = TheSnowdons-PC | Source = HTTP | ID = 15016
Description =

Error - 16/08/2009 14:41:32 | Computer Name = TheSnowdons-PC | Source = Service Control Manager | ID = 7026
Description =


< End of report >

snodes
Hi Maurice,

Only OTL would run - Rootrepeal froze when scanning and Security check wouldn't because an error message relating to the malware kept spooling. I took screen prints of where root repeal got to and the error message on Security check - root repeal one attached here and I'll see if I can get the size of the security check one down so that can be attached.
Maurice Naggar
Howdy,

That was a handy screen capture you made. Let's see if we can quash just enough of the SKYNET rootkit so we can go forward.

Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • RIGHT-click on avenger.exe and select Run As Administrator to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    CODE
    Files to delete:
    C:\Windows\System32\drivers\SKYNETpfnobsxb.sys
    C:\Windows\System32\SKYNETitmhrfex.dat
    C:\Windows\System32\SKYNETriwdkeye.dll
    C:\Windows\System32\SKYNETvpjedeqn.dll
    C:\Windows\System32\SKYNETxpoiqjup.dat
    C:\Windows\Temp\ReadyBoot.etl

    Drivers to delete:
    SKYNETserv
    SKYNET
    SKYNETpfnobsxb.sys
    tdss
    tdssserv
    TDSSserv.SYS

    Folders to delete:
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler
  • In the avenger window, click the Paste Script from Clipboard icon, button.
  • :!: Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.
If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description, and then reboot the system again.
=

Download GMER Rootkit Scanner from here or here. Unzip it to your Desktop.

========================================================

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

========================================================


RIGHT-click gmer.exe and select Run As Administrator. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst


If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click Yes.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.


=

Reply with copy of C:\Avenger.txt
and the Gmer.txt
snodes
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "a285ucso" found!
Could not open driver a285ucso for rootkit scan. Error:c0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Rootkit scan completed.

<Edited to remove items not found. ~ Maurice

Completed script processing.

*******************

Finished! Terminate.
snodes
GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-17 22:29:36
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.15 ----

INT 0x52 ? 84C69F00
INT 0x62 ? 84C69F00
INT 0x72 ? 84C69F00
INT 0x82 ? 84C69F00
INT 0x82 ? 84C69F00
INT 0x82 ? 84C69F00
INT 0x82 ? 84C69F00
INT 0xA2 ? 83C5ABF8
INT 0xB2 ? 83C5ABF8
INT 0xB2 ? 83C5ABF8
INT 0xB2 ? 84C69F00
INT 0xB2 ? 83C5ABF8

---- Kernel code sections - GMER 1.0.15 ----

? System32\Drivers\spls.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 8813A46F 5 Bytes JMP 84C694E0
.text a9vh0ccg.SYS 881A3000 22 Bytes [26, E2, 1C, 82, 10, E1, 1C, ...]
.text a9vh0ccg.SYS 881A3017 78 Bytes [00, 32, 67, B9, 87, 3D, 65, ...]
.text a9vh0ccg.SYS 881A3066 66 Bytes [E1, 81, C8, 4B, E6, 81, 30, ...]
.text a9vh0ccg.SYS 881A30A9 35 Bytes [10, E6, 81, A0, 07, E6, 81, ...]
.text a9vh0ccg.SYS 881A30CE 10 Bytes [00, 00, 00, 00, 00, 00, 6D, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; INSD ; POPF ; SCASB ; DEC EAX}
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [87A8D6D2] \SystemRoot\System32\Drivers\spls.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [87A8D040] \SystemRoot\System32\Drivers\spls.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [87A8D7FC] \SystemRoot\System32\Drivers\spls.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [87A8D0BE] \SystemRoot\System32\Drivers\spls.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [87A8D13C] \SystemRoot\System32\Drivers\spls.sys
IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortNotification] 009E840F
IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortWritePortUchar] 8B660000
IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortWritePortUlong] 89662448
IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 4D8BE84D
IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 02C183E8
IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortGetScatterGatherList] EA4D8966
IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortReadPortUchar] 0320488B
IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortStallExecution] 08458DC8
IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortGetParentBusType] 8D575750
IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortRequestCallback] 6850F045
IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortWritePortBufferUshort] B0020000
IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortGetUnCachedExtension] 50E8458D
IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortCompleteRequest] 8FBC35FF
IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortMoveMemory] 4D89881C
IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 45C757EC
IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 000001F0
IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] E5FEE800
IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortReadPortUshort] C73B0001
IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortReadPortBufferUshort] C8A14675
IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortInitialize] 6A881C8F
IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortGetDeviceBase] 9A888D52
IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortDeviceStateChange] 83000000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 84A1E1F8
Device \Driver\volmgr \Device\VolMgrControl 83C5C1F8
Device \Driver\usbuhci \Device\USBPDO-0 84E3D1F8
Device \Driver\usbuhci \Device\USBPDO-1 84E3D1F8
Device \Driver\usbuhci \Device\USBPDO-2 84E3D1F8
Device \Driver\PCI_PNP1904 \Device\00000046 spls.sys
Device \Driver\usbuhci \Device\USBPDO-3 84E3D1F8
Device \Driver\USBSTOR \Device\00000061 84D1D1F8
Device \Driver\usbehci \Device\USBPDO-4 84D293A0
Device \Driver\USBSTOR \Device\00000062 84D1D1F8
Device \Driver\usbuhci \Device\USBPDO-5 84E3D1F8
Device \Driver\USBSTOR \Device\00000063 84D1D1F8
Device \Driver\usbuhci \Device\USBPDO-6 84E3D1F8
Device \Driver\volmgr \Device\HarddiskVolume1 83C5C1F8
Device \Driver\USBSTOR \Device\00000064 84D1D1F8
Device \Driver\usbehci \Device\USBPDO-7 84D293A0
Device \Driver\cdrom \Device\CdRom0 84DAC1F8
Device \Driver\volmgr \Device\HarddiskVolume2 83C5C1F8
Device \Driver\USBSTOR \Device\00000065 84D1D1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 84A1D1F8
Device \Driver\atapi \Device\Ide\IdePort0 84A1D1F8
Device \Driver\atapi \Device\Ide\IdePort1 84A1D1F8
Device \Driver\atapi \Device\Ide\IdePort2 84A1D1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-2 84A1D1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-1 84A1D1F8
Device \Driver\cdrom \Device\CdRom1 84DAC1F8
Device \Driver\volmgr \Device\HarddiskVolume3 83C5C1F8
Device \Driver\cdrom \Device\CdRom2 84DAC1F8
Device \Driver\volmgr \Device\HarddiskVolume4 83C5C1F8
Device \Driver\volmgr \Device\HarddiskVolume5 83C5C1F8
Device \Driver\volmgr \Device\HarddiskVolume6 83C5C1F8
Device \Driver\iScsiPrt \Device\RaidPort0 84DB21F8
Device \Driver\USBSTOR \Device\0000006a 84D1D1F8
Device \Driver\usbuhci \Device\USBFDO-0 84E3D1F8
Device \Driver\USBSTOR \Device\0000006c 84D1D1F8
Device \Driver\usbuhci \Device\USBFDO-1 84E3D1F8
Device \Driver\usbuhci \Device\USBFDO-2 84E3D1F8
Device \Driver\usbuhci \Device\USBFDO-3 84E3D1F8
Device \Driver\usbehci \Device\USBFDO-4 84D293A0
Device \Driver\sptd \Device\2960055654 spls.sys
Device \Driver\usbuhci \Device\USBFDO-5 84E3D1F8
Device \Driver\usbuhci \Device\USBFDO-6 84E3D1F8
Device \Driver\usbehci \Device\USBFDO-7 84D293A0
Device \Driver\a9vh0ccg \Device\Scsi\a9vh0ccg1 84DAD1F8
Device \Driver\a9vh0ccg \Device\Scsi\a9vh0ccg1Port4Path0Target0Lun0 84DAD1F8
Device \FileSystem\cdfs \Cdfs 8509B500

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\drivers\SKYNETpfnobsxb.sys (*** hidden *** ) [SYSTEM] SKYNETstglbkdq <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq@imagepath \systemroot\system32\drivers\SKYNETpfnobsxb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq\main@aid 10002
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq\main@sid 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETpfnobsxb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq\modules@SKYNETcmd.dll \systemroot\system32\SKYNETriwdkeye.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq\modules@SKYNETlog.dat \systemroot\system32\SKYNETitmhrfex.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq\modules@SKYNETwsp.dll \systemroot\system32\SKYNETvpjedeqn.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq\modules@SKYNET.dat \systemroot\system32\SKYNETxpoiqjup.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x03 0x7A 0x2A 0x1D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x42 0x31 0xE8 0xE5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x10 0x4C 0xF9 0x01 ...
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETstglbkdq@start 1
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETstglbkdq@type 1
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETstglbkdq@group file system
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETstglbkdq@imagepath \systemroot\system32\drivers\SKYNETpfnobsxb.sys
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETstglbkdq\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETstglbkdq\main@aid 10002
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETstglbkdq\main@sid 1
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETstglbkdq\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETstglbkdq\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETstglbkdq\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETstglbkdq\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETstglbkdq\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETstglbkdq\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETstglbkdq\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETpfnobsxb.sys
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETstglbkdq\modules@SKYNETcmd.dll \systemroot\system32\SKYNETriwdkeye.dll
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETstglbkdq\modules@SKYNETlog.dat \systemroot\system32\SKYNETitmhrfex.dat
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETstglbkdq\modules@SKYNETwsp.dll \systemroot\system32\SKYNETvpjedeqn.dll
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETstglbkdq\modules@SKYNET.dat \systemroot\system32\SKYNETxpoiqjup.dat
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x03 0x7A 0x2A 0x1D ...
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x42 0x31 0xE8 0xE5 ...
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x10 0x4C 0xF9 0x01 ...

---- EOF - GMER 1.0.15 ----
snodes
Thanks for your ongoing help Maurice.

As some supplementary info, the first time I rebooted after running Avenger I still had the same messages about Skynet coming up from Windows and my AVG resident shield. I then ran GMER which had a blue screen error and crashed, my PC restarted and I chose safe mode, ran it again to get the above txt and the SKYNET messages seem to have gone now I've rebooted normally.
Maurice Naggar
You've done well. That is good information from the Gmer log and you recovered well.
I want to follow up with a bit more cleaning for this rootkit.

  • RIGHT-click on avenger.exe and select Run As Administrator to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    CODE
    Files to delete:
    C:\Windows\system32\drivers\SKYNETpfnobsxb.sys
    C:\Windows\system32\SKYNETriwdkeye.dll
    C:\Windows\system32\SKYNETitmhrfex.dat
    C:\Windows\system32\SKYNETvpjedeqn.dll
    C:\Windows\system32\SKYNETxpoiqjup.dat
    C:\Windows\system32\SKYNETwsp.dll
    C:\Windows\System32\drivers\a285ucso.sys

    Drivers to delete:
    SKYNETstglbkdq
    a285ucso
  • In the avenger window, click the Paste Script from Clipboard icon, button.
  • :!: Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.
If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description, and then reboot the system again.
=

Next, a new run of Gmer

========================================================

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

========================================================


RIGHT-click gmer.exe and select Run As Administrator. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst


If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click Yes.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.


=

Reply with copy of C:\Avenger.txt
and the Gmer.txt
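As an added example (not code from this thread, nor from the GMER or Avenger authors), the Python script below pulls the hidden-service line and the registry values GMER listed beneath it out of a log in the format posted above, and assembles the "Files to delete" / "Drivers to delete" lists that the Avenger script in this reply was written from by hand. The log excerpt inside it is constructed from entries in the thread; mapping \systemroot to C:\Windows and resolving the bare injector DLL name into system32 are assumptions.

```python
import re
from collections import OrderedDict

# Constructed excerpt in the GMER 1.0.15 log format used in this thread
# (one hidden service plus the registry values GMER listed beneath it).
SAMPLE_GMER_LOG = r"""
---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\drivers\SKYNETpfnobsxb.sys (*** hidden *** ) [SYSTEM] SKYNETstglbkdq <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq@imagepath \systemroot\system32\drivers\SKYNETpfnobsxb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETpfnobsxb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq\modules@SKYNETcmd.dll \systemroot\system32\SKYNETriwdkeye.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETstglbkdq\modules@SKYNETlog.dat \systemroot\system32\SKYNETitmhrfex.dat
"""

# "Service <image> (*** hidden *** ) [<start>] <name> <-- ROOTKIT !!!"
SERVICE_RE = re.compile(
    r"^Service (?P<image>\S+) \(\*\*\* hidden \*\*\* \) \[\w+\] (?P<name>\S+) <-- ROOTKIT")
# "Reg <key>@<value> <data>"; lines naming only a key (no '@') carry no data
REG_VALUE_RE = re.compile(r"^Reg (?P<key>\S+)@(?P<value>\S+)\s+(?P<data>.*\S)\s*$")
# Service name and the sub-key path under it, in any ControlSet
SERVICE_KEY_RE = re.compile(
    r"\\Services\\(?P<svc>[^\\]+)(?P<sub>(?:\\[^\\]+)*)$", re.IGNORECASE)


def hidden_rootkit_services(log):
    """Map service name -> image path for each service GMER flags as hidden."""
    found = OrderedDict()
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            found[m.group("name")] = m.group("image")
    return found


def registry_values(log):
    """Yield (key, value name, data) for every 'Reg ...@... data' line."""
    for line in log.splitlines():
        m = REG_VALUE_RE.match(line.strip())
        if m:
            yield m.group("key"), m.group("value"), m.group("data")


def resolve_path(data, systemroot=r"C:\Windows"):
    """GMER prints NT-style \\systemroot paths; map them back to Win32 paths (assumed C:\\Windows)."""
    if data.lower().startswith("\\systemroot\\"):
        return systemroot + data[len("\\systemroot"):]
    return data


def build_avenger_script(log, systemroot=r"C:\Windows"):
    """Build the Avenger 'Files to delete' / 'Drivers to delete' lists from a GMER log."""
    services = hidden_rootkit_services(log)
    by_lower = {name.lower(): name for name in services}
    files = OrderedDict()                       # lower-cased path -> path, keeps first spelling
    for image in services.values():
        files.setdefault(image.lower(), image)
    for key, value, data in registry_values(log):
        km = SERVICE_KEY_RE.search(key)
        if not km or km.group("svc").lower() not in by_lower:
            continue                            # value belongs to a service GMER did not flag
        sub = km.group("sub").lower()
        if (sub == "" and value.lower() == "imagepath") or sub == "\\modules":
            path = resolve_path(data, systemroot)
        elif sub == "\\main\\injector":
            # bare DLL name; assumed to live in system32, as the analyst in the thread did by hand
            path = systemroot + "\\system32\\" + data
        else:
            continue                            # start/type/group/cmddelay etc. are not files
        files.setdefault(path.lower(), path)
    lines = ["Files to delete:"] + list(files.values())
    lines += ["", "Drivers to delete:"] + list(services)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_avenger_script(SAMPLE_GMER_LOG))
```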
snodes
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\Windows\system32\drivers\SKYNETpfnobsxb.sys" deleted successfully.
File "C:\Windows\system32\SKYNETriwdkeye.dll" deleted successfully.
File "C:\Windows\system32\SKYNETitmhrfex.dat" deleted successfully.
File "C:\Windows\system32\SKYNETvpjedeqn.dll" deleted successfully.
File "C:\Windows\system32\SKYNETxpoiqjup.dat" deleted successfully.

Error: file "C:\Windows\system32\SKYNETwsp.dll" not found!
Deletion of file "C:\Windows\system32\SKYNETwsp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\System32\drivers\a285ucso.sys" not found!
Deletion of file "C:\Windows\System32\drivers\a285ucso.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Driver "SKYNETstglbkdq" deleted successfully.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\a285ucso" not found!
Deletion of driver "a285ucso" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-18 19:16:05
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.15 ----

INT 0x52 ? 86025BF8
INT 0x62 ? 86025BF8
INT 0x62 ? 86025BF8
INT 0x62 ? 86025BF8
INT 0x62 ? 86025BF8
INT 0x82 ? 86025BF8
INT 0xA2 ? 8428DBF8
INT 0xA3 ? 86025BF8
INT 0xB2 ? 8428DBF8
INT 0xB2 ? 8428DBF8
INT 0xB2 ? 86025BF8
INT 0xB2 ? 8428DBF8
INT 0xB3 ? 86025BF8

---- Kernel code sections - GMER 1.0.15 ----

? system32\drivers\qtlt.sys The system cannot find the path specified. !
? System32\Drivers\spxq.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 8814446F 5 Bytes JMP 860251D8
.text akvuxe3p.SYS 8CD75000 22 Bytes [26, E2, E0, 81, 10, E1, E0, ...]
.text akvuxe3p.SYS 8CD75017 67 Bytes [00, 32, 17, 7A, 80, 3D, 15, ...]
.text akvuxe3p.SYS 8CD7505B 77 Bytes [82, A9, E4, 02, 82, F0, C2, ...]
.text akvuxe3p.SYS 8CD750A9 35 Bytes CALL 759EF12F
.text akvuxe3p.SYS 8CD750CE 10 Bytes [00, 00, 00, 00, 00, 00, 6D, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; INSD ; POPF ; SCASB ; DEC EAX}
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[3660] USER32.dll!DialogBoxIndirectParamW 76DCBD25 5 Bytes JMP 6D290696 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3660] USER32.dll!DialogBoxParamW 76DE1FD5 5 Bytes JMP 6D290620 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3660] USER32.dll!DialogBoxParamA 76E080B2 5 Bytes JMP 6D29065B C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3660] USER32.dll!DialogBoxIndirectParamA 76E083DD 5 Bytes JMP 6D2906D1 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3660] USER32.dll!MessageBoxIndirectA 76E1D471 5 Bytes JMP 6D2905DC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3660] USER32.dll!MessageBoxIndirectW 76E1D56B 5 Bytes JMP 6D290598 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3660] USER32.dll!MessageBoxExA 76E1D5D1 5 Bytes JMP 6D29055E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3660] USER32.dll!MessageBoxExW 76E1D5F5 5 Bytes JMP 6D290524 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3660] ole32.dll!OleLoadFromStream 760A9726 5 Bytes JMP 6D290893 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [806986D2] \SystemRoot\System32\Drivers\spxq.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [80698040] \SystemRoot\System32\Drivers\spxq.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [806987FC] \SystemRoot\System32\Drivers\spxq.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [806980BE] \SystemRoot\System32\Drivers\spxq.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8069813C] \SystemRoot\System32\Drivers\spxq.sys
IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortNotification] 009E840F
IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortWritePortUchar] 8B660000
IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortWritePortUlong] 89662448
IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 4D8BE84D
IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 02C183E8
IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortGetScatterGatherList] EA4D8966
IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortReadPortUchar] 0320488B
IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortStallExecution] 08458DC8
IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortGetParentBusType] [8D575750] \SystemRoot\system32\drivers\luafv.sys (LUA File Virtualization Filter Driver/Microsoft Corporation)
IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortRequestCallback] 6850F045
IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortWritePortBufferUshort] B0020000
IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortGetUnCachedExtension] 50E8458D
IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortCompleteRequest] AFBC35FF
IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortMoveMemory] 4D898CD9
IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 45C757EC
IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 000001F0
IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] E5FEE800
IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortReadPortUshort] C73B0001
IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortReadPortBufferUshort] C8A14675
IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortInitialize] 6A8CD9AF
IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortGetDeviceBase] 9A888D52
IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortDeviceStateChange] 83000000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 84C1B1F8
Device \Driver\volmgr \Device\VolMgrControl 8428F1F8
Device \Driver\usbuhci \Device\USBPDO-0 85EDF1F8
Device \Driver\usbuhci \Device\USBPDO-1 85EDF1F8
Device \Driver\usbuhci \Device\USBPDO-2 85EDF1F8
Device \Driver\usbuhci \Device\USBPDO-3 85EDF1F8
Device \Driver\PCI_PNP9696 \Device\00000047 spxq.sys
Device \Driver\usbehci \Device\USBPDO-4 85EE01F8

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBPDO-5 85EDF1F8
Device \Driver\usbuhci \Device\USBPDO-6 85EDF1F8
Device \Driver\USBSTOR \Device\00000063 8647F1F8
Device \Driver\volmgr \Device\HarddiskVolume1 8428F1F8
Device \Driver\netbt \Device\NetBT_Tcpip_{7E145A8F-A9BB-460D-BBBF-60406E8A32F3} 864241F8
Device \Driver\USBSTOR \Device\00000064 8647F1F8
Device \Driver\usbehci \Device\USBPDO-7 85EE01F8
Device \Driver\volmgr \Device\HarddiskVolume2 8428F1F8
Device \Driver\cdrom \Device\CdRom0 8614C1F8
Device \Driver\USBSTOR \Device\00000065 8647F1F8
Device \Driver\volmgr \Device\HarddiskVolume3 8428F1F8
Device \Driver\cdrom \Device\CdRom1 8614C1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 84C1A1F8
Device \Driver\atapi \Device\Ide\IdePort0 84C1A1F8
Device \Driver\atapi \Device\Ide\IdePort1 84C1A1F8
Device \Driver\atapi \Device\Ide\IdePort2 84C1A1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 84C1A1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 84C1A1F8
Device \Driver\USBSTOR \Device\00000066 8647F1F8
Device \Driver\volmgr \Device\HarddiskVolume4 8428F1F8
Device \Driver\cdrom \Device\CdRom2 8614C1F8
Device \Driver\USBSTOR \Device\00000067 8647F1F8
Device \Driver\USBSTOR \Device\00000074 8647F1F8
Device \Driver\volmgr \Device\HarddiskVolume5 8428F1F8
Device \Driver\volmgr \Device\HarddiskVolume6 8428F1F8
Device \Driver\USBSTOR \Device\00000076 8647F1F8
Device \Driver\netbt \Device\NetBt_Wins_Export 864241F8
Device \Driver\Smb \Device\NetbiosSmb 864011F8
Device \Driver\iScsiPrt \Device\RaidPort0 85ECF1F8

AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\sptd \Device\3328369696 spxq.sys
Device \Driver\usbuhci \Device\USBFDO-0 85EDF1F8
Device \Driver\usbuhci \Device\USBFDO-1 85EDF1F8
Device \Driver\usbuhci \Device\USBFDO-2 85EDF1F8
Device \Driver\usbuhci \Device\USBFDO-3 85EDF1F8
Device \Driver\usbehci \Device\USBFDO-4 85EE01F8
Device \Driver\usbuhci \Device\USBFDO-5 85EDF1F8
Device \Driver\usbuhci \Device\USBFDO-6 85EDF1F8
Device \Driver\usbehci \Device\USBFDO-7 85EE01F8
Device \Driver\akvuxe3p \Device\Scsi\akvuxe3p1Port4Path0Target0Lun0 85ECD1F8
Device \Driver\akvuxe3p \Device\Scsi\akvuxe3p1 85ECD1F8
Device \FileSystem\cdfs \Cdfs 847B41F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x03 0x7A 0x2A 0x1D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x42 0x31 0xE8 0xE5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x10 0x4C 0xF9 0x01 ...
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x03 0x7A 0x2A 0x1D ...
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x42 0x31 0xE8 0xE5 ...
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x10 0x4C 0xF9 0x01 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Service\Scheduler@Heartbeat 0x77 0xF6 0x4D 0x43 ...

---- EOF - GMER 1.0.15 ----
snodes
2nd Avenger and GMER reports attached, Maurice.

Thanks
Maurice Naggar
Hello, please go forward & run the following:

You will want to print out or copy these instructions to Notepad for offline reference!

If you are a casual viewer, do NOT try this on your system!
If you are not snodes and have a similar problem, do NOT post here; start your own topic


Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1
Link 2
Link 3

* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator

At the command-prompt window, type in the following to begin Combofix:
C:\Users\The Snowdons\Desktop\Combo-Fix.exe

and press the Enter key.

  • A window may open with a warning. Type "1" (and Enter) to start the fix. When the scan completes, Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.
A caution - Do not run Combofix more than once without asking me first.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt.
Note:
Do not mouse-click ComboFix's window nor run any program while ComboFix is running.
That may cause it to stall.
=
RE-Enable your AntiVirus and AntiSpyware applications.
snodes
ComboFix 09-08-18.04 - The Snowdons 19/08/2009 20:03.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2047.1356 [GMT 1:00]
Running from: c:\users\The Snowdons\Desktop\Combo-Fix.exe
Command switches used :: Combo-Fix.exe
AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\windows\Cursors\aero_link.cur

.
((((((((((((((((((((((((( Files Created from 2009-07-19 to 2009-08-19 )))))))))))))))))))))))))))))))
.

2009-08-16 17:50 . 2009-08-16 17:50 -------- d-----w- c:\program files\Trend Micro
2009-08-14 08:06 . 2009-06-15 18:20 439896 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-08-14 08:06 . 2009-06-15 15:24 175104 ----a-w- c:\windows\system32\wdigest.dll
2009-08-14 08:06 . 2009-06-15 15:24 72704 ----a-w- c:\windows\system32\secur32.dll
2009-08-14 08:06 . 2009-06-15 15:24 270848 ----a-w- c:\windows\system32\schannel.dll
2009-08-14 08:06 . 2009-06-15 15:23 1256448 ----a-w- c:\windows\system32\lsasrv.dll
2009-08-14 08:06 . 2009-06-15 15:22 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-08-14 08:06 . 2009-06-15 15:21 499712 ----a-w- c:\windows\system32\kerberos.dll
2009-08-14 08:06 . 2009-06-15 12:57 9728 ----a-w- c:\windows\system32\lsass.exe
2009-08-14 00:07 . 2009-07-28 15:59 2061592 ----a-w- c:\programdata\avg8\update\backup\avgcorex.dll
2009-08-14 00:07 . 2009-07-28 15:59 2000152 ----a-w- c:\programdata\avg8\update\backup\avgtray.exe
2009-08-14 00:07 . 2009-07-28 15:59 1213720 ----a-w- c:\programdata\avg8\update\backup\avgfrw.exe
2009-08-14 00:07 . 2009-07-28 15:58 1471768 ----a-w- c:\programdata\avg8\update\backup\avgupd.dll
2009-08-14 00:07 . 2009-07-28 15:58 1126168 ----a-w- c:\programdata\avg8\update\backup\avgupd.exe
2009-08-14 00:07 . 2009-07-28 15:58 758040 ----a-w- c:\programdata\avg8\update\backup\avginet.dll
2009-08-12 21:31 . 2009-08-12 21:35 123416 ----a-w- C:\MGlogs.zip
2009-08-12 21:31 . 2009-08-12 21:35 -------- d-----w- C:\MGtools
2009-08-12 21:29 . 2009-08-12 21:29 -------- d-----w- c:\users\The Snowdons\AppData\Roaming\Malwarebytes
2009-08-12 21:29 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-12 21:29 . 2009-08-12 21:29 -------- d-----w- c:\programdata\Malwarebytes
2009-08-12 21:29 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-12 21:29 . 2009-08-16 17:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-12 21:29 . 2009-08-19 18:46 117760 ----a-w- c:\users\The Snowdons\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-12 21:28 . 2009-08-12 21:28 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-08-12 21:28 . 2009-08-12 21:28 -------- d-----w- c:\users\The Snowdons\AppData\Roaming\SUPERAntiSpyware.com
2009-08-12 21:28 . 2009-08-12 21:28 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-12 21:27 . 2009-08-12 21:27 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-12 17:56 . 2009-07-17 14:35 71680 ----a-w- c:\windows\system32\atl.dll
2009-08-12 17:56 . 2009-06-10 12:12 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-08-12 17:56 . 2009-06-04 12:34 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-08-12 17:56 . 2009-06-10 12:07 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-08-12 17:56 . 2009-07-14 13:00 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-08-12 17:56 . 2009-07-14 12:58 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-08-12 17:56 . 2009-07-14 12:59 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-08-12 17:56 . 2009-07-14 10:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-08-07 16:47 . 2008-06-20 01:14 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2009-08-07 16:47 . 2008-06-20 01:14 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-08-07 16:47 . 2008-06-20 01:14 97800 ----a-w- c:\windows\system32\infocardapi.dll
2009-08-07 16:47 . 2008-06-20 01:14 11264 ----a-w- c:\windows\system32\icardres.dll
2009-08-07 16:47 . 2008-06-20 01:14 622080 ----a-w- c:\windows\system32\icardagt.exe
2009-08-07 16:47 . 2008-06-20 01:14 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2009-08-07 16:47 . 2008-06-20 01:14 326160 ----a-w- c:\windows\system32\PresentationHost.exe
2009-08-07 16:41 . 2008-07-27 18:03 96760 ----a-w- c:\windows\system32\dfshim.dll
2009-08-07 16:41 . 2008-07-27 18:03 282112 ----a-w- c:\windows\system32\mscoree.dll
2009-08-07 16:41 . 2008-07-27 18:03 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-08-07 16:40 . 2008-07-27 18:03 158720 ----a-w- c:\windows\system32\mscorier.dll
2009-08-07 16:40 . 2008-07-27 18:03 83968 ----a-w- c:\windows\system32\mscories.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-19 18:48 . 2008-07-01 22:36 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-08-18 20:03 . 2009-01-02 20:04 -------- d-----w- c:\programdata\Google Updater
2009-08-17 21:26 . 2008-01-16 18:20 8268 ----a-w- c:\users\The Snowdons\AppData\Local\d3d9caps.dat
2009-08-16 16:43 . 2008-07-16 19:59 -------- d-----w- c:\programdata\avg8
2009-08-14 00:12 . 2008-03-20 19:31 -------- d-----w- c:\users\The Snowdons\AppData\Roaming\LimeWire
2009-08-12 22:37 . 2008-07-01 22:36 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-28 15:59 . 2008-07-16 19:59 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-28 15:59 . 2008-07-16 19:59 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-28 15:59 . 2008-07-16 19:59 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-28 15:59 . 2009-07-15 15:59 3476760 ----a-w- c:\programdata\avg8\update\backup\avgui.exe
2009-07-18 16:06 . 2009-07-29 15:52 827904 ----a-w- c:\windows\system32\wininet.dll
2009-07-18 16:01 . 2009-07-29 15:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-07-18 09:46 . 2009-07-29 15:52 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-13 18:10 . 2009-07-13 18:10 114848 ----a-w- c:\users\Charlotte\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-03 19:31 . 2009-03-13 15:38 -------- d-----w- c:\users\The Snowdons\AppData\Roaming\Spotify
2009-06-25 18:38 . 2009-06-25 18:38 -------- d-----w- c:\users\The Snowdons\AppData\Roaming\EPSON
2009-06-24 14:46 . 2008-01-16 20:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-24 14:43 . 2009-06-24 14:43 -------- d-----w- c:\programdata\UDL
2009-06-24 14:42 . 2009-06-24 14:35 -------- d-----w- c:\program files\epson
2009-06-24 14:41 . 2009-06-24 14:41 -------- d-----w- c:\program files\ABBYY FineReader 6.0 Sprint
2009-06-24 14:39 . 2009-06-24 14:36 -------- d-----w- c:\programdata\EPSON
2009-06-18 07:22 . 2008-01-16 18:22 114848 ----a-w- c:\users\The Snowdons\AppData\Local\GDIPFONTCACHEV1.DAT
2009-06-15 15:24 . 2009-07-14 19:48 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 15:20 . 2009-07-14 19:48 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 15:20 . 2009-07-14 19:48 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-06-15 12:52 . 2009-07-14 19:48 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-06-02 12:38 . 2009-06-09 08:11 1004800 ----a-w- c:\programdata\AVG Security Toolbar\IEToolbar.dll
2009-05-28 13:24 . 2009-05-28 13:24 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-16 1004800]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-16 08:29 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-16 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-16 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BTAgile"="c:\program files\BT Broadband Talk Softphone\BTAgile.exe" [2007-06-18 61440]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-04-02 203928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-14 2007832]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3188036164-2254565855-3087354152-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{71C7E107-E1CF-4265-B619-2DE95CD57826}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{9798BBC5-E88C-465C-A38E-08B186510FC9}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{5EA0D9DA-E4F4-4A01-8A7C-2A430CAA1DBB}"= UDP:c:\program files\Electronic Arts\Battlefield 2142\BF2142.exe:Battlefield 2
"{56CEA54E-4BA2-42AE-80C3-0CCB5D0F8AB0}"= TCP:c:\program files\Electronic Arts\Battlefield 2142\BF2142.exe:Battlefield 2
"TCP Query User{DEF038C6-43F8-4689-B85D-F1C3FB7C1836}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{E10CA6EE-A3E8-4150-B2B4-ACE5FBD870AC}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{7CC2F55B-2B39-4C6F-997F-7EE3E9C145EC}c:\\program files\\real alternative\\media player classic\\mplayerc.exe"= UDP:c:\program files\real alternative\media player classic\mplayerc.exe:Media Player Classic
"UDP Query User{AC179E22-99A3-4121-8BBA-1B1AF801D1A4}c:\\program files\\real alternative\\media player classic\\mplayerc.exe"= TCP:c:\program files\real alternative\media player classic\mplayerc.exe:Media Player Classic
"{219DB089-D827-4C65-9A15-1C86053AEDE5}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{68EDB13D-55FA-4FAD-BC20-11BDC8C44849}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{6365E6D3-4AAC-4776-BE1B-ECD6BB8A6DB8}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{25A547BA-99D5-4963-8937-D8D1A3A5AB75}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{8B5A8E22-05AB-4DC0-AABF-DE647AF9C6A8}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{F49030BC-7E6A-4771-9328-DB2E2F9F8F6C}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{A9E9F58C-5E3E-4A1A-BFF4-A7347FEC42A2}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe
"TCP Query User{DCE2FB4E-F9E6-4637-8D2E-B1127B2931FD}c:\\program files\\bt broadband desktop help\\btbb\\bthelpbrowser.exe"= UDP:c:\program files\bt broadband desktop help\btbb\bthelpbrowser.exe:mcci+McciBrowser
"UDP Query User{AD228BD7-82A8-4920-8D5E-4D1BBF4E747A}c:\\program files\\bt broadband desktop help\\btbb\\bthelpbrowser.exe"= TCP:c:\program files\bt broadband desktop help\btbb\bthelpbrowser.exe:mcci+McciBrowser
"{716C83A0-25CC-425C-BA04-2A2D737D448C}"= c:\program files\CyberLink\PowerCinema\PowerCinema.exe:CyberLink PowerCinema
"{9813F34A-5025-447B-B7EE-3CDFD0974FE5}"= c:\program files\CyberLink\PowerCinema\PCMService.exe:CyberLink PowerCinema Resident Program
"{AD407AA1-7ABB-4615-827A-0B38E4766EA2}"= c:\program files\CyberLink\PowerCinema\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{9BBE6F3C-38AB-443B-9D6B-D662D12B456E}"= c:\program files\CyberLink\PowerCinema\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{E7EF44B8-3A81-4DF2-BBAF-D2097C2F01AE}"= UDP:c:\program files\Spotify\spotify.exe:Spotify
"{21AC4FE9-076F-4558-8374-ED4C7A8A158E}"= TCP:c:\program files\Spotify\spotify.exe:Spotify
"{721B0B3F-7746-4452-9A9E-CCB6F66AC7CC}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{F140A53D-01F0-4CC3-89C0-DED733A573E0}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{2F343A53-4F11-40C9-B34F-FA084B1D0B74}c:\\program files\\activision\\call of duty 2\\cod2mp_s.exe"= UDP:c:\program files\activision\call of duty 2\cod2mp_s.exe:CoD2MP_s
"UDP Query User{2B0B04DC-3671-4EC4-BBDA-38C0EFDD3DE3}c:\\program files\\activision\\call of duty 2\\cod2mp_s.exe"= TCP:c:\program files\activision\call of duty 2\cod2mp_s.exe:CoD2MP_s
"{FFF463A2-F558-40AE-A9AB-A59CE5B03199}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{B5A3D751-363D-4DBB-B401-EE420DAB0ECA}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{6F2D15E3-5642-42B2-9BD7-A1A0914E5F8D}"= UDP:c:\program files\EA GAMES\Battlefield 2\BF2.exe:Battlefield 2
"{1CEAF944-7E3A-47BD-8E1E-4D439FEBE76D}"= TCP:c:\program files\EA GAMES\Battlefield 2\BF2.exe:Battlefield 2

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"DoNotAllowExceptions"= 1 (0x1)

R0 AvgRkx86;avgrkx86.sys;c:\windows\System32\drivers\avgrkx86.sys [16/07/2008 20:59 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [16/07/2008 20:59 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [23/10/2008 15:02 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/08/2009 16:06 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/08/2009 16:06 74480]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [08/01/2009 12:26 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [08/01/2009 12:26 297752]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [01/07/2008 23:36 1153368]
R3 3xHybrid;ASUSTek SAA713x PCI Card;c:\windows\System32\drivers\3xHybrid.sys [12/02/2009 17:35 2831232]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/08/2009 16:06 7408]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\System32\drivers\mbamswissarmy.sys [12/08/2009 22:29 38160]
S3 Ph3xIB32;Philips 713x Inbox PCI TV Card;c:\windows\System32\drivers\Ph3xIB32.sys [03/04/2007 11:43 1131136]
S3 SQTECH913D;913D Camera;c:\windows\System32\drivers\Capt913D.sys [03/11/2008 19:20 29696]
.
Contents of the 'Scheduled Tasks' folder

2009-08-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-02 09:43]

2009-08-18 c:\windows\Tasks\User_Feed_Synchronization-{503AD6C4-E33D-4F0D-9A98-6601BC6AF1EF}.job
- c:\windows\system32\msfeedssync.exe [2008-05-21 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = https://login.yahoo.com/config/mail?&.s...ntl=uk&rl=1
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-19 20:07
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-08-19 20:09
ComboFix-quarantined-files.txt 2009-08-19 19:09

Pre-Run: 430,977,728,512 bytes free
Post-Run: 430,956,703,744 bytes free

217 --- E O F --- 2009-08-17 15:52
Maurice Naggar
I highly suggest you de-install LimeWire and any other filesharing peer-to-peer program.
Downloading from such apps very very often leads to malware infections.

The result from Combofix is very encouraging. The rootkit is past history.
We need to check your system through MBAM and then a virus check.

Start your MBAM MalwareBytes' Anti-Malware.
Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

When done, click the Scanner tab.
Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

=

Please download and SAVE Trend Micro Sysclean Package on your computer.
NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.

  • Create a brand new folder to copy these files to.
  • As an example: C:\DCE
  • Then open each of the zipped archive files and copy their contents to C:\DCE
  • Copy the file sysclean.com to the new folder C:\DCE as well.

    Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator

    At the command-prompt window, type in the following to start Sysclean:
    C:\DCE\sysclean.com

    and press ENTER
    and follow the on-screen instructions.

    After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.

How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista

Next, start HijackThis. Do a Scan and save log.

Reply with copy of the latest MBAM scan log
the Sysclean log
and the new HJT log

and tell me, How is your system now?
snodes
Thanks again, Maurice. I won't be able to do this for a few days but will run it at the end of next week.
Maurice Naggar
Then let me add: if you have other people that use this system, advise all not to do web surfing or anything online until after we determine that the malware is taken care of.
snodes
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:18:43, on 29/08/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18294)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/mail?&.s...ntl=uk&rl=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [BTAgile] C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JR1916~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JR1916~1.0_0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 6324 bytes


Malwarebytes' Anti-Malware 1.40
Database version: 2712
Windows 6.0.6001 Service Pack 1

29/08/2009 13:17:52
mbam-log-2009-08-29 (13-17-52).txt

Scan type: Quick Scan
Objects scanned: 90770
Time elapsed: 5 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2009-2010, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/


2009-08-28, 19:48:33, Auto-clean mode specified.
2009-08-28, 19:48:33, Running scanner "C:\DCE\TSC.BIN"...
2009-08-28, 19:48:44, Scanner "C:\DCE\TSC.BIN" has finished running.
2009-08-28, 19:48:44, TSC Log:

Damage Cleanup Engine (DCE) 6.1 (Build 1027) (RCM: Driver not ready!)

Windows Vista (Build 6001: Service Pack 1)

Start time: Fri Aug 28 2009 19:48:34

Load Damage Cleanup Template (DCT) "C:\DCE\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\DCE\tsc.ptn" (version 1058) [success]

Complete time: Fri Aug 28 2009 19:48:44

Execute pattern count (3060), Virus found count (0), Virus clean count (0), Clean failed count (0)





2009-08-28, 19:48:44, Running scanner "C:\DCE\VSCANTM.BIN"...
2009-08-28, 21:06:54, Scanner "C:\DCE\VSCANTM.BIN" has finished running.
2009-08-28, 21:06:54, VSCANTM Log:

2009-08-28, 21:06:54, Files Detected:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 8/28/2009 19:48:44
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 401 (465217/465217 Patterns) (2009/08/27) (640100)

Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR C:\*.* /P=C:\DCE\lpt$vpn.401

145119 files have been read.
145119 files have been checked.
145048 files have been scanned.
418425 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 8/28/2009 21:06:54 1 hour 18 minutes 9 seconds (4689.17 seconds) has elapsed.(32.313 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-08-28, 21:06:54, Files Clean:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 8/28/2009 19:48:44
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 401 (465217/465217 Patterns) (2009/08/27) (640100)

Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR C:\*.* /P=C:\DCE\lpt$vpn.401

145119 files have been read.
145119 files have been checked.
145048 files have been scanned.
418425 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 8/28/2009 21:06:54 1 hour 18 minutes 9 seconds (4689.17 seconds) has elapsed.(32.313 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-08-28, 21:06:54, Clean Fail:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 8/28/2009 19:48:44
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 401 (465217/465217 Patterns) (2009/08/27) (640100)

Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR C:\*.* /P=C:\DCE\lpt$vpn.401

145119 files have been read.
145119 files have been checked.
145048 files have been scanned.
418425 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 8/28/2009 21:06:54 1 hour 18 minutes 9 seconds (4689.17 seconds) has elapsed.(32.313 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-08-28, 21:06:54, Running SSAPI scanner ""...
2009-08-29, 00:17:11, SSAPI Log:

SSAPI Scanner Version: 1.0.1003
SSAPI Engine Version: 5.2.1032
SSAPI Pattern Version: 8.15
SSAPI Anti-Rootkit Version: <Failed>

Spyware Scan Started: 08/28/2009 23:33:44


SSAPI requires the system to reboot.
Detected Items:
[CLEAN SUCCESS][Cookie_LivePerson] Internet Explorer Cache\server.iad.liveperson.net,Cookie:the snowdons@server.iad.liveperson.net/,C:\Users\The Snowdons\AppData\Roaming\Microsoft\Windows\Cookies\the_snowdons@server.iad.liveperson[2].txt
[CLEAN SUCCESS][Cookie_LivePerson] Internet Explorer Cache\server.iad.liveperson.net,Cookie:the snowdons@server.iad.liveperson.net/hc/19452074,C:\Users\The Snowdons\AppData\Roaming\Microsoft\Windows\Cookies\the_snowdons@server.iad.liveperson[3].txt
Detected: 2 items.
Cleaned Success: 2 items.
Clean Failed: 0 items.

Spyware Scan Ended: 08/29/2009 00:17:11
Scan Complete. Time=11418.377930.
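An added example, not code from this thread or from HijackThis: a small Python triage pass over HJT log lines like the ones posted above, grouping the entries a helper reviews first (Winsock LSP files, AppInit_DLLs, services with no owner string, Run keys) and collapsing the repeated O10 lines into one file with a count. The sample input is a constructed subset of the log above.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis entries posted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")          # "<code> - <detail>"
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|ocx|com))', re.IGNORECASE)

@dataclass
class Entry:
    kind: str    # HJT section code, e.g. "O4", "O10", "O23"
    detail: str  # everything after the code
    path: str    # first file path in the line (lowercased), "" if none

def parse_hjt(text):
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        p = PATH_RE.search(m.group(2))
        entries.append(Entry(m.group(1), m.group(2), p.group(1).lower() if p else ""))
    return entries

def triage(entries):
    """Group the entries an analyst checks first; returns a dict of findings."""
    # HJT prints one O10 line per LSP chain slot, so the same DLL repeats;
    # report each file once with its count. LSP entries are not removed blindly,
    # a broken chain breaks networking.
    lsp = Counter(e.path for e in entries if e.kind == "O10")
    return {
        "winsock_lsp": dict(lsp),
        # AppInit_DLLs load into every GUI process; each needs a known vendor.
        "appinit_dlls": [e.path for e in entries if e.kind == "O20" and "AppInit_DLLs" in e.detail],
        # Services with no company string need manual attribution.
        "unsigned_services": [e.path for e in entries if e.kind == "O23" and "Unknown owner" in e.detail],
        # Run keys are the usual persistence point for a trojan.
        "run_keys": [e.path for e in entries if e.kind == "O4"],
    }
```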
Maurice Naggar
See this topic in the AumHa Security forum and get the latest Java run-time
http://aumha.net/viewtopic.php?f=26&t=41698

Unless you have purchased Malwarebytes' Anti Malware {MBAM}, you should un-install it.

De-install your Adobe Reader. Get the latest version from http://www.adobe.com/products/acrobat/readstep2.html

I see that you are clear of your original issues.
If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used; followed by advice on staying safer.

We have to remove Combofix and all its associated folders.

The "/u" in the command line below is to start Combofix for its cleanup & removal function.
Note the space after exe and before the slash mark.
The utility must be removed to prevent any unintentional or accidental usage, PLUS, to free up much space on your hard disk.

Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
Enter (or Copy & Paste) the following in the command prompt window
CODE
c:\users\The Snowdons\Desktop\Combo-Fix.exe /u

and press the ENTER key

Close /exit command prompt.

  • Please RIGHT-click OTL.exe and select Run as Administrator to start it.
  • Click on the CleanUp! button at upper Right corner. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet you should allow it to do so. After the list has been downloaded you'll be asked if you want to Begin cleanup process? Select Yes.
  • This step removes the files, folders, and shortcuts created by the tools I had you download and run.


We are finished here. Best regards.
snodes
Maurice, thank you so much for your help - I'll get on with the clean-up work.

Snodes
Maurice Naggar
You are welcome. Stay safe.
I am closing this thread. If you run into a hitch, or need this re-opened, send me a PM.

For all casual viewers with similar issues, start your own New topic. The procedures used here are only for this system. Do NOT use them on any other.
Invision Power Board © 2001-2010 Invision Power Services, Inc.