Perutom

Can't Get Rid of Anti-Malware Doctor

98 posts in this topic

Hi,

I somehow picked up the Antimalware doctor infection. I tried to run malwarebytes following various instructions I found in other forums, but the infection seems to have wiped out my ability to get onto the internet, in addition to being persistent and not being wiped out after running MWB several times.

I managed to download MWB from another computer on a flash, and after cleaning out various infections and restarting, the infection still reappears. I couldn't get it to work in normal mode, so I've tried to run in safe mode. But the database version that I have still appears to be a bit out of date - 4052. With no internet connection, how do I update it? I've also tried to start in safe mode with networking, and still have no wireless, and plugging the computer directly to the internet doesn't work either?

Thanks,

T

Share this post


Link to post
Share on other sites

Hello Perutom

Welcome to Malwarebytes.

=====================

  • Please download OTH.scr to your desktop.
  • Download OTL to your desktop.
  • Double click the OTH file and select Kill All Processes, your desktop will go blank
    OTH_Main.jpg
    Then select Start OTL OTL will now run
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under Custom scan's and fixes section paste in the below in bold


    netsvcs

    %SYSTEMDRIVE%\*.*

    %systemroot%\*. /mp /s

    CREATERESTOREPOINT

    %systemroot%\system32\*.dll /lockedfiles

    %systemroot%\Tasks\*.job /lockedfiles

    %systemroot%\System32\config\*.sav

    %systemroot%\system32\drivers\*.sys /90


  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

====================

Download the following GMER Rootkit Scanner from Here

  • Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
  • Double click on the new random named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher go ahead and click on Run
  • It may take a minute to load and become available.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED


  • IAT/EAT

  • Drives/Partition other than Systemdrive (typically only C:\ should be checked)

  • Show All (don't miss this one)


  • Then click the Scan button & wait for it to finish.
  • Once done click on the [save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop
  • **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
  • Click OK and quit the GMER program.
  • Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.
  • Post that log in your next reply.

Share this post


Link to post
Share on other sites
Hello Perutom

Welcome to Malwarebytes.

=====================

  • Please download OTH.scr to your desktop.
  • Download OTL to your desktop.
  • Double click the OTH file and select Kill All Processes, your desktop will go blank
    OTH_Main.jpg
    Then select Start OTL OTL will now run
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under Custom scan's and fixes section paste in the below in bold


    netsvcs

    %SYSTEMDRIVE%\*.*

    %systemroot%\*. /mp /s

    CREATERESTOREPOINT

    %systemroot%\system32\*.dll /lockedfiles

    %systemroot%\Tasks\*.job /lockedfiles

    %systemroot%\System32\config\*.sav

    %systemroot%\system32\drivers\*.sys /90


  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

====================

Download the following GMER Rootkit Scanner from Here

  • Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
  • Double click on the new random named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher go ahead and click on Run
  • It may take a minute to load and become available.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED


  • IAT/EAT

  • Drives/Partition other than Systemdrive (typically only C:\ should be checked)

  • Show All (don't miss this one)


  • Then click the Scan button & wait for it to finish.
  • Once done click on the [save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop
  • **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
  • Click OK and quit the GMER program.
  • Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.
  • Post that log in your next reply.

Share this post


Link to post
Share on other sites

Remember, I don't have internet connection so I'm loading all the files you suggest from a flash drive, after downloading them from another computer. Once the OTL scan is done, how do I get back from the blank screen to my flash drive to open up the GMER scanner?

Thanks,

Tom

Hello Perutom

Welcome to Malwarebytes.

=====================

  • Please download OTH.scr to your desktop.
  • Download OTL to your desktop.
  • Double click the OTH file and select Kill All Processes, your desktop will go blank
    OTH_Main.jpg
    Then select Start OTL OTL will now run
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under Custom scan's and fixes section paste in the below in bold


    netsvcs

    %SYSTEMDRIVE%\*.*

    %systemroot%\*. /mp /s

    CREATERESTOREPOINT

    %systemroot%\system32\*.dll /lockedfiles

    %systemroot%\Tasks\*.job /lockedfiles

    %systemroot%\System32\config\*.sav

    %systemroot%\system32\drivers\*.sys /90


  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

====================

Download the following GMER Rootkit Scanner from Here

  • Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
  • Double click on the new random named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher go ahead and click on Run
  • It may take a minute to load and become available.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED


  • IAT/EAT

  • Drives/Partition other than Systemdrive (typically only C:\ should be checked)

  • Show All (don't miss this one)


  • Then click the Scan button & wait for it to finish.
  • Once done click on the [save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop
  • **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
  • Click OK and quit the GMER program.
  • Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.
  • Post that log in your next reply.

Share this post


Link to post
Share on other sites

I am pasting the OTL and Extras text below. I tried to run the GMER scanner but had problems. I used the Open Misc. tab to open it from my flash. The first time I ran it as directed, it crashed. The second time, not only did it crash but the system re-booted. Now what?

I'll try to download a new copy and try it again.

Tom

------

OTL text:

OTL logfile created on: 5/20/2010 10:35:37 AM - Run 1

OTL by OldTimer - Version 3.2.5.0 Folder = G:\

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 337.00 Mb Available Physical Memory | 33.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 77.00% Paging File free

Paging file location(s): C:\pagefile.sys 1512 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 35.26 Gb Total Space | 13.95 Gb Free Space | 39.57% Space Free | Partition Type: NTFS

Drive D: | 2.00 Gb Total Space | 0.45 Gb Free Space | 22.57% Space Free | Partition Type: FAT32

E: Drive not present or media not loaded

F: Drive not present or media not loaded

Drive G: | 1.87 Gb Total Space | 1.85 Gb Free Space | 99.08% Space Free | Partition Type: FAT

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: LIFEBOOK

Current User Name: Administrator

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - G:\OTL.exe (OldTimer Tools)

PRC - G:\OTH.scr (OldTimer Tools)

PRC - C:\Program Files\AVG\AVG8\avgrsx.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\Program Files\AVG\AVG8\avgnsx.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)

========== Modules (SafeList) ==========

MOD - G:\OTL.exe (OldTimer Tools)

MOD - C:\WINDOWS\system32\iphlpapi.dll (Microsoft Corporation)

MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (MSIU-f36decbb) -- C:\WINDOWS\system32\-f36decbb.exe ()

SRV - (MSIU-81dbeb3f) -- C:\WINDOWS\system32\-81dbeb3f.exe ()

SRV - (sdCoreService) -- C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools)

SRV - (sdAuxService) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe (PC Tools)

SRV - (Browser Defender Update Service) -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe (Threat Expert Ltd.)

SRV - (vvdsvc) -- C:\WINDOWS\system32\nagasoft\vjocx.dll (NanJing Nagasoft Co, LTD.)

SRV - (avg8wd) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)

SRV - (W3SVC) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)

SRV - (SMTPSVC) Simple Mail Transfer Protocol (SMTP) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)

SRV - (IISADMIN) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)

SRV - (ACS) -- C:\WINDOWS\system32\acs.exe (Atheros)

SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\HPZipm12.exe (HP)

========== Driver Services (SafeList) ==========

DRV - (PCTCore) -- C:\WINDOWS\system32\drivers\PCTCore.sys (PC Tools)

DRV - (AvgLdx86) -- C:\WINDOWS\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)

DRV - (AvgMfx86) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)

DRV - (Wpsnuio) -- C:\WINDOWS\system32\drivers\wpsnuio.sys (Skyhook Wireless)

DRV - (PCASp50) -- C:\WINDOWS\system32\drivers\PCASp50.sys (Printing Communications Assoc., Inc. (PCAUSA))

DRV - (NwlnkIpx) -- C:\WINDOWS\system32\drivers\nwlnkipx.sys (Microsoft Corporation)

DRV - (nm) -- C:\WINDOWS\system32\drivers\nmnt.sys (Microsoft Corporation)

DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\usbaudio.sys (Microsoft Corporation)

DRV - (mcdbus) -- C:\WINDOWS\system32\drivers\mcdbus.sys (MagicISO, Inc.)

DRV - (TdxMrMINI) -- C:\WINDOWS\system32\drivers\TdxMrMini.sys (Generic Provider.)

DRV - (TdxVGAMINI) -- C:\WINDOWS\system32\drivers\TdxVgaMini.sys (Generic Provider.)

DRV - (TdxVGAUSB) TARGUS USB2.0 VGA DOCK DEVICE(USB) -- C:\WINDOWS\system32\drivers\TdxVGAUSB.SYS (Generic Provider.)

DRV - (CO_Mon) -- C:\WINDOWS\system32\drivers\CO_Mon.sys ()

DRV - (AR5211) -- C:\WINDOWS\system32\drivers\ar5211.sys (Atheros Communications, Inc.)

DRV - (cmudau) -- C:\WINDOWS\system32\drivers\cmudaxu.sys (C-Media Inc)

DRV - (U2SP) OEM USB to Serial Converter Driver(Philips) -- C:\WINDOWS\system32\drivers\U2S2KXP.sys (Magic Control Technology Corp.)

DRV - (SunkFilt62) -- C:\WINDOWS\system32\drivers\sunkfilt62.sys (Alcor Micro, Corp.)

DRV - (ADM851X) -- C:\WINDOWS\system32\drivers\adm851x.sys (ADMtek Incorporated)

DRV - (CONAN) -- C:\WINDOWS\system32\drivers\o2mmb.sys (O2 Micro )

DRV - (MbxStby) -- C:\WINDOWS\system32\drivers\MbxStby.sys (O2 Micro)

DRV - (AgereSoftModem) -- C:\WINDOWS\system32\drivers\AGRSM.sys (Agere Systems)

DRV - (SynTP) -- C:\WINDOWS\system32\drivers\SynTP.sys (Synaptics, Inc.)

DRV - ({E2B953A6-195A-44F9-9BA3-3D5F4E32BB55}) -- C:\WINDOWS\system32\drivers\wA301a.sys (Intel Corporation)

DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)

DRV - (NwlnkNb) -- C:\WINDOWS\system32\drivers\nwlnknb.sys (Microsoft Corporation)

DRV - (NwlnkSpx) -- C:\WINDOWS\system32\drivers\nwlnkspx.sys (Microsoft Corporation)

DRV - (Ser2pl) -- C:\WINDOWS\system32\drivers\ser2pl.sys (Prolific Technology Inc.)

DRV - (gv3) -- C:\WINDOWS\system32\drivers\gv3.sys (Microsoft Corporation)

DRV - (rtl8139) -- C:\WINDOWS\system32\drivers\R8139n51.sys (Realtek Semiconductor Corporation )

DRV - (ASPI) -- C:\WINDOWS\system32\drivers\aspi32.sys (Adaptec)

DRV - (FUJ02B1) -- C:\WINDOWS\system32\drivers\fuj02b1.sys (FUJITSU LIMITED)

DRV - (MASPINT) -- C:\WINDOWS\system32\drivers\MASPINT.SYS (MicroStaff Co.,Ltd.)

========== Standard Registry (All) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toast.net/start/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()

IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"

FF - prefs.js..browser.search.defaultenginename: "Ask.com"

FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="

FF - prefs.js..browser.search.order.1: "Ask.com"

FF - prefs.js..browser.search.selectedEngine: "Google"

FF - prefs.js..browser.search.update: false

FF - prefs.js..browser.search.useDBForOrder: true

FF - prefs.js..browser.startup.homepage: "http://www.nytimes.com"

FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:8.5.0.429

FF - prefs.js..extensions.enabledItems: avg@igeared:3.011.025.005

FF - prefs.js..extensions.enabledItems: {3112ca9c-de6d-4884-a869-9855de68056c}:6.1.20091119W

FF - prefs.js..extensions.enabledItems: staff@hide-my-ip.com:1.0

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}:6.0.10

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}:6.0.12

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1

FF - prefs.js..extensions.enabledItems: {37E4D8EA-8BDA-4831-8EA1-89053939A250}:2.2.0.2

FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.9

FF - prefs.js..keyword.URL: "http://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q="

FF - prefs.js..network.proxy.share_proxy_settings: true

FF - prefs.js..network.proxy.type: 4

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG8\Firefox [2009/12/22 10:37:05 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/03/14 10:00:13 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared [2009/12/29 17:24:21 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/02 09:25:51 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/07 19:24:06 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/07 19:24:06 | 000,000,000 | ---D | M]

[2008/07/08 16:05:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions

[2008/07/08 16:05:12 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}

[2010/03/21 23:18:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bs18700o.default\extensions

[2009/09/11 09:28:52 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bs18700o.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2009/12/09 07:42:51 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bs18700o.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

[2009/06/09 10:36:14 | 000,000,000 | ---D | M] (PDF Download) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bs18700o.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}

[2009/03/16 09:33:36 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bs18700o.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

[2009/07/22 15:37:40 | 000,002,237 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bs18700o.default\searchplugins\askcom.xml

[2010/02/27 12:11:31 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

[2006/11/13 14:03:34 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

[2010/05/07 19:24:06 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

[2006/11/13 14:03:53 | 000,000,000 | ---D | M] (SDI_Integrator) -- C:\Program Files\Mozilla Firefox\extensions\{9d613b03-9b7c-4fa0-b2f8-32f7cc24873f}

[2008/11/27 08:04:26 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

[2009/03/14 10:00:37 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

[2009/07/01 12:51:59 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

[2008/10/26 21:34:51 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\staff@hide-my-ip.com

[2010/05/07 19:23:57 | 000,023,512 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll

[2010/05/07 19:23:57 | 000,137,176 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll

[2009/05/01 17:02:48 | 001,044,480 | ---- | M] (The OpenSSL Project, http://www.openssl.org/) -- C:\Program Files\Mozilla Firefox\plugins\libdivx.dll

[2007/08/15 20:05:00 | 000,049,152 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll

[2009/03/09 05:19:09 | 000,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll

[2009/05/12 14:46:20 | 001,650,992 | ---- | M] (DivX,Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdivx32.dll

[2007/12/11 15:44:44 | 000,098,304 | ---- | M] (DivX, Inc) -- C:\Program Files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll

[2009/08/24 22:33:20 | 000,072,960 | ---- | M] (Foxit Software Company) -- C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

[2005/11/29 19:28:10 | 000,626,688 | ---- | M] (ebrary) -- C:\Program Files\Mozilla Firefox\plugins\NPInfotl.dll

[2010/05/07 19:24:02 | 000,064,984 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll

[2007/03/22 20:23:30 | 000,017,248 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPOFFICE.DLL

[2008/10/14 22:33:29 | 000,095,600 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll

[2006/10/01 21:50:19 | 000,144,872 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppl3260.dll

[2009/12/26 19:19:01 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll

[2009/12/26 19:19:01 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll

[2009/12/26 19:19:01 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll

[2009/12/26 19:19:01 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll

[2009/12/26 19:19:01 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll

[2009/12/26 19:19:01 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll

[2009/12/26 19:19:01 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll

[2005/04/27 16:10:49 | 000,102,400 | ---- | M] (RealNetworks) -- C:\Program Files\Mozilla Firefox\plugins\npracplug.dll

[2006/10/01 21:50:37 | 000,024,621 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nprjplug.dll

[2006/10/01 21:50:10 | 000,081,967 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll

[2005/08/28 00:01:35 | 000,176,176 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint_03000F10.dll

[2009/05/01 17:02:48 | 000,200,704 | ---- | M] (The OpenSSL Project, http://www.openssl.org/) -- C:\Program Files\Mozilla Firefox\plugins\ssldivx.dll

[2010/02/04 06:40:24 | 000,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml

[2010/02/04 06:40:24 | 000,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml

[2009/07/02 11:37:13 | 000,001,490 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\avg_igeared.xml

[2010/02/04 06:40:24 | 000,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml

[2010/02/04 06:40:24 | 000,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml

[2010/02/04 06:40:24 | 000,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml

[2010/02/04 06:40:24 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml

[2010/02/04 06:40:24 | 000,000,792 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml

O1 HOSTS File: ([2010/05/20 10:34:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)

O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()

O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)

O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll (Google Inc.)

O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)

O2 - BHO: (Ask.com Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)

O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)

O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)

O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)

O3 - HKLM\..\Toolbar: (no name) - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - No CLSID value found.

O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()

O3 - HKLM\..\Toolbar: (Systran40premi.IEPlugIn) - {CFB25594-4D5F-11D6-AB7B-00B0D094B576} - C:\Program Files\Systran\4_0\Premium\IEPlugIn.dll (SYSTRAN)

O3 - HKLM\..\Toolbar: (Ask.com Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)

O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)

O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()

O3 - HKCU\..\Toolbar\WebBrowser: (Ask.com Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)

O4 - HKLM..\Run: [ACU] C:\Program Files\Atheros\ACU.exe (Atheros Communications, Inc.)

O4 - HKLM..\Run: [AGRSMMSG] C:\WINDOWS\AGRSMMSG.exe (Agere Systems)

O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)

O4 - HKLM..\Run: [boingo Wi-Fi] C:\Program Files\Boingo\Boingo Wi-Fi\Boingo.lnk ()

O4 - HKLM..\Run: [CmUsbSound] File not found

O4 - HKLM..\Run: [DisableWinXPWZCS] C:\Program Files\Atheros\DisableWinXPWZCS.exe File not found

O4 - HKLM..\Run: [ehqdwmto] C:\WINDOWS\System32\ehqdwmto.exe File not found

O4 - HKLM..\Run: [indicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe (FUJITSU LIMITED)

O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)

O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)

O4 - HKLM..\Run: [TDxVGAUTIL] C:\WINDOWS\system32\Tdxvgautil.exe (Generic Provider)

O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)

O4 - HKCU..\Run: [ehqdwmto] C:\Documents and Settings\Administrator\ehqdwmto.exe File not found

O4 - HKCU..\Run: [gotnewupdate000.exe] C:\Documents and Settings\Administrator\Application Data\E598DE6242B331FC4697A9B7D87903A5\gotnewupdate000.exe (MS)

O4 - HKCU..\Run: [M5T8QL3YW3] C:\Documents and Settings\Administrator\Local Settings\Temp\Atr.exe ()

O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: rtw9ws = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\jo2lej.exe ()

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 36

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF FF [binary data]

O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)

O9 - Extra Button: Save As Scholar's Aid WebNote - {74FD513B-2A58-4A42-9151-7551BFB6FCD7} - C:\Program Files\Scholar's Aid 4 AE\SAExplorerButton.dll (Scholar's Aid)

O9 - Extra 'Tools' menuitem : Save As Scholar's Aid WebNote - {74FD513B-2A58-4A42-9151-7551BFB6FCD7} - C:\Program Files\Scholar's Aid 4 AE\SAExplorerButton.dll (Scholar's Aid)

O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)

O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O9 - Extra Button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\DownloadPDF.exe (PlotSoft LLC)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000028 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000029 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000030 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000031 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000032 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O15 - HKCU\..Trusted Domains: ([]msn in My Computer)

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab (Symantec AntiVirus scanner)

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB (Reg Error: Key error.)

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase6796.cab (Windows Live Safety Center Base Module)

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (Symantec RuFSI Utility Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)

O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} http://ax.emsisoft.com/asquared.cab (a-squared Scanner)

O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)

O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} http://www.vexcast.com/download/vexcast.cab (VodClient Control Class)

O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)

O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\ipp - No CLSID value found

O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)

O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)

O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)

O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp - No CLSID value found

O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)

O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)

O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)

O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)

O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)

O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)

O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)

O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)

O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)

O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)

O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)

O18 - Protocol\Filter\x-sdch {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)

O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)

O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)

O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)

O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)

O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)

O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)

O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)

O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation)

O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)

O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)

O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O24 - Desktop Components:0 (My Current Home Page) - About:Home

O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)

O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)

O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)

O31 - SafeBoot: AlternateShell - cmd.exe

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2003/09/03 13:25:49 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2009/09/13 09:39:04 | 000,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ]

O32 - AutoRun File - [2009/09/13 09:39:06 | 000,000,000 | RHSD | M] - D:\autorun.inf -- [ FAT32 ]

O33 - MountPoints2\{10cacbe2-7022-11db-97dc-0090969b2637}\Shell\AutoRun\command - "" = 1.exe

O33 - MountPoints2\E\Shell - "" = AutoRun

O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play

O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\EzInst.exe -- File not found

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found

NetSvcs: Ias - C:\WINDOWS\system32\ias [2010/05/15 08:18:47 | 000,000,000 | ---D | M]

NetSvcs: Iprip - File not found

NetSvcs: Irmon - File not found

NetSvcs: Nwsapagent - File not found

NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT

Restore point Set: OTL Restore Point (11272609819787264)

========== Files/Folders - Created Within 30 Days ==========

[2010/05/19 18:05:45 | 000,000,000 | ---D | C] -- C:\Qoobox

[2010/05/19 18:04:08 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW

[2010/05/19 15:58:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Downloads

[2010/05/19 15:58:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\GetRightToGo

[2010/05/19 12:48:04 | 000,149,456 | ---- | C] (PC Tools) -- C:\WINDOWS\SGDetectionTool.dll

[2010/05/19 12:48:03 | 001,640,400 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDCore.dll

[2010/05/19 12:48:03 | 000,165,840 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDRes.dll

[2010/05/19 12:47:42 | 000,233,136 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys

[2010/05/19 12:47:25 | 000,207,280 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTCore.sys

[2010/05/19 12:47:25 | 000,087,784 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTAppEvent.sys

[2010/05/19 12:47:08 | 000,070,408 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplsg.sys

[2010/05/19 12:46:40 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools

[2010/05/19 12:46:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools

[2010/05/19 12:46:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\PC Tools

[2010/05/19 12:46:39 | 000,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor

[2010/05/19 12:45:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\TrojanHunter

[2010/05/19 11:30:56 | 000,000,000 | ---D | C] -- C:\Program Files\TrojanHunter 5.3

[2010/05/18 23:18:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MpEngineStore

[2010/05/18 23:14:17 | 000,000,000 | ---D | C] -- C:\82a5d4438523fbde003de8

[2010/05/18 22:51:01 | 000,000,000 | ---D | C] -- C:\spoolerlogs

[2010/05/18 22:48:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\jdhlmjfvq

[2010/05/18 22:45:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\ATManager

[2010/05/18 22:44:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\E598DE6242B331FC4697A9B7D87903A5

[2010/05/08 11:53:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\New Folder

[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[3 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/20 10:33:32 | 000,000,304 | -H-- | M] () -- C:\WINDOWS\tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job

[2010/05/20 10:33:06 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/05/20 10:32:37 | 006,815,744 | ---- | M] () -- C:\Documents and Settings\Administrator\ntuser.dat

[2010/05/20 10:32:37 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini

[2010/05/20 06:37:45 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/05/19 15:47:55 | 000,001,399 | ---- | M] () -- C:\WINDOWS\lsrslt.ini

[2010/05/19 12:59:02 | 000,363,520 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\rkill.com

[2010/05/19 12:47:20 | 000,001,637 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk

[2010/05/19 11:31:14 | 000,059,392 | R--- | M] () -- C:\WINDOWS\System32\streamhlp.dll

[2010/05/18 22:46:04 | 000,001,020 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\ATManager.lnk

[2010/05/18 22:43:53 | 000,185,856 | ---- | M] () -- C:\WINDOWS\Amodua.exe

[2010/05/18 22:43:49 | 000,070,656 | ---- | M] () -- C:\WINDOWS\System32\-f36decbb.exe

[2010/05/18 22:43:49 | 000,070,656 | ---- | M] () -- C:\WINDOWS\System32\-81dbeb3f.exe

[2010/05/18 06:53:36 | 060,116,395 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm

[2010/05/10 09:41:50 | 000,038,912 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/05/08 10:03:05 | 008,092,212 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\FandE2010web-opt.pdf

[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[3 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/19 18:01:23 | 000,363,520 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\rkill.com

[2010/05/19 15:47:54 | 000,001,399 | ---- | C] () -- C:\WINDOWS\lsrslt.ini

[2010/05/19 12:48:05 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll

[2010/05/19 12:48:04 | 000,000,882 | ---- | C] () -- C:\WINDOWS\RegSDImport.xml

[2010/05/19 12:48:04 | 000,000,880 | ---- | C] () -- C:\WINDOWS\RegISSImport.xml

[2010/05/19 12:48:04 | 000,000,131 | ---- | C] () -- C:\WINDOWS\IDB.zip

[2010/05/19 12:48:03 | 001,152,444 | ---- | C] () -- C:\WINDOWS\UDB.zip

[2010/05/19 12:47:42 | 000,007,387 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctgntdi.cat

[2010/05/19 12:47:25 | 000,007,412 | ---- | C] () -- C:\WINDOWS\System32\drivers\PCTAppEvent.cat

[2010/05/19 12:47:25 | 000,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctcore.cat

[2010/05/19 12:47:20 | 000,001,637 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk

[2010/05/19 12:47:08 | 000,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctplsg.cat

[2010/05/19 11:30:56 | 000,059,392 | R--- | C] () -- C:\WINDOWS\System32\streamhlp.dll

[2010/05/19 07:10:40 | 000,000,304 | -H-- | C] () -- C:\WINDOWS\tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job

[2010/05/19 07:05:33 | 000,070,656 | ---- | C] () -- C:\WINDOWS\System32\-f36decbb.exe

[2010/05/19 06:40:09 | 000,003,863 | ---- | C] () -- C:\Documents and Settings\Administrator\avgrep.txt

[2010/05/18 22:46:01 | 000,001,020 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\ATManager.lnk

[2010/05/18 22:45:32 | 000,185,856 | ---- | C] () -- C:\WINDOWS\Amodua.exe

[2010/05/18 22:43:57 | 000,070,656 | ---- | C] () -- C:\WINDOWS\System32\-81dbeb3f.exe

[2010/05/08 10:02:55 | 008,092,212 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\FandE2010web-opt.pdf

[2010/03/06 11:38:54 | 000,565,248 | R--- | C] () -- C:\WINDOWS\System32\hpotscl.dll

[2009/07/01 12:23:24 | 000,176,235 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll

[2009/03/24 11:04:33 | 000,021,791 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini

[2009/03/24 11:04:33 | 000,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini

[2009/03/24 11:04:09 | 000,038,576 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini

[2009/03/24 11:04:09 | 000,010,225 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini

[2009/03/24 11:04:08 | 000,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini

[2008/10/26 21:34:49 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\securenet.dll

[2008/05/14 17:08:28 | 000,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI

[2008/01/25 12:27:41 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ka.ini

[2007/12/11 15:46:02 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll

[2007/12/11 15:44:28 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest

[2007/12/11 15:44:28 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest

[2007/12/11 15:43:44 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll

[2007/11/11 11:08:41 | 000,034,308 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll

[2007/09/28 11:28:33 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\CmDrvRmU.DLL

[2007/09/28 11:28:33 | 000,001,091 | ---- | C] () -- C:\WINDOWS\System32\ACP50CFG.ini

[2007/04/28 23:49:25 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\drivers\CO_Mon.sys

[2006/02/28 20:17:30 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll

[2005/12/30 19:10:30 | 000,761,856 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll

[2005/09/18 23:58:13 | 000,002,777 | ---- | C] () -- C:\WINDOWS\cdplayer.ini

[2004/12/15 14:15:49 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI

[2004/09/05 21:36:21 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI

[2004/08/17 23:41:02 | 000,000,291 | ---- | C] () -- C:\WINDOWS\msfsetup.ini

[2004/08/15 23:22:20 | 000,000,767 | ---- | C] () -- C:\WINDOWS\maxlink.ini

[2004/07/17 00:35:32 | 000,000,488 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2003/12/09 18:25:17 | 000,000,067 | ---- | C] () -- C:\WINDOWS\NPinfotl.ini

[2003/11/16 05:48:02 | 000,909,312 | ---- | C] () -- C:\WINDOWS\System32\vorbisenc.dll

[2003/11/16 05:48:00 | 001,060,864 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll

[2003/11/15 12:54:18 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\ogg.dll

[2003/09/03 17:18:47 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

[2003/09/03 14:59:34 | 000,000,052 | ---- | C] () -- C:\WINDOWS\intuprof.ini

[2003/09/03 14:57:30 | 000,000,659 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI

[2003/09/03 14:41:19 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\SynTPCoI.dll

[2003/09/03 14:23:57 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll

[2003/09/03 14:03:00 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini

[2003/09/03 13:18:47 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini

[2003/09/03 13:06:11 | 000,000,410 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI

[2002/10/06 18:42:58 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\OggDS.dll

[2002/01/08 16:57:34 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\Jpeg32.dll

========== LOP Check ==========

[2009/02/07 12:19:34 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\Administrator\Application Data\.#

[2010/05/19 17:27:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\ATManager

[2009/07/01 11:16:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\AVGTOOLBAR

[2008/01/21 08:23:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\BitTorrent

[2009/09/09 15:36:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\CiscoCAA

[2008/01/10 23:47:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\CoreCodec

[2010/05/20 08:58:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Dropbox

[2010/05/20 10:33:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\E598DE6242B331FC4697A9B7D87903A5

[2009/07/22 05:52:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Foxit

[2004/08/17 23:58:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\FUJIFILM

[2010/05/19 15:58:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\GetRightToGo

[2009/12/03 05:57:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\gtk-2.0

[2004/07/24 16:07:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\InterVideo

[2010/03/20 10:45:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\NotMyIp

[2004/12/16 13:46:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\OriginLab

[2004/08/16 11:21:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\PPIMAGES

[2004/07/17 00:06:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Template

[2006/07/06 15:59:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Thunderbird

[2010/05/19 12:45:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\TrojanHunter

[2009/08/03 15:39:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar

[2007/01/04 18:33:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\espionServerData

[2009/08/06 06:02:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GoBoingo

[2007/10/12 18:04:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grisoft

[2009/11/24 12:47:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PlotSoft

[2004/08/16 11:21:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft

[2010/05/20 06:38:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP

[2005/02/03 23:56:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint

[2009/12/26 19:22:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

[2009/07/22 05:47:38 | 000,000,250 | ---- | M] () -- C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job

[2009/10/08 09:49:34 | 000,000,260 | ---- | M] () -- C:\WINDOWS\Tasks\WGASetup.job

[2010/05/20 10:33:32 | 000,000,304 | -H-- | M] () -- C:\WINDOWS\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >

[2007/01/04 18:33:02 | 000,000,000 | ---- | M] () -- C:\AdobeDebug.txt

[2003/09/03 13:25:49 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT

[2009/10/09 13:55:31 | 000,000,211 | -HS- | M] () -- C:\boot.ini

[2003/09/03 13:25:49 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS

[2008/10/19 21:30:38 | 000,000,081 | ---- | M] () -- C:\DVDPATH.TXT

[2009/02/07 12:19:34 | 000,003,496 | ---- | M] () -- C:\hook.log

[2006/08/16 18:42:46 | 000,000,902 | ---- | M] () -- C:\hpcmerr.log

[2004/08/17 23:59:50 | 000,002,791 | ---- | M] () -- C:\INSTALL.LOG

[2003/09/03 13:25:49 | 000,000,000 | RHS- | M] () -- C:\IO.SYS

[2003/09/03 13:25:49 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS

[2004/11/30 20:46:12 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM

[2008/09/07 11:00:49 | 000,250,048 | RHS- | M] () -- C:\ntldr

[2010/05/20 06:36:50 | 1585,446,912 | -HS- | M] () -- C:\pagefile.sys

[2005/08/01 10:58:15 | 000,001,901 | ---- | M] () -- C:\Rescued document.txt

[2010/05/20 08:57:00 | 000,000,715 | ---- | M] () -- C:\rkill.log

[2009/02/07 12:19:34 | 000,000,256 | ---- | M] () -- C:\sccfg.sys

[1998/06/19 12:23:26 | 000,270,848 | ---- | M] () -- C:\UNWISE.EXE

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >

[2003/09/03 06:10:28 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav

[2003/09/03 06:10:28 | 000,626,688 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav

[2003/09/03 06:10:28 | 000,413,696 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >

[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys

[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys

[2010/02/24 09:11:07 | 000,455,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\mrxsmb.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 158 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D2F2F703

@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8

< End of report >

--------------------

Extras text:

OTL Extras logfile created on: 5/20/2010 10:35:37 AM - Run 1

OTL by OldTimer - Version 3.2.5.0 Folder = G:\

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 337.00 Mb Available Physical Memory | 33.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 77.00% Paging File free

Paging file location(s): C:\pagefile.sys 1512 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 35.26 Gb Total Space | 13.95 Gb Free Space | 39.57% Space Free | Partition Type: NTFS

Drive D: | 2.00 Gb Total Space | 0.45 Gb Free Space | 22.57% Space Free | Partition Type: FAT32

E: Drive not present or media not loaded

F: Drive not present or media not loaded

Drive G: | 1.87 Gb Total Space | 1.85 Gb Free Space | 99.08% Space Free | Partition Type: FAT

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: LIFEBOOK

Current User Name: Administrator

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]

.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [FinePix] -- "C:\Program Files\FinePixViewer\FinePixViewer.exe" "%1" (FUJI PHOTO FILM CO.,LTD.)

Directory [FinePixPrint] -- "C:\Program Files\FinePixViewer\FinePixViewer.exe" /p "%1" (FUJI PHOTO FILM CO.,LTD.)

Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

"1723:TCP" = 1723:TCP:*:Enabled:@xpsp2res.dll,-22015

"1701:UDP" = 1701:UDP:*:Enabled:@xpsp2res.dll,-22016

"500:UDP" = 500:UDP:*:Enabled:@xpsp2res.dll,-22017

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DoNotAllowExceptions" = 0

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

"1723:TCP" = 1723:TCP:*:Enabled:@xpsp2res.dll,-22015

"1701:UDP" = 1701:UDP:*:Enabled:@xpsp2res.dll,-22016

"500:UDP" = 500:UDP:*:Enabled:@xpsp2res.dll,-22017

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)

"C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer -- (RealNetworks, Inc.)

"C:\Program Files\Java\jre1.5.0_05\bin\javaw.exe" = C:\Program Files\Java\jre1.5.0_05\bin\javaw.exe:*:Enabled:Java 2 Platform Standard Edition binary -- (Sun Microsystems, Inc.)

"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- ()

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

"C:\Program Files\TVUPlayer\TVUPlayer.exe" = C:\Program Files\TVUPlayer\TVUPlayer.exe:*:Enabled:TVUPlayer Component -- File not found

"C:\Program Files\SopCast\SopCast.exe" = C:\Program Files\SopCast\SopCast.exe:*:Enabled:SopCast Main Application -- File not found

"C:\Documents and Settings\Administrator\Application Data\SopCast\adv\SopAdver.exe" = C:\Documents and Settings\Administrator\Application Data\SopCast\adv\SopAdver.exe:*:Enabled:SopCast Adver -- File not found

"C:\Program Files\Grisoft\AVG7\avginet.exe" = C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe -- File not found

"C:\Program Files\Grisoft\AVG7\avgamsvr.exe" = C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe -- File not found

"C:\Program Files\Grisoft\AVG7\avgcc.exe" = C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe -- File not found

"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)

"C:\Program Files\Skype\Plugin Manager\skypePM.exe" = C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager -- (Skype Technologies)

"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)

"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)

"C:\Program Files\Internet Explorer\iexplore.exe" = C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer -- (Microsoft Corporation)

"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)

"C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe" = C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe:*:Enabled:Dropbox -- File not found

"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype. Take a deep breath -- (Skype Technologies S.A.)

"C:\WINDOWS\system32\spoolsv.exe" = C:\WINDOWS\system32\spoolsv.exe:*:Enabled:spoolsv.exe -- (Microsoft Corporation)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{04010300-6D72-4D54-8686-91D884A27B5C}" = Cisco Clean Access Agent

"{04F13802-1C88-44F5-92E3-CC14B1123B7F}" = Targus USB Port Replicator with Video(ACP50) v7.1.2

"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour

"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager

"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime

"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer

"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate

"{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}" = YouTube Downloader 2.5.3

"{1ACD8B8F-DD51-4BDF-B0C5-299F034249A8}" = Origin 7.5

"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer

"{235C31BC-BBAE-4932-9F17-15395C65907B}" = Boingo Wi-Fi

"{24ED4D80-8294-11D5-96CD-0040266301AD}" = FinePixViewer Ver.4.2

"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java 6 Update 13

"{2CCBABCB-6427-4A55-B091-49864623C43F}" = Google Toolbar for Firefox

"{3248F0A8-6813-11D6-A77B-00B0D0150050}" = J2SE Runtime Environment 5.0 Update 5

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}" = Google Earth

"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support

"{4CBD31CE-51DF-43C4-B3EC-7CCBAB0CD083}" = O2Micro MemoryCardBus Windows Driver

"{5490882C-6961-11D5-BAE5-00E0188E010B}" = FUJIFILM USB Driver

"{5FBAEFFA-F303-49AF-9A5D-750DA899F425}" = Atheros Install Program for Wireless Network Adapter Products

"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update

"{6DE13770-01B7-4366-8DA6-48237793F445}" = VoiceOver Kit

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec

"{7C1FBAC5-A5B0-4F5B-BF24-321983D65E76}" = Scholar's Aid 4 Academic Edition

"{7CF31609-270B-11D6-9445-000102308676}" = Java 2 Runtime Environment, SE v1.4.0_01

"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver

"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player

"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003

"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system

"{934E9442-D305-4ACF-AD87-A6C11D677CB9}" = ImageMixer VCD2 for FinePix

"{97AA0C55-AFAD-4126-B21C-F1318FB6DADA}" = Realtek RTL8139/810x Fast Ethernet NIC Driver Setup

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes

"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support

"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.5

"{AC76BA86-7AD7-1033-7B44-A81300000003}_814" = KB408682

"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter

"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{CA529363-D0F2-41EA-B44B-D7515A254645}" = Multimedia Card Reader

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype

Share this post


Link to post
Share on other sites

I tried to run GMER scanner again with a new copy, and it crashed again. Now what?

T

Share this post


Link to post
Share on other sites

Yes I understand you have no internet try to uncheck everything within gmer but for Sections and the C:\ drive setting.

If that still will not work then try it in Safe Mode.

If you do not know how to get into Safe Mode then please refer to these instructions:

http://www.computerhope.com/issues/chsafe.htm

Try it once more with those suggestions then we will begin.

Share this post


Link to post
Share on other sites

Hi,

Here's the ark.txt file from the GMER scan.

--------

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-05-21 11:29:28

Windows 5.1.2600 Service Pack 3

Running: 7gpcd94p.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kxrdapow.sys

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 108 804E2774 5 Bytes [DC, FC, 5C, F7, CE]

.text ntoskrnl.exe!_abnormal_termination + 10E 804E277A 2 Bytes [5C, F7]

init C:\WINDOWS\system32\drivers\o2mmb.sys entry point in "init" section [0xF745C320]

.rsrc C:\WINDOWS\System32\DRIVERS\kbdclass.sys entry point in ".rsrc" section [0xF79EEE14]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[596] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A

.text C:\WINDOWS\System32\svchost.exe[596] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A

.text C:\WINDOWS\System32\svchost.exe[596] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C

.text C:\WINDOWS\System32\svchost.exe[596] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0195000A

.text C:\WINDOWS\System32\svchost.exe[596] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0158000A

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\System32\DRIVERS\kbdclass.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Yes I understand you have no internet try to uncheck everything within gmer but for Sections and the C:\ drive setting.

If that still will not work then try it in Safe Mode.

If you do not know how to get into Safe Mode then please refer to these instructions:

http://www.computerhope.com/issues/chsafe.htm

Try it once more with those suggestions then we will begin.

Share this post


Link to post
Share on other sites

Looking at your system now, one or more of the identified infections is a backdoor Trojan\Rootkit.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

===========

Download TDSSKiller and save it to your Desktop.

  • Right click on the file and choose extract all extract the file to your desktop then run it.
  • If prompted to restart the computer type in Y then it will restart.
  • Once completed it will create a log in your C:\ drive
  • Please post the contents of that log

===========

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Share this post


Link to post
Share on other sites

I've run TDSS Killer. the log is below.

I tried to run Combofix but I get this error message:

"Windows cannot find grpconv...

In order to disable AVG I had to disable the shield and uncheck the AVG box in the start up.

What now? I'll try running Combofix again.

Tom

--------

15:58:23:276 2612 TDSS rootkit removing tool 2.3.0.0 May 12 2010 18:11:17

15:58:23:276 2612 ================================================================================

15:58:23:276 2612 SystemInfo:

15:58:23:276 2612 OS Version: 5.1.2600 ServicePack: 3.0

15:58:23:276 2612 Product type: Workstation

15:58:23:276 2612 ComputerName: LIFEBOOK

15:58:23:276 2612 UserName: Administrator

15:58:23:276 2612 Windows directory: C:\WINDOWS

15:58:23:276 2612 Processor architecture: Intel x86

15:58:23:276 2612 Number of processors: 1

15:58:23:276 2612 Page size: 0x1000

15:58:23:276 2612 Boot type: Normal boot

15:58:23:276 2612 ================================================================================

15:58:23:386 2612 UnloadDriverW: NtUnloadDriver error 2

15:58:23:386 2612 ForceUnloadDriverW: UnloadDriverW(klmd23) error 2

15:58:23:626 2612 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system

15:58:23:626 2612 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

15:58:23:626 2612 wfopen_ex: Trying to KLMD file open

15:58:23:626 2612 wfopen_ex: File opened ok (Flags 2)

15:58:23:626 2612 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software

15:58:23:626 2612 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

15:58:23:626 2612 wfopen_ex: Trying to KLMD file open

15:58:23:626 2612 wfopen_ex: File opened ok (Flags 2)

15:58:23:626 2612 KLAVA engine initialized

15:58:24:588 2612 Initialize success

15:58:24:588 2612

15:58:24:588 2612 Scanning Services ...

15:58:25:649 2612 Raw services enum returned 385 services

15:58:25:699 2612

15:58:25:699 2612 Scanning Drivers ...

15:58:27:372 2612 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

15:58:27:562 2612 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

15:58:27:772 2612 ADM851X (e8b85009b41a010ee95fe3fc5c7808ad) C:\WINDOWS\system32\DRIVERS\ADM851X.SYS

15:58:28:023 2612 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

15:58:28:213 2612 AegisP (91f3df93f40a74d222cd166fe95db633) C:\WINDOWS\system32\DRIVERS\AegisP.sys

15:58:28:453 2612 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

15:58:28:884 2612 AgereSoftModem (5a2a96b15fa7e766d0fd1ac08eff2acb) C:\WINDOWS\system32\DRIVERS\AGRSM.sys

15:58:30:136 2612 ALCXWDM (49899bb0ccc162fe6e2368ee93992950) C:\WINDOWS\system32\drivers\ALCXWDM.SYS

15:58:31:137 2612 AR5211 (d07ccc37476034ebf5de4608a8af4386) C:\WINDOWS\system32\DRIVERS\ar5211.sys

15:58:31:788 2612 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

15:58:32:189 2612 ASPI (54ab078660e536da72b21a27f56b035b) C:\WINDOWS\System32\DRIVERS\ASPI32.sys

15:58:32:419 2612 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

15:58:32:639 2612 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

15:58:32:880 2612 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

15:58:33:050 2612 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

15:58:33:260 2612 AvgLdx86 (bc12f2404bb6f2b6b2ff3c4c246cb752) C:\WINDOWS\System32\Drivers\avgldx86.sys

15:58:33:431 2612 AvgMfx86 (5903d729d4f0c5bca74123c96a1b29e0) C:\WINDOWS\System32\Drivers\avgmfx86.sys

15:58:33:591 2612 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

15:58:33:761 2612 Bridge (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys

15:58:33:781 2612 BridgeMP (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys

15:58:33:941 2612 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

15:58:34:172 2612 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

15:58:34:632 2612 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

15:58:35:343 2612 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

15:58:35:614 2612 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

15:58:36:004 2612 cmudau (25cae5c2fec8c1b3d376ae9fd45278cd) C:\WINDOWS\system32\drivers\cmudaxu.sys

15:58:36:275 2612 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys

15:58:36:916 2612 CONAN (f9ba9dd6dad716758a51ef40b011e71c) C:\WINDOWS\system32\drivers\o2mmb.sys

15:58:37:557 2612 CO_Mon (6be1d6403727bdd8a2b2568dbe6bfb8b) C:\WINDOWS\system32\Drivers\CO_Mon.sys

15:58:38:227 2612 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

15:58:38:999 2612 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

15:58:39:660 2612 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

15:58:39:870 2612 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

15:58:40:120 2612 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

15:58:40:351 2612 dot4 (3e4b043f8bc6be1d4820cc6c9c500306) C:\WINDOWS\system32\DRIVERS\Dot4.sys

15:58:40:601 2612 Dot4Print (77ce63a8a34ae23d9fe4c7896d1debe7) C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys

15:58:40:781 2612 dot4usb (6ec3af6bb5b30e488a0c559921f012e1) C:\WINDOWS\system32\DRIVERS\dot4usb.sys

15:58:41:152 2612 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

15:58:41:362 2612 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

15:58:41:582 2612 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

15:58:42:103 2612 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

15:58:42:283 2612 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

15:58:42:484 2612 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

15:58:42:654 2612 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

15:58:42:784 2612 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

15:58:42:954 2612 FUJ02B1 (00845dcd64fe6348ddf7890c310c17b9) C:\WINDOWS\system32\DRIVERS\FUJ02B1.sys

15:58:43:155 2612 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys

15:58:43:345 2612 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

15:58:43:545 2612 gv3 (01cdb5b4649fae249e787a83be22916a) C:\WINDOWS\system32\DRIVERS\gv3.sys

15:58:43:755 2612 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

15:58:43:986 2612 HPZid412 (287a63bd8509bd78e7978823b38afa81) C:\WINDOWS\system32\DRIVERS\HPZid412.sys

15:58:44:156 2612 HPZipr12 (0b4fda2657c3e0315eaa57f9c6d4fd1f) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys

15:58:44:266 2612 HPZius12 (29559db25258b60510a60c4e470fce32) C:\WINDOWS\system32\DRIVERS\HPZius12.sys

15:58:44:476 2612 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

15:58:44:897 2612 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

15:58:45:057 2612 ialm (1b49ec451363cbbf8d0549d4fd78072c) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys

15:58:45:248 2612 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

15:58:45:478 2612 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

15:58:45:638 2612 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

15:58:45:808 2612 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

15:58:45:979 2612 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

15:58:46:159 2612 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

15:58:46:349 2612 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

15:58:46:569 2612 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

15:58:46:760 2612 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

15:58:46:940 2612 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

15:58:47:130 2612 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

15:58:47:341 2612 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

15:58:47:511 2612 klmd23 (f736ee0d4da5b9bcc2c8539c8add06e2) C:\WINDOWS\system32\drivers\klmd.sys

15:58:47:641 2612 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

15:58:47:831 2612 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

15:58:48:042 2612 MASPINT (a2ae666cee860babe7fa6f1662b71737) C:\WINDOWS\system32\drivers\MASPINT.sys

15:58:48:212 2612 MbxStby (27ff21e081ad85d8b29811f66dd002e5) C:\WINDOWS\system32\drivers\MbxStby.sys

15:58:48:322 2612 mcdbus (f922b609524cf1ed66a1a109f3ce014f) C:\WINDOWS\system32\DRIVERS\mcdbus.sys

15:58:48:482 2612 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

15:58:48:612 2612 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

15:58:48:753 2612 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

15:58:48:883 2612 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

15:58:49:043 2612 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

15:58:49:303 2612 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

15:58:49:494 2612 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

15:58:49:644 2612 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

15:58:49:824 2612 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

15:58:49:994 2612 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

15:58:50:175 2612 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

15:58:50:355 2612 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

15:58:50:605 2612 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

15:58:50:876 2612 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

15:58:50:976 2612 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

15:58:51:166 2612 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

15:58:51:386 2612 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

15:58:51:577 2612 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

15:58:51:707 2612 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

15:58:51:887 2612 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

15:58:52:057 2612 nm (1e421a6bcf2203cc61b821ada9de878b) C:\WINDOWS\system32\DRIVERS\NMnt.sys

15:58:52:268 2612 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

15:58:53:560 2612 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

15:58:53:830 2612 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

15:58:53:990 2612 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

15:58:54:080 2612 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

15:58:54:241 2612 NwlnkIpx (8b8b1be2dba4025da6786c645f77f123) C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys

15:58:54:671 2612 NwlnkNb (56d34a67c05e94e16377c60609741ff8) C:\WINDOWS\system32\DRIVERS\nwlnknb.sys

15:58:54:861 2612 NwlnkSpx (c0bb7d1615e1acbdc99757f6ceaf8cf0) C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys

15:58:55:052 2612 NWRDR (36b9b950e3d2e100970a48d8bad86740) C:\WINDOWS\system32\DRIVERS\nwrdr.sys

15:58:55:232 2612 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

15:58:55:412 2612 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys

15:58:55:653 2612 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

15:58:55:993 2612 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

15:58:56:273 2612 PCASp50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\WINDOWS\system32\Drivers\PCASp50.sys

15:58:56:484 2612 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

15:58:56:674 2612 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

15:58:57:055 2612 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys

15:58:57:265 2612 PCTCore (167b2fea66dde6925766d1a81a1affc0) C:\WINDOWS\system32\drivers\PCTCore.sys

15:58:58:827 2612 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

15:58:59:087 2612 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys

15:58:59:678 2612 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

15:59:00:229 2612 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

15:59:00:469 2612 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys

15:59:01:211 2612 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

15:59:01:321 2612 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

15:59:01:491 2612 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

15:59:01:651 2612 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

15:59:01:841 2612 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

15:59:02:022 2612 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

15:59:02:222 2612 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

15:59:02:683 2612 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

15:59:02:883 2612 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

15:59:03:083 2612 rtl8139 (2ef9c0dc26b30b2318b1fc3faa1f0ae7) C:\WINDOWS\system32\DRIVERS\R8139n51.SYS

15:59:03:263 2612 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

15:59:03:454 2612 Ser2pl (fd245689004356aa2928b678736b9abd) C:\WINDOWS\system32\DRIVERS\ser2pl.sys

15:59:03:614 2612 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

15:59:03:794 2612 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys

15:59:03:975 2612 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys

15:59:04:325 2612 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

15:59:04:495 2612 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

15:59:04:686 2612 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys

15:59:04:936 2612 SunkFilt62 (38cc705ff41cc49daed796cfb419bea2) C:\WINDOWS\System32\Drivers\sunkfilt62.sys

15:59:05:156 2612 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

15:59:05:417 2612 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

15:59:05:997 2612 SynTP (dd5c7b6dcc9cb03e1578cc3c9ef4bb99) C:\WINDOWS\system32\DRIVERS\SynTP.sys

15:59:06:698 2612 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

15:59:07:269 2612 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

15:59:07:540 2612 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

15:59:07:660 2612 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

15:59:08:671 2612 TdxMrMINI (8c2b6c0b7b2e09e03d7b3629a154400d) C:\WINDOWS\system32\DRIVERS\TdxMrMini.sys

15:59:08:912 2612 TdxVGAMINI (0cd2a6e2ac432e934ecdcbecb49f71f6) C:\WINDOWS\system32\DRIVERS\TdxVgaMini.sys

15:59:09:132 2612 TdxVGAUSB (8421ed8031af5d08a51b6346aff57fcc) C:\WINDOWS\system32\drivers\TdxVGAUSB.sys

15:59:09:302 2612 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

15:59:09:553 2612 U2SP (228d8e60bc9c5238587b0bf1654ec580) C:\WINDOWS\system32\DRIVERS\u2s2kxp.sys

15:59:10:153 2612 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

15:59:10:784 2612 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

15:59:11:005 2612 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\WINDOWS\system32\Drivers\usbaapl.sys

15:59:11:235 2612 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys

15:59:11:435 2612 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

15:59:11:605 2612 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

15:59:11:786 2612 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

15:59:11:956 2612 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

15:59:12:106 2612 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

15:59:12:327 2612 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

15:59:12:507 2612 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

15:59:12:687 2612 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

15:59:12:937 2612 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

15:59:13:228 2612 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

15:59:13:678 2612 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

15:59:13:919 2612 Wpsnuio (904571ee28f8f7d98b3ef1635a77c6d4) C:\WINDOWS\system32\DRIVERS\wpsnuio.sys

15:59:14:099 2612 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys

15:59:14:279 2612 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

15:59:14:480 2612 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

15:59:14:670 2612 {6080A529-897E-4629-A488-ABA0C29B635E} (a7ab6e6fcb5d9276160d9998593638e3) C:\WINDOWS\system32\drivers\ialmsbw.sys

15:59:14:770 2612 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (d9c1c60a4e414052e30dbb2800f0893a) C:\WINDOWS\system32\drivers\ialmkchw.sys

15:59:14:870 2612 {E2B953A6-195A-44F9-9BA3-3D5F4E32BB55} (100b40ed254ed42ec179e24d890c973e) C:\WINDOWS\system32\drivers\wA301a.sys

15:59:14:870 2612

15:59:14:870 2612 Completed

15:59:14:870 2612

15:59:14:870 2612 Results:

15:59:14:870 2612 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

15:59:14:870 2612 File objects infected / cured / cured on reboot: 0 / 0 / 0

15:59:14:870 2612

15:59:14:870 2612 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system

15:59:14:870 2612 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software

15:59:14:880 2612 KLMD(ARK) unloaded successfully

Looking at your system now, one or more of the identified infections is a backdoor Trojan\Rootkit.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

===========

Download TDSSKiller and save it to your Desktop.

  • Right click on the file and choose extract all extract the file to your desktop then run it.
  • If prompted to restart the computer type in Y then it will restart.
  • Once completed it will create a log in your C:\ drive
  • Please post the contents of that log

===========

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Share this post


Link to post
Share on other sites

The log for combofix is below. For some reason, the Windows Recovery Console didn't install, but then combofix ran anyway? Hopefully this didn't screw things up to much? I've been trying to find a downloadable version of the Windows Recovery Consolve without success.

T

---------

ComboFix 10-05-20.A4 - Administrator 05/21/2010 16:27:55.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.585 [GMT -4:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Administrator\Application Data\.#

c:\documents and settings\Administrator\Application Data\ATManager

c:\documents and settings\Administrator\Application Data\ATManager\languages\English.lng

c:\documents and settings\Administrator\Application Data\ATManager\languages\template.lng

c:\documents and settings\Administrator\Application Data\ATManager\metafiles\e7e2135bcdfc87179deacdb1cdac8b7a.torrent

c:\documents and settings\Administrator\Application Data\ATManager\settings.ini

c:\documents and settings\Administrator\Application Data\E598DE6242B331FC4697A9B7D87903A5

c:\documents and settings\Administrator\Application Data\E598DE6242B331FC4697A9B7D87903A5\enemies-names.txt

c:\documents and settings\Administrator\Application Data\E598DE6242B331FC4697A9B7D87903A5\gotnewupdate000.exe

c:\documents and settings\Administrator\Application Data\E598DE6242B331FC4697A9B7D87903A5\hookdll.dll

c:\documents and settings\Administrator\Application Data\E598DE6242B331FC4697A9B7D87903A5\lsrslt.ini

c:\documents and settings\Administrator\Start Menu\Programs\Antimalware Doctor

c:\documents and settings\Administrator\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk

c:\documents and settings\Administrator\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk

c:\windows\Amodua.exe

c:\windows\Fonts\GLECB.TTF

c:\windows\system32\-81dbeb3f.exe

c:\windows\system32\Cache

c:\windows\system32\grpconv.exe was missing

Restored copy from - c:\windows\ServicePackFiles\i386\grpconv.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_MSIU-81dbeb3f

-------\Service_MSIU-81dbeb3f

((((((((((((((((((((((((( Files Created from 2010-04-21 to 2010-05-21 )))))))))))))))))))))))))))))))

.

2010-05-21 20:45 . 2010-05-19 02:43 70656 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\aA31793.dll

2010-05-21 20:41 . 2008-04-14 00:12 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe

2010-05-21 20:41 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe

2010-05-21 20:17 . 2010-05-21 20:18 -------- d-----w- C:\32788R22FWJFW

2010-05-21 19:54 . 2010-05-19 02:43 70656 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\SK93g7.dll

2010-05-21 02:10 . 2010-05-19 02:43 70656 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\q1wSKU79.dll

2010-05-20 16:14 . 2010-05-20 16:14 -------- d-----w- C:\temp

2010-05-20 15:15 . 2010-05-19 02:43 70656 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\IQ1wS31sK.dll

2010-05-20 10:39 . 2010-05-19 02:43 70656 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\cEI55.dll

2010-05-20 01:22 . 2010-05-19 02:43 70656 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\9i1qG317k.dll

2010-05-19 21:32 . 2010-05-19 02:43 70656 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\93179g17a.dll

2010-05-19 19:58 . 2010-05-19 19:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\GetRightToGo

2010-05-19 19:29 . 2010-05-19 02:43 70656 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\c9sK7y3.dll

2010-05-19 16:48 . 2009-11-10 14:26 767952 ----a-w- c:\windows\BDTSupport.dll

2010-05-19 16:48 . 2009-11-10 14:28 149456 ----a-w- c:\windows\SGDetectionTool.dll

2010-05-19 16:48 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip

2010-05-19 16:48 . 2009-11-10 14:28 165840 ----a-w- c:\windows\PCTBDRes.dll

2010-05-19 16:48 . 2009-11-10 14:28 1640400 ----a-w- c:\windows\PCTBDCore.dll

2010-05-19 16:48 . 2009-10-28 05:36 1152444 ----a-w- c:\windows\UDB.zip

2010-05-19 16:47 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2010-05-19 16:47 . 2009-10-06 20:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2010-05-19 16:47 . 2009-09-23 20:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2010-05-19 16:47 . 2010-02-05 13:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2010-05-19 16:46 . 2010-05-19 16:49 -------- d-----w- c:\program files\Common Files\PC Tools

2010-05-19 16:46 . 2010-05-19 16:46 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2010-05-19 16:46 . 2010-05-19 16:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools

2010-05-19 16:46 . 2010-05-19 16:52 -------- d-----w- c:\program files\Spyware Doctor

2010-05-19 16:45 . 2010-05-19 16:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\TrojanHunter

2010-05-19 15:30 . 2010-05-19 16:49 -------- d-----w- c:\program files\TrojanHunter 5.3

2010-05-19 11:23 . 2010-05-19 02:43 70656 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\SKUOC7.dll

2010-05-19 11:05 . 2010-05-19 02:43 70656 ----a-w- c:\windows\system32\-f36decbb.exe

2010-05-19 03:18 . 2010-05-19 07:00 -------- d-----w- c:\windows\system32\MpEngineStore

2010-05-19 03:14 . 2010-05-19 11:01 -------- d-----w- C:\82a5d4438523fbde003de8

2010-05-19 02:51 . 2010-05-19 02:51 -------- d-----w- C:\spoolerlogs

2010-05-19 02:48 . 2010-05-19 21:27 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\jdhlmjfvq

2010-05-19 02:44 . 2010-05-19 02:43 70656 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\7gMY7c3.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-21 20:45 . 2008-02-09 00:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-05-21 15:55 . 2010-01-28 03:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc

2010-05-20 12:58 . 2010-03-13 01:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Dropbox

2010-05-19 19:59 . 2009-10-01 20:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-19 03:10 . 2004-07-16 18:54 90112 ----a-w- c:\windows\DUMP815d.tmp

2010-05-09 19:55 . 2005-10-29 15:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype

2010-05-09 13:57 . 2009-10-25 14:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM

2010-04-29 19:39 . 2009-10-01 20:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2009-10-01 20:17 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-20 14:45 . 2010-03-20 14:45 8704 ----a-w- c:\windows\system32\SpOrder.dll

2010-03-10 06:15 . 2003-09-03 17:04 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-02-25 06:24 . 2004-08-24 01:32 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-24 13:11 . 2003-09-03 17:04 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2009-08-20 08:15 . 2009-08-20 08:15 135630545 ----a-w- c:\program files\openofficeorg1.cab

2009-08-20 08:13 . 2009-08-20 08:13 9815040 ----a-w- c:\program files\openofficeorg31.msi

2009-08-19 08:31 . 2009-08-19 08:31 336 ----a-w- c:\program files\setup.ini

2008-03-22 13:23 . 2008-03-22 13:24 774144 -c--a-w- c:\program files\RngInterstitial.dll

2002-03-11 09:06 . 2002-03-11 09:06 1822520 ----a-w- c:\program files\instmsiw.exe

2002-03-11 08:45 . 2002-03-11 08:45 1708856 ----a-w- c:\program files\instmsia.exe

2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

------- Sigcheck -------

[7] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ndis.sys

c:\windows\System32\drivers\ndis.sys ... is missing !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-06-26 14:36 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2009-04-02 23:50 809864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-04-02 809864]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-04-02 809864]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AGRSMMSG"="AGRSMMSG.exe" [2003-07-25 88363]

"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2003-08-21 81920]

"ACU"="c:\program files\Atheros\ACU.exe" [2006-04-12 336008]

"TDxVGAUTIL"="c:\windows\system32\TDxVGAUTIL.EXE" [2007-08-01 237568]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-25 16:50 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^MagicDisc.lnk]

path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\MagicDisc.lnk

backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk

backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk

backup=c:\windows\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Clean Access Agent.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Clean Access Agent.lnk

backup=c:\windows\pss\Clean Access Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk

backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk

backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk

backup=c:\windows\pss\Quicken Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TOAST.net Accelerator.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TOAST.net Accelerator.lnk

backup=c:\windows\pss\TOAST.net Accelerator.lnkCommon Startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SlipStream

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]

2010-03-19 19:59 2046816 ----a-w- c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]

2007-09-07 23:01 43008 ----a-w- c:\program files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Boingo Wi-Fi]

2009-10-01 13:26 2179 ----a-w- c:\program files\Boingo\Boingo Wi-Fi\Boingo.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2008-09-08 18:03 133104 ----atw- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

2003-03-27 07:34 53248 ----a-w- c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]

2003-02-13 08:01 155648 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-03-09 09:19 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]

2004-07-07 20:24 135168 ----a-w- c:\program files\Multimedia Card Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2007-07-19 17:36 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]

2003-07-03 02:25 618496 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]

2003-07-03 02:27 110592 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TDxVGAUTIL]

2007-08-01 14:41 237568 ------w- c:\windows\system32\Tdxvgautil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Schedule"=2 (0x2)

"mnmsrvc"=3 (0x3)

"iPodService"=3 (0x3)

"Fax"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Java\\jre1.5.0_05\\bin\\javaw.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/19/2010 12:47 PM 207280]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/1/2008 4:43 PM 335240]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/1/2008 4:43 PM 297752]

R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [9/3/2003 2:44 PM 190465]

R3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [9/3/2003 2:44 PM 5817]

R3 TdxMrMINI;TdxMrMINI;c:\windows\system32\drivers\TdxMrMini.sys [9/28/2007 11:28 AM 249600]

R3 TdxVGAMINI;TdxVGAMINI;c:\windows\system32\drivers\TdxVgaMini.sys [9/28/2007 11:28 AM 252160]

S0 vrvbqg;vrvbqg; [x]

S1 gyrcynpk;gyrcynpk;\??\c:\windows\system32\drivers\gyrcynpk.sys --> c:\windows\system32\drivers\gyrcynpk.sys [?]

S1 zrhkbeuop1;zrhkbeuop1;c:\windows\system32\drivers\zrhkbeuop1.sys --> c:\windows\system32\drivers\zrhkbeuop1.sys [?]

S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [5/19/2010 12:48 PM 112592]

S2 MSIU-f36decbb;MSIU-f36decbb;c:\windows\system32\-f36decbb.exe [5/19/2010 7:05 AM 70656]

S3 ADM851X;ADM851X USB To Fast Ethernet Adapter;c:\windows\system32\drivers\adm851x.sys [9/28/2007 11:28 AM 27135]

S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\aspi32.sys [3/21/2010 11:13 PM 16512]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/19/2010 12:46 PM 365280]

S3 SunkFilt6;Alcor Micro Corp - 6360;\??\c:\windows\System32\Drivers\sunkfilt6.sys --> c:\windows\System32\Drivers\sunkfilt6.sys [?]

S3 SunkFilt62;Alcor Micro Corp - 6362;c:\windows\system32\drivers\sunkfilt62.sys [7/23/2004 4:55 PM 46536]

S3 TdxVGAUSB;TARGUS USB2.0 VGA DOCK DEVICE(USB);c:\windows\system32\drivers\TdxVGAUSB.SYS [9/28/2007 11:28 AM 33280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

vvdsvc REG_MULTI_SZ vvdsvc

.

Contents of the 'Scheduled Tasks' folder

2009-07-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-753973301-2746587474-1836351941-500Core.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-08 18:03]

2009-07-22 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

- c:\program files\Ask.com\UpdateTask.exe [2009-04-02 23:50]

2009-10-08 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-04-30 02:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.nytimes.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

IE: {{74FD513B-2A58-4A42-9151-7551BFB6FCD7} - {E9C7A4B7-B0EF-4F32-9F82-45DBED19BA1A} - c:\progra~1\SCHOLA~1\SAEXPL~1.DLL

LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bs18700o.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com

FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=

FF - prefs.js: network.proxy.type - 4

FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bs18700o.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll

FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPInfotl.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint_03000F10.dll

FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll

FF - plugin: c:\program files\Veetle\Player\npvlc.dll

FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll

FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-ehqdwmto - c:\documents and settings\Administrator\ehqdwmto.exe

HKLM-Run-CmUsbSound - cmcnfgu.cpl

HKLM-Run-ehqdwmto - c:\windows\System32\ehqdwmto.exe

HKLM-Run-DisableWinXPWZCS - c:\program files\Atheros\DisableWinXPWZCS.exe

HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe

MSConfigStartUp-gotnewupdate000 - c:\documents and settings\Administrator\Application Data\E598DE6242B331FC4697A9B7D87903A5\gotnewupdate000.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-21 16:52

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-753973301-2746587474-1836351941-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"659BD8E725A05FDCC64118EA787EAA2B534A94FABE"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4f,b8,ed,4e,de,80,6a,41,97,a5,23,\

"3A77B377802A4B6183DDE08FDE4AD9AF647A702826"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4f,b8,ed,4e,de,80,6a,41,97,a5,23,\

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e0,98,f1,46,39,38,12,4a,90,d5,44,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3a,ee,e7,68,2c,d5,c5,4f,97,35,11,\

"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3a,ee,e7,68,2c,d5,c5,4f,97,35,11,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(304)

c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(364)

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2032)

c:\windows\system32\WININET.dll

c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\inetsrv\inetinfo.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\progra~1\AVG\AVG8\avgrsx.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\wscntfy.exe

c:\windows\AGRSMMSG.exe

c:\windows\system32\RunDll32.exe

.

**************************************************************************

.

Completion time: 2010-05-21 17:12:56 - machine was rebooted

ComboFix-quarantined-files.txt 2010-05-21 21:12

Pre-Run: 14,856,445,952 bytes free

Post-Run: 15,011,782,656 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4

- - End Of File - - 2A7A71E3354B32AA786E7AC54449762D

Share this post


Link to post
Share on other sites

1. Open notepad and copy/paste the text in the codebox below into it:

http://forums.malwarebytes.org/index.php?showtopic=50947

Collect::
c:\windows\system32\Spool\prtprocs\w32x86\aA31793.dll
c:\windows\system32\Spool\prtprocs\w32x86\SK93g7.dll
c:\windows\system32\Spool\prtprocs\w32x86\q1wSKU79.dll
c:\windows\system32\Spool\prtprocs\w32x86\IQ1wS31sK.dll
c:\windows\system32\Spool\prtprocs\w32x86\cEI55.dll
c:\windows\system32\Spool\prtprocs\w32x86\9i1qG317k.dll
c:\windows\system32\Spool\prtprocs\w32x86\93179g17a.dll
c:\windows\system32\Spool\prtprocs\w32x86\c9sK7y3.dll
c:\windows\system32\Spool\prtprocs\w32x86\SKUOC7.dll
c:\windows\system32\-f36decbb.exe
c:\windows\system32\Spool\prtprocs\w32x86\7gMY7c3.dll

TDL::
C:\WINDOWS\System32\DRIVERS\kbdclass.sys

Folder::
c:\documents and settings\Administrator\Local Settings\Application Data\jdhlmjfvq

FCopy::
c:\windows\ServicePackFiles\i386\ndis.sys|c:\windows\System32\drivers\ndis.sys

Driver::
vrvbqg
zrhkbeuop1
gyrcynpk

DDS::
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555

Reglock::
[HKEY_USERS\S-1-5-21-753973301-2746587474-1836351941-500\Software\Microsoft\Internet Explorer\User Preferences]

Save this as CFScript.txt

Drag CFScript.txt into ComboFix.exe

2. Save the above as CFScript.txt

3. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScriptB-4.gif

4. During this run Combofix will collect and automatically upload some sample files.

You will see it say Combofix needs to upload some samples.

If it fails to do that do the requested steps at the bottom of this post to manually upload the samples.

5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:

  • Combofix.txt

===========

Note::

If Combofix fails to upload anything please do the following:

Go to Start > My Computer > C:\

Then Navigate to C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zip

Click Here to upload the submit.zip please.

Share this post


Link to post
Share on other sites

While runing combofix, the program wanted to download Microsoft Windows Recovery Console from the internet. But I don't have a connection? Do I just continue with the scan?

T

Share this post


Link to post
Share on other sites

Let it try this time if it fails it will just continue on.

Share this post


Link to post
Share on other sites

Well, I don't know if it worked, but here's the log text of combofix:

ComboFix 10-05-20.A4 - Administrator 05/21/2010 23:25:45.2.1 - x86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.800 [GMT -4:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

file zipped: c:\windows\system32\-f36decbb.exe

file zipped: c:\windows\system32\Spool\prtprocs\w32x86\7gMY7c3.dll

file zipped: c:\windows\system32\Spool\prtprocs\w32x86\93179g17a.dll

file zipped: c:\windows\system32\Spool\prtprocs\w32x86\9i1qG317k.dll

file zipped: c:\windows\system32\Spool\prtprocs\w32x86\aA31793.dll

file zipped: c:\windows\system32\Spool\prtprocs\w32x86\c9sK7y3.dll

file zipped: c:\windows\system32\Spool\prtprocs\w32x86\cEI55.dll

file zipped: c:\windows\system32\Spool\prtprocs\w32x86\IQ1wS31sK.dll

file zipped: c:\windows\system32\Spool\prtprocs\w32x86\q1wSKU79.dll

file zipped: c:\windows\system32\Spool\prtprocs\w32x86\SK93g7.dll

file zipped: c:\windows\system32\Spool\prtprocs\w32x86\SKUOC7.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Administrator\Local Settings\Application Data\jdhlmjfvq

c:\windows\system32\-f36decbb.exe

c:\windows\system32\Spool\prtprocs\w32x86\7gMY7c3.dll

c:\windows\system32\Spool\prtprocs\w32x86\93179g17a.dll

c:\windows\system32\Spool\prtprocs\w32x86\9i1qG317k.dll

c:\windows\system32\Spool\prtprocs\w32x86\aA31793.dll

c:\windows\system32\Spool\prtprocs\w32x86\c9sK7y3.dll

c:\windows\system32\Spool\prtprocs\w32x86\cEI55.dll

c:\windows\system32\Spool\prtprocs\w32x86\IQ1wS31sK.dll

c:\windows\system32\Spool\prtprocs\w32x86\q1wSKU79.dll

c:\windows\system32\Spool\prtprocs\w32x86\SK93g7.dll

c:\windows\system32\Spool\prtprocs\w32x86\SKUOC7.dll

.

--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\ndis.sys --> c:\windows\System32\drivers\ndis.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_gyrcynpk

-------\Service_vrvbqg

-------\Service_zrhkbeuop1

-------\Legacy_MSIU-f36decbb

-------\Service_MSIU-f36decbb

((((((((((((((((((((((((( Files Created from 2010-04-22 to 2010-05-22 )))))))))))))))))))))))))))))))

.

2010-05-22 01:11 . 2008-04-13 19:20 182656 -c--a-w- c:\windows\system32\dllcache\ndis.sys

2010-05-22 01:11 . 2008-04-13 19:20 182656 ----a-w- c:\windows\system32\drivers\ndis.sys

2010-05-21 21:51 . 2010-05-19 02:43 70656 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\G5i55.dll

2010-05-21 21:34 . 2006-07-14 19:15 237637 ----a-w- c:\windows\system32\wsimd.dll

2010-05-21 21:34 . 2006-07-14 19:15 245831 ----a-w- c:\windows\system32\wsfwDS.dll

2010-05-21 21:34 . 2006-07-14 19:04 53248 ----a-w- c:\windows\system32\dsaNac.dll

2010-05-21 21:34 . 2006-07-14 19:04 1253432 ----a-w- c:\windows\system32\dsa.dll

2010-05-21 21:34 . 2006-06-02 16:52 54432 ----a-w- c:\windows\system32\wsimd.sys

2010-05-21 21:34 . 2006-06-02 16:52 54432 ----a-w- c:\windows\system32\drivers\wsimd.sys

2010-05-21 21:33 . 2006-06-13 15:27 507424 ----a-w- c:\windows\system32\ar5211.sys

2010-05-21 20:41 . 2008-04-14 00:12 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe

2010-05-21 20:41 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe

2010-05-20 16:14 . 2010-05-21 21:34 -------- d-----w- C:\temp

2010-05-19 19:58 . 2010-05-19 19:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\GetRightToGo

2010-05-19 16:48 . 2009-11-10 14:26 767952 ----a-w- c:\windows\BDTSupport.dll

2010-05-19 16:48 . 2009-11-10 14:28 149456 ----a-w- c:\windows\SGDetectionTool.dll

2010-05-19 16:48 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip

2010-05-19 16:48 . 2009-11-10 14:28 165840 ----a-w- c:\windows\PCTBDRes.dll

2010-05-19 16:48 . 2009-11-10 14:28 1640400 ----a-w- c:\windows\PCTBDCore.dll

2010-05-19 16:48 . 2009-10-28 05:36 1152444 ----a-w- c:\windows\UDB.zip

2010-05-19 16:47 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2010-05-19 16:47 . 2009-10-06 20:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2010-05-19 16:47 . 2009-09-23 20:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2010-05-19 16:47 . 2010-02-05 13:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2010-05-19 16:46 . 2010-05-19 16:49 -------- d-----w- c:\program files\Common Files\PC Tools

2010-05-19 16:46 . 2010-05-19 16:46 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2010-05-19 16:46 . 2010-05-19 16:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools

2010-05-19 16:46 . 2010-05-19 16:52 -------- d-----w- c:\program files\Spyware Doctor

2010-05-19 16:45 . 2010-05-19 16:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\TrojanHunter

2010-05-19 15:30 . 2010-05-19 16:49 -------- d-----w- c:\program files\TrojanHunter 5.3

2010-05-19 03:18 . 2010-05-19 07:00 -------- d-----w- c:\windows\system32\MpEngineStore

2010-05-19 03:14 . 2010-05-19 11:01 -------- d-----w- C:\82a5d4438523fbde003de8

2010-05-19 02:51 . 2010-05-19 02:51 -------- d-----w- C:\spoolerlogs

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-21 21:50 . 2008-02-09 00:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-05-21 21:39 . 2006-08-17 22:12 -------- d-----w- c:\program files\Atheros

2010-05-21 21:33 . 2003-09-03 17:42 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-05-21 15:55 . 2010-01-28 03:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc

2010-05-20 12:58 . 2010-03-13 01:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Dropbox

2010-05-19 19:59 . 2009-10-01 20:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-19 03:10 . 2004-07-16 18:54 90112 ----a-w- c:\windows\DUMP815d.tmp

2010-05-09 19:55 . 2005-10-29 15:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype

2010-05-09 13:57 . 2009-10-25 14:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM

2010-04-29 19:39 . 2009-10-01 20:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2009-10-01 20:17 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-20 14:45 . 2010-03-20 14:45 8704 ----a-w- c:\windows\system32\SpOrder.dll

2010-03-10 06:15 . 2003-09-03 17:04 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-02-25 06:24 . 2004-08-24 01:32 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-24 13:11 . 2003-09-03 17:04 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2009-08-20 08:15 . 2009-08-20 08:15 135630545 ----a-w- c:\program files\openofficeorg1.cab

2009-08-20 08:13 . 2009-08-20 08:13 9815040 ----a-w- c:\program files\openofficeorg31.msi

2009-08-19 08:31 . 2009-08-19 08:31 336 ----a-w- c:\program files\setup.ini

2008-03-22 13:23 . 2008-03-22 13:24 774144 -c--a-w- c:\program files\RngInterstitial.dll

2002-03-11 09:06 . 2002-03-11 09:06 1822520 ----a-w- c:\program files\instmsiw.exe

2002-03-11 08:45 . 2002-03-11 08:45 1708856 ----a-w- c:\program files\instmsia.exe

2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-06-26 14:36 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2009-04-02 23:50 809864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-04-02 809864]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-04-02 809864]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AGRSMMSG"="AGRSMMSG.exe" [2003-07-25 88363]

"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2003-08-21 81920]

"ACU"="c:\program files\Atheros\ACU.exe" [2006-08-10 344187]

"TDxVGAUTIL"="c:\windows\system32\TDxVGAUTIL.EXE" [2007-08-01 237568]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-25 16:50 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^MagicDisc.lnk]

path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\MagicDisc.lnk

backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk

backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk

backup=c:\windows\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Clean Access Agent.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Clean Access Agent.lnk

backup=c:\windows\pss\Clean Access Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk

backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk

backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk

backup=c:\windows\pss\Quicken Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TOAST.net Accelerator.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TOAST.net Accelerator.lnk

backup=c:\windows\pss\TOAST.net Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]

2010-03-19 19:59 2046816 ----a-w- c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]

2007-09-07 23:01 43008 ----a-w- c:\program files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Boingo Wi-Fi]

2009-10-01 13:26 2179 ----a-w- c:\program files\Boingo\Boingo Wi-Fi\Boingo.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2008-09-08 18:03 133104 ----atw- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

2003-03-27 07:34 53248 ----a-w- c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]

2003-02-13 08:01 155648 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-03-09 09:19 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]

2004-07-07 20:24 135168 ----a-w- c:\program files\Multimedia Card Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2007-07-19 17:36 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]

2003-07-03 02:25 618496 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]

2003-07-03 02:27 110592 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TDxVGAUTIL]

2007-08-01 14:41 237568 ------w- c:\windows\system32\Tdxvgautil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Schedule"=2 (0x2)

"mnmsrvc"=3 (0x3)

"iPodService"=3 (0x3)

"Fax"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Java\\jre1.5.0_05\\bin\\javaw.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/19/2010 12:47 PM 207280]

R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [9/3/2003 2:44 PM 190465]

R3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [9/3/2003 2:44 PM 5817]

S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/1/2008 4:43 PM 335240]

S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/1/2008 4:43 PM 297752]

S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [5/19/2010 12:48 PM 112592]

S3 ADM851X;ADM851X USB To Fast Ethernet Adapter;c:\windows\system32\drivers\adm851x.sys [9/28/2007 11:28 AM 27135]

S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\aspi32.sys [3/21/2010 11:13 PM 16512]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/19/2010 12:46 PM 365280]

S3 SunkFilt6;Alcor Micro Corp - 6360;\??\c:\windows\System32\Drivers\sunkfilt6.sys --> c:\windows\System32\Drivers\sunkfilt6.sys [?]

S3 SunkFilt62;Alcor Micro Corp - 6362;c:\windows\system32\drivers\sunkfilt62.sys [7/23/2004 4:55 PM 46536]

S3 TdxMrMINI;TdxMrMINI;c:\windows\system32\drivers\TdxMrMini.sys [9/28/2007 11:28 AM 249600]

S3 TdxVGAMINI;TdxVGAMINI;c:\windows\system32\drivers\TdxVgaMini.sys [9/28/2007 11:28 AM 252160]

S3 TdxVGAUSB;TARGUS USB2.0 VGA DOCK DEVICE(USB);c:\windows\system32\drivers\TdxVGAUSB.SYS [9/28/2007 11:28 AM 33280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

vvdsvc REG_MULTI_SZ vvdsvc

.

Contents of the 'Scheduled Tasks' folder

2009-07-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-753973301-2746587474-1836351941-500Core.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-08 18:03]

2009-07-22 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

- c:\program files\Ask.com\UpdateTask.exe [2009-04-02 23:50]

2009-10-08 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-04-30 02:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.nytimes.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

IE: {{74FD513B-2A58-4A42-9151-7551BFB6FCD7} - {E9C7A4B7-B0EF-4F32-9F82-45DBED19BA1A} - c:\progra~1\SCHOLA~1\SAEXPL~1.DLL

LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bs18700o.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com

FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=

FF - prefs.js: network.proxy.type - 4

FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bs18700o.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll

FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPInfotl.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint_03000F10.dll

FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll

FF - plugin: c:\program files\Veetle\Player\npvlc.dll

FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll

FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-21 23:44

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(260)

c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(320)

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1328)

c:\windows\system32\WININET.dll

c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

c:\windows\system32\ieframe.dll

.

Completion time: 2010-05-21 23:58:29 - machine was rebooted

ComboFix-quarantined-files.txt 2010-05-22 03:58

ComboFix2.txt 2010-05-21 21:13

Pre-Run: 14,926,725,120 bytes free

Post-Run: 14,884,818,944 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4

- - End Of File - - C1E117DACB2800DBF893BF0A2CBDEF1A

Let it try this time if it fails it will just continue on.

Share this post


Link to post
Share on other sites

Great see if you can now get online.

If you can please do the following.

Go to Start > My Computer > C:\

Then Navigate to C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zip

Click Here to upload the submit.zip please.

Let me know when that is completed and run gmer once more with everything unchecked but for sections and the c:\ drive then please post that log.

Share this post


Link to post
Share on other sites

I can't start windows normally. I actually had to run those last scans in safe mode. Everytime the computer begins to start, it quckly crashes?

T

Great see if you can now get online.

If you can please do the following.

Go to Start > My Computer > C:\

Then Navigate to C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zip

Click Here to upload the submit.zip please.

Let me know when that is completed and run gmer once more with everything unchecked but for sections and the c:\ drive then please post that log.

Share this post


Link to post
Share on other sites

Hi can you be more specific does it restart automatically or go to a blue screen?

If it is a blue screen please give me the details of the blue screen

Share this post


Link to post
Share on other sites

Hi,

Sorry, I was away for 2 days. Yes, it automatically goes to blue screen. But I can't get the blue screen to stay on screen to read the error message?

T

Hi can you be more specific does it restart automatically or go to a blue screen?

If it is a blue screen please give me the details of the blue screen

Share this post


Link to post
Share on other sites

To get the blue screen to show simply tap the F8 key at startup the same way you would do it as to get into Safe Mode.

Instead of choosing Safe Mode choose Disable restart on system failure then hit enter.

Then enter again then post the information that the blue screen provides.

Share this post


Link to post
Share on other sites

Here's the key information.

Technical Information:

***STOP: 0x0000007E (0xC0000005, 0x80599F19, 0xF7B61690, 0xF7B6138C)

To get the blue screen to show simply tap the F8 key at startup the same way you would do it as to get into Safe Mode.

Instead of choosing Safe Mode choose Disable restart on system failure then hit enter.

Then enter again then post the information that the blue screen provides.

Share this post


Link to post
Share on other sites

Ok at what point did the blue screen show up?

Share this post


Link to post
Share on other sites

A few seconds after start up, before Windows starts to load.

T

Ok at what point did the blue screen show up?

Share this post


Link to post
Share on other sites

Sorry I meant at what point did it start to happen was it during our fixes or prior to that?

Share this post


Link to post
Share on other sites

Only after the last fix. Before that, I couldn't get it to load regular windows, but I could load in safe mode. Before all the fixes, I could load windows, but I had no internet.

T

Sorry I meant at what point did it start to happen was it during our fixes or prior to that?

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.