BleepingComputer.com: TDSS Rootkill

1. on 3/25/11 - several .exe program attempted to open on my computer. I stopped about 15 of them from being allowed, until I realized I was fighting a futile battle and shut the computer down. (No idea if that was a bad idea or not...I knew I was infected with something).

2. Ran "SuperAntiSpyware on 3/26, AM...found 5 problems that were removed. Norton Antivirus found nothing.

3. Still figured there was trouble, so I went looking into where the trouble files from the evening before were and found them in Temp folder under AppData. Scanned them with Norton...no problems. Scanned with MalwareBytes and most of them were BAD. TDSS Rootkill (about 35 files).

4. Been scanning ever since and coming up clean with all three of the above.

5. New problem: MalwareBytes completes ENTIRE scan in about 90 seconds. I know this cannot be accurate, as I have been using this program for 3-4 months now. I thought maybe the MalwareBytes program was corrupted by whatever I have got, so I uninstalled and redownloaded. Same problem today.

6. CPU usage has been consistently running at close 100% for the last 48 hours. This cannot be good for my computer but I'm not expert and suspect there is a problem.

7. Computer has been behind a firewall the entire time. Not entirely sure when or how I got infected.

8. Stopped CD Emulator with Defogger program. Ran DDS and GMER programs. Will attempt to zip files up and attach. I will wait to hear from someone before actually attaching, in case this is not the correct forum to attach them. I can include logs for AntiSpyware, but I was dumb and think I lost the logs from Malwarebytes, since I deleted and re-installed today.

9. I realize there is a high probability I have done something stupid among the things listed above. I'm not particularly technically savvy, so have mercy on my soul if I don't seem to terribly bright . I ran all scans SEPARATELY, but cannot swear I was not doing anything on the computer while scans were running, as I kind of need this computer for an awful lot.

10. Any suggestions or recommendations on how to proceed would be greatly appreciated. This site is awesome and even if you don't solve my particular issue, thanks for all you do.



DDS Log and GMER Below

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Tyson Brummer at 12:04:52.07 on Sat 03/26/2011
Internet Explorer: 8.0.6001.19019
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.2814.1118 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe
C:\Users\Tyson Brummer\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\Tyson Brummer\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {043C5167-00BB-4324-AF7E-62013FAEDACF} - No File
TB: {BA14329E-9550-4989-B3F2-9732E92D17CC} - No File
uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autorun=AUTORUN
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Dwagepiguyoru] rundll32.exe "c:\users\tyson brummer\appdata\local\rsqobcic.dll",Startup
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [UpdatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\users\tysonb~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2009-4-20 365952]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-3-11 1153368]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-11-8 1839776]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-4-20 193840]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-11-23 102448]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-5-9 43040]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-7-14 23888]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-03-26 13:23:46 764 ----a-w- c:\users\tysonb~1\appdata\local\iyoloniz.dll
2011-03-26 13:19:17 764 ----a-w- c:\users\tysonb~1\appdata\local\inovilox.dll
2011-03-25 20:14:28 6792528 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{c5ba771e-2b80-4a6a-bb5a-b9b56b1c4719}\mpengine.dll
2011-03-24 15:20:47 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-03-24 15:20:47 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-03-24 15:20:46 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-03-12 16:56:21 -------- d-----w- c:\users\tysonb~1\appdata\roaming\SUPERAntiSpyware.com
2011-03-12 16:56:21 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2011-03-12 16:56:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-03-09 14:09:16 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-09 14:09:15 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-09 14:09:14 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-09 14:09:14 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-09 14:09:01 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-03-09 14:09:00 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-05 15:30:17 -------- d-----w- c:\program files\CCleaner
.
==================== Find3M ====================
.
2011-02-02 22:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:57:01 2039808 ----a-w- c:\windows\system32\win32k.sys
2010-12-28 15:55:03 413696 ----a-w- c:\windows\system32\odbc32.dll
.
============= FINISH: 12:06:52.83 ===============


GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-03-27 12:54:12
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-5 WDC_WD1600BEVT-60ZCT1 rev.13.01A13
Running: gmer.exe; Driver: C:\Users\TYSONB~1\AppData\Local\Temp\kgtcypog.sys


---- System - GMER 1.0.15 ----

SSDT 87973F90 ZwAlertResumeThread
SSDT 879740A8 ZwAlertThread
SSDT 8795ED78 ZwAllocateVirtualMemory
SSDT 8793FFB0 ZwConnectPort
SSDT 87973D40 ZwCreateMutant
SSDT 87963128 ZwCreateThread
SSDT 879733E8 ZwFreeVirtualMemory
SSDT 87973E10 ZwImpersonateAnonymousToken
SSDT 87973ED0 ZwImpersonateThread
SSDT 87973308 ZwMapViewOfSection
SSDT 87973C80 ZwOpenEvent
SSDT 87963068 ZwOpenProcessToken
SSDT 879730A8 ZwOpenThreadToken
SSDT 87973430 ZwResumeThread
SSDT 87974400 ZwSetContextThread
SSDT 87973178 ZwSetInformationProcess
SSDT 87974330 ZwSetInformationThread
SSDT 87973BC0 ZwSuspendProcess
SSDT 879741B0 ZwSuspendThread
SSDT 8795EAA0 ZwTerminateProcess
SSDT 87974270 ZwTerminateThread
SSDT 87973248 ZwUnmapViewOfSection
SSDT 8795ECA8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 81CEE8A0 8 Bytes [90, 3F, 97, 87, A8, 40, 97, ...]
.text ntkrnlpa.exe!KeSetEvent + 131 81CEE8B4 4 Bytes [78, ED, 95, 87]
.text ntkrnlpa.exe!KeSetEvent + 1C1 81CEE944 4 Bytes JMP 15CE99CA
.text ntkrnlpa.exe!KeSetEvent + 1F5 81CEE978 4 Bytes [40, 3D, 97, 87]
.text ntkrnlpa.exe!KeSetEvent + 221 81CEE9A4 4 Bytes [28, 31, 96, 87]
.text ...

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.
If you are unable to create a log because your computer cannot start up successfully please provide detailed information about the Windows version you are using: What we in particular need to know is version, edition and if it is a 32bit or a 64bit system.
If you are unsure about any of these caracteristics, just let us know and we'll help you figuring it out. Please also tell us if you have your Windows CD/DVD handy.


Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report

• Please download OTL from one of the following mirrors:
  • This is THE Mirror
  
  
• Save it to your desktop.
  
• Double click on the icon on your desktop.
  
• Click the "Scan All Users" checkbox.
  
• In the custom scan box paste the following:
  

  msconfig
  safebootminimal
  activex
  drivers32
  netsvcs
  %SYSTEMDRIVE%\*.exe
  /md5start
  explorer.exe
  winlogon.exe
  wininit.exe
  hlp.dat
  /md5stop

  
  
• Push the button.
  
• Two reports will open, copy and paste them in a reply here:
  • OTL.txt <-- Will be opened
    
  • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Watch Topic.I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

Good afternoon,

No problem with the delay in response. I figured you were either really busy or I messed something up in my original post.

I have tinkered with the computer quite a bit since my original post (I can see you cringing from here) and do not seem to be currently having any issues. However, I am still fairly certain I am not clear of any infection. I am likely going to end up re-formatting and getting rid of Windows Vista and switching to Windows 7. I realize if I do that, then any work we do here will be for no good reason. But I haven’t completely decided to re-format, yet, and am wondering if I am still infected.

Here is what I have done since my original post:

1. Scanned numerous times with Norton Antivirus, MalwareBytes, SuperAntispyware, ran Kapersky’s TDSS Rootkit program, Ran an online scanner (forget which one, but it’ll likely show up in the log I send you) and finally gave up and downloaded AVG and have been tinkering around with that (I’ve not heard good things about that particular program, but I’ve gotten desperate).

2. Last week, I lost internet access and Internet Explorer completely stopped working. I reset Internet Explorer to default settings and it started working again. I found something suspicious in my tinkering but cannot remember what it was.

3. None of the scans above have found anything of note lately, other than what MalwareBytes found last week as I noted in my previous post. Again, I was dumb and lost the log of that scan because I uninstalled MalwareBytes and re-installed it, because I thought maybe it was malfunctioning.

4. No issues of note in the last few days. Just generally convinced my tinkering and the random scanning run could not have possibly solved the problem. If I run logs and you don’t see anything weird, I’ll actually trust that vs. my own uneducated opinion.

5. I’ve installed a lot of crap on my computer in the last week. Please forgive me for that, as I really was just grasping at straws. I realize I will have to do a lot of disabling and turning off of programs. I won’t do any of that until you tell me to do, though.

6. MalwareBytes scan FULL SCAN takes about 60-90 seconds now. That never used to be the case, so I have to figure something is messing with it. When I scan individual folders, it takes much longer to scan, so the only way I get it to scan suspicious things is to pick out individual folders. In other words, I don’t trust the MalwareBytes scan to pick anything up reliably.

7. Computer runs at 100% CPU usage at random points during usage. There is no real correlation between what I am doing at the time and when it suddenly starts to run like crazy. I can’t tell if there are any processes running that shouldn’t be, but this is definitely a new problem. The computer also shuts down with an audible “click” which is also a new problem that is obviously more likely to be hardware-related than anything else, but not sure if it is basically over-heating from having to work so hard. It feels warm to the touch but not hot when I shut down, so not certain this is a significant problem. Again, these just happen to be details that coincide with the original problem posted above.

Thank you for the time you have taken to reply. I realize I have not given many specifics, other than my computer is basically no longer acting right and it coincides very strongly with the timing of when I was suddenly infected with several .exe Rootkit files. Thanks very much for your help.

- tbrummer



OTL Extras logfile created on: 4/3/2011 11:35:19 AM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Tyson Brummer\Desktop
Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19019)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 48.00% Memory free
6.00 Gb Paging File | 4.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 138.69 Gb Total Space | 96.48 Gb Free Space | 69.56% Space Free | Partition Type: NTFS
Drive D: | 10.36 Gb Total Space | 1.78 Gb Free Space | 17.17% Space Free | Partition Type: NTFS

Computer Name: TYSONBRUMMER-PC | User Name: Tyson Brummer | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
http [open] -- Reg Error: Key error.
https [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{215F70DC-5398-4C4A-BA2D-04509B116306}" = protocol=17 | dir=in | app=c:\program files\avg\avg10\avgnsx.exe |
"{2411CCA4-3A68-4CF5-80F5-8AF00C41ED53}" = protocol=6 | dir=in | app=c:\program files\avg\avg10\avgemcx.exe |
"{2A273C57-005D-464F-8988-5C9CEDF97980}" = dir=in | app=c:\program files\hp\quickplay\qpservice.exe |
"{42D8C77E-E47A-4DA2-A159-B555C3118C0A}" = protocol=6 | dir=in | app=c:\program files\avg\avg10\avgmfapx.exe |
"{48B6C630-1DF5-44ED-AD12-88ED7AAEE6F5}" = protocol=6 | dir=in | app=c:\program files\common files\symantec shared\ccapp.exe |
"{4BAFF3A0-8DD5-4696-A02D-860AF68E4B1E}" = protocol=6 | dir=in | app=c:\program files\symantec\symantec endpoint protection\snac.exe |
"{4CC1EF65-1184-4309-A3E9-A4206B9B9FFE}" = protocol=17 | dir=in | app=c:\program files\avg\avg10\avgemcx.exe |
"{6D5BDF54-B292-42DD-8FBC-BEAEA8123F81}" = protocol=17 | dir=in | app=c:\program files\symantec\symantec endpoint protection\smc.exe |
"{74479465-BBFE-4EB5-8D33-805D7A2E2680}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{A112073A-7988-412E-B045-0BF4EFF172EA}" = protocol=17 | dir=in | app=c:\program files\avg\avg10\avgmfapx.exe |
"{A1DF4D89-6C98-4DDB-9F1A-AE1DA18D3887}" = protocol=17 | dir=in | app=c:\program files\common files\symantec shared\ccapp.exe |
"{A70DD455-0527-4683-A381-1B98BD68CEF2}" = protocol=17 | dir=in | app=c:\program files\avg\avg10\avgdiagex.exe |
"{AB4DD038-476E-4F8B-9419-3615BD0AAE8D}" = protocol=6 | dir=in | app=c:\program files\avg\avg10\avgnsx.exe |
"{B1AE504A-915F-40EB-8DBB-5A296D5FEB24}" = protocol=6 | dir=in | app=c:\program files\symantec\symantec endpoint protection\smc.exe |
"{E6AF2DA9-26EE-41DE-A6D0-18C4D566446C}" = protocol=17 | dir=in | app=c:\program files\symantec\symantec endpoint protection\snac.exe |
"{EC29BC54-42FA-447B-AA09-402CDE80AD2B}" = protocol=6 | dir=in | app=c:\program files\avg\avg10\avgdiagex.exe |
"{ED5344BB-D7A2-47A4-9A76-BB7B8C2F6260}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{EED59F82-F238-4260-AB51-DA393F916824}" = dir=in | app=c:\program files\cyberlink\powerdirector\pdr.exe |
"{F07A57A9-43C2-468D-82E2-BFCB5EE1ED5B}" = dir=in | app=c:\program files\hp\quickplay\qp.exe |
"TCP Query User{8D96ABDE-2818-4CAD-9CD0-5A57AD34811A}C:\users\tyson brummer\appdata\local\google\chrome\application\chrome.exe" = protocol=6 | dir=in | app=c:\users\tyson brummer\appdata\local\google\chrome\application\chrome.exe |
"UDP Query User{79355902-6565-4349-B0F4-1DCBA046C342}C:\users\tyson brummer\appdata\local\google\chrome\application\chrome.exe" = protocol=17 | dir=in | app=c:\users\tyson brummer\appdata\local\google\chrome\application\chrome.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{082702D5-5DD8-4600-BCE5-48B15174687F}" = HP Doc Viewer
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite
"{228C6B46-64E2-404E-898A-EF0830603EF4}" = HPNetworkAssistant
"{254C37AA-6B72-4300-84F6-98A82419187E}" = ActiveCheck component for HP Active Support Library
"{26A24AE4-039D-4CA4-87B4-2F83216015FF}" = Java™ 6 Update 24
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.40 H2
"{38058455-8C21-4C2F-B2F6-14ED166039CB}" = HP Total Care Setup
"{3877C901-7B90-4727-A639-B6ED2DD59D43}" = ESU for Microsoft Vista
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"{45D707E9-F3C4-11D9-A373-0050BAE317E1}" = HP DVD Play 3.7
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{50316C0A-CC2A-460A-9EA5-F486E54AC17D}_is1" = AVG PC Tuneup 2011
"{57A5AEC1-97FC-474D-92C4-908FCC2253D4}" = HP Customer Experience Enhancements
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{665CBCA4-5AB0-414B-A288-3F8F99FEFC45}" = HP User Guides 0118
"{669D4A35-146B-4314-89F1-1AC3D7B88367}" = HPAsset component for HP Active Support Library
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{84B70C16-7032-41EE-965C-3C8D9D566CBB}" = Symantec Endpoint Protection
"{86B3F2D6-AC2B-0014-8AE1-F2F77F781B0C}" = EndNote X4
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{9ADABDDE-9644-461B-9E73-83FA3EFCAB50}" = HP Wireless Assistant
"{AC76BA86-7AD7-1033-7B44-AA0000000001}" = Adobe Reader X (10.0.1)
"{AD72CFB4-C2BF-424E-9DF0-C7BAD1F30A11}" = Adobe Shockwave Player
"{B3AEF776-7FFF-4C50-A402-9119E3849EE0}" = AVG 2011
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C3A32068-8AB1-4327-BB16-BED9C6219DC7}" = Atheros Driver Installation Program
"{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
"{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}" = HP Update
"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE7E3BE0-2DD3-4416-A690-F9E4A99A8CFF}" = HP Active Support Library
"{D4E53304-1F6C-4111-9872-1BCD2CF5B642}" = AVG 2011
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.10
"AVG" = AVG 2011
"CNXT_AUDIO_HDA" = Conexant HD Audio
"ESET Online Scanner" = ESET Online Scanner v3
"File Shredder_is1" = File Shredder 2.0
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite
"InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
"InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"NVIDIA Drivers" = NVIDIA Drivers
"ResearchSoft Direct Export Helper" = ResearchSoft Direct Export Helper
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"XP Codec Pack" = XP Codec Pack

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-69092622-89767382-3679877709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"SEPVersion" = VT-SEPVersion checks for latest updates of Symantec Endpoint Protection

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/1/2011 5:17:30 PM | Computer Name = TysonBrummer-PC | Source = WinMgmt | ID = 10
Description =

Error - 4/2/2011 5:47:26 PM | Computer Name = TysonBrummer-PC | Source = WinMgmt | ID = 10
Description =

Error - 4/3/2011 11:12:29 AM | Computer Name = TysonBrummer-PC | Source = Perflib | ID = 1010
Description =

Error - 4/3/2011 11:12:31 AM | Computer Name = TysonBrummer-PC | Source = Perflib | ID = 1008
Description =

[ OSession Events ]
Error - 9/19/2010 11:50:55 AM | Computer Name = TysonBrummer-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session
lasted 89 seconds with 60 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 4/1/2011 5:17:30 PM | Computer Name = TysonBrummer-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 4/2/2011 5:47:16 PM | Computer Name = TysonBrummer-PC | Source = Dhcp | ID = 1001
Description = Your computer was not assigned an address from the network (by the
DHCP Server) for the Network Card with network address 00242C759518. The following
error occurred: %%1223. Your computer will continue to try and obtain an address
on its own from the network address (DHCP) server.

Error - 4/2/2011 5:47:17 PM | Computer Name = TysonBrummer-PC | Source = Dhcp | ID = 1001
Description = Your computer was not assigned an address from the network (by the
DHCP Server) for the Network Card with network address 00242C759518. The following
error occurred: %%1223. Your computer will continue to try and obtain an address
on its own from the network address (DHCP) server.

Error - 4/2/2011 5:47:26 PM | Computer Name = TysonBrummer-PC | Source = Service Control Manager | ID = 7000
Description =


< End of report >


OTL logfile created on: 4/3/2011 11:35:19 AM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Tyson Brummer\Desktop
Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19019)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 48.00% Memory free
6.00 Gb Paging File | 4.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 138.69 Gb Total Space | 96.48 Gb Free Space | 69.56% Space Free | Partition Type: NTFS
Drive D: | 10.36 Gb Total Space | 1.78 Gb Free Space | 17.17% Space Free | Partition Type: NTFS

Computer Name: TYSONBRUMMER-PC | User Name: Tyson Brummer | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/03 11:31:39 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Tyson Brummer\Desktop\OTL.exe
PRC - [2011/01/07 01:22:54 | 002,747,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgtray.exe
PRC - [2011/01/07 01:22:44 | 001,084,256 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgnsx.exe
PRC - [2011/01/07 01:22:12 | 001,052,512 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgemcx.exe
PRC - [2011/01/06 15:23:20 | 000,737,872 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
PRC - [2011/01/06 15:23:18 | 006,128,720 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
PRC - [2010/12/05 16:26:40 | 000,654,176 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgrsx.exe
PRC - [2010/12/05 16:26:12 | 000,650,592 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgchsvx.exe
PRC - [2010/11/30 17:26:12 | 000,749,384 | ---- | M] (AVG) -- C:\Program Files\AVG\AVG PC Tuneup 2011\BoostSpeed.exe
PRC - [2010/11/12 08:14:06 | 001,893,728 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
PRC - [2010/11/12 08:11:16 | 001,459,568 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
PRC - [2010/11/08 18:40:10 | 001,839,776 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
PRC - [2010/10/22 04:58:18 | 000,265,400 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgwdsvc.exe
PRC - [2010/10/22 04:56:58 | 000,845,664 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgcsrvx.exe
PRC - [2010/08/10 22:44:14 | 000,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2010/08/10 22:43:42 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/01/26 16:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
PRC - [2008/10/06 12:54:52 | 000,365,952 | ---- | M] () -- C:\Program Files\SMINST\BLService.exe


========== Modules (SafeList) ==========

MOD - [2011/04/03 11:31:39 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Tyson Brummer\Desktop\OTL.exe
MOD - [2010/08/31 11:43:52 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/01/06 15:23:18 | 006,128,720 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2010/11/17 21:42:54 | 000,357,744 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE -- (SNAC)
SRV - [2010/11/12 08:14:06 | 001,893,728 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService)
SRV - [2010/11/08 18:40:10 | 001,839,776 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2010/10/22 04:58:18 | 000,265,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG10\avgwdsvc.exe -- (avgwd)
SRV - [2010/09/07 17:05:51 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2010/08/10 22:43:42 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2010/08/10 22:43:42 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2009/01/26 16:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
SRV - [2008/10/06 12:54:52 | 000,365,952 | ---- | M] () [Auto | Running] -- C:\Program Files\SMINST\BLService.exe -- (Recovery Service for Windows)
SRV - [2008/01/20 22:33:00 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - [2011/03/31 04:00:00 | 001,393,144 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20110402.003\NAVEX15.SYS -- (NAVEX15)
DRV - [2011/03/31 04:00:00 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20110402.003\NAVENG.SYS -- (NAVENG)
DRV - [2011/01/22 10:54:58 | 000,125,488 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2010/12/08 04:12:38 | 000,251,728 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2010/11/12 13:19:38 | 000,299,984 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2010/09/17 14:10:28 | 000,320,944 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\srtspl.sys -- (SRTSPL)
DRV - [2010/09/17 14:10:28 | 000,284,720 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\Windows\System32\drivers\srtsp.sys -- (SRTSP)
DRV - [2010/09/17 14:10:28 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\srtspx.sys -- (SRTSPX)
DRV - [2010/09/13 15:27:40 | 000,025,680 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\AVGIDSEH.Sys -- (AVGIDSEH)
DRV - [2010/09/07 03:48:56 | 000,034,384 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\System32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2010/09/07 03:48:50 | 000,026,064 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\system32\DRIVERS\avgrkx86.sys -- (Avgrkx86)
DRV - [2010/08/19 04:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/08/19 04:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2010/08/03 15:23:58 | 000,027,216 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
DRV - [2010/08/03 15:23:54 | 000,123,472 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
DRV - [2010/08/03 15:23:52 | 000,030,288 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
DRV - [2010/05/10 14:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 14:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/12/18 15:42:12 | 000,421,424 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2009/09/03 16:03:48 | 000,188,080 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2009/09/03 16:03:48 | 000,026,416 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2009/07/23 21:01:00 | 009,791,072 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2009/07/14 12:51:12 | 000,023,888 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\COH_Mon.sys -- (COH_Mon)
DRV - [2008/12/20 03:01:46 | 001,093,120 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2008/06/05 12:58:42 | 000,222,208 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CHDRT32.sys -- (CnxtHdAudService)
DRV - [2008/05/09 15:17:32 | 000,043,040 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvhda32v.sys -- (NVHDA)
DRV - [2008/04/24 18:51:46 | 000,014,848 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvsmu.sys -- (nvsmu)
DRV - [2008/01/29 09:55:00 | 001,042,464 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2008/01/20 22:32:45 | 002,225,664 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw3v32.sys -- (NETw3v32) Intel®
DRV - [2007/10/17 19:36:54 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2007/06/18 20:12:04 | 000,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-69092622-89767382-3679877709-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
IE - HKU\S-1-5-21-69092622-89767382-3679877709-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG10\Firefox4\ [2011/03/30 08:36:50 | 000,000,000 | ---D | M]

[2011/01/22 11:15:20 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Tyson Brummer\AppData\Roaming\mozilla\Extensions
[2009/09/25 18:25:27 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Tyson Brummer\AppData\Roaming\mozilla\Extensions\mozswing@mozswing.org

O1 HOSTS File: ([2006/09/18 17:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)
O4 - HKLM..\Run: [UpdateP2GoShortCut] C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdatePSTShortCut] C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\S-1-5-21-69092622-89767382-3679877709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O13 - gopher Prefix: missing
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 172.31.248.34 172.31.248.66 172.31.248.98
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKU\S-1-5-21-69092622-89767382-3679877709-1000 Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Tyson Brummer\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Tyson Brummer\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync) - C:\Program Files\AVG\AVG10\avgchsvx.exe (AVG Technologies CZ, s.r.o.)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart) - C:\Program Files\AVG\AVG10\avgrsx.exe (AVG Technologies CZ, s.r.o.)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*


SafeBootMin: AppMgmt - Service
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: ccEvtMgr - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SafeBootMin: ccSetMgr - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: HelpSvc - Service
SafeBootMin: NTDS - File not found
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: sacsvr - Service
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: Symantec Antivirus - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe (Symantec Corporation)
SafeBootMin: Symantec Antvirus - Service
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {166B1BCA-3F9C-11CF-8075-444553540000} - Macromedia Shockwave Director 10.1
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} -
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 11.0
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Macromedia Shockwave Director 10.1
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3C3901C5-3455-3E0A-A214-0B093A5070A6} - .NET Framework
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} -
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\Windows\system32\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

Drivers32: msacm.ac3filter - C:\Windows\System32\ac3filter.acm ()
Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.l3codecp - C:\Windows\System32\l3codecp.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.XVID - C:\Windows\System32\xvidvfw.dll ()

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - File not found
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

========== Files/Folders - Created Within 30 Days ==========

[2011/04/03 11:31:43 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\Tyson Brummer\Desktop\OTL.exe
[2011/04/01 20:27:03 | 000,000,000 | ---D | C] -- C:\Users\Tyson Brummer\Desktop\kldetector13
[2011/03/31 14:32:08 | 000,000,000 | ---D | C] -- C:\Users\Tyson Brummer\AppData\Roaming\AVG
[2011/03/31 14:31:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG PC Tuneup 2011
[2011/03/31 14:30:36 | 007,592,248 | ---- | C] (AVG ) -- C:\Users\Tyson Brummer\Desktop\avg_pct_stf_all_2011_24_c5.exe
[2011/03/29 19:09:50 | 000,000,000 | ---D | C] -- C:\Users\Tyson Brummer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome
[2011/03/29 19:08:59 | 000,000,000 | ---D | C] -- C:\Users\Tyson Brummer\AppData\Local\Google
[2011/03/29 19:08:46 | 000,000,000 | ---D | C] -- C:\Users\Tyson Brummer\AppData\Local\Deployment
[2011/03/29 14:46:32 | 000,000,000 | ---D | C] -- C:\Users\Tyson Brummer\AppData\Roaming\AVG10
[2011/03/29 14:44:51 | 000,000,000 | -H-D | C] -- C:\ProgramData\Common Files
[2011/03/29 14:43:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG 2011
[2011/03/29 14:39:28 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG10
[2011/03/29 14:39:28 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\AVG
[2011/03/29 14:36:09 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2011/03/29 14:31:12 | 000,000,000 | ---D | C] -- C:\ProgramData\MFAData
[2011/03/29 14:30:58 | 004,738,888 | ---- | C] (AVG Technologies) -- C:\Users\Tyson Brummer\Desktop\avg_free_stb_all_2011_1209_htmlit.exe
[2011/03/29 14:23:09 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/03/29 14:13:32 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2011/03/29 14:13:31 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2011/03/29 14:13:31 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2011/03/29 14:11:35 | 000,885,024 | ---- | C] (Sun Microsystems, Inc.) -- C:\Users\Tyson Brummer\Desktop\JavaSetup6u24.exe
[2011/03/27 12:59:38 | 007,734,208 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Tyson Brummer\Desktop\mbam-setup.exe
[2011/03/26 15:13:39 | 001,377,112 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Tyson Brummer\Desktop\tdsskiller.exe
[2011/03/26 11:52:31 | 000,000,000 | ---D | C] -- C:\Users\Tyson Brummer\Desktop\gmer
[2011/03/26 10:01:17 | 000,000,000 | ---D | C] -- C:\Users\Tyson Brummer\Desktop\Spring 2011
[2011/03/24 11:20:47 | 001,068,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\DWrite.dll
[2011/03/24 11:20:46 | 000,288,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XpsGdiConverter.dll
[2011/03/12 12:56:21 | 000,000,000 | ---D | C] -- C:\Users\Tyson Brummer\AppData\Roaming\SUPERAntiSpyware.com
[2011/03/12 12:56:21 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2011/03/12 12:56:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
[2011/03/12 12:56:02 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2011/03/09 10:09:16 | 000,429,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\EncDec.dll
[2011/03/09 10:09:15 | 000,322,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\sbe.dll
[2011/03/09 10:09:14 | 000,177,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mpg2splt.ax
[2011/03/09 10:09:14 | 000,153,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\sbeio.dll
[2004/11/24 14:25:52 | 000,335,872 | ---- | C] ( ) -- C:\Windows\System32\drvc.dll
[1 C:\Users\Tyson Brummer\Desktop\*.tmp files -> C:\Users\Tyson Brummer\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/04/03 11:31:39 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Tyson Brummer\Desktop\OTL.exe
[2011/04/03 11:14:00 | 000,000,940 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-69092622-89767382-3679877709-1000UA.job
[2011/04/03 11:06:51 | 111,284,821 | ---- | M] () -- C:\Windows\System32\drivers\AVG\incavi.avm
[2011/04/03 11:02:40 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/04/02 19:47:05 | 000,003,344 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/04/02 19:47:05 | 000,003,344 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/04/02 19:14:00 | 000,000,888 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-69092622-89767382-3679877709-1000Core.job
[2011/04/02 18:22:38 | 000,050,688 | ---- | M] () -- C:\Users\Tyson Brummer\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/04/02 18:10:05 | 000,604,502 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/04/02 18:10:05 | 000,104,170 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/04/02 17:55:43 | 000,000,246 | ---- | M] () -- C:\ProgramData\hpqp.ini
[2011/04/01 20:26:21 | 000,038,030 | ---- | M] () -- C:\Users\Tyson Brummer\Desktop\kldetector13.zip
[2011/03/31 18:07:04 | 000,256,107 | ---- | M] () -- C:\Windows\System32\drivers\AVG\iavichjg.avm
[2011/03/31 14:31:12 | 000,000,930 | ---- | M] () -- C:\Users\Tyson Brummer\Desktop\AVG PC Tuneup 2011.lnk
[2011/03/31 14:30:35 | 007,592,248 | ---- | M] (AVG ) -- C:\Users\Tyson Brummer\Desktop\avg_pct_stf_all_2011_24_c5.exe
[2011/03/30 18:25:43 | 000,000,258 | ---- | M] () -- C:\Users\Tyson Brummer\Application Data\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
[2011/03/30 08:36:51 | 000,000,790 | ---- | M] () -- C:\Users\Public\Desktop\AVG 2011.lnk
[2011/03/29 19:09:55 | 000,002,082 | ---- | M] () -- C:\Users\Tyson Brummer\Desktop\Google Chrome.lnk
[2011/03/29 19:09:55 | 000,002,044 | ---- | M] () -- C:\Users\Tyson Brummer\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/03/29 14:31:05 | 004,738,888 | ---- | M] (AVG Technologies) -- C:\Users\Tyson Brummer\Desktop\avg_free_stb_all_2011_1209_htmlit.exe
[2011/03/29 14:11:42 | 000,885,024 | ---- | M] (Sun Microsystems, Inc.) -- C:\Users\Tyson Brummer\Desktop\JavaSetup6u24.exe
[2011/03/28 19:43:50 | 000,000,835 | ---- | M] () -- C:\Users\Tyson Brummer\Desktop\Internet Explorer.lnk
[2011/03/28 15:53:58 | 000,309,160 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/03/28 09:28:00 | 000,131,478 | ---- | M] () -- C:\Users\Tyson Brummer\Documents\Documents\cc_20110328_092745.reg
[2011/03/27 12:59:40 | 007,734,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Tyson Brummer\Desktop\mbam-setup.exe
[2011/03/26 15:13:50 | 001,377,112 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Tyson Brummer\Desktop\tdsskiller.exe
[2011/03/26 12:04:17 | 000,625,664 | ---- | M] () -- C:\Users\Tyson Brummer\Desktop\dds.scr
[2011/03/26 11:59:58 | 000,000,000 | ---- | M] () -- C:\Users\Tyson Brummer\defogger_reenable
[2011/03/26 11:58:30 | 000,050,477 | ---- | M] () -- C:\Users\Tyson Brummer\Desktop\Defogger.exe
[2011/03/26 11:51:35 | 000,293,019 | ---- | M] () -- C:\Users\Tyson Brummer\Desktop\gmer.zip
[2011/03/26 09:23:46 | 000,000,764 | ---- | M] () -- C:\Users\Tyson Brummer\AppData\Local\iyoloniz.dll
[2011/03/26 09:19:17 | 000,000,764 | ---- | M] () -- C:\Users\Tyson Brummer\AppData\Local\inovilox.dll
[2011/03/12 12:56:05 | 000,001,760 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/03/04 22:14:41 | 000,001,852 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader X.lnk
[1 C:\Users\Tyson Brummer\Desktop\*.tmp files -> C:\Users\Tyson Brummer\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/04/03 11:06:51 | 111,284,821 | ---- | C] () -- C:\Windows\System32\drivers\AVG\incavi.avm
[2011/04/01 20:26:28 | 000,038,030 | ---- | C] () -- C:\Users\Tyson Brummer\Desktop\kldetector13.zip
[2011/03/31 18:07:03 | 000,256,107 | ---- | C] () -- C:\Windows\System32\drivers\AVG\iavichjg.avm
[2011/03/31 14:31:12 | 000,000,930 | ---- | C] () -- C:\Users\Tyson Brummer\Desktop\AVG PC Tuneup 2011.lnk
[2011/03/30 18:25:43 | 000,000,258 | ---- | C] () -- C:\Users\Tyson Brummer\Application Data\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
[2011/03/29 19:09:55 | 000,002,082 | ---- | C] () -- C:\Users\Tyson Brummer\Desktop\Google Chrome.lnk
[2011/03/29 19:09:55 | 000,002,044 | ---- | C] () -- C:\Users\Tyson Brummer\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/03/29 19:09:07 | 000,000,940 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-69092622-89767382-3679877709-1000UA.job
[2011/03/29 19:09:04 | 000,000,888 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-69092622-89767382-3679877709-1000Core.job
[2011/03/29 14:43:20 | 000,000,790 | ---- | C] () -- C:\Users\Public\Desktop\AVG 2011.lnk
[2011/03/28 09:27:47 | 000,131,478 | ---- | C] () -- C:\Users\Tyson Brummer\Documents\Documents\cc_20110328_092745.reg
[2011/03/26 12:04:12 | 000,625,664 | ---- | C] () -- C:\Users\Tyson Brummer\Desktop\dds.scr
[2011/03/26 11:59:58 | 000,000,000 | ---- | C] () -- C:\Users\Tyson Brummer\defogger_reenable
[2011/03/26 11:58:23 | 000,050,477 | ---- | C] () -- C:\Users\Tyson Brummer\Desktop\Defogger.exe
[2011/03/26 11:51:22 | 000,293,019 | ---- | C] () -- C:\Users\Tyson Brummer\Desktop\gmer.zip
[2011/03/26 09:23:46 | 000,000,764 | ---- | C] () -- C:\Users\Tyson Brummer\AppData\Local\iyoloniz.dll
[2011/03/26 09:19:17 | 000,000,764 | ---- | C] () -- C:\Users\Tyson Brummer\AppData\Local\inovilox.dll
[2011/03/12 12:56:05 | 000,001,760 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/02/06 14:37:21 | 000,098,304 | ---- | C] () -- C:\Windows\System32\redmonnt.dll
[2011/01/23 16:50:46 | 000,819,200 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2011/01/23 16:50:43 | 000,180,224 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2010/04/03 13:02:11 | 000,001,356 | ---- | C] () -- C:\Users\Tyson Brummer\AppData\Local\d3d9caps.dat
[2009/11/08 13:20:51 | 000,050,688 | ---- | C] () -- C:\Users\Tyson Brummer\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/10/22 13:00:40 | 000,028,599 | ---- | C] () -- C:\ProgramData\nvModes.001
[2009/10/22 12:59:41 | 000,028,599 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2009/09/22 16:23:29 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/09/22 16:23:29 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009/05/26 03:01:45 | 000,000,246 | ---- | C] () -- C:\ProgramData\hpqp.ini
[2009/05/26 02:30:21 | 000,003,948 | ---- | C] () -- C:\Windows\System32\drivers\nvphy.bin
[2009/04/20 07:17:12 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2008/12/17 12:17:34 | 000,239,247 | ---- | C] () -- C:\Windows\System32\ff_theora.dll
[2008/10/31 10:51:58 | 001,314,816 | R--- | C] () -- C:\Windows\System32\PVSonyDll.dll
[2006/11/02 11:10:16 | 000,080,912 | ---- | C] () -- C:\Windows\System32\sherlock2.exe
[2006/11/02 08:53:49 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 08:44:53 | 000,309,160 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 06:33:01 | 000,604,502 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 06:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 06:33:01 | 000,104,170 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 06:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 06:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 04:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 04:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 03:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/03/09 05:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2004/10/03 12:50:54 | 000,129,024 | ---- | C] () -- C:\Windows\System32\ff_mpeg2enc.dll

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: EXPLORER.EXE >
[2009/04/20 07:35:13 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=37440D09DEAE0B672A04DCCF7ABF06BE -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
[2009/04/20 07:35:13 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
[2009/04/20 07:35:12 | 002,927,616 | ---- | M] (Microsoft Corporation) MD5=50BA5850147410CDE89C523AD3BC606E -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
[2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\explorer.exe
[2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe
[2009/04/20 07:35:13 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=E7156B0B74762D9DE0E66BDCDE06E5FB -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe
[2008/01/20 22:34:05 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=FFA764631CB70A30065C12EF8E174F9F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe

< MD5 for: WININIT.EXE >
[2008/01/20 22:33:13 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=101BA3EA053480BB5D957EF37C06B5ED -- C:\Windows\System32\wininit.exe
[2008/01/20 22:33:13 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=101BA3EA053480BB5D957EF37C06B5ED -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe

< MD5 for: WINLOGON.EXE >
[2009/04/11 02:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\System32\winlogon.exe
[2009/04/11 02:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741\winlogon.exe
[2008/01/20 22:34:38 | 000,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe

========== Alternate Data Streams ==========

@Alternate Data Stream - 196 bytes -> C:\ProgramData\Temp:0B4227B4
@Alternate Data Stream - 168 bytes -> C:\ProgramData\Temp:0B4227B4
@Alternate Data Stream - 104 bytes -> C:\ProgramData\Temp:D1B5B4F1

< End of report >

Hi,

have you had any detections since the initial scan?

I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either AVG or Norton.

regards myrti

Hi myrti,

No I have not had any additional scans turn anything up since the initial problem. Yeah, I realize that likely means I am being paranoid but probably not, since my computer simply is not acting the same as it was 10 days ago. That's kind of why I am leaning toward re-formatting.

I will turn off AVG, although Norton seems to let an awful lot slip by. Thanks for your help.

- tbrummer

Hi,

you are of course free to remove Norton instead of AVG. If you do so, please be sure to use their removal tool:
Download Nortonr Removal Tool here and follow the instructions in STEP 3 to download and run the norton removal tool.

Please also run the following scan:
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

C:\Users\Tyson Brummer\AppData\Local\iyoloniz.dll
C:\Users\Tyson Brummer\AppData\Local\inovilox.dll

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

regards myrti

Hi myrti,

Both files turned up nothing. No malware. Thanks.

- tbrummer

Hi,

I would still go through a couple of tests, if you want to hang around. If you think the PC is clean and are reassured, we can also break it off here.

regards myrti

Hi myrti,

I'll only be reassured when you are reassured. I'll run any tests you recommend. Thanks!

-tbrummer

Hi,

ok, I'd like to see a new scan with Malwarebytes. Please make sure to update the program and select quick scan and not flash scan.

regards myrti

Hi myrti,

Here's the scan ran below.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6260

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19019

4/3/2011 5:34:39 PM
mbam-log-2011-04-03 (17-34-39).txt

Scan type: Quick scan
Objects scanned: 142855
Time elapsed: 1 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Hi,

this is indeed very quick, however the number of files scanned match any average scan I see.

Please also run a scan with Eset, just to be safe:

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista users: You will need to to right-click on the either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

• Please go here then click on:
  

  Quote

  Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
  All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
• Select the option YES, I accept the Terms of Use then click on:
  
• When prompted allow the Add-On/Active X to install.
  
• Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  
• Now click on Advanced Settings and select the following:

• Scan for potentially unwanted applications
  
• Scan for potentially unsafe applications
  
• Enable Anti-Stealth Technology


• Now click on:
  
• The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  
• When completed the Online Scan will begin automatically.
  
• Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  
• When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  
• Now click on:
  
• Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  
• Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

However I do believe your PC to be clean.

regards myrti

Hi myrti,

Everything turned up clear. Thanks for your help! You can close this topic.

-tbrummer

Hi,

since your software seems up to date, I think that all that is left to do is to remove the tools we used:

Read those last few lines, in order to keep your pc safe and clean:
Please do the following to clean up your PC:

• Delete the tools used during the disinfection:
  
  • Download OTC from the following mirrors and save it to your desktop:
    
    • Mirror
    
    
  • Double click on
    
  • Push the large "Cleanup" button.
    
  • Allow your system to reboot.
  
  
• If OTC faild to remove all programs from your Desktop, please delete the rest manually.
  
• Disable and Enable System Restore.
  You can find instructions on how to disable and reenable system restore here:
  Windows ME System Restore Guide
  Windows XP System Restore Guide
  Windows Vista System Restore Guide
  
  Note: You should only do this once, not on a regular basis!
  You will not be able to restore computer to any earlier than today!

Please read these advices, in order to prevent reinfecting your PC:

• Install and update the following programs regularly:
  
  • an outbound firewall
    A comprehensive tutorial and a list of possible firewalls can be found here.
    
  • an AntiVirus Software
    It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    
  • an Anti-Spyware program
    Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    
  • Spyware Blaster
    A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    
  • MVPs hosts file
    A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on thehosts file, and what it can do for you,please consult the Tutorial on the Hosts file
  
  
• Keep Windows (and your other Microsoft software) up to date!
  I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holeswill allow an attacker unrestricted access to your computer.
  Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  
• Keep your other software up to date as well
  Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.
  
• Stay up to date!
  The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variantsevery single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing .

Some more links you might find of interest:

• Miekies' prevention suggestions
  
• So How did I get infected?
  
• Microsoft - 'Securityat home'
  
• Calendar of Updates: See which updates have been released.
  
• How to backup your Data with Cobian Backup:because you never know, when your harddisk might fail
  
• Commonly UsedFreeware Replacements: a nice list of freeware programs in all categories, that are regarded as useful by the users of this forum.
  
• osalt: Find (free) open source alternatives to known commercial software.

Have a nice day
myrti

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.