Internet Explorer homepage changed to blogtq.blogspot.com


  • This topic is locked
17 replies to this topic

#1 berryhalley
  • Members
  • 10 posts

Posted 07 January 2009 - 03:18 AM

Hi, I think my pc got infected with malware/virus from a flash disk. I noticed it after seeing our IE browser homepage was changed to blogtq.blogspot, not only that, I also found out that several pc functions were disabled like the Task Manager and Folder Option.
Also, how do I properly clean my flash disk? It seems like AVG doesn't recognize the virus or something. I need your help. Thanks!

Here are the DDS logs:

DDS.txt

DDS (Version 1.1.0) - FAT32x86
Run by Pc at 15:59:49.92 on Wed 01/07/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.406 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WScript.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2009 DVD\EDICT.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\idt\ecsxpv_5762_010208\wdm\STacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Chikka Messenger\Chikka v.4\ChikkaLauncher.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\Documents and Settings\Pc\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://blogtq.blogspot.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uWindow Title = Brought to you by TQ!
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [L09AXLRD_28804609] "c:\program files\microsoft student\microsoft student with encarta premium 2009 dvd\EDICT.EXE" -m
uRun: [PMCRemote]
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [winconfig] c:\windows\winconfig.dll.vbs
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\pc\applic~1\mozilla\firefox\profiles\v3p7qal8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-31 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-10-31 26824]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-11-4 875288]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-11-4 231704]
R4 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-10-31 76040]

=============== Created Last 30 ================

2009-01-07 13:54 <DIR> --d----- c:\program files\DivX
2009-01-07 13:53 196,096 -------- c:\windows\system32\MACD32.DLL
2009-01-07 13:53 138,752 -------- c:\windows\system32\MASE32.DLL
2009-01-07 13:53 136,192 -------- c:\windows\system32\MAMC32.DLL
2009-01-07 13:53 57,856 -------- c:\windows\system32\MASD32.DLL
2009-01-07 13:53 27,648 -------- c:\windows\system32\MA32.DLL
2009-01-07 13:52 2,179,072 -------- c:\windows\system32\mfc71d.dll
2009-01-07 13:52 765,952 -------- c:\windows\system32\msvcp71d.dll
2009-01-07 13:52 737,280 -------- c:\windows\system32\msvcp70d.dll
2009-01-07 13:52 544,768 -------- c:\windows\system32\msvcr71d.dll
2009-01-07 13:52 536,576 -------- c:\windows\system32\msvcr70d.dll
2009-01-07 13:52 446,464 -------- c:\windows\system32\HHActiveX.dll
2009-01-07 13:52 385,100 -------- c:\windows\system32\MSVCRTD.DLL
2009-01-07 13:51 626,688 -------- c:\windows\system32\msvcr80.dll
2009-01-07 13:51 548,864 -------- c:\windows\system32\msvcp80.dll
2009-01-07 13:51 487,424 -------- c:\windows\system32\MSVCP70.DLL
2009-01-07 13:51 <DIR> --d----- c:\program files\Pinnacle
2009-01-07 13:07 <DIR> --d----- c:\program files\DRAWings
2009-01-07 12:39 <DIR> --d----- c:\program files\Sony
2009-01-07 12:30 <DIR> --d----- c:\windows\system32\XPSViewer
2009-01-07 11:48 <DIR> --d----- c:\program files\Sony Setup
2009-01-06 00:10 <DIR> --d----- c:\docume~1\pc\applic~1\Malwarebytes
2009-01-06 00:10 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-06 00:10 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-06 00:10 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-06 00:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-05 23:48 <DIR> --d----- c:\program files\CCleaner
2009-01-05 20:12 <DIR> --d----- c:\program files\uTorrent
2009-01-05 20:11 <DIR> --d----- c:\docume~1\pc\applic~1\uTorrent
2008-12-30 11:50 <DIR> --d----- c:\program files\Ulead Systems
2008-12-26 21:13 69 a------- c:\windows\NeroDigital.ini
2008-12-26 21:06 106,496 a------- c:\windows\system32\TwnLib20.dll
2008-12-26 21:06 476,320 -------- c:\windows\system32\ImagXpr7.dll
2008-12-26 21:06 471,040 -------- c:\windows\system32\ImagXRA7.dll
2008-12-26 21:06 262,144 -------- c:\windows\system32\ImagXR7.dll
2008-12-26 21:06 1,568,768 -------- c:\windows\system32\ImagX7.dll
2008-12-26 21:06 155,648 a------- c:\windows\system32\NeroCheck.exe
2008-12-26 20:57 <DIR> --dsh--- C:\FOUND.000
2008-12-26 14:07 <DIR> --d----- C:\VLCPortable
2008-12-26 13:26 221,184 a------- c:\windows\system32\wmpns.dll
2008-12-11 16:19 9,530 a--shr-- c:\windows\winconfig.dll.vbs
2008-12-11 16:19 9,530 a--shr-- C:\winconfig.dll.vbs
2008-12-11 16:19 108 a--shr-- C:\autorun.inf

==================== Find3M ====================

2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-04 06:32 10,520 a------- c:\windows\system32\avgrsstx.dll
2008-11-02 16:03 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-11-01 14:57 104,579 a------- c:\windows\hpoins04.dat
2008-10-31 09:19 306,432 a------- c:\windows\system32\TuneUpDefragService.exe
2008-10-30 02:01 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 16:00:18.15 ===============


Attach.txt


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Version 1.0)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 10/30/2008 2:13:34 AM
System Uptime: 1/7/2009 9:12:11 AM (7 hours ago)

Motherboard: ECS | | 945GCT-M2
Processor: Intel® Celeron® CPU 2.66GHz | CPU 1 | 2667/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (FAT32) - 19 GiB total, 3.531 GiB free.
D: is FIXED (FAT32) - 19 GiB total, 11.053 GiB free.
E: is FIXED (FAT32) - 19 GiB total, 14.718 GiB free.
F: is FIXED (FAT32) - 19 GiB total, 7.387 GiB free.
G: is CDROM ()
H: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP69: 1/7/2009 12:27:38 AM - System Checkpoint
RP70: 1/7/2009 12:29:22 PM - Installed Windows XP WIC.
RP71: 1/7/2009 12:29:51 PM - Installed %1 %2.
RP72: 1/7/2009 12:29:55 PM - Printer Driver Microsoft XPS Document Writer Installed
RP73: 1/7/2009 12:39:53 PM - Installed Sony Vegas Pro 8.0
RP74: 1/7/2009 12:44:31 PM - Installed DVD Architect Pro 5.0
RP75: 1/7/2009 1:06:08 PM - Installed ISScript
RP76: 1/7/2009 1:07:21 PM - Installed DRAWings 2
RP77: 1/7/2009 1:44:17 PM - Installed CGS12_DRAWingsPatch
RP78: 1/7/2009 1:44:29 PM - Installed CGS12_DRAWingsPatch
RP79: 1/7/2009 1:51:54 PM - Installed TVCenter Pro
RP80: 1/7/2009 2:31:13 PM - Installed ISScript
RP81: 1/7/2009 2:31:30 PM - Installed CGS12_DRAWingsPatch

==== Installed Programs ======================

µTorrent
1310
1310_Help
1310Tour
1310Trb
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Stock Photos 1.0
AiO_Scan
AiOSoftware
Apple Mobile Device Support
Apple Software Update
AutoUpdate
AVG Free 8.0
Avidemux 2.4
Bejeweled 2 Deluxe 1.0
Bonjour
Bookworm Adventures Deluxe
BufferChm
CCleaner (remove only)
Chikka Messenger V4
Destinations
Director
DivX Codec
DRAWings 2
DVD Architect Pro 5.0
Fax
Gold Miner Vegas
Google Talk (remove only)
HangStan
High Definition Audio Driver Package - KB888111
HP Diagnostic Assistant
HP Image Zone 4.2
HP PSC & OfficeJet 4.2
HP Software Update
HPSystemDiagnostics
IDT Audio
Intel® Graphics Media Accelerator Driver
iTunes
IZArc 3.81
Java™ 6 Update 11
LightScribe 1.4.39.1
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft Math
Microsoft Office Professional Edition 2003
Microsoft Student with Encarta Premium 2009
Microsoft Visual C++ 2005 Redistributable
mIRC
Mozilla Firefox (3.0.5)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser
Nero Suite
OLYMPUS Master 2
Overland
Pinnacle TVCenter Pro
ProductContext
QFolder
QuickTime
Readme
Registry Mechanic 8.0
SAMSUNG Mobile USB Modem 1.0 Software
Samsung PC Studio 2.0 PIM & File Manager
Samsung PC Studio PC Sync
Scan
SierraHome Print Artist 12.0
Sony Vegas Pro 8.0
TrayApp
Trickshot
TuneUp Utilities 2008
Ulead Photo Express 4.0 SE
Unload
WebFldrs XP
WebReg
Winamp (remove only)
Windows Communication Foundation
Windows Imaging Component
Windows Media Format Runtime
Windows Media Player 10
Windows Presentation Foundation
Windows Workflow Foundation
WinZip 11.1
WordWeb
XML Paper Specification Shared Components Pack 1.0
Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

1/3/2009 7:22:25 AM, error: Dhcp [1002] - The IP address lease 192.168.1.33 for the Network Card with network address 0021977077CC has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
1/3/2009 12:17:40 PM, error: W32Time [34] - The time service has detected that the system time needs to be changed by -57517 seconds. The time service will not change the system time by more than -54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com (ntp.m|0x1|192.168.1.33:123->207.46.232.182:123) is working properly.

==== End Of File ===========================
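The first post and its DDS log together show the indicators a responder would look for: a Run entry that launches a .vbs through the Windows script host (the wscript.exe processes in the process list), hidden/system/read-only copies of winconfig.dll.vbs and autorun.inf in the drive root (the flash-disk route the poster suspects), Explorer and system policies that disable Task Manager, the registry tools and Folder Options, and a per-user IE start page that differs from the machine-wide one. As an added example that is not part of this thread and is not a BleepingComputer or DDS tool script, the Python below runs those checks over a handful of lines copied from the log above. The regular expressions, rule names, severity labels and the reading of the attribute column are this example's own assumptions about the DDS line format, not documented DDS output.

```python
"""Triage the persistence and lockdown indicators in a DDS 'Pseudo HJT Report'."""
import re
from dataclasses import dataclass

# Constructed sample input: lines in the format of the DDS "Pseudo HJT Report" and
# "Created Last 30" sections, copied from the log posted above (URLs stay defanged).
SAMPLE_DDS = r"""
uStart Page = hxxp://blogtq.blogspot.com/
uWindow Title = Brought to you by TQ!
mDefault_Page_URL = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [PMCRemote]
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [winconfig] c:\windows\winconfig.dll.vbs
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
2008-12-11 16:19 9,530 a--shr-- c:\windows\winconfig.dll.vbs
2008-12-11 16:19 9,530 a--shr-- C:\winconfig.dll.vbs
2008-12-11 16:19 108 a--shr-- C:\autorun.inf
2009-01-06 00:10 15,504 a------- c:\windows\system32\drivers\mbam.sys
"""

# A Run entry pointing at one of these starts a script host, not a native program.
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd")
# Policies that switch off the tools a user reaches for first (assumed rule set).
LOCKDOWN_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "NoFolderOptions"}

RUN_RE = re.compile(r"^[um]Run:\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
POLICY_RE = re.compile(r"^[um]Policies-\w+:\s+(?P<key>\w+)\s*=\s*(?P<val>\d+)")
PAGE_RE = re.compile(r"^(?P<scope>[um])(?P<key>Start Page|Default_Page_URL)\s*=\s*(?P<url>\S+)")
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+[\d,]+\s+(?P<attr>[a-z-]{8})\s+(?P<path>.+)$")


@dataclass
class Finding:
    severity: str  # "high" or "info" (labels chosen for this example)
    rule: str
    line: str


def target_path(cmd: str) -> str:
    """Program path of a Run command line: the quoted part, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_dds(text: str) -> list:
    """Return one Finding per suspicious Run, policy or hidden-file line."""
    findings = []
    pages = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := RUN_RE.match(line):
            if target_path(m.group("cmd")).lower().endswith(SCRIPT_EXT):
                findings.append(Finding("high", "script-autostart", line))
            continue
        if m := POLICY_RE.match(line):
            if m.group("key") in LOCKDOWN_POLICIES and m.group("val") != "0":
                findings.append(Finding("high", "tool-lockdown-policy", line))
            continue
        if m := PAGE_RE.match(line):
            pages[m.group("scope") + m.group("key")] = m.group("url").lower()
            continue
        if m := FILE_RE.match(line):
            # Attribute column read here (assumption) as: a=archive d=directory
            # s=system h=hidden r=read-only. System+hidden autorun.inf or a script
            # file is the pattern of a USB-spreading worm's payload.
            attr, path = m.group("attr"), m.group("path").lower()
            name = path.rsplit("\\", 1)[-1]
            if "s" in attr and "h" in attr and (name == "autorun.inf" or name.endswith(SCRIPT_EXT)):
                findings.append(Finding("high", "hidden-system-autorun-file", line))
    # A per-user start page that differs from the machine-wide one is the hijack tell.
    if pages.get("uStart Page") and pages.get("mStart Page") and pages["uStart Page"] != pages["mStart Page"]:
        findings.append(Finding("info", "start-page-override",
                                f"user {pages['uStart Page']} vs machine {pages['mStart Page']}"))
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"[{f.severity}] {f.rule}: {f.line}")
```

Run as a script it prints eight findings for the sample: the winconfig Run entry, the three lockdown policies, the three hidden system files in c:\windows and the drive root, and the start-page mismatch, while the legitimate ctfmon, Yahoo Messenger, MSConfig and Malwarebytes driver lines stay silent. An unquoted Run path containing spaces is cut at the first space, so a miss on such a line is a parser limitation rather than a clean result.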


#2 PropagandaPanda
  • Malware Response Team
  • 10,433 posts

Posted 13 January 2009 - 05:35 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Download and Run DDS
If you already have a copy of DDS, there is no need to download a new one.

Download DDS by sUBs from any of the links below:
DDS.com, DDS.scr, DDS.pif

Double click its icon to run it. If you are using Windows Vista, right click it and select "Run as Administrator".
When the scan is finished, two logs will open.
Post DDS.txt directly into your reply. Attach Attach.txt.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. If you are using Windows Vista, right click the icon and select "Run as Administrator". Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
Please tell me what changes have been made to the computer since your topic was started. Also give me an update on any symptoms.

With Regards,
The Panda

#3 berryhalley
  • Topic Starter
  • Members
  • 10 posts

Posted 14 January 2009 - 11:07 AM

Hello, Panda! I appreciate you helping me with my issue.
Here are the logs:

DDS


DDS (Version 1.1.0) - FAT32x86
Run by Pc at 23:27:46.73 on Wed 01/14/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.457 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\WScript.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2009 DVD\EDICT.EXE
C:\Program Files\Chikka Messenger\Chikka v.4\ChikkaLauncher.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\idt\ecsxpv_5762_010208\wdm\STacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Documents and Settings\Pc\Desktop\PC Security\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://blogtq.blogspot.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uWindow Title = Brought to you by TQ!
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [L09AXLRD_28804609] "c:\program files\microsoft student\microsoft student with encarta premium 2009 dvd\EDICT.EXE" -m
uRun: [PMCRemote]
mRun: [winconfig] c:\windows\winconfig.dll.vbs
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\pc\applic~1\mozilla\firefox\profiles\v3p7qal8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-31 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-10-31 26824]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-11-4 875288]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-11-4 231704]
R4 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-10-31 76040]

=============== Created Last 30 ================

2009-01-11 18:16 <DIR> --dsh--- C:\FOUND.001
2009-01-09 15:36 <DIR> --d----- c:\windows\Internet Logs
2009-01-07 13:54 <DIR> --d----- c:\program files\DivX
2009-01-07 13:53 196,096 -------- c:\windows\system32\MACD32.DLL
2009-01-07 13:53 138,752 -------- c:\windows\system32\MASE32.DLL
2009-01-07 13:53 136,192 -------- c:\windows\system32\MAMC32.DLL
2009-01-07 13:53 57,856 -------- c:\windows\system32\MASD32.DLL
2009-01-07 13:53 27,648 -------- c:\windows\system32\MA32.DLL
2009-01-07 13:52 2,179,072 -------- c:\windows\system32\mfc71d.dll
2009-01-07 13:52 765,952 -------- c:\windows\system32\msvcp71d.dll
2009-01-07 13:52 737,280 -------- c:\windows\system32\msvcp70d.dll
2009-01-07 13:52 544,768 -------- c:\windows\system32\msvcr71d.dll
2009-01-07 13:52 536,576 -------- c:\windows\system32\msvcr70d.dll
2009-01-07 13:52 446,464 -------- c:\windows\system32\HHActiveX.dll
2009-01-07 13:52 385,100 -------- c:\windows\system32\MSVCRTD.DLL
2009-01-07 13:51 626,688 -------- c:\windows\system32\msvcr80.dll
2009-01-07 13:51 548,864 -------- c:\windows\system32\msvcp80.dll
2009-01-07 13:51 487,424 -------- c:\windows\system32\MSVCP70.DLL
2009-01-07 13:51 <DIR> --d----- c:\program files\Pinnacle
2009-01-07 13:07 <DIR> --d----- c:\program files\DRAWings
2009-01-07 12:39 <DIR> --d----- c:\program files\Sony
2009-01-07 12:30 <DIR> --d----- c:\windows\system32\XPSViewer
2009-01-07 11:48 <DIR> --d----- c:\program files\Sony Setup
2009-01-06 00:10 <DIR> --d----- c:\docume~1\pc\applic~1\Malwarebytes
2009-01-06 00:10 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-06 00:10 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-06 00:10 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-06 00:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-05 23:48 <DIR> --d----- c:\program files\CCleaner
2009-01-05 20:12 <DIR> --d----- c:\program files\uTorrent
2009-01-05 20:11 <DIR> --d----- c:\docume~1\pc\applic~1\uTorrent
2008-12-30 11:50 <DIR> --d----- c:\program files\Ulead Systems
2008-12-26 21:13 69 a------- c:\windows\NeroDigital.ini
2008-12-26 21:06 106,496 a------- c:\windows\system32\TwnLib20.dll
2008-12-26 21:06 476,320 -------- c:\windows\system32\ImagXpr7.dll
2008-12-26 21:06 471,040 -------- c:\windows\system32\ImagXRA7.dll
2008-12-26 21:06 262,144 -------- c:\windows\system32\ImagXR7.dll
2008-12-26 21:06 1,568,768 -------- c:\windows\system32\ImagX7.dll
2008-12-26 21:06 155,648 a------- c:\windows\system32\NeroCheck.exe
2008-12-26 20:57 <DIR> --dsh--- C:\FOUND.000
2008-12-26 14:07 <DIR> --d----- C:\VLCPortable
2008-12-26 13:26 221,184 a------- c:\windows\system32\wmpns.dll

==================== Find3M ====================

2009-01-14 23:27 9,530 a--shr-- c:\windows\winconfig.dll.vbs
2009-01-14 23:27 9,530 a--shr-- C:\winconfig.dll.vbs
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-04 06:32 10,520 a------- c:\windows\system32\avgrsstx.dll
2008-11-02 16:03 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-11-01 14:57 104,579 a------- c:\windows\hpoins04.dat
2008-10-31 09:19 306,432 a------- c:\windows\system32\TuneUpDefragService.exe
2008-10-30 02:01 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 23:28:18.31 ===============



Attach


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Version 1.0)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 10/30/2008 2:13:34 AM
System Uptime: 1/14/2009 1:04:17 PM (10 hours ago)

Motherboard: ECS | | 945GCT-M2
Processor: Intel® Celeron® CPU 2.66GHz | CPU 1 | 2667/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (FAT32) - 19 GiB total, 2.773 GiB free.
D: is FIXED (FAT32) - 19 GiB total, 11.045 GiB free.
E: is FIXED (FAT32) - 19 GiB total, 14.716 GiB free.
F: is FIXED (FAT32) - 19 GiB total, 7.278 GiB free.
G: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP69: 1/7/2009 12:27:38 AM - System Checkpoint
RP70: 1/7/2009 12:29:22 PM - Installed Windows XP WIC.
RP71: 1/7/2009 12:29:51 PM - Installed %1 %2.
RP72: 1/7/2009 12:29:55 PM - Printer Driver Microsoft XPS Document Writer Installed
RP73: 1/7/2009 12:39:53 PM - Installed Sony Vegas Pro 8.0
RP74: 1/7/2009 12:44:31 PM - Installed DVD Architect Pro 5.0
RP75: 1/7/2009 1:06:08 PM - Installed ISScript
RP76: 1/7/2009 1:07:21 PM - Installed DRAWings 2
RP77: 1/7/2009 1:44:17 PM - Installed CGS12_DRAWingsPatch
RP78: 1/7/2009 1:44:29 PM - Installed CGS12_DRAWingsPatch
RP79: 1/7/2009 1:51:54 PM - Installed TVCenter Pro
RP80: 1/7/2009 2:31:13 PM - Installed ISScript
RP81: 1/7/2009 2:31:30 PM - Installed CGS12_DRAWingsPatch
RP82: 1/9/2009 12:28:00 PM - System Checkpoint
RP83: 1/10/2009 3:42:30 PM - System Checkpoint
RP84: 1/12/2009 12:56:25 PM - System Checkpoint
RP85: 1/14/2009 8:41:33 AM - System Checkpoint

==== Installed Programs ======================

µTorrent
1310
1310_Help
1310Tour
1310Trb
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Stock Photos 1.0
AiO_Scan
AiOSoftware
Apple Mobile Device Support
Apple Software Update
AutoUpdate
AVG Free 8.0
Avidemux 2.4
Bejeweled 2 Deluxe 1.0
Bonjour
Bookworm Adventures Deluxe
BufferChm
CCleaner (remove only)
Chikka Messenger V4
Destinations
Director
DivX Codec
DRAWings 2
DVD Architect Pro 5.0
Fax
Gold Miner Vegas
Google Talk (remove only)
HangStan
High Definition Audio Driver Package - KB888111
HP Diagnostic Assistant
HP Image Zone 4.2
HP PSC & OfficeJet 4.2
HP Software Update
HPSystemDiagnostics
IDT Audio
Intel® Graphics Media Accelerator Driver
iTunes
IZArc 3.81
Java™ 6 Update 11
LightScribe 1.4.39.1
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft Math
Microsoft Office Professional Edition 2003
Microsoft Student with Encarta Premium 2009
Microsoft Visual C++ 2005 Redistributable
mIRC
Mozilla Firefox (3.0.5)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser
Nero Suite
OLYMPUS Master 2
Overland
Pinnacle TVCenter Pro
ProductContext
QFolder
QuickTime
Readme
Registry Mechanic 8.0
SAMSUNG Mobile USB Modem 1.0 Software
Samsung PC Studio 2.0 PIM & File Manager
Samsung PC Studio PC Sync
Scan
SierraHome Print Artist 12.0
Sony Vegas Pro 8.0
TrayApp
Trickshot
TuneUp Utilities 2008
Ulead Photo Express 4.0 SE
Unload
WebFldrs XP
WebReg
Winamp (remove only)
Windows Communication Foundation
Windows Imaging Component
Windows Media Format Runtime
Windows Media Player 10
Windows Presentation Foundation
Windows Workflow Foundation
WinZip 11.1
WordWeb
XML Paper Specification Shared Components Pack 1.0
Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

1/9/2009 7:35:00 AM, error: Dhcp [1002] - The IP address lease 192.168.1.33 for the Network Card with network address 0021977077CC has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
1/10/2009 12:16:40 PM, error: W32Time [34] - The time service has detected that the system time needs to be changed by -57509 seconds. The time service will not change the system time by more than -54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com (ntp.m|0x1|192.168.1.33:123->207.46.197.32:123) is working properly.

==== End Of File ===========================


GMER

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-14 23:44:19
Windows 5.1.2600 Service Pack 2


---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2412] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6113A21C] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2412] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6113A14E] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2412] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [61139B0C] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2412] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6113A18E] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2412] @ C:\WINDOWS\system32\USER32.dll [GDI32.dll!GetStockObject] [61138F3A] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2412] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6113A21C] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2412] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6113A14E] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2412] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [61139B0C] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2412] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6113A18E] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2412] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [61138F3A] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2412] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6113A1CE] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2412] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6113A21C] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2412] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6113A18E] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2412] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6113A14E] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2412] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [61139B0C] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2412] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [61139723] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2412] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [61139723] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2412] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [61138E7D] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2412] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [61138E01] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2412] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [61138E3F] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2412] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!GetStockObject] [61138F3A] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2412] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6113A14E] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2412] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6113A18E] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2412] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [61139B0C] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2412] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6113A21C] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2412] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6113A1CE] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2412] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [61138F78] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2412] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [61138E3F] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2412] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [61139723] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2412] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [61138E7D] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2412] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [61139723] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2412] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [61138F40] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2412] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [61138E01] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll

---- Devices - GMER 1.0.14 ----

Device \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\IPMULTICAST avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xE2 0x63 0x26 0xF1 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x71 0x3B 0x04 0x66 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xE9 0x02 0x6C 0xFA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xDF 0x20 0x58 0x62 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xF6 0x0F 0x4E 0x58 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xE3 0x0E 0x66 0xD5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...

---- EOF - GMER 1.0.14 ----

#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:59 AM

Posted 14 January 2009 - 12:12 PM

Hello.

Let's see what we can do about that.

Disable Realtime Protection
Antimalware programs can interfere with the tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.
To disable AVG:
  • Please navigate to the system tray on the bottom right hand corner and look for the AVG icon.
  • Right click it-> select Quit Control Center.
  • A warning will pop up, click Yes
Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser also...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser also...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Download and Run OTMoveIT
  • Please download OTMoveIt3 by OldTimer to your desktop. If you have already used the program, there is no need to download a new one.
  • Double-click OTMoveIt3.exe to run it. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Copy the lines in the codebox below. Do not copy the word "code".
    :processes
    WScript.exe
    
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PMCRemote"=-
    "winconfig"=-
    
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "PMCRemote"=-
    
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    "Start Page"=-
    
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoFolderOptions"=-
    
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableRegistryTools"=-
    "DisableTaskMgr"=-
    
    :files
    c:\windows\winconfig.dll.vbs
    C:\winconfig.dll.vbs
    
    :commands
    [emptytemp]
    [Reboot]
  • Return to OTMoveIt3, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Close all open windows except OTMoveIt.
  • Click the MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key. Navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest ".log" file present, and copy/paste the contents of that document back here in your next post.

F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Please post back with:
-the OTMoveIt log
-the F-Secure scan log
-a new DDS log (just DDS.txt is fine)

Are those symptoms gone?

With Regards,
The Panda
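The OTMoveIt script above targets a small set of indicators that DDS already reports: Run entries (PMCRemote, winconfig), the IE Start Page, the DisableTaskMgr / DisableRegistryTools / NoFolderOptions policies and a .vbs loader. As an added example that is not part of the original post or of any of the tools named here, this Python script triages DDS "Pseudo HJT Report" lines for those same indicators so they can be spotted before a fix is written; the sample lines are constructed from the logs in this thread, and the winconfig Run line is reconstructed from the fix's targets rather than copied from a posted log.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Sequence


class Finding(NamedTuple):
    severity: str   # "high", "medium" or "low"
    line: str       # the DDS line that triggered the finding
    reason: str


# Policy values that lock the user out of Task Manager, regedit and Folder Options;
# the fix in this thread clears exactly these three.
RESTRICTIVE_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "NoFolderOptions"}

# Script hosts and script extensions typical of VBS worms such as the one in this thread.
SCRIPT_MARKERS = re.compile(r"(wscript\.exe|cscript\.exe|\.vbs\b|\.vbe\b|\.js\b|\.wsf\b)", re.I)

# DDS "Pseudo HJT Report" line shapes (leading u = HKCU, m = HKLM).
RUN_LINE = re.compile(r"^[um]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<target>.*)$")
POLICY_LINE = re.compile(r"^[um]Policies-(?P<key>\w+):\s*(?P<name>\w+)\s*=\s*(?P<value>\S+)")
SETTING_LINE = re.compile(r"^[um](?P<name>Start Page|Window Title)\s*=\s*(?P<value>.*)$")
# DDS defangs URLs as hxxp://; pull out the host part for comparison.
HOST = re.compile(r"^hxxps?://([^/]+)", re.I)


def triage_dds(lines: Sequence[str],
               expected_home_hosts: Optional[Sequence[str]] = None) -> List[Finding]:
    """Scan DDS report lines and return the hijack / lockout indicators found.

    expected_home_hosts: if given, a Start Page whose host is not in this list is
    reported (the original complaint in this thread was a changed IE homepage).
    """
    findings: List[Finding] = []
    allowed = {h.lower() for h in expected_home_hosts} if expected_home_hosts else None
    for raw in lines:
        line = raw.strip()
        m = RUN_LINE.match(line)
        if m:
            target = m.group("target").strip()
            if not target:
                findings.append(Finding("medium", line, "Run entry with an empty target (orphaned loader)"))
            elif SCRIPT_MARKERS.search(target):
                findings.append(Finding("high", line, "Run entry launches a script host or script file"))
            continue
        m = POLICY_LINE.match(line)
        if m:
            if m.group("name") in RESTRICTIVE_POLICIES and m.group("value") != "0":
                findings.append(Finding("high", line, f"{m.group('name')} set under Policies\\{m.group('key')}"))
            continue
        m = SETTING_LINE.match(line)
        if m:
            if m.group("name") == "Window Title":
                findings.append(Finding("low", line, "IE window title overridden"))
            elif allowed is not None:
                h = HOST.match(m.group("value"))
                host = h.group(1).lower() if h else ""
                if host not in allowed:
                    findings.append(Finding("medium", line, f"Start Page points at unexpected host {host or m.group('value')!r}"))
    return findings


def summarize(findings: Sequence[Finding]) -> Dict[str, int]:
    """Count findings per severity, e.g. {'high': 3, 'medium': 1, 'low': 1}."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample: lines taken from the DDS log in this thread, plus a winconfig
# Run line reconstructed from the targets of the OTMoveIt fix (not from a posted log).
SAMPLE_DDS = [
    "uWindow Title = Brought to you by TQ!",
    "mStart Page = hxxp://www.yahoo.com/",
    r"uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe",
    "uRun: [PMCRemote]",
    r"mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe",
    r"mRun: [winconfig] c:\windows\winconfig.dll.vbs",
    "uPolicies-explorer: NoFolderOptions = 1 (0x1)",
    "uPolicies-system: DisableTaskMgr = 1 (0x1)",
]

if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS, expected_home_hosts=["www.yahoo.com"]):
        print(f"[{f.severity:6}] {f.reason}: {f.line}")
```

Note that the policy finding reports which Policies subkey the value lives under, which is what decides where a removal entry has to point.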

#5 berryhalley

berryhalley
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:59 AM

Posted 14 January 2009 - 11:26 PM

Hello, the symptoms are still there. Here are the logs:

OTMoveIt

========== PROCESSES ==========
Process WScript.exe killed successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\PMCRemote not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\winconfig deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\\NoFolderOptions not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\\DisableRegistryTools deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\\DisableTaskMg not found.
========== FILES ==========
c:\windows\winconfig.dll.vbs moved successfully.
C:\winconfig.dll.vbs moved successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_1d8.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01152009_110103

Files moved on Reboot...
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat not found!
File C:\WINDOWS\temp\Perflib_Perfdata_1d8.dat not found!


F-Secure scan

Scanning Report
Thursday, January 15, 2009 11:42:07 - 12:08:59
Computer name: TQ
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\ E:\ F:\


--------------------------------------------------------------------------------

Result: 42 malware found
VBS/Solow.BC (virus)
C:\AUTORUN.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP86\A0016802.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP85\A0016706.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP85\A0016727.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP85\A0016770.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP84\A0016536.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP84\A0016572.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP84\A0016599.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP84\A0016633.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP84\A0016663.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP84\A0016690.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP83\A0015391.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP83\A0015407.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP83\A0015426.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP83\A0015451.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP83\A0015470.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP83\A0016470.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP83\A0016509.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP82\A0015218.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP82\A0015246.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP82\A0015270.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP82\A0015289.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP82\A0015338.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP82\A0015367.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP81\A0014951.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP81\A0015013.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP81\A0015075.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP81\A0015118.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP81\A0015160.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP81\A0015179.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP81\A0015202.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP79\A0014912.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP78\A0014896.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP77\A0014883.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP76\A0014857.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP75\A0014846.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP74\A0014833.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP73\A0014809.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP72\A0014651.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP69\A0013480.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP69\A0013503.INF (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61CDB169-2C6B-40C2-9C1F-EB6D1A7512E5}\RP69\A0014503.INF (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 22196
System: 3071
Not scanned: 7
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 42
Submitted: 42
Files not scanned:
C:\PAGEFILE.SYS
C:\DOCUMENTS AND SETTINGS\PC\LOCAL SETTINGS\TEMP\ETILQS_YJ1CRU6SOSN4HXA1CHEP
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.40.0
F-Secure Hydra: 2.8.8110, 2009-01-14
F-Secure AVP: 7.0.171, 2009-01-14
F-Secure Pegasus: 1.20.0, 2008-11-17
F-Secure Blacklight: 0.0.0
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics


DDS


DDS (Version 1.1.0) - FAT32x86
Run by Pc at 12:23:13.81 on Thu 01/15/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.519 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2009 DVD\EDICT.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\idt\ecsxpv_5762_010208\wdm\STacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Pc\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk32.exe
C:\DOCUME~1\Pc\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fssm32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Documents and Settings\Pc\Desktop\PC Security\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uWindow Title = Brought to you by TQ!
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [L09AXLRD_28804609] "c:\program files\microsoft student\microsoft student with encarta premium 2009 dvd\EDICT.EXE" -m
uRun: [PMCRemote]
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\pc\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\pc\applic~1\mozilla\firefox\profiles\v3p7qal8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-31 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-10-31 26824]
R3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;c:\docume~1\pc\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [2009-1-15 70144]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-11-4 875288]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-11-4 231704]
R4 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-10-31 76040]

=============== Created Last 30 ================

2009-01-15 11:10 <DIR> --d----- C:\fsaua.data
2009-01-15 11:01 <DIR> --d----- C:\_OTMoveIt
2009-01-14 23:30 250 a------- c:\windows\gmer.ini
2009-01-11 18:16 <DIR> --dsh--- C:\FOUND.001
2009-01-09 15:36 <DIR> --d----- c:\windows\Internet Logs
2009-01-07 13:54 <DIR> --d----- c:\program files\DivX
2009-01-07 13:53 196,096 -------- c:\windows\system32\MACD32.DLL
2009-01-07 13:53 138,752 -------- c:\windows\system32\MASE32.DLL
2009-01-07 13:53 136,192 -------- c:\windows\system32\MAMC32.DLL
2009-01-07 13:53 57,856 -------- c:\windows\system32\MASD32.DLL
2009-01-07 13:53 27,648 -------- c:\windows\system32\MA32.DLL
2009-01-07 13:52 2,179,072 -------- c:\windows\system32\mfc71d.dll
2009-01-07 13:52 765,952 -------- c:\windows\system32\msvcp71d.dll
2009-01-07 13:52 737,280 -------- c:\windows\system32\msvcp70d.dll
2009-01-07 13:52 544,768 -------- c:\windows\system32\msvcr71d.dll
2009-01-07 13:52 536,576 -------- c:\windows\system32\msvcr70d.dll
2009-01-07 13:52 446,464 -------- c:\windows\system32\HHActiveX.dll
2009-01-07 13:52 385,100 -------- c:\windows\system32\MSVCRTD.DLL
2009-01-07 13:51 626,688 -------- c:\windows\system32\msvcr80.dll
2009-01-07 13:51 548,864 -------- c:\windows\system32\msvcp80.dll
2009-01-07 13:51 487,424 -------- c:\windows\system32\MSVCP70.DLL
2009-01-07 13:51 <DIR> --d----- c:\program files\Pinnacle
2009-01-07 13:07 <DIR> --d----- c:\program files\DRAWings
2009-01-07 12:39 <DIR> --d----- c:\program files\Sony
2009-01-07 12:30 <DIR> --d----- c:\windows\system32\XPSViewer
2009-01-07 11:48 <DIR> --d----- c:\program files\Sony Setup
2009-01-06 00:10 <DIR> --d----- c:\docume~1\pc\applic~1\Malwarebytes
2009-01-06 00:10 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-06 00:10 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-06 00:10 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-06 00:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-05 23:48 <DIR> --d----- c:\program files\CCleaner
2009-01-05 20:12 <DIR> --d----- c:\program files\uTorrent
2009-01-05 20:11 <DIR> --d----- c:\docume~1\pc\applic~1\uTorrent
2008-12-30 11:50 <DIR> --d----- c:\program files\Ulead Systems
2008-12-26 21:13 69 a------- c:\windows\NeroDigital.ini
2008-12-26 21:06 106,496 a------- c:\windows\system32\TwnLib20.dll
2008-12-26 21:06 476,320 -------- c:\windows\system32\ImagXpr7.dll
2008-12-26 21:06 471,040 -------- c:\windows\system32\ImagXRA7.dll
2008-12-26 21:06 262,144 -------- c:\windows\system32\ImagXR7.dll
2008-12-26 21:06 1,568,768 -------- c:\windows\system32\ImagX7.dll
2008-12-26 21:06 155,648 a------- c:\windows\system32\NeroCheck.exe
2008-12-26 20:57 <DIR> --dsh--- C:\FOUND.000
2008-12-26 14:07 <DIR> --d----- C:\VLCPortable
2008-12-26 13:26 221,184 a------- c:\windows\system32\wmpns.dll

==================== Find3M ====================

2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-04 06:32 10,520 a------- c:\windows\system32\avgrsstx.dll
2008-11-02 16:03 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-11-01 14:57 104,579 a------- c:\windows\hpoins04.dat
2008-10-31 09:19 306,432 a------- c:\windows\system32\TuneUpDefragService.exe
2008-10-30 02:01 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 12:23:34.71 ===============


Attach


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Version 1.0)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 10/30/2008 2:13:34 AM
System Uptime: 1/15/2009 11:01:41 AM (1 hours ago)

Motherboard: ECS | | 945GCT-M2
Processor: Intel® Celeron® CPU 2.66GHz | CPU 1 | 2667/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (FAT32) - 19 GiB total, 3.671 GiB free.
D: is FIXED (FAT32) - 19 GiB total, 11.036 GiB free.
E: is FIXED (FAT32) - 19 GiB total, 14.716 GiB free.
F: is FIXED (FAT32) - 19 GiB total, 7.279 GiB free.
G: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP69: 1/7/2009 12:27:38 AM - System Checkpoint
RP70: 1/7/2009 12:29:22 PM - Installed Windows XP WIC.
RP71: 1/7/2009 12:29:51 PM - Installed %1 %2.
RP72: 1/7/2009 12:29:55 PM - Printer Driver Microsoft XPS Document Writer Installed
RP73: 1/7/2009 12:39:53 PM - Installed Sony Vegas Pro 8.0
RP74: 1/7/2009 12:44:31 PM - Installed DVD Architect Pro 5.0
RP75: 1/7/2009 1:06:08 PM - Installed ISScript
RP76: 1/7/2009 1:07:21 PM - Installed DRAWings 2
RP77: 1/7/2009 1:44:17 PM - Installed CGS12_DRAWingsPatch
RP78: 1/7/2009 1:44:29 PM - Installed CGS12_DRAWingsPatch
RP79: 1/7/2009 1:51:54 PM - Installed TVCenter Pro
RP80: 1/7/2009 2:31:13 PM - Installed ISScript
RP81: 1/7/2009 2:31:30 PM - Installed CGS12_DRAWingsPatch
RP82: 1/9/2009 12:28:00 PM - System Checkpoint
RP83: 1/10/2009 3:42:30 PM - System Checkpoint
RP84: 1/12/2009 12:56:25 PM - System Checkpoint
RP85: 1/14/2009 8:41:33 AM - System Checkpoint
RP86: 1/15/2009 9:41:11 AM - System Checkpoint

==== Installed Programs ======================

µTorrent
1310
1310_Help
1310Tour
1310Trb
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Stock Photos 1.0
AiO_Scan
AiOSoftware
Apple Mobile Device Support
Apple Software Update
AutoUpdate
AVG Free 8.0
Avidemux 2.4
Bejeweled 2 Deluxe 1.0
Bonjour
Bookworm Adventures Deluxe
BufferChm
CCleaner (remove only)
Chikka Messenger V4
Destinations
Director
DivX Codec
DRAWings 2
DVD Architect Pro 5.0
ERUNT 1.1j
Fax
Gold Miner Vegas
Google Talk (remove only)
HangStan
High Definition Audio Driver Package - KB888111
HP Diagnostic Assistant
HP Image Zone 4.2
HP PSC & OfficeJet 4.2
HP Software Update
HPSystemDiagnostics
IDT Audio
Intel® Graphics Media Accelerator Driver
iTunes
IZArc 3.81
Java™ 6 Update 11
LightScribe 1.4.39.1
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft Math
Microsoft Office Professional Edition 2003
Microsoft Student with Encarta Premium 2009
Microsoft Visual C++ 2005 Redistributable
mIRC
Mozilla Firefox (3.0.5)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser
Nero Suite
OLYMPUS Master 2
Overland
Pinnacle TVCenter Pro
ProductContext
QFolder
QuickTime
Readme
Registry Mechanic 8.0
SAMSUNG Mobile USB Modem 1.0 Software
Samsung PC Studio 2.0 PIM & File Manager
Samsung PC Studio PC Sync
Scan
SierraHome Print Artist 12.0
Sony Vegas Pro 8.0
TrayApp
Trickshot
TuneUp Utilities 2008
Ulead Photo Express 4.0 SE
Unload
WebFldrs XP
WebReg
Winamp (remove only)
Windows Communication Foundation
Windows Imaging Component
Windows Media Format Runtime
Windows Media Player 10
Windows Presentation Foundation
Windows Workflow Foundation
WinZip 11.1
WordWeb
XML Paper Specification Shared Components Pack 1.0
Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

1/9/2009 4:14:39 PM, error: Dhcp [1002] - The IP address lease 192.168.1.33 for the Network Card with network address 0021977077CC has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
1/10/2009 12:16:40 PM, error: W32Time [34] - The time service has detected that the system time needs to be changed by -57509 seconds. The time service will not change the system time by more than -54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com (ntp.m|0x1|192.168.1.33:123->207.46.197.32:123) is working properly.

==== End Of File ===========================

#6 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 15 January 2009 - 08:30 AM

Hello.

Kindly tell me which symptoms are still present.

With Regards,
The Panda

#7 berryhalley
  • Topic Starter
  • Members
  • 10 posts

Posted 15 January 2009 - 09:38 AM

I still can't edit my IE homepage settings - though it was changed back to yahoo.com, the title in the title bar looks like this: Yahoo! - Brought to you by TQ!
Other than that, I can't find Folder Options, and Task Manager is disabled. Those are the only symptoms I've noticed so far. :thumbsup:

#8 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 15 January 2009 - 12:02 PM

Hello.

Let's take care of those.

Run OTMoveIT
  • Please download OTMoveIt3 by OldTimer to your desktop. If you have already used the program, there is no need to download a new one.
  • Double-click OTMoveIt3.exe to run it. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Copy the lines in the codebox below. Do not copy the word "code".
    :processes
    explorer.exe
    
    :reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoFolderOptions"=-
    
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskMgr"=-
    
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    "Window Title"=-
    
    :commands
    [start explorer]
  • Return to OTMoveIt3, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Close all open windows except OTMoveIt.
  • Click the MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key. Navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest ".log" file present, and copy/paste the contents of that document back here in your next post.

That should take care of the IE title, the folder options, and the Task Manager.

Run MalwareBytes again (quick scan). I think it fixes the IE policies.

With Regards,
The Panda
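An added check, not from this thread or from OldTimer's tools: before a `:reg` fix like the one above is run, it is worth confirming that it targets the exact keys the scan reported, because a mistyped hive or a key one level too high deletes nothing and the restrictions stay in place. The Python below parses the `:reg` section of an OTMoveIt script and the `(O6 & O7) Current Version Policies` section of an OTViewIt log (both formats taken from how they appear in this thread; the two fix scripts and the scan excerpt in the code are constructed samples) and reports invalid hive names and any NoFolderOptions, DisableTaskMgr or HomePage value the fix leaves untouched.

```python
"""Cross-check an OTMoveIt ':reg' fix against the policy values an OTViewIt
scan reported, so a fix is not posted against a mistyped hive or the wrong key.

Added example, not part of the thread or of OldTimer's tools. The fix scripts
and the scan excerpt below are constructed to mirror the ones posted in this
thread; the line formats of both tools are assumed from what the posts show."""
import re

VALID_HIVES = {"HKEY_CLASSES_ROOT", "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE",
               "HKEY_USERS", "HKEY_CURRENT_CONFIG"}

# Policy values that lock the user out of Folder Options, Task Manager and the IE home page.
RESTRICTIONS = {"nofolderoptions", "disabletaskmgr", "homepage"}

# Constructed: a fix with a mistyped hive and both values placed one key too high.
POSTED_FIX = r"""
:processes
explorer.exe
:reg
[HKET_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]
"NoFolderOptions"=-
"DisableTaskMgr"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Window Title"=-
:commands
[start explorer]
"""

# Constructed: the same fix aimed at the keys the scan actually reported.
CORRECTED_FIX = r"""
:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage"=-
"""

# Constructed excerpt in the shape of OTViewIt's (O6 & O7) section.
SCAN_LOG = r"""
========== (O6 & O7) Current Version Policies ==========
[HKEY_CURRENT_USER\Software\policies\microsoft\internet explorer\Control Panel]
"HomePage"=1
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=0
"NoFolderOptions"=1
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableTaskMgr"=1
========== (O8) IE Context Menu Extensions ==========
"""


def section(text, header_prefix, wanted):
    """Keep the lines between the header containing `wanted` and the next header.
    OTMoveIt headers start with ':' (':reg'); OTViewIt's start with '=========='."""
    kept, inside = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith(header_prefix):
            inside = wanted.lower() in s.lower()
            continue
        if inside:
            kept.append(s)
    return "\n".join(kept)


def parse_reg_block(text):
    """Parse '[key]' / '"name"=data' lines into {(key, name): data}, lower-cased
    because registry paths are case-insensitive. Data '-' means 'delete this value'."""
    values, key = {}, None
    for line in text.splitlines():
        m = re.fullmatch(r"\[(.+)\]", line.strip())
        if m:
            key = m.group(1).lower()
            continue
        m = re.fullmatch(r'"([^"]*)"\s*=\s*(.*)', line.strip())
        if m and key is not None:
            values[(key, m.group(1).lower())] = m.group(2).strip()
    return values


def hive_errors(values):
    """Keys whose root is not a real hive (catches typos such as HKET_CURRENT_USER)."""
    return sorted({key for key, _ in values
                   if key.split("\\", 1)[0].upper() not in VALID_HIVES})


def uncovered_restrictions(scan_values, fix_values):
    """Restriction values the scan shows enabled under HKEY_CURRENT_USER that the fix
    does not delete at that exact key; maps (key, name) to the key the fix deletes
    that name under instead, or None if the fix never touches the name at all."""
    missed = {}
    for (key, name), data in scan_values.items():
        if name not in RESTRICTIONS or not key.startswith("hkey_current_user\\"):
            continue
        if data == "0" or fix_values.get((key, name)) == "-":
            continue  # not enabled, or deleted at the right key
        elsewhere = [k for (k, n), d in fix_values.items() if n == name and d == "-"]
        missed[(key, name)] = elsewhere[0] if elsewhere else None
    return missed
```

Run against the constructed samples, the first script yields one bad hive and leaves all three restrictions in place (two of them because the delete is aimed at the parent key), while the corrected script clears everything. The HKEY_USERS\S-1-5-21-… keys that OTViewIt also lists are the same user hive seen from the other root, so only the HKEY_CURRENT_USER copies are checked.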

#9 berryhalley
  • Topic Starter
  • Members
  • 10 posts

Posted 15 January 2009 - 10:43 PM

Hi! The title bar in IE has already been fixed; however, its homepage setting is still grayed out, so I can't edit it.
Task Manager is still disabled as well as Folder Options.

#10 berryhalley
  • Topic Starter
  • Members
  • 10 posts

Posted 15 January 2009 - 10:52 PM

Another symptom I forgot to tell you, I can't access our disk drives by the usual click/double click, it would say: Can not find script file "C:\winconfig.dll.vbs".
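That error is what an autorun.inf `shellexecute=` hijack looks like once the script it points to has been cleaned up: Explorer still runs the handler recorded for each drive, both from the autorun.inf on every partition and from the per-volume MountPoints2 keys cached under HKEY_CURRENT_USER, and only the .vbs file is gone. The Python below is an added example (not from the thread or from OldTimer's tools) that reads the "Autorun Files on Drives" and "MountPoints2" sections of an OTViewIt log, in the line layout the log later in this thread shows, and flags entries that launch a script host or carry hidden+system attributes; the two log excerpts in the code are constructed samples.

```python
"""Flag autorun.inf files and MountPoints2 entries that hand a drive's
double-click, Explore or AutoPlay action to a script host.

Added example, not code from the thread or from OldTimer's tools. The two log
excerpts below are constructed in the shape of OTViewIt's 'Autorun Files on
Drives' and 'MountPoints2' sections; that line layout is assumed from the log."""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")

# Constructed: two hijacked hard-disk partitions and one ordinary setup CD.
AUTORUN_SECTION = r"""
AUTOEXEC.BAT []
[2008/10/30 02:04:16 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ FAT32 ]
autorun.inf [[autorun] | shellexecute=wscript.exe winconfig.dll.vbs | ]
[2009/01/15 11:01:04 | 00,000,108 | RHS- | M] () -- C:\autorun.inf -- [ FAT32 ]
autorun.inf [[autorun] | shellexecute=wscript.exe winconfig.dll.vbs | ]
[2009/01/15 11:01:04 | 00,000,108 | RHS- | M] () -- D:\autorun.inf -- [ FAT32 ]
autorun.inf [[autorun] | open=setup.exe | icon=setup.exe,0 | ]
[2008/05/01 09:00:00 | 00,000,052 | ---- | M] () -- G:\autorun.inf -- [ CDFS ]
"""

# Constructed: one volume with the stock handler, one whose verbs all run a script.
MOUNTPOINTS_SECTION = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{181c54d8-d38c-11dd-aaea-0021977077cc}\Shell\AutoRun\command]
""=C:\WINDOWS\system32\Shell32.DLL -- [2005/09/22 19:05:30 | 08,450,560 | ---- | M] (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{19f3d306-ad14-11dd-aa3e-0021977077cc}\Shell\Open\Command]
""=wscript.exe sowar.vbs
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{19f3d306-ad14-11dd-aa3e-0021977077cc}\Shell\Explore\Command]
""=wscript.exe sowar.vbs
"""


@dataclass
class AutorunFile:
    path: str         # e.g. C:\autorun.inf
    attrs: str        # OTViewIt attribute column: R read-only, H hidden, S system
    directives: dict  # lower-cased [autorun] directives, e.g. {'shellexecute': '...'}


# '[date | size | attrs | M] () -- path -- [ fs ]' as OTViewIt prints a file line.
FILE_LINE = re.compile(r"\[[^|]*\|[^|]*\|\s*(\S+)\s*\|\s*M\]\s*\(\)\s*--\s*(.+?)\s*--")
MP_KEY = re.compile(r"\[.*\\MountPoints2\\(\{[^}]+\})\\Shell\\([^\\\]]+)\\command\]", re.I)


def parse_autorun_files(section):
    """Pair each 'autorun.inf [...]' directive line with the file line under it."""
    entries, pending = [], None
    for raw in section.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"autorun\.inf \[(.*)\]", line, re.I)
        if m:
            pending = {}
            for part in m.group(1).split(" | "):
                if "=" in part:
                    k, v = part.split("=", 1)
                    pending[k.strip().lower()] = v.strip()
            continue
        m = FILE_LINE.match(line)
        if m and pending is not None:
            entries.append(AutorunFile(m.group(2), m.group(1), pending))
            pending = None
    return entries


def parse_mountpoints(section):
    """Return (volume_guid, verb, command) for every Shell\\<verb>\\command value."""
    out, current = [], None
    for raw in section.splitlines():
        line = raw.strip()
        m = MP_KEY.fullmatch(line)
        if m:
            current = (m.group(1), m.group(2))
        elif current and line.startswith('""='):
            # OTViewIt appends ' -- [file details]' after the command; drop that part.
            out.append((current[0], current[1], line[3:].split(" -- ")[0].strip()))
            current = None
    return out


def launches_script(command):
    """True when the command hands off to a script host or names a script file."""
    tokens = command.replace('"', "").split()
    if not tokens:
        return False
    exe = tokens[0].rsplit("\\", 1)[-1].lower()
    return exe in SCRIPT_HOSTS or any(t.lower().endswith(SCRIPT_EXTS) for t in tokens)


def findings(autorun_section, mountpoints_section):
    """(where, why) pairs a responder should act on: script launches, and
    autorun.inf files flagged hidden+system, which a setup disc has no need for."""
    out = []
    for f in parse_autorun_files(autorun_section):
        for directive in ("open", "shellexecute"):
            cmd = f.directives.get(directive)
            if cmd and launches_script(cmd):
                out.append((f.path, f"{directive}= runs a script: {cmd}"))
        if "H" in f.attrs and "S" in f.attrs:
            out.append((f.path, "autorun.inf carries hidden+system attributes"))
    for guid, verb, cmd in parse_mountpoints(mountpoints_section):
        if launches_script(cmd):
            out.append((f"MountPoints2\\{guid}", f"Shell\\{verb} redirected to: {cmd}"))
    return out
```

On the constructed samples the setup CD produces no finding, each hijacked partition produces two (the script launch and the attribute set), and the second volume's Open and Explore verbs are reported from MountPoints2. The MountPoints2 entries are the part that outlives the script file itself, which is why deleting the .vbs alone leaves the double-click error in place.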

#11 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 16 January 2009 - 08:11 AM

Hello.

Download and Run OTViewIt
  • Please download OTViewIt by OldTimer to your desktop.
  • Double click on the OTViewIt.exe icon on your desktop. If you are using Windows Vista, right click the icon and select Run as Administrator.
  • Check both the Scan All Users and Use Whitelist checkboxes. Set the File Age to 30 days.
  • Click on the Run Scan button. Two reports, saved in the same location as OTViewIt, will open:
    OTViewIt.txt <-- Will be opened
    Extra.txt <-- Will be minimized. A new Extra.txt will not be created if one exists already.
Only OTViewIt.txt is needed.
With Regards,
The Panda

#12 berryhalley
  • Topic Starter
  • Members
  • 10 posts

Posted 16 January 2009 - 09:26 AM

OTViewIt.txt

OTViewIt logfile created on: 1/16/2009 10:22:20 PM - Run
OTViewIt by OldTimer - Version 1.0.21.0 Folder = C:\Documents and Settings\Pc\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1015.23 Mb Total Physical Memory | 538.02 Mb Available Physical Memory | 52.99% Memory free
2.39 Gb Paging File | 1.90 Gb Available in Paging File | 79.67% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.63 Gb Total Space | 3.40 Gb Free Space | 18.25% Space Free | Partition Type: FAT32
Drive D: | 18.63 Gb Total Space | 11.01 Gb Free Space | 59.10% Space Free | Partition Type: FAT32
Drive E: | 18.63 Gb Total Space | 14.72 Gb Free Space | 79.00% Space Free | Partition Type: FAT32
Drive F: | 18.63 Gb Total Space | 7.28 Gb Free Space | 39.07% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TQ
Current User Name: Pc
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2008/11/27 17:24:04 | 01,261,336 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\PROGRA~1\AVG\AVG8\avgtray.exe
[2008/06/03 01:05:38 | 00,351,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2009 DVD\EDICT.EXE
[2008/10/01 13:06:14 | 00,116,040 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
[2008/11/04 06:32:46 | 00,231,704 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
[2008/08/29 10:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
[2008/11/10 05:43:40 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
[2005/07/24 23:35:00 | 00,053,248 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe
[2003/06/19 23:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
[2007/12/13 20:27:34 | 00,212,992 | ---- | M] (IDT, Inc.) -- c:\program files\idt\ecsxpv_5762_010208\wdm\STacSV.exe
[2008/11/04 06:32:44 | 00,287,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\PROGRA~1\AVG\AVG8\avgrsx.exe
[2008/11/04 06:32:44 | 00,875,288 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\PROGRA~1\AVG\AVG8\avgemc.exe
[2007/08/28 17:11:36 | 00,036,864 | ---- | M] () -- C:\Program Files\Chikka Messenger\Chikka v.4\ChikkaLauncher.exe
[2004/08/03 08:56:58 | 00,218,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
[2004/08/03 08:56:52 | 00,093,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
[2008/11/04 06:32:50 | 00,540,440 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
[2008/12/17 23:11:56 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
[2008/10/17 00:39:50 | 02,810,880 | ---- | M] (mIRC Co. Ltd.) -- C:\Program Files\mIRC\mirc.exe
[2008/11/05 21:59:00 | 00,079,088 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
[2009/01/16 22:06:46 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Pc\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2008/10/31 10:00:40 | 00,072,704 | ---- | M] (Adobe Systems) -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service [On_Demand | Stopped])
[2008/10/01 13:06:14 | 00,116,040 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
[2005/09/23 07:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2008/11/04 06:32:44 | 00,875,288 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\PROGRA~1\AVG\AVG8\avgemc.exe -- (avg8emc [Auto | Running])
[2008/11/04 06:32:46 | 00,231,704 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Running])
[2008/08/29 10:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
[2005/09/23 07:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2006/10/20 21:21:24 | 00,036,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
[2006/10/30 03:33:58 | 00,741,376 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
[2008/10/01 18:57:00 | 00,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Stopped])
[2008/11/10 05:43:40 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
[2005/07/24 23:35:00 | 00,053,248 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService [Auto | Running])
[2003/06/19 23:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM [Auto | Running])
[2006/10/30 03:34:02 | 00,122,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
[2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2004/03/18 16:55:48 | 00,065,536 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12 [On_Demand | Stopped])
[2007/12/13 20:27:34 | 00,212,992 | ---- | M] (IDT, Inc.) -- c:\program files\idt\ecsxpv_5762_010208\wdm\STacSV.exe -- (STacSV [Auto | Running])
[2008/10/31 09:19:10 | 00,306,432 | ---- | M] (TuneUp Software GmbH) -- C:\WINDOWS\System32\TuneUpDefragService.exe -- (TuneUp.Defrag [On_Demand | Stopped])
[2004/08/11 01:45:04 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe -- (UMWdf [On_Demand | Stopped])

========== Driver Services ==========

[2008/11/04 06:32:44 | 00,097,928 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86 [System | Running])
[2008/11/04 06:32:44 | 00,026,824 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86 [System | Running])
[2008/11/04 06:32:54 | 00,076,040 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX [Auto | Running])
[2009/01/15 11:39:08 | 00,070,144 | ---- | M] () -- C:\DOCUME~1\Pc\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys -- (F-Secure Standalone Minifilter [On_Demand | Stopped])
[2008/04/17 13:12:54 | 00,015,464 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
[2009/01/14 23:30:46 | 00,085,969 | ---- | M] (GMER) -- C:\WINDOWS\System32\DRIVERS\gmer.sys -- (gmer [On_Demand | Stopped])
[2005/01/07 17:07:18 | 00,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
[2004/06/21 13:12:14 | 00,051,088 | R--- | M] (HP) -- C:\WINDOWS\system32\DRIVERS\HPZid412.sys -- (HPZid412 [On_Demand | Stopped])
[2004/06/21 13:12:14 | 00,016,496 | R--- | M] (HP) -- C:\WINDOWS\system32\DRIVERS\HPZipr12.sys -- (HPZipr12 [On_Demand | Stopped])
[2004/06/21 13:12:14 | 00,021,744 | R--- | M] (HP) -- C:\WINDOWS\system32\DRIVERS\HPZius12.sys -- (HPZius12 [On_Demand | Stopped])
[2007/12/18 19:32:12 | 05,854,688 | R--- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\igxpmp32.sys -- (ialm [On_Demand | Running])
[2001/08/22 20:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
[2003/10/28 02:02:00 | 00,020,016 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DRIVERS\PxHelp20.sys -- (PxHelp20 [Boot | Running])
[2007/07/11 19:49:16 | 00,096,384 | R--- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys -- (RTL8023xp [On_Demand | Running])
[2004/08/03 22:31:34 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) -- C:\WINDOWS\system32\DRIVERS\RTL8139.SYS -- (rtl8139 [On_Demand | Stopped])
[2004/07/17 03:36:38 | 00,027,440 | ---- | M] () -- C:\WINDOWS\system32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2001/08/17 13:48:00 | 00,017,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\sermouse.sys -- (sermouse [On_Demand | Stopped])
[2004/09/16 22:04:00 | 00,052,384 | R--- | M] (MCCI) -- C:\WINDOWS\system32\DRIVERS\ss_bus.sys -- (ss_bus [On_Demand | Stopped])
[2004/09/16 22:05:00 | 00,006,064 | R--- | M] (MCCI) -- C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys -- (ss_mdfl [On_Demand | Stopped])
[2004/09/16 22:05:00 | 00,084,512 | R--- | M] (MCCI) -- C:\WINDOWS\system32\DRIVERS\ss_mdm.sys -- (ss_mdm [On_Demand | Stopped])
[2007/12/13 20:28:20 | 01,270,872 | ---- | M] (IDT, Inc.) -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA [On_Demand | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://www.yahoo.com/
"Default_Search_URL"=http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
"Start Page"=http://www.yahoo.com/

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"CustomSearch"=http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr9/*http://www.yahoo.com/ext/search/search.html
"Default_Search_URL"=http://www.google.com/ie
"SearchAssistant"=http://www.google.com/ie

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"=http://www.google.com/ie

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""=http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
"provider"=yaho

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
"ProxyOverride" = *.local

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-21-789336058-813497703-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com

[HKEY_USERS\S-1-5-21-789336058-813497703-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"=http://www.google.com/ie

[HKEY_USERS\S-1-5-21-789336058-813497703-725345543-1003\Software\Microsoft\Internet Explorer\SearchURL]
""=http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
"provider"=yaho

[HKEY_USERS\S-1-5-21-789336058-813497703-725345543-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-789336058-813497703-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
"ProxyOverride" = *.local

========== (O1) Hosts File ==========

HOSTS File = (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{02478D38-C3F9-4efb-9B51-7695ECA05670} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (HKLM) -- C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} (HKLM) -- C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
{A057A204-BACC-4D26-9990-79A187E2698E} (HKLM) -- C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (AVG, Technologies CZ, s.r.o )
{DBC80044-A445-435b-BC74-9C25C1C588A9} (HKLM) -- C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
{E7E6F031-17CE-4C07-BC86-EABFE594F69C} (HKLM) -- C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{A057A204-BACC-4D26-9990-79A187E2698E}" (HKLM) -- C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (AVG, Technologies CZ, s.r.o )

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}" (HKLM) -- C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (AVG, Technologies CZ, s.r.o )

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-21-789336058-813497703-725345543-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}" (HKLM) -- C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (AVG, Technologies CZ, s.r.o )

[HKEY_USERS\S-1-5-21-789336058-813497703-725345543-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"L09AXLRD_28804609"="C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2009 DVD\EDICT.EXE" -m (Microsoft Corporation)
"Messenger (Yahoo!)"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (Yahoo! Inc.)
"PMCRemote"= File not found

[HKEY_USERS\S-1-5-21-789336058-813497703-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"L09AXLRD_28804609"="C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2009 DVD\EDICT.EXE" -m (Microsoft Corporation)
"Messenger (Yahoo!)"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (Yahoo! Inc.)
"PMCRemote"= File not found

========== (O4) Startup Folders ==========

[2005/10/20 12:04:08 | 00,038,912 | ---- | M] () -- C:\Documents and Settings\Pc\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE

========== (O6 & O7) Current Version Policies ==========

[HKEY_CURRENT_USER\Software\policies\microsoft\internet explorer\Control Panel]
"HomePage"=1

[HKEY_USERS\S-1-5-21-789336058-813497703-725345543-1003\Software\policies\microsoft\internet explorer\Control Panel]
"HomePage"=1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=0
"NoFolderOptions"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableTaskMgr"=1

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-789336058-813497703-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=0
"NoFolderOptions"=1

[HKEY_USERS\S-1-5-21-789336058-813497703-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableTaskMgr"=1

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE [2003/08/13 02:34:38 | 10,073,144 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-789336058-813497703-725345543-1003\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE [2003/08/13 02:34:38 | 10,073,144 | ---- | M] (Microsoft Corporation)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %SystemDrive%\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
{B205A35E-1FC4-4CE3-818B-899DBBB3388C}: Button: Encarta Search Bar -- %CommonProgramFiles%\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL [2008/06/03 01:05:36 | 00,293,656 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/10/13 08:24:38 | 01,694,208 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/10/13 08:24:38 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %SystemDrive%\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/13 08:24:38 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/13 08:24:38 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/13 08:24:38 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-789336058-813497703-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %SystemDrive%\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/13 08:24:38 | 01,694,208 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_11
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}: http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab -- Reg Error: Value does not exist or could not be read.
{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876}: http://support.f-secure.com/ols/fscax.cab -- F-Secure Online Scanner 3.3
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_11
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_11

========== (O17) DNS Name Servers ==========

{9E1124E4-3C21-42FF-A61D-A5C9CCD72548} (Servers: | Description: Realtek RTL8139/810x Family Fast Ethernet NIC)

========== (O20) AppInit_DLLs ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_Dlls"=avgrsstx.dll
>[2008/11/04 06:32:44 | 00,010,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\avgrsstx.dll

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
igfxcui: "DllName" = igfxdev.dll -- C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2008/10/30 02:04:16 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ FAT32 ]

autorun.inf [[autorun] | shellexecute=wscript.exe winconfig.dll.vbs | ]
[2009/01/15 11:01:04 | 00,000,108 | RHS- | M] () -- C:\autorun.inf -- [ FAT32 ]

autorun.inf [[autorun] | shellexecute=wscript.exe winconfig.dll.vbs | ]
[2009/01/15 11:01:04 | 00,000,108 | RHS- | M] () -- D:\autorun.inf -- [ FAT32 ]

autorun.inf [[autorun] | shellexecute=wscript.exe winconfig.dll.vbs | ]
[2009/01/15 11:01:04 | 00,000,108 | RHS- | M] () -- E:\autorun.inf -- [ FAT32 ]

autorun.inf [[autorun] | shellexecute=wscript.exe winconfig.dll.vbs | ]
[2009/01/15 11:01:04 | 00,000,108 | RHS- | M] () -- F:\autorun.inf -- [ FAT32 ]

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{181c54d8-d38c-11dd-aaea-0021977077cc}\Shell]
""=AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{181c54d8-d38c-11dd-aaea-0021977077cc}\Shell\AutoRun]
""=Auto&Play


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{181c54d8-d38c-11dd-aaea-0021977077cc}\Shell\AutoRun\command]
""=C:\WINDOWS\system32\Shell32.DLL -- [2005/09/22 19:05:30 | 08,450,560 | ---- | M] (Microsoft Corporation)


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{19f3d306-ad14-11dd-aa3e-0021977077cc}\Shell\AutoPlay\Command]
""=wscript.exe sowar.vbs


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{19f3d306-ad14-11dd-aa3e-0021977077cc}\Shell\AutoRun\command]
""=wscript.exe sowar.vbs


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{19f3d306-ad14-11dd-aa3e-0021977077cc}\Shell\Explore\Command]
""=wscript.exe sowar.vbs


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{19f3d306-ad14-11dd-aa3e-0021977077cc}\Shell\Open\Command]
""=wscript.exe sowar.vbs


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{232ae9b0-b704-11dd-aa6a-0021977077cc}\Shell\AutoPlay\Command]
""=wscript.exe sowar.vbs


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{232ae9b0-b704-11dd-aa6a-0021977077cc}\Shell\AutoRun\command]
""=wscript.exe sowar.vbs


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{232ae9b0-b704-11dd-aa6a-0021977077cc}\Shell\Explore\Command]
""=wscript.exe sowar.vbs


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{232ae9b0-b704-11dd-aa6a-0021977077cc}\Shell\Open\Command]
""=wscript.exe sowar.vbs

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2e01319e-aaef-11dd-aa36-0021977077cc}\Shell]
""=AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2e01319e-aaef-11dd-aa36-0021977077cc}\Shell\AutoRun]
""=Auto&Play


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2e01319e-aaef-11dd-aa36-0021977077cc}\Shell\AutoRun\command]
""=C:\WINDOWS\system32\Shell32.DLL -- [2005/09/22 19:05:30 | 08,450,560 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{50c22312-a7ae-11dd-aa28-0021977077cc}\Shell]
""=AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{50c22312-a7ae-11dd-aa28-0021977077cc}\Shell\AutoRun]
""=Auto&Play


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{50c22312-a7ae-11dd-aa28-0021977077cc}\Shell\AutoRun\command]
""=C:\WINDOWS\system32\Shell32.DLL -- [2005/09/22 19:05:30 | 08,450,560 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{59d7e024-dbaf-11dd-ab04-0021977077cc}\Shell]
""=AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{59d7e024-dbaf-11dd-ab04-0021977077cc}\Shell\AutoRun]
""=Auto&Play


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{59d7e024-dbaf-11dd-ab04-0021977077cc}\Shell\AutoRun\command]
""=C:\WINDOWS\system32\Shell32.DLL -- [2005/09/22 19:05:30 | 08,450,560 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{acc04ba3-a921-11dd-aa30-0021977077cc}\Shell]
""=AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{acc04ba3-a921-11dd-aa30-0021977077cc}\Shell\AutoRun]
""=Auto&Play


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{acc04ba3-a921-11dd-aa30-0021977077cc}\Shell\AutoRun\command]
""=C:\WINDOWS\system32\Shell32.DLL -- [2005/09/22 19:05:30 | 08,450,560 | ---- | M] (Microsoft Corporation)


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ba2b4316-b342-11dd-aa5b-0021977077cc}\Shell\AutoPlay\Command]
""=wscript.exe sowar.vbs


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ba2b4316-b342-11dd-aa5b-0021977077cc}\Shell\AutoRun\command]
""=wscript.exe sowar.vbs


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ba2b4316-b342-11dd-aa5b-0021977077cc}\Shell\Explore\Command]
""=wscript.exe sowar.vbs


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ba2b4316-b342-11dd-aa5b-0021977077cc}\Shell\Open\Command]
""=wscript.exe sowar.vbs

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cae34be4-a7ea-11dd-aa2a-0021977077cc}\Shell]
""=AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cae34be4-a7ea-11dd-aa2a-0021977077cc}\Shell\AutoRun]
""=Auto&Play


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cae34be4-a7ea-11dd-aa2a-0021977077cc}\Shell\AutoRun\command]
""=C:\WINDOWS\system32\Shell32.DLL -- [2005/09/22 19:05:30 | 08,450,560 | ---- | M] (Microsoft Corporation)

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2009/01/16 22:06:36 | 00,422,912 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Pc\Desktop\OTViewIt.exe
[2009/01/16 11:43:46 | 00,030,743 | ---- | C] () -- C:\Documents and Settings\Pc\Desktop\cool.jpg
[2009/01/15 11:10:05 | 00,000,000 | ---D | C] -- C:\fsaua.data
[2009/01/15 11:01:03 | 00,000,000 | ---D | C] -- C:\_OTMoveIt
[2009/01/15 10:56:36 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/01/15 10:55:24 | 00,000,671 | ---- | C] () -- C:\Documents and Settings\Pc\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2009/01/15 10:55:11 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/01/14 23:30:45 | 00,000,250 | ---- | C] () -- C:\WINDOWS\gmer.ini
[2009/01/14 23:30:44 | 00,884,736 | ---- | C] () -- C:\WINDOWS\gmer.dll
[2009/01/14 23:30:44 | 00,811,008 | ---- | C] () -- C:\WINDOWS\gmer.exe
[2009/01/14 23:30:44 | 00,085,969 | ---- | C] (GMER) -- C:\WINDOWS\System32\drivers\gmer.sys
[2009/01/14 23:30:44 | 00,000,080 | ---- | C] () -- C:\WINDOWS\gmer_uninstall.cmd
[2009/01/14 15:58:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Pc\Local Settings\Application Data\Identities
[2009/01/13 05:00:22 | 00,026,624 | ---- | C] () -- C:\Documents and Settings\Pc\My Documents\LIST OF FAMILIES EVACUESS.doc
[2009/01/11 18:16:40 | 00,000,000 | -HSD | C] -- C:\FOUND.001
[2009/01/09 15:36:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\Internet Logs
[2009/01/09 11:17:20 | 00,012,288 | ---- | C] () -- C:\Documents and Settings\Pc\Desktop\valuemeal.ppt
[2009/01/08 17:38:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Pc\My Documents\brushes again
[2009/01/07 14:49:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Pc\My Documents\stocks01
[2009/01/07 13:55:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Pc\Local Settings\Application Data\IsolatedStorage
[2009/01/07 13:55:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Pc\Local Settings\Application Data\Pinnacle
[2009/01/07 13:54:17 | 00,000,000 | ---D | C] -- C:\Program Files\DivX
[2009/01/07 13:53:10 | 00,196,096 | ---- | C] () -- C:\WINDOWS\System32\MACD32.DLL
[2009/01/07 13:53:10 | 00,138,752 | ---- | C] () -- C:\WINDOWS\System32\MASE32.DLL
[2009/01/07 13:53:10 | 00,136,192 | ---- | C] () -- C:\WINDOWS\System32\MAMC32.DLL
[2009/01/07 13:53:10 | 00,057,856 | ---- | C] () -- C:\WINDOWS\System32\MASD32.DLL
[2009/01/07 13:53:10 | 00,027,648 | ---- | C] () -- C:\WINDOWS\System32\MA32.DLL
[2009/01/07 13:52:55 | 02,179,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mfc71d.dll
[2009/01/07 13:52:55 | 00,765,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcp71d.dll
[2009/01/07 13:52:55 | 00,737,280 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcp70d.dll
[2009/01/07 13:52:55 | 00,544,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcr71d.dll
[2009/01/07 13:52:55 | 00,536,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcr70d.dll
[2009/01/07 13:52:55 | 00,446,464 | ---- | C] (eHelp Corporation.) -- C:\WINDOWS\System32\HHActiveX.dll
[2009/01/07 13:52:55 | 00,385,100 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MSVCRTD.DLL
[2009/01/07 13:51:56 | 00,626,688 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcr80.dll
[2009/01/07 13:51:56 | 00,548,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcp80.dll
[2009/01/07 13:51:56 | 00,487,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MSVCP70.DLL
[2009/01/07 13:51:55 | 00,000,000 | ---D | C] -- C:\Program Files\Pinnacle
[2009/01/07 13:51:41 | 00,000,349 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\PCLECHAL.INI
[2009/01/07 13:48:43 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Pinnacle
[2009/01/07 13:07:23 | 00,000,000 | ---D | C] -- C:\Program Files\DRAWings
[2009/01/07 12:51:28 | 00,002,448 | ---- | C] () -- C:\Documents and Settings\Pc\My Documents\Register DVD Architect Pro.htm
[2009/01/07 12:40:09 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sony
[2009/01/07 12:39:56 | 00,000,000 | ---D | C] -- C:\Program Files\Sony
[2009/01/07 12:35:36 | 00,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2009/01/07 12:30:51 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2009/01/07 12:30:48 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\en-us
[2009/01/07 12:30:14 | 00,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2009/01/07 12:29:51 | 00,014,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg2.dll
[2009/01/07 12:29:23 | 00,014,640 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg.dll
[2009/01/07 11:48:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Pc\Application Data\Sony Setup
[2009/01/07 11:48:40 | 00,000,000 | ---D | C] -- C:\Program Files\Sony Setup
[2009/01/06 20:02:47 | 00,245,760 | ---- | C] (David Zhang) -- C:\Documents and Settings\Pc\My Documents\Youtube Grabber v31.exe
[2009/01/06 19:28:43 | 00,119,516 | ---- | C] () -- C:\Documents and Settings\Pc\My Documents\youtubegrabberv31.zip
[2009/01/06 18:38:16 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Pc\My Documents\Downloads
[2009/01/06 09:10:41 | 00,020,480 | ---- | C] () -- C:\Documents and Settings\Pc\My Documents\PICK UP LINES 101.doc
[2009/01/06 01:30:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Pc\Desktop\PC Security
[2009/01/06 00:10:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Pc\Application Data\Malwarebytes
[2009/01/06 00:10:31 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/01/06 00:10:27 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/01/06 00:10:25 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/01/06 00:10:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/01/05 23:48:40 | 00,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2009/01/05 22:39:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Pc\Desktop\pictures
[2009/01/05 20:12:18 | 00,000,534 | ---- | C] () -- C:\Documents and Settings\Pc\Desktop\µTorrent.lnk
[2009/01/05 20:12:08 | 00,000,000 | ---D | C] -- C:\Program Files\uTorrent
[2009/01/05 20:11:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Pc\Application Data\uTorrent
[2009/01/04 20:37:38 | 00,028,160 | ---- | C] () -- C:\Documents and Settings\Pc\My Documents\Average fixed cost is a per.doc
[2009/01/04 12:39:10 | 00,102,541 | ---- | C] () -- C:\Documents and Settings\Pc\My Documents\new-again.gif
[2009/01/03 20:15:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Pc\Application Data\Yahoo!
[2009/01/03 20:14:24 | 00,000,716 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Yahoo! Messenger.lnk
[2009/01/01 20:58:31 | 01,377,831 | ---- | C] () -- C:\Documents and Settings\Pc\My Documents\IMG_0055.JPG
[2009/01/01 13:04:46 | 00,262,793 | ---- | C] () -- C:\Documents and Settings\Pc\My Documents\new-one.gif
[2009/01/01 12:23:15 | 00,437,166 | ---- | C] () -- C:\Documents and Settings\Pc\My Documents\new-paola.gif
[2009/01/01 12:05:56 | 00,388,183 | ---- | C] () -- C:\Documents and Settings\Pc\My Documents\paola1.gif
[2008/12/30 14:34:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Pc\My Documents\new brusheshes
[2008/12/30 11:51:48 | 00,001,765 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ulead Photo Express 4.0 SE.lnk
[2008/12/30 11:50:55 | 00,000,000 | ---D | C] -- C:\Program Files\Ulead Systems
[2008/12/29 17:35:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Pc\Local Settings\Application Data\Ahead
[2008/12/26 21:13:42 | 00,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/12/26 21:12:24 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Nero
[2008/12/26 21:12:21 | 00,001,143 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Nero StartSmart.lnk
[2008/12/26 21:10:54 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\LightScribe
[2008/12/26 21:06:56 | 00,106,496 | ---- | C] (Pegasus Software) -- C:\WINDOWS\System32\TwnLib20.dll
[2008/12/26 21:06:39 | 00,476,320 | ---- | C] (Pegasus Imaging Corp.) -- C:\WINDOWS\System32\ImagXpr7.dll
[2008/12/26 21:06:39 | 00,471,040 | ---- | C] (Pegasus Imaging Corp.) -- C:\WINDOWS\System32\ImagXRA7.dll
[2008/12/26 21:06:39 | 00,262,144 | ---- | C] (Pegasus Imaging Corp.) -- C:\WINDOWS\System32\ImagXR7.dll
[2008/12/26 21:06:38 | 01,568,768 | ---- | C] (Pegasus Imaging Corp.) -- C:\WINDOWS\System32\ImagX7.dll
[2008/12/26 21:06:30 | 00,155,648 | ---- | C] (Ahead Software Gmbh) -- C:\WINDOWS\System32\NeroCheck.exe
[2008/12/26 21:06:22 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Ahead
[2008/12/26 21:06:21 | 00,000,000 | ---D | C] -- C:\Program Files\Ahead
[2008/12/26 20:57:02 | 00,000,000 | -HSD | C] -- C:\FOUND.000
[2008/12/26 14:07:28 | 00,000,000 | ---D | C] -- C:\VLCPortable
[2008/12/26 13:26:38 | 00,221,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wmpns.dll
[2008/12/26 12:59:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Pc\Application Data\Media Player Classic
[2008/12/24 13:29:11 | 01,267,862 | ---- | C] () -- C:\Documents and Settings\Pc\My Documents\js_scully7491_ChristmasOrnamentbrushes.abr
[2008/12/24 13:27:46 | 04,244,394 | ---- | C] () -- C:\Documents and Settings\Pc\My Documents\Christmas_Brushes_2_by_flina.abr
[2008/12/24 13:23:07 | 02,366,690 | ---- | C] () -- C:\Documents and Settings\Pc\My Documents\pine_brushes_by_hawksmont.abr
[2008/12/24 13:23:03 | 05,019,250 | ---- | C] () -- C:\Documents and Settings\Pc\My Documents\122 by IZ-Person.abr
[2008/12/24 13:18:36 | 00,247,138 | ---- | C] () -- C:\Documents and Settings\Pc\My Documents\Christmas_Eve_Brushes_by_Coby17.abr
[2008/12/24 13:16:37 | 00,547,030 | ---- | C] () -- C:\Documents and Settings\Pc\My Documents\christmas_brushes_by_Christy_Carrier.abr
[2008/12/21 23:30:12 | 00,146,989 | ---- | C] () -- C:\Documents and Settings\Pc\My Documents\200810110152.jpg
[2008/12/21 23:30:12 | 00,132,098 | ---- | C] () -- C:\Documents and Settings\Pc\My Documents\200810110153.jpg
[2008/12/21 16:05:24 | 03,917,529 | ---- | C] () -- C:\Documents and Settings\Pc\My Documents\Spongecola - Puso.mp3

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2009/01/16 22:06:46 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Pc\Desktop\OTViewIt.exe
[2009/01/16 17:28:38 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/01/16 17:28:34 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/01/16 11:43:48 | 00,030,743 | ---- | M] () -- C:\Documents and Settings\Pc\Desktop\cool.jpg
[2009/01/16 11:41:36 | 00,102,256 | ---- | M] () -- C:\Documents and Settings\Pc\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/01/15 12:26:18 | 00,380,832 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/01/15 11:01:04 | 00,000,108 | RHS- | M] () -- C:\autorun.inf
[2009/01/15 10:55:26 | 00,000,671 | ---- | M] () -- C:\Documents and Settings\Pc\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2009/01/14 23:30:46 | 00,884,736 | ---- | M] () -- C:\WINDOWS\gmer.dll
[2009/01/14 23:30:46 | 00,085,969 | ---- | M] (GMER) -- C:\WINDOWS\System32\drivers\gmer.sys
[2009/01/14 23:30:46 | 00,000,250 | ---- | M] () -- C:\WINDOWS\gmer.ini
[2009/01/14 23:30:46 | 00,000,080 | ---- | M] () -- C:\WINDOWS\gmer_uninstall.cmd
[2009/01/13 05:00:24 | 00,026,624 | ---- | M] () -- C:\Documents and Settings\Pc\My Documents\LIST OF FAMILIES EVACUESS.doc
[2009/01/13 04:33:00 | 00,002,497 | ---- | M] () -- C:\Documents and Settings\Pc\Desktop\Microsoft Office Word 2003.lnk
[2009/01/13 04:32:30 | 00,002,495 | ---- | M] () -- C:\Documents and Settings\Pc\Desktop\Microsoft Office Excel 2003.lnk
[2009/01/13 01:08:46 | 00,000,155 | ---- | M] () -- C:\WINDOWS\winamp.ini
[2009/01/12 13:48:04 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/01/09 19:54:26 | 00,503,818 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/01/09 19:54:26 | 00,430,496 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/01/09 19:54:26 | 00,067,220 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/01/09 13:15:04 | 00,012,288 | ---- | M] () -- C:\Documents and Settings\Pc\Desktop\valuemeal.ppt
[2009/01/08 15:41:38 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/01/08 02:08:32 | 00,000,211 | -HS- | M] () -- C:\boot.ini
[2009/01/08 02:08:30 | 00,000,645 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/01/08 02:08:30 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/01/07 14:31:54 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/01/07 13:55:18 | 00,000,349 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\PCLECHAL.INI
[2009/01/07 13:21:12 | 00,063,488 | ---- | M] () -- C:\Documents and Settings\Pc\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/01/07 12:51:30 | 00,002,448 | ---- | M] () -- C:\Documents and Settings\Pc\My Documents\Register DVD Architect Pro.htm
[2009/01/06 19:29:26 | 00,119,516 | ---- | M] () -- C:\Documents and Settings\Pc\My Documents\youtubegrabberv31.zip
[2009/01/06 09:10:44 | 00,020,480 | ---- | M] () -- C:\Documents and Settings\Pc\My Documents\PICK UP LINES 101.doc
[2009/01/05 20:12:20 | 00,000,534 | ---- | M] () -- C:\Documents and Settings\Pc\Desktop\µTorrent.lnk
[2009/01/04 20:37:40 | 00,028,160 | ---- | M] () -- C:\Documents and Settings\Pc\My Documents\Average fixed cost is a per.doc
[2009/01/04 18:41:50 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/01/04 18:41:46 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/01/04 16:21:38 | 02,642,814 | -H-- | M] () -- C:\Documents and Settings\Pc\Local Settings\Application Data\IconCache.db
[2009/01/04 12:39:12 | 00,102,541 | ---- | M] () -- C:\Documents and Settings\Pc\My Documents\new-again.gif
[2009/01/03 20:14:26 | 00,000,716 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Yahoo! Messenger.lnk
[2009/01/02 17:15:02 | 00,000,370 | ---- | M] () -- C:\WINDOWS\tasks\1-Click Maintenance.job
[2009/01/01 21:01:28 | 01,377,831 | ---- | M] () -- C:\Documents and Settings\Pc\My Documents\IMG_0055.JPG
[2009/01/01 13:04:48 | 00,262,793 | ---- | M] () -- C:\Documents and Settings\Pc\My Documents\new-one.gif
[2009/01/01 12:23:16 | 00,437,166 | ---- | M] () -- C:\Documents and Settings\Pc\My Documents\new-paola.gif
[2009/01/01 12:05:58 | 00,388,183 | ---- | M] () -- C:\Documents and Settings\Pc\My Documents\paola1.gif
[2008/12/30 11:51:50 | 00,001,765 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ulead Photo Express 4.0 SE.lnk
[2008/12/30 03:56:50 | 00,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2008/12/26 21:12:22 | 00,001,143 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Nero StartSmart.lnk
[2008/12/24 13:29:44 | 04,244,394 | ---- | M] () -- C:\Documents and Settings\Pc\My Documents\Christmas_Brushes_2_by_flina.abr
[2008/12/24 13:18:42 | 00,247,138 | ---- | M] () -- C:\Documents and Settings\Pc\My Documents\Christmas_Eve_Brushes_by_Coby17.abr
[2008/12/24 13:16:54 | 00,547,030 | ---- | M] () -- C:\Documents and Settings\Pc\My Documents\christmas_brushes_by_Christy_Carrier.abr
[2008/12/21 16:06:36 | 03,917,529 | ---- | M] () -- C:\Documents and Settings\Pc\My Documents\Spongecola - Puso.mp3
< End of report >

#13 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:59 AM

Posted 16 January 2009 - 11:48 AM

Hello.

Please run this script with OTMoveIt:
:reg
[HKEY_CURRENT_USER\Software\policies\microsoft\internet explorer\Control Panel]
"HomePage"=-
"HomePage"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoFolderOptions"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableTaskMgr"=-

[HKEY_USERS\S-1-5-21-789336058-813497703-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoFolderOptions"=-

[HKEY_USERS\S-1-5-21-789336058-813497703-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableTaskMgr"=-

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{181c54d8-d38c-11dd-aaea-0021977077cc}]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{19f3d306-ad14-11dd-aa3e-0021977077cc}]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{232ae9b0-b704-11dd-aa6a-0021977077cc}]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2e01319e-aaef-11dd-aa36-0021977077cc}]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{50c22312-a7ae-11dd-aa28-0021977077cc}]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{59d7e024-dbaf-11dd-ab04-0021977077cc}]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{acc04ba3-a921-11dd-aa30-0021977077cc}]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ba2b4316-b342-11dd-aa5b-0021977077cc}]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cae34be4-a7ea-11dd-aa2a-0021977077cc}]

Post back with the OTMoveIt log along with a fresh OTViewIt.

How is it now?

With Regards,
The Panda
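
The :reg script above uses .reg deletion syntax: "Name"=- removes a single value (the IE HomePage policy, NoFolderOptions, DisableTaskMgr) and [-Key] removes a whole key (each MountPoints2 volume entry). What makes the MountPoints2 and autorun.inf entries in the OTViewIt log worth removing is that their handler commands launch wscript.exe with a .vbs file, which a plain removable-drive AutoPlay handler never does (the benign ones point at Shell32.DLL). The script below is an added example for this thread, not part of OldTimer's OTViewIt/OTMoveIt and not code anyone in the thread posted: it parses the "Autorun Files on Drives" and "MountPoints2" sections of an OTViewIt-style log, flags handlers that invoke a script host or script file, and drafts the [-Key] lines for the flagged volumes. SAMPLE_LOG is constructed from the log format shown earlier in the thread (the GUIDs, sowar.vbs and winconfig.dll.vbs are the ones that appear there); the SCRIPT_HOSTS and SCRIPT_EXTS lists are my own choice of what to treat as suspicious.

```python
"""Flag AutoRun handlers in an OTViewIt-style log and draft their removal.

Added example for this thread; not part of OldTimer's OTViewIt/OTMoveIt and
not code posted in the thread.  SAMPLE_LOG is constructed from the log format
shown in the thread; the GUIDs and script names are the ones that appear there.
"""
import re
from dataclasses import dataclass

# Interpreters a removable-drive AutoPlay handler has no business launching
# (my own list; extend it for your environment).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd")

SAMPLE_LOG = r'''
========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2008/10/30 02:04:16 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ FAT32 ]

autorun.inf [[autorun] | shellexecute=wscript.exe winconfig.dll.vbs | ]
[2009/01/15 11:01:04 | 00,000,108 | RHS- | M] () -- D:\autorun.inf -- [ FAT32 ]

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{181c54d8-d38c-11dd-aaea-0021977077cc}\Shell]
""=AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{181c54d8-d38c-11dd-aaea-0021977077cc}\Shell\AutoRun\command]
""=C:\WINDOWS\system32\Shell32.DLL -- [2005/09/22 19:05:30 | 08,450,560 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{19f3d306-ad14-11dd-aa3e-0021977077cc}\Shell\Open\Command]
""=wscript.exe sowar.vbs
'''

# Key header: group 1 = full key, group 2 = volume key (up to the GUID), group 3 = subkey path.
MP_KEY = re.compile(r"^\[((HKEY_[^\]]*\\MountPoints2\\\{[0-9a-fA-F-]+\})\\(.*))\]$")
MP_VALUE = re.compile(r'^""=(.*)$')                  # the (Default) value on the next line
AUTORUN_INF = re.compile(r"^autorun\.inf \[(.*)\]$")  # parsed autorun.inf contents
AUTORUN_PATH = re.compile(r"-- ([A-Za-z]:\\autorun\.inf)")  # drive path on the detail line


@dataclass(frozen=True)
class Finding:
    source: str            # "autorun.inf" or "MountPoints2"
    location: str          # file path on the drive, or the full registry key
    command: str           # what Explorer would execute
    reason: str
    reg_parent: str = ""   # MountPoints2 volume key to delete, if any


def suspicious_reason(command):
    """Return why a handler command looks hostile, or None if it looks benign."""
    parts = command.strip().split()
    if not parts:
        return None
    exe = parts[0].rsplit("\\", 1)[-1].lower()
    if exe in SCRIPT_HOSTS:
        return "launches script host " + exe
    if any(p.lower().endswith(SCRIPT_EXTS) for p in parts):
        return "runs a script file"
    return None


def scan_log(text):
    """Walk the log and collect handlers that run a script host or script file."""
    findings = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        m = AUTORUN_INF.match(line)
        if m:
            # Fields look like "[autorun] | shellexecute=wscript.exe x.vbs | ";
            # the drive path is on the following file-detail line.
            pm = AUTORUN_PATH.search(nxt)
            where = pm.group(1) if pm else "<unknown drive>"
            for field in m.group(1).split("|"):
                key, sep, value = field.strip().partition("=")
                if sep and key.lower() in ("shellexecute", "open"):
                    why = suspicious_reason(value) or "autorun.inf launches a program"
                    findings.append(Finding("autorun.inf", where, value, why))
            continue
        m = MP_KEY.match(line)
        if m and m.group(3).lower().endswith("command"):
            vm = MP_VALUE.match(nxt)
            if vm:
                # Strip OTViewIt's " -- [date | size ...] (vendor)" file annotation.
                command = vm.group(1).split(" -- ")[0]
                why = suspicious_reason(command)
                if why:
                    findings.append(Finding("MountPoints2", m.group(1), command, why, m.group(2)))
    return findings


def mountpoints_keys_to_delete(findings):
    """Emit [-Key] lines in .reg syntax, the form the OTMoveIt :reg script uses."""
    return sorted({"[-" + f.reg_parent + "]" for f in findings if f.reg_parent})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.source:12} {f.location}\n    {f.command!r}: {f.reason}")
    print("\n".join(mountpoints_keys_to_delete(found)))
```

Note that the autorun.inf findings come from files sitting on the drives themselves, so a registry-only script clears the MountPoints2 handlers but leaves the autorun.inf files in place; that is worth keeping in mind when reading the next post.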

#14 berryhalley

berryhalley
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:59 AM

Posted 17 January 2009 - 12:18 AM

Hello! IE, Folder Options and Task Manager are already fixed. Thanks for that! I think the only problem left now is that I can't access our disk drives; it would say: Can not find script file "C:\winconfig.dll.vbs". For me to access it, I would choose explore instead.

OTMoveIt

========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\Software\policies\microsoft\internet explorer\Control Panel\\HomePage deleted successfully.
Registry value HKEY_CURRENT_USER\Software\policies\microsoft\internet explorer\Control Panel\\HomePage not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoFolderOptions deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr deleted successfully.
Registry value HKEY_USERS\S-1-5-21-789336058-813497703-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoFolderOptions not found.
Registry value HKEY_USERS\S-1-5-21-789336058-813497703-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{181c54d8-d38c-11dd-aaea-0021977077cc}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{19f3d306-ad14-11dd-aa3e-0021977077cc}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{232ae9b0-b704-11dd-aa6a-0021977077cc}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2e01319e-aaef-11dd-aa36-0021977077cc}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{50c22312-a7ae-11dd-aa28-0021977077cc}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{59d7e024-dbaf-11dd-ab04-0021977077cc}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{acc04ba3-a921-11dd-aa30-0021977077cc}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ba2b4316-b342-11dd-aa5b-0021977077cc}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cae34be4-a7ea-11dd-aa2a-0021977077cc}\\ deleted successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01172009_130153


OTViewIt

OTViewIt logfile created on: 1/17/2009 1:04:48 PM - Run 2
OTViewIt by OldTimer - Version 1.0.21.0 Folder = C:\Documents and Settings\Pc\Desktop\PC Security
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1015.23 Mb Total Physical Memory | 548.75 Mb Available Physical Memory | 54.05% Memory free
2.39 Gb Paging File | 1.94 Gb Available in Paging File | 81.13% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.63 Gb Total Space | 3.13 Gb Free Space | 16.81% Space Free | Partition Type: FAT32
Drive D: | 18.63 Gb Total Space | 11.01 Gb Free Space | 59.10% Space Free | Partition Type: FAT32
Drive E: | 18.63 Gb Total Space | 14.72 Gb Free Space | 79.00% Space Free | Partition Type: FAT32
Drive F: | 18.63 Gb Total Space | 7.28 Gb Free Space | 39.07% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TQ
Current User Name: Pc
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2008/11/27 17:24:04 | 01,261,336 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\PROGRA~1\AVG\AVG8\avgtray.exe
[2008/06/03 01:05:38 | 00,351,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2009 DVD\EDICT.EXE
[2008/10/01 13:06:14 | 00,116,040 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
[2008/11/04 06:32:46 | 00,231,704 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
[2008/08/29 10:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
[2008/11/10 05:43:40 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
[2005/07/24 23:35:00 | 00,053,248 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe
[2003/06/19 23:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
[2007/12/13 20:27:34 | 00,212,992 | ---- | M] (IDT, Inc.) -- c:\program files\idt\ecsxpv_5762_010208\wdm\STacSV.exe
[2008/11/04 06:32:44 | 00,287,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\PROGRA~1\AVG\AVG8\avgrsx.exe
[2008/11/04 06:32:44 | 00,875,288 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\PROGRA~1\AVG\AVG8\avgemc.exe
[2007/08/28 17:11:36 | 00,036,864 | ---- | M] () -- C:\Program Files\Chikka Messenger\Chikka v.4\ChikkaLauncher.exe
[2008/11/05 21:59:00 | 04,347,120 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
[2004/08/03 08:56:58 | 00,218,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
[2008/12/17 23:11:56 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
[2008/10/17 00:39:50 | 02,810,880 | ---- | M] (mIRC Co. Ltd.) -- C:\Program Files\mIRC\mirc.exe
[2004/08/03 16:56:58 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
[2009/01/16 22:06:46 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Pc\Desktop\PC Security\OTViewIt.exe

========== (O23) Win32 Services ==========

[2008/10/31 10:00:40 | 00,072,704 | ---- | M] (Adobe Systems) -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service [On_Demand | Stopped])
[2008/10/01 13:06:14 | 00,116,040 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
[2005/09/23 07:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2008/11/04 06:32:44 | 00,875,288 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\PROGRA~1\AVG\AVG8\avgemc.exe -- (avg8emc [Auto | Running])
[2008/11/04 06:32:46 | 00,231,704 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Running])
[2008/08/29 10:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
[2005/09/23 07:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2006/10/20 21:21:24 | 00,036,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
[2006/10/30 03:33:58 | 00,741,376 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
[2008/10/01 18:57:00 | 00,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Stopped])
[2008/11/10 05:43:40 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
[2005/07/24 23:35:00 | 00,053,248 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService [Auto | Running])
[2003/06/19 23:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM [Auto | Running])
[2006/10/30 03:34:02 | 00,122,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
[2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2004/03/18 16:55:48 | 00,065,536 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12 [On_Demand | Stopped])
[2007/12/13 20:27:34 | 00,212,992 | ---- | M] (IDT, Inc.) -- c:\program files\idt\ecsxpv_5762_010208\wdm\STacSV.exe -- (STacSV [Auto | Running])
[2008/10/31 09:19:10 | 00,306,432 | ---- | M] (TuneUp Software GmbH) -- C:\WINDOWS\System32\TuneUpDefragService.exe -- (TuneUp.Defrag [On_Demand | Stopped])
[2004/08/11 01:45:04 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe -- (UMWdf [On_Demand | Stopped])

========== Driver Services ==========

[2008/11/04 06:32:44 | 00,097,928 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86 [System | Running])
[2008/11/04 06:32:44 | 00,026,824 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86 [System | Running])
[2008/11/04 06:32:54 | 00,076,040 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX [Auto | Running])
[2009/01/15 11:39:08 | 00,070,144 | ---- | M] () -- C:\DOCUME~1\Pc\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys -- (F-Secure Standalone Minifilter [On_Demand | Stopped])
[2008/04/17 13:12:54 | 00,015,464 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
[2009/01/14 23:30:46 | 00,085,969 | ---- | M] (GMER) -- C:\WINDOWS\System32\DRIVERS\gmer.sys -- (gmer [On_Demand | Stopped])
[2005/01/07 17:07:18 | 00,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
[2004/06/21 13:12:14 | 00,051,088 | R--- | M] (HP) -- C:\WINDOWS\system32\DRIVERS\HPZid412.sys -- (HPZid412 [On_Demand | Stopped])
[2004/06/21 13:12:14 | 00,016,496 | R--- | M] (HP) -- C:\WINDOWS\system32\DRIVERS\HPZipr12.sys -- (HPZipr12 [On_Demand | Stopped])
[2004/06/21 13:12:14 | 00,021,744 | R--- | M] (HP) -- C:\WINDOWS\system32\DRIVERS\HPZius12.sys -- (HPZius12 [On_Demand | Stopped])
[2007/12/18 19:32:12 | 05,854,688 | R--- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\igxpmp32.sys -- (ialm [On_Demand | Running])
[2001/08/22 20:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
[2003/10/28 02:02:00 | 00,020,016 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DRIVERS\PxHelp20.sys -- (PxHelp20 [Boot | Running])
[2007/07/11 19:49:16 | 00,096,384 | R--- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys -- (RTL8023xp [On_Demand | Running])
[2004/08/03 22:31:34 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) -- C:\WINDOWS\system32\DRIVERS\RTL8139.SYS -- (rtl8139 [On_Demand | Stopped])
[2004/07/17 03:36:38 | 00,027,440 | ---- | M] () -- C:\WINDOWS\system32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2001/08/17 13:48:00 | 00,017,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\sermouse.sys -- (sermouse [On_Demand | Stopped])
[2004/09/16 22:04:00 | 00,052,384 | R--- | M] (MCCI) -- C:\WINDOWS\system32\DRIVERS\ss_bus.sys -- (ss_bus [On_Demand | Stopped])
[2004/09/16 22:05:00 | 00,006,064 | R--- | M] (MCCI) -- C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys -- (ss_mdfl [On_Demand | Stopped])
[2004/09/16 22:05:00 | 00,084,512 | R--- | M] (MCCI) -- C:\WINDOWS\system32\DRIVERS\ss_mdm.sys -- (ss_mdm [On_Demand | Stopped])
[2007/12/13 20:28:20 | 01,270,872 | ---- | M] (IDT, Inc.) -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA [On_Demand | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://www.yahoo.com/
"Default_Search_URL"=http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
"Start Page"=http://www.yahoo.com/

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"CustomSearch"=http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr9/*http://www.yahoo.com/ext/search/search.html
"Default_Search_URL"=http://www.google.com/ie
"SearchAssistant"=http://www.google.com/ie

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"=http://www.google.com/ie

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""=http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
"provider"=yaho

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
"ProxyOverride" = *.local

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-21-789336058-813497703-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com

[HKEY_USERS\S-1-5-21-789336058-813497703-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"=http://www.google.com/ie

[HKEY_USERS\S-1-5-21-789336058-813497703-725345543-1003\Software\Microsoft\Internet Explorer\SearchURL]
""=http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
"provider"=yaho

[HKEY_USERS\S-1-5-21-789336058-813497703-725345543-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-789336058-813497703-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
"ProxyOverride" = *.local

========== (O1) Hosts File ==========

HOSTS File = (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{02478D38-C3F9-4efb-9B51-7695ECA05670} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (HKLM) -- C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} (HKLM) -- C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
{A057A204-BACC-4D26-9990-79A187E2698E} (HKLM) -- C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (AVG, Technologies CZ, s.r.o )
{DBC80044-A445-435b-BC74-9C25C1C588A9} (HKLM) -- C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
{E7E6F031-17CE-4C07-BC86-EABFE594F69C} (HKLM) -- C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{A057A204-BACC-4D26-9990-79A187E2698E}" (HKLM) -- C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (AVG, Technologies CZ, s.r.o )

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}" (HKLM) -- C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (AVG, Technologies CZ, s.r.o )

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-21-789336058-813497703-725345543-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}" (HKLM) -- C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (AVG, Technologies CZ, s.r.o )

[HKEY_USERS\S-1-5-21-789336058-813497703-725345543-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"L09AXLRD_28804609"="C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2009 DVD\EDICT.EXE" -m (Microsoft Corporation)
"Messenger (Yahoo!)"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (Yahoo! Inc.)
"PMCRemote"= File not found

[HKEY_USERS\S-1-5-21-789336058-813497703-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"L09AXLRD_28804609"="C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2009 DVD\EDICT.EXE" -m (Microsoft Corporation)
"Messenger (Yahoo!)"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (Yahoo! Inc.)
"PMCRemote"= File not found

========== (O4) Startup Folders ==========

[2005/10/20 12:04:08 | 00,038,912 | ---- | M] () -- C:\Documents and Settings\Pc\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE

========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-789336058-813497703-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=0

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE [2003/08/13 02:34:38 | 10,073,144 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-789336058-813497703-725345543-1003\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE [2003/08/13 02:34:38 | 10,073,144 | ---- | M] (Microsoft Corporation)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %SystemDrive%\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
{B205A35E-1FC4-4CE3-818B-899DBBB3388C}: Button: Encarta Search Bar -- %CommonProgramFiles%\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL [2008/06/03 01:05:36 | 00,293,656 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/10/13 08:24:38 | 01,694,208 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/10/13 08:24:38 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %SystemDrive%\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/13 08:24:38 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/13 08:24:38 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/13 08:24:38 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-789336058-813497703-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %SystemDrive%\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/13 08:24:38 | 01,694,208 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_11
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}: http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab -- Reg Error: Value does not exist or could not be read.
{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876}: http://support.f-secure.com/ols/fscax.cab -- F-Secure Online Scanner 3.3
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_11
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_11

========== (O17) DNS Name Servers ==========

{9E1124E4-3C21-42FF-A61D-A5C9CCD72548} (Servers: | Description: Realtek RTL8139/810x Family Fast Ethernet NIC)

========== (O20) AppInit_DLLs ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_Dlls"=avgrsstx.dll
>[2008/11/04 06:32:44 | 00,010,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\avgrsstx.dll

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
igfxcui: "DllName" = igfxdev.dll -- C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2008/10/30 02:04:16 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ FAT32 ]

autorun.inf [[autorun] | shellexecute=wscript.exe winconfig.dll.vbs | ]
[2009/01/15 11:01:04 | 00,000,108 | RHS- | M] () -- C:\autorun.inf -- [ FAT32 ]

autorun.inf [[autorun] | shellexecute=wscript.exe winconfig.dll.vbs | ]
[2009/01/15 11:01:04 | 00,000,108 | RHS- | M] () -- D:\autorun.inf -- [ FAT32 ]

autorun.inf [[autorun] | shellexecute=wscript.exe winconfig.dll.vbs | ]
[2009/01/15 11:01:04 | 00,000,108 | RHS- | M] () -- E:\autorun.inf -- [ FAT32 ]

autorun.inf [[autorun] | shellexecute=wscript.exe winconfig.dll.vbs | ]
[2009/01/15 11:01:04 | 00,000,108 | RHS- | M] () -- F:\autorun.inf -- [ FAT32 ]

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{81ed86a9-a624-11dd-bc1c-806d6172696f}\Shell]
""=AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{81ed86a9-a624-11dd-bc1c-806d6172696f}\Shell\AutoRun]
""=Auto&Play
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{81ed86a9-a624-11dd-bc1c-806d6172696f}\Shell\AutoRun\command]
""=C:\WINDOWS\system32\Shell32.DLL -- [2005/09/22 19:05:30 | 08,450,560 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{81ed86aa-a624-11dd-bc1c-806d6172696f}\Shell]
""=AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{81ed86aa-a624-11dd-bc1c-806d6172696f}\Shell\AutoRun]
""=Auto&Play
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{81ed86aa-a624-11dd-bc1c-806d6172696f}\Shell\AutoRun\command]
""=C:\WINDOWS\system32\Shell32.DLL -- [2005/09/22 19:05:30 | 08,450,560 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{81ed86ab-a624-11dd-bc1c-806d6172696f}\Shell]
""=AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{81ed86ab-a624-11dd-bc1c-806d6172696f}\Shell\AutoRun]
""=Auto&Play
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{81ed86ab-a624-11dd-bc1c-806d6172696f}\Shell\AutoRun\command]
""=C:\WINDOWS\system32\Shell32.DLL -- [2005/09/22 19:05:30 | 08,450,560 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{81ed86ad-a624-11dd-bc1c-806d6172696f}\Shell]
""=AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{81ed86ad-a624-11dd-bc1c-806d6172696f}\Shell\AutoRun]
""=Auto&Play
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{81ed86ad-a624-11dd-bc1c-806d6172696f}\Shell\AutoRun\command]
""=C:\WINDOWS\system32\Shell32.DLL -- [2005/09/22 19:05:30 | 08,450,560 | ---- | M] (Microsoft Corporation)

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2009/01/17 12:31:02 | 00,200,484 | ---- | C] () -- C:\Documents and Settings\Pc\Desktop\1586691865_c3b1ca4585.jpg
[2009/01/16 11:43:46 | 00,030,743 | ---- | C] () -- C:\Documents and Settings\Pc\Desktop\cool.jpg
[2009/01/15 11:10:05 | 00,000,000 | ---D | C] -- C:\fsaua.data
[2009/01/15 11:01:03 | 00,000,000 | ---D | C] -- C:\_OTMoveIt
[2009/01/15 10:56:36 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/01/15 10:55:24 | 00,000,671 | ---- | C] () -- C:\Documents and Settings\Pc\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2009/01/15 10:55:11 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/01/14 23:30:45 | 00,000,250 | ---- | C] () -- C:\WINDOWS\gmer.ini
[2009/01/14 23:30:44 | 00,884,736 | ---- | C] () -- C:\WINDOWS\gmer.dll
[2009/01/14 23:30:44 | 00,811,008 | ---- | C] () -- C:\WINDOWS\gmer.exe
[2009/01/14 23:30:44 | 00,085,969 | ---- | C] (GMER) -- C:\WINDOWS\System32\drivers\gmer.sys
[2009/01/14 23:30:44 | 00,000,080 | ---- | C] () -- C:\WINDOWS\gmer_uninstall.cmd
[2009/01/14 15:58:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Pc\Local Settings\Application Data\Identities
[2009/01/13 05:00:22 | 00,026,624 | ---- | C] () -- C:\Documents and Settings\Pc\My Documents\LIST OF FAMILIES EVACUESS.doc
[2009/01/11 18:16:40 | 00,000,000 | -HSD | C] -- C:\FOUND.001
[2009/01/09 15:36:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\Internet Logs
[2009/01/09 11:17:20 | 00,012,288 | ---- | C] () -- C:\Documents and Settings\Pc\Desktop\valuemeal.ppt
[2009/01/08 17:38:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Pc\My Documents\brushes again
[2009/01/07 14:49:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Pc\My Documents\stocks01
[2009/01/07 13:55:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Pc\Local Settings\Application Data\IsolatedStorage
[2009/01/07 13:55:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Pc\Local Settings\Application Data\Pinnacle
[2009/01/07 13:54:17 | 00,000,000 | ---D | C] -- C:\Program Files\DivX
[2009/01/07 13:53:10 | 00,196,096 | ---- | C] () -- C:\WINDOWS\System32\MACD32.DLL
[2009/01/07 13:53:10 | 00,138,752 | ---- | C] () -- C:\WINDOWS\System32\MASE32.DLL
[2009/01/07 13:53:10 | 00,136,192 | ---- | C] () -- C:\WINDOWS\System32\MAMC32.DLL
[2009/01/07 13:53:10 | 00,057,856 | ---- | C] () -- C:\WINDOWS\System32\MASD32.DLL
[2009/01/07 13:53:10 | 00,027,648 | ---- | C] () -- C:\WINDOWS\System32\MA32.DLL
[2009/01/07 13:52:55 | 02,179,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mfc71d.dll
[2009/01/07 13:52:55 | 00,765,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcp71d.dll
[2009/01/07 13:52:55 | 00,737,280 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcp70d.dll
[2009/01/07 13:52:55 | 00,544,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcr71d.dll
[2009/01/07 13:52:55 | 00,536,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcr70d.dll
[2009/01/07 13:52:55 | 00,446,464 | ---- | C] (eHelp Corporation.) -- C:\WINDOWS\System32\HHActiveX.dll
[2009/01/07 13:52:55 | 00,385,100 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MSVCRTD.DLL
[2009/01/07 13:51:56 | 00,626,688 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcr80.dll
[2009/01/07 13:51:56 | 00,548,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcp80.dll
[2009/01/07 13:51:56 | 00,487,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MSVCP70.DLL
[2009/01/07 13:51:55 | 00,000,000 | ---D | C] -- C:\Program Files\Pinnacle
[2009/01/07 13:51:41 | 00,000,349 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\PCLECHAL.INI
[2009/01/07 13:48:43 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Pinnacle
[2009/01/07 13:07:23 | 00,000,000 | ---D | C] -- C:\Program Files\DRAWings
[2009/01/07 12:51:28 | 00,002,448 | ---- | C] () -- C:\Documents and Settings\Pc\My Documents\Register DVD Architect Pro.htm
[2009/01/07 12:40:09 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sony
[2009/01/07 12:39:56 | 00,000,000 | ---D | C] -- C:\Program Files\Sony
[2009/01/07 12:35:36 | 00,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2009/01/07 12:30:51 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2009/01/07 12:30:48 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\en-us
[2009/01/07 12:30:14 | 00,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2009/01/07 12:29:51 | 00,014,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg2.dll
[2009/01/07 12:29:23 | 00,014,640 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg.dll
[2009/01/07 11:48:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Pc\Application Data\Sony Setup
[2009/01/07 11:48:40 | 00,000,000 | ---D | C] -- C:\Program Files\Sony Setup
[2009/01/06 20:02:47 | 00,245,760 | ---- | C] (David Zhang) -- C:\Documents and Settings\Pc\My Documents\Youtube Grabber v31.exe
[2009/01/06 19:28:43 | 00,119,516 | ---- | C] () -- C:\Documents and Settings\Pc\My Documents\youtubegrabberv31.zip
[2009/01/06 18:38:16 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Pc\My Documents\Downloads
[2009/01/06 09:10:41 | 00,020,480 | ---- | C] () -- C:\Documents and Settings\Pc\My Documents\PICK UP LINES 101.doc
[2009/01/06 01:30:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Pc\Desktop\PC Security
[2009/01/06 00:10:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Pc\Application Data\Malwarebytes
[2009/01/06 00:10:31 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/01/06 00:10:27 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/01/06 00:10:25 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/01/06 00:10:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/01/05 23:48:40 | 00,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2009/01/05 22:39:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Pc\Desktop\pictures
[2009/01/05 20:12:18 | 00,000,534 | ---- | C] () -- C:\Documents and Settings\Pc\Desktop\µTorrent.lnk
[2009/01/05 20:12:08 | 00,000,000 | ---D | C] -- C:\Program Files\uTorrent
[2009/01/05 20:11:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Pc\Application Data\uTorrent
[2009/01/04 20:37:38 | 00,028,160 | ---- | C] () -- C:\Documents and Settings\Pc\My Documents\Average fixed cost is a per.doc
[2009/01/04 12:39:10 | 00,102,541 | ---- | C] () -- C:\Documents and Settings\Pc\My Documents\new-again.gif
[2009/01/03 20:15:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Pc\Application Data\Yahoo!
[2009/01/03 20:14:24 | 00,000,716 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Yahoo! Messenger.lnk
[2009/01/01 20:58:31 | 01,377,831 | ---- | C] () -- C:\Documents and Settings\Pc\My Documents\IMG_0055.JPG
[2009/01/01 13:04:46 | 00,262,793 | ---- | C] () -- C:\Documents and Settings\Pc\My Documents\new-one.gif
[2009/01/01 12:23:15 | 00,437,166 | ---- | C] () -- C:\Documents and Settings\Pc\My Documents\new-paola.gif
[2009/01/01 12:05:56 | 00,388,183 | ---- | C] () -- C:\Documents and Settings\Pc\My Documents\paola1.gif
[2008/12/30 14:34:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Pc\My Documents\new brusheshes
[2008/12/30 11:51:48 | 00,001,765 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ulead Photo Express 4.0 SE.lnk
[2008/12/30 11:50:55 | 00,000,000 | ---D | C] -- C:\Program Files\Ulead Systems
[2008/12/29 17:35:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Pc\Local Settings\Application Data\Ahead
[2008/12/26 21:13:42 | 00,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/12/26 21:12:24 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Nero
[2008/12/26 21:12:21 | 00,001,143 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Nero StartSmart.lnk
[2008/12/26 21:10:54 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\LightScribe
[2008/12/26 21:06:56 | 00,106,496 | ---- | C] (Pegasus Software) -- C:\WINDOWS\System32\TwnLib20.dll
[2008/12/26 21:06:39 | 00,476,320 | ---- | C] (Pegasus Imaging Corp.) -- C:\WINDOWS\System32\ImagXpr7.dll
[2008/12/26 21:06:39 | 00,471,040 | ---- | C] (Pegasus Imaging Corp.) -- C:\WINDOWS\System32\ImagXRA7.dll
[2008/12/26 21:06:39 | 00,262,144 | ---- | C] (Pegasus Imaging Corp.) -- C:\WINDOWS\System32\ImagXR7.dll
[2008/12/26 21:06:38 | 01,568,768 | ---- | C] (Pegasus Imaging Corp.) -- C:\WINDOWS\System32\ImagX7.dll
[2008/12/26 21:06:30 | 00,155,648 | ---- | C] (Ahead Software Gmbh) -- C:\WINDOWS\System32\NeroCheck.exe
[2008/12/26 21:06:22 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Ahead
[2008/12/26 21:06:21 | 00,000,000 | ---D | C] -- C:\Program Files\Ahead
[2008/12/26 20:57:02 | 00,000,000 | -HSD | C] -- C:\FOUND.000
[2008/12/26 14:07:28 | 00,000,000 | ---D | C] -- C:\VLCPortable
[2008/12/26 13:26:38 | 00,221,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wmpns.dll
[2008/12/26 12:59:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Pc\Application Data\Media Player Classic
[2008/12/24 13:29:11 | 01,267,862 | ---- | C] () -- C:\Documents and Settings\Pc\My Documents\js_scully7491_ChristmasOrnamentbrushes.abr
[2008/12/24 13:27:46 | 04,244,394 | ---- | C] () -- C:\Documents and Settings\Pc\My Documents\Christmas_Brushes_2_by_flina.abr
[2008/12/24 13:23:07 | 02,366,690 | ---- | C] () -- C:\Documents and Settings\Pc\My Documents\pine_brushes_by_hawksmont.abr
[2008/12/24 13:23:03 | 05,019,250 | ---- | C] () -- C:\Documents and Settings\Pc\My Documents\122 by IZ-Person.abr
[2008/12/24 13:18:36 | 00,247,138 | ---- | C] () -- C:\Documents and Settings\Pc\My Documents\Christmas_Eve_Brushes_by_Coby17.abr
[2008/12/24 13:16:37 | 00,547,030 | ---- | C] () -- C:\Documents and Settings\Pc\My Documents\christmas_brushes_by_Christy_Carrier.abr
[2008/12/21 23:30:12 | 00,146,989 | ---- | C] () -- C:\Documents and Settings\Pc\My Documents\200810110152.jpg
[2008/12/21 23:30:12 | 00,132,098 | ---- | C] () -- C:\Documents and Settings\Pc\My Documents\200810110153.jpg
[2008/12/21 16:05:24 | 03,917,529 | ---- | C] () -- C:\Documents and Settings\Pc\My Documents\Spongecola - Puso.mp3

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2009/01/17 12:31:04 | 00,200,484 | ---- | M] () -- C:\Documents and Settings\Pc\Desktop\1586691865_c3b1ca4585.jpg
[2009/01/17 06:45:30 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/01/17 06:45:26 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/01/16 11:43:48 | 00,030,743 | ---- | M] () -- C:\Documents and Settings\Pc\Desktop\cool.jpg
[2009/01/16 11:41:36 | 00,102,256 | ---- | M] () -- C:\Documents and Settings\Pc\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/01/15 12:26:18 | 00,380,832 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/01/15 11:01:04 | 00,000,108 | RHS- | M] () -- C:\autorun.inf
[2009/01/15 10:55:26 | 00,000,671 | ---- | M] () -- C:\Documents and Settings\Pc\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2009/01/14 23:30:46 | 00,884,736 | ---- | M] () -- C:\WINDOWS\gmer.dll
[2009/01/14 23:30:46 | 00,085,969 | ---- | M] (GMER) -- C:\WINDOWS\System32\drivers\gmer.sys
[2009/01/14 23:30:46 | 00,000,250 | ---- | M] () -- C:\WINDOWS\gmer.ini
[2009/01/14 23:30:46 | 00,000,080 | ---- | M] () -- C:\WINDOWS\gmer_uninstall.cmd
[2009/01/13 05:00:24 | 00,026,624 | ---- | M] () -- C:\Documents and Settings\Pc\My Documents\LIST OF FAMILIES EVACUESS.doc
[2009/01/13 04:33:00 | 00,002,497 | ---- | M] () -- C:\Documents and Settings\Pc\Desktop\Microsoft Office Word 2003.lnk
[2009/01/13 04:32:30 | 00,002,495 | ---- | M] () -- C:\Documents and Settings\Pc\Desktop\Microsoft Office Excel 2003.lnk
[2009/01/13 01:08:46 | 00,000,155 | ---- | M] () -- C:\WINDOWS\winamp.ini
[2009/01/12 13:48:04 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/01/09 19:54:26 | 00,503,818 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/01/09 19:54:26 | 00,430,496 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/01/09 19:54:26 | 00,067,220 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/01/09 13:15:04 | 00,012,288 | ---- | M] () -- C:\Documents and Settings\Pc\Desktop\valuemeal.ppt
[2009/01/08 15:41:38 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/01/08 02:08:32 | 00,000,211 | -HS- | M] () -- C:\boot.ini
[2009/01/08 02:08:30 | 00,000,645 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/01/08 02:08:30 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/01/07 14:31:54 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/01/07 13:55:18 | 00,000,349 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\PCLECHAL.INI
[2009/01/07 13:21:12 | 00,063,488 | ---- | M] () -- C:\Documents and Settings\Pc\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/01/07 12:51:30 | 00,002,448 | ---- | M] () -- C:\Documents and Settings\Pc\My Documents\Register DVD Architect Pro.htm
[2009/01/06 19:29:26 | 00,119,516 | ---- | M] () -- C:\Documents and Settings\Pc\My Documents\youtubegrabberv31.zip
[2009/01/06 09:10:44 | 00,020,480 | ---- | M] () -- C:\Documents and Settings\Pc\My Documents\PICK UP LINES 101.doc
[2009/01/05 20:12:20 | 00,000,534 | ---- | M] () -- C:\Documents and Settings\Pc\Desktop\µTorrent.lnk
[2009/01/04 20:37:40 | 00,028,160 | ---- | M] () -- C:\Documents and Settings\Pc\My Documents\Average fixed cost is a per.doc
[2009/01/04 18:41:50 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/01/04 18:41:46 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/01/04 16:21:38 | 02,642,814 | -H-- | M] () -- C:\Documents and Settings\Pc\Local Settings\Application Data\IconCache.db
[2009/01/04 12:39:12 | 00,102,541 | ---- | M] () -- C:\Documents and Settings\Pc\My Documents\new-again.gif
[2009/01/03 20:14:26 | 00,000,716 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Yahoo! Messenger.lnk
[2009/01/02 17:15:02 | 00,000,370 | ---- | M] () -- C:\WINDOWS\tasks\1-Click Maintenance.job
[2009/01/01 21:01:28 | 01,377,831 | ---- | M] () -- C:\Documents and Settings\Pc\My Documents\IMG_0055.JPG
[2009/01/01 13:04:48 | 00,262,793 | ---- | M] () -- C:\Documents and Settings\Pc\My Documents\new-one.gif
[2009/01/01 12:23:16 | 00,437,166 | ---- | M] () -- C:\Documents and Settings\Pc\My Documents\new-paola.gif
[2009/01/01 12:05:58 | 00,388,183 | ---- | M] () -- C:\Documents and Settings\Pc\My Documents\paola1.gif
[2008/12/30 11:51:50 | 00,001,765 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ulead Photo Express 4.0 SE.lnk
[2008/12/30 03:56:50 | 00,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2008/12/26 21:12:22 | 00,001,143 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Nero StartSmart.lnk
[2008/12/24 13:29:44 | 04,244,394 | ---- | M] () -- C:\Documents and Settings\Pc\My Documents\Christmas_Brushes_2_by_flina.abr
[2008/12/24 13:18:42 | 00,247,138 | ---- | M] () -- C:\Documents and Settings\Pc\My Documents\Christmas_Eve_Brushes_by_Coby17.abr
[2008/12/24 13:16:54 | 00,547,030 | ---- | M] () -- C:\Documents and Settings\Pc\My Documents\christmas_brushes_by_Christy_Carrier.abr
[2008/12/21 16:06:36 | 03,917,529 | ---- | M] () -- C:\Documents and Settings\Pc\My Documents\Spongecola - Puso.mp3
< End of report >

Edited by berryhalley, 17 January 2009 - 12:19 AM.


#15 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:10:59 AM

Posted 17 January 2009 - 11:13 AM

Hello berryhalley.

Please run this script with OTMoveIt:

:files
C:\autorun.inf
D:\autorun.inf
E:\autorun.inf
F:\autorun.inf

Fixed?

With Regards,
The Panda
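A defender-side illustration of what that script asks for, as added example code that is not from this thread or from the OTMoveIt tool: it parses the :files section, moves each listed file into a quarantine folder rather than deleting it, and for an autorun.inf records which launch directives (open, shellexecute, shell\verb\command) it carried, so the analyst can see what the flash-disk infection would have started. The drive roots are stand-in temporary directories and the autorun.inf contents are constructed for the demo.

```python
import tempfile
from pathlib import Path

def parse_files_section(script):
    """Paths listed under the ':files' header of an OTMoveIt-style script."""
    paths, in_files = [], False
    for line in (raw.strip() for raw in script.splitlines()):
        if line.startswith(":"):          # section header such as :files or :commands
            in_files = line.lower() == ":files"
        elif line and in_files:
            paths.append(line)
    return paths

def autorun_directives(text):
    """[autorun] keys that launch something on insertion: open, shellexecute, shell\\<verb>\\command."""
    found, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, value = (s.strip() for s in line.lower().split("=", 1))  # Windows paths are case-insensitive
            if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
                found[key] = value
    return found

def quarantine_listed(script, roots, qdir):
    """Move each listed file into qdir and, for autorun.inf, note what it would launch.
    roots maps a drive letter ('C') to the directory standing in for that drive's root."""
    qdir.mkdir(parents=True, exist_ok=True)
    report = []
    for entry in parse_files_section(script):
        drive, _, rest = entry.partition(":\\")
        src = roots[drive.upper()] / rest
        item = {"path": entry, "present": src.is_file(), "directives": {}}
        if item["present"]:
            if src.name.lower() == "autorun.inf":
                item["directives"] = autorun_directives(src.read_text(errors="replace"))
            src.rename(qdir / f"{drive.upper()}_{src.name}")  # keep the drive letter in the quarantined name
        report.append(item)
    return report

def demo():
    """Constructed scenario: stand-in roots for C-F, with an autorun.inf present on C and E only."""
    base = Path(tempfile.mkdtemp())
    roots = {d: base / d for d in "CDEF"}
    for d in "CE":
        roots[d].mkdir()
        (roots[d] / "autorun.inf").write_text("[AutoRun]\nopen=sample.exe\nshell\\open\\command=sample.exe\n")
    script = ":files\n" + "\n".join(f"{d}:\\autorun.inf" for d in "CDEF")
    return quarantine_listed(script, roots, base / "quarantine")
```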



