Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Please help Diagnose HiJackThis Log


  • This topic is locked This topic is locked
25 replies to this topic

#1 dubblelznhell

dubblelznhell

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:02:17 PM

Posted 26 April 2009 - 10:54 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:08:24 AM, on 4/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Windows\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\Windows\Cpqdiag\Cpqdfwag.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\igfxtray.exe
C:\Windows\system32\hkcmd.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Windows\system32\PROMon.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Windows\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Windows\vVX3000.exe
C:\Windows\vVX1000.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Windows\system32\wdfmgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DNA\btdna.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\SNDVOL32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
O1 - Hosts: 64.74.243.12 guru.avg.com # 64.74.243.12
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {7AAF61F2-E9F2-41A8-BF38-6C9F52B250B3} - C:\Windows\system32\pmnoLdDw.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {BC728C13-5691-4529-A1C2-E662A9AD1C87} - C:\Windows\system32\geBuRLDu.dll (file missing)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: {8c712ef5-e5fe-c8cb-ef34-43c5ccff3ace} - {eca3ffcc-5c34-43fe-bc8c-ef5e5fe217c8} - C:\Windows\system32\rczjaw.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [LVCOMSX] C:\Windows\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [VX3000] C:\Windows\vVX3000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX1000] C:\Windows\vVX1000.exe
O4 - HKLM\..\Run: [Autorun Eater] C:\Program Files\Autorun Eater\oldmcdonald.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [cc2999a1] rundll32.exe "C:\Windows\system32\rbyspife.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1187235365936
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\Windows\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: geBuRLDu - geBuRLDu.dll (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\Windows\Cpqdiag\Cpqdfwag.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
O24 - Desktop Component 0: (no name) - http://clubfreedom.biz/images/vip_elite.jpg
O24 - Desktop Component 1: (no name) - http://pic1-us.wayn.com/photos/mugshot/838096.jpg
O24 - Desktop Component 2: (no name) - http://item.slide.com/r/1/182/i/GDB-o_XJzD...sPoOEtx5MJdl-qG
O24 - Desktop Component 3: (no name) - http://apps.rockyou.com/images/facebook/ap...stopping_by.jpg

--
End of file - 9601 bytes

BC AdBot (Login to Remove)

 


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:08:17 PM

Posted 26 April 2009 - 02:37 PM

Hi dubblelznhell,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please give me a little time to go through your log and I will also let you know that I am a trainee so each stage of the fix will need to be checked by an expert coach before I post so there may be a slight delay. Don't worry I won't abandon you.
  • Please subscribe to this topic, if you haven't already, and wait for me to get back to you.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 2 days I will bump the topic and if you do not reply by the following day then I will close the topic.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#3 dubblelznhell

dubblelznhell
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:02:17 PM

Posted 26 April 2009 - 03:45 PM

alright cool, thanks...appreciate anything you can do for my computer.

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:08:17 PM

Posted 27 April 2009 - 09:24 AM

Hi dubblelnzhell,

Your PC is infected and we need to deal with it but firstly...

You have a server which is pointing to this company, UkrTeleGroup. They are a Ukrainian-based host and you may or may not have requested their service. If you did not request their service then let me know. If you did you might want to read this . Please let me know what you want done with this entry either way.

Next...

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
    Posted Image
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.


Finally...

Download and Run OTViewit
  • Please download OTViewIt by OldTimer.
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
  • OTViewIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
Just to recap:
  • What you would like to do with the server pointing issue
  • The Gmer log
  • The two OTViewIt logs

Posted Image
m0le is a proud member of UNITE

#5 dubblelznhell

dubblelznhell
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:02:17 PM

Posted 27 April 2009 - 11:41 AM

Hi Mole, thanks for responding, I did not request the UkrTeleGroup thing at all, so no i don't want it on the computer. So do I wait until you respond or go ahead and download what you asked me to?

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:08:17 PM

Posted 27 April 2009 - 01:02 PM

Go ahead with the instructions, dubblelnzhell.

We'll deal with that issue later :thumbup2:
Posted Image
m0le is a proud member of UNITE

#7 dubblelznhell

dubblelznhell
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:02:17 PM

Posted 27 April 2009 - 05:20 PM

Alright Mole, this is the GMER Scan, and In a few hours i'll post the other 2 that you asked me to post when it's done.....so for now here is the GMER Scan, ok:



GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-27 16:18:08
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code 82DECA30 ZwEnumerateKey
Code 82D02A08 ZwFlushInstructionCache
Code 82CFBCC0 ZwQueryValueKey
Code 82D7BCBE IofCallDriver
Code 82CCFE56 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 82D7BCC3
.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 82CCFE5B
PAGE ntoskrnl.exe!ZwQueryValueKey 8056A1F2 5 Bytes JMP 82CFBCC4
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 5 Bytes JMP 82DECA34
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80577693 3 Bytes JMP 82D02A0C
PAGE ntoskrnl.exe!ZwFlushInstructionCache + 4 80577697 1 Byte [02]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[180] WININET.dll!HttpSendRequestA 771C6099 5 Bytes JMP 001847F7
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[180] WININET.dll!HttpSendRequestW 77212F74 5 Bytes JMP 00184834
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[852] WININET.dll!HttpSendRequestA 771C6099 5 Bytes JMP 001847F7
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[852] WININET.dll!HttpSendRequestW 77212F74 5 Bytes JMP 00184834

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\gaopdxdoyxubqa.sys (*** hidden *** ) ED68F000-ED6A7000 (98304 bytes)

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\drivers\gaopdxdoyxubqa.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxdoyxubqa.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@userdata -1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxdoyxubqa.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxitqwuhhm.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxdoyxubqa.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@userdata -1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxdoyxubqa.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxitqwuhhm.dll

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\gaopdxcounter 4 bytes
File C:\WINDOWS\system32\gaopdxitqwuhhm.dll 55808 bytes executable
File C:\WINDOWS\system32\drivers\gaopdxdoyxubqa.sys 83968 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\gaopdxxeivyscy.sys 83968 bytes executable

---- EOF - GMER 1.0.15 ----

#8 dubblelznhell

dubblelznhell
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:02:17 PM

Posted 27 April 2009 - 05:28 PM

Ok the OTView It log was ALOT quicker than I expected..... ok so here is the first of the 2, the OTViewIt Log:



OTViewIt logfile created on: 4/27/2009 4:22:52 PM - Run
OTViewIt by OldTimer - Version 1.0.21.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.48 Mb Total Physical Memory | 86.61 Mb Available Physical Memory | 17.20% Memory free
1.20 Gb Paging File | 0.67 Gb Available in Paging File | 55.63% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512;

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 25.92 Gb Free Space | 69.55% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CPQ12541144462
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2009/04/08 09:25:06 | 00,298,264 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
[2002/01/24 17:59:18 | 00,512,000 | ---- | M] (Compaq Computer Corporation) -- C:\Program Files\COMPAQ\Compaq Management Agents\Cpqalert.exe
[2001/10/25 17:56:58 | 00,212,992 | ---- | M] (Compaq Computer Corporation) -- C:\WINDOWS\Cpqdiag\CPQDFWAG.EXE
[2002/01/24 18:09:16 | 00,024,576 | ---- | M] (Compaq Computer Corporation) -- C:\Program Files\COMPAQ\Compaq Management Agents\cpqWebDmi\Webdmi.exe
[2009/03/09 05:19:15 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
[2006/10/13 17:01:06 | 00,207,664 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe
[2005/06/21 16:48:18 | 00,155,648 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxtray.exe
[2005/06/21 16:44:34 | 00,126,976 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
[2001/12/14 15:01:24 | 00,032,768 | ---- | M] (Compaq Computer Corporation) -- C:\Program Files\COMPAQ\Easy Access Button Support\STARTEAK.exe
[2002/01/30 18:01:54 | 00,081,920 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
[2002/03/25 11:36:58 | 00,073,728 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\PROMon.exe
[2002/01/24 18:03:32 | 00,081,920 | ---- | M] (Compaq Computer Corporation) -- C:\Program Files\COMPAQ\Compaq Management Agents\Chkadmin.exe
[2005/01/19 11:05:48 | 00,221,184 | ---- | M] (Labtec Inc.) -- C:\WINDOWS\system32\LVCOMSX.EXE
[2005/01/19 11:39:16 | 00,217,088 | ---- | M] (Labtec Inc.) -- C:\Program Files\Logitech\Video\LogiTray.exe
[2006/10/13 17:04:06 | 00,707,376 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\vVX3000.exe
[2006/10/13 17:04:02 | 00,707,376 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\vVX1000.exe
[2002/04/30 16:23:10 | 00,212,992 | ---- | M] () -- C:\Program Files\COMPAQ\Easy Access Button Support\CpqEAKSystemTray.exe
[2002/04/13 21:29:58 | 00,438,272 | ---- | M] (Compaq Computer Corporation) -- C:\Program Files\COMPAQ\Easy Access Button Support\CPQEADM.exe
[2002/07/24 16:47:04 | 00,090,112 | ---- | M] (Compaq) -- C:\Compaq\eakdrv\EAUSBKBD.exe
[2009/04/08 09:24:34 | 01,932,568 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
[2005/01/28 13:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe
[2009/03/09 05:19:17 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
[2009/02/23 20:44:33 | 00,321,344 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\DNA\btdna.exe
[2009/04/08 09:25:11 | 00,485,144 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
[2009/04/08 09:25:12 | 00,594,200 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
[2001/03/23 12:34:10 | 00,122,880 | ---- | M] (Compaq Computer Corporation) -- C:\Program Files\COMPAQ\Easy Access Button Support\BttnServ.exe
[2001/04/11 10:33:46 | 00,215,552 | ---- | M] (Intel) -- C:\Program Files\COMPAQ\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
[2009/04/08 09:24:19 | 00,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe
[2002/01/24 18:03:48 | 00,020,480 | ---- | M] (Compaq Computer Corporation) -- C:\Program Files\COMPAQ\Compaq Management Agents\Cpqdmi.exe
[2009/04/08 09:25:11 | 00,691,992 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
[2005/01/19 11:21:48 | 00,192,512 | ---- | M] (Labtec Inc.) -- C:\Program Files\Logitech\Video\FxSvr2.exe
[2008/04/14 05:42:24 | 00,093,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
[2007/09/20 10:35:36 | 00,118,336 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
[2008/04/14 05:42:24 | 00,093,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
[2009/04/27 16:22:16 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2007/04/13 03:20:52 | 00,033,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2009/04/08 09:24:19 | 00,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc [Auto | Running])
[2009/04/08 09:25:06 | 00,298,264 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Running])
[2007/04/13 03:21:18 | 00,068,952 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2002/01/24 17:59:18 | 00,512,000 | ---- | M] (Compaq Computer Corporation) -- C:\Program Files\COMPAQ\Compaq Management Agents\Cpqalert.exe -- (CPQALERT [Auto | Running])
[2001/10/25 17:56:58 | 00,212,992 | ---- | M] (Compaq Computer Corporation) -- C:\WINDOWS\Cpqdiag\CPQDFWAG.EXE -- (CpqDfwWebAgent [Auto | Running])
[2002/01/24 18:03:48 | 00,020,480 | ---- | M] (Compaq Computer Corporation) -- C:\Program Files\COMPAQ\Compaq Management Agents\Cpqdmi.exe -- (cpqdmi [Auto | Running])
[2002/01/24 18:09:16 | 00,024,576 | ---- | M] (Compaq Computer Corporation) -- C:\Program Files\COMPAQ\Compaq Management Agents\cpqWebDmi\Webdmi.exe -- (cpqWebDmi [Auto | Running])
[2009/03/09 05:19:15 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
[2006/10/13 17:01:06 | 00,207,664 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe -- (MSCamSvc [Auto | Running])
[2002/03/04 10:35:26 | 01,118,208 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\NMSSvc.Exe -- (NMSSvc [Auto | Stopped])
[2005/01/28 13:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe -- (UMWdf [Auto | Running])
[2007/10/18 11:31:54 | 00,098,328 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc [On_Demand | Stopped])
[2001/04/11 10:33:46 | 00,215,552 | ---- | M] (Intel) -- C:\Program Files\COMPAQ\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe -- (WIN32SL [Auto | Running])

========== Driver Services ==========

[2001/08/17 07:20:04 | 00,096,256 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ac97intc.sys -- (ac97intc [On_Demand | Stopped])
[2003/03/13 18:34:48 | 00,100,224 | ---- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (aeaudio [On_Demand | Running])
[1999/09/10 12:06:00 | 00,025,244 | ---- | M] (Adaptec) -- C:\Windows\System32\drivers\ASPI32.SYS -- (ASPI32 [System | Running])
[2009/04/08 09:25:14 | 00,325,640 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (AvgLdx86 [System | Running])
[2009/02/25 19:44:25 | 00,027,656 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (AvgMfx86 [System | Running])
[2009/04/08 09:25:15 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (AvgTdiX [System | Running])
[2002/01/16 14:48:54 | 00,054,222 | ---- | M] (Compaq Computer Corp) -- C:\WINDOWS\system32\drivers\Clntmgmt.sys -- (ClntMgmt [System | Running])
[2002/04/04 17:43:04 | 00,017,077 | ---- | M] () -- C:\WINDOWS\system32\drivers\Cpqdfw.sys -- (cpqdfw [Auto | Running])
[1998/09/30 07:36:06 | 00,154,436 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\Cqcpu.sys -- (cqcpu [Auto | Running])
[1999/05/19 14:00:50 | 00,018,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\CQ_MEM.SYS -- (cq_mem [Auto | Running])
[2002/02/25 02:54:04 | 00,139,776 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\e100b325.sys -- (E100B [On_Demand | Running])
[2001/12/28 09:55:46 | 00,024,035 | ---- | M] (Compaq Computer Corp.) -- C:\WINDOWS\system32\drivers\eaps2kbd.sys -- (eaps2kbd [On_Demand | Running])
[1999/10/29 10:35:08 | 00,024,348 | ---- | M] (Compaq Computer Corporation) -- C:\WINDOWS\system32\drivers\EAWDMFD.SYS -- (EAWDMFD [System | Running])
[2004/08/03 22:29:38 | 00,161,020 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\drivers\i81xnt5.sys -- (i81x [On_Demand | Stopped])
[2004/08/03 22:29:38 | 00,012,415 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\drivers\wadv01nt.sys -- (iAimFP0 [On_Demand | Stopped])
[2004/08/03 22:29:38 | 00,012,127 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\drivers\wadv02nt.sys -- (iAimFP1 [On_Demand | Stopped])
[2004/08/03 22:29:38 | 00,011,775 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\drivers\wadv05nt.sys -- (iAimFP2 [On_Demand | Stopped])
[2004/08/03 22:29:48 | 00,012,063 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\drivers\wsiintxx.sys -- (iAimFP3 [On_Demand | Stopped])
[2004/08/03 22:29:50 | 00,019,455 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\drivers\wvchntxx.sys -- (iAimFP4 [On_Demand | Stopped])
[2004/08/03 22:29:42 | 00,029,311 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\drivers\watv01nt.sys -- (iAimTV0 [On_Demand | Stopped])
[2004/08/03 22:29:44 | 00,019,551 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\drivers\watv02nt.sys -- (iAimTV1 [On_Demand | Stopped])
[2004/08/03 22:29:44 | 00,033,599 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\drivers\watv04nt.sys -- (iAimTV3 [On_Demand | Stopped])
[2004/08/03 22:29:46 | 00,023,615 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\drivers\wch7xxnt.sys -- (iAimTV4 [On_Demand | Stopped])
[2005/06/21 17:12:34 | 00,807,998 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm [On_Demand | Running])
[2005/01/19 13:11:16 | 00,022,016 | R--- | M] (Labtec Inc.) -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta [On_Demand | Stopped])
[2008/04/14 00:26:08 | 00,088,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx [Auto | Running])
[2001/08/17 13:54:20 | 00,063,232 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb [Auto | Running])
[2001/08/17 13:54:20 | 00,055,936 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx [Auto | Running])
[2008/04/14 00:04:14 | 00,163,584 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\nwrdr.sys -- (NWRDR [On_Demand | Running])
[2005/01/19 13:14:38 | 00,211,712 | R--- | M] (Labtec Inc.) -- C:\WINDOWS\system32\drivers\LV561AV.SYS -- (PID_0928 [On_Demand | Stopped])
[2001/08/17 13:49:58 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2007/03/07 17:51:00 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
[2007/11/13 04:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2003/05/27 17:05:42 | 00,578,304 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm [On_Demand | Running])
[2001/08/17 14:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) -- C:\WINDOWS\system32\drivers\symc810.sys -- (symc810 [Disabled | Stopped])
[2001/08/17 14:07:36 | 00,032,640 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\drivers\symc8xx.sys -- (symc8xx [Disabled | Stopped])
[2001/08/17 14:07:40 | 00,028,384 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\drivers\sym_hi.sys -- (sym_hi [Disabled | Stopped])
[2008/04/14 00:15:14 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Stopped])
[2006/10/13 17:04:28 | 01,966,000 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\VX1000.sys -- (VX1000 [On_Demand | Stopped])
[2006/10/13 17:04:30 | 01,966,384 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\VX3000.sys -- (VX3000 [On_Demand | Stopped])
[2002/05/06 08:41:10 | 00,088,544 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ialmsbw.sys -- ({6080A529-897E-4629-A488-ABA0C29B635E} [System | Stopped])
[2002/05/06 08:41:20 | 00,069,472 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ialmkchw.sys -- ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91} [On_Demand | Stopped])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://www.yahoo.com
"Default_Search_URL"=http://www.google.com/ie
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=
"Start Page"=http://ca.yahoo.com

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"CustomSearch"=http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr8/*http://www.yahoo.com/ext/search/search.html
"Default_Search_URL"=http://www.google.com/ie
"SearchAssistant"=http://www.google.com/ie

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\Windows\system32\blank.htm
"Search Page"=http://www.google.com
"Start Page"=http://www.msn.ca/

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search]
"AutoSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/saautosearch.aspx
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""=http://home.microsoft.com/access/autosearch.asp?p=%s
"provider"=gogl

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-21-1567011825-334337264-2154702590-500\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\Windows\system32\blank.htm
"Search Page"=http://www.google.com
"Start Page"=http://www.msn.ca/

[HKEY_USERS\S-1-5-21-1567011825-334337264-2154702590-500\SOFTWARE\Microsoft\Internet Explorer\Search]
"AutoSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/saautosearch.aspx
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_USERS\S-1-5-21-1567011825-334337264-2154702590-500\Software\Microsoft\Internet Explorer\SearchURL]
""=http://home.microsoft.com/access/autosearch.asp?p=%s
"provider"=gogl

[HKEY_USERS\S-1-5-21-1567011825-334337264-2154702590-500\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1567011825-334337264-2154702590-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (749 bytes) - C:\Windows\System32\drivers\etc\Hosts
First 25 entries...
64.74.243.12 guru.avg.com # 64.74.243.12

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{02478D38-C3F9-4efb-9B51-7695ECA05670} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{201f27d4-3704-41d6-89c1-aa35e39143ed} (HKLM) -- C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} (HKLM) -- C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
{7AAF61F2-E9F2-41A8-BF38-6C9F52B250B3} (HKLM) -- C:\Windows\system32\pmnoLdDw.dll File not found
{7E853D72-626A-48EC-A868-BA8D5E23E045} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{9030D464-4C02-4ABF-8ECC-5164760863C6} (HKLM) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
{BC728C13-5691-4529-A1C2-E662A9AD1C87} (HKLM) -- C:\Windows\system32\geBuRLDu.dll File not found
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} (HKLM) -- C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
{DBC80044-A445-435b-BC74-9C25C1C588A9} (HKLM) -- C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
{E7E6F031-17CE-4C07-BC86-EABFE594F69C} (HKLM) -- C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
{eca3ffcc-5c34-43fe-bc8c-ef5e5fe217c8} (HKLM) -- C:\Windows\system32\rczjaw.dll File not found

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}" (HKLM) -- C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" (HKLM) -- C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" (HKLM) -- C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}" (HKLM) -- C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-8087-36EE87E26986}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" (HKLM) -- C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" (HKLM) -- C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" (HKLM) -- C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1567011825-334337264-2154702590-500\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-21-1567011825-334337264-2154702590-500\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" (HKLM) -- C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1567011825-334337264-2154702590-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}" (HKLM) -- C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)

[HKEY_USERS\S-1-5-21-1567011825-334337264-2154702590-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-8087-36EE87E26986}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-21-1567011825-334337264-2154702590-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" (HKLM) -- C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1567011825-334337264-2154702590-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Autorun Eater"=C:\Program Files\Autorun Eater\oldmcdonald.exe (Old McDonald's Farm)
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
"cc2999a1"=rundll32.exe "C:\Windows\system32\rbyspife.dll",b File not found
"ChkAdmin"=C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE (Compaq Computer Corporation)
"CPQEASYACC"=C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe (Compaq Computer Corporation)
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe (Intel Corporation)
"IgfxTray"=C:\Windows\system32\igfxtray.exe (Intel Corporation)
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" (Microsoft Corporation)
"LogitechVideoRepair"=C:\Program Files\Logitech\Video\ISStart.exe (Labtec Inc.)
"LogitechVideoTray"=C:\Program Files\Logitech\Video\LogiTray.exe (Labtec Inc.)
"LVCOMSX"=C:\Windows\system32\LVCOMSX.EXE (Labtec Inc.)
"PROMon.exe"=PROMon.exe (Intel Corporation)
"Smapp"=C:\Program Files\Analog Devices\SoundMAX\Smtray.exe (Analog Devices, Inc.)
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
"VX1000"=C:\Windows\vVX1000.exe (Microsoft Corporation)
"VX3000"=C:\Windows\vVX3000.exe (Microsoft Corporation)
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" File not found

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" (BitTorrent, Inc.)

[HKEY_USERS\S-1-5-21-1567011825-334337264-2154702590-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" (BitTorrent, Inc.)

========== (O4) RunServices Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"CPQDFWAG"=C:\Windows\Cpqdiag\CpqDfwAg.exe (Compaq Computer Corporation)

========== (O4) Startup Folders ==========


========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"HonorAutoRunSetting"=1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-1567011825-334337264-2154702590-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
&Windows Live Search: C:\Program Files\Windows Live Toolbar\msntb.dll [2007/10/19 11:20:48 | 00,546,320 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\MenuExt\]
&Windows Live Search: C:\Program Files\Windows Live Toolbar\msntb.dll [2007/10/19 11:20:48 | 00,546,320 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\MenuExt\]
&Windows Live Search: C:\Program Files\Windows Live Toolbar\msntb.dll [2007/10/19 11:20:48 | 00,546,320 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\MenuExt\]
&Windows Live Search: Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\MenuExt\]
&Windows Live Search: Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-21-1567011825-334337264-2154702590-500\Software\Microsoft\Internet Explorer\MenuExt\]
&Windows Live Search: C:\Program Files\Windows Live Toolbar\msntb.dll [2007/10/19 11:20:48 | 00,546,320 | ---- | M] (Microsoft Corporation)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{219C3416-8CB2-491a-A3C7-D9FCDDC9D600}: Button: Blog This -- %ProgramFiles%\Windows Live\Writer\WriterBrowserExtension.dll [2007/10/26 18:09:54 | 00,154,640 | ---- | M] (Microsoft Corporation)
{219C3416-8CB2-491a-A3C7-D9FCDDC9D600}: Menu: &Blog This in Windows Live Writer -- %ProgramFiles%\Windows Live\Writer\WriterBrowserExtension.dll [2007/10/26 18:09:54 | 00,154,640 | ---- | M] (Microsoft Corporation)
{e2e2dd38-d088-4134-82b7-f2ba38496583}: Menu: @xpsp3res.dll,-20001 -- %SystemRoot%\network diagnostic\xpnetdiag.exe [2008/04/14 00:23:34 | 00,558,080 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/14 05:42:30 | 01,695,232 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/14 05:42:30 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %SystemRoot%\system32\msjava.dll [Web Browser Applet Control] -> [2003/02/28 18:26:26 | 00,947,472 | ---- | M] (Microsoft Corporation)
CmdMapping\\{219C3416-8CB2-491a-A3C7-D9FCDDC9D600} [HKLM] -> %ProgramFiles%\Windows Live\Writer\WriterBrowserExtension.dll [Blog This] -> [2007/10/26 18:09:54 | 00,154,640 | ---- | M] (Microsoft Corporation)
CmdMapping\\{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> %SystemRoot%\network diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2008/04/14 00:23:34 | 00,558,080 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 05:42:30 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %SystemRoot%\system32\msjava.dll [Web Browser Applet Control] -> [2003/02/28 18:26:26 | 00,947,472 | ---- | M] (Microsoft Corporation)
CmdMapping\\{219C3416-8CB2-491a-A3C7-D9FCDDC9D600} [HKLM] -> %ProgramFiles%\Windows Live\Writer\WriterBrowserExtension.dll [Blog This] -> [2007/10/26 18:09:54 | 00,154,640 | ---- | M] (Microsoft Corporation)
CmdMapping\\{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> %SystemRoot%\network diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2008/04/14 00:23:34 | 00,558,080 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 05:42:30 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %SystemRoot%\system32\msjava.dll [Web Browser Applet Control] -> [2003/02/28 18:26:26 | 00,947,472 | ---- | M] (Microsoft Corporation)
CmdMapping\\{219C3416-8CB2-491a-A3C7-D9FCDDC9D600} [HKLM] -> %ProgramFiles%\Windows Live\Writer\WriterBrowserExtension.dll [Blog This] -> [2007/10/26 18:09:54 | 00,154,640 | ---- | M] (Microsoft Corporation)
CmdMapping\\{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> %SystemRoot%\network diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2008/04/14 00:23:34 | 00,558,080 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 05:42:30 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1567011825-334337264-2154702590-500\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %SystemRoot%\system32\msjava.dll [Web Browser Applet Control] -> [2003/02/28 18:26:26 | 00,947,472 | ---- | M] (Microsoft Corporation)
CmdMapping\\{219C3416-8CB2-491a-A3C7-D9FCDDC9D600} [HKLM] -> %ProgramFiles%\Windows Live\Writer\WriterBrowserExtension.dll [Blog This] -> [2007/10/26 18:09:54 | 00,154,640 | ---- | M] (Microsoft Corporation)
CmdMapping\\{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> %SystemRoot%\network diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2008/04/14 00:23:34 | 00,558,080 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 05:42:30 | 01,695,232 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
: msn in My Computer

[HKEY_USERS\S-1-5-21-1567011825-334337264-2154702590-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
: msn in My Computer

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_13
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}: http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab -- Reg Error: Key does not exist or could not be opened.
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Reg Error: Key does not exist or could not be opened.
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_13
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_13
Microsoft XML Parser for Java: file://C:\Windows\Java\classes\xmldso.cab -- Reg Error: Key does not exist or could not be opened.

========== (O17) DNS Name Servers ==========

{4A26F0F4-7684-44E3-9C0A-5861489044C4} (Servers: | Description: Intel® PRO/100 VM Network Connection)
{936ABBDE-9A2A-4703-993D-384F29283869} (Servers: | Description: )

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
avgrsstarter: "DllName" = avgrsstx.dll -- C:\WINDOWS\system32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
geBuRLDu: "DllName" = geBuRLDu.dll -- File not found
igfxcui: "DllName" = igfxsrvc.dll -- C:\WINDOWS\system32\igfxsrvc.dll (Intel Corporation)

========== Shell Execute Hooks ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{634f786f-37cd-48c5-8a99-a8c45d27ba19}" (HKLM) -- C:\Windows\system32\rczjaw.dll File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BC728C13-5691-4529-A1C2-E662A9AD1C87}" (HKLM) -- C:\Windows\system32\geBuRLDu.dll File not found

========== LSA *Authentication Packages* ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=msv1_0,nwprovau,C:\Windows\system32\pmnoLdDw,
>[2008/04/14 05:42:04 | 00,142,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\nwprovau.dll
>File not found --

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Files/Folders - Created Within 30 Days ==========

[2009/04/27 16:22:14 | 00,422,912 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTViewIt.exe
[2009/04/27 13:31:54 | 00,286,208 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\9l57fl3b.exe
[2009/04/26 00:07:44 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk
[2009/04/26 00:07:43 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/04/08 09:24:54 | 00,001,507 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 8.5.lnk
[2009/04/08 09:15:13 | 01,397,707 | -HS- | C] () -- C:\Windows\System32\efipsybr.ini

========== Files - Modified Within 30 Days ==========

[1 C:\Windows\System32\*.tmp files]
[5 C:\Windows\*.tmp files]
[2009/04/27 16:22:16 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTViewIt.exe
[2009/04/27 13:31:56 | 00,286,208 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\9l57fl3b.exe
[2009/04/27 08:05:05 | 35,477,808 | ---- | M] () -- C:\Windows\System32\drivers\Avg\incavi.avm
[2009/04/26 00:07:44 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk
[2009/04/25 17:40:52 | 00,001,158 | ---- | M] () -- C:\Windows\System32\wpa.dbl
[2009/04/25 17:39:53 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/04/25 17:39:52 | 00,002,048 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/04/25 17:39:51 | 52,801,1264 | -HS- | M] () -- C:\hiberfil.sys
[2009/04/25 16:08:38 | 00,032,111 | ---- | M] () -- C:\Windows\System32\drivers\Avg\microavi.avg
[2009/04/22 17:46:37 | 00,434,673 | ---- | M] () -- C:\Windows\System32\drivers\Avg\miniavi.avg
[2009/04/08 13:12:32 | 00,018,031 | -HS- | M] () -- C:\Windows\System32\wDdLonmp.ini
[2009/04/08 13:10:45 | 00,018,031 | -HS- | M] () -- C:\Windows\System32\wDdLonmp.ini2
[2009/04/08 09:52:32 | 01,397,707 | -HS- | M] () -- C:\Windows\System32\efipsybr.ini
[2009/04/08 09:25:15 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgtdix.sys
[2009/04/08 09:25:14 | 00,325,640 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgldx86.sys
[2009/04/08 09:24:54 | 00,001,507 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 8.5.lnk
[2009/04/08 09:24:53 | 00,010,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\avgrsstx.dll
< End of report >





Now here is the 2nd of the two...the Extras.Txt Log:



OTViewIt Extras logfile created on: 4/27/2009 4:22:52 PM - Run
OTViewIt by OldTimer - Version 1.0.21.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.48 Mb Total Physical Memory | 86.61 Mb Available Physical Memory | 17.20% Memory free
1.20 Gb Paging File | 0.67 Gb Available in Paging File | 55.63% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512;

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 25.92 Gb Free Space | 69.55% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CPQ12541144462
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=0
"FirewallDisableNotify"=0
"UpdatesDisableNotify"=0
"AntiVirusOverride"=0
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring"=1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring"=1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=1
"DoNotAllowExceptions"=0
"DisableNotifications"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/14 05:42:36 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008/04/14 00:23:34 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2007/10/18 11:34:02 | 05,724,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
[2007/07/16 18:14:40 | 00,304,488 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008/04/14 05:42:36 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008/04/14 05:42:30 | 01,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
[2007/08/30 17:43:18 | 04,670,704 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger
[2007/08/30 17:43:18 | 00,091,376 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server
[2008/04/14 05:42:22 | 00,769,024 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice
[2006/10/13 17:01:18 | 00,277,296 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft LifeCam\LifeExp.exe:*:Enabled:LifeExp.exe
[2006/10/13 17:04:52 | 04,201,264 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft LifeCam\LifeCam.exe:*:Enabled:LifeCam.exe
File not found -- C:\Program Files\ooVoo\ooVoo.exe:*:Enabled:ooVoo
File not found -- C:\Nexon\MapleStory\MapleStory.exe:*:Enabled:MapleStory
[2008/04/14 00:23:34 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2007/10/18 11:34:02 | 05,724,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
[2007/07/16 18:14:40 | 00,304,488 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)
File not found -- C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire
File not found -- C:\Documents and Settings\Administrator\Local Settings\Temp\WZSE0.TMP\SymNRT.exe:*:Enabled:Norton Removal Tool
[2009/02/23 20:44:33 | 00,321,344 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\DNA\btdna.exe:*:Enabled:DNA
[2009/02/17 13:10:02 | 00,637,232 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
[2009/04/08 09:24:19 | 00,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe
[2009/04/08 09:24:22 | 01,057,048 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe
[2009/04/08 09:25:12 | 00,594,200 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe

========== (O10) Winsock2 Catalogs ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\]
NameSpace_Catalog5\Catalog_Entries\000000000004 [NWLink IPX/SPX/NetBIOS Compatible Transport Protocol] -- C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2008/04/14 05:42:00 | 00,532,480 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\msdaipp.dll ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - Microsoft OLE DB Moniker Binder for Internet Publishing]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2009/04/08 09:24:51 | 00,079,128 | ---- | M] (AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG8\avgpp.dll (linkscanner:{F274614C-63F8-47D5-A4D1-FBDDE494F8D1} (HKLM) [XPLPPFilter Class])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2007/10/18 11:31:54 | 00,066,072 | ---- | M] (Microsoft Corporation) C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (livecall:{828030A1-22C1-4009-854F-8E305202313F} (HKLM) [Reg Error: Value does not exist or could not be read.])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2008/04/14 05:42:00 | 00,532,480 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\msdaipp.dll msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - Microsoft OLE DB Moniker Binder for Internet Publishing]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2008/04/14 05:42:00 | 00,532,480 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\msdaipp.dll msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2007/10/18 11:31:54 | 00,066,072 | ---- | M] (Microsoft Corporation) C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (msnim:{828030A1-22C1-4009-854F-8E305202313F} (HKLM) [Reg Error: Value does not exist or could not be read.])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2007/10/23 12:14:52 | 00,858,136 | ---- | M] (Microsoft Corporation) C:\Program Files\Windows Live\Mail\mailcomm.dll (wlmailhtml:{03C514A3-1EFB-4856-9F99-10D7BE1653C0} (HKLM) [Windows Live Mail HTML Asynchronous Pluggable Protocol Handler])

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01A4AEDE-F219-49A2-B855-16A016EAF9A4}"=Intel® PROSet II
"{0369E93A-46CE-4417-BFC2-4841F2C847F2}"=Compaq Help and Support Center
"{184E7118-0295-43C4-B72C-1D54AA75AAF7}"=Windows Live Mail
"{1881AE03-2BD4-11D4-86BF-00508B10AA88}"=Compaq Diagnostics for Windows
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}"=Java™ 6 Update 13
"{2D4F6BE3-6FEF-4FE9-9D01-1406B220D08C}"=Windows Live Photo Gallery
"{3248F0A8-6813-11D6-A77B-00B0D0160070}"=Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}"=Windows Live Messenger
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}"=Microsoft .NET Framework 2.0
"{71A470E1-27E7-424E-803A-F9C0D41968D3}"=Compaq Remote Diagnostics Enabling Agent
"{7299052b-02a4-4627-81f2-1818da5d550d}"=Microsoft Visual C++ 2005 Redistributable
"{8A62A068-3FD6-495A-9F66-26FE94F32EC9}"=Rhapsody Player Engine
"{8A708DD8-A5E6-11D4-A706-000629E95E20}"=Intel® Extreme Graphics Driver
"{8CFC7570-DD90-486E-A239-E31D455BDE93}"=Microsoft LifeCam
"{9176251A-4CC1-4DDB-B343-B487195EB397}"=Windows Live Writer
"{93539D60-1817-11D1-9504-00805F26A89C}"=Easy Access Button Support
"{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}"=Windows Live Sign-in Assistant
"{BF45F502-D3F2-4E7C-91D8-9AA5A8141D08}"=Labtec WebCam Software
"{D5A145FC-D00C-4F1A-9119-EB4D9D659750}"=Windows Live Toolbar
"{F0A37341-D692-11D4-A984-009027EC0A9C}"=SoundMAX
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}"=Microsoft SQL Server 2005 Compact Edition [ENU]
"Adobe Flash Player ActiveX"=Adobe Flash Player 10 ActiveX
"ASIO4ALL"=ASIO4ALL
"Ask Toolbar_is1"=Ask Toolbar
"Autorun Eater_is1"=Autorun Eater v2.3
"AVG8Uninstall"=AVG 8.5
"Collab"=Collab
"Cool Edit Pro 2.1"=Cool Edit Pro 2.1
"FL Studio 8"=FL Studio 8
"HijackThis"=HijackThis 2.0.2
"IL Download Manager"=IL Download Manager
"IntMgmt"=Compaq Management Agents
"Microsoft .NET Framework 2.0"=Microsoft .NET Framework 2.0
"PoiZone"=PoiZone
"PROSet"=Intel® PRO Ethernet Adapter and Software
"QcDrv"=LabtecŪ Camera Driver
"RealArcade 1.2"=RealArcade
"Setup Compaq Software"=Setup Compaq Software
"Toxic Biohazard"=Toxic Biohazard
"ToxicIII"=ToxicIII
"WIC"=Windows Imaging Component
"Winamp"=Winamp
"Windows Live Toolbar"=Windows Live Toolbar
"Windows Media Format Runtime"=Windows Media Format Runtime
"Windows XP Service Pack"=Windows XP Service Pack 3
"WinRAR archiver"=WinRAR archiver
"XviD & MP3 Codec Pack_is1"=XviD & MP3 Codec Pack (remove only)
"XviD_is1"=XviD MPEG-4 Video Codec

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent"=BitTorrent
"BitTorrent DNA"=DNA

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1567011825-334337264-2154702590-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent"=BitTorrent
"BitTorrent DNA"=DNA

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/24/2009 5:51:49 PM | Computer Name = CPQ12541144462 | Source = Application Hang | ID = 1002
Description = Hanging application Au_.exe, version 0.0.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 2/24/2009 5:52:05 PM | Computer Name = CPQ12541144462 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/24/2009 5:52:09 PM | Computer Name = CPQ12541144462 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/24/2009 5:52:12 PM | Computer Name = CPQ12541144462 | Source = Application Hang | ID = 1001
Description = Fault bucket 724398357.

Error - 2/24/2009 5:52:13 PM | Computer Name = CPQ12541144462 | Source = Application Hang | ID = 1001
Description = Fault bucket 724398357.

Error - 2/24/2009 5:52:13 PM | Computer Name = CPQ12541144462 | Source = Application Hang | ID = 1001
Description = Fault bucket 217006815.

Error - 2/24/2009 5:52:13 PM | Computer Name = CPQ12541144462 | Source = Application Error | ID = 1001
Description = Fault bucket 753075125.

Error - 2/26/2009 12:01:49 AM | Computer Name = CPQ12541144462 | Source = MsiInstaller | ID = 10005
Description = Product: Windows Live Messenger -- The installer has encountered an
unexpected error installing this package. This may indicate a problem with this
package. The error code is 2771. The arguments are: MsgrFeat, ,

Error - 4/23/2009 11:57:45 AM | Computer Name = CPQ12541144462 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 4/26/2009 12:01:11 PM | Computer Name = CPQ12541144462 | Source = MsiInstaller | ID = 10005
Description = Product: Windows Live Messenger -- The installer has encountered an
unexpected error installing this package. This may indicate a problem with this
package. The error code is 2771. The arguments are: MsgrFeat, ,

[ System Events ]
Error - 4/15/2009 7:00:30 PM | Computer Name = CPQ12541144462 | Source = Service Control Manager | ID = 7000
Description = The npkcrypt service failed to start due to the following error: %%2

Error - 4/15/2009 7:13:44 PM | Computer Name = CPQ12541144462 | Source = IPXRouterManager | ID = 20115
Description = IPX Routing requires an internal network number for correct operation.

Error - 4/16/2009 3:17:50 PM | Computer Name = CPQ12541144462 | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 4/18/2009 3:17:51 PM | Computer Name = CPQ12541144462 | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 4/20/2009 3:17:52 PM | Computer Name = CPQ12541144462 | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 4/22/2009 3:17:53 PM | Computer Name = CPQ12541144462 | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 4/25/2009 6:06:31 PM | Computer Name = CPQ12541144462 | Source = Service Control Manager | ID = 7000
Description = The npkcrypt service failed to start due to the following error: %%2

Error - 4/25/2009 6:08:20 PM | Computer Name = CPQ12541144462 | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 4/25/2009 7:40:24 PM | Computer Name = CPQ12541144462 | Source = Service Control Manager | ID = 7000
Description = The npkcrypt service failed to start due to the following error: %%2

Error - 4/27/2009 6:08:23 PM | Computer Name = CPQ12541144462 | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.


< End of report >

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:08:17 PM

Posted 27 April 2009 - 07:57 PM

Hi dubblelnzhell,

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


The log shows that you have been using so called peer-to-peer or file-sharing programmes (in your case BitTorrent). These programmes allow to share files between users as the name(s) suggest. In today's world the cyber crime has come a long way and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of their malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

Now to the fix...

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Next...

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Please post the Combofix and MBAM logs in the next reply. :thumbup2:
Posted Image
m0le is a proud member of UNITE

#10 dubblelznhell

dubblelznhell
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:02:17 PM

Posted 27 April 2009 - 09:44 PM

Alright Mole, got the ComboFix Log right here:

ComboFix 09-04-27.02 - Administrator 04/27/2009 20:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.260 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: Norton AntiVirus *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\drivers\gaopdxdoyxubqa.sys
c:\windows\system32\drivers\gaopdxxeivyscy.sys
c:\windows\system32\efipsybr.ini
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxitqwuhhm.dll
c:\windows\system32\jpekhybl.ini
c:\windows\system32\uwxknvyh.ini
c:\windows\system32\wDdLonmp.ini
c:\windows\system32\wDdLonmp.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-28 )))))))))))))))))))))))))))))))
.

2009-04-26 06:07 . 2009-04-26 06:07 -------- d-----w c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 02:34 . 2009-02-26 00:37 -------- d-----w c:\program files\Autorun Eater
2009-04-28 02:34 . 2009-02-24 02:44 -------- d-----w c:\program files\DNA
2009-04-15 22:05 . 2007-09-05 17:58 -------- d-----w c:\program files\Windows Live
2009-04-08 19:39 . 2008-08-14 22:41 -------- d-----w c:\program files\Java
2009-04-08 15:25 . 2009-02-26 01:44 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-08 15:25 . 2009-02-26 01:44 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-08 15:24 . 2009-02-26 01:44 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-03-09 11:19 . 2008-12-31 15:42 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-01 03:36 . 2009-03-01 03:32 -------- d-----w c:\program files\coolpro2
2007-09-15 20:51 . 2007-09-15 20:51 774144 ----a-w c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-09-29 23:24 325000 ----a-w c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-29 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-29 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-02-24 321344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"CPQEASYACC"="c:\program files\COMPAQ\Easy Access Button Support\StartEAK.exe" [2001-12-14 32768]
"Smapp"="c:\program files\Analog Devices\SoundMAX\Smtray.exe" [2002-01-31 81920]
"ChkAdmin"="c:\progra~1\Compaq\COMPAQ~1\CHKADMIN.EXE" [2002-01-25 81920]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-01-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-01-19 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-01-19 217088]
"VX3000"="c:\windows\vVX3000.exe" [2006-10-13 707376]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-10-13 277296]
"VX1000"="c:\windows\vVX1000.exe" [2006-10-13 707376]
"Autorun Eater"="c:\program files\Autorun Eater\oldmcdonald.exe" [2008-11-27 501768]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-08 1932568]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"PROMon.exe"="PROMon.exe" - c:\windows\system32\PROMon.exe [2002-03-25 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-08 15:24 10520 ----a-w c:\windows\system32\avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"MIDI2"= SYNCOR11.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-08 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-08 108552]
S1 ClntMgmt;Compaq Client Management Driver;c:\windows\system32\Drivers\ClntMgmt.sys [2002-01-16 54222]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-08 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-08 298264]
S2 CpqDfwWebAgent;Compaq Remote Diagnostics Enabling Agent;c:\windows\Cpqdiag\Cpqdfwag.exe [2001-10-25 212992]
S2 cpqWebDmi;Compaq DMI Web Agent;c:\progra~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe [2002-01-25 24576]

.
- - - - ORPHANS REMOVED - - - -

BHO-{7AAF61F2-E9F2-41A8-BF38-6C9F52B250B3} - c:\windows\system32\pmnoLdDw.dll
BHO-{BC728C13-5691-4529-A1C2-E662A9AD1C87} - c:\windows\system32\geBuRLDu.dll
BHO-{eca3ffcc-5c34-43fe-bc8c-ef5e5fe217c8} - c:\windows\system32\rczjaw.dll
WebBrowser-{A057A204-BACC-4D26-8087-36EE87E26986} - (no file)
HKLM-Run-YSearchProtection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
HKLM-Run-cc2999a1 - c:\windows\system32\rbyspife.dll
ShellExecuteHooks-{BC728C13-5691-4529-A1C2-E662A9AD1C87} - c:\windows\system32\geBuRLDu.dll
ShellExecuteHooks-{634f786f-37cd-48c5-8a99-a8c45d27ba19} - c:\windows\system32\rczjaw.dll
Notify-geBuRLDu - geBuRLDu.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.ca/
mStart Page = hxxp://ca.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-27 20:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\COMPAQ\Compaq Management Agents\Cpqalert.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wdfmgr.exe
c:\program files\COMPAQ\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
c:\progra~1\COMPAQ\COMPAQ~1\Cpqdmi.exe
c:\program files\COMPAQ\Easy Access Button Support\CpqEAKSystemTray.exe
c:\program files\COMPAQ\Easy Access Button Support\CPQEADM.exe
c:\compaq\eakdrv\EAUSBKBD.exe
c:\progra~1\COMPAQ\EASYAC~1\BttnServ.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Logitech\Video\FxSvr2.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-28 20:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-28 02:41

Pre-Run: 27,768,537,088 bytes free
Post-Run: 29,182,689,280 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\Windows
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\Windows="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

176 --- E O F --- 2009-02-25 09:01




will get you the malwarebytes log when it is finished.

#11 dubblelznhell

dubblelznhell
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:02:17 PM

Posted 27 April 2009 - 09:47 PM

whoops my bad...didn't mean to make it like that...here disregard the top one. Here's the combofix log:



ComboFix 09-04-27.02 - Administrator 04/27/2009 20:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.260 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: Norton AntiVirus *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\drivers\gaopdxdoyxubqa.sys
c:\windows\system32\drivers\gaopdxxeivyscy.sys
c:\windows\system32\efipsybr.ini
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxitqwuhhm.dll
c:\windows\system32\jpekhybl.ini
c:\windows\system32\uwxknvyh.ini
c:\windows\system32\wDdLonmp.ini
c:\windows\system32\wDdLonmp.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-28 )))))))))))))))))))))))))))))))
.

2009-04-26 06:07 . 2009-04-26 06:07 -------- d-----w c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 02:34 . 2009-02-26 00:37 -------- d-----w c:\program files\Autorun Eater
2009-04-28 02:34 . 2009-02-24 02:44 -------- d-----w c:\program files\DNA
2009-04-15 22:05 . 2007-09-05 17:58 -------- d-----w c:\program files\Windows Live
2009-04-08 19:39 . 2008-08-14 22:41 -------- d-----w c:\program files\Java
2009-04-08 15:25 . 2009-02-26 01:44 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-08 15:25 . 2009-02-26 01:44 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-08 15:24 . 2009-02-26 01:44 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-03-09 11:19 . 2008-12-31 15:42 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-01 03:36 . 2009-03-01 03:32 -------- d-----w c:\program files\coolpro2
2007-09-15 20:51 . 2007-09-15 20:51 774144 ----a-w c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-09-29 23:24 325000 ----a-w c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-29 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-29 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-02-24 321344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"CPQEASYACC"="c:\program files\COMPAQ\Easy Access Button Support\StartEAK.exe" [2001-12-14 32768]
"Smapp"="c:\program files\Analog Devices\SoundMAX\Smtray.exe" [2002-01-31 81920]
"ChkAdmin"="c:\progra~1\Compaq\COMPAQ~1\CHKADMIN.EXE" [2002-01-25 81920]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-01-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-01-19 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-01-19 217088]
"VX3000"="c:\windows\vVX3000.exe" [2006-10-13 707376]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-10-13 277296]
"VX1000"="c:\windows\vVX1000.exe" [2006-10-13 707376]
"Autorun Eater"="c:\program files\Autorun Eater\oldmcdonald.exe" [2008-11-27 501768]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-08 1932568]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"PROMon.exe"="PROMon.exe" - c:\windows\system32\PROMon.exe [2002-03-25 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-08 15:24 10520 ----a-w c:\windows\system32\avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"MIDI2"= SYNCOR11.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-08 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-08 108552]
S1 ClntMgmt;Compaq Client Management Driver;c:\windows\system32\Drivers\ClntMgmt.sys [2002-01-16 54222]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-08 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-08 298264]
S2 CpqDfwWebAgent;Compaq Remote Diagnostics Enabling Agent;c:\windows\Cpqdiag\Cpqdfwag.exe [2001-10-25 212992]
S2 cpqWebDmi;Compaq DMI Web Agent;c:\progra~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe [2002-01-25 24576]

.
- - - - ORPHANS REMOVED - - - -

BHO-{7AAF61F2-E9F2-41A8-BF38-6C9F52B250B3} - c:\windows\system32\pmnoLdDw.dll
BHO-{BC728C13-5691-4529-A1C2-E662A9AD1C87} - c:\windows\system32\geBuRLDu.dll
BHO-{eca3ffcc-5c34-43fe-bc8c-ef5e5fe217c8} - c:\windows\system32\rczjaw.dll
WebBrowser-{A057A204-BACC-4D26-8087-36EE87E26986} - (no file)
HKLM-Run-YSearchProtection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
HKLM-Run-cc2999a1 - c:\windows\system32\rbyspife.dll
ShellExecuteHooks-{BC728C13-5691-4529-A1C2-E662A9AD1C87} - c:\windows\system32\geBuRLDu.dll
ShellExecuteHooks-{634f786f-37cd-48c5-8a99-a8c45d27ba19} - c:\windows\system32\rczjaw.dll
Notify-geBuRLDu - geBuRLDu.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.ca/
mStart Page = hxxp://ca.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-27 20:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\COMPAQ\Compaq Management Agents\Cpqalert.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wdfmgr.exe
c:\program files\COMPAQ\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
c:\progra~1\COMPAQ\COMPAQ~1\Cpqdmi.exe
c:\program files\COMPAQ\Easy Access Button Support\CpqEAKSystemTray.exe
c:\program files\COMPAQ\Easy Access Button Support\CPQEADM.exe
c:\compaq\eakdrv\EAUSBKBD.exe
c:\progra~1\COMPAQ\EASYAC~1\BttnServ.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Logitech\Video\FxSvr2.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-28 20:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-28 02:41

Pre-Run: 27,768,537,088 bytes free
Post-Run: 29,182,689,280 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\Windows
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\Windows="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

176 --- E O F --- 2009-02-25 09:01

#12 dubblelznhell

dubblelznhell
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:02:17 PM

Posted 27 April 2009 - 11:21 PM

alright, here is the MBAM log:



Malwarebytes' Anti-Malware 1.36
Database version: 2051
Windows 5.1.2600 Service Pack 3

4/27/2009 10:16:30 PM
mbam-log-2009-04-27 (22-16-30).txt

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 136570
Time elapsed: 1 hour(s), 18 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 dubblelznhell

dubblelznhell
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:02:17 PM

Posted 27 April 2009 - 11:35 PM

Now what about that UKR ukraine thing?

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:08:17 PM

Posted 28 April 2009 - 07:32 AM

The "UKR ukraine thing" has been fixed.

Can you post a new OTViewIt log so I can see what is left.

Thanks. :thumbup2:
Posted Image
m0le is a proud member of UNITE

#15 dubblelznhell

dubblelznhell
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:02:17 PM

Posted 28 April 2009 - 11:02 AM

yah ok, no problem.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users