
Vundo Infection


  • This topic is locked
16 replies to this topic

#1 purplestarz929

  • Members
  • 8 posts
  • OFFLINE
  • Local time:08:55 AM

Posted 09 May 2009 - 07:44 AM

My computer is having problems with links generated by search engines. They are being redirected, and I'm being barred access to search engines (Google and Yahoo so far). Both Explorer and Firefox have slow download speeds and take forever to load pages since the infection. I ran Malwarebytes, but it keeps trying to heal recurring infections "on reboot", and they're still there.


DDS (Ver_09-03-16.01) - FAT32x86
Run by Mwema at 8:06:42.70 on Sat 05/09/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.130 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Search Settings\SearchSettings.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
C:\WINDOWS\system32\igfxext.exe
C:\DOCUME~1\Mwema\LOCALS~1\Temp\RtkBtMnt.exe
SVCHOST.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Acer\Empowering Technology\admServ.exe
SVCHOST.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
SVCHOST.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
\\?\globalroot\systemroot\system32\rundll32.exe
C:\Documents and Settings\Mwema\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://en.us.acer.yahoo.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: SearchSettings Class: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\search settings\kb126\SearchSettings.dll
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: {C2BA40A1-74F3-42BD-F434-12345A2C8953} - No File
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [autochk] rundll32.exe c:\docume~1\mwema\protect.dll,_IWMPEvents@16
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [LaunchApp] Alaunch
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ntiMUI] c:\program files\newtech infosystems\nti cd & dvd-maker 7\ntiMUI.exe
mRun: [<NO NAME>]
mRun: [ADMTray.exe] "c:\acer\empowering technology\admtray.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [ePower_DMC] c:\acer\empowering technology\epower\ePower_DMC.exe
mRun: [Acer ePower Management] c:\acer\empowering technology\epower\Acer ePower Management.exe boot
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\Monitor.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SearchSettings] c:\program files\search settings\SearchSettings.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
dRun: [autochk] rundll32.exe c:\windows\system32\config\system~1\protect.dll,_IWMPEvents@16
StartupFolder: c:\docume~1\mwema\startm~1\programs\startup\memoni~1.lnk - c:\program files\verizon wireless\v cast music manager\MEMonitor.exe
StartupFolder: c:\documents and settings\mwema\start menu\programs\startup\ChkDisk.dll
StartupFolder: c:\docume~1\mwema\startm~1\programs\startup\chkdisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mwema\applic~1\mozilla\firefox\profiles\yhdubu2c.default\

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-2 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-2 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-2 108552]
R1 OsaFsLoc;OsaFsLoc;c:\windows\system32\drivers\OsaFsLoc.sys [2005-10-15 12106]
R2 ACEDRV09;ACEDRV09;c:\windows\system32\drivers\ACEDRV09.sys [2008-1-6 110304]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-2 298776]
R2 AWService;AdminWorks Agent X6;c:\acer\empowering technology\admServ.exe [2005-10-24 1314816]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2005-6-30 7296]
R2 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys [2005-1-14 4010]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\magix\common\database\bin\fbserver.exe [2008-1-6 1527900]
S3 NdisFilt;OSA NdisFilter Protocol;c:\windows\system32\drivers\NdisFilt.sys [2005-9-13 4392]
S3 UPnPService;UPnPService;c:\program files\common files\magix shared\upnpservice\UPnPService.exe [2008-1-6 544768]

=============== Created Last 30 ================

2009-05-09 07:38 24,064 a--sh--- c:\documents and settings\mwema\protect.dll
2009-05-09 07:38 24,064 a--sh--- c:\windows\system32\autochk.dll
2009-05-07 22:14 27,648 a------- c:\windows\system32\lmn_setup.exe
2009-05-04 01:26 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-04 01:26 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-04 01:26 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-03 23:42 <DIR> --d----- c:\windows\system32\scripting
2009-05-03 23:42 <DIR> --d----- c:\windows\system32\en
2009-05-03 23:42 <DIR> --d----- c:\windows\l2schemas
2009-05-03 23:42 <DIR> --d----- c:\windows\system32\bits
2009-05-03 23:40 <DIR> --d----- c:\windows\ServicePackFiles
2009-05-03 23:38 <DIR> --d----- c:\windows\network diagnostic
2009-05-03 22:56 1,024,212 a------- c:\windows\system32\commonpriv.log.5
2009-05-03 22:56 1,024,206 a------- c:\windows\system32\commonpriv.log.1
2009-05-03 22:56 1,024,162 a------- c:\windows\system32\commonpriv.log.2
2009-05-03 22:56 1,024,158 a------- c:\windows\system32\commonpriv.log.4
2009-05-03 22:56 1,024,056 a------- c:\windows\system32\commonpriv.log.6
2009-05-03 22:56 1,024,054 a------- c:\windows\system32\commonpriv.log.3
2009-05-03 22:56 0 a------- c:\windows\system32\commonpriv.log.lock
2009-05-03 22:13 <DIR> --d----- c:\program files\RegCleaner
2009-05-03 07:36 118 a------- c:\windows\system32\MRT.INI
2009-05-02 22:33 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-05-02 22:25 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-02 22:25 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-02 22:25 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-02 22:25 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-05-02 22:25 <DIR> --d----- c:\docume~1\mwema\applic~1\AVGTOOLBAR
2009-05-02 22:25 <DIR> --d----- c:\program files\AVG
2009-05-02 22:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-04-27 19:25 <DIR> --d----- c:\docume~1\mwema\applic~1\Malwarebytes
2009-04-27 19:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-27 18:49 1 a------- c:\windows\system32\uniq.tll
2009-04-16 16:57 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-04-16 16:57 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 16:57 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-16 16:57 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-16 16:57 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 16:57 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-04-16 16:57 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 16:57 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-04-16 16:57 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-04-16 16:51 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-16 16:51 215,552 -------- c:\windows\system32\dllcache\wordpad.exe

==================== Find3M ====================

2009-05-03 23:45 86,811 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 00:54 636,072 a------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 06:20 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 06:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 01:14 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2008-07-11 11:08 16 a---h--- c:\program files\common files\mxfilerelatedcache.mxc2
2008-07-11 11:08 16 a---h--- c:\program files\mxfilerelatedcache.mxc2
2009-05-09 08:07 24,064 a--sh--- c:\windows\system32\autochk.dll

============= FINISH: 8:07:15.96 ===============

Attached Files
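Added example (an editor's addition, not part of the original post, and not how DDS, Malwarebytes or the BleepingComputer helpers process logs): a short Python script that runs a few triage heuristics over DDS "Pseudo HJT Report" and "Created Last 30" lines like the ones in the log above. It flags the same Run value name registered under more than one hive (uRun/mRun/dRun), rundll32.exe loading a DLL from a user profile, the system32\config hive directory or a Temp folder, a rundll32 target whose file also appears in the recent-files list with the system and hidden attributes set, a .dll sitting directly in the Startup folder, and policies that disable Task Manager, Registry Editor or Folder Options. The sample excerpt is constructed from the post above; the rule names, the directory list and the policy list are this example's own assumptions.

```python
"""Heuristic triage of DDS 'Pseudo HJT Report' / 'Created Last 30' lines.

Added example: the rules are this example's own, not DDS or Malwarebytes
conventions, and SAMPLE_DDS is a constructed excerpt of the posted log.
"""
import re
from collections import defaultdict

# Constructed sample: a trimmed excerpt of the DDS log in the first post.
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [autochk] rundll32.exe c:\docume~1\mwema\protect.dll,_IWMPEvents@16
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
dRun: [autochk] rundll32.exe c:\windows\system32\config\system~1\protect.dll,_IWMPEvents@16
StartupFolder: c:\documents and settings\mwema\start menu\programs\startup\ChkDisk.dll
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
2009-05-09 07:38 24,064 a--sh--- c:\documents and settings\mwema\protect.dll
2009-05-09 07:38 24,064 a--sh--- c:\windows\system32\autochk.dll
2009-05-04 01:26 15,504 a------- c:\windows\system32\drivers\mbam.sys
"""

# DDS prefixes: u = current user (HKCU), m = machine (HKLM), d = default user.
RUN_RE = re.compile(r"^([umd])Run:\s+\[([^\]]*)\]\s*(.*)$")
RUNDLL_RE = re.compile(
    r'^"?(?:[a-z]:\\[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(.+?)(?:,(.*))?$', re.I)
STARTUP_RE = re.compile(r"^StartupFolder:\s+(.*)$")
POLICY_RE = re.compile(r"^([umd])Policies-(\w+):\s+(\w+)\s*=\s*(\S+)")
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?:[\d,]+|<DIR>)\s+(\S{8})\s+(.*)$")

# Heuristic assumption for this example: DLLs auto-started through rundll32
# belong under system32 or Program Files, not in a user profile, the registry
# hive directory or a Temp folder.
SUSPICIOUS_DIRS = ("\\docume~1\\", "\\documents and settings\\",
                   "\\system32\\config\\", "\\temp\\")
# Policies that keep the user from inspecting the machine (example's list).
RESTRICTIVE_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "NoFolderOptions"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def triage(text):
    """Return a list of (rule, detail) findings for one DDS log excerpt."""
    findings = []
    run_names = defaultdict(set)   # value name -> hives it appears in
    rundll_targets = []            # (hive, value name, dll path)
    hidden_system_dlls = set()     # basenames from 'Created Last 30'

    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            run_names[name.lower()].add(hive)
            rd = RUNDLL_RE.match(cmd)
            if rd:
                dll = rd.group(1).strip().strip('"').lower()
                rundll_targets.append((hive, name, dll))
                if any(d in dll for d in SUSPICIOUS_DIRS):
                    findings.append(("rundll32-from-odd-location",
                                     f"{hive}Run [{name}] loads {dll}"))
            continue
        m = STARTUP_RE.match(line)
        if m:
            if m.group(1).lower().endswith(".dll"):
                findings.append(("dll-in-startup-folder", m.group(1)))
            continue
        m = POLICY_RE.match(line)
        if m:
            hive, key, value, data = m.groups()
            if value in RESTRICTIVE_POLICIES and data == "1":
                findings.append(("inspection-disabled",
                                 f"{hive}Policies-{key}: {value} = 1"))
            continue
        m = CREATED_RE.match(line)
        if m:
            attrs, path = m.groups()
            # DDS attribute string: 's' = system, 'h' = hidden.
            if "s" in attrs and "h" in attrs and path.lower().endswith(".dll"):
                hidden_system_dlls.add(basename(path.lower()))

    # One value name written to HKCU, HKLM and the default-user hive at once
    # keeps the same loader alive whichever account logs on.
    for name, hives in run_names.items():
        if len(hives) > 1:
            where = ", ".join(h + "Run" for h in sorted(hives))
            findings.append(("same-name-multiple-hives", f"[{name}] present in {where}"))

    # Compare by basename: DDS prints 8.3 names (docume~1) in Run entries but
    # long names in the file list, so full-path comparison would miss them.
    for hive, name, dll in rundll_targets:
        if basename(dll) in hidden_system_dlls:
            findings.append(("rundll32-loads-hidden-system-dll",
                             f"{hive}Run [{name}] -> {dll}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_DDS):
        print(f"{rule:36s} {detail}")
```

Run it as a script to print the findings for the sample, or call triage() on a whole DDS log. The BluetoothAuthenticationAgent rundll32 line is deliberately left unflagged: its target has no suspicious path and does not appear in the hidden-file list, which is the distinction the heuristics are meant to draw between a stock Windows rundll32 entry and the three "autochk" loaders.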




#2 Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:55 AM

Posted 10 May 2009 - 11:46 AM

Hello!
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTListIt2 Report
  • Please download OTListIt2 from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy the log that opens up and paste it back here in your next reply.



=============


The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond to the person who is giving up their own time to help you is not only insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers, and there will always be help here when you need it!


========================================================

#3 purplestarz929
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:08:55 AM

Posted 15 May 2009 - 12:56 PM

Hi! Thanks for the help! Here are the logs you asked for:


OTListIt LOG:


OTListIt logfile created on: 5/15/2009 1:45:17 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.15.8 Folder = C:\Documents and Settings\Mwema\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

502.04 Mb Total Physical Memory | 122.50 Mb Available Physical Memory | 24.40% Memory free
1.20 Gb Paging File | 0.74 Gb Available in Paging File | 62.14% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 34.57 Gb Total Space | 13.53 Gb Free Space | 39.13% Space Free | Partition Type: FAT32
Drive D: | 35.06 Gb Total Space | 32.81 Gb Free Space | 93.58% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ACER-FCAFBFA90D
Current User Name: Mwema
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2007/10/31 14:09:16 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2005/10/24 16:40:52 | 01,314,816 | ---- | M] (Avocent Inc.) -- C:\Acer\Empowering Technology\admServ.exe
PRC - [2006/10/09 16:16:56 | 00,237,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\eHome\ehRecvr.exe
PRC - [2005/08/05 13:56:32 | 00,102,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\eHome\ehSched.exe
PRC - [2006/05/18 16:52:06 | 00,049,152 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PRC - [2005/08/05 13:27:08 | 00,099,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\mcrdsvc.exe
PRC - [2008/04/13 17:12:42 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
PRC - [2008/04/13 17:12:20 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2009/02/06 06:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
PRC - [2006/03/23 12:17:04 | 00,094,208 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxtray.exe
PRC - [2006/03/23 12:13:40 | 00,077,824 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2006/03/23 12:17:50 | 00,118,784 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
PRC - [2005/08/05 13:56:34 | 00,064,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\ehtray.exe
PRC - [2006/03/23 12:13:30 | 00,163,840 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxsrvc.exe
PRC - [2006/06/28 14:54:52 | 16,248,320 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.EXE
PRC - [2006/08/10 19:29:14 | 00,352,256 | ---- | M] (Acer Incorporated) -- C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
PRC - [2006/07/20 22:15:32 | 00,593,920 | ---- | M] (Dritek System Inc.) -- C:\Program Files\Launch Manager\LManager.exe
PRC - [2006/01/24 18:00:08 | 00,397,312 | ---- | M] (acer Inc.) -- C:\Acer\Empowering Technology\eRecovery\Monitor.exe
PRC - [2005/12/27 15:50:28 | 00,069,632 | ---- | M] (HiTRUST) -- C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
PRC - [2008/01/01 14:23:02 | 00,286,720 | ---- | M] (Apple Inc.) -- C:\Program Files\QuickTime\qttask.exe
PRC - [2005/08/05 13:56:28 | 00,046,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\eHome\ehmsas.exe
PRC - [2007/12/11 12:10:26 | 00,267,048 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2008/02/06 17:47:52 | 01,036,640 | ---- | M] (Vendio Services, Inc.) -- C:\Program Files\Search Settings\SearchSettings.exe
PRC - [2008/02/22 04:25:22 | 00,144,784 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
PRC - [2009/05/02 22:25:14 | 01,947,928 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2008/04/13 17:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
PRC - [2007/07/04 02:25:16 | 00,947,544 | ---- | M] (Smith Micro Software, Inc.) -- C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
PRC - [2009/02/06 06:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
PRC - [2007/12/11 12:10:16 | 00,504,104 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2004/08/10 20:00:00 | 00,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\unsecapp.exe
PRC - [2006/03/23 12:17:42 | 00,094,208 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxext.exe
PRC - [2009/05/03 22:57:36 | 00,507,904 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Documents and Settings\Mwema\Local Settings\Temp\RtkBtMnt.exe
PRC - [2009/05/15 09:06:42 | 00,011,776 | -H-- | M] () -- c:\windows\pp06.exe
PRC - [2009/05/15 09:06:40 | 00,013,824 | ---- | M] () -- C:\WINDOWS\System32\SYS32DLL.exe
PRC - [2009/05/02 22:25:12 | 00,298,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2009/04/06 15:32:44 | 01,277,584 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2006/05/22 12:54:00 | 03,080,704 | ---- | M] (Acer Value Labs, Taiwan) -- C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe
PRC - [2009/04/24 00:38:12 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/05/15 13:43:48 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mwema\Desktop\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2007/10/31 14:09:16 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2004/07/15 01:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2006/07/25 18:03:44 | 00,100,032 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler [Auto | Stopped])
SRV - [2009/05/02 22:25:12 | 00,298,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Running])
SRV - [2005/10/24 16:40:52 | 01,314,816 | ---- | M] (Avocent Inc.) -- C:\Acer\Empowering Technology\admServ.exe -- (AWService [Auto | Running])
SRV - [2006/10/09 16:16:56 | 00,237,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\eHome\ehRecvr.exe -- (ehRecvr [Auto | Running])
SRV - [2005/08/05 13:56:32 | 00,102,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\eHome\ehSched.exe -- (ehSched [Auto | Running])
SRV - [2005/11/17 14:18:52 | 01,527,900 | ---- | M] (MAGIX®) -- C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe -- (FirebirdServerMAGIXInstance [On_Demand | Stopped])
SRV - [2009/04/25 09:50:10 | 00,182,768 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
SRV - [2008/04/13 17:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2007/12/11 12:10:16 | 00,504,104 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])
SRV - [2008/04/13 17:11:56 | 00,028,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\irmon.dll -- (Irmon [Auto | Running])
SRV - [2006/05/18 16:52:06 | 00,049,152 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService [Auto | Running])
SRV - [2006/07/25 18:03:44 | 02,119,360 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE -- (LiveUpdate [On_Demand | Stopped])
SRV - [2005/08/05 13:27:08 | 00,099,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\mcrdsvc.exe -- (McrdSvc [Auto | Running])
SRV - [2004/08/10 04:11:50 | 00,085,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mhn.dll -- (MHN [On_Demand | Stopped])
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2006/12/14 16:00:00 | 00,544,768 | ---- | M] (Magix AG) -- C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe -- (UPnPService [On_Demand | Stopped])
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2008/01/06 20:30:14 | 00,110,304 | ---- | M] (Protect Software GmbH) -- C:\WINDOWS\system32\drivers\ACEDRV09.sys -- (ACEDRV09 [Auto | Running])
DRV - [2004/08/10 20:00:00 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde [Boot | Stopped])
DRV - [2008/04/13 11:36:40 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp [Boot | Stopped])
DRV - [2004/08/10 20:00:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc [Boot | Stopped])
DRV - [2004/08/10 20:00:00 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550 [Boot | Stopped])
DRV - [2009/05/02 22:25:22 | 00,325,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86 [System | Running])
DRV - [2009/05/02 22:25:22 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86 [System | Running])
DRV - [2009/05/02 22:25:28 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX [System | Running])
DRV - [2005/11/02 13:24:24 | 00,424,320 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\system32\DRIVERS\bcmwl5.sys -- (BCM43XX [On_Demand | Running])
DRV - [2005/10/31 14:17:00 | 00,045,312 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys -- (bcm4sbxp [On_Demand | Running])
DRV - [2004/08/10 20:00:00 | 00,006,656 | ---- | M] (CMD Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde [Boot | Stopped])
DRV - [2004/08/10 20:00:00 | 00,179,584 | ---- | M] (Mylex Corporation) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k [Boot | Stopped])
DRV - [2004/12/08 14:10:00 | 00,016,896 | ---- | M] (Dritek System Inc.) -- C:\WINDOWS\system32\DRIVERS\DKbFltr.sys -- (DKbFltr [On_Demand | Running])
DRV - [2006/06/16 19:17:36 | 00,061,056 | ---- | M] (ENE Technology Inc.) -- C:\WINDOWS\system32\DRIVERS\EMS7SK.sys -- (EMSCR [On_Demand | Running])
DRV - [2006/06/16 19:17:38 | 00,040,064 | ---- | M] (ENE Technology Inc.) -- C:\WINDOWS\system32\DRIVERS\ESD7SK.sys -- (ESDCR [On_Demand | Running])
DRV - [2006/06/16 19:17:38 | 00,074,752 | ---- | M] (ENE Technology Inc.) -- C:\WINDOWS\system32\DRIVERS\ESM7SK.sys -- (ESMCR [On_Demand | Running])
DRV - [2006/09/19 14:44:04 | 00,015,664 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2008/04/13 09:36:06 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2005/10/24 10:20:52 | 00,218,496 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys -- (HSFHWAZL [On_Demand | Running])
DRV - [2005/10/18 16:53:24 | 00,998,656 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys -- (HSF_DPV [On_Demand | Running])
DRV - [2006/03/23 12:47:06 | 01,166,972 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\ialmnt5.sys -- (ialm [On_Demand | Running])
DRV - [2006/06/28 16:25:24 | 04,304,384 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])
DRV - [2005/10/05 15:57:08 | 00,012,544 | ---- | M] (Conexant) -- C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys -- (mdmxsdk [Auto | Running])
DRV - [2004/08/10 20:00:00 | 00,017,280 | ---- | M] (American Megatrends Inc.) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x [Boot | Stopped])
DRV - [2005/09/13 15:34:40 | 00,004,392 | ---- | M] (OSA Technologies) -- C:\WINDOWS\System32\Drivers\NdisFilt.sys -- (NdisFilt [On_Demand | Stopped])
DRV - [2005/05/02 12:13:42 | 00,009,600 | ---- | M] () -- C:\WINDOWS\system32\DRIVERS\NETMNT.sys -- (NETMNT [On_Demand | Stopped])
DRV - [2006/08/18 22:40:50 | 00,006,144 | ---- | M] (NewTech Infosystems, Inc.) -- C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys -- (NTIDrvr [On_Demand | Running])
DRV - [2005/10/15 18:20:44 | 00,012,106 | ---- | M] (OSA Technologies) -- C:\WINDOWS\system32\drivers\OsaFsLoc.sys -- (OsaFsLoc [System | Running])
DRV - [2005/06/30 16:58:24 | 00,007,296 | ---- | M] (OSA Technologies, An Avocent Company) -- C:\WINDOWS\system32\drivers\osaio.sys -- (osaio [Auto | Running])
DRV - [2005/01/14 15:57:16 | 00,004,010 | ---- | M] (Windows ® 2000 DDK provider) -- C:\WINDOWS\system32\drivers\osanbm.sys -- (osanbm [Auto | Running])
DRV - [2004/08/10 20:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2005/05/12 18:54:10 | 00,020,576 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2004/08/10 20:00:00 | 00,040,320 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080 [Boot | Stopped])
DRV - [2004/08/10 20:00:00 | 00,045,312 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160 [Boot | Stopped])
DRV - [2004/08/10 20:00:00 | 00,049,024 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280 [Boot | Stopped])
DRV - [2006/11/07 18:02:04 | 00,022,272 | ---- | M] (Research In Motion Limited) -- C:\WINDOWS\System32\Drivers\RimUsb.sys -- (RimUsb [On_Demand | Stopped])
DRV - [2006/10/20 10:28:04 | 00,026,368 | R--- | M] (Research in Motion Ltd) -- C:\WINDOWS\system32\DRIVERS\RimSerial.sys -- (RimVSerPort [On_Demand | Running])
DRV - [2004/08/10 20:00:00 | 00,005,888 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\Drivers\RootMdm.sys -- (ROOTMODEM [On_Demand | Running])
DRV - [2007/11/13 03:25:54 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2008/04/13 11:36:40 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp [Boot | Stopped])
DRV - [2005/10/31 14:16:00 | 00,046,080 | ---- | M] (SMSC) -- C:\WINDOWS\system32\DRIVERS\smcirda.sys -- (SMCIRDA [On_Demand | Stopped])
DRV - [2002/11/26 14:54:58 | 00,016,936 | ---- | M] (Smith Micro Software, Inc.) -- C:\Program Files\Verizon Wireless\VZAccess Manager\SMNDIS5.sys -- (SMNDIS5 [On_Demand | Stopped])
DRV - [2004/08/10 20:00:00 | 00,019,072 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow [Boot | Stopped])
DRV - [2004/08/10 20:00:00 | 00,016,256 | ---- | M] (Symbios Logic Inc.) -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810 [Boot | Stopped])
DRV - [2004/08/10 20:00:00 | 00,032,640 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx [Boot | Stopped])
DRV - [2004/08/10 20:00:00 | 00,028,384 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi [Boot | Stopped])
DRV - [2004/08/10 20:00:00 | 00,030,688 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3 [Boot | Stopped])
DRV - [2006/03/03 12:52:30 | 00,192,672 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\system32\DRIVERS\SynTP.sys -- (SynTP [On_Demand | Running])
DRV - [2004/12/17 17:14:44 | 00,013,952 | ---- | M] () -- C:\WINDOWS\System32\drivers\UBHelper.sys -- (UBHelper [Boot | Running])
DRV - [2004/08/10 20:00:00 | 00,036,736 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra [Boot | Stopped])
DRV - [2005/11/27 07:36:08 | 01,427,968 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\DRIVERS\w39n51.sys -- (w39n51 [On_Demand | Stopped])
DRV - [2005/10/18 16:52:30 | 00,721,280 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys -- (winachsf [On_Demand | Running])
DRV - [2005/01/13 14:46:16 | 00,069,632 | ---- | M] () -- C:\Acer\Empowering Technology\eRecovery\int15.sys -- (int15.sys [Auto | Running])
DRV - [2009/04/06 15:32:54 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=104...amp;clcid=0x409
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default = A0 ED 37 01 67 C1 55 48 92 91 E2 38 41 53 1B 4D [binary data]
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default = A0 ED 37 01 67 C1 55 48 92 91 E2 38 41 53 1B 4D [binary data]
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Default = A0 ED 37 01 67 C1 55 48 92 91 E2 38 41 53 1B 4D [binary data]
IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Default = A0 ED 37 01 67 C1 55 48 92 91 E2 38 41 53 1B 4D [binary data]

IE - HKU\S-1-5-21-1186635847-3316958432-342249213-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Default = A0 ED 37 01 67 C1 55 48 92 91 E2 38 41 53 1B 4D [binary data]
IE - HKU\S-1-5-21-1186635847-3316958432-342249213-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-1186635847-3316958432-342249213-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-1186635847-3316958432-342249213-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-1186635847-3316958432-342249213-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-1186635847-3316958432-342249213-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\S-1-5-21-1186635847-3316958432-342249213-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1186635847-3316958432-342249213-1005\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-1186635847-3316958432-342249213-1005\S-1-5-21-1186635847-3316958432-342249213-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {AEDB8946-3FA9-4C83-BC33-A5B0A40DC717}:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.10

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/05/08 15:32:02 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/05/08 15:32:02 | 00,000,000 | ---D | M]

[2009/05/08 15:32:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mwema\Application Data\mozilla\Extensions
[2009/05/08 15:32:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mwema\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/05/08 15:32:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mwema\Application Data\mozilla\Firefox\Profiles\yhdubu2c.default\extensions
[2009/05/08 15:32:02 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/05/08 15:32:02 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/05/09 07:24:08 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{AEDB8946-3FA9-4C83-BC33-A5B0A40DC717}
[2009/04/24 00:38:32 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/04/24 00:38:34 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/04/23 20:39:08 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/04/23 20:39:08 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/04/23 20:39:08 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/04/23 20:39:08 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/04/23 20:39:08 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/04/23 20:39:08 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/04/23 20:39:08 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (0 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - Reg Error: Key error. File not found
O2 - BHO: (no name) - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - Reg Error: Key error. File not found
O2 - BHO: (796525 Class) - {E7F15AC4-E0A9-43F0-921B-70DFEA621220} - C:\WINDOWS\system32\796525\796525.dll ()
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll (HiTRUST)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll (AVG Technologies CZ, s.r.o.)
O3 - HKU\S-1-5-21-1186635847-3316958432-342249213-1005\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - Reg Error: Key error. File not found
O3 - HKU\S-1-5-21-1186635847-3316958432-342249213-1005\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKU\S-1-5-21-1186635847-3316958432-342249213-1005\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - Reg Error: Key error. File not found
O3 - HKU\S-1-5-21-1186635847-3316958432-342249213-1005\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot (Acer Value Labs, Taiwan)
O4 - HKLM..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe" (Avocent Inc.)
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent File not found
O4 - HKLM..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe (HiTRUST)
O4 - HKLM..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe (Microsoft Corporation)
O4 - HKLM..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe (Acer Incorporated)
O4 - HKLM..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe (acer Inc.)
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 (Microsoft Corporation)
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
O4 - HKLM..\Run: [LaunchApp] Alaunch (Acer Inc.)
O4 - HKLM..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe (Dritek System Inc.)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC ()
O4 - HKLM..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC (Microsoft Corporation)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe (Vendio Services, Inc.)
O4 - HKLM..\Run: [SkyTel] SkyTel.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKU\.DEFAULT..\Run: [SYS32DLL] SYS32DLL ()
O4 - HKU\S-1-5-18..\Run: [SYS32DLL] SYS32DLL ()
O4 - HKU\S-1-5-21-1186635847-3316958432-342249213-1005..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation)
O4 - HKU\S-1-5-21-1186635847-3316958432-342249213-1005..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\Mwema\Start Menu\Programs\Startup\MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe (Smith Micro Software, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1186635847-3316958432-342249213-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1186635847-3316958432-342249213-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 0
O7 - HKU\S-1-5-21-1186635847-3316958432-342249213-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 0
O7 - HKU\S-1-5-21-1186635847-3316958432-342249213-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 0
O7 - HKU\S-1-5-21-1186635847-3316958432-342249213-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O7 - HKU\S-1-5-21-1186635847-3316958432-342249213-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [Bluetooth Namespace] - C:\WINDOWS\system32\wshbth.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - x-sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\system32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/08/18 22:41:54 | 00,000,050 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - * [2007/03/07 15:05:30 | 00,000,000 | ---D | M]

========== Files/Folders - Created Within 30 Days ==========

[10 C:\WINDOWS\System32\*.tmp files]
[2 C:\WINDOWS\*.tmp files]
[2009/05/15 13:43:43 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Mwema\Desktop\OTListIt2.exe
[2009/05/15 09:06:40 | 00,011,776 | -H-- | C] () -- C:\WINDOWS\pp06.exe
[2009/05/15 09:06:40 | 00,000,002 | -H-- | C] () -- C:\WINDOWS\t55ft3188f44.dat
[2009/05/15 09:06:40 | 00,000,001 | ---- | C] () -- C:\WINDOWS\9g2234wesdf3dfgjf23
[2009/05/15 09:06:39 | 00,013,824 | ---- | C] () -- C:\WINDOWS\System32\SYS32DLL.exe
[2009/05/15 09:06:39 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\796525
[2009/05/15 09:06:39 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2009/05/09 08:04:11 | 00,360,021 | ---- | C] () -- C:\Documents and Settings\Mwema\Desktop\dds.scr
[2009/05/08 15:32:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/05/08 15:32:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mwema\Application Data\Mozilla
[2009/05/08 15:32:03 | 00,001,510 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/05/08 15:31:59 | 00,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2009/05/04 01:26:47 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/05/04 01:26:47 | 00,000,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/05/04 01:26:44 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/05/04 01:26:43 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/05/03 23:52:18 | 00,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2009/05/03 23:42:48 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
[2009/05/03 23:42:47 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\en
[2009/05/03 23:42:47 | 00,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
[2009/05/03 23:42:46 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\bits
[2009/05/03 23:40:06 | 00,000,000 | ---D | C] -- C:\WINDOWS\ServicePackFiles
[2009/05/03 23:38:25 | 00,000,000 | ---D | C] -- C:\WINDOWS\network diagnostic
[2009/05/03 23:31:51 | 00,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstall$
[2009/05/03 22:13:30 | 00,000,553 | ---- | C] () -- C:\Documents and Settings\Mwema\Desktop\RegCleaner.lnk
[2009/05/03 22:13:29 | 00,000,000 | ---D | C] -- C:\Program Files\RegCleaner
[2009/05/03 21:01:03 | 52,650,3936 | -HS- | C] () -- C:\hiberfil.sys
[2009/05/03 15:29:54 | 00,000,484 | ---- | C] () -- C:\Documents and Settings\Mwema\My Documents\audio.rtf
[2009/05/03 15:16:07 | 00,004,043 | ---- | C] () -- C:\Documents and Settings\Mwema\My Documents\new.rtf
[2009/05/03 07:36:07 | 00,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/05/02 22:33:37 | 00,000,000 | -H-D | C] -- C:\$AVG8.VAULT$
[2009/05/02 22:25:30 | 00,011,952 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/05/02 22:25:30 | 00,001,415 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 8.5.lnk
[2009/05/02 22:25:27 | 00,108,552 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/05/02 22:25:21 | 00,325,896 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/05/02 22:25:21 | 00,027,784 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/05/02 22:25:18 | 36,106,834 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/05/02 22:25:18 | 00,434,673 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/05/02 22:25:18 | 00,056,490 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/05/02 22:25:17 | 06,061,540 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/05/02 22:25:17 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\Avg
[2009/05/02 22:25:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mwema\Application Data\AVGTOOLBAR
[2009/05/02 22:25:11 | 00,000,000 | ---D | C] -- C:\Program Files\AVG
[2009/05/02 22:25:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg8
[2009/05/02 22:20:02 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/04/27 20:20:46 | 00,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2009/04/27 19:25:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mwema\Application Data\Malwarebytes
[2009/04/27 19:25:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/04/27 19:23:56 | 02,967,816 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Mwema\Desktop\mbam-setup.exe
[2009/04/27 18:49:43 | 00,000,001 | ---- | C] () -- C:\WINDOWS\System32\uniq.tll
[2009/04/27 02:55:21 | 00,022,016 | ---- | C] () -- C:\Documents and Settings\Mwema\My Documents\budget nyc 2009.doc
[2009/04/24 15:34:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2009/04/21 22:08:40 | 00,016,384 | ---- | C] () -- C:\Documents and Settings\Mwema\My Documents\profs.xls
[2009/04/21 14:37:33 | 00,027,136 | ---- | C] () -- C:\Documents and Settings\Mwema\Desktop\Introductory_letter.doc
[2009/04/21 14:18:31 | 00,074,240 | ---- | C] () -- C:\Documents and Settings\Mwema\Desktop\Resume.doc
[2009/04/16 16:57:12 | 00,473,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll
[2009/04/16 16:57:12 | 00,453,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll
[2009/04/16 16:57:12 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcss.dll
[2009/04/16 16:57:12 | 00,284,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll
[2009/04/16 16:57:12 | 00,227,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe
[2009/04/16 16:57:12 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\services.exe
[2009/04/16 16:57:11 | 00,729,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2009/04/16 16:57:11 | 00,714,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntdll.dll
[2009/04/16 16:57:11 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advapi32.dll
[2009/04/16 16:51:47 | 00,002,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp4res.dll
[2009/04/16 16:51:46 | 00,215,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe
[2009/03/29 21:06:12 | 00,000,411 | ---- | C] () -- C:\WINDOWS\Sampler.INI
[2009/03/29 21:06:12 | 00,000,028 | ---- | C] () -- C:\WINDOWS\Robota.INI
[2009/03/29 21:06:11 | 00,000,411 | ---- | C] () -- C:\WINDOWS\BeatBox.INI
[2008/01/06 15:00:14 | 00,049,152 | ---- | C] () -- C:\WINDOWS\System32\mgxasio2.dll
[2008/01/06 14:26:00 | 00,005,817 | ---- | C] () -- C:\WINDOWS\mgxoschk.ini
[2007/11/04 22:53:22 | 00,000,783 | ---- | C] () -- C:\WINDOWS\NTIWVEDT.INI
[2007/05/01 17:24:57 | 00,049,152 | ---- | C] () -- C:\WINDOWS\System32\VZWDLManager.dll
[2007/03/13 23:30:06 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/03/07 15:14:16 | 00,000,464 | ---- | C] () -- C:\WINDOWS\System32\eRLog.ini
[2007/03/07 15:10:51 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\APISlice.dll
[2007/03/07 15:10:51 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\SC_res.dll
[2007/03/07 15:10:51 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\EN_res.dll
[2007/03/07 15:10:51 | 00,032,768 | ---- | C] () -- C:\WINDOWS\System32\TC_res.dll
[2007/03/07 15:10:51 | 00,010,752 | ---- | C] () -- C:\WINDOWS\System32\MSNChatHook.dll
[2006/08/19 08:21:18 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/08/18 22:42:20 | 00,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIBUN4.dll
[2006/08/18 22:40:54 | 00,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMPEG2.dll
[2006/08/18 22:40:54 | 00,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMP3.dll
[2006/08/18 22:40:54 | 00,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIFCD3.dll
[2006/08/18 22:40:54 | 00,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTICDMK7.dll
[2006/08/18 21:54:16 | 00,000,603 | ---- | C] () -- C:\WINDOWS\win.ini
[2006/08/18 21:40:48 | 00,000,231 | ---- | C] () -- C:\WINDOWS\system.ini
[2006/06/16 19:17:32 | 00,356,352 | ---- | C] () -- C:\WINDOWS\EMCRI.dll
[2005/12/14 20:59:52 | 00,000,038 | ---- | C] () -- C:\WINDOWS\Acer.ini
[2005/10/31 18:17:38 | 00,135,168 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2005/10/26 14:59:46 | 00,037,706 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2005/08/05 14:01:54 | 00,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/05/02 12:13:42 | 00,009,600 | ---- | C] () -- C:\WINDOWS\System32\drivers\NETMNT.sys
[2005/03/28 15:45:26 | 00,000,081 | ---- | C] () -- C:\WINDOWS\ALaunch.ini
[2004/12/17 17:14:44 | 00,013,952 | ---- | C] () -- C:\WINDOWS\System32\drivers\UBHelper.sys
[2004/08/10 20:00:00 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/10 20:00:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\mssfc.dll
[2003/12/29 20:45:08 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\ServiceControl.dll
[2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/12/26 16:12:30 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\multiplex_vcd.dll
[2001/09/03 23:46:38 | 00,110,592 | ---- | C] () -- C:\WINDOWS\System32\Hmpg12.dll
[2001/07/30 16:33:56 | 00,118,784 | ---- | C] () -- C:\WINDOWS\System32\HMPV2_ENC.dll
[2001/07/23 22:04:36 | 00,118,784 | ---- | C] () -- C:\WINDOWS\System32\HMPV2_ENC_MMX.dll

========== Files - Modified Within 30 Days ==========

[10 C:\WINDOWS\System32\*.tmp files]
[2 C:\WINDOWS\*.tmp files]
[2009/05/15 13:43:48 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mwema\Desktop\OTListIt2.exe
[2009/05/15 09:35:44 | 00,056,490 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/05/15 09:35:42 | 36,106,834 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/05/15 09:06:42 | 00,011,776 | -H-- | M] () -- C:\WINDOWS\pp06.exe
[2009/05/15 09:06:42 | 00,000,002 | -H-- | M] () -- C:\WINDOWS\t55ft3188f44.dat
[2009/05/15 09:06:42 | 00,000,001 | ---- | M] () -- C:\WINDOWS\9g2234wesdf3dfgjf23
[2009/05/15 09:06:40 | 00,013,824 | ---- | M] () -- C:\WINDOWS\System32\SYS32DLL.exe
[2009/05/15 08:52:42 | 00,000,464 | ---- | M] () -- C:\WINDOWS\System32\eRLog.ini
[2009/05/15 08:52:18 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/05/15 08:52:14 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\Mwema\Local Settings\desktop.ini
[2009/05/15 08:51:38 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/05/15 08:51:34 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/05/15 08:51:32 | 52,650,3936 | -HS- | M] () -- C:\hiberfil.sys
[2009/05/15 03:09:48 | 00,000,012 | ---- | M] () -- C:\WINDOWS\bthservsdp.dat
[2009/05/14 00:58:22 | 00,000,118 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2009/05/09 08:04:14 | 00,360,021 | ---- | M] () -- C:\Documents and Settings\Mwema\Desktop\dds.scr
[2009/05/08 15:32:12 | 00,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2009/05/08 15:32:04 | 00,001,510 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/05/07 05:18:30 | 01,609,728 | ---- | M] () -- C:\WINDOWS\MEDB.mdb
[2009/05/07 03:16:30 | 24,699,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/05/06 13:28:36 | 00,031,232 | ---- | M] () -- C:\Documents and Settings\Mwema\My Documents\resume_bakery.doc
[2009/05/04 10:30:28 | 00,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/05/04 01:46:52 | 00,238,352 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/05/04 01:26:48 | 00,000,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/05/03 23:57:46 | 00,445,630 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/05/03 23:57:46 | 00,385,164 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/05/03 23:57:46 | 00,054,682 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/05/03 23:38:14 | 00,250,048 | RHS- | M] () -- C:\ntldr
[2009/05/03 22:57:32 | 00,000,780 | ---- | M] () -- C:\Documents and Settings\Mwema\Start Menu\Programs\Startup\MEMonitor.lnk
[2009/05/03 22:13:32 | 00,000,553 | ---- | M] () -- C:\Documents and Settings\Mwema\Desktop\RegCleaner.lnk
[2009/05/03 21:02:44 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/05/03 15:29:56 | 00,000,484 | ---- | M] () -- C:\Documents and Settings\Mwema\My Documents\audio.rtf
[2009/05/03 15:16:08 | 00,004,043 | ---- | M] () -- C:\Documents and Settings\Mwema\My Documents\new.rtf
[2009/05/02 22:25:32 | 00,011,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/05/02 22:25:32 | 00,001,415 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 8.5.lnk
[2009/05/02 22:25:28 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/05/02 22:25:22 | 00,325,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/05/02 22:25:22 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/05/02 22:25:20 | 06,061,540 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/05/02 22:25:20 | 00,434,673 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/04/27 19:23:58 | 02,967,816 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Mwema\Desktop\mbam-setup.exe
[2009/04/27 18:49:44 | 00,000,001 | ---- | M] () -- C:\WINDOWS\System32\uniq.tll
[2009/04/27 08:07:28 | 00,022,016 | ---- | M] () -- C:\Documents and Settings\Mwema\My Documents\budget nyc 2009.doc
[2009/04/22 04:06:14 | 00,016,384 | ---- | M] () -- C:\Documents and Settings\Mwema\My Documents\profs.xls
[2009/04/21 14:37:34 | 00,027,136 | ---- | M] () -- C:\Documents and Settings\Mwema\Desktop\Introductory_letter.doc
[2009/04/21 14:18:34 | 00,074,240 | ---- | M] () -- C:\Documents and Settings\Mwema\Desktop\Resume.doc
< End of report >




Extras LOG:

OTListIt Extras logfile created on: 5/15/2009 1:45:17 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.15.8 Folder = C:\Documents and Settings\Mwema\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

502.04 Mb Total Physical Memory | 122.50 Mb Available Physical Memory | 24.40% Memory free
1.20 Gb Paging File | 0.74 Gb Available in Paging File | 62.14% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 34.57 Gb Total Space | 13.53 Gb Free Space | 39.13% Space Free | Partition Type: FAT32
Drive D: | 35.06 Gb Total Space | 32.81 Gb Free Space | 93.58% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ACER-FCAFBFA90D
Current User Name: Mwema
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_USERS\S-1-5-21-1186635847-3316958432-342249213-1005\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"80:TCP" = 80:TCP:*:Enabled:SYS32DLL
"7171:TCP" = 7171:TCP:*:Enabled:SYS32DLL

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/13 11:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008/04/13 17:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
[2007/12/11 12:10:18 | 17,152,808 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes
File not found -- C:\Program Files\Blubster\Blubster.exe:*:Enabled:Blubster
[2006/12/14 16:00:00 | 00,544,768 | ---- | M] (Magix AG) -- C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe:LocalSubNet:Enabled:Magix UPnP Service
[2009/05/02 22:25:14 | 01,085,208 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe
[2009/05/02 22:25:16 | 00,594,712 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe
[2008/04/13 11:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2008/04/13 17:12:20 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\EXPLORER.EXE:*:Disabled:Windows Explorer

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker
"{15B70821-7893-4607-805A-BB80F3EA8279}" = Acer Empowering Technology framework
"{16D9439B-DF3D-43D1-A727-4B335300D07A}" = OverDrive Media Console
"{18388EF8-E0A3-442B-8BFE-E2F1B3D05C91}" = iTunes
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{32AD1A7A-25F1-44B9-A396-EA8A4A6605B0}" = Search Settings 1.1
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{41E993EE-14C3-413D-A922-4A941AB2BCC1}" = VZAccess Manager for RIM
"{48B82226-75E3-4E90-92CC-D30F79EA6380}" = Norton Security Scan
"{4DA416AE-6D1C-40D6-BCA3-A65A59DD60FC}" = Acer eDataSecurity Management
"{58E5844B-7CE2-413D-83D1-99294BF6C74F}" = Acer ePower Management
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6A28AB0B-22B1-494C-AF61-B386EA1736C0}" = LightScribe 1.4.97.1
"{6CA897D0-67F5-4F75-8261-DC8BFCA6DA42}" = Acer eLock Management
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7B3F0113-E63C-4D6D-AF19-111A3165CCA2}" = Text-To-Speech-Runtime
"{84F1DE76-C48C-4281-87A0-CC9548D1E7F9}" = Rhapsody Player Engine
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{B06B842F-2450-494F-BBDE-217CDC151A37}" = NTI Backup NOW! 4.5
"{B5C209B1-8DDB-4642-A573-375B951514CB}" = Apple Mobile Device Support
"{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}" = Apple Software Update
"{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer
"{C3ABE126-2BB2-4246-BFE1-6797679B3579}" = LG USB Modem driver
"{C7340571-7773-4A8C-9EBC-4E4243B38C76}" = Microsoft XML Parser
"{C8E4455F-0F70-4DA2-A9F9-2D56C80E10AD}" = Sibelius Scorch (ActiveX Only)
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D458BBDC-0363-42E0-8FF9-4736E3CB3CA2}" = Acer Screensaver
"{DEE08946-40F0-4890-853E-60A6C3306041}" = Acer ePerformance Management
"{E0D51394-1D45-460A-B62D-383BC4F8B335}" = QuickTime
"{E38BC648-883B-4EE5-966C-94C4B7AB3E0B}" = Acer eSettings Management
"{E431C518-2EE2-471E-9234-BE995C36D513}" = Acer eDataSecurity Management 1.00.26
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"12133444-BF36-4d4e-B7FB-A3424C645DE4" = GemMaster Mystic
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"AVG8Uninstall" = AVG Free 8.5
"B3EE3001-DC24-4cd1-8743-5692C716659F" = Otto
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_1025007F" = HDAUDIO Soft Data Fax Modem with SmartCP
"ePresentation" = Acer ePresentation Management
"Firebird SQL Server US" = Firebird SQL Server - MAGIX Edition 2.0.0.1 (US)
"GridVista" = Acer GridVista
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker
"InstallShield_{15B70821-7893-4607-805A-BB80F3EA8279}" = Acer Empowering Technology framework
"InstallShield_{6CA897D0-67F5-4F75-8261-DC8BFCA6DA42}" = Acer eLock Management
"InstallShield_{DEE08946-40F0-4890-853E-60A6C3306041}" = Acer ePerformance Management
"InstallShield_{E38BC648-883B-4EE5-966C-94C4B7AB3E0B}" = Acer eSettings Management
"LG USB Drivers" = LG USB Drivers
"LiveUpdate" = LiveUpdate 3.0 (Symantec Corporation)
"LManager" = Launch Manager
"Magic DVD Ripper_is1" = Magic DVD Ripper V5.3 build 4
"MAGIX Goya burnR US" = MAGIX Goya burnR 1.3.1.2 (US)
"MAGIX Music Maker 12 deluxe US" = MAGIX Music Maker 12 deluxe 12.1.0.4 (US)
"MAGIX Music Manager 2007 US" = MAGIX Music Manager 2007 8.1.1.114 (US)
"MAGIX Photo Manager 2007 US" = MAGIX Photo Manager 2007 4.1.1.77 (US)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox (3.0.10)" = Mozilla Firefox (3.0.10)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"QuickLink Mobile Phonebook" = QuickLink Mobile Phonebook
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"VCast Music Essentials Manager" = V CAST Music Manager
"VideoCutter_is1" = Kate's Video Cutter
"VZAccess Manager" = VZAccess Manager
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"YInstHelper" = Yahoo! Install Manager

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer
"Puzzle Pirates" = Puzzle Pirates

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1186635847-3316958432-342249213-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer
"Puzzle Pirates" = Puzzle Pirates

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/10/2009 8:27:59 AM | Computer Name = ACER-FCAFBFA90D | Source = Automatic LiveUpdate Scheduler | ID = 101
Description = Information Level: error This service is not authorized to start.

Error - 5/10/2009 8:52:09 AM | Computer Name = ACER-FCAFBFA90D | Source = Automatic LiveUpdate Scheduler | ID = 101
Description = Information Level: error This service is not authorized to start.

Error - 5/10/2009 7:54:40 PM | Computer Name = ACER-FCAFBFA90D | Source = Automatic LiveUpdate Scheduler | ID = 101
Description = Information Level: error This service is not authorized to start.

Error - 5/11/2009 2:53:34 PM | Computer Name = ACER-FCAFBFA90D | Source = Automatic LiveUpdate Scheduler | ID = 101
Description = Information Level: error This service is not authorized to start.

Error - 5/12/2009 11:16:34 AM | Computer Name = ACER-FCAFBFA90D | Source = Automatic LiveUpdate Scheduler | ID = 101
Description = Information Level: error This service is not authorized to start.

Error - 5/13/2009 11:55:53 AM | Computer Name = ACER-FCAFBFA90D | Source = Automatic LiveUpdate Scheduler | ID = 101
Description = Information Level: error This service is not authorized to start.

Error - 5/14/2009 1:19:47 PM | Computer Name = ACER-FCAFBFA90D | Source = Automatic LiveUpdate Scheduler | ID = 101
Description = Information Level: error This service is not authorized to start.

Error - 5/15/2009 8:51:54 AM | Computer Name = ACER-FCAFBFA90D | Source = Automatic LiveUpdate Scheduler | ID = 101
Description = Information Level: error This service is not authorized to start.

Error - 5/15/2009 9:17:59 AM | Computer Name = ACER-FCAFBFA90D | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16827, faulting
module unknown, version 0.0.0.0, fault address 0xf8000000.

Error - 5/15/2009 1:20:53 PM | Computer Name = ACER-FCAFBFA90D | Source = Application Error | ID = 1001
Description = Fault bucket 1233113631.

[ System Events ]
Error - 5/12/2009 11:17:17 AM | Computer Name = ACER-FCAFBFA90D | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the AdminWorks Agent X6 service
to connect.

Error - 5/12/2009 9:29:03 PM | Computer Name = ACER-FCAFBFA90D | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.2.3 for the Network Card with network
address 0016CFC126F8 has been denied by the DHCP server 0.0.0.0 (The DHCP Server
sent a DHCPNACK message).

Error - 5/13/2009 11:56:09 AM | Computer Name = ACER-FCAFBFA90D | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Automatic LiveUpdate
Scheduler service to connect.

Error - 5/13/2009 11:56:09 AM | Computer Name = ACER-FCAFBFA90D | Source = Service Control Manager | ID = 7000
Description = The Automatic LiveUpdate Scheduler service failed to start due to
the following error: %%1053

Error - 5/14/2009 1:20:26 PM | Computer Name = ACER-FCAFBFA90D | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Automatic LiveUpdate
Scheduler service to connect.

Error - 5/14/2009 1:20:26 PM | Computer Name = ACER-FCAFBFA90D | Source = Service Control Manager | ID = 7000
Description = The Automatic LiveUpdate Scheduler service failed to start due to
the following error: %%1053

Error - 5/15/2009 8:51:59 AM | Computer Name = ACER-FCAFBFA90D | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring
the volume.

Error - 5/15/2009 8:52:04 AM | Computer Name = ACER-FCAFBFA90D | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Automatic LiveUpdate
Scheduler service to connect.

Error - 5/15/2009 8:52:04 AM | Computer Name = ACER-FCAFBFA90D | Source = Service Control Manager | ID = 7000
Description = The Automatic LiveUpdate Scheduler service failed to start due to
the following error: %%1053

Error - 5/15/2009 8:52:04 AM | Computer Name = ACER-FCAFBFA90D | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
abp480n5 adpu160m agp440 agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p
asc3550
cbidf
cd20xrnt
CmdIde
Cpqarray
dac2w2k
dac960nt
dpti2o
hpn
i2omp
ini910u
IntelIde
mraid35x
perc2
perc2hib
ql1080
Ql10wnt
ql12160
ql1240
ql1280
sisagp
Sparrow
symc810
symc8xx
sym_hi
sym_u3
TosIde
ultra
viaagp
ViaIde


< End of report >



GMER Log:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-15 13:55:14
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code 82E3D3D8 ZwEnumerateKey
Code 82E6C390 ZwFlushInstructionCache
Code 82E6F00E IofCallDriver
Code 82F8100E IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 82E6F013
.text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 82F81013
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B6812 5 Bytes JMP 82E6C394
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF0 5 Bytes JMP 82E3D3DC
? kbbsguja.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\ovfsthxrrpbqboy.sys
File C:\WINDOWS\system32\ovfsthxttvtmlfu.dat
File C:\WINDOWS\system32\ovfsthxlywntqpm.dll
File C:\WINDOWS\system32\ovfsthxqwidltkk.dat
File C:\WINDOWS\system32\ovfsthxkqxetnom.dll
File C:\WINDOWS\system32\ovfsthxiqrmybom.dll

---- EOF - GMER 1.0.15 ----

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:55 AM

Posted 15 May 2009 - 02:48 PM

We need to run Combofix.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 purplestarz929

purplestarz929
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:55 AM

Posted 15 May 2009 - 06:16 PM

The internet is slow to load pages or perform searches on any site, not just search engines. The redirects appeared to be fixed at first, but the longer I'm online the more links get redirected. Here is the ComboFix log:

ComboFix 09-05-15.01 - Mwema 05/15/2009 18:59.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.196 [GMT -4:00]
Running from: c:\documents and settings\Mwema\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Mwema\LOCALS~1\Temp\McInstallTemp (2)\1033\DwnloadL.dll
c:\docume~1\Mwema\LOCALS~1\Temp\McInstallTemp (2)\1033\L10NRes.dll
c:\docume~1\Mwema\LOCALS~1\Temp\McInstallTemp (2)\CodeRes.dll
c:\docume~1\Mwema\LOCALS~1\Temp\McInstallTemp (2)\Compat.dll
c:\docume~1\Mwema\LOCALS~1\Temp\McInstallTemp (2)\Dwnload.dll
c:\docume~1\Mwema\LOCALS~1\Temp\McInstallTemp (2)\Install.exe
c:\docume~1\Mwema\LOCALS~1\Temp\McInstallTemp (2)\McBrwsr2.dll
c:\docume~1\Mwema\LOCALS~1\Temp\McInstallTemp (2)\McUtil.dll
c:\docume~1\Mwema\LOCALS~1\Temp\McInstallTemp (2)\MispLF.dll
c:\documents and settings\Mwema\Local Settings\Temp\McInstallTemp (2)\1033\DwnloadL.dll
c:\documents and settings\Mwema\Local Settings\Temp\McInstallTemp (2)\1033\L10NRes.dll
c:\documents and settings\Mwema\Local Settings\Temp\McInstallTemp (2)\CodeRes.dll
c:\documents and settings\Mwema\Local Settings\Temp\McInstallTemp (2)\Compat.dll
c:\documents and settings\Mwema\Local Settings\Temp\McInstallTemp (2)\Dwnload.dll
c:\documents and settings\Mwema\Local Settings\Temp\McInstallTemp (2)\Install.exe
c:\documents and settings\Mwema\Local Settings\Temp\McInstallTemp (2)\McBrwsr2.dll
c:\documents and settings\Mwema\Local Settings\Temp\McInstallTemp (2)\McUtil.dll
c:\documents and settings\Mwema\Local Settings\Temp\McInstallTemp (2)\MispLF.dll
c:\windows\system32\drivers\ovfsthxrrpbqboy.sys
c:\windows\system32\mssfc.dll
c:\windows\system32\ovfsthxiqrmybom.dll
c:\windows\system32\ovfsthxkqxetnom.dll
c:\windows\system32\ovfsthxlywntqpm.dll
c:\windows\system32\ovfsthxqwidltkk.dat
c:\windows\system32\ovfsthxttvtmlfu.dat
c:\windows\system32\SYS32DLL.exe
c:\windows\system32\uniq.tll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthxulkmotoi
-------\Legacy_SFC
-------\Service_sfc


((((((((((((((((((((((((( Files Created from 2009-04-15 to 2009-05-15 )))))))))))))))))))))))))))))))
.

2009-05-15 23:05 . 2009-05-15 23:05 -------- d-sh--w C:\FOUND.000
2009-05-08 19:32 . 2009-05-08 19:32 0 ----a-w c:\windows\nsreg.dat
2009-05-08 19:32 . 2009-05-08 19:32 -------- d-----w c:\documents and settings\Mwema\Local Settings\Application Data\Mozilla
2009-05-04 05:26 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-04 05:26 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-04 05:26 . 2009-05-04 05:26 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-04 03:42 . 2009-05-04 03:42 -------- d-----w c:\windows\system32\scripting
2009-05-04 03:42 . 2009-05-04 03:42 -------- d-----w c:\windows\l2schemas
2009-05-04 03:42 . 2009-05-04 03:42 -------- d-----w c:\windows\system32\en
2009-05-04 03:42 . 2009-05-04 03:42 -------- d-----w c:\windows\system32\bits
2009-05-04 03:40 . 2009-05-04 03:40 -------- d-----w c:\windows\ServicePackFiles
2009-05-04 02:13 . 2009-05-04 02:13 -------- d-----w c:\program files\RegCleaner
2009-05-03 02:33 . 2009-05-03 02:33 -------- d--h--w C:\$AVG8.VAULT$
2009-05-03 02:25 . 2009-05-03 02:25 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-03 02:25 . 2009-05-03 02:25 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-03 02:25 . 2009-05-03 02:25 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-03 02:25 . 2009-05-03 02:25 -------- d-----w c:\windows\system32\drivers\Avg
2009-05-03 02:25 . 2009-05-03 02:25 -------- d-----w c:\documents and settings\Mwema\Application Data\AVGTOOLBAR
2009-05-03 02:25 . 2009-05-03 02:25 -------- d-----w c:\program files\AVG
2009-05-03 02:25 . 2009-05-03 02:25 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-27 23:25 . 2009-04-27 23:25 -------- d-----w c:\documents and settings\Mwema\Application Data\Malwarebytes
2009-04-27 23:25 . 2009-04-27 23:25 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-27 22:35 . 2009-04-27 22:35 -------- d-----w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
2009-04-24 19:34 . 2009-04-24 19:34 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-04-16 20:57 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-16 20:57 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 20:57 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-16 20:57 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 20:57 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 20:57 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 20:57 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 20:57 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 20:57 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 20:51 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 20:51 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-15 23:02 . 2006-08-19 12:21 12 ----a-w c:\windows\bthservsdp.dat
2009-05-04 05:48 . 2007-03-07 19:06 69944 ----a-w c:\documents and settings\Mwema\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-06 14:22 . 2004-08-11 00:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-01-09 15:02 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-11 00:00 78336 ----a-w c:\windows\system32\ieencode.dll
2008-07-11 15:08 . 2008-07-11 15:08 16 ---ha-w c:\program files\Common Files\mxfilerelatedcache.mxc2
2008-07-11 15:08 . 2008-07-11 15:08 16 ---ha-w c:\program files\mxfilerelatedcache.mxc2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{E312764E-7706-43F1-8DAB-FCDD2B1E416D}"= "c:\program files\Search Settings\kb126\SearchSettings.dll" [2008-02-06 1160544]

[HKEY_CLASSES_ROOT\clsid\{e312764e-7706-43f1-8dab-fcdd2b1e416d}]
[HKEY_CLASSES_ROOT\SearchSettings.BHO.1]
[HKEY_CLASSES_ROOT\TypeLib\{CD082CCA-086F-4FD8-8FD7-247A0DBBD1CC}]
[HKEY_CLASSES_ROOT\SearchSettings.BHO]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-17 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-12-21 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2006-05-15 45056]
"ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-11 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-11 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-11 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-11 455168]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-08-10 352256]
"Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-22 3080704]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-07-21 593920]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 397312]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 69632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-01 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"SearchSettings"="c:\program files\Search Settings\SearchSettings.exe" [2008-02-06 1036640]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-03 1947928]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-13 110592]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-06-28 16248320]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"SYS32DLL"="SYS32DLL" [X]

c:\documents and settings\Mwema\Start Menu\Programs\Startup\
MEMonitor.lnk - c:\program files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2007-10-9 947544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-03 02:25 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/2/2009 10:25 PM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/2/2009 10:25 PM 108552]
R2 ACEDRV09;ACEDRV09;c:\windows\system32\drivers\ACEDRV09.sys [1/6/2008 8:30 PM 110304]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/2/2009 10:25 PM 298776]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [1/6/2008 3:11 PM 1527900]
S3 UPnPService;UPnPService;c:\program files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [1/6/2008 3:12 PM 544768]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - INT15.SYS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ewvjgxex
.
- - - - ORPHANS REMOVED - - - -

BHO-{C2BA40A1-74F3-42BD-F434-12345A2C8953} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://en.us.acer.yahoo.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
FF - ProfilePath - c:\documents and settings\Mwema\Application Data\Mozilla\Firefox\Profiles\yhdubu2c.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-15 19:07
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2792)
c:\windows\system32\MSNChatHook.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\MSVCR71.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\acer\Empowering Technology\admServ.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\eHome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\SYSTEM32\IGFXEXT.EXE
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\docume~1\Mwema\LOCALS~1\Temp\RtkBtMnt.exe
.
**************************************************************************
.
Completion time: 2009-05-15 19:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-15 23:09

Pre-Run: 14,456,717,312 bytes free
Post-Run: 15,354,920,960 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

226 --- E O F --- 2009-05-14 04:58

Edited by purplestarz929, 15 May 2009 - 07:08 PM.


#6 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 16 May 2009 - 02:03 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, to your desktop.

Driver::
ewvjgxex

NetSvc::
ewvjgxex

Folder::
c:\program files\Search Settings

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{E312764E-7706-43F1-8DAB-FCDD2B1E416D}"=-
[-HKEY_CLASSES_ROOT\clsid\{e312764e-7706-43f1-8dab-fcdd2b1e416d}]
[-HKEY_CLASSES_ROOT\SearchSettings.BHO.1]
[-HKEY_CLASSES_ROOT\TypeLib\{CD082CCA-086F-4FD8-8FD7-247A0DBBD1CC}]
[-HKEY_CLASSES_ROOT\SearchSettings.BHO]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SearchSettings"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"SYS32DLL"=-

Prior to running Combofix.exe you should disable your antivirus program.

Now drag and drop the CFScript file onto ComboFix.exe as seen in the image below.

[image: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 purplestarz929
  • Topic Starter
  • Members
  • 8 posts

Posted 16 May 2009 - 06:02 PM

ComboFix 09-05-16.05 - Mwema 05/16/2009 18:53.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.259 [GMT -4:00]
Running from: c:\documents and settings\Mwema\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mwema\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Search Settings
c:\program files\Search Settings\kb126\SearchSettings.dll
c:\program files\Search Settings\mxfilerelatedcache.mxc2
c:\program files\Search Settings\SearchSettings.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EWVJGXEX


((((((((((((((((((((((((( Files Created from 2009-04-16 to 2009-05-16 )))))))))))))))))))))))))))))))
.

2009-05-15 23:05 . 2009-05-15 23:05 -------- d-sh--w C:\FOUND.000
2009-05-08 19:32 . 2009-05-08 19:32 0 ----a-w c:\windows\nsreg.dat
2009-05-08 19:32 . 2009-05-08 19:32 -------- d-----w c:\documents and settings\Mwema\Local Settings\Application Data\Mozilla
2009-05-04 05:26 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-04 05:26 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-04 05:26 . 2009-05-04 05:26 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-04 03:42 . 2009-05-04 03:42 -------- d-----w c:\windows\system32\scripting
2009-05-04 03:42 . 2009-05-04 03:42 -------- d-----w c:\windows\l2schemas
2009-05-04 03:42 . 2009-05-04 03:42 -------- d-----w c:\windows\system32\en
2009-05-04 03:42 . 2009-05-04 03:42 -------- d-----w c:\windows\system32\bits
2009-05-04 03:40 . 2009-05-04 03:40 -------- d-----w c:\windows\ServicePackFiles
2009-05-04 02:13 . 2009-05-04 02:13 -------- d-----w c:\program files\RegCleaner
2009-05-03 02:33 . 2009-05-03 02:33 -------- d--h--w C:\$AVG8.VAULT$
2009-05-03 02:25 . 2009-05-03 02:25 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-03 02:25 . 2009-05-03 02:25 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-03 02:25 . 2009-05-03 02:25 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-03 02:25 . 2009-05-03 02:25 -------- d-----w c:\windows\system32\drivers\Avg
2009-05-03 02:25 . 2009-05-03 02:25 -------- d-----w c:\documents and settings\Mwema\Application Data\AVGTOOLBAR
2009-05-03 02:25 . 2009-05-03 02:25 -------- d-----w c:\program files\AVG
2009-05-03 02:25 . 2009-05-03 02:25 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-27 23:25 . 2009-04-27 23:25 -------- d-----w c:\documents and settings\Mwema\Application Data\Malwarebytes
2009-04-27 23:25 . 2009-04-27 23:25 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-27 22:35 . 2009-04-27 22:35 -------- d-----w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
2009-04-24 19:34 . 2009-04-24 19:34 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-16 22:56 . 2006-08-19 12:21 12 ----a-w c:\windows\bthservsdp.dat
2009-05-04 05:48 . 2007-03-07 19:06 69944 ----a-w c:\documents and settings\Mwema\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-06 14:22 . 2004-08-11 00:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-01-09 15:02 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-11 00:00 78336 ----a-w c:\windows\system32\ieencode.dll
2008-07-11 15:08 . 2008-07-11 15:08 16 ---ha-w c:\program files\Common Files\mxfilerelatedcache.mxc2
2008-07-11 15:08 . 2008-07-11 15:08 16 ---ha-w c:\program files\mxfilerelatedcache.mxc2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-17 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-12-21 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2006-05-15 45056]
"ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-11 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-11 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-11 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-11 455168]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-08-10 352256]
"Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-22 3080704]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-07-21 593920]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 397312]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 69632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-01 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-03 1947928]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-13 110592]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-06-28 16248320]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]

c:\documents and settings\Mwema\Start Menu\Programs\Startup\
MEMonitor.lnk - c:\program files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2007-10-9 947544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-03 02:25 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/2/2009 10:25 PM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/2/2009 10:25 PM 108552]
R2 ACEDRV09;ACEDRV09;c:\windows\system32\drivers\ACEDRV09.sys [1/6/2008 8:30 PM 110304]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/2/2009 10:25 PM 298776]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [1/6/2008 3:11 PM 1527900]
S3 UPnPService;UPnPService;c:\program files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [1/6/2008 3:12 PM 544768]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://en.us.acer.yahoo.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
FF - ProfilePath - c:\documents and settings\Mwema\Application Data\Mozilla\Firefox\Profiles\yhdubu2c.default\
FF - plugin: c:\documents and settings\Mwema\Application Data\Mozilla\Firefox\Profiles\yhdubu2c.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-16 18:59
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3496)
c:\windows\system32\MSNChatHook.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\MSVCR71.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
c:\program files\AVG\AVG8\AVGWDSVC.EXE
c:\acer\EMPOWERING TECHNOLOGY\ADMSERV.EXE
c:\windows\EHOME\EHRECVR.EXE
c:\windows\EHOME\EHSCHED.EXE
c:\program files\COMMON FILES\LIGHTSCRIBE\LSSRVC.EXE
c:\windows\EHOME\MCRDSVC.EXE
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\SYSTEM32\RUNDLL32.EXE
c:\program files\LAUNCH MANAGER\LMANAGER.EXE
c:\windows\EHOME\EHMSAS.EXE
c:\program files\AVG\AVG8\AVGTRAY.EXE
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\SYSTEM32\IGFXEXT.EXE
c:\windows\SYSTEM32\IGFXSRVC.EXE
c:\docume~1\Mwema\LOCALS~1\Temp\RtkBtMnt.exe
.
**************************************************************************
.
Completion time: 2009-05-16 19:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-16 23:01
ComboFix2.txt 2009-05-15 23:09

Pre-Run: 15,271,395,328 bytes free
Post-Run: 15,253,110,784 bytes free

174 --- E O F --- 2009-05-14 04:58

#8 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 17 May 2009 - 07:59 AM

How is your computer behaving now?

#9 purplestarz929
  • Topic Starter
  • Members
  • 8 posts

Posted 17 May 2009 - 07:55 PM

Links are still being redirected, but not as frequently. The internet isn't as slow as it was before, though.

Edited by purplestarz929, 17 May 2009 - 08:25 PM.


#10 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 18 May 2009 - 11:36 AM

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back here in your next reply.


#11 purplestarz929
  • Topic Starter
  • Members
  • 8 posts

Posted 18 May 2009 - 01:36 PM

SDFix: Version 1.240
Run by Administrator on Mon 05/18/2009 at 02:30 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-18 14:34:55
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Common Files\\MAGIX Shared\\UPnPService\\UPnPService.exe"="C:\\Program Files\\Common Files\\MAGIX Shared\\UPnPService\\UPnPService.exe:LocalSubNet:Enabled:Magix UPnP Service"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Fri 18 Aug 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTICDMK7.dll"
Fri 18 Aug 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTIMP3.dll"
Fri 18 Aug 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTIMPEG2.dll"
Fri 18 Aug 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTIFCD3.dll"
Fri 18 Aug 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTIBUN4.dll"
Tue 1 May 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 5 Jul 2007 146,432 ..SHR --- "C:\Program Files\Verizon Wireless\V CAST Music Manager\Setup.exe"
Mon 7 May 2007 53,248 A.SHR --- "C:\Program Files\Verizon Wireless\V CAST Music Manager\_Setupx.dll"
Tue 1 May 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!

#12 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 18 May 2009 - 04:33 PM

Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.

#13 purplestarz929
  • Topic Starter
  • Members
  • 8 posts

Posted 18 May 2009 - 05:22 PM

GooredFix v1.92 by jpshortstuff
Log created at 18:21 on 18/05/2009 running Option #1 (Mwema)
Firefox version 3.0.10 (en-US)

=====Suspect Goored Entries=====

C:\Program Files\Mozilla Firefox\extensions\{AEDB8946-3FA9-4C83-BC33-A5B0A40DC717}

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

#14 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 18 May 2009 - 05:27 PM

Please double-click Goored.exe on your Desktop to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).


Check to see if you are still being redirected.

#15 purplestarz929
  • Topic Starter
  • Members
  • 8 posts

Posted 18 May 2009 - 05:36 PM

It seems to be fixed! Here is the log anyway, but I'll let you know if any problems arise. Thanks A TON!

GooredFix v1.92 by jpshortstuff
Log created at 18:29 on 18/05/2009 running Option #2 (Mwema)
Firefox version 3.0.10 (en-US)

=====Goored Deletions=====
C:\Program Files\Mozilla Firefox\extensions\{AEDB8946-3FA9-4C83-BC33-A5B0A40DC717}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

Edited by purplestarz929, 18 May 2009 - 05:37 PM.




