
Multiple worms found with AVG8


  • This topic is locked
31 replies to this topic

#1 pyrael

  • Members
  • 16 posts
  • OFFLINE
  • Local time:07:21 AM

Posted 14 May 2009 - 11:48 AM

This started on 5/11. I installed a free program that popped up an error that a DLL was not found (even though it was in the folder). It then popped up an installer for a completely different piece of software. I immediately suspected malware or the like and checked my running processes. I found 3 processes besides the actual software running. 2 were temp files and one was unsecapp.exe (which has never been found running before). I immediately killed all the processes and ran my anti-virus. It found nothing!! I uninstalled AVG and Spybot, suspecting that since their processes were not all there, they had been compromised. Still nothing was found. I rebooted into safe mode and ran AVG from there (console version). Also, I found that I could no longer go to AVG's website, safer-networking.org and many others; it said network server not found. Upon googling about this, I came across info that pointed to a DNS problem. After checking my DNS IPs I found that they were not correct. I have 4 computers running on a small home network, all have static IPs and obviously the same DNS IPs. I have changed the IPs back, but am still wary that the original worm is resident somewhere, as things are still not normal and the internet is slower than usual, as well as processing time for even Notepad. Below are the AVG report and the DDS.txt file that DDS created (as requested by the preparation Howto).
Attach.txt is attached also

Here is the report from AVG:
AVG 8.5 Anti-Virus command line scanner
Copyright (c) 1992 - 2009 AVG Technologies
Program version 8.0.300, engine 8.0.319
Virus Database: Version 270.12.27/2112  2009-05-13

C:\autorun.inf Virus found Worm/AutoRun Object was moved to Virus Vault.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested. 
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested. 
C:\Documents and Settings\Administrator\NTUSER.DAT Locked file. Not tested. 
C:\Documents and Settings\Administrator\NTUSER.dat.LOG Locked file. Not tested. 
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Locked file. Not tested. 
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested. 
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested. 
C:\Documents and Settings\NetworkService\NTUSER.DAT Locked file. Not tested. 
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Locked file. Not tested. 
C:\Documents and Settings\Pyrael\Local Settings\Temp\tmp13.tmp Virus identified Worm/Generic.YVH Object was moved to Virus Vault.
C:\Documents and Settings\Pyrael\Local Settings\Temp\tmp5C3.tmp Virus identified Worm/Generic.YVH Object was moved to Virus Vault.
C:\pagefile.sys Locked file. Not tested. 
C:\System Volume Information\ Locked file. Not tested. 
C:\WINDOWS\system32\CatRoot2\edb.log Locked file. Not tested. 
C:\WINDOWS\system32\CatRoot2\tmp.edb Locked file. Not tested. 
C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Locked file. Not tested. 
C:\WINDOWS\system32\config\default Locked file. Not tested. 
C:\WINDOWS\system32\config\default.LOG Locked file. Not tested. 
C:\WINDOWS\system32\config\SAM Locked file. Not tested. 
C:\WINDOWS\system32\config\SAM.LOG Locked file. Not tested. 
C:\WINDOWS\system32\config\SECURITY Locked file. Not tested. 
C:\WINDOWS\system32\config\SECURITY.LOG Locked file. Not tested. 
C:\WINDOWS\system32\config\software Locked file. Not tested. 
C:\WINDOWS\system32\config\software.LOG Locked file. Not tested. 
C:\WINDOWS\system32\config\system Locked file. Not tested. 
C:\WINDOWS\system32\config\system.LOG Locked file. Not tested. 
C:\WINDOWS\Temp\tempo-522912171.tmp Trojan horse FakeAlert.KH Object was moved to Virus Vault.
C:\WINDOWS\Temp\tempo-2901125.tmp Trojan horse FakeAlert.KH Object was moved to Virus Vault.
D:\autorun.inf Virus found Worm/AutoRun Object was moved to Virus Vault.
D:\System Volume Information\ Locked file. Not tested. 

------------------------------------------------------------
Objects scanned	 : 209455
Found infections	:	6
Found PUPs		  :	0
Healed infections   :	6
Healed PUPs		 :	0
Warnings			:	0
------------------------------------------------------------

DDS.txt:
DDS (Ver_09-05-14.01) - NTFSx86  
Run by Pyrael at 12:16:05.07 on Thu 05/14/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.2047.1293 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)   {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Folding@Home Windows SMP Client V1.01\smpd.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Mozilla Firefox 3.1 Beta 3\firefox.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Documents and Settings\Pyrael\Desktop\dds.scr

============== Pseudo HJT Report ===============

mWinlogon: Taskman=c:\recycler\s-1-5-21-4702827238-2137610469-248019476-3519\rundll32.exe
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R
uRun: [Chatango] c:\program files\chatango\Chatango.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\pyrael\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\pyrael\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpaiod~1.lnk - c:\program files\hewlett-packard\aio\hp officejet 7100 series\bin\hpogrp07.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238265005765
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15107/CTPID.cab
TCP: NameServer = 85.255.112.7,85.255.112.88
TCP: {7B447AA5-2891-46CE-B84A-17FF02B9452A} = 24.92.226.40,24.92.226.41
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - 
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\pyrael\applic~1\mozilla\firefox\profiles\cxa52mwg.default\
FF - plugin: c:\program files\mozilla firefox 3.1 beta 3\plugins\npFoxitReaderPlugin.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("dom.storage.default_quota",	  5120);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-13 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-13 27784]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-13 298776]
R2 Folding@home-CPU-[1];Folding@home-CPU-[1];c:\program files\folding@home windows smp client v1.01\folding@home-win32-x86.exe -svcstart -d "c:\program files\folding@home windows smp client v1.01" --> c:\program files\folding@home windows smp client v1.01\folding@home-win32-x86.exe -svcstart -d c:\program files\Folding@Home Windows SMP Client V1.01 [?]
R2 mpich2_smpd;MPICH2 Process Manager, Argonne National Lab;c:\program files\folding@home windows smp client v1.01\smpd.exe [2009-3-28 1135616]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\NBService.exe [2008-9-24 935208]
S3 p17filt;p17filt;c:\windows\system32\drivers\p17filt.sys [2006-3-20 1452032]
S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [2009-4-13 7548]

============== File Associations ===============

scrfile="%1" /S "%3"

=============== Created Last 30 ================

2009-05-14 11:10	<DIR>	--d-----	C:\HJT
2009-05-14 09:24	<DIR>	--d-h---	C:\$AVG8.VAULT$
2009-05-13 13:18	11,952	a-------	c:\windows\system32\avgrsstx.dll
2009-05-13 13:18	325,896	a-------	c:\windows\system32\drivers\avgldx86.sys
2009-05-13 13:17	<DIR>	--d-----	c:\windows\system32\drivers\Avg
2009-05-13 13:04	0	a-------	c:\windows\system32\commonpriv.log.lock
2009-05-13 13:02	<DIR>	--d-----	c:\program files\AVG
2009-05-13 13:02	<DIR>	--d-----	c:\docume~1\alluse~1\applic~1\avg8
2009-05-13 11:36	65	a-------	c:\windows\wininit.ini
2009-05-13 11:20	<DIR>	--d-----	c:\docume~1\alluse~1\applic~1\SecTaskMan
2009-05-13 11:20	<DIR>	--d-----	c:\program files\Security Task Manager
2009-05-13 11:13	112	a---h---	C:\aaw7boot.cmd
2009-05-13 11:07	<DIR>	--d-----	c:\windows\pss
2009-05-13 10:29	<DIR>	--d-----	c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-05-12 21:23	<DIR>	--d-----	c:\documents and settings\pyrael\.housecall6.6
2009-05-09 19:36	65	a-------	c:\windows\ARIEL_SS.INI
2009-05-09 19:36	<DIR>	--d-----	c:\windows\DISNEY
2009-05-09 19:36	<DIR>	--d-----	C:\DISNEY
2009-05-08 16:55	<DIR>	--d-----	c:\program files\DAZ
2009-05-05 22:29	<DIR>	--d-----	c:\program files\Chatango
2009-04-23 10:55	<DIR>	--d-----	c:\program files\BreakPoint Software
2009-04-19 21:11	221,184	a-------	c:\windows\system32\wmpns.dll
2009-04-19 21:11	<DIR>	--d-----	c:\program files\Windows Media Connect 2
2009-04-19 21:10	<DIR>	--d-----	c:\windows\system32\LogFiles
2009-04-19 16:44	<DIR>	--ds----	c:\documents and settings\pyrael\UserData
2009-04-19 16:44	0	a-------	c:\windows\iplayer.INI
2009-04-19 16:43	<DIR>	--d-----	c:\program files\InterActual
2009-04-19 16:38	0	a-------	c:\windows\syscheck.INI
2009-04-19 16:12	<DIR>	--d-----	c:\program files\Rocky Horror Picture Show DVD
2009-04-19 16:12	872,772	a-------	c:\windows\system32\Rocky Horror Picture Show DVD.scr
2009-04-19 15:52	0	a-------	c:\windows\pcfriend.INI
2009-04-19 15:51	<DIR>	--d-----	c:\program files\PCFriendly
2009-04-19 09:12	<DIR>	--d-----	c:\program files\GraphCalc

==================== Find3M  ====================

2009-05-10 14:55	76,487	a-------	c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-04-12 11:46	4,096	a-------	c:\windows\d3dx.dat
2009-03-30 12:03	410,984	a-------	c:\windows\system32\deploytk.dll
2009-03-24 12:59	409,600	a-------	c:\windows\system32\wrap_oal.dll
2009-03-24 12:59	114,688	a-------	c:\windows\system32\OpenAL32.dll
2009-03-23 14:13	118,784	a-------	c:\windows\dsdxirmv.exe
2009-03-23 01:24	21,640	a-------	c:\windows\system32\emptyregdb.dat

============= FINISH: 12:16:30.89 ===============

I have downloaded Hijackthis and can run it if you like, I have not done so yet.


#2 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:21 AM

Posted 15 May 2009 - 10:21 AM

Hello! :)
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


It sounds like a case of Zlob/DNSchanger that changes the router's DNS settings. Please download Malwarebytes' Anti-Malware from Here or Here

Next disconnect your system from the internet, and your router, then…

  • Double click mbam-setup.exe to install the application.
  • Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


===============================================


Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). If you don’t know the router's default password, you can look it up HERE

However, if there are other Zlob-infected machines using the same router, they will need to be cleared with the above steps before resetting the router. Otherwise, the malware will simply go back and change the router's DNS settings. You also need to reconfigure any security settings you had in place prior to the reset. Check out this site here for video tutorials on how to properly configure your router's encryption and security settings. You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.

Once you have run Malwarebytes' Anti-Malware on the infected system and reset the router to its default configuration, you can reconnect to the internet and router. Then return to this site to post your logs.

===============================================

Please post the Malwarebytes log and let me know how things are running now.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 pyrael
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:07:21 AM

Posted 15 May 2009 - 06:32 PM

Hi Sam! Thanks for the reply.

My router does not appear affected by whatever is on this computer; however, as you asked, I did reset the router and then, from an unaffected computer, set the password to a new (never used before) one. The DNS change I was referring to was locally on the affected machine (Network connections > Local Area Connection > Properties > Internet Protocol > Properties), which is supposed to be the IP from my cable company, not the Ukrainian one that was there :) . I have been able to fix it there and it has not changed back even with reboots.

I have a problem though: I downloaded (6 times) the mbam-setup.exe program (3 from each location). I can get it to appear to install, and it will show up in the start menu and Program Files, but it will not run.

I tried disabling my firewall (since I unplugged the LAN from the computer) and also rebooted with AVG disabled as well as Spybot. It just will not run.

Should I try running in safe mode? That's how AVG finally worked.

Thanks again for the help.

Steve
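The resolver hijack described in the first post and diagnosed above shows up in the DDS log as a machine-wide "TCP: NameServer" entry pointing at addresses the owner never configured, while the per-interface entry still lists the ISP pair. The following is an added example written for this thread, not code from either poster or from the DDS/OTListIt tools: it parses DDS-style "TCP:" lines and flags every resolver that is not in an expected set, reporting values that are not even IP addresses so a garbled line is not treated as benign. The sample lines are constructed to mirror the shapes in the posted log, and the expected set is assumed to be the two ISP addresses shown on the interface-specific entry; replace it with the servers your own ISP hands out.

```python
import ipaddress
import re

# Constructed sample input, shaped like the "TCP:" lines in the DDS log posted in
# this thread: one machine-wide NameServer entry and one per-interface entry,
# surrounded by unrelated lines that the parser must ignore.
SAMPLE_DDS_LINES = [
    "============== Pseudo HJT Report ===============",
    "TCP: NameServer = 85.255.112.7,85.255.112.88",
    "TCP: {7B447AA5-2891-46CE-B84A-17FF02B9452A} = 24.92.226.40,24.92.226.41",
    "Notify: avgrsstarter - avgrsstx.dll",
]

# Assumption: the resolvers the owner expects are the ISP-assigned pair that the
# per-interface entry still shows. Replace with the servers your ISP hands out.
EXPECTED_DNS = {"24.92.226.40", "24.92.226.41"}

# DDS writes resolver settings as "TCP: <scope> = <ip>[,<ip>...]", where <scope>
# is the literal word NameServer (machine-wide) or an interface GUID in braces.
TCP_LINE = re.compile(r"^TCP:\s+(?P<scope>\S+)\s*=\s*(?P<servers>.+?)\s*$")


def parse_dds_dns(lines):
    """Return [(scope, [server, ...]), ...] for every TCP: line; other lines are ignored."""
    entries = []
    for line in lines:
        match = TCP_LINE.match(line.strip())
        if not match:
            continue
        servers = [s.strip() for s in match.group("servers").split(",") if s.strip()]
        entries.append((match.group("scope"), servers))
    return entries


def audit_dns(lines, expected):
    """Flag every configured resolver that is not in the expected set.

    Returns a list of (scope, server, reason). A value that does not parse as an
    IP address is reported as well, so a typo or a damaged log line is never
    silently accepted as a known-good resolver.
    """
    findings = []
    for scope, servers in parse_dds_dns(lines):
        for server in servers:
            try:
                ipaddress.ip_address(server)
            except ValueError:
                findings.append((scope, server, "not an IP address"))
                continue
            if server not in expected:
                findings.append((scope, server, "unexpected resolver"))
    return findings


if __name__ == "__main__":
    # On the sample above this reports both machine-wide NameServer addresses.
    for scope, server, reason in audit_dns(SAMPLE_DDS_LINES, EXPECTED_DNS):
        print(f"{scope}: {server} ({reason})")
```

Run against a saved DDS.txt by reading its lines into `audit_dns`; an empty result means every resolver on every interface is one you put there. The check deliberately compares against an allow-list rather than a block-list of known bad ranges, since the owner knows which two addresses belong and anything else on a static-IP home network is a finding.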

#4 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:21 AM

Posted 16 May 2009 - 02:07 PM

Yes, give it a try in safe mode and see if it will run there.

We need to create an OTListIt2 Report
  • Please download OTListIt2 from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy the log that opens up and paste it back here in your next reply.


#5 pyrael
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:07:21 AM

Posted 16 May 2009 - 03:32 PM

OK Sam,

I couldn't get it to run in safe mode either.

Here are the txt files from OTListIt2:

OTListIt.Txt:
OTListIt logfile created on: 5/16/2009 4:23:29 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.15.8 Folder = C:\Documents and Settings\Pyrael\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.32 Gb Available Physical Memory | 66.18% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 4096 4096 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 13.24 Gb Free Space | 17.77% Space Free | Partition Type: NTFS
Drive D: | 149.04 Gb Total Space | 125.25 Gb Free Space | 84.04% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: R6S
Current User Name: Pyrael
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2009/05/13 13:17:52 | 00,486,168 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [1999/12/13 02:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTsvcCDA.exe
PRC - [2009/02/05 13:45:12 | 00,422,912 | ---- | M] () -- C:\Program Files\Folding@Home Windows SMP Client V1.01\Folding@home-Win32-x86.exe
PRC - [2009/03/30 12:03:28 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2007/01/31 14:29:46 | 01,135,616 | ---- | M] () -- C:\Program Files\Folding@Home Windows SMP Client V1.01\smpd.exe
PRC - [2008/09/24 15:32:48 | 00,935,208 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
PRC - [2007/06/28 12:43:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2007/01/31 14:29:50 | 01,158,144 | ---- | M] () -- C:\Program Files\Folding@Home Windows SMP Client V1.01\mpiexec.exe
PRC - [2007/01/31 14:29:46 | 01,135,616 | ---- | M] () -- C:\Program Files\Folding@Home Windows SMP Client V1.01\smpd.exe
PRC - [2009/03/28 22:39:30 | 02,035,712 | ---- | M] () -- C:\Program Files\Folding@Home Windows SMP Client V1.01\FahCore_a1.exe
PRC - [2009/03/28 22:39:30 | 02,035,712 | ---- | M] () -- C:\Program Files\Folding@Home Windows SMP Client V1.01\FahCore_a1.exe
PRC - [2009/03/28 22:39:30 | 02,035,712 | ---- | M] () -- C:\Program Files\Folding@Home Windows SMP Client V1.01\FahCore_a1.exe
PRC - [2009/03/28 22:39:30 | 02,035,712 | ---- | M] () -- C:\Program Files\Folding@Home Windows SMP Client V1.01\FahCore_a1.exe
PRC - [2004/08/04 08:00:00 | 01,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2005/10/31 11:51:52 | 00,057,344 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
PRC - [2009/03/30 12:03:28 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/05/13 13:17:53 | 01,947,928 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2004/12/02 19:23:34 | 00,102,400 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
PRC - [2008/02/05 00:18:28 | 00,356,352 | ---- | M] (Pear Media, LLC) -- C:\Program Files\Chatango\Chatango.exe
PRC - [2003/06/24 23:23:40 | 00,495,682 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
PRC - [2003/06/24 23:59:16 | 00,299,008 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\AiO\Shared\Bin\hpoevm07.exe
PRC - [2003/06/25 00:41:06 | 00,294,912 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
PRC - [2003/06/25 01:19:18 | 00,188,416 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
PRC - [2009/04/28 22:02:18 | 00,308,216 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox 3.1 Beta 3\firefox.exe
PRC - [2009/05/16 16:22:40 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Pyrael\Desktop\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2005/09/23 08:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2009/05/13 13:17:52 | 00,298,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Disabled | Stopped])
SRV - [2005/09/23 08:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [1999/12/13 02:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTsvcCDA.exe -- (Creative Service for CDROM Access [Auto | Running])
SRV - [2009/02/05 13:45:12 | 00,422,912 | ---- | M] () -- C:\Program Files\Folding@Home Windows SMP Client V1.01\Folding@home-Win32-x86.exe -- (Folding@home-CPU-[1] [Auto | Running])
SRV - [2004/08/04 08:00:00 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2005/04/04 01:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2009/03/30 12:03:28 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2007/01/31 14:29:46 | 01,135,616 | ---- | M] () -- C:\Program Files\Folding@Home Windows SMP Client V1.01\smpd.exe -- (mpich2_smpd [Auto | Running])
SRV - [2008/09/24 15:32:48 | 00,935,208 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0 [Auto | Running])
SRV - [2007/06/28 12:43:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Auto | Running])
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2009/05/13 13:18:00 | 00,325,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86 [System | Running])
DRV - [2009/05/13 13:17:58 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86 [System | Running])
DRV - [2005/01/10 19:15:24 | 00,138,752 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys -- (ctsfm2k [On_Demand | Running])
DRV - [2009/02/24 19:42:14 | 00,116,736 | ---- | M] (MagicISO, Inc.) -- C:\WINDOWS\system32\DRIVERS\mcdbus.sys -- (mcdbus [On_Demand | Running])
DRV - [2007/06/28 12:43:00 | 06,807,328 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Running])
DRV - [2005/01/10 19:15:30 | 00,106,496 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\DRIVERS\ctoss2k.sys -- (ossrv [On_Demand | Running])
DRV - [2007/06/15 11:47:26 | 01,127,936 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\P17.sys -- (P17 [On_Demand | Running])
DRV - [2006/03/20 19:34:56 | 01,452,032 | ---- | M] (Sensaura) -- C:\WINDOWS\system32\drivers\p17filt.sys -- (p17filt [On_Demand | Stopped])
DRV - [2004/08/04 08:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2008/10/30 22:14:20 | 00,117,888 | R--- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys -- (RTLE8023xp [On_Demand | Running])
DRV - [2006/01/07 12:09:50 | 00,007,548 | ---- | M] () -- C:\WINDOWS\system32\drivers\samhid.sys -- (samhid [On_Demand | Stopped])
DRV - [2004/08/04 08:00:00 | 00,027,440 | ---- | M] () -- C:\WINDOWS\system32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2005/08/17 09:45:00 | 00,058,352 | ---- | M] (MCCI) -- C:\WINDOWS\system32\DRIVERS\sscdbus.sys -- (sscdbus [On_Demand | Stopped])
DRV - [2005/08/17 09:46:20 | 00,008,272 | ---- | M] (MCCI) -- C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys -- (sscdmdfl [On_Demand | Stopped])
DRV - [2005/08/17 09:46:26 | 00,093,872 | ---- | M] (MCCI) -- C:\WINDOWS\system32\DRIVERS\sscdmdm.sys -- (sscdmdm [On_Demand | Stopped])
DRV - [2005/08/17 09:47:48 | 00,073,696 | ---- | M] (MCCI) -- C:\WINDOWS\system32\DRIVERS\sscdserd.sys -- (sscdserd [On_Demand | Stopped])
DRV - [2007/12/24 17:37:00 | 00,138,384 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm [Auto | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-507921405-602609370-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-507921405-602609370-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-507921405-602609370-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-21-507921405-602609370-839522115-1004\S-1-5-21-507921405-602609370-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-507921405-602609370-839522115-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-507921405-602609370-839522115-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-507921405-602609370-839522115-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-21-507921405-602609370-839522115-1005\S-1-5-21-507921405-602609370-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.7

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.7\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/03/31 11:48:56 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.7\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/05/10 09:22:24 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5b4\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX 3.1 BETA 3\COMPONENTS [2009/05/11 06:57:50 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5b4\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX 3.1 BETA 3\PLUGINS [2009/05/10 09:22:24 | 00,000,000 | ---D | M]

[2009/03/23 14:24:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Pyrael\Application Data\mozilla\Extensions
[2009/03/23 14:24:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Pyrael\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/03/30 12:04:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Pyrael\Application Data\mozilla\Firefox\Profiles\cxa52mwg.default\extensions
[2009/03/23 14:21:37 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/03/23 14:21:37 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/02/19 21:43:33 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/02/19 21:43:34 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/02/19 15:33:08 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/02/19 15:33:08 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/02/19 15:33:08 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/02/19 15:33:08 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/02/19 15:33:08 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/02/19 15:33:08 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/02/19 15:33:08 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll File not found
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (AVG Security Toolbar) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL File not found
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL File not found
O4 - HKLM..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r (Creative Technology Ltd)
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] nwiz.exe /install File not found
O4 - HKLM..\Run: [P17Helper] Rundll32 P17.dll,P17Helper File not found
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE (Creative Technology Ltd.)
O4 - HKU\S-1-5-21-507921405-602609370-839522115-1004..\Run: [Chatango] C:\Program Files\Chatango\Chatango.exe (Pear Media, LLC)
O4 - HKU\S-1-5-21-507921405-602609370-839522115-1004..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R (Creative Technology Ltd)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\Pyrael\Start Menu\Programs\Startup\MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe (MagicISO, Inc.)
O4 - Startup: C:\Documents and Settings\Pyrael\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-507921405-602609370-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-507921405-602609370-839522115-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1238265005765 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://ccfiles.creative.com/Web/softwareup...15107/CTPID.cab (Creative Software AutoUpdate Support Package)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.7,85.255.112.88
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Interfaces\{7B447AA5-2891-46CE-B84A-17FF02B9452A}\\NameServer = 24.92.226.40,24.92.226.41
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll File not found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: TaskMan - (C:\RECYCLER\S-1-5-21-4702827238-2137610469-248019476-3519\rundll32.exe) - C:\RECYCLER\S-1-5-21-4702827238-2137610469-248019476-3519\.exe File not found
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\system32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/03/23 01:26:06 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - * [2009/05/14 13:52:30 | 00,000,000 | ---D | M]

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2009/05/16 16:22:23 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Pyrael\Desktop\OTListIt2.exe
[2009/05/16 16:19:55 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\gbbjqkd.sys
[2009/05/15 19:09:20 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/05/15 19:09:18 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/05/15 19:09:17 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/05/15 19:09:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/05/15 19:05:24 | 02,967,800 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Pyrael\Desktop\mbam-setup.exe
[2009/05/15 12:59:04 | 00,009,356 | ---- | C] () -- C:\Documents and Settings\Pyrael\My Documents\JTS_Label.odt
[2009/05/14 12:15:28 | 00,359,883 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\dds.scr
[2009/05/14 11:14:11 | 00,000,491 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\Shortcut to HijackThis.exe.lnk
[2009/05/14 11:10:38 | 00,000,000 | ---D | C] -- C:\HJT
[2009/05/14 11:07:50 | 00,318,369 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\HiJackThis.zip
[2009/05/14 09:24:21 | 00,000,000 | -H-D | C] -- C:\$AVG8.VAULT$
[2009/05/13 13:22:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Pyrael\My Documents\sheet music
[2009/05/13 13:18:02 | 00,001,507 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 8.5.lnk
[2009/05/13 13:18:01 | 00,011,952 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/05/13 13:18:00 | 00,325,896 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/05/13 13:17:58 | 00,027,784 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/05/13 13:17:54 | 36,119,516 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/05/13 13:17:54 | 06,061,540 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/05/13 13:17:54 | 00,434,673 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/05/13 13:17:54 | 00,056,731 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/05/13 13:17:54 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\Avg
[2009/05/13 13:02:39 | 00,000,000 | ---D | C] -- C:\Program Files\AVG
[2009/05/13 13:02:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg8
[2009/05/13 12:57:47 | 64,852,304 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\Pyrael\Desktop\avg_free_stf_en_85_329a1515.exe
[2009/05/13 11:36:46 | 00,000,065 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/05/13 11:36:32 | 00,787,000 | ---- | C] (Prevx) -- C:\Documents and Settings\Pyrael\Desktop\PREVXCSIFREE.EXE
[2009/05/13 11:20:41 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
[2009/05/13 11:20:38 | 00,000,000 | ---D | C] -- C:\Program Files\Security Task Manager
[2009/05/13 11:20:09 | 01,709,408 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\taskmanager17.exe
[2009/05/13 11:13:30 | 00,000,112 | -H-- | C] () -- C:\aaw7boot.cmd
[2009/05/13 11:07:44 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss
[2009/05/13 10:59:52 | 00,000,458 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/05/13 10:58:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2009/05/13 10:56:53 | 37,452,296 | ---- | C] (Lavasoft ) -- C:\Documents and Settings\Pyrael\Desktop\Ad-AwareAE.exe
[2009/05/13 10:29:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/05/13 10:28:26 | 16,409,960 | ---- | C] (Safer Networking Limited ) -- C:\Documents and Settings\Pyrael\Desktop\spybotsd162.exe
[2009/05/11 09:52:28 | 00,053,553 | ---- | C] () -- C:\Documents and Settings\Pyrael\My Documents\AutoSave_Untitled_1.skp
[2009/05/11 09:40:30 | 00,053,553 | ---- | C] () -- C:\Documents and Settings\Pyrael\My Documents\AutoSave_Untitled.skp
[2009/05/10 20:58:39 | 00,002,052 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Update Victoria 4.2 Base.lnk
[2009/05/10 15:37:32 | 02,735,265 | ---- | C] () -- C:\Documents and Settings\Pyrael\My Documents\homeworld.pz3
[2009/05/10 15:01:44 | 00,322,876 | ---- | C] () -- C:\Documents and Settings\Pyrael\My Documents\Untitled.3ds
[2009/05/10 15:01:40 | 00,307,935 | ---- | C] () -- C:\Documents and Settings\Pyrael\My Documents\sixus1me.jpg
[2009/05/10 14:59:13 | 00,001,911 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Style Builder.lnk
[2009/05/10 14:59:13 | 00,001,825 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\LayOut 2.lnk
[2009/05/10 14:59:13 | 00,001,762 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google SketchUp 7.lnk
[2009/05/10 14:58:57 | 00,000,000 | ---D | C] -- C:\Program Files\Google
[2009/05/10 14:47:46 | 00,957,635 | ---- | C] () -- C:\Documents and Settings\Pyrael\My Documents\Untitled.skb
[2009/05/10 14:47:37 | 00,460,583 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\Untitled.kmz
[2009/05/10 14:45:08 | 00,338,875 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\Untitled.png
[2009/05/10 14:38:28 | 00,941,644 | ---- | C] () -- C:\Documents and Settings\Pyrael\My Documents\Untitled.skp
[2009/05/10 09:29:46 | 00,000,806 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\Foxit PDF Editor.lnk
[2009/05/09 19:36:55 | 00,000,065 | ---- | C] () -- C:\WINDOWS\ARIEL_SS.INI
[2009/05/09 19:36:50 | 00,000,000 | ---D | C] -- C:\WINDOWS\DISNEY
[2009/05/09 19:36:40 | 00,000,000 | ---D | C] -- C:\DISNEY
[2009/05/08 16:55:54 | 00,000,000 | ---D | C] -- C:\Program Files\DAZ
[2009/05/08 15:31:28 | 00,017,920 | -HS- | C] () -- C:\Documents and Settings\Pyrael\My Documents\Thumbs.db
[2009/05/05 22:29:20 | 00,000,000 | ---D | C] -- C:\Program Files\Chatango
[2009/05/05 22:29:16 | 00,228,414 | ---- | C] () -- C:\Documents and Settings\Pyrael\My Documents\ChatangoInstaller.exe
[2009/05/05 13:27:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Pyrael\Desktop\CD
[2009/05/04 09:12:53 | 00,004,252 | ---- | C] () -- C:\Documents and Settings\Pyrael\My Documents\OakAshandThorn_Trad_song.html
[2009/05/03 11:39:16 | 00,056,720 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\NEW_CAMELOT.ODT
[2009/05/02 21:46:47 | 00,091,648 | -HS- | C] () -- C:\Documents and Settings\Pyrael\Desktop\Thumbs.db
[2009/05/02 02:00:31 | 00,085,506 | ---- | C] () -- C:\Documents and Settings\Pyrael\My Documents\Beltane.pdf
[2009/05/02 01:54:28 | 00,023,811 | ---- | C] () -- C:\Documents and Settings\Pyrael\My Documents\Beltane.odt
[2009/05/01 16:13:38 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Pyrael\Desktop\SpinningThing
[2009/05/01 15:16:10 | 56,014,5136 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\Audio.zip
[2009/04/30 11:03:38 | 00,167,250 | R--- | C] () -- C:\Documents and Settings\Pyrael\My Documents\homeimprovementcd.wav
[2009/04/28 10:03:32 | 00,895,391 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\pent.pmd
[2009/04/24 09:03:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Pyrael\My Documents\New Camelot
[2009/04/23 10:55:31 | 00,000,961 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Hex Workshop Hex Editor.lnk
[2009/04/23 10:55:30 | 00,000,000 | ---D | C] -- C:\Program Files\BreakPoint Software
[2009/04/21 08:59:12 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Pyrael\Desktop\pent
[2009/04/21 08:55:49 | 00,000,030 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\pent.swf
[2009/04/20 13:55:05 | 07,373,240 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\pent.pz3
[2009/04/20 12:06:58 | 00,002,991 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\SammyHagarYourLoveIsDrivingMeCrazy.aup
[2009/04/20 12:06:58 | 00,002,986 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\SammyHagarYourLoveIsDrivingMeCrazy.aup.bak
[2009/04/20 12:06:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Pyrael\Desktop\SammyHagarYourLoveIsDrivingMeCrazy_data
[2009/04/20 10:09:14 | 03,340,228 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\SammyHagarYourLoveIsDrivingMeCrazy.mp3
[2009/04/19 21:11:47 | 00,014,640 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg.dll
[2009/04/19 21:11:38 | 00,221,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wmpns.dll
[2009/04/19 21:11:35 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Media Connect 2
[2009/04/19 21:10:50 | 00,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2009/04/19 21:10:48 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\LogFiles
[2009/04/19 21:10:48 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\UMDF
[2009/04/19 16:44:44 | 00,000,000 | ---- | C] () -- C:\WINDOWS\iplayer.INI
[2009/04/19 16:43:55 | 00,000,779 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\InterActual Player.lnk
[2009/04/19 16:43:48 | 00,000,000 | ---D | C] -- C:\Program Files\InterActual
[2009/04/19 16:38:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\syscheck.INI
[2009/04/19 16:12:48 | 00,001,892 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\Rocky Horror Picture Show DVD.lnk
[2009/04/19 16:12:45 | 00,000,000 | ---D | C] -- C:\Program Files\Rocky Horror Picture Show DVD
[2009/04/19 16:12:39 | 00,872,772 | ---- | C] (Grooveware Multimedia) -- C:\WINDOWS\System32\Rocky Horror Picture Show DVD.scr
[2009/04/19 15:52:58 | 00,000,000 | ---- | C] () -- C:\WINDOWS\pcfriend.INI
[2009/04/19 15:51:18 | 00,000,609 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\PCFriendly DVD.lnk
[2009/04/19 15:51:11 | 00,000,000 | ---D | C] -- C:\Program Files\PCFriendly
[2009/04/19 15:25:45 | 01,091,196 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\What_Lurks.png
[2009/04/19 15:13:28 | 00,113,355 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\mammoth_cave.jpg
[2009/04/19 15:04:40 | 01,003,331 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\Skeleton_on_stage_lg.jpg
[2009/04/19 14:56:28 | 00,788,852 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\Iao Theater stage full view.jpg
[2009/04/19 14:53:05 | 00,379,038 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\0585-tpa-theater-stage-s1.jpg
[2009/04/19 14:50:26 | 00,098,359 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\Skeleton_on_stage_sm.jpg
[2009/04/19 14:46:08 | 00,035,311 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\stage3.jpg
[2009/04/19 14:43:21 | 01,319,456 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\Skeleton.pz3
[2009/04/19 14:43:21 | 00,198,582 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\Skeleton.pmd
[2009/04/19 14:42:56 | 00,072,029 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\Skeleton_Magician.png
[2009/04/19 13:11:59 | 03,368,001 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\vampire.pmd
[2009/04/19 13:11:59 | 01,996,077 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\vampire.pz3
[2009/04/19 13:11:47 | 00,078,214 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\vampire.png
[2009/04/19 12:05:52 | 00,001,602 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\Services.lnk
[2009/04/19 12:03:07 | 00,038,327 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\beautiful_skin_workshop.jpg
[2009/04/19 12:01:16 | 00,024,522 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\succubus.jpg
[2009/04/19 11:40:52 | 00,023,525 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\clinton.jpg
[2009/04/19 09:12:04 | 00,000,000 | ---D | C] -- C:\Program Files\GraphCalc
[2009/04/19 09:11:46 | 00,862,023 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\GraphCalc4.0.1.exe
[2009/04/17 17:05:37 | 00,155,799 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\eris_thumb.png
[2009/04/17 16:16:54 | 00,010,778 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\torch.jpg
[2009/04/17 15:54:55 | 00,023,785 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\cherry-belly-button-ring.jpg
[2009/04/17 13:12:25 | 00,263,007 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\eris_LIGHT1_0001.shm
[2009/04/17 12:08:30 | 00,754,258 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\eris.png
[2009/04/17 09:18:25 | 02,864,564 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\eris.pmd
[2009/04/17 09:18:25 | 02,640,498 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\eris.pz3
[2009/04/17 07:18:51 | 00,055,750 | ---- | C] () -- C:\Documents and Settings\Pyrael\Desktop\turd.jpg
[2009/04/13 08:43:35 | 00,000,192 | ---- | C] () -- C:\WINDOWS\System32\sam.ini
[2009/04/13 08:36:27 | 00,487,424 | ---- | C] () -- C:\WINDOWS\System32\FDRpage.dll
[2009/04/13 08:36:27 | 00,007,548 | ---- | C] () -- C:\WINDOWS\System32\drivers\Samhid.sys
[2009/04/13 07:45:43 | 00,000,285 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2009/04/05 10:19:01 | 00,002,727 | ---- | C] () -- C:\WINDOWS\DevMgr.ini
[2009/04/05 10:16:56 | 00,000,020 | ---- | C] () -- C:\WINDOWS\Hposcv07.INI
[2009/04/05 10:16:37 | 00,000,141 | ---- | C] () -- C:\WINDOWS\System32\AddPort.ini
[2009/04/05 10:16:36 | 00,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[2009/03/28 14:14:35 | 01,380,352 | ---- | C] () -- C:\WINDOWS\System32\mpich2shmp.dll
[2009/03/28 14:14:35 | 01,196,032 | ---- | C] () -- C:\WINDOWS\System32\mpich2.dll
[2009/03/28 14:14:35 | 01,175,552 | ---- | C] () -- C:\WINDOWS\System32\mpich2shm.dll
[2009/03/28 14:14:35 | 00,102,400 | ---- | C] () -- C:\WINDOWS\System32\mpich2mpi.dll
[2009/03/27 22:01:55 | 00,815,104 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/03/27 22:01:55 | 00,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/03/27 21:49:03 | 00,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/03/27 21:34:23 | 00,004,767 | ---- | C] () -- C:\WINDOWS\Irremote.ini
[2009/03/26 10:45:26 | 00,000,070 | ---- | C] () -- C:\WINDOWS\sbwin.ini
[2009/03/23 11:52:08 | 00,005,663 | ---- | C] () -- C:\WINDOWS\System32\Ludap17.ini
[2009/03/23 11:52:08 | 00,000,075 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2007/06/28 12:43:00 | 01,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/06/28 12:43:00 | 01,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/06/28 12:43:00 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/06/28 12:43:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/06/28 12:43:00 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2005/05/03 07:38:42 | 00,064,512 | ---- | C] () -- C:\WINDOWS\System32\P17.dll
[2004/08/04 08:00:00 | 00,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2004/08/04 08:00:00 | 00,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2004/08/04 08:00:00 | 00,000,528 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/04 08:00:00 | 00,000,231 | ---- | C] () -- C:\WINDOWS\system.ini
[2003/10/02 19:48:18 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\P17CPI.dll
[2003/06/25 01:38:06 | 00,159,744 | ---- | C] () -- C:\WINDOWS\System32\win2000.dll
[2002/04/11 10:41:06 | 00,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\A3d.dll
[1998/10/11 00:07:38 | 00,088,576 | ---- | C] () -- C:\WINDOWS\System32\Iticheck.dll

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2009/05/16 16:22:40 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Pyrael\Desktop\OTListIt2.exe
[2009/05/16 16:19:55 | 00,061,440 | ---- | M] () -- C:\WINDOWS\System32\drivers\gbbjqkd.sys
[2009/05/16 16:19:07 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\Pyrael\Local Settings\desktop.ini
[2009/05/16 16:19:04 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/05/16 16:19:03 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/05/15 19:21:12 | 02,967,800 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Pyrael\Desktop\mbam-setup.exe
[2009/05/15 19:16:21 | 00,001,374 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/05/15 17:02:19 | 36,119,516 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/05/15 17:02:07 | 00,056,731 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/05/15 12:59:05 | 00,009,356 | ---- | M] () -- C:\Documents and Settings\Pyrael\My Documents\JTS_Label.odt
[2009/05/14 16:51:00 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/05/14 12:15:33 | 00,359,883 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\dds.scr
[2009/05/14 11:14:11 | 00,000,491 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\Shortcut to HijackThis.exe.lnk
[2009/05/14 11:09:16 | 00,318,369 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\HiJackThis.zip
[2009/05/13 13:20:25 | 06,061,540 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/05/13 13:20:25 | 00,434,673 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/05/13 13:18:02 | 00,001,507 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 8.5.lnk
[2009/05/13 13:18:01 | 00,011,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/05/13 13:18:00 | 00,325,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/05/13 13:17:58 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/05/13 13:01:21 | 64,852,304 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\Pyrael\Desktop\avg_free_stf_en_85_329a1515.exe
[2009/05/13 11:36:46 | 00,000,065 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2009/05/13 11:36:33 | 00,787,000 | ---- | M] (Prevx) -- C:\Documents and Settings\Pyrael\Desktop\PREVXCSIFREE.EXE
[2009/05/13 11:20:09 | 01,709,408 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\taskmanager17.exe
[2009/05/13 11:13:30 | 00,000,112 | -H-- | M] () -- C:\aaw7boot.cmd
[2009/05/13 11:00:39 | 00,000,458 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/05/13 10:58:15 | 37,452,296 | ---- | M] (Lavasoft ) -- C:\Documents and Settings\Pyrael\Desktop\Ad-AwareAE.exe
[2009/05/13 10:28:26 | 16,409,960 | ---- | M] (Safer Networking Limited ) -- C:\Documents and Settings\Pyrael\Desktop\spybotsd162.exe
[2009/05/11 09:52:28 | 00,053,553 | ---- | M] () -- C:\Documents and Settings\Pyrael\My Documents\AutoSave_Untitled_1.skp
[2009/05/11 09:45:40 | 00,053,553 | ---- | M] () -- C:\Documents and Settings\Pyrael\My Documents\AutoSave_Untitled.skp
[2009/05/10 20:58:39 | 00,002,052 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Update Victoria 4.2 Base.lnk
[2009/05/10 15:37:33 | 02,735,265 | ---- | M] () -- C:\Documents and Settings\Pyrael\My Documents\homeworld.pz3
[2009/05/10 15:01:44 | 00,322,876 | ---- | M] () -- C:\Documents and Settings\Pyrael\My Documents\Untitled.3ds
[2009/05/10 14:59:28 | 00,091,648 | -HS- | M] () -- C:\Documents and Settings\Pyrael\Desktop\Thumbs.db
[2009/05/10 14:59:13 | 00,001,911 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Style Builder.lnk
[2009/05/10 14:59:13 | 00,001,825 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\LayOut 2.lnk
[2009/05/10 14:59:13 | 00,001,762 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google SketchUp 7.lnk
[2009/05/10 14:47:47 | 00,941,644 | ---- | M] () -- C:\Documents and Settings\Pyrael\My Documents\Untitled.skp
[2009/05/10 14:47:37 | 00,460,583 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\Untitled.kmz
[2009/05/10 14:45:08 | 00,338,875 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\Untitled.png
[2009/05/10 14:38:30 | 00,957,635 | ---- | M] () -- C:\Documents and Settings\Pyrael\My Documents\Untitled.skb
[2009/05/10 10:54:46 | 00,017,920 | -HS- | M] () -- C:\Documents and Settings\Pyrael\My Documents\Thumbs.db
[2009/05/10 09:29:46 | 00,000,806 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\Foxit PDF Editor.lnk
[2009/05/09 19:36:55 | 00,000,065 | ---- | M] () -- C:\WINDOWS\ARIEL_SS.INI
[2009/05/06 13:03:30 | 00,307,935 | ---- | M] () -- C:\Documents and Settings\Pyrael\My Documents\sixus1me.jpg
[2009/05/05 22:29:16 | 00,228,414 | ---- | M] () -- C:\Documents and Settings\Pyrael\My Documents\ChatangoInstaller.exe
[2009/05/04 09:12:53 | 00,004,252 | ---- | M] () -- C:\Documents and Settings\Pyrael\My Documents\OakAshandThorn_Trad_song.html
[2009/05/03 07:50:28 | 00,001,212 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2009/05/03 07:50:28 | 00,001,212 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2009/05/02 02:00:38 | 00,023,811 | ---- | M] () -- C:\Documents and Settings\Pyrael\My Documents\Beltane.odt
[2009/05/02 02:00:32 | 00,085,506 | ---- | M] () -- C:\Documents and Settings\Pyrael\My Documents\Beltane.pdf
[2009/05/01 15:16:25 | 56,014,5136 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\Audio.zip
[2009/04/30 19:59:23 | 07,373,240 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\pent.pz3
[2009/04/30 19:59:21 | 00,895,391 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\pent.pmd
[2009/04/30 11:03:38 | 00,167,250 | R--- | M] () -- C:\Documents and Settings\Pyrael\My Documents\homeimprovementcd.wav
[2009/04/27 13:43:48 | 03,368,001 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\vampire.pmd
[2009/04/27 13:43:48 | 01,996,077 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\vampire.pz3
[2009/04/25 22:58:13 | 00,056,720 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\NEW_CAMELOT.ODT
[2009/04/23 10:55:31 | 00,000,961 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Hex Workshop Hex Editor.lnk
[2009/04/21 08:55:49 | 00,000,030 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\pent.swf
[2009/04/20 12:09:23 | 00,002,991 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\SammyHagarYourLoveIsDrivingMeCrazy.aup
[2009/04/20 12:06:58 | 00,002,986 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\SammyHagarYourLoveIsDrivingMeCrazy.aup.bak
[2009/04/20 10:09:15 | 03,340,228 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\SammyHagarYourLoveIsDrivingMeCrazy.mp3
[2009/04/19 21:38:49 | 00,002,727 | ---- | M] () -- C:\WINDOWS\DevMgr.ini
[2009/04/19 21:11:48 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/04/19 21:11:42 | 00,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2009/04/19 21:11:42 | 00,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2009/04/19 21:11:38 | 00,000,528 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/04/19 21:10:50 | 00,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2009/04/19 16:44:44 | 00,000,000 | ---- | M] () -- C:\WINDOWS\iplayer.INI
[2009/04/19 16:43:59 | 00,000,609 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\PCFriendly DVD.lnk
[2009/04/19 16:43:55 | 00,000,779 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\InterActual Player.lnk
[2009/04/19 16:38:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\syscheck.INI
[2009/04/19 16:12:48 | 00,001,892 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\Rocky Horror Picture Show DVD.lnk
[2009/04/19 16:12:40 | 00,872,772 | ---- | M] (Grooveware Multimedia) -- C:\WINDOWS\System32\Rocky Horror Picture Show DVD.scr
[2009/04/19 15:52:58 | 00,000,000 | ---- | M] () -- C:\WINDOWS\pcfriend.INI
[2009/04/19 15:37:51 | 01,091,196 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\What_Lurks.png
[2009/04/19 15:26:56 | 00,078,214 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\vampire.png
[2009/04/19 15:13:28 | 00,113,355 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\mammoth_cave.jpg
[2009/04/19 15:05:24 | 00,072,029 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\Skeleton_Magician.png
[2009/04/19 15:04:40 | 01,003,331 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\Skeleton_on_stage_lg.jpg
[2009/04/19 14:56:29 | 00,788,852 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\Iao Theater stage full view.jpg
[2009/04/19 14:53:06 | 00,379,038 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\0585-tpa-theater-stage-s1.jpg
[2009/04/19 14:50:26 | 00,098,359 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\Skeleton_on_stage_sm.jpg
[2009/04/19 14:46:08 | 00,035,311 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\stage3.jpg
[2009/04/19 14:43:21 | 01,319,456 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\Skeleton.pz3
[2009/04/19 14:43:21 | 00,198,582 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\Skeleton.pmd
[2009/04/19 12:05:52 | 00,001,602 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\Services.lnk
[2009/04/19 12:03:07 | 00,038,327 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\beautiful_skin_workshop.jpg
[2009/04/19 12:01:16 | 00,024,522 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\succubus.jpg
[2009/04/19 11:40:52 | 00,023,525 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\clinton.jpg
[2009/04/19 09:11:46 | 00,862,023 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\GraphCalc4.0.1.exe
[2009/04/17 17:05:38 | 00,155,799 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\eris_thumb.png
[2009/04/17 17:04:13 | 00,754,258 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\eris.png
[2009/04/17 16:16:54 | 00,010,778 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\torch.jpg
[2009/04/17 16:11:24 | 02,640,498 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\eris.pz3
[2009/04/17 16:11:23 | 02,864,564 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\eris.pmd
[2009/04/17 15:59:49 | 00,023,785 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\cherry-belly-button-ring.jpg
[2009/04/17 14:30:20 | 00,263,007 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\eris_LIGHT1_0001.shm
[2009/04/17 07:19:38 | 00,055,750 | ---- | M] () -- C:\Documents and Settings\Pyrael\Desktop\turd.jpg
< End of report >


Extras.Txt:
OTListIt Extras logfile created on: 5/16/2009 4:23:29 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.15.8 Folder = C:\Documents and Settings\Pyrael\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.32 Gb Available Physical Memory | 66.18% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 4096 4096 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 13.24 Gb Free Space | 17.77% Space Free | Partition Type: NTFS
Drive D: | 149.04 Gb Total Space | 125.25 Gb Free Space | 84.04% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: R6S
Current User Name: Pyrael
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l
.scr [@ = scrfile] -- "%1" /S "%3"

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox 3.1 Beta 3\firefox.exe (Mozilla Corporation)

[HKEY_USERS\S-1-5-21-507921405-602609370-839522115-1004\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox 3.1 Beta 3\firefox.exe (Mozilla Corporation)

[HKEY_USERS\S-1-5-21-507921405-602609370-839522115-1005\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox 3.1 Beta 3\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 0
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2009/03/18 19:50:30 | 04,363,504 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger
[2009/05/13 13:17:53 | 01,085,208 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0711500B-9912-4D60-9A49-C577B4503D42}" = Nero Recode Help
"{07FF7593-9DEA-40B5-9F87-F557E65BBF60}" = Nero Recode
"{1122AAC4-AAAA-43BF-B2D4-3C8C12378952}" = Nero InfoTool
"{11A84FCA-C3C7-4AFD-A797-111DB8569DBC}" = Nero BurningROM
"{12345674-DE9A-677A-CCEE-666356D89777}" = Nero BurnRights
"{1B040683-C390-4711-ABC7-DA8D85E470E7}" = NeroBurningROM
"{1B1DDAD2-C704-49F8-8FC2-18DAAD9A87C5}" = Sound Blaster Audigy
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 13
"{2D3455A8-3B15-41A8-99F8-0D4215746463}" = Nero StartSmart
"{2E0C1913-886B-4C5C-8DAF-D1E649CE5FCC}" = Creative MediaSource
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3F30CC51-0788-487B-AA83-7214A239C0C0}" = Nero Disc Copy Gadget Help
"{4448ABF6-786D-4C3D-A49D-7BB237E6DD17}" = Foxit PDF IFilter
"{48E15C9C-E25C-40AD-A46B-AB270729B9B9}" = Google SketchUp Pro 7
"{4D42353B-533F-4306-AD0B-7FEF292ADE04}" = Nero CoverDesigner Help
"{4E8C27C2-D727-4C00-A90E-C3F6376EEE70}" = Nero ControlCenter
"{548F99E0-14CC-4D53-A7D6-4A62A5F2C748}" = Nero PhotoSnap
"{54A55DF7-BCC0-4C98-84AB-01CDA57687C7}" = Hex Workshop v5.1
"{56BE5CC9-95E6-4128-ABEA-968414CA9C80}" = DolbyFiles
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{5A62A775-A29A-4CE1-BBC2-4A9CD0B211EF}" = Nero Live Help
"{5AE12194-3EAA-40DF-B2BF-FE1D6B78BBF4}" = Nero Vision
"{5C2E8A0F-80E2-4C68-8CC0-D8D16E7196BF}" = Nero RescueAgent Help
"{5C42EAB8-54F9-423A-948C-1CBEF25F8DB4}" = Nero PhotoSnap Help
"{5C9BB0B3-E830-4814-BBA4-D93535E1C7B9}" = Nero Live
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6B976ADF-8AE8-434E-B282-A06C7F624D2F}" = Python 2.5.2
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{75321954-2589-11DC-DDCC-E98356D81493}" = Nero DriveSpeed
"{753973C4-B961-43BF-B2D4-3C8C92F7216E}" = Nero DriveSpeed
"{78523651-D8B1-11DC-CCEE-741589645873}" = Nero DiscSpeed
"{8C654BD0-1949-43DE-84F2-EC2A1ABB0CB4}" = Nero ShowTime
"{943CC0C0-2253-4FE0-9493-DD386F7857FD}" = Nero Express
"{948FFAAE-C57F-447B-9B07-3721E950BFDC}" = Nero ShowTime
"{961D53EA-40DC-4156-AD74-25684CE05F81}" = Nero Installer
"{9A875B56-A35C-46BA-A3AA-DF8D03EE9F2F}" = Nero ControlCenter
"{9cc89170-000b-457d-91f1-53691f85b223}" = Python 2.6.1
"{9F3523F8-DAD7-AE52-6DA7-45CDDDF33726}" = Advertising Center
"{A73BEC3C-40A0-480E-87EF-EFCD33629088}" = NeroExpress
"{A8399F58-234A-48C6-BA55-30C15738BF3C}" = Nero CoverDesigner
"{A8F2089B-1F79-4BF6-B385-A2C2B0B9A74D}" = ImagXpress
"{AAA12554-2589-11DC-92EF-E98356D81493}" = Nero InfoTool
"{AABBCC54-D8B1-11DC-92EF-E98356D81493}" = Nero DiscSpeed
"{AFAF626C-D2E6-455C-9A5A-ACDF049A6168}" = ASUS nVidia Driver
"{B2C12C8D-65DC-40BD-B309-5ADB0C6C8D8F}" = Nero WaveEditor
"{BCD82AB5-670D-4242-90FA-1F97103C16CD}" = Movie Templates - Starter Kit
"{BEEFC4F8-2909-48B3-AFAA-55D3533FDEDD}" = Creative MediaSource 5
"{C99C89A3-119A-45E6-B26E-DD5643CAA0C5}" = Menu Templates - Starter Kit
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{CD1826A5-CFCC-4C6E-9F9D-E181876162EA}" = Nero Rescue Agent
"{d3ea5369-fabf-41d2-bcf8-61be14eb7e66}" = Nero 9
"{D4A2EF65-9888-4EFF-8EA0-A2D2C3152A29}" = Samsung USB Driver (MCCI 4.34) WHQL v3.4
"{D7C206B6-1A63-4389-A8B1-8F607D0BFF1F}" = Nero StartSmart Help
"{E4A8DD87-A746-4443-BF25-CAF99CED6767}" = Nero Disc Copy Gadget
"{E52C258D-DCF6-411B-B690-06DAC5009F37}" = Foxit Reader
"{E86156E5-9859-440D-8876-26CED1349802}" = Nero WaveEditor Help
"{EA9FFE54-D8B1-11DC-92EF-E98356D81493}" = Nero BurnRights
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F44DA61E-720D-4E79-871F-F6E628B33242}" = OpenOffice.org 3.0
"{F53F6769-AC46-49E3-ABE3-2C8AFD39D0DD}" = Nero Vision
"{FA61D601-A0FC-48BD-AE7A-54946BCD7FB6}_is1" = BitPim 1.0.6
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AGSAdventureDev312SP1_is1" = Adventure Game Studio 3.1.2 SP1
"Ariel's Story Studio" = Ariel's Story Studio
"Audacity 1.3 Beta (Unicode)_is1" = Audacity 1.3.7 (Unicode)
"AVG8Uninstall" = AVG Free 8.5
"Blender" = Blender (remove only)
"Bogs Adventure in Easy3D_is1" = Bogs Adventure in Easy3D v1.00
"Chatango" = Chatango Message Catcher
"Crave_is1" = Crave 1.09
"Creative Software AutoUpdate" = Creative Software AutoUpdate
"Device Control" = Device Control
"DreamStation DXi2" = DreamStation DXi2
"EAXSet" = Creative EAX Settings
"Folding@Home Windows SMP Client" = Folding@Home Windows SMP Client
"Foxit PDF Editor" = Foxit PDF Editor
"GGE909 PC Recoil Pad" = GGE909 PC Recoil Pad
"GraphCalc v4.0.1_is1" = GraphCalc v4.0.1
"HijackThis" = HijackThis 2.0.2
"hp officejet 7100 series 1238941140" = hp officejet 7100 series
"Hydrogen" = Hydrogen
"InstallShield_{D4A2EF65-9888-4EFF-8EA0-A2D2C3152A29}" = Samsung USB Driver (MCCI 4.34) WHQL v3.4
"InterActual Player" = InterActual Player
"King's Quest III" = King's Quest III
"LAME for Audacity_is1" = LAME v3.98.2 for Audacity
"leafDrums2" = leafdigital leafDrums 2.1
"MagicDisc 2.7.106" = MagicDisc 2.7.106
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mask Of Eternity" = Mask Of Eternity
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"Mozilla Firefox (3.0.7)" = Mozilla Firefox (3.0.7)
"Mozilla Firefox (3.5b4)" = Mozilla Firefox (3.5b4)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NVIDIA Drivers" = NVIDIA Drivers
"PCFriendly" = PCFriendly
"Poser 7" = Poser 7
"PureVoice" = PureVoice 1.3.2
"pygtk-py2.6" = Python 2.6 pygtk-2.12.1
"Rocky Horror Picture Show DVD" = Rocky Horror Picture Show DVD
"Security Task Manager" = Security Task Manager 1.7h
"sfArk" = sfArk
"Sierra Utilities" = Sierra Utilities
"SMPlayer_is1" = SMPlayer 0.6.6
"SONAR8Producer_is1" = SONAR 8.0 Producer Edition
"SPEAKER" = Creative Speaker Settings
"Switch" = Switch Sound File Converter
"SysInfo" = Creative System Information
"The Silver Lining_is1" = TSL Alpha Demo - Public Demo RC1
"Trend Micro HouseCall 6.6" = HouseCall 6.6
"Ultimate ZIP Cracker" = Ultimate ZIP Cracker
"Victoria 4.2 Base DAZ Studio Content ps_pe069_Victoria4DS" = Victoria 4.2 Base DAZ Studio Content
"Victoria 4.2 Base ps_pe069_Victoria4" = Victoria 4.2 Base
"Vienna SoundFont Studio" = Creative Vienna SoundFont Studio
"Vuze" = Vuze
"WaveStudio 7" = Creative WaveStudio 7
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinGimp-2.0_is1" = GIMP 2.6.6
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Xvid_is1" = Xvid 1.2.1 final uninstall
"Yahoo! Messenger" = Yahoo! Messenger

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/24/2009 5:32:19 PM | Computer Name = R6S | Source = Application Error | ID = 1000
Description = Faulting application mask.exe, version 0.0.0.10, faulting module mask.exe,
version 0.0.0.10, fault address 0x000e8a3f.

Error - 4/24/2009 6:00:27 PM | Computer Name = R6S | Source = Application Error | ID = 1000
Description = Faulting application mask.exe, version 0.0.0.10, faulting module mask.exe,
version 0.0.0.10, fault address 0x000e8a3f.

Error - 5/4/2009 9:44:59 AM | Computer Name = R6S | Source = Application Hang | ID = 1002
Description = Hanging application moviemk.exe, version 2.1.4026.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/4/2009 10:36:31 AM | Computer Name = R6S | Source = Application Hang | ID = 1002
Description = Hanging application moviemk.exe, version 2.1.4026.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/7/2009 4:39:55 PM | Computer Name = R6S | Source = Application Hang | ID = 1002
Description = Hanging application Poser.exe, version 7.0.0.63, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/8/2009 10:13:59 PM | Computer Name = R6S | Source = Application Hang | ID = 1002
Description = Hanging application Poser.exe, version 7.0.0.63, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/10/2009 2:56:27 PM | Computer Name = R6S | Source = MsiInstaller | ID = 1013
Description = Product: Google SketchUp Pro 7 -- There is a newer version of Google
SketchUp already installed.

Error - 5/11/2009 9:46:20 AM | Computer Name = R6S | Source = Application Error | ID = 1000
Description = Faulting application sketchup.exe, version 7.0.8657.0, faulting module
msvcr80.dll, version 8.0.50727.762, fault address 0x00008a8c.

Error - 5/11/2009 9:54:27 AM | Computer Name = R6S | Source = Application Error | ID = 1000
Description = Faulting application sketchup.exe, version 7.0.8657.0, faulting module
msvcr80.dll, version 8.0.50727.762, fault address 0x00008a8c.

Error - 5/13/2009 10:59:03 AM | Computer Name = R6S | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

[ System Events ]
Error - 5/12/2009 9:05:03 PM | Computer Name = R6S | Source = Service Control Manager | ID = 7000
Description = The Parallel port driver service failed to start due to the following
error: %%1058

Error - 5/12/2009 9:08:34 PM | Computer Name = R6S | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1460

Error - 5/13/2009 10:59:48 AM | Computer Name = R6S | Source = DCOM | ID = 10010
Description = The server {49BD2028-1523-11D1-AD79-00C04FD8FDFF} did not register
with DCOM within the required timeout.

Error - 5/13/2009 11:00:42 AM | Computer Name = R6S | Source = Service Control Manager | ID = 7000
Description = The Parallel port driver service failed to start due to the following
error: %%1058

Error - 5/13/2009 11:05:41 AM | Computer Name = R6S | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1460

Error - 5/13/2009 11:24:03 AM | Computer Name = R6S | Source = Service Control Manager | ID = 7034
Description = The Java Quick Starter service terminated unexpectedly. It has done
this 1 time(s).

Error - 5/13/2009 1:08:10 PM | Computer Name = R6S | Source = Service Control Manager | ID = 7000
Description = The Parallel port driver service failed to start due to the following
error: %%1058

Error - 5/13/2009 1:09:18 PM | Computer Name = R6S | Source = Service Control Manager | ID = 7034
Description = The Java Quick Starter service terminated unexpectedly. It has done
this 1 time(s).

Error - 5/13/2009 1:09:21 PM | Computer Name = R6S | Source = Service Control Manager | ID = 7034
Description = The Folding@home-CPU-[1] service terminated unexpectedly. It has
done this 1 time(s).

Error - 5/13/2009 1:16:01 PM | Computer Name = R6S | Source = Service Control Manager | ID = 7000
Description = The Parallel port driver service failed to start due to the following
error: %%1058


< End of report >

Thanks again

Pyrael

Edited by Buckeye_Sam, 17 May 2009 - 08:08 AM.


#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:21 AM

Posted 17 May 2009 - 08:15 AM

Please do not enclose the logs you post into a code box. Just copy and paste them exactly as they are.


Please visit the online Jotti Virus Scanner
  • Click on Browse button.
  • Navigate to the following file and upload it.


    C:\WINDOWS\System32\drivers\gbbjqkd.sys


  • Click on the button.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.

If Jotti's too busy, try here:
Go here: http://www.virustotal.com/en/virustotalf.html



=================



Run OTListIt2.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTLI
    O20 - HKLM Winlogon: TaskMan - (C:\RECYCLER\S-1-5-21-4702827238-2137610469-248019476-3519\rundll32.exe) - C:\RECYCLER\S-1-5-21-4702827238-2137610469-248019476-3519\.exe File not found
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.7,85.255.112.88
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL2 log

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
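The fix script above removes two indicators from the OTL log: an O20 Winlogon TaskMan value pointing at an executable under C:\RECYCLER, and an O17 NameServer value that replaces the home network's resolvers with two public addresses. The Extras log posted earlier also shows the Windows Firewall StandardProfile with "EnableFirewall" = 0. The following is an added example, not code from the thread, from OldTimer's tool or from BleepingComputer, that applies those three checks to OTL-style log lines. The sample lines are constructed to mirror the entries in this thread; the EXPECTED_RESOLVERS allowlist and the path heuristics in taskman_is_suspicious are assumptions for the example.

```python
"""Triage OTListIt/HijackThis-style log lines for the indicators seen in
this thread: a hijacked O17 NameServer, an O20 Winlogon TaskMan value in a
user-writable location, and a disabled Windows Firewall profile."""
import ipaddress
import re

# Public resolvers the owner deliberately configured go here. The thread says
# every box on the home network uses the same static DNS settings, so an empty
# allowlist (assumption for this example) flags every non-private resolver.
EXPECTED_RESOLVERS = set()

_O17 = re.compile(r"^O17 - .*NameServer\s*=\s*(?P<servers>[\d., ]+)", re.I)
_O20 = re.compile(r"^O20 - .*Winlogon:\s*(?P<value>\w+)\s*-\s*\((?P<path>[^)]*)\)", re.I)
_FW = re.compile(r'^"EnableFirewall"\s*=\s*(?P<state>\d)', re.I)

# Constructed sample log, modelled on the lines in this thread (not a real capture).
SAMPLE_LOG = "\n".join([
    r"O20 - HKLM Winlogon: TaskMan - (C:\RECYCLER\S-1-5-21-4702827238-2137610469-248019476-3519\rundll32.exe) - File not found",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.7,85.255.112.88",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{GUID}: NameServer = 192.168.1.1",
    '"EnableFirewall" = 0',
])


def parse_nameservers(field):
    """'85.255.112.7,85.255.112.88' -> [IPv4Address, IPv4Address]; junk tokens are skipped."""
    out = []
    for tok in re.split(r"[,\s]+", field.strip()):
        try:
            out.append(ipaddress.ip_address(tok))
        except ValueError:
            continue
    return out


def nameserver_is_unexpected(ip):
    """A resolver is expected if it is on the LAN, loopback, or explicitly allowlisted."""
    return not (ip.is_private or ip.is_loopback or str(ip) in EXPECTED_RESOLVERS)


def taskman_is_suspicious(path):
    """Winlogon\\TaskMan is rarely set legitimately; anything outside %SystemRoot%
    or under RECYCLER/temp is treated as suspicious (heuristic, an assumption)."""
    p = path.lower()
    return "\\recycler\\" in p or "\\temp\\" in p or not p.startswith("c:\\windows\\")


def triage(log_text):
    """Return a list of (indicator, detail) findings for the given log text."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = _O17.match(line)
        if m:
            for ip in parse_nameservers(m.group("servers")):
                if nameserver_is_unexpected(ip):
                    findings.append(("O17-dns", str(ip)))
            continue
        m = _O20.match(line)
        if m and m.group("value").lower() == "taskman":
            if taskman_is_suspicious(m.group("path")):
                findings.append(("O20-taskman", m.group("path")))
            continue
        m = _FW.match(line)
        if m and m.group("state") == "0":
            findings.append(("firewall-off", "EnableFirewall = 0"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:13} {detail}")
```

An O17 hit only says the resolver is not one the owner configured; confirm it on the machine with `ipconfig /all` and compare against the router's settings. Note that the OTL fix in this thread reset only the global NameServer value under Tcpip\Parameters, while Windows also keeps a NameServer value per adapter under Tcpip\Parameters\Interfaces, so both should be checked after a DNS hijack. The firewall finding is worth acting on separately from the malware cleanup: with EnableFirewall = 0 in the active profile nothing on the host is filtering inbound connections.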

#7 pyrael

pyrael
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:07:21 AM

Posted 18 May 2009 - 06:05 AM

ok, sorry about the code boxes.

I tried uploading the file, XP states it does not exist. I tried viewing hidden files too. I did not find it under safe mode either.
Here is the log generated upon reboot by OTL2:

========== OTLISTIT ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\TaskMan:C:\RECYCLER\S-1-5-21-4702827238-2137610469-248019476-3519\rundll32.exe deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\\NameServer| /E : value set successfully!
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_5c4.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.

OTListIt2 by OldTimer - Version 2.0.15.8 log created on 05182009_065638

Files moved on Reboot...
File C:\WINDOWS\temp\Perflib_Perfdata_5c4.dat not found!

Registry entries deleted on Reboot...


I hope that's what you were looking for
thanks again
Pyrael

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:21 AM

Posted 18 May 2009 - 12:04 PM

Try this.
  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    • C:\WINDOWS\System32\drivers\gbbjqkd.sys
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

How is your computer behaving now?


========================================================

#9 pyrael

pyrael
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:07:21 AM

Posted 19 May 2009 - 11:36 AM

Same thing happened.

As soon as I click on the text field to paste the path, it brings up a browse window. I paste the path there and it complains the file doesn't exist. I tried using a different file and then changing the filename to the one specified, but it just opens the browse window again. I tried this under safe mode also :)

Is it possible that I need to do that specific scan again and get a new filename? Of course I have a limited understanding of this, but I have heard of viruses doing this kind of thing before and since I had to restart, well I'm sure you know what I mean LOL

It's running faster, but even after the DNS fix that I did (Changed back to the proper one in Local Area Connection), and the removal of the registry entry you had me do, I'm still getting strange re-directs to sites that I know exist.

What happens is that I will type something like spybot into Google and if I click the link to Spybot, which at the bottom of Firefox in the status bar will show http://www.safer-networking.org , the URL it sends me to will be some random thing. This last time it was this: http://www.stopzilla.com/products/stopzill...72&cid=1004

the time before that it was some site called missingpages.com

and I was even redirected to this: http://64.111.208.122/click.php?c=d73f962e...44fe55a75356000

which is now no longer valid

At times, my connection seems to severely slow and sometimes (twice while typing this) my keyboard no longer responds within this Tab and I must switch tabs, and then can come back and continue typing.

My router doesn't really show much info as far as what is blocked etc., just incoming IPs. I wish it showed me info on outgoing as I have no idea if it will block outgoing ports.
It's an NE041 (linksys network everywhere)

Thanks for the help, I hope I described the symptoms well enough.

Pyrael

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:21 AM

Posted 19 May 2009 - 02:29 PM

Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.


========================================================

#11 pyrael

pyrael
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:07:21 AM

Posted 19 May 2009 - 09:03 PM

here's the log file as requested

GooredFix v1.92 by jpshortstuff
Log created at 22:02 on 19/05/2009 running Option #1 (Pyrael)
Firefox version 3.5b4 (en-US)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.5b4\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox 3.1 Beta 3\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.5b4\extensions]
"Components"="C:\Program Files\Mozilla Firefox 3.1 Beta 3\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:21 AM

Posted 20 May 2009 - 11:35 AM

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message confirming it.


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


========================================================

#13 pyrael (Topic Starter, Members)

Posted 20 May 2009 - 02:23 PM

OK, I went as far as I am assuming I should :)

I downloaded it and ran it; it complained about my antivirus (took a bit to figure out how to disable it :thumbup2: ).
After that, it still said it was running, but the processes were gone. I let it continue; it downloaded and installed the Recovery Console (I thought it was already, but let it anyway).
It then scanned, found 2 suspicious files and then said it needed to reboot.

Upon reboot, it came up with a warning that ComboFix had been compromised by a file-patching virus called Virut and was not safe to continue.

The 2 files it found were:
C:\WINDOWS\System32\drivers\gxvxcrnvblxfqrmpfqjnrjxawviqhxrbltq.sys
C:\WINDOWS\System32\gxvxcldstanpotjaoapjwmtkypdqolphsklcf.dll

Neither exists in those locations. :step4:

#14 Buckeye_Sam (Malware Expert, Members)

Posted 20 May 2009 - 03:37 PM

Those are rootkit files and you won't be able to see them, but rest assured that they are there.


Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
Note: If you have problems with DrWeb shutting down before it completes the scan you can perform a custom scan and select individual folders to scan. In that case start with C:\Windows\System32

Please post the contents of the log from DrWeb in your next reply.


========================================================

#15 pyrael (Topic Starter, Members)

Posted 20 May 2009 - 06:31 PM

OK, here's the log:

rundll32.exe;c:\recycler\s-1-5-21-4702827238-2137610469-248019476-3519;Win32.HLLW.Lime.3;Deleted.;
FIND3M.bat;C:\ComboFix;Probably BATCH.Virus;;
ComboFix.exe/data002\32788R22FWJFW\FIND3M.bat;C:\Documents and Settings\Pyrael\Desktop\ComboFix.exe/data002;Probably BATCH.Virus;;
data002;C:\Documents and Settings\Pyrael\Desktop;Archive contains infected objects;;
ComboFix.exe;C:\Documents and Settings\Pyrael\Desktop;Container contains infected objects;Moved.;
FlashMenuFactory-DEMO-Setup.exe\data300;C:\Documents and Settings\Pyrael\My Documents\My Pictures\graphics.pyrael.com\FlashMenuFactory-DEMO-Setup.exe;Trojan.DownLoader.30503;;
FlashMenuFactory-DEMO-Setup.exe;C:\Documents and Settings\Pyrael\My Documents\My Pictures\graphics.pyrael.com;Container contains infected objects;Moved.;
gxvxcldstanpotjaoapjwmtkypdqolphsklcf.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;BackDoor.Tdss.155;;
S-7-2-22-100020030-100011358-100011199-2123.com;C:\RECYCLER;BackDoor.Tdss.119;;
S-9-8-77-100026960-100029969-100027187-1014.com;C:\RECYCLER;BackDoor.Tdss.119;;
A0024607.dll;C:\System Volume Information\_restore{556C5083-9492-4A7E-A176-527EF9EBFBBA}\RP138;BackDoor.Tdss.155;;
A0024634.exe;C:\System Volume Information\_restore{556C5083-9492-4A7E-A176-527EF9EBFBBA}\RP138;Win32.HLLW.Lime.3;;
A0024635.exe/data002\32788R22FWJFW\FIND3M.bat;C:\System Volume Information\_restore{556C5083-9492-4A7E-A176-527EF9EBFBBA}\RP138\A0024635.exe/data002;Probably BATCH.Virus;;
data002;C:\System Volume Information\_restore{556C5083-9492-4A7E-A176-527EF9EBFBBA}\RP138;Archive contains infected objects;;
A0024635.exe;C:\System Volume Information\_restore{556C5083-9492-4A7E-A176-527EF9EBFBBA}\RP138;Container contains infected objects;Moved.;
S-7-2-22-100020030-100011358-100011199-2123.com;D:\RECYCLER;BackDoor.Tdss.119;;
S-9-8-77-100026960-100029969-100027187-1014.com;D:\RECYCLER;BackDoor.Tdss.119;;

Honestly, I thought I had shut off System Restore.


thanks again
Pyrael
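A triage pass over the Dr.Web report posted above, written here as an added example; it is not a tool from the thread, from Dr.Web or from ComboFix. It parses the semicolon-separated DrWeb.csv format and applies one check a practitioner would want when reading a log like this: per-user folders under \RECYCLER are named after Windows SIDs, and a SID string always has revision 1 (S-1-...) with 32-bit sub-authorities, so names such as S-7-2-22-... and S-9-8-77-..., and a folder like s-1-5-21-4702827238-... whose sub-authority exceeds 32 bits, cannot be legitimate Recycle Bin entries. It also separates objects already sitting in ComboFix's quarantine (C:\Qoobox\Quarantine, .vir suffix), copies inside System Restore points, and "Probably" heuristic hits from everything else. The sample lines are a subset copied from the posted report; the category names are this example's own.

```python
import re
from collections import defaultdict

# Subset of the DrWeb.csv lines from the post above (copied, not a full report).
# Format: name;directory;detection;action;
SAMPLE_REPORT = """\
rundll32.exe;c:\\recycler\\s-1-5-21-4702827238-2137610469-248019476-3519;Win32.HLLW.Lime.3;Deleted.;
FIND3M.bat;C:\\ComboFix;Probably BATCH.Virus;;
gxvxcldstanpotjaoapjwmtkypdqolphsklcf.dll.vir;C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32;BackDoor.Tdss.155;;
S-7-2-22-100020030-100011358-100011199-2123.com;C:\\RECYCLER;BackDoor.Tdss.119;;
S-9-8-77-100026960-100029969-100027187-1014.com;C:\\RECYCLER;BackDoor.Tdss.119;;
A0024607.dll;C:\\System Volume Information\\_restore{556C5083-9492-4A7E-A176-527EF9EBFBBA}\\RP138;BackDoor.Tdss.155;;
S-7-2-22-100020030-100011358-100011199-2123.com;D:\\RECYCLER;BackDoor.Tdss.119;;
"""

# Anything that looks like a SID: S-<digits>-<digits>[-<digits>...]
SID_TOKEN = re.compile(r"S-\d+(?:-\d+)+", re.IGNORECASE)


def is_valid_sid(sid: str) -> bool:
    """A Windows SID string is S-<revision>-<authority>-<subauth>...: the only
    revision in use is 1, the authority is 48-bit, each sub-authority is an
    unsigned 32-bit value."""
    parts = sid.upper().split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1":
        return False
    try:
        authority = int(parts[2])
        subs = [int(p) for p in parts[3:]]
    except ValueError:
        return False
    return authority < 2 ** 48 and all(0 <= s <= 0xFFFFFFFF for s in subs)


def parse_report(text: str):
    """Split DrWeb.csv lines into records; the trailing ';' yields an empty field."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(";")
        if len(fields) < 3:
            continue
        records.append({
            "name": fields[0],
            "path": fields[1],
            "detection": fields[2],
            "action": fields[3] if len(fields) > 3 else "",
        })
    return records


def classify(rec) -> str:
    """Bucket one record; category names are this example's own."""
    full = rec["path"] + "\\" + rec["name"]
    upper = full.upper()
    if "\\RECYCLER" in upper:
        # A real Recycle Bin sub-folder is named after the owning user's SID.
        sids = SID_TOKEN.findall(full)
        if sids and not all(is_valid_sid(s) for s in sids):
            return "fake_sid_in_recycler"
    if "\\QOOBOX\\QUARANTINE" in upper or rec["name"].lower().endswith(".vir"):
        return "already_quarantined"          # ComboFix already moved it
    if "\\SYSTEM VOLUME INFORMATION\\_RESTORE" in upper:
        return "restore_point_copy"           # flushed by clearing System Restore
    if rec["detection"].startswith("Probably"):
        return "heuristic_only"               # needs a human judgement call
    return "live_object"


def triage(text: str):
    buckets = defaultdict(list)
    for rec in parse_report(text):
        buckets[classify(rec)].append(rec)
    return dict(buckets)


if __name__ == "__main__":
    for category, recs in triage(SAMPLE_REPORT).items():
        print(f"== {category} ({len(recs)})")
        for r in recs:
            print(f"   {r['path']}\\{r['name']}  [{r['detection']}]")
```

Run stand-alone it prints the four buckets the sample produces; all three RECYCLER entries on C: and the one on D: land in fake_sid_in_recycler, which is the bucket to act on first, while the quarantine and restore-point copies are leftovers that disappear once ComboFix's quarantine and System Restore are cleared.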



