
Task Manager Disabled, Regedit disabled, virus scanners detect but don't delete properly


  • This topic is locked
29 replies to this topic

#1 ldbright

ldbright

  • Members
  • 14 posts
  • OFFLINE
  • Local time:12:59 PM

Posted 23 June 2009 - 02:44 PM

Hi,

I've had what I believe to be a backdoor trojan on my computer for about 6 weeks now. It started with a malicious pop-up which kept appearing, making it look like I had loads of viruses and telling me that I needed to buy this virus scanner, and my computer would not power off when shutting down. I knew I had a virus, so I tried to use my scanner Malwarebytes, but it would not open; the virus had got to that as well. Eventually I tried copying Malwarebytes to removable media and managed to scan that way. I had lots of trojans, including Koobface. My computer was still really slow after the scan, and they had not been properly deleted because each scan kept bringing the trojans up again.

The next problem was my internet browser would not work. I eventually fixed it (can't remember how), but I believe the virus caused this. Then came the disabling of Task Manager, regedit and gpedit, which I have found out by reading forums how to get enabled again. I have since downloaded AVG; this tells me I have a trojan horse called 'Generic7'. Again I keep scanning, the same viruses are found and deleted, then on reboot they are there again. I also noticed that when I can access Task Manager some processes such as Windows Defender are really high, and the only way to run the computer without it crashing/slowing down is to terminate the process. One new thing that has only just started to happen is that the 'Task Manager/regedit has been disabled by administrator' pop-up sometimes appears and can't be closed; instead they multiply and I have to reboot.

Although I will confess my anti-virus prevention techniques are great, when I get viruses I can usually delete them or use a scan and get rid of them myself. This is the worst virus I have ever dealt with.

If anyone gets an opportunity, can you please look at my DDS and help me. It is much appreciated, thanks.

Louise

Attached Files


#2 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:59 AM

Posted 23 June 2009 - 04:35 PM

Hi and welcome to the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those we suggest to you while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

As I am in the final stages of training an Expert Coach will also oversee your fix. Your benefit will be "four eyes and two brains" but responses may be somewhat delayed so please be patient!!!!

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

==========

I need a more detailed view of your computer.
Please do this:
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
==========

With your next post please provide:

* RSIT info.txt
* RSIT log.txt

I will review your logs and post instructions forthcoming.
Regards,
t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 ldbright

ldbright
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:12:59 PM

Posted 23 June 2009 - 04:46 PM

First of all, can I say thank you for looking at my computer.
Here is the log:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Gwen at 2009-06-23 22:40:02
Microsoft Windows XP Professional Service Pack 3
System drive C: has 40 GB (35%) free of 114 GB
Total RAM: 446 MB (28% free)

HijackThis download failed

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\ParetoLogic Registration.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10C0B0C0-FC01-473b-8EBB-4376353F96E4}]
MSN helper - C:\WINDOWS\system32\bekbn.dll [2009-05-31 42496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-05-31 1107224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C7EFE99-C71F-48b8-8CC8-BA506CA76A33}]
MS extension - C:\WINDOWS\system32\xagkf32.dll [2009-05-19 34304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2009-05-31 2223872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{327C2873-E90D-4c37-AA9D-10AC9BABA46C} - Easy-WebPrint - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll [2006-06-09 552960]
{A057A204-BACC-4D26-9990-79A187E2698E} - AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2009-05-31 2223872]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"=C:\WINDOWS\system32\HDAShCut.exe [2005-01-07 61952]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2005-11-10 15473664]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2005-12-01 7311360]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2005-12-01 86016]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe [2006-11-09 49263]
"BJCFD"=C:\Program Files\BroadJump\Client Foundation\CFD.exe [2003-01-27 376912]
"4oD"=C:\Program Files\Kontiki\KHost.exe [2007-04-23 1032640]
"SSBkgdUpdate"=C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [2006-09-28 185896]
"OpwareSE4"=C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe [2006-10-11 75304]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-09-06 413696]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-05-31 1947928]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-10-01 289576]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"kdx"=C:\Program Files\Kontiki\KHost.exe [2007-04-23 1032640]
"AROReminder"=C:\Program Files\Advanced Registry Optimizer\aro.exe [2008-10-14 1925416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="karna.dat vktvih.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-05-31 11952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======File associations======

.js - edit - "C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe" "%1"

======List of files/folders created in the last 1 months======

2009-06-23 22:40:04 ----D---- C:\Program Files\trend micro
2009-06-23 22:40:02 ----D---- C:\rsit
2009-06-22 19:12:24 ----D---- C:\Documents and Settings\Gwen\Application Data\Sammsoft
2009-06-22 19:11:57 ----D---- C:\Program Files\Advanced Registry Optimizer
2009-06-22 18:50:41 ----D---- C:\Program Files\CCleaner
2009-06-18 13:20:39 ----A---- C:\WINDOWS\system32\al.txt
2009-05-31 20:37:13 ----D---- C:\Documents and Settings\Gwen\Application Data\WinRAR
2009-05-31 19:46:17 ----D---- C:\Documents and Settings\Gwen\Application Data\Sports Interactive
2009-05-31 18:50:44 ----D---- C:\Documents and Settings\Gwen\Application Data\Apple Computer
2009-05-31 18:21:44 ----HD---- C:\$AVG8.VAULT$
2009-05-31 17:58:54 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2009-05-31 17:58:28 ----D---- C:\Documents and Settings\Gwen\Application Data\AVGTOOLBAR
2009-05-31 12:18:40 ----D---- C:\Program Files\Common Files\ParetoLogic
2009-05-31 12:18:40 ----D---- C:\Documents and Settings\All Users\Application Data\ParetoLogic
2009-05-31 11:00:18 ----A---- C:\WINDOWS\system32\bekbn.dll
2009-05-24 09:09:41 ----D---- C:\WINDOWS\system32\121973

======List of files/folders modified in the last 1 months======

2009-06-23 22:40:04 ----RD---- C:\Program Files
2009-06-23 22:38:54 ----D---- C:\Documents and Settings\All Users\Application Data\Kontiki
2009-06-23 21:59:50 ----D---- C:\Program Files\Mozilla Firefox
2009-06-23 20:07:48 ----D---- C:\WINDOWS\Prefetch
2009-06-23 20:07:13 ----D---- C:\WINDOWS\Temp
2009-06-23 19:41:03 ----SD---- C:\WINDOWS\Tasks
2009-06-22 22:23:22 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-06-22 22:22:46 ----D---- C:\WINDOWS
2009-06-22 19:53:11 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2009-06-22 18:52:29 ----D---- C:\WINDOWS\Debug
2009-06-22 18:52:16 ----D---- C:\WINDOWS\Minidump
2009-06-22 18:52:04 ----SHD---- C:\RECYCLER
2009-06-22 13:17:58 ----D---- C:\WINDOWS\system32
2009-06-18 13:25:08 ----D---- C:\WINDOWS\system32\CatRoot
2009-06-18 13:24:42 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-06-18 13:23:45 ----HD---- C:\WINDOWS\inf
2009-06-18 13:14:10 ----D---- C:\WINDOWS\system32\CatRoot2
2009-06-11 12:36:38 ----D---- C:\Documents and Settings\Gwen\Application Data\Adobe
2009-06-02 22:00:45 ----AD---- C:\Documents and Settings\All Users\Application Data\Sports Interactive
2009-06-02 17:51:01 ----D---- C:\WINDOWS\system32\drivers
2009-06-02 17:35:45 ----D---- C:\WINDOWS\system32\Lang
2009-06-01 21:46:23 ----SD---- C:\Documents and Settings\Gwen\Application Data\Microsoft
2009-06-01 21:45:39 ----A---- C:\WINDOWS\ODBC.INI
2009-06-01 21:45:30 ----SHD---- C:\WINDOWS\Installer
2009-06-01 18:43:47 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-06-01 18:34:39 ----D---- C:\Program Files\Common Files
2009-06-01 18:26:38 ----D---- C:\WINDOWS\system32\appmgmt
2009-06-01 18:19:54 ----A---- C:\WINDOWS\DUMP755e.tmp
2009-06-01 17:33:42 ----A---- C:\WINDOWS\DUMP7dcb.tmp
2009-06-01 17:32:22 ----A---- C:\WINDOWS\DUMP80f7.tmp
2009-06-01 17:31:15 ----A---- C:\WINDOWS\DUMP82ad.tmp
2009-05-31 20:58:09 ----D---- C:\WINDOWS\system32\wbem
2009-05-31 20:57:19 ----D---- C:\WINDOWS\system32\sX3i19
2009-05-31 20:53:27 ----D---- C:\WINDOWS\system32\nas
2009-05-31 20:49:15 ----D---- C:\WINDOWS\system32\ITX
2009-05-31 20:41:08 ----D---- C:\WINDOWS\system32\dcs2
2009-05-30 16:39:02 ----D---- C:\WINDOWS\network diagnostic
2009-05-24 10:34:00 ----D---- C:\WINDOWS\system32\796525
2009-05-24 10:34:00 ----D---- C:\WINDOWS\system32\218538
2009-05-24 10:34:00 ----D---- C:\WINDOWS\system32\199638
2009-05-24 09:31:00 ----D---- C:\WINDOWS\system32\547372

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-05-31 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-05-31 27784]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-05-31 108552]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.4.5.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2008-08-05 21035]
R2 irda;IrDA Protocol; C:\WINDOWS\system32\DRIVERS\irda.sys [2008-04-13 88192]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\HdAudio.sys [2005-01-07 145920]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 irsir;Microsoft Serial Infrared Driver; C:\WINDOWS\system32\DRIVERS\irsir.sys [2001-08-17 18688]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2005-12-01 3535424]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2005-07-29 12928]
R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 RT61;Linksys Wireless-G PCI Adapter Driver(RT61); C:\WINDOWS\system32\DRIVERS\RT61.sys [2005-10-27 356096]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S2 EAPPkt;Realtek EAPPkt Protocol; C:\WINDOWS\system32\DRIVERS\EAPPkt.sys []
S2 xxnuxjnk;xxnuxjnk; C:\WINDOWS\system32\drivers\quxu.sys []
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 FXDRV;FXDRV; \??\D:\Fxdrv.sys []
S3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2005-11-10 4064256]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2005-07-29 34048]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2007-10-31 30464]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbcm;USB Cable Modem 351000 NDIS Driver; C:\WINDOWS\system32\DRIVERS\usbcm.sys [2006-11-23 13335]
S3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S3 zebrbus;Sony Ericsson Composite Device driver; C:\WINDOWS\system32\DRIVERS\zebrbus.sys [2007-04-13 83080]
S3 zebrmdmc;Sony Ericsson mRouter Port (WDM); C:\WINDOWS\system32\DRIVERS\zebrmdmc.sys [2007-04-13 108424]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apache2.2;Apache2.2; C:\Apache2.2\bin\httpd.exe [2008-12-10 24636]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-10-01 116040]
R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2009-05-31 908568]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-05-31 298776]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 Irmon;Infrared Monitor; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 KService;KService; C:\Program Files\Kontiki\KService.exe [2007-04-23 3068352]
R2 MySQL;MySQL; C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld --defaults-file=C:\Program Files\MySQL\MySQL Server 5.1\my.ini MySQL []
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2005-12-01 131139]
R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-10-01 536872]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

-----------------EOF-----------------

Here is the info:

info.txt logfile of random's system information tool 1.06 2009-06-23 22:40:11

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
4oD-->MsiExec.exe /I {8B7443F5-E141-42A0-AB61-ED2331AAD606}
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Advanced Registry Optimizer-->"C:\Program Files\Advanced Registry Optimizer\unins000.exe" /silent
Apache HTTP Server 2.2.11-->MsiExec.exe /I{85262A06-2D8C-4BC1-B6ED-5A705D09CFFC}
Apple Mobile Device Support-->MsiExec.exe /I{976C2B2A-CE59-4AB3-83FB-BF895E28F2E6}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
ArcSoft PhotoStudio 5.5-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85309D89-7BE9-4094-BB17-24999C6118FC}\SETUP.EXE" -l0x9
AVG Free 8.5-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Azureus-->C:\Program Files\Azureus\Uninstall.exe
Bonjour-->MsiExec.exe /I{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}
BroadJump Client Foundation-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\BroadJump\Client Foundation\Uninst.isu" -c"C:\Program Files\BroadJump\Client Foundation\RmvBJCFD.dll" -b"CFD" -h"CFD" -a
Canon MP Navigator 3.0-->"C:\Program Files\Canon\MP Navigator 3.0\Maint.exe" /UninstallRemove C:\Program Files\Canon\MP Navigator 3.0\uninst.ini
Canon MP460 User Registration-->C:\Program Files\Canon\IJEREG\MP460\UNINST.EXE
Canon MP460-->"C:\WINDOWS\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP460\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP460 /L0x0009
Canon Utilities Easy-PhotoPrint-->C:\Program Files\Canon\Easy-PhotoPrint\uninst.exe uninst.ini
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
DFE-530TX Driver-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{F2BB456F-C07B-4EDE-975F-4D6DED19750A}
Easy-WebPrint-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"
foobar2000 v0.9.4.2-->"C:\Program Files\foobar2000\uninstall.exe"
Football Manager 2008-->"C:\Program Files\Sports Interactive\Football Manager 2008\Uninstall_Football Manager 2008\Uninstall Football Manager 2008.exe"
Football Manager 2009-->"C:\Program Files\Sports Interactive\Football Manager 2009\Uninstall_Football Manager 2009\Uninstall Football Manager 2009.exe"
Google Earth-->MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
iTunes-->MsiExec.exe /I{DDDE0BE3-0CBE-4BF6-B75A-E3F69C947843}
J2SE Development Kit 5.0 Update 10-->MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0150100}
J2SE Runtime Environment 5.0 Update 10-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
Linksys Wireless-G PCI Adapter-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4DDC3BED-CC68-44AA-B435-D727B620CA5B}\setup.exe" -l0x9
Macromedia Dreamweaver 8-->MsiExec.exe /I{0837A661-FEC3-48B3-876C-91E7D32048A9}
Macromedia Extension Manager-->MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Monkey's Audio-->"C:\Program Files\Monkey's Audio\unins000.exe"
Mozilla Firefox (3.0.11)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN-->C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MySQL Server 5.1-->MsiExec.exe /I{01D76D8E-A496-4870-8357-87C6D2B5E807}
NetBeans IDE 5.0-->C:\Program Files\netbeans-5.0\_uninst\uninstaller.exe
NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Pacific Poker-->C:\PROGRA~1\PACIFI~1\UNWISE.EXE C:\PROGRA~1\PACIFI~1\INSTALL.LOG
Pixelfusion WMP Plugin 1.50-->"C:\Program Files\QO Labs\Pixelfusion WMP Plugin\unins000.exe"
PokerStars-->"C:\Program Files\PokerStars\PokerStarsUninstall.exe" /u:PokerStars
QuickTime-->MsiExec.exe /I{8DC42D05-680B-41B0-8878-6C14D24602DB}
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
RON Tool Netupbanner-->C:\WINDOWS\system32\mxaxjeoxes.exe
ScanSoft OmniPage SE 4.0-->MsiExec.exe /I{C1E693A4-B1D5-4DCD-B68D-2087835B7184}
Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB931768)-->"C:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Shockwave-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Sony Ericsson Media Manager 1.0-->MsiExec.exe /X{06AC45D1-CB9B-48CC-B5C8-1A55DEE26AD0}
SopCast 2.0.4-->C:\Program Files\SopCast\uninst.exe
Sun Java System Application Server Platform Edition-->"C:\Sun\AppServer\uninstall.exe" -javahome "C:\Program Files\Java\jdk1.5.0_10"
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
TVUPlayer 2.3.0.0-->C:\Program Files\TVUPlayer\uninst.exe
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
VideoLAN VLC media player 0.8.6a-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Windows Defender-->MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WinZip-->"C:\Program Files\WinZip\WINZIP32.EXE" /uninstall

======Hosts File======

127.0.0.1 microsoft

======Security center information======

AV: AVG Anti-Virus Free

======System event log======

Computer Name: LOUISEB1
Event Code: 7026
Message: The following boot-start or system-start driver(s) failed to load:
Beep

Record Number: 25674
Source Name: Service Control Manager
Time Written: 20090424230101.000000+060
Event Type: error
User:

Computer Name: LOUISEB1
Event Code: 7000
Message: The Realtek EAPPkt Protocol service failed to start due to the following error:
The system cannot find the file specified.


Record Number: 25673
Source Name: Service Control Manager
Time Written: 20090424230101.000000+060
Event Type: error
User:

Computer Name: LOUISEB1
Event Code: 7026
Message: The following boot-start or system-start driver(s) failed to load:
Beep

Record Number: 25649
Source Name: Service Control Manager
Time Written: 20091016192605.000000+060
Event Type: error
User:

Computer Name: LOUISEB1
Event Code: 7000
Message: The Realtek EAPPkt Protocol service failed to start due to the following error:
The system cannot find the file specified.


Record Number: 25648
Source Name: Service Control Manager
Time Written: 20091016192605.000000+060
Event Type: error
User:

Computer Name: LOUISEB1
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Record Number: 25643
Source Name: W32Time
Time Written: 20091016071230.000000+060
Event Type: warning
User:

=====Application event log=====

Computer Name: LOUISEB1
Event Code: 3299
Message: The Apache service named reported the following error:
>>> httpd.exe: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName .

Record Number: 1236
Source Name: Apache Service
Time Written: 20090112160453.000000+000
Event Type: error
User:

Computer Name: LOUISEB1
Event Code: 3299
Message: The Apache service named reported the following error:
>>> httpd.exe: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName .

Record Number: 1229
Source Name: Apache Service
Time Written: 20090112073233.000000+000
Event Type: error
User:

Computer Name: LOUISEB1
Event Code: 3299
Message: The Apache service named reported the following error:
>>> httpd.exe: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName .

Record Number: 1222
Source Name: Apache Service
Time Written: 20090111135041.000000+000
Event Type: error
User:

Computer Name: LOUISEB1
Event Code: 3299
Message: The Apache service named reported the following error:
>>> httpd.exe: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName .

Record Number: 1215
Source Name: Apache Service
Time Written: 20090110150439.000000+000
Event Type: error
User:

Computer Name: LOUISEB1
Event Code: 3299
Message: The Apache service named reported the following error:
>>> httpd.exe: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName .

Record Number: 1208
Source Name: Apache Service
Time Written: 20090109180129.000000+000
Event Type: error
User:

======Environment variables======

"CLASSPATH"=.;C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip
"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"NUMBER_OF_PROCESSORS"=1
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\,C:\PHP;C:\Program Files\MySQL\MySQL Server 5.1\bin
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 47 Stepping 2, AuthenticAMD
"PROCESSOR_LEVEL"=15
"PROCESSOR_REVISION"=2f02
"QTJAVA"=C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"windir"=%SystemRoot%

-----------------EOF-----------------

I have sent them as attachments too.

Louise

Attached Files

  • info.txt (17.08KB)
  • log.txt (14.79KB)


#4 thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male
  • Local time:06:59 AM

Posted 23 June 2009 - 04:57 PM

You're welcome :thumbup2:

No need to attach unless I ask. Copy and paste please.
Your infection blocked part of my log.

Please do this.....

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
==========

With your next post please provide:

* OTListIt.txt
* OTL Extra.txt

Kind regards,
t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#5 ldbright

  • Topic Starter

  • Members
  • 14 posts
  • Local time:12:59 PM

Posted 23 June 2009 - 05:04 PM

OTL:

OTL logfile created on: 23/06/2009 22:59:06 - Run 1
OTL by OldTimer - Version 3.0.5.1 Folder = C:\Documents and Settings\Gwen\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

446.48 Mb Total Physical Memory | 117.37 Mb Available Physical Memory | 26.29% Memory free
1.03 Gb Paging File | 0.51 Gb Available in Paging File | 49.38% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.78 Gb Total Space | 39.11 Gb Free Space | 34.99% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LOUISEB1
Current User Name: Gwen
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2008/12/10 01:10:14 | 00,024,636 | ---- | M] (Apache Software Foundation) -- C:\Apache2.2\bin\httpd.exe
PRC - [2008/10/01 14:06:14 | 00,116,040 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/05/31 17:58:01 | 00,298,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2008/08/29 11:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2007/04/23 11:22:14 | 03,068,352 | ---- | M] (Kontiki Inc.) -- C:\Program Files\Kontiki\KService.exe
PRC - [2008/11/15 06:53:14 | 06,447,744 | ---- | M] () -- C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
PRC - [2009/05/31 17:58:03 | 00,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/05/31 17:58:03 | 00,594,712 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2005/12/01 06:02:00 | 00,131,139 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe
PRC - [2009/05/31 17:58:03 | 00,908,568 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe
PRC - [2009/05/31 17:58:03 | 00,692,504 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2008/12/10 01:10:14 | 00,024,636 | ---- | M] (Apache Software Foundation) -- C:\Apache2.2\bin\httpd.exe
PRC - [2008/04/14 01:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2008/10/01 19:57:00 | 00,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/06/12 14:05:28 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2009/06/23 22:58:23 | 00,512,512 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Gwen\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/12/10 01:10:14 | 00,024,636 | ---- | M] (Apache Software Foundation) -- C:\Apache2.2\bin\httpd.exe -- (Apache2.2 [Auto | Running])
SRV - [2008/10/01 14:06:14 | 00,116,040 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2007/10/24 02:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2009/05/31 17:58:03 | 00,908,568 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc [Auto | Running])
SRV - [2009/05/31 17:58:01 | 00,298,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Running])
SRV - [2008/08/29 11:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2007/10/24 02:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/04/14 01:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2008/10/01 19:57:00 | 00,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])
SRV - [2008/04/14 01:11:55 | 00,028,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\irmon.dll -- (Irmon [Auto | Running])
SRV - [2007/04/23 11:22:14 | 03,068,352 | ---- | M] (Kontiki Inc.) -- C:\Program Files\Kontiki\KService.exe -- (KService [Auto | Running])
SRV - [2008/11/15 06:53:14 | 06,447,744 | ---- | M] () -- C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe -- (MySQL [Auto | Running])
SRV - [2005/12/01 06:02:00 | 00,131,139 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe -- (NVSvc [Auto | Running])
SRV - [2003/07/28 13:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend [Auto | Running])
SRV - [2006/10/18 21:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2008/08/05 20:06:29 | 00,021,035 | ---- | M] (Meetinghouse Data Communications) -- C:\WINDOWS\System32\DRIVERS\AegisP.sys -- (AegisP [Auto | Running])
DRV - [2009/05/31 17:58:49 | 00,325,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86 [System | Running])
DRV - [2009/05/31 17:58:47 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86 [System | Running])
DRV - [2009/05/31 17:58:54 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX [System | Running])
DRV - [2008/04/17 14:12:54 | 00,015,464 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2005/01/07 18:07:16 | 00,145,920 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\System32\drivers\HdAudio.sys -- (HdAudAddService [On_Demand | Running])
DRV - [2008/04/13 17:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\System32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2005/11/10 09:44:12 | 04,064,256 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Stopped])
DRV - [2001/08/17 14:51:32 | 00,018,688 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\irsir.sys -- (irsir [On_Demand | Running])
DRV - [2005/12/01 06:02:00 | 03,535,424 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Running])
DRV - [2005/07/29 10:11:02 | 00,034,048 | R--- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\NVENETFD.sys -- (NVENETFD [On_Demand | Stopped])
DRV - [2005/07/29 10:11:04 | 00,012,928 | R--- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nvnetbus.sys -- (nvnetbus [On_Demand | Running])
DRV - [2004/08/04 13:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2006/08/25 04:47:00 | 00,036,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2005/10/27 16:06:30 | 00,356,096 | ---- | M] (Ralink Technology Inc.) -- C:\WINDOWS\System32\DRIVERS\RT61.sys -- (RT61 [On_Demand | Running])
DRV - [2007/11/13 11:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [Auto | Running])
DRV - [2007/10/31 15:09:14 | 00,030,464 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\System32\Drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])
DRV - [2006/11/23 13:35:16 | 00,013,335 | R--- | M] (Microsystems Corp) -- C:\WINDOWS\System32\DRIVERS\usbcm.sys -- (usbcm [On_Demand | Stopped])
DRV - [2007/04/13 09:50:30 | 00,083,080 | ---- | M] (MCCI) -- C:\WINDOWS\System32\DRIVERS\zebrbus.sys -- (zebrbus [On_Demand | Stopped])
DRV - [2007/04/13 09:50:38 | 00,108,424 | ---- | M] (MCCI) -- C:\WINDOWS\System32\DRIVERS\zebrmdmc.sys -- (zebrmdmc [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1123561945-1563985344-839522115-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-1123561945-1563985344-839522115-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKU\S-1-5-21-1123561945-1563985344-839522115-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKU\S-1-5-21-1123561945-1563985344-839522115-1006\S-1-5-21-1123561945-1563985344-839522115-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-1123561945-1563985344-839522115-1006\S-1-5-21-1123561945-1563985344-839522115-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:8.5
FF - prefs.js..extensions.enabledItems: {1d5287d1-8a92-0001-1f31-1cec198018d8}:2.1.0.7
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.11

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG8\Firefox [2009/05/31 17:58:01 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{1d5287d1-8a92-0001-1f31-1cec198018d8}: C:\Program Files\AVG\AVG8\ToolbarFF [2009/05/31 17:58:01 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.11\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/06/12 14:05:34 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.11\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/06/12 14:05:34 | 00,000,000 | ---D | M]

[2009/05/13 14:53:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Gwen\Application Data\mozilla\Extensions
[2009/05/13 14:53:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Gwen\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2008/02/21 18:43:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Gwen\Application Data\mozilla\Firefox\Profiles\9xwt8hbr.default\extensions
[2009/06/02 15:28:30 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/06/12 14:05:34 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/06/12 14:05:27 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/06/12 14:05:27 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2001/05/24 17:42:58 | 00,032,768 | ---- | M] (Macromedia, Inc.) -- C:\Program Files\mozilla firefox\plugins\np32dsw.dll
[2005/12/05 23:31:00 | 00,114,688 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npmozax.dll
[2009/06/12 14:05:28 | 00,065,528 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2003/07/14 23:56:52 | 00,013,888 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\NPOFFICE.DLL
[2007/05/10 22:52:34 | 00,095,864 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2008/10/30 14:36:34 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2008/10/30 14:36:34 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2008/10/30 14:36:35 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2008/10/30 14:36:35 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2008/10/30 14:36:35 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2008/10/30 14:36:35 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2008/10/30 14:36:35 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2009/04/04 18:07:21 | 00,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2009/04/04 18:07:21 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/04/04 18:07:21 | 00,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2009/04/04 18:07:21 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/04/04 18:07:21 | 00,000,759 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2008/09/23 00:15:59 | 00,002,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\foxstart.xml
[2009/04/04 18:07:21 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/04/04 18:07:21 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/04/04 18:07:21 | 00,000,831 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: (755 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 microsoft
O2 - BHO: (MSN helper) - {10C0B0C0-FC01-473b-8EBB-4376353F96E4} - C:\WINDOWS\System32\bekbn.dll (AOL)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (MS extension) - {7C7EFE99-C71F-48b8-8CC8-BA506CA76A33} - C:\WINDOWS\System32\xagkf32.dll (Google Inc)
O2 - BHO: (AVG Security Toolbar) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll (AVG Technologies CZ, s.r.o.)
O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [4oD] C:\Program Files\Kontiki\KHost.exe (Kontiki Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe ()
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\HDAShCut.exe (Windows ® Server 2003 DDK provider)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [OpwareSE4] C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-21-1123561945-1563985344-839522115-1006..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe ()
O4 - HKU\S-1-5-21-1123561945-1563985344-839522115-1006..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe (Kontiki Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-1123561945-1563985344-839522115-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1123561945-1563985344-839522115-1006\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-1123561945-1563985344-839522115-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1123561945-1563985344-839522115-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O7 - HKU\S-1-5-21-1123561945-1563985344-839522115-1006_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1123561945-1563985344-839522115-1006_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll (Sun Microsystems, Inc.)
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\Program Files\PacificPoker\pacificpoker.exe (Cassava Ent.)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_10)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_10)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_10)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (karna.dat) - File not found
O20 - AppInit_DLLs: (vktvih.dll) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/01/12 20:14:57 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/06/23 22:58:03 | 00,512,512 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Gwen\Desktop\OTL.exe
[2009/06/23 22:40:04 | 00,000,000 | ---D | C] -- C:\Program Files\trend micro
[2009/06/23 22:40:02 | 00,000,000 | ---D | C] -- C:\rsit
[2009/06/23 22:38:40 | 00,781,909 | ---- | C] () -- C:\Documents and Settings\Gwen\Desktop\RSIT.exe
[2009/06/23 20:06:21 | 00,359,893 | ---- | C] () -- C:\Documents and Settings\Gwen\Desktop\dds.scr
[2009/06/22 20:15:45 | 00,057,344 | ---- | C] (Registry Fix) -- C:\Documents and Settings\Gwen\Desktop\RegistryFix.exe
[2009/06/22 19:12:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Gwen\Application Data\Sammsoft
[2009/06/22 19:11:58 | 00,001,718 | ---- | C] () -- C:\Documents and Settings\Gwen\Desktop\Check PC For Errors.lnk
[2009/06/22 19:11:57 | 00,000,000 | ---D | C] -- C:\Program Files\Advanced Registry Optimizer
[2009/06/22 18:55:40 | 00,607,060 | ---- | C] () -- C:\Documents and Settings\Gwen\My Documents\cc_20090622_185538.reg
[2009/06/22 18:55:24 | 02,288,448 | ---- | C] (Sammsoft ) -- C:\Documents and Settings\Gwen\Desktop\AROTrial_fs.exe
[2009/06/22 18:50:42 | 00,001,548 | ---- | C] () -- C:\Documents and Settings\Gwen\Desktop\CCleaner.lnk
[2009/06/22 18:50:41 | 00,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2009/06/22 18:49:33 | 03,247,736 | ---- | C] (Piriform Ltd) -- C:\Documents and Settings\Gwen\Desktop\ccsetup220.exe
[2009/06/21 12:10:53 | 00,643,976 | ---- | C] () -- C:\Documents and Settings\Gwen\Desktop\DG_174796.pdf
[2009/06/18 13:20:39 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\nk.dat
[2009/06/11 15:18:34 | 00,006,279 | ---- | C] () -- C:\Documents and Settings\Gwen\Desktop\DavesEmail_Delete_If_Im_Gone.rtf
[2009/06/11 11:07:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Gwen\Local Settings\Application Data\Adobe
[2009/06/11 11:04:31 | 00,053,791 | ---- | C] () -- C:\Documents and Settings\Gwen\Desktop\CV-DavidBassant.pdf
[2009/06/09 18:07:09 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Gwen\Local Settings\Application Data\Apple
[2009/05/31 20:37:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Gwen\Application Data\WinRAR
[2009/05/31 19:46:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Gwen\My Documents\Sports Interactive
[2009/05/31 19:46:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Gwen\Application Data\Sports Interactive
[2009/05/31 18:50:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Gwen\Application Data\Apple Computer
[2009/05/31 18:21:44 | 00,000,000 | -H-D | C] -- C:\$AVG8.VAULT$
[2009/05/31 17:58:55 | 00,001,507 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 8.5.lnk
[2009/05/31 17:58:54 | 00,108,552 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/05/31 17:58:54 | 00,011,952 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/05/31 17:58:49 | 00,325,896 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/05/31 17:58:47 | 00,027,784 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/05/31 17:58:28 | 37,384,209 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/05/31 17:58:28 | 06,061,540 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/05/31 17:58:28 | 00,434,673 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/05/31 17:58:28 | 00,086,799 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/05/31 17:58:28 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\Avg
[2009/05/31 17:58:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Gwen\Application Data\AVGTOOLBAR
[2009/05/31 17:50:35 | 65,103,168 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\Gwen\Desktop\avg_free_stf_en_85_339a1525.exe
[2009/05/31 12:50:31 | 00,000,444 | ---- | C] () -- C:\WINDOWS\tasks\ParetoLogic Registration.job
[2009/05/31 12:47:41 | 00,021,536 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2009/05/31 12:47:41 | 00,001,364 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2009/05/31 12:47:41 | 00,000,032 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox2.idx
[2009/05/31 12:47:41 | 00,000,032 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox2.dat
[2009/05/31 12:18:40 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\ParetoLogic
[2009/05/31 12:18:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2009/05/31 11:03:55 | 00,000,001 | ---- | C] () -- C:\WINDOWS\System32\q1.dat
[2009/05/31 11:03:55 | 00,000,001 | ---- | C] () -- C:\WINDOWS\System32\idm.dat
[2009/05/31 11:03:55 | 00,000,001 | ---- | C] () -- C:\WINDOWS\System32\ck.dat
[2009/05/31 11:03:55 | 00,000,001 | ---- | C] () -- C:\WINDOWS\System32\c2d.dat
[2009/05/31 11:00:31 | 00,000,002 | -H-- | C] () -- C:\WINDOWS\sonce122730.dat
[2009/05/31 11:00:18 | 00,042,496 | ---- | C] (AOL) -- C:\WINDOWS\System32\bekbn.dll
[2009/05/31 11:00:18 | 00,016,164 | ---- | C] () -- C:\WINDOWS\System32\fkas
[2009/05/12 22:58:41 | 00,000,197 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2008/12/18 15:35:01 | 02,076,672 | ---- | C] () -- C:\WINDOWS\System32\libmysql.dll
[2008/12/18 15:35:01 | 00,464,172 | ---- | C] () -- C:\WINDOWS\System32\libpq.dll
[2008/12/18 15:35:01 | 00,166,912 | ---- | C] () -- C:\WINDOWS\System32\libmcrypt.dll
[2008/12/18 15:35:01 | 00,165,643 | ---- | C] () -- C:\WINDOWS\System32\libmhash.dll
[2008/12/18 15:34:59 | 01,110,849 | ---- | C] () -- C:\WINDOWS\System32\aspell-15.dll
[2008/11/17 13:35:14 | 01,537,867 | -HS- | C] () -- C:\WINDOWS\System32\htkivlwc.ini
[2008/07/13 17:42:46 | 00,000,416 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2007/11/02 18:34:13 | 00,663,552 | ---- | C] () -- C:\WINDOWS\System32\libeay32_1-1-0_DDR.dll
[2007/11/02 18:34:13 | 00,532,594 | ---- | C] () -- C:\WINDOWS\System32\xerces-c_1_40_0_DDR.dll
[2007/11/02 18:34:13 | 00,524,377 | ---- | C] () -- C:\WINDOWS\System32\stlport_4_0_0_DDR.dll
[2007/11/02 18:34:13 | 00,307,329 | ---- | C] () -- C:\WINDOWS\System32\BJBase_2-2-2_DDR.dll
[2007/11/02 18:34:13 | 00,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32_1-1-0_DDR.dll
[2007/01/18 12:58:25 | 00,000,725 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/01/13 14:07:16 | 00,094,208 | ---- | C] () -- C:\WINDOWS\System32\GTW32N50.dll
[2007/01/13 14:07:02 | 00,000,920 | ---- | C] () -- C:\WINDOWS\System32\WLAN.INI
[2007/01/12 22:23:09 | 00,135,168 | R--- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2005/12/01 06:02:00 | 01,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2005/12/01 06:02:00 | 01,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2005/12/01 06:02:00 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2005/12/01 06:02:00 | 00,573,440 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2005/12/01 06:02:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2005/12/01 06:02:00 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2005/12/01 06:02:00 | 00,106,496 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2004/08/04 13:00:00 | 00,000,507 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/04 13:00:00 | 00,000,231 | ---- | C] () -- C:\WINDOWS\system.ini

========== Files - Modified Within 30 Days ==========

[2 C:\WINDOWS\System32\*.tmp files]
[9 C:\WINDOWS\*.tmp files]
[2009/06/23 22:58:23 | 00,512,512 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Gwen\Desktop\OTL.exe
[2009/06/23 22:39:11 | 00,781,909 | ---- | M] () -- C:\Documents and Settings\Gwen\Desktop\RSIT.exe
[2009/06/23 22:10:07 | 04,825,260 | -H-- | M] () -- C:\Documents and Settings\Gwen\Local Settings\Application Data\IconCache.db
[2009/06/23 20:06:46 | 00,359,893 | ---- | M] () -- C:\Documents and Settings\Gwen\Desktop\dds.scr
[2009/06/23 19:41:03 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2009/06/23 19:19:13 | 00,043,209 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/06/23 19:19:04 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/06/23 18:27:40 | 37,384,209 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/06/23 18:27:08 | 00,086,799 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/06/23 18:25:43 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/06/23 18:25:20 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/06/22 20:16:01 | 00,057,344 | ---- | M] (Registry Fix) -- C:\Documents and Settings\Gwen\Desktop\RegistryFix.exe
[2009/06/22 19:11:58 | 00,001,718 | ---- | M] () -- C:\Documents and Settings\Gwen\Desktop\Check PC For Errors.lnk
[2009/06/22 18:56:04 | 02,288,448 | ---- | M] (Sammsoft ) -- C:\Documents and Settings\Gwen\Desktop\AROTrial_fs.exe
[2009/06/22 18:55:51 | 00,607,060 | ---- | M] () -- C:\Documents and Settings\Gwen\My Documents\cc_20090622_185538.reg
[2009/06/22 18:50:42 | 00,001,548 | ---- | M] () -- C:\Documents and Settings\Gwen\Desktop\CCleaner.lnk
[2009/06/22 18:49:59 | 03,247,736 | ---- | M] (Piriform Ltd) -- C:\Documents and Settings\Gwen\Desktop\ccsetup220.exe
[2009/06/22 18:00:00 | 00,000,444 | ---- | M] () -- C:\WINDOWS\tasks\ParetoLogic Registration.job
[2009/06/21 23:00:10 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/06/21 12:11:18 | 00,643,976 | ---- | M] () -- C:\Documents and Settings\Gwen\Desktop\DG_174796.pdf
[2009/06/18 13:20:39 | 00,000,416 | ---- | M] () -- C:\WINDOWS\System32\nk.dat
[2009/06/16 18:07:04 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/06/11 15:18:35 | 00,006,279 | ---- | M] () -- C:\Documents and Settings\Gwen\Desktop\DavesEmail_Delete_If_Im_Gone.rtf
[2009/06/11 11:04:41 | 00,053,791 | ---- | M] () -- C:\Documents and Settings\Gwen\Desktop\CV-DavidBassant.pdf
[2009/06/01 21:45:39 | 00,000,725 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2009/06/01 18:33:44 | 00,021,536 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2009/06/01 18:33:44 | 00,001,364 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2009/06/01 18:33:44 | 00,000,032 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.idx
[2009/06/01 18:33:44 | 00,000,032 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.dat
[2009/05/31 17:58:55 | 00,001,507 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 8.5.lnk
[2009/05/31 17:58:54 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/05/31 17:58:54 | 00,011,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/05/31 17:58:49 | 00,325,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/05/31 17:58:47 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/05/31 17:58:28 | 06,061,540 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/05/31 17:58:28 | 00,434,673 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/05/31 17:55:46 | 65,103,168 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\Gwen\Desktop\avg_free_stf_en_85_339a1525.exe
[2009/05/31 11:03:55 | 00,000,001 | ---- | M] () -- C:\WINDOWS\System32\q1.dat
[2009/05/31 11:03:55 | 00,000,001 | ---- | M] () -- C:\WINDOWS\System32\idm.dat
[2009/05/31 11:03:55 | 00,000,001 | ---- | M] () -- C:\WINDOWS\System32\ck.dat
[2009/05/31 11:03:55 | 00,000,001 | ---- | M] () -- C:\WINDOWS\System32\c2d.dat
[2009/05/31 11:00:31 | 00,000,002 | -H-- | M] () -- C:\WINDOWS\sonce122730.dat
[2009/05/31 11:00:18 | 00,070,144 | ---- | M] () -- C:\WINDOWS\System32\inform.dat
[2009/05/31 11:00:18 | 00,042,496 | ---- | M] (AOL) -- C:\WINDOWS\System32\bekbn.dll
[2009/05/31 11:00:18 | 00,016,164 | ---- | M] () -- C:\WINDOWS\System32\fkas

========== Alternate Data Streams ==========

@Alternate Data Stream - 55838 bytes -> C:\Documents and Settings\All Users\Application Data\Sports Interactive:$ES_DESCRIPTOR_MVPUV1PKSVXJKX69UK1CWPP0DTVNYKM1UVXPJCEPP4DMJ3K1XYE7LRJEM53EPPJCFPLP45168LPSB5PL0EM6REGXHCTVVVVVVVVVVVVV
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >

Extra:

OTL Extras logfile created on: 23/06/2009 22:59:06 - Run 1
OTL by OldTimer - Version 3.0.5.1 Folder = C:\Documents and Settings\Gwen\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

446.48 Mb Total Physical Memory | 117.37 Mb Available Physical Memory | 26.29% Memory free
1.03 Gb Paging File | 0.51 Gb Available in Paging File | 49.38% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.78 Gb Total Space | 39.11 Gb Free Space | 34.99% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LOUISEB1
Current User Name: Gwen
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"80:TCP" = 80:TCP:*:Disabled:HTTP
"443:TCP" = 443:TCP:*:Disabled:HTTPS
"21:TCP" = 21:TCP:*:Disabled:FTP

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2009/05/31 17:58:03 | 00,908,568 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe
[2009/05/31 17:58:03 | 01,085,208 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe
[2009/05/31 17:58:03 | 00,594,712 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe
[2008/10/01 19:57:04 | 14,258,472 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01D76D8E-A496-4870-8357-87C6D2B5E807}" = MySQL Server 5.1
"{06AC45D1-CB9B-48CC-B5C8-1A55DEE26AD0}" = Sony Ericsson Media Manager 1.0
"{0837A661-FEC3-48B3-876C-91E7D32048A9}" = Macromedia Dreamweaver 8
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP460" = Canon MP460
"{1E04F83B-2AB9-4301-9EF7-E86307F79C72}" = Google Earth
"{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10
"{32A3A4F4-B792-11D6-A78A-00B0D0150100}" = J2SE Development Kit 5.0 Update 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4DDC3BED-CC68-44AA-B435-D727B620CA5B}" = Linksys Wireless-G PCI Adapter
"{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}" = Macromedia Extension Manager
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{85262A06-2D8C-4BC1-B6ED-5A705D09CFFC}" = Apache HTTP Server 2.2.11
"{85309D89-7BE9-4094-BB17-24999C6118FC}" = ArcSoft PhotoStudio 5.5
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour
"{8B7443F5-E141-42A0-AB61-ED2331AAD606}" = 4oD
"{8DC42D05-680B-41B0-8878-6C14D24602DB}" = QuickTime
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{976C2B2A-CE59-4AB3-83FB-BF895E28F2E6}" = Apple Mobile Device Support
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{C1E693A4-B1D5-4DCD-B68D-2087835B7184}" = ScanSoft OmniPage SE 4.0
"{DDDE0BE3-0CBE-4BF6-B75A-E3F69C947843}" = iTunes
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F2BB456F-C07B-4EDE-975F-4D6DED19750A}" = 530TX
"274c5407c4fa26908310cb5c1c5000001954585180" = NetBeans IDE 5.0
"4oD" = 4oD
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Advanced Registry Optimizer_is1" = Advanced Registry Optimizer
"AVG8Uninstall" = AVG Free 8.5
"Azureus" = Azureus
"BroadJump Client Foundation" = BroadJump Client Foundation
"Canon MP460 User Registration" = Canon MP460 User Registration
"CCleaner" = CCleaner (remove only)
"Easy-PhotoPrint" = Canon Utilities Easy-PhotoPrint
"Easy-WebPrint" = Easy-WebPrint
"foobar2000" = foobar2000 v0.9.4.2
"Football Manager 2008" = Football Manager 2008
"Football Manager 2009" = Football Manager 2009
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{F2BB456F-C07B-4EDE-975F-4D6DED19750A}" = DFE-530TX Driver
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Monkey's Audio_is1" = Monkey's Audio
"Mozilla Firefox (3.0.11)" = Mozilla Firefox (3.0.11)
"MP Navigator 3.0" = Canon MP Navigator 3.0
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"mxaxjeoxes" = RON Tool Netupbanner
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"Pacific Poker" = Pacific Poker
"Pixelfusion WMP Plugin_is1" = Pixelfusion WMP Plugin 1.50
"PokerStars" = PokerStars
"Shockwave" = Shockwave
"SopCast" = SopCast 2.0.4
"Sun Java System Application Server Platform Edition" = Sun Java System Application Server Platform Edition
"SystemRequirementsLab" = System Requirements Lab
"TVUPlayer" = TVUPlayer 2.3.0.0
"VLC media player" = VideoLAN VLC media player 0.8.6a
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 04/05/2009 08:13:34 | Computer Name = LOUISEB1 | Source = nview_info | ID = 11141121
Description =

Error - 04/05/2009 08:13:34 | Computer Name = LOUISEB1 | Source = nview_info | ID = 11141121
Description =

Error - 04/05/2009 08:13:34 | Computer Name = LOUISEB1 | Source = nview_info | ID = 11141121
Description =

Error - 04/05/2009 08:13:34 | Computer Name = LOUISEB1 | Source = nview_info | ID = 11141121
Description =

Error - 04/05/2009 08:13:35 | Computer Name = LOUISEB1 | Source = nview_info | ID = 11141121
Description =

Error - 04/05/2009 08:13:35 | Computer Name = LOUISEB1 | Source = nview_info | ID = 11141121
Description =

Error - 04/05/2009 08:13:35 | Computer Name = LOUISEB1 | Source = nview_info | ID = 11141121
Description =

Error - 04/05/2009 08:13:55 | Computer Name = LOUISEB1 | Source = nview_info | ID = 11141121
Description =

Error - 04/05/2009 16:06:08 | Computer Name = LOUISEB1 | Source = Apache Service | ID = 3299
Description = The Apache service named reported the following error: >>> httpd.exe:
Could not reliably determine the server's fully qualified domain name, using 127.0.0.1
for ServerName .

Error - 05/05/2009 10:37:52 | Computer Name = LOUISEB1 | Source = Apache Service | ID = 3299
Description = The Apache service named reported the following error: >>> httpd.exe:
Could not reliably determine the server's fully qualified domain name, using 127.0.0.1
for ServerName .

[ System Events ]
Error - 24/05/2009 04:32:48 | Computer Name = LOUISEB1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Beep

Error - 24/05/2009 04:57:15 | Computer Name = LOUISEB1 | Source = Service Control Manager | ID = 7000
Description = The xxnuxjnk service failed to start due to the following error: %%2

Error - 24/05/2009 04:57:15 | Computer Name = LOUISEB1 | Source = Service Control Manager | ID = 7000
Description = The Realtek EAPPkt Protocol service failed to start due to the following
error: %%2

Error - 24/05/2009 04:58:51 | Computer Name = LOUISEB1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Beep

Error - 24/05/2009 06:44:20 | Computer Name = LOUISEB1 | Source = Service Control Manager | ID = 7000
Description = The xxnuxjnk service failed to start due to the following error: %%2

Error - 24/05/2009 06:44:20 | Computer Name = LOUISEB1 | Source = Service Control Manager | ID = 7000
Description = The Realtek EAPPkt Protocol service failed to start due to the following
error: %%2

Error - 24/05/2009 06:44:20 | Computer Name = LOUISEB1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Beep

Error - 24/05/2009 06:52:05 | Computer Name = LOUISEB1 | Source = Service Control Manager | ID = 7000
Description = The xxnuxjnk service failed to start due to the following error: %%2

Error - 24/05/2009 06:52:05 | Computer Name = LOUISEB1 | Source = Service Control Manager | ID = 7000
Description = The Realtek EAPPkt Protocol service failed to start due to the following
error: %%2

Error - 24/05/2009 06:53:49 | Computer Name = LOUISEB1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Beep


< End of report >

Thanks
Louise

#6 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male
  • Local time:06:59 AM

Posted 24 June 2009 - 08:25 AM

Hello again Louise,
You have a particularly heavily infected computer. :)
Let's begin.

Please note......

:thumbup2: P2P Warning :)

Your log indicates that you have Azureus installed.

Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.

- They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.

- Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.

- The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Note: It is pretty much certain that if you continue to use P2P programs, then you will get infected again.
I would recommend that you uninstall Azureus; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add / Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

==========

The following is referring to Advanced Registry Optimizer.
Please be aware that BleepingComputer staff do not recommend the usage of registry cleaners / tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System
  • Registry tools can, as a result of the above, render your PC inoperable.
This is done assuming that the major audience here at this board might be inexperienced users, and is thus a suggested safeguard from our side.
If you feel you have the need for a registry cleaner, then you are just as welcome to keep it. This is what we refer to as an "optional fix" and is up to the user, so just take this as a recommendation from my side.

==========

Your logs show that you have Pacific Poker & Poker Stars installed on your computer. I know that you may use these (this) game(s) on a regular basis, but I think it's important to note that often these kinds of programmes are installed with other unwanted software, namely spyware or adware. Due to this I strongly suggest that you uninstall these programmes if you do not use them anymore or did not install these programmes yourself on purpose. There are so many online poker games out there these days that it is close to impossible to keep track of whether a programme is infected or not. Should you have installed this online poker game on purpose and wish to continue using it, you may ignore this. Should you decide to uninstall the programme, then you can do so by following the steps below:

You can remove this via Add/Remove.
If you are unsure of how to use Add or Remove Programs, then please see this tutorial:
How To Remove An Installed Program From Your Computer

==========

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.
==========

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

==========

With your next post please provide:

* Combofix.txt
* Gmer.log
* How is your computer running?

Kind regards,
t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#7 ldbright

ldbright
  • Topic Starter

  • Members
  • 14 posts
  • Local time:12:59 PM

Posted 24 June 2009 - 02:19 PM

Hi T,

I have removed azureus, my poker programs and the registry fixer tool as recommended. I have also run combofix and GMER. Whilst running these i had closed down AVG but it was still running. I tried to stop the processes on my task manager but they just came back. Then I tried to remove AVG with the idea I would reinstall it afterwards but it would not let me, an error message about a HKey came up. I could not close down window defender through task manager either.

My computer is now running a bit better; Internet Explorer now works! But in my processes in task manager I notice that MSMpEng.exe is still using a lot of memory, 48k. It is still quite slow, but I have not rebooted.

I was unsure what was meant by "a HijackThis log," sorry.

Louise

Combo Log:

ComboFix 09-06-23.01 - Gwen 24/06/2009 18:55.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.145 [GMT 1:00]
Running from: c:\documents and settings\Gwen\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\system32\199638
c:\windows\system32\218538
c:\windows\system32\sX3i19
c:\windows\9g2234wesdf3dfgjf23
c:\windows\f23567.dat
c:\windows\sonce122730.dat
c:\windows\system32\al.txt
c:\windows\system32\drivers\UACxuwkrwosthfwbev.sys
c:\windows\system32\dz1.txt
c:\windows\system32\htkivlwc.ini
c:\windows\system32\inform.dat
c:\windows\system32\kjs
c:\windows\system32\libmhash.dll
c:\windows\system32\p1.txt
c:\windows\system32\r24.txt
c:\windows\system32\skinboxer43.dll
c:\windows\system32\UACfmttprlplojvjqn.dll
c:\windows\system32\UAChaywqxwgryefpmd.log
c:\windows\system32\UAChsovnktnobxumns.dll
c:\windows\system32\UAChwvvwqbrbqpqije.dll
c:\windows\system32\UACicxgemlcfxhdxyk.log
c:\windows\system32\uacinit.dll
c:\windows\system32\UACnjncoreflrymffw.log
c:\windows\system32\UACpwbedfpkvpabuth.dll
c:\windows\system32\UACrfvitlexqreqohj.dll
c:\windows\system32\UACxlwexyyufxidvip.dat
c:\windows\system32\wbem\proquota.exe

c:\windows\system32\grpconv.exe was missing
Restored copy from - c:\system volume information\_restore{D819831C-0C72-468A-8ED6-EF79EC9E9AC6}\RP485\A0053115.exe

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\system volume information\_restore{D819831C-0C72-468A-8ED6-EF79EC9E9AC6}\RP485\A0053116.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_DHLP


((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-06-24 )))))))))))))))))))))))))))))))
.

2009-06-24 17:25 . 2009-06-24 17:25 -------- d-----w- c:\windows\LastGood
2009-06-24 17:14 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-06-24 17:14 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-06-24 17:14 . 2008-04-14 00:12 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe
2009-06-24 17:14 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-06-23 21:40 . 2009-06-23 21:40 -------- d-----w- c:\program files\trend micro
2009-06-23 21:40 . 2009-06-23 21:40 -------- d-----w- C:\rsit
2009-06-22 17:50 . 2009-06-22 17:50 -------- d-----w- c:\program files\CCleaner
2009-06-18 12:20 . 2009-06-18 12:20 416 ----a-w- c:\windows\system32\nk.dat
2009-06-11 10:07 . 2009-06-11 11:36 -------- d-----w- c:\documents and settings\Gwen\Local Settings\Application Data\Adobe
2009-06-09 17:07 . 2009-06-09 17:07 -------- d-----w- c:\documents and settings\Gwen\Local Settings\Application Data\Apple
2009-05-31 18:46 . 2009-05-31 18:46 -------- d-----w- c:\documents and settings\Gwen\Application Data\Sports Interactive
2009-05-31 17:50 . 2009-05-31 17:50 -------- d-----w- c:\documents and settings\Gwen\Application Data\Apple Computer
2009-05-31 17:21 . 2009-06-22 21:11 -------- d--h--w- C:\$AVG8.VAULT$
2009-05-31 16:58 . 2009-05-31 16:58 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-31 16:58 . 2009-05-31 16:58 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-31 16:58 . 2009-05-31 16:58 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-31 16:58 . 2009-05-31 16:58 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-31 16:58 . 2009-06-24 16:26 -------- d-----w- c:\windows\system32\drivers\Avg
2009-05-31 16:58 . 2009-06-22 19:22 -------- d-----w- c:\documents and settings\Gwen\Application Data\AVGTOOLBAR
2009-05-31 11:47 . 2009-06-01 17:33 32 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-05-31 11:47 . 2009-06-01 17:33 21536 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-05-31 11:18 . 2009-06-01 17:42 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-05-31 11:18 . 2009-06-01 17:42 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-05-31 10:03 . 2009-05-31 10:03 1 ----a-w- c:\windows\system32\q1.dat
2009-05-31 10:03 . 2009-05-31 10:03 1 ----a-w- c:\windows\system32\idm.dat
2009-05-31 10:03 . 2009-05-31 10:03 1 ----a-w- c:\windows\system32\ck.dat
2009-05-31 10:03 . 2009-05-31 10:03 1 ----a-w- c:\windows\system32\c2d.dat
2009-05-31 10:00 . 2009-05-31 10:00 42496 ----a-w- c:\windows\system32\bekbn.dll
2009-05-28 17:14 . 2009-05-28 17:14 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-24 18:03 . 2007-01-19 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-06-24 16:50 . 2008-11-16 13:33 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-24 16:37 . 2008-04-05 17:30 -------- d-----w- c:\program files\PokerStars
2009-06-24 16:37 . 2007-01-15 17:26 -------- d-----w- c:\program files\PacificPoker
2009-06-24 16:35 . 2007-01-14 19:59 -------- d-----w- c:\program files\Azureus
2009-06-02 21:00 . 2009-04-28 15:46 -------- d---a-w- c:\documents and settings\All Users\Application Data\Sports Interactive
2009-06-01 17:43 . 2009-04-25 09:37 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-01 17:33 . 2009-05-31 11:47 32 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-06-01 17:33 . 2009-05-31 11:47 1364 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-01 17:19 . 2007-01-12 18:54 90112 ----a-w- c:\windows\DUMP755e.tmp
2009-06-01 16:33 . 2007-01-12 18:54 90112 ----a-w- c:\windows\DUMP7dcb.tmp
2009-06-01 16:32 . 2007-01-12 18:54 90112 ----a-w- c:\windows\DUMP80f7.tmp
2009-06-01 16:31 . 2007-01-12 18:54 90112 ----a-w- c:\windows\DUMP82ad.tmp
2009-05-20 18:52 . 2008-11-16 14:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-19 16:49 . 2009-05-19 16:49 34304 ----a-w- c:\windows\system32\xagkf32.dll
2009-05-19 14:27 . 2008-02-21 17:41 52248 ----a-w- c:\documents and settings\Gwen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-16 14:16 . 2009-05-16 14:16 -------- d-----w- c:\program files\Windows Defender
2009-05-03 10:57 . 2009-05-03 10:57 1 ----a-w- c:\windows\z45ft5992f44.dat
2009-04-28 15:38 . 2007-01-16 17:38 -------- d-----w- c:\program files\Sports Interactive
2009-04-27 14:17 . 2008-03-31 07:57 3218 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-04-25 09:44 . 2009-04-25 09:44 2967799 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-04-06 14:32 . 2008-11-16 14:16 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 14:32 . 2008-11-16 14:16 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2005-07-29 16:24 . 2008-11-17 12:27 472 --sha-r- c:\windows\TG91aXNlIEJyaWdodG1hbg\n36Yurh5KHLVuqxCx3Y1v0.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-01 7311360]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-12-01 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 49263]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 376912]
"4oD"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-31 1947928]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HDAShCut.exe [2005-01-07 61952]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2005-11-10 15473664]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-12-01 1519616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-31 16:58 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:*:Disabled:HTTPS
"21:TCP"= 21:TCP:*:Disabled:FTP

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [31/05/2009 17:58 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [31/05/2009 17:58 108552]
R2 Apache2.2;Apache2.2;c:\apache2.2\bin\httpd.exe [10/12/2008 01:10 24636]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [31/05/2009 17:58 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [31/05/2009 17:58 298776]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
S2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\DRIVERS\EAPPkt.sys --> c:\windows\system32\DRIVERS\EAPPkt.sys [?]
S2 xxnuxjnk;xxnuxjnk;c:\windows\system32\drivers\quxu.sys --> c:\windows\system32\drivers\quxu.sys [?]
S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1A43B51D-2671-4bcc-89F0-9BC42DB29016}]
rundll32 fow64.dll,InitO

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2E1A9DE4-ADA0-4501-A46E-6633CDB01654}]
rundll32 xagkf32.dll,InitO

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{AC018590-FBBD-4789-A15B-FFBBBE6C8965}]
rundll32 bekbn.dll,InitO
.
Contents of the 'Scheduled Tasks' folder

2009-06-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-06-24 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath -
.

**************************************************************************

GMER Log:

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-24 19:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1123561945-1563985344-839522115-1006\Software\G*e*n*i*e*"!\FM Genie Scout 2009 XE]
"GameDir"="c:\\Documents and Settings\\Gwen\\My Documents\\Sports Interactive\\Football Manager 2009\\games"
"ShortlistDir"=""
"ScreenshotsDir"="c:\\Documents and Settings\\Gwen\\My Documents\\Sports Interactive\\Football Manager 2009"
"SaveDir"="c:\\Documents and Settings\\Gwen\\My Documents\\Sports Interactive\\Football Manager 2009\\"
"HistoryDir"="c:\\DOCUME~1\\Gwen\\LOCALS~1\\Temp\\Rar$EX02.422\\FM Genie Scout 2009 XE\\History Points"
"LangDB"="c:\\Program Files\\Sports Interactive\\Football Manager 2009\\data\\db\\900\\lang_db.dat"
"LastSaveGame"=""
"Language"="English"
"LoadLangDB"=dword:00000000
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000050
"GraphStep"=dword:00000000
"SkinName"="Champions League"
"LastUpdateCheck"=dword:00000000
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"Version"=dword:00000067
"UniqueID"="66-F605-0711"
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""
"Currency"=dword:00000056
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(688)
c:\program files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-24 19:07
ComboFix-quarantined-files.txt 2009-06-24 18:07

Pre-Run: 41,933,467,648 bytes free
Post-Run: 41,925,648,384 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

241 --- E O F --- 2009-06-24 17:29


GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-24 19:56:24
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code \??\C:\DOCUME~1\Gwen\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !
? C:\DOCUME~1\Gwen\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACxuwkrwosthfwbev.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACxuwkrwosthfwbev.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACpwbedfpkvpabuth.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACxlwexyyufxidvip.dat
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UAChsovnktnobxumns.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACrfvitlexqreqohj.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACfmttprlplojvjqn.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UAChwvvwqbrbqpqije.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UAChaywqxwgryefpmd.log
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACicxgemlcfxhdxyk.log
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACnjncoreflrymffw.log

---- EOF - GMER 1.0.15 ----

#8 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 24 June 2009 - 11:14 PM

Hi.
Major progress but a lot of work to do. :thumbup2:

For future reference, this is how you disable AVG or other security programs.
http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

==========

We need to upload a few suspicious files for closer inspection.
Do this..........

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the Jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

c:\windows\z45ft5992f44.dat
c:\windows\TG91aXNlIEJyaWdodG1hbg\n36Yurh5KHLVuqxCx3Y1v0.vbs
c:\windows\system32\drivers\quxu.sys

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal

==========

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 14.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

==========

:) Warning: This script was specifically written and designed for this user only. Unsupervised use of this tool could render your computer unbootable permanently!! :)

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\nk.dat
c:\windows\system32\q1.dat
c:\windows\system32\idm.dat
c:\windows\system32\ck.dat
c:\windows\system32\c2d.dat
c:\windows\system32\bekbn.dll
c:\windows\system32\xagkf32.dll
c:\windows\z45ft5992f44.dat
c:\windows\system32\drivers\quxu.sys

Folder::
c:\program files\PokerStars
c:\program files\PacificPoker
c:\program files\Azureus
c:\windows\TG91aXNlIEJyaWdodG1hbg

Driver::
xxnuxjnk

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1A43B51D-2671-4bcc-89F0-9BC42DB29016}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2E1A9DE4-ADA0-4501-A46E-6633CDB01654}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{AC018590-FBBD-4789-A15B-FFBBBE6C8965}]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UACd.sys]


Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==========

Let's get the rest of AVG removed and get another AV reinstalled! Or if you like AVG and you have the installer, you're welcome to reinstall it.

AVG Uninstaller

Two good antivirus programs free for non-commercial home use are Avast! and Antivir
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
Please download, install and run the program now. Copy and paste the logfile results in your next post.

==========

With your next post please provide:

* Upload results
* Combofix.txt
* New Installed Antivirus log

Kind regards,
t

Edited by thcbytes, 24 June 2009 - 11:15 PM.

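Added example, not from the post or from ComboFix: a small Python triage script that applies three of the checks thcbytes makes by eye on the log above, flagging services whose binary is missing ("[?]"), Active Setup entries that load a DLL by bare name through rundll32, and a browser proxy pointed at localhost, then drafts the File::/Driver::/Registry:: sections in the CFScript syntax the post uses. The sample log lines are constructed from names in the log above; the heuristics, and the assumption that a bare DLL sits in system32, are mine, and the draft still needs a helper's review (it also flags FXDRV, which the post left alone).

```python
"""Triage a ComboFix log for a few indicator types seen in the thread above."""
import re
from typing import Dict, List

# Constructed sample in the shape of the ComboFix log posted above; the
# names are copied from that log, the selection and layout are ours.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-31 1947928]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
S2 xxnuxjnk;xxnuxjnk;c:\windows\system32\drivers\quxu.sys --> c:\windows\system32\drivers\quxu.sys [?]
S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2E1A9DE4-ADA0-4501-A46E-6633CDB01654}]
rundll32 xagkf32.dll,InitO

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1A43B51D-2671-4bcc-89F0-9BC42DB29016}]
rundll32 fow64.dll,InitO

uInternet Settings,ProxyServer = http=localhost:7171
"""

# "R2 name;display name;image path [date size]" service lines
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
ACTIVE_SETUP_PREFIX = (
    "[hkey_local_machine\\software\\microsoft\\active setup\\installed components\\"
)
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+([^,\s]+),(\S+)$", re.IGNORECASE)
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(.+)$")


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious line; the heuristics are ours, not ComboFix's."""
    findings: List[Dict[str, str]] = []
    lines = [ln.rstrip() for ln in log_text.splitlines()]
    for i, line in enumerate(lines):
        m = SERVICE_RE.match(line)
        if m and line.endswith("[?]"):
            # ComboFix prints "path --> path [?]" when the service's binary is
            # not on disk: an orphaned service, or one hidden from the scan.
            state, name, _display, rest = m.groups()
            path = rest.split(" --> ")[0]
            findings.append({"kind": "service_missing_file", "name": name,
                             "path": path, "state": state})
            continue
        if line.lower().startswith(ACTIVE_SETUP_PREFIX) and line.endswith("]"):
            # The command for the key sits on the next non-blank line.
            cmd = next((ln for ln in lines[i + 1:] if ln.strip()), "")
            rm = RUNDLL_RE.match(cmd.strip())
            if rm and "\\" not in rm.group(1):
                # A DLL named without a path is resolved through the search
                # path, so a dropper only has to place its DLL in system32.
                findings.append({"kind": "active_setup_rundll32",
                                 "key": line[1:-1], "dll": rm.group(1),
                                 "entry": rm.group(2)})
            continue
        pm = PROXY_RE.match(line)
        if pm and re.search(r"(localhost|127\.0\.0\.1):\d+", pm.group(1)):
            # A proxy on the local machine routes every page the browser loads
            # through a process on this PC; a user rarely configures that.
            findings.append({"kind": "local_proxy", "value": pm.group(1)})
    return findings


def draft_cfscript(findings: List[Dict[str, str]]) -> str:
    """Draft CFScript sections in the syntax the post uses (File::, Driver::,
    Registry:: with [-KEY]). A helper still reviews it before anyone runs it."""
    files, drivers, keys = [], [], []
    for f in findings:
        if f["kind"] == "service_missing_file":
            files.append(f["path"])
            drivers.append(f["name"])
        elif f["kind"] == "active_setup_rundll32":
            # Assumption: the bare DLL lives in system32, as bekbn.dll and
            # xagkf32.dll did in the log above; confirm against "Files Created".
            files.append("c:\\windows\\system32\\" + f["dll"])
            keys.append("[-" + f["key"] + "]")
    out: List[str] = []
    for header, items in (("File::", files), ("Driver::", drivers), ("Registry::", keys)):
        if items:
            out.append(header)
            out.extend(items)
            out.append("")
    return "\n".join(out).rstrip() + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f)
    print(draft_cfscript(found))
```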

#9 ldbright

ldbright
  • Topic Starter

  • Members
  • 14 posts

Posted 25 June 2009 - 06:14 PM

Hi T,

Here are my results. I have disabled and deleted AVG, I now have avast!

Thanks again for all your help

Louise


Upload Results:

c:\windows\z45ft5992f44.dat

Filename: z45ft5992f44.dat
Status:
Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Thu 25 Jun 2009 22:11:10 (CET) Permalink


c:\windows\TG91aXNlIEJyaWdodG1hbg\n36Yurh5KHLVuqxCx3Y1v0.vbs

[ArcaVir]
2009-06-25 Trojan.Autorun.Uu
[G DATA]
2009-06-25 Adware.Isearch.D
[Emsisoft A-squared]
2009-06-25 AdWare.Isearch!IK
[Ikarus]
2009-06-25 AdWare.Isearch
[Avast! antivirus]
2009-06-25 VBS:Malware-gen
[Kaspersky Anti-Virus]
2009-06-25 Found nothing
[Grisoft AVG Anti-Virus]
2009-06-25 Found nothing
[ESET NOD32]
2009-06-25 Win32/Adware.ISearch
[Avira AntiVir]
2009-06-25 ADSPY/Isearch
[Norman Virus Control]
2009-06-25 VBS/CommAd.A
[Softwin BitDefender]
2009-06-25 Adware.Isearch.D
[Panda Antivirus]
2009-06-25 Adware/CommAd
[ClamAV]
2009-06-25 Found nothing
[Quick Heal]
2009-06-25 VBS/CommAd.A
[CPsecure]
2009-06-25 Found nothing
[Sophos]
2009-06-25 Found nothing
[Dr.Web]
2009-06-25 Found nothing
[VirusBlokAda VBA32]
2009-06-24 Found nothing
[Frisk F-Prot Antivirus]
2009-06-25 Found nothing
[VirusBuster]
2009-06-25 Found nothing
[F-Secure Anti-Virus]
2009-06-25 Found nothing



c:\windows\system32\drivers\quxu.sys
Could not find file

ComboFix.txt:

ComboFix 09-06-25.01 - Gwen 25/06/2009 22:16.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.187 [GMT 1:00]
Running from: c:\documents and settings\Gwen\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Gwen\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Azureus
c:\program files\Azureus\plugins\azplugins\azplugins_2.1.3.jar
c:\program files\Azureus\plugins\azrating\azrating_1.3.1.jar
c:\program files\Azureus\plugins\azupdater\azupdaterpatcher_1.8.3.jar
c:\program files\Azureus\plugins\azupdater\plugin.properties
c:\program files\Azureus\plugins\azupdater\Updater.jar
c:\program files\Azureus\Uninstall.exe
c:\program files\PacificPoker
c:\program files\PacificPoker\Cash\media\but68_0.bmp
c:\program files\PacificPoker\Cash\media\but68_1.bmp
c:\program files\PacificPoker\Cash\media\but86_0.bmp
c:\program files\PacificPoker\Cash\media\but86_1.bmp
c:\program files\PacificPoker\Cash\media\but87_0.bmp
c:\program files\PacificPoker\Cash\media\but87_1.bmp
c:\program files\PacificPoker\GameHist\media\american_express.bmp
c:\program files\PacificPoker\GameHist\media\aproved.bmp
c:\program files\PacificPoker\GameHist\media\BACK_TO_HIS_disable.bmp
c:\program files\PacificPoker\GameHist\media\BACK_TO_HIS_down.bmp
c:\program files\PacificPoker\GameHist\media\BACK_TO_HIS_over.bmp
c:\program files\PacificPoker\GameHist\media\BACK_TO_HIS_up.bmp
c:\program files\PacificPoker\GameHist\media\bankdraft.bmp
c:\program files\PacificPoker\GameHist\media\bonus.bmp
c:\program files\PacificPoker\GameHist\media\bonus2.bmp
c:\program files\PacificPoker\GameHist\media\canceled_by_user.bmp
c:\program files\PacificPoker\GameHist\media\cashout_down.bmp
c:\program files\PacificPoker\GameHist\media\cashout_headline.bmp
c:\program files\PacificPoker\GameHist\media\cashout_over.bmp
c:\program files\PacificPoker\GameHist\media\cashout_strip.bmp
c:\program files\PacificPoker\GameHist\media\cashout_title.bmp
c:\program files\PacificPoker\GameHist\media\cashout_up.bmp
c:\program files\PacificPoker\GameHist\media\check.bmp
c:\program files\PacificPoker\GameHist\media\decline.bmp
c:\program files\PacificPoker\GameHist\media\dep_wire.bmp
c:\program files\PacificPoker\GameHist\media\deposit_down.bmp
c:\program files\PacificPoker\GameHist\media\deposit_headline.bmp
c:\program files\PacificPoker\GameHist\media\deposit_over.bmp
c:\program files\PacificPoker\GameHist\media\deposit_strip.bmp
c:\program files\PacificPoker\GameHist\media\deposit_title.bmp
c:\program files\PacificPoker\GameHist\media\deposit_up.bmp
c:\program files\PacificPoker\GameHist\media\dinersclub.bmp
c:\program files\PacificPoker\GameHist\media\fax.bmp
c:\program files\PacificPoker\GameHist\media\FirePay.bmp
c:\program files\PacificPoker\GameHist\media\Font_Date_History.bmp
c:\program files\PacificPoker\GameHist\media\Font_History.bmp
c:\program files\PacificPoker\GameHist\media\FontLDig.bmp
c:\program files\PacificPoker\GameHist\media\games_list_header.bmp
c:\program files\PacificPoker\GameHist\media\games_list_sentence.bmp
c:\program files\PacificPoker\GameHist\media\games_list_strip.bmp
c:\program files\PacificPoker\GameHist\media\Hist_Plate.bmp
c:\program files\PacificPoker\GameHist\media\History_BG.bmp
c:\program files\PacificPoker\GameHist\media\HistoryLobby_BG.bmp
c:\program files\PacificPoker\GameHist\media\jp_history.bmp
c:\program files\PacificPoker\GameHist\media\lobby_disabled.bmp
c:\program files\PacificPoker\GameHist\media\lobby_down.bmp
c:\program files\PacificPoker\GameHist\media\lobby_over.bmp
c:\program files\PacificPoker\GameHist\media\lobby_up.bmp
c:\program files\PacificPoker\GameHist\media\logo_tour_multiple.bmp
c:\program files\PacificPoker\GameHist\media\logo_tour_sit_and_go.bmp
c:\program files\PacificPoker\GameHist\media\lose.bmp
c:\program files\PacificPoker\GameHist\media\mastercard.bmp
c:\program files\PacificPoker\GameHist\media\multiple_tour_down.bmp
c:\program files\PacificPoker\GameHist\media\multiple_tour_over.bmp
c:\program files\PacificPoker\GameHist\media\multiple_tour_up.bmp
c:\program files\PacificPoker\GameHist\media\my_tournaments_header.bmp
c:\program files\PacificPoker\GameHist\media\my_tournaments_strip.bmp
c:\program files\PacificPoker\GameHist\media\novus.bmp
c:\program files\PacificPoker\GameHist\media\OHLP_down.bmp
c:\program files\PacificPoker\GameHist\media\OHLP_over.bmp
c:\program files\PacificPoker\GameHist\media\OHLP_title.bmp
c:\program files\PacificPoker\GameHist\media\OHLP_up.bmp
c:\program files\PacificPoker\GameHist\media\OHP_down.bmp
c:\program files\PacificPoker\GameHist\media\OHP_over.bmp
c:\program files\PacificPoker\GameHist\media\OHP_title.bmp
c:\program files\PacificPoker\GameHist\media\OHP_up.bmp
c:\program files\PacificPoker\GameHist\media\online.bmp
c:\program files\PacificPoker\GameHist\media\pagedown1.bmp
c:\program files\PacificPoker\GameHist\media\pagedown2.bmp
c:\program files\PacificPoker\GameHist\media\pagedown3.bmp
c:\program files\PacificPoker\GameHist\media\pagedown4.bmp
c:\program files\PacificPoker\GameHist\media\pageup1.bmp
c:\program files\PacificPoker\GameHist\media\pageup2.bmp
c:\program files\PacificPoker\GameHist\media\pageup3.bmp
c:\program files\PacificPoker\GameHist\media\pageup4.bmp
c:\program files\PacificPoker\GameHist\media\paid.bmp
c:\program files\PacificPoker\GameHist\media\phone.bmp
c:\program files\PacificPoker\GameHist\media\poker_strip.bmp
c:\program files\PacificPoker\GameHist\media\poker_strip_.bmp
c:\program files\PacificPoker\GameHist\media\poker_strip_headline.bmp
c:\program files\PacificPoker\GameHist\media\poker_strip_headline_.bmp
c:\program files\PacificPoker\GameHist\media\processd.bmp
c:\program files\PacificPoker\GameHist\media\SCS_down.bmp
c:\program files\PacificPoker\GameHist\media\SCS_over.bmp
c:\program files\PacificPoker\GameHist\media\SCS_title.bmp
c:\program files\PacificPoker\GameHist\media\SCS_up.bmp
c:\program files\PacificPoker\GameHist\media\SCSHL_down.bmp
c:\program files\PacificPoker\GameHist\media\SCSHL_over.bmp
c:\program files\PacificPoker\GameHist\media\SCSHL_title.bmp
c:\program files\PacificPoker\GameHist\media\SCSHL_up.bmp
c:\program files\PacificPoker\GameHist\media\sit_and_go_down.bmp
c:\program files\PacificPoker\GameHist\media\sit_and_go_over.bmp
c:\program files\PacificPoker\GameHist\media\sit_and_go_up.bmp
c:\program files\PacificPoker\GameHist\media\Strip.bmp
c:\program files\PacificPoker\GameHist\media\Strip_Header.bmp
c:\program files\PacificPoker\GameHist\media\Strip_Header_tournament.bmp
c:\program files\PacificPoker\GameHist\media\Strip_Tour.bmp
c:\program files\PacificPoker\GameHist\media\Strip_tournament.bmp
c:\program files\PacificPoker\GameHist\media\StripTournamentName.bmp
c:\program files\PacificPoker\GameHist\media\THP_down.bmp
c:\program files\PacificPoker\GameHist\media\THP_over.bmp
c:\program files\PacificPoker\GameHist\media\THP_title.bmp
c:\program files\PacificPoker\GameHist\media\THP_up.bmp
c:\program files\PacificPoker\GameHist\media\time_font.bmp
c:\program files\PacificPoker\GameHist\media\time2lotto.bmp
c:\program files\PacificPoker\GameHist\media\user_has_left.bmp
c:\program files\PacificPoker\GameHist\media\visa.bmp
c:\program files\PacificPoker\GameHist\media\void.bmp
c:\program files\PacificPoker\GameHist\media\waiting.bmp
c:\program files\PacificPoker\GameHist\media\western.bmp
c:\program files\PacificPoker\GameHist\media\wire.bmp
c:\program files\PacificPoker\Login\media\Demo_Logo.bmp
c:\program files\PacificPoker\media\loader.swf
c:\program files\PacificPoker\NoFlash\CancelHover.bmp
c:\program files\PacificPoker\NoFlash\CancelUp.bmp
c:\program files\PacificPoker\NoFlash\DownloadHover.bmp
c:\program files\PacificPoker\NoFlash\DownloadUp.bmp
c:\program files\PacificPoker\NoFlash\FlashBtnUp.bmp
c:\program files\PacificPoker\Poker\media\4colorDeck.bmp
c:\program files\PacificPoker\Poker\media\BlackJack.bmp
c:\program files\PacificPoker\Poker\media\BlackJack_disabled.bmp
c:\program files\PacificPoker\Poker\media\BlackJack_light.bmp
c:\program files\PacificPoker\Poker\media\BlackJack_pressed.bmp
c:\program files\PacificPoker\PokerLobby\Media\BlackJack0.bmp
c:\program files\PacificPoker\PokerLobby\Media\BlackJack1.bmp
c:\program files\PacificPoker\PokerLobby\Media\BlackJack2.bmp
c:\program files\PacificPoker\PokerLobby\Media\BlackJack3.bmp
c:\program files\PacificPoker\ProcessList.txt
c:\program files\PacificPoker\promo.gif
c:\program files\PacificPoker\Settings\media\4colorDeck.bmp
c:\program files\PacificPoker\Settings\media\4colorDeckBW.bmp
c:\program files\PacificPoker\Settings\media\backcard1.bmp
c:\program files\PacificPoker\Settings\media\backcard2.bmp
c:\program files\PacificPoker\Settings\media\backcard3.bmp
c:\program files\PacificPoker\Settings\media\backcard4.bmp
c:\program files\PacificPoker\Settings\media\BackCardSmall1_1.bmp
c:\program files\PacificPoker\Settings\media\BackCardSmall1_2.bmp
c:\program files\PacificPoker\Settings\media\BackCardSmall1_3.bmp
c:\program files\PacificPoker\Settings\media\BackCardSmall1_4.bmp
c:\program files\PacificPoker\Settings\media\BackCardSmall1_5.bmp
c:\program files\PacificPoker\Settings\media\BackCardSmall1_6.bmp
c:\program files\PacificPoker\Settings\media\BackCardSmall1_7.bmp
c:\program files\PacificPoker\Settings\media\BackCardSmall1_8.bmp
c:\program files\PacificPoker\Settings\media\BackCardSmall2_1.bmp
c:\program files\PacificPoker\Settings\media\BackCardSmall2_2.bmp
c:\program files\PacificPoker\Settings\media\BackCardSmall2_3.bmp
c:\program files\PacificPoker\Settings\media\BackCardSmall2_4.bmp
c:\program files\PacificPoker\Settings\media\BackCardSmall2_5.bmp
c:\program files\PacificPoker\Settings\media\BackCardSmall2_6.bmp
c:\program files\PacificPoker\Settings\media\BackCardSmall2_7.bmp
c:\program files\PacificPoker\Settings\media\BackCardSmall2_8.bmp
c:\program files\PacificPoker\Settings\media\BackCardSmall3_1.bmp
c:\program files\PacificPoker\Settings\media\BackCardSmall3_2.bmp
c:\program files\PacificPoker\Settings\media\BackCardSmall3_3.bmp
c:\program files\PacificPoker\Settings\media\BackCardSmall3_4.bmp
c:\program files\PacificPoker\Settings\media\BackCardSmall3_5.bmp
c:\program files\PacificPoker\Settings\media\BackCardSmall3_6.bmp
c:\program files\PacificPoker\Settings\media\BackCardSmall3_7.bmp
c:\program files\PacificPoker\Settings\media\BackCardSmall3_8.bmp
c:\program files\PacificPoker\Settings\media\BackCardSmall4_1.bmp
c:\program files\PacificPoker\Settings\media\BackCardSmall4_2.bmp
c:\program files\PacificPoker\Settings\media\BackCardSmall4_3.bmp
c:\program files\PacificPoker\Settings\media\BackCardSmall4_4.bmp
c:\program files\PacificPoker\Settings\media\BackCardSmall4_5.bmp
c:\program files\PacificPoker\Settings\media\BackCardSmall4_6.bmp
c:\program files\PacificPoker\Settings\media\BackCardSmall4_7.bmp
c:\program files\PacificPoker\Settings\media\BackCardSmall4_8.bmp
c:\program files\PacificPoker\Settings\media\BackGr0.bmp
c:\program files\PacificPoker\Settings\media\BackGr1.bmp
c:\program files\PacificPoker\Settings\media\cancel0.bmp
c:\program files\PacificPoker\Settings\media\cancel1.bmp
c:\program files\PacificPoker\Settings\media\cancel2.bmp
c:\program files\PacificPoker\Settings\media\Card.wav
c:\program files\PacificPoker\Settings\media\checkSound.mp3
c:\program files\PacificPoker\Settings\media\checkSound.wav
c:\program files\PacificPoker\Settings\media\Chips.wav
c:\program files\PacificPoker\Settings\media\chipsLong.mp3
c:\program files\PacificPoker\Settings\media\Congratulations.mp3
c:\program files\PacificPoker\Settings\media\DEALING_FLOP_F.mp3
c:\program files\PacificPoker\Settings\media\DEALING_FLOP_M.mp3
c:\program files\PacificPoker\Settings\media\DEALING_RIVER_F.mp3
c:\program files\PacificPoker\Settings\media\DEALING_RIVER_M.mp3
c:\program files\PacificPoker\Settings\media\DEALING_TURN_F.mp3
c:\program files\PacificPoker\Settings\media\DEALING_TURN_M.mp3
c:\program files\PacificPoker\Settings\media\Fold.wav
c:\program files\PacificPoker\Settings\media\jet.wav
c:\program files\PacificPoker\Settings\media\JOIN_US_AGAIN_PCP_F.mp3
c:\program files\PacificPoker\Settings\media\JOIN_US_AGAIN_PCP_M.mp3
c:\program files\PacificPoker\Settings\media\mask.bmp
c:\program files\PacificPoker\Settings\media\NEW_PLAYER_AT_TABLE_F.mp3
c:\program files\PacificPoker\Settings\media\NEW_PLAYER_AT_TABLE_M.mp3
c:\program files\PacificPoker\Settings\media\ok0.bmp
c:\program files\PacificPoker\Settings\media\ok1.bmp
c:\program files\PacificPoker\Settings\media\ok2.bmp
c:\program files\PacificPoker\Settings\media\POPUP_MSG.mp3
c:\program files\PacificPoker\Settings\media\PushBut.wav
c:\program files\PacificPoker\Settings\media\restore0.bmp
c:\program files\PacificPoker\Settings\media\restore1.bmp
c:\program files\PacificPoker\Settings\media\restore2.bmp
c:\program files\PacificPoker\Settings\media\Settings_bg.bmp
c:\program files\PacificPoker\Settings\media\Table10.bmp
c:\program files\PacificPoker\Settings\media\Table8.bmp
c:\program files\PacificPoker\Settings\media\TimerPing.wav
c:\program files\PacificPoker\Settings\media\TimerPingLong.mp3
c:\program files\PacificPoker\Settings\media\U_WIN_F.mp3
c:\program files\PacificPoker\Settings\media\U_WIN_M.mp3
c:\program files\PacificPoker\Settings\media\WEL_PCP_GL_F.mp3
c:\program files\PacificPoker\Settings\media\WEL_PCP_GL_M.mp3
c:\program files\PacificPoker\Utils\ecinw_Demo.iss
c:\program files\PokerStars
c:\program files\PokerStars\_update2default.dat
c:\program files\PokerStars\_update2simple.dat
c:\program files\PokerStars\notes.txt
c:\program files\PokerStars\user.ini
c:\program files\PokerStars\user.ini.bak
c:\windows\TG91aXNlIEJyaWdodG1hbg
c:\windows\TG91aXNlIEJyaWdodG1hbg\n36Yurh5KHLVuqxCx3Y1v0.vbs

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_xxnuxjnk


((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-06-25 )))))))))))))))))))))))))))))))
.

2009-06-25 19:27 . 2009-06-25 19:27 -------- d-----w- c:\documents and settings\Gwen\Local Settings\Application Data\AVG Security Toolbar
2009-06-25 15:55 . 2009-06-14 15:07 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-25 15:54 . 2009-06-25 15:55 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-25 15:53 . 2009-06-25 15:53 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-24 18:06 . 2009-06-24 18:06 -------- dc----w- c:\windows\system32\dllcache\cache
2009-06-24 17:14 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-06-24 17:14 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-06-24 17:14 . 2008-04-14 00:12 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe
2009-06-24 17:14 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-06-23 21:40 . 2009-06-23 21:40 -------- d-----w- c:\program files\trend micro
2009-06-23 21:40 . 2009-06-23 21:40 -------- d-----w- C:\rsit
2009-06-18 12:20 . 2009-06-18 12:20 416 ----a-w- c:\windows\system32\nk.dat
2009-06-11 10:07 . 2009-06-11 11:36 -------- d-----w- c:\documents and settings\Gwen\Local Settings\Application Data\Adobe
2009-06-09 17:07 . 2009-06-09 17:07 -------- d-----w- c:\documents and settings\Gwen\Local Settings\Application Data\Apple
2009-05-31 18:46 . 2009-05-31 18:46 -------- d-----w- c:\documents and settings\Gwen\Application Data\Sports Interactive
2009-05-31 17:50 . 2009-05-31 17:50 -------- d-----w- c:\documents and settings\Gwen\Application Data\Apple Computer
2009-05-31 17:21 . 2009-06-22 21:11 -------- d--h--w- C:\$AVG8.VAULT$
2009-05-31 16:58 . 2009-06-25 21:05 -------- d-----w- c:\documents and settings\Gwen\Application Data\AVGTOOLBAR
2009-05-31 11:47 . 2009-06-01 17:33 32 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-05-31 11:47 . 2009-06-01 17:33 21536 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-05-31 11:18 . 2009-06-01 17:42 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-05-31 11:18 . 2009-06-01 17:42 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-05-31 10:03 . 2009-05-31 10:03 1 ----a-w- c:\windows\system32\q1.dat
2009-05-31 10:03 . 2009-05-31 10:03 1 ----a-w- c:\windows\system32\idm.dat
2009-05-31 10:03 . 2009-05-31 10:03 1 ----a-w- c:\windows\system32\ck.dat
2009-05-31 10:03 . 2009-05-31 10:03 1 ----a-w- c:\windows\system32\c2d.dat
2009-05-31 10:00 . 2009-05-31 10:00 42496 ----a-w- c:\windows\system32\bekbn.dll
2009-05-28 17:14 . 2009-05-28 17:14 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-25 21:25 . 2007-01-19 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-06-25 21:05 . 2008-11-16 13:33 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-02 21:00 . 2009-04-28 15:46 -------- d---a-w- c:\documents and settings\All Users\Application Data\Sports Interactive
2009-06-01 17:43 . 2009-04-25 09:37 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-01 17:33 . 2009-05-31 11:47 32 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-06-01 17:33 . 2009-05-31 11:47 1364 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-01 17:19 . 2007-01-12 18:54 90112 ----a-w- c:\windows\DUMP755e.tmp
2009-06-01 16:33 . 2007-01-12 18:54 90112 ----a-w- c:\windows\DUMP7dcb.tmp
2009-06-01 16:32 . 2007-01-12 18:54 90112 ----a-w- c:\windows\DUMP80f7.tmp
2009-06-01 16:31 . 2007-01-12 18:54 90112 ----a-w- c:\windows\DUMP82ad.tmp
2009-05-20 18:52 . 2008-11-16 14:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-19 16:49 . 2009-05-19 16:49 34304 ----a-w- c:\windows\system32\xagkf32.dll
2009-05-19 14:27 . 2008-02-21 17:41 52248 ----a-w- c:\documents and settings\Gwen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-16 14:16 . 2009-05-16 14:16 -------- d-----w- c:\program files\Windows Defender
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-03 10:57 . 2009-05-03 10:57 1 ----a-w- c:\windows\z45ft5992f44.dat
2009-04-29 04:56 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-28 15:38 . 2007-01-16 17:38 -------- d-----w- c:\program files\Sports Interactive
2009-04-27 14:17 . 2008-03-31 07:57 3218 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-04-25 09:44 . 2009-04-25 09:44 2967799 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-06 14:32 . 2008-11-16 14:16 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 14:32 . 2008-11-16 14:16 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-06-24_18.04.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-25 21:24 . 2009-06-25 21:24 16384 c:\windows\Temp\Perflib_Perfdata_634.dat
+ 2007-01-19 00:23 . 2008-07-09 07:38 17272 c:\windows\system32\spmsg.dll
- 2007-01-19 00:23 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll
- 2004-08-04 12:00 . 2009-02-20 18:09 44544 c:\windows\system32\pngfilt.dll
+ 2004-08-04 12:00 . 2009-04-29 04:56 44544 c:\windows\system32\pngfilt.dll
+ 2006-11-07 21:03 . 2009-04-29 04:55 52224 c:\windows\system32\msfeedsbs.dll
- 2006-11-07 21:03 . 2009-02-20 18:09 52224 c:\windows\system32\msfeedsbs.dll
- 2004-08-04 12:00 . 2009-02-20 18:09 27648 c:\windows\system32\jsproxy.dll
+ 2004-08-04 12:00 . 2009-04-29 04:55 27648 c:\windows\system32\jsproxy.dll
- 2006-11-07 03:26 . 2009-02-20 10:20 13824 c:\windows\system32\ieudinit.exe
+ 2006-11-07 03:26 . 2009-04-28 09:05 13824 c:\windows\system32\ieudinit.exe
+ 2004-08-04 12:00 . 2009-04-29 04:55 44544 c:\windows\system32\iernonce.dll
- 2004-08-04 12:00 . 2009-02-20 18:09 44544 c:\windows\system32\iernonce.dll
+ 2004-08-04 12:00 . 2009-04-28 09:05 70656 c:\windows\system32\ie4uinit.exe
- 2004-08-04 12:00 . 2009-02-20 10:20 70656 c:\windows\system32\ie4uinit.exe
+ 2006-10-17 11:58 . 2009-04-29 04:55 63488 c:\windows\system32\icardie.dll
- 2006-10-17 11:58 . 2009-02-20 18:09 63488 c:\windows\system32\icardie.dll
- 2004-08-04 12:00 . 2009-02-20 18:09 44544 c:\windows\system32\dllcache\pngfilt.dll
+ 2004-08-04 12:00 . 2009-04-29 04:56 44544 c:\windows\system32\dllcache\pngfilt.dll
+ 2007-05-08 18:39 . 2009-04-29 04:55 52224 c:\windows\system32\dllcache\msfeedsbs.dll
- 2007-05-08 18:39 . 2009-02-20 18:09 52224 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2004-08-04 12:00 . 2009-04-29 04:55 27648 c:\windows\system32\dllcache\jsproxy.dll
- 2004-08-04 12:00 . 2009-02-20 18:09 27648 c:\windows\system32\dllcache\jsproxy.dll
- 2007-05-08 18:39 . 2009-02-20 10:20 13824 c:\windows\system32\dllcache\ieudinit.exe
+ 2007-05-08 18:39 . 2009-04-28 09:05 13824 c:\windows\system32\dllcache\ieudinit.exe
- 2004-08-04 12:00 . 2009-02-20 18:09 44544 c:\windows\system32\dllcache\iernonce.dll
+ 2004-08-04 12:00 . 2009-04-29 04:55 44544 c:\windows\system32\dllcache\iernonce.dll
+ 2009-02-20 18:09 . 2009-04-29 04:55 78336 c:\windows\system32\dllcache\ieencode.dll
- 2009-02-20 18:09 . 2009-02-20 18:09 78336 c:\windows\system32\dllcache\ieencode.dll
+ 2004-08-04 12:00 . 2009-04-28 09:05 70656 c:\windows\system32\dllcache\ie4uinit.exe
- 2004-08-04 12:00 . 2009-02-20 10:20 70656 c:\windows\system32\dllcache\ie4uinit.exe
- 2007-08-20 10:04 . 2009-02-20 18:09 63488 c:\windows\system32\dllcache\icardie.dll
+ 2007-08-20 10:04 . 2009-04-29 04:55 63488 c:\windows\system32\dllcache\icardie.dll
+ 2009-06-24 18:06 . 2008-10-16 13:09 51224 c:\windows\system32\dllcache\cache\wuauclt.exe
+ 2009-06-24 18:06 . 2008-04-14 00:12 82432 c:\windows\system32\dllcache\cache\ws2_32.dll
+ 2009-06-24 18:06 . 2008-04-14 00:12 26112 c:\windows\system32\dllcache\cache\userinit.exe
+ 2009-06-24 18:06 . 2008-04-14 00:12 14336 c:\windows\system32\dllcache\cache\svchost.exe
+ 2009-06-24 18:06 . 2008-04-14 00:12 57856 c:\windows\system32\dllcache\cache\spoolsv.exe
+ 2009-06-24 18:06 . 2008-04-14 00:12 17408 c:\windows\system32\dllcache\cache\powrprof.dll
+ 2009-06-24 18:06 . 2008-04-14 00:12 13312 c:\windows\system32\dllcache\cache\lsass.exe
+ 2009-06-24 18:06 . 2008-04-13 18:39 24576 c:\windows\system32\dllcache\cache\kbdclass.sys
+ 2009-06-24 18:06 . 2008-04-13 18:53 36608 c:\windows\system32\dllcache\cache\ip6fw.sys
+ 2009-06-24 18:06 . 2008-04-14 00:12 15360 c:\windows\system32\dllcache\cache\ctfmon.exe
+ 2009-06-24 21:53 . 2009-02-20 18:09 44544 c:\windows\ie7updates\KB969897-IE7\pngfilt.dll
+ 2009-06-24 21:53 . 2009-02-20 18:09 52224 c:\windows\ie7updates\KB969897-IE7\msfeedsbs.dll
+ 2009-06-24 21:53 . 2009-02-20 18:09 27648 c:\windows\ie7updates\KB969897-IE7\jsproxy.dll
+ 2009-06-24 21:53 . 2009-02-20 10:20 13824 c:\windows\ie7updates\KB969897-IE7\ieudinit.exe
+ 2009-06-24 21:53 . 2009-02-20 18:09 44544 c:\windows\ie7updates\KB969897-IE7\iernonce.dll
+ 2009-06-24 21:53 . 2009-02-20 18:09 78336 c:\windows\ie7updates\KB969897-IE7\ieencode.dll
+ 2009-06-24 21:53 . 2009-02-20 10:20 70656 c:\windows\ie7updates\KB969897-IE7\ie4uinit.exe
+ 2009-06-24 21:53 . 2009-02-20 18:09 63488 c:\windows\ie7updates\KB969897-IE7\icardie.dll
+ 2004-08-04 12:00 . 2009-04-29 04:56 233472 c:\windows\system32\webcheck.dll
- 2004-08-04 12:00 . 2009-02-20 18:09 233472 c:\windows\system32\webcheck.dll
+ 2004-08-04 12:00 . 2009-04-29 04:56 105984 c:\windows\system32\url.dll
- 2004-08-04 12:00 . 2009-02-20 18:09 105984 c:\windows\system32\url.dll
+ 2004-08-04 12:00 . 2009-04-29 04:56 102912 c:\windows\system32\occache.dll
- 2004-08-04 12:00 . 2009-02-20 18:09 102912 c:\windows\system32\occache.dll
- 2004-08-04 12:00 . 2009-02-20 18:09 671232 c:\windows\system32\mstime.dll
+ 2004-08-04 12:00 . 2009-04-29 04:56 671232 c:\windows\system32\mstime.dll
- 2004-08-04 12:00 . 2009-02-20 18:09 193024 c:\windows\system32\msrating.dll
+ 2004-08-04 12:00 . 2009-04-29 04:56 193024 c:\windows\system32\msrating.dll
- 2004-08-04 12:00 . 2009-02-20 18:09 477696 c:\windows\system32\mshtmled.dll
+ 2004-08-04 12:00 . 2009-04-29 04:56 477696 c:\windows\system32\mshtmled.dll
- 2006-11-07 21:03 . 2009-02-20 18:09 459264 c:\windows\system32\msfeeds.dll
+ 2006-11-07 21:03 . 2009-04-29 04:55 459264 c:\windows\system32\msfeeds.dll
+ 2006-10-17 11:57 . 2009-04-29 04:55 268288 c:\windows\system32\iertutil.dll
- 2006-10-17 11:57 . 2009-02-20 18:09 268288 c:\windows\system32\iertutil.dll
+ 2004-08-04 12:00 . 2009-04-29 04:55 385024 c:\windows\system32\iedkcs32.dll
- 2004-08-04 12:00 . 2009-02-20 18:09 385024 c:\windows\system32\iedkcs32.dll
+ 2006-10-17 11:27 . 2009-04-29 04:55 383488 c:\windows\system32\ieapfltr.dll
- 2006-10-17 11:27 . 2009-02-20 18:09 383488 c:\windows\system32\ieapfltr.dll
+ 2004-08-04 12:00 . 2009-04-25 05:26 161792 c:\windows\system32\ieakui.dll
- 2004-08-04 12:00 . 2009-02-20 05:14 161792 c:\windows\system32\ieakui.dll
- 2004-08-04 12:00 . 2009-02-20 18:09 230400 c:\windows\system32\ieaksie.dll
+ 2004-08-04 12:00 . 2009-04-29 04:55 230400 c:\windows\system32\ieaksie.dll
- 2004-08-04 12:00 . 2009-02-20 18:09 153088 c:\windows\system32\ieakeng.dll
+ 2004-08-04 12:00 . 2009-04-29 04:55 153088 c:\windows\system32\ieakeng.dll
- 2007-01-12 19:00 . 2009-04-27 14:10 211288 c:\windows\system32\FNTCACHE.DAT
+ 2007-01-12 19:00 . 2009-06-25 15:43 211288 c:\windows\system32\FNTCACHE.DAT
- 2004-08-04 12:00 . 2009-02-20 18:09 133120 c:\windows\system32\extmgr.dll
+ 2004-08-04 12:00 . 2009-04-29 04:55 133120 c:\windows\system32\extmgr.dll
- 2004-08-04 12:00 . 2009-02-20 18:09 214528 c:\windows\system32\dxtrans.dll
+ 2004-08-04 12:00 . 2009-04-29 04:55 214528 c:\windows\system32\dxtrans.dll
+ 2004-08-04 12:00 . 2009-04-29 04:55 347136 c:\windows\system32\dxtmsft.dll
- 2004-08-04 12:00 . 2009-02-20 18:09 347136 c:\windows\system32\dxtmsft.dll
+ 2004-08-04 12:00 . 2009-04-29 04:56 827392 c:\windows\system32\dllcache\wininet.dll
+ 2004-08-04 12:00 . 2009-04-29 04:56 233472 c:\windows\system32\dllcache\webcheck.dll
- 2004-08-04 12:00 . 2009-02-20 18:09 233472 c:\windows\system32\dllcache\webcheck.dll
+ 2004-08-04 12:00 . 2009-04-29 04:56 105984 c:\windows\system32\dllcache\url.dll
- 2004-08-04 12:00 . 2009-02-20 18:09 105984 c:\windows\system32\dllcache\url.dll
+ 2009-04-15 14:51 . 2009-04-15 14:51 585216 c:\windows\system32\dllcache\rpcrt4.dll
+ 2004-08-04 12:00 . 2009-04-29 04:56 102912 c:\windows\system32\dllcache\occache.dll
- 2004-08-04 12:00 . 2009-02-20 18:09 102912 c:\windows\system32\dllcache\occache.dll
- 2004-08-04 12:00 . 2009-02-20 18:09 671232 c:\windows\system32\dllcache\mstime.dll
+ 2004-08-04 12:00 . 2009-04-29 04:56 671232 c:\windows\system32\dllcache\mstime.dll
- 2004-08-04 12:00 . 2009-02-20 18:09 193024 c:\windows\system32\dllcache\msrating.dll
+ 2004-08-04 12:00 . 2009-04-29 04:56 193024 c:\windows\system32\dllcache\msrating.dll
- 2004-08-04 12:00 . 2009-02-20 18:09 477696 c:\windows\system32\dllcache\mshtmled.dll
+ 2004-08-04 12:00 . 2009-04-29 04:56 477696 c:\windows\system32\dllcache\mshtmled.dll
- 2007-05-08 18:39 . 2009-02-20 18:09 459264 c:\windows\system32\dllcache\msfeeds.dll
+ 2007-05-08 18:39 . 2009-04-29 04:55 459264 c:\windows\system32\dllcache\msfeeds.dll
+ 2009-05-07 15:32 . 2009-05-07 15:32 345600 c:\windows\system32\dllcache\localspl.dll
+ 2007-01-12 19:12 . 2009-04-25 05:27 636088 c:\windows\system32\dllcache\iexplore.exe
+ 2007-05-08 18:39 . 2009-04-29 04:55 268288 c:\windows\system32\dllcache\iertutil.dll
- 2007-05-08 18:39 . 2009-02-20 18:09 268288 c:\windows\system32\dllcache\iertutil.dll
- 2004-08-04 12:00 . 2009-02-20 18:09 385024 c:\windows\system32\dllcache\iedkcs32.dll
+ 2004-08-04 12:00 . 2009-04-29 04:55 385024 c:\windows\system32\dllcache\iedkcs32.dll
+ 2007-05-08 18:39 . 2009-04-29 04:55 383488 c:\windows\system32\dllcache\ieapfltr.dll
- 2007-05-08 18:39 . 2009-02-20 18:09 383488 c:\windows\system32\dllcache\ieapfltr.dll
- 2004-08-04 12:00 . 2009-02-20 05:14 161792 c:\windows\system32\dllcache\ieakui.dll
+ 2004-08-04 12:00 . 2009-04-25 05:26 161792 c:\windows\system32\dllcache\ieakui.dll
+ 2004-08-04 12:00 . 2009-04-29 04:55 230400 c:\windows\system32\dllcache\ieaksie.dll
- 2004-08-04 12:00 . 2009-02-20 18:09 230400 c:\windows\system32\dllcache\ieaksie.dll
- 2004-08-04 12:00 . 2009-02-20 18:09 153088 c:\windows\system32\dllcache\ieakeng.dll
+ 2004-08-04 12:00 . 2009-04-29 04:55 153088 c:\windows\system32\dllcache\ieakeng.dll
+ 2004-08-04 12:00 . 2009-04-29 04:55 133120 c:\windows\system32\dllcache\extmgr.dll
- 2004-08-04 12:00 . 2009-02-20 18:09 133120 c:\windows\system32\dllcache\extmgr.dll
+ 2004-08-04 12:00 . 2009-04-29 04:55 214528 c:\windows\system32\dllcache\dxtrans.dll
- 2004-08-04 12:00 . 2009-02-20 18:09 214528 c:\windows\system32\dllcache\dxtrans.dll
+ 2004-08-04 12:00 . 2009-04-29 04:55 347136 c:\windows\system32\dllcache\dxtmsft.dll
- 2004-08-04 12:00 . 2009-02-20 18:09 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2009-06-24 18:06 . 2008-04-14 00:12 507904 c:\windows\system32\dllcache\cache\winlogon.exe
+ 2009-06-24 18:06 . 2009-03-03 00:18 826368 c:\windows\system32\dllcache\cache\wininet.dll
+ 2009-06-24 18:06 . 2008-04-14 00:12 578560 c:\windows\system32\dllcache\cache\user32.dll
+ 2009-06-24 18:06 . 2008-04-14 00:12 295424 c:\windows\system32\dllcache\cache\termsrv.dll
+ 2009-06-24 18:06 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\cache\tcpip.sys
+ 2009-06-24 18:06 . 2009-02-06 11:11 110592 c:\windows\system32\dllcache\cache\services.exe
+ 2009-06-24 18:06 . 2008-04-13 19:20 182656 c:\windows\system32\dllcache\cache\ndis.sys
+ 2009-06-24 18:06 . 2009-03-21 14:06 989696 c:\windows\system32\dllcache\cache\kernel32.dll
+ 2009-06-24 18:06 . 2008-04-14 00:11 110080 c:\windows\system32\dllcache\cache\imm32.dll
+ 2009-06-24 18:06 . 2008-04-14 00:11 167936 c:\windows\system32\dllcache\cache\appmgmts.dll
+ 2004-08-04 12:00 . 2009-04-29 04:55 124928 c:\windows\system32\dllcache\advpack.dll
- 2004-08-04 12:00 . 2009-02-20 18:09 124928 c:\windows\system32\dllcache\advpack.dll
+ 2004-08-04 12:00 . 2009-04-29 04:55 124928 c:\windows\system32\advpack.dll
- 2004-08-04 12:00 . 2009-02-20 18:09 124928 c:\windows\system32\advpack.dll
+ 2009-06-24 21:53 . 2009-03-03 00:18 826368 c:\windows\ie7updates\KB969897-IE7\wininet.dll
+ 2009-06-24 21:53 . 2009-02-20 18:09 233472 c:\windows\ie7updates\KB969897-IE7\webcheck.dll
+ 2009-06-24 21:53 . 2009-02-20 18:09 105984 c:\windows\ie7updates\KB969897-IE7\url.dll
+ 2009-06-24 21:53 . 2008-07-09 07:38 382840 c:\windows\ie7updates\KB969897-IE7\spuninst\updspapi.dll
+ 2009-06-24 21:53 . 2008-07-09 07:38 231288 c:\windows\ie7updates\KB969897-IE7\spuninst\spuninst.exe
+ 2009-06-24 21:53 . 2009-02-20 18:09 102912 c:\windows\ie7updates\KB969897-IE7\occache.dll
+ 2009-06-24 21:53 . 2009-02-20 18:09 671232 c:\windows\ie7updates\KB969897-IE7\mstime.dll
+ 2009-06-24 21:53 . 2009-02-20 18:09 193024 c:\windows\ie7updates\KB969897-IE7\msrating.dll
+ 2009-06-24 21:53 . 2009-02-20 18:09 477696 c:\windows\ie7updates\KB969897-IE7\mshtmled.dll
+ 2009-06-24 21:53 . 2009-02-20 18:09 459264 c:\windows\ie7updates\KB969897-IE7\msfeeds.dll
+ 2009-06-24 21:53 . 2009-02-28 04:54 636072 c:\windows\ie7updates\KB969897-IE7\iexplore.exe
+ 2009-06-24 21:53 . 2009-02-20 18:09 268288 c:\windows\ie7updates\KB969897-IE7\iertutil.dll
+ 2009-06-24 21:53 . 2009-02-20 18:09 385024 c:\windows\ie7updates\KB969897-IE7\iedkcs32.dll
+ 2009-06-24 21:53 . 2009-02-20 18:09 383488 c:\windows\ie7updates\KB969897-IE7\ieapfltr.dll
+ 2009-06-24 21:53 . 2009-02-20 05:14 161792 c:\windows\ie7updates\KB969897-IE7\ieakui.dll
+ 2009-06-24 21:53 . 2009-02-20 18:09 230400 c:\windows\ie7updates\KB969897-IE7\ieaksie.dll
+ 2009-06-24 21:53 . 2009-02-20 18:09 153088 c:\windows\ie7updates\KB969897-IE7\ieakeng.dll
+ 2009-06-24 21:53 . 2009-02-20 18:09 133120 c:\windows\ie7updates\KB969897-IE7\extmgr.dll
+ 2009-06-24 21:53 . 2009-02-20 18:09 214528 c:\windows\ie7updates\KB969897-IE7\dxtrans.dll
+ 2009-06-24 21:53 . 2009-02-20 18:09 347136 c:\windows\ie7updates\KB969897-IE7\dxtmsft.dll
+ 2009-06-24 21:53 . 2009-02-20 18:09 124928 c:\windows\ie7updates\KB969897-IE7\advpack.dll
+ 2004-08-04 12:00 . 2009-04-29 04:56 1159680 c:\windows\system32\urlmon.dll
+ 2004-08-04 12:00 . 2009-04-29 04:56 3596288 c:\windows\system32\mshtml.dll
- 2006-11-07 21:03 . 2009-02-20 18:09 6066176 c:\windows\system32\ieframe.dll
+ 2006-11-07 21:03 . 2009-04-29 04:55 6066176 c:\windows\system32\ieframe.dll
+ 2008-10-15 15:18 . 2009-04-17 12:26 1847168 c:\windows\system32\dllcache\win32k.sys
+ 2004-08-04 12:00 . 2009-04-29 04:56 1159680 c:\windows\system32\dllcache\urlmon.dll
+ 2004-08-04 12:00 . 2009-04-29 04:56 3596288 c:\windows\system32\dllcache\mshtml.dll
+ 2007-05-08 18:39 . 2009-04-29 04:55 6066176 c:\windows\system32\dllcache\ieframe.dll
- 2007-05-08 18:39 . 2009-02-20 18:09 6066176 c:\windows\system32\dllcache\ieframe.dll
+ 2009-06-24 18:06 . 2008-04-14 00:12 1614848 c:\windows\system32\dllcache\cache\sfcfiles.dll
+ 2009-06-24 18:06 . 2009-02-06 11:08 2189056 c:\windows\system32\dllcache\cache\ntoskrnl.exe
+ 2009-06-24 18:06 . 2009-02-07 18:02 2066048 c:\windows\system32\dllcache\cache\ntkrnlpa.exe
+ 2009-06-24 18:06 . 2008-04-14 00:12 1033728 c:\windows\system32\dllcache\cache\explorer.exe
+ 2009-06-24 21:53 . 2009-02-20 18:09 1160192 c:\windows\ie7updates\KB969897-IE7\urlmon.dll
+ 2009-06-24 21:53 . 2009-02-20 18:09 3595264 c:\windows\ie7updates\KB969897-IE7\mshtml.dll
+ 2009-06-24 21:53 . 2009-02-20 18:09 6066176 c:\windows\ie7updates\KB969897-IE7\ieframe.dll
+ 2009-06-24 21:53 . 2008-07-09 14:25 2455488 c:\windows\ie7updates\KB969897-IE7\ieapfltr.dat
+ 2007-01-18 11:47 . 2009-06-01 16:51 23635392 c:\windows\system32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 15:07 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-01 7311360]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-12-01 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 49263]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 376912]
"4oD"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HDAShCut.exe [2005-01-07 61952]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2005-11-10 15473664]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-12-01 1519616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:*:Disabled:HTTPS
"21:TCP"= 21:TCP:*:Disabled:FTP

R2 Apache2.2;Apache2.2;c:\apache2.2\bin\httpd.exe [10/12/2008 01:10 24636]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
S2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\DRIVERS\EAPPkt.sys --> c:\windows\system32\DRIVERS\EAPPkt.sys [?]
S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-06-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-06-25 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
- - - - ORPHANS REMOVED - - - -

Notify-avgrsstarter - avgrsstx.dll


.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-25 22:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP00000023DDEBD8B6F4D28FB9 524288 bytes

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1123561945-1563985344-839522115-1006\Software\G*e*n*i*e*"!\FM Genie Scout 2009 XE]
"GameDir"="c:\\Documents and Settings\\Gwen\\My Documents\\Sports Interactive\\Football Manager 2009\\games"
"ShortlistDir"=""
"ScreenshotsDir"="c:\\Documents and Settings\\Gwen\\My Documents\\Sports Interactive\\Football Manager 2009"
"SaveDir"="c:\\Documents and Settings\\Gwen\\My Documents\\Sports Interactive\\Football Manager 2009\\"
"HistoryDir"="c:\\DOCUME~1\\Gwen\\LOCALS~1\\Temp\\Rar$EX02.422\\FM Genie Scout 2009 XE\\History Points"
"LangDB"="c:\\Program Files\\Sports Interactive\\Football Manager 2009\\data\\db\\900\\lang_db.dat"
"LastSaveGame"=""
"Language"="English"
"LoadLangDB"=dword:00000000
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000050
"GraphStep"=dword:00000000
"SkinName"="Champions League"
"LastUpdateCheck"=dword:00000000
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"Version"=dword:00000067
"UniqueID"="66-F605-0711"
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""
"Currency"=dword:00000056
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2176)
c:\program files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Kontiki\KService.exe
c:\program files\MySQL\MySQL Server 5.1\bin\mysqld.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-06-25 22:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-25 21:29
ComboFix2.txt 2009-06-24 18:07

Pre-Run: 42,174,996,480 bytes free
Post-Run: 42,159,243,264 bytes free

603 --- E O F --- 2009-06-25 16:15

New Installed Anti Virus Log:

25/06/2009 22:53:34 Gwen 3840 Sign of "Win32:Patched-KG [Trj]" has been found in "C:\Documents and Settings\Louise\Local Settings\Temp\UAC5df9.tmp" file.
25/06/2009 22:59:42 Gwen 3840 Sign of "JS:FakeAV-X [Trj]" has been found in "C:\Documents and Settings\Louise\Local Settings\Temporary Internet Files\Content.IE5\4CGBLROS\22[1].htm" file.
25/06/2009 22:59:50 Gwen 3840 Sign of "JS:FakeAV-K [Trj]" has been found in "C:\Documents and Settings\Louise\Local Settings\Temporary Internet Files\Content.IE5\4CGBLROS\promo3[1].htm" file.
25/06/2009 22:59:53 Gwen 3840 Sign of "JS:FakeAV-K [Trj]" has been found in "C:\Documents and Settings\Louise\Local Settings\Temporary Internet Files\Content.IE5\4CGBLROS\promo3[2].htm" file.
25/06/2009 22:59:55 Gwen 3840 Sign of "JS:FakeAV-W [Trj]" has been found in "C:\Documents and Settings\Louise\Local Settings\Temporary Internet Files\Content.IE5\4CGBLROS\script_en[1].js" file.
25/06/2009 22:59:57 Gwen 3840 Sign of "JS:FakeAV-X [Trj]" has been found in "C:\Documents and Settings\Louise\Local Settings\Temporary Internet Files\Content.IE5\6LE6UI72\22[1].htm" file.
25/06/2009 23:00:02 Gwen 3840 Sign of "JS:FakeAV-Z [Trj]" has been found in "C:\Documents and Settings\Louise\Local Settings\Temporary Internet Files\Content.IE5\6LE6UI72\destrub[1].js" file.
25/06/2009 23:00:06 Gwen 3840 Sign of "JS:FakeAV-Z [Trj]" has been found in "C:\Documents and Settings\Louise\Local Settings\Temporary Internet Files\Content.IE5\6LE6UI72\destrub[2].js" file.
25/06/2009 23:00:07 Gwen 3840 Sign of "JS:FakeAV-K [Trj]" has been found in "C:\Documents and Settings\Louise\Local Settings\Temporary Internet Files\Content.IE5\6LE6UI72\promo3[1].htm" file.
25/06/2009 23:00:07 Gwen 3840 Sign of "JS:FakeAV-K [Trj]" has been found in "C:\Documents and Settings\Louise\Local Settings\Temporary Internet Files\Content.IE5\6LE6UI72\promo3[2].htm" file.
25/06/2009 23:00:07 Gwen 3840 Sign of "JS:FakeAV-K [Trj]" has been found in "C:\Documents and Settings\Louise\Local Settings\Temporary Internet Files\Content.IE5\6LE6UI72\promo3[3].htm" file.
25/06/2009 23:00:07 Gwen 3840 Sign of "JS:FakeAV-K [Trj]" has been found in "C:\Documents and Settings\Louise\Local Settings\Temporary Internet Files\Content.IE5\6LE6UI72\promo3[4].htm" file.
25/06/2009 23:00:07 Gwen 3840 Sign of "JS:FakeAV-K [Trj]" has been found in "C:\Documents and Settings\Louise\Local Settings\Temporary Internet Files\Content.IE5\6LE6UI72\promo3[5].htm" file.
25/06/2009 23:00:07 Gwen 3840 Sign of "JS:FakeAV-K [Trj]" has been found in "C:\Documents and Settings\Louise\Local Settings\Temporary Internet Files\Content.IE5\6LE6UI72\promo3[6].htm" file.
25/06/2009 23:00:07 Gwen 3840 Sign of "JS:FakeAV-K [Trj]" has been found in "C:\Documents and Settings\Louise\Local Settings\Temporary Internet Files\Content.IE5\6LE6UI72\promo3[7].htm" file.
25/06/2009 23:00:07 Gwen 3840 Sign of "JS:FakeAV-W [Trj]" has been found in "C:\Documents and Settings\Louise\Local Settings\Temporary Internet Files\Content.IE5\6LE6UI72\script_en[1].js" file.
25/06/2009 23:00:08 Gwen 3840 Sign of "JS:FakeAV-Z [Trj]" has been found in "C:\Documents and Settings\Louise\Local Settings\Temporary Internet Files\Content.IE5\DDBIQQC4\destrub[1].js" file.
25/06/2009 23:00:08 Gwen 3840 Sign of "JS:FakeAV-AB [Trj]" has been found in "C:\Documents and Settings\Louise\Local Settings\Temporary Internet Files\Content.IE5\DDBIQQC4\flist000[1].js" file.
25/06/2009 23:00:09 Gwen 3840 Sign of "JS:FakeAV-W [Trj]" has been found in "C:\Documents and Settings\Louise\Local Settings\Temporary Internet Files\Content.IE5\DDBIQQC4\luxscan4_info[1].htm" file.
25/06/2009 23:00:09 Gwen 3840 Sign of "JS:FakeAV-K [Trj]" has been found in "C:\Documents and Settings\Louise\Local Settings\Temporary Internet Files\Content.IE5\DDBIQQC4\promo3[1].htm" file.
25/06/2009 23:00:09 Gwen 3840 Sign of "JS:FakeAV-K [Trj]" has been found in "C:\Documents and Settings\Louise\Local Settings\Temporary Internet Files\Content.IE5\DDBIQQC4\promo3[2].htm" file.
25/06/2009 23:00:09 Gwen 3840 Sign of "JS:FakeAV-W [Trj]" has been found in "C:\Documents and Settings\Louise\Local Settings\Temporary Internet Files\Content.IE5\DDBIQQC4\script_en[1].js" file.
25/06/2009 23:00:09 Gwen 3840 Sign of "JS:FakeAV-W [Trj]" has been found in "C:\Documents and Settings\Louise\Local Settings\Temporary Internet Files\Content.IE5\DDBIQQC4\starscan4_info[1].htm" file.
25/06/2009 23:00:09 Gwen 3840 Sign of "JS:FakeAV-X [Trj]" has been found in "C:\Documents and Settings\Louise\Local Settings\Temporary Internet Files\Content.IE5\DQC2242I\22[1].htm" file.
25/06/2009 23:00:09 Gwen 3840 Sign of "JS:FakeAV-W [Trj]" has been found in "C:\Documents and Settings\Louise\Local Settings\Temporary Internet Files\Content.IE5\DQC2242I\atomscan4_info[1].htm" file.
25/06/2009 23:00:10 Gwen 3840 Sign of "JS:FakeAV-K [Trj]" has been found in "C:\Documents and Settings\Louise\Local Settings\Temporary Internet Files\Content.IE5\DQC2242I\promo3[1].htm" file.
25/06/2009 23:00:10 Gwen 3840 Sign of "JS:FakeAV-K [Trj]" has been found in "C:\Documents and Settings\Louise\Local Settings\Temporary Internet Files\Content.IE5\DQC2242I\promo3[2].htm" file.
25/06/2009 23:03:06 Gwen 3840 Sign of "Win32:Agent-QEX [Trj]" has been found in "C:\Documents and Settings\Neil\Desktop\setup1_10053.exe\[Embedded_R#DATA1]" file.
25/06/2009 23:03:06 Gwen 3840 Sign of "Win32:Agent-QEX [Trj]" has been found in "C:\Documents and Settings\Neil\Desktop\setup1_10053.exe" file.
25/06/2009 23:11:47 Gwen 3840 Sign of "Win32:Alureon-AP [Rtk]" has been found in "C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACxuwkrwosthfwbev.sys.vir" file.
25/06/2009 23:11:47 Gwen 3840 Sign of "Win32:Fasec [Trj]" has been found in "C:\Qoobox\Quarantine\C\WINDOWS\system32\UACfmttprlplojvjqn.dll.vir" file.
25/06/2009 23:11:47 Gwen 3840 Sign of "Win32:Fasec [Trj]" has been found in "C:\Qoobox\Quarantine\C\WINDOWS\system32\UAChsovnktnobxumns.dll.vir" file.
25/06/2009 23:11:47 Gwen 3840 Sign of "Win32:Fasec [Trj]" has been found in "C:\Qoobox\Quarantine\C\WINDOWS\system32\UAChwvvwqbrbqpqije.dll.vir" file.
25/06/2009 23:11:47 Gwen 3840 Sign of "Win32:Fasec [Trj]" has been found in "C:\Qoobox\Quarantine\C\WINDOWS\system32\UACpwbedfpkvpabuth.dll.vir" file.
25/06/2009 23:11:47 Gwen 3840 Sign of "Win32:Fasec [Trj]" has been found in "C:\Qoobox\Quarantine\C\WINDOWS\system32\UACrfvitlexqreqohj.dll.vir" file.
25/06/2009 23:12:59 Gwen 3840 Sign of "Win32:Alureon-AP [Rtk]" has been found in "C:\System Volume Information\_restore{D819831C-0C72-468A-8ED6-EF79EC9E9AC6}\RP506\A0074736.sys" file.
25/06/2009 23:12:59 Gwen 3840 Sign of "Win32:Fasec [Trj]" has been found in "C:\System Volume Information\_restore{D819831C-0C72-468A-8ED6-EF79EC9E9AC6}\RP506\A0074737.dll" file.
25/06/2009 23:12:59 Gwen 3840 Sign of "Win32:Fasec [Trj]" has been found in "C:\System Volume Information\_restore{D819831C-0C72-468A-8ED6-EF79EC9E9AC6}\RP506\A0074738.dll" file.
25/06/2009 23:12:59 Gwen 3840 Sign of "Win32:Fasec [Trj]" has been found in "C:\System Volume Information\_restore{D819831C-0C72-468A-8ED6-EF79EC9E9AC6}\RP506\A0074739.dll" file.
25/06/2009 23:12:59 Gwen 3840 Sign of "Win32:Fasec [Trj]" has been found in "C:\System Volume Information\_restore{D819831C-0C72-468A-8ED6-EF79EC9E9AC6}\RP506\A0074740.dll" file.
25/06/2009 23:12:59 Gwen 3840 Sign of "Win32:Fasec [Trj]" has been found in "C:\System Volume Information\_restore{D819831C-0C72-468A-8ED6-EF79EC9E9AC6}\RP506\A0074741.dll" file.
25/06/2009 23:13:53 Gwen 3840 Sign of "VBS:Malware-gen" has been found in "C:\System Volume Information\_restore{D819831C-0C72-468A-8ED6-EF79EC9E9AC6}\RP511\A0075582.vbs" file.
25/06/2009 23:23:09 Gwen 3840 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\WINDOWS\system32\bekbn.dll" file.
25/06/2009 23:26:04 Gwen 3840 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system32\xagkf32.dll" file.
25/06/2009 23:39:32 SYSTEM 1432 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\RECYCLER\S-1-5-21-1123561945-1563985344-839522115-1006\Dc1.dll" file.
25/06/2009 23:40:05 SYSTEM 1432 Sign of "JS:FakeAV-W [Trj]" has been found in "C:\RECYCLER\S-1-5-21-1123561945-1563985344-839522115-1006\Dc9.js" file.
25/06/2009 23:40:20 SYSTEM 1432 Sign of "JS:FakeAV-K [Trj]" has been found in "C:\RECYCLER\S-1-5-21-1123561945-1563985344-839522115-1006\Dc10.htm" file.
25/06/2009 23:40:41 SYSTEM 1432 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\Documents and Settings\Gwen\Desktop\bekbn.dll" file.
25/06/2009 23:40:59 SYSTEM 1432 Sign of "Win32:Alureon-AP [Rtk]" has been found in "C:\Documents and Settings\Gwen\Desktop\A0074736.sys" file.
25/06/2009 23:41:20 SYSTEM 1432 Sign of "Win32:Fasec [Trj]" has been found in "C:\RECYCLER\S-1-5-21-1123561945-1563985344-839522115-1006\Dc11.dll" file.
25/06/2009 23:41:24 SYSTEM 1432 Sign of "Win32:Fasec [Trj]" has been found in "C:\RECYCLER\S-1-5-21-1123561945-1563985344-839522115-1006\Dc12.dll" file.
25/06/2009 23:41:30 SYSTEM 1432 Sign of "Win32:Fasec [Trj]" has been found in "C:\RECYCLER\S-1-5-21-1123561945-1563985344-839522115-1006\Dc13.dll" file.
25/06/2009 23:41:33 SYSTEM 1432 Sign of "Win32:Fasec [Trj]" has been found in "C:\RECYCLER\S-1-5-21-1123561945-1563985344-839522115-1006\Dc14.dll" file.
25/06/2009 23:41:37 SYSTEM 1432 Sign of "VBS:Malware-gen" has been found in "C:\RECYCLER\S-1-5-21-1123561945-1563985344-839522115-1006\Dc15.vbs" file.
25/06/2009 23:41:39 SYSTEM 1432 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\RECYCLER\S-1-5-21-1123561945-1563985344-839522115-1006\Dc16.dll" file.
25/06/2009 23:41:40 SYSTEM 1432 Sign of "JS:FakeAV-K [Trj]" has been found in "C:\RECYCLER\S-1-5-21-1123561945-1563985344-839522115-1006\Dc17.htm" file.
25/06/2009 23:41:47 SYSTEM 1432 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\RECYCLER\S-1-5-21-1123561945-1563985344-839522115-1006\Dc1.dll" file.
25/06/2009 23:41:54 SYSTEM 1432 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\RECYCLER\S-1-5-21-1123561945-1563985344-839522115-1006\Dc16.dll" file.
25/06/2009 23:42:01 SYSTEM 1432 Sign of "Win32:Fasec [Trj]" has been found in "C:\RECYCLER\S-1-5-21-1123561945-1563985344-839522115-1006\Dc14.dll" file.
25/06/2009 23:42:21 SYSTEM 1432 Sign of "Win32:Fasec [Trj]" has been found in "C:\RECYCLER\S-1-5-21-1123561945-1563985344-839522115-1006\Dc18.dll" file.
25/06/2009 23:42:35 SYSTEM 1432 Sign of "JS:FakeAV-X [Trj]" has been found in "C:\RECYCLER\S-1-5-21-1123561945-1563985344-839522115-1006\Dc19.htm" file.
25/06/2009 23:42:39 SYSTEM 1432 Sign of "Win32:Fasec [Trj]" has been found in "C:\RECYCLER\S-1-5-21-1123561945-1563985344-839522115-1006\Dc18.dll" file.
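The logs in this post carry two things a responder reads first: the ComboFix "Supplementary Scan" line `uInternet Settings,ProxyServer = http=localhost:7171` (Internet Explorer routed through a proxy on the machine itself, which is how a fake-AV component intercepts and rewrites browsing), and an avast! log where most hits are in ComboFix's quarantine (`C:\Qoobox\Quarantine`, `.vir` copies), System Restore snapshots and the Recycle Bin, while only a few (`C:\WINDOWS\system32\bekbn.dll`, `xagkf32.dll`, the Desktop copies) are live files. The following triage script is an added example, not code from the thread or from avast!, ComboFix or DDS: it parses avast! 4 detection lines in the format above, classifies each hit by where it lives so isolated copies are separated from files still needing action, and flags a Pseudo-HJT `ProxyServer` pointing at the local machine or a hook/BHO entry with no backing file. The sample lines are constructed, modelled on the logs posted above; the location rules and the `hxxp`/`No File` conventions are taken from the log formats themselves.

```python
import re
from collections import Counter

# avast! 4 on-access log line, as in the log above:
#   <date> <time> <user> <pid> Sign of "<family>" has been found in "<path>" file.
AVAST_RE = re.compile(
    r'^(?P<date>\S+) (?P<time>\S+) (?P<user>\S+) (?P<pid>\d+) '
    r'Sign of "(?P<family>[^"]+)" has been found in "(?P<path>[^"]+)" file\.$'
)

# Location classes, most specific first: a quarantined copy of a system32
# driver must come out as "quarantine", not "system".
LOCATION_RULES = [
    ("quarantine", re.compile(r'\\qoobox\\quarantine\\', re.I)),
    ("restore_point", re.compile(r'\\system volume information\\_restore', re.I)),
    ("recycler", re.compile(r'^[a-z]:\\recycler\\', re.I)),
    ("ie_cache", re.compile(r'\\temporary internet files\\', re.I)),
    ("temp", re.compile(r'\\local settings\\temp\\', re.I)),
    ("system", re.compile(r'\\windows\\(system32|system|drivers)\\', re.I)),
    ("user_profile", re.compile(r'\\documents and settings\\', re.I)),
]
# Files here can still be loaded or run; the other classes are isolated
# copies or cached web pages that a cache/quarantine purge removes.
LIVE_LOCATIONS = {"system", "user_profile", "temp", "other"}


def classify_path(path):
    """Return the location class of a detected file path."""
    for label, rx in LOCATION_RULES:
        if rx.search(path):
            return label
    return "other"


def parse_avast_line(line):
    """Parse one avast! detection line into a dict, or None if it is not one."""
    m = AVAST_RE.match(line.strip())
    if not m:
        return None
    hit = m.groupdict()
    hit["location"] = classify_path(hit["path"])
    hit["live"] = hit["location"] in LIVE_LOCATIONS
    return hit


def summarise_avast(lines):
    """Count hits per location and family, and list the live paths to act on."""
    hits = [h for h in map(parse_avast_line, lines) if h]
    return {
        "total": len(hits),
        "by_location": Counter(h["location"] for h in hits),
        "families": Counter(h["family"] for h in hits),
        "live_paths": sorted({h["path"] for h in hits if h["live"]}),
    }


# Pseudo-HJT lines (ComboFix / DDS). A ProxyServer on the local machine means
# something on the box is sitting between the browser and the network.
PROXY_RE = re.compile(r'Internet Settings,ProxyServer\s*=\s*(?P<value>.+)$')
LOCAL_HOSTS = ("localhost", "127.", "0.0.0.0")
HOOK_TYPES = ("BHO", "TB", "uURLSearchHooks", "mURLSearchHooks")


def flag_hjt_line(line):
    """Return a short reason if a Pseudo-HJT line is suspicious, else None."""
    line = line.strip()
    m = PROXY_RE.search(line)
    if m:
        # Values look like "http=localhost:7171" or "host:port", ';'-separated.
        for part in m.group("value").split(";"):
            hostport = part.split("=", 1)[-1].strip()
            host = hostport.rsplit(":", 1)[0]
            if host.lower().startswith(LOCAL_HOSTS):
                return "proxy to local machine: " + hostport
        return None
    if line.endswith("- No File") and line.split(":", 1)[0] in HOOK_TYPES:
        return "orphaned hook/BHO entry"
    return None


def flag_hjt_lines(lines):
    """Return [(reason, line)] for every flagged line."""
    out = []
    for line in lines:
        reason = flag_hjt_line(line)
        if reason:
            out.append((reason, line))
    return out


# Constructed sample lines, modelled on the logs posted in this thread.
SAMPLE_AVAST = [
    r'25/06/2009 22:53:34 Gwen 3840 Sign of "Win32:Patched-KG [Trj]" has been found in "C:\Documents and Settings\Louise\Local Settings\Temp\UAC5df9.tmp" file.',
    r'25/06/2009 22:59:42 Gwen 3840 Sign of "JS:FakeAV-X [Trj]" has been found in "C:\Documents and Settings\Louise\Local Settings\Temporary Internet Files\Content.IE5\4CGBLROS\22[1].htm" file.',
    r'25/06/2009 23:11:47 Gwen 3840 Sign of "Win32:Alureon-AP [Rtk]" has been found in "C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACxuwkrwosthfwbev.sys.vir" file.',
    r'25/06/2009 23:12:59 Gwen 3840 Sign of "Win32:Fasec [Trj]" has been found in "C:\System Volume Information\_restore{D819831C-0C72-468A-8ED6-EF79EC9E9AC6}\RP506\A0074737.dll" file.',
    r'25/06/2009 23:23:09 Gwen 3840 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\WINDOWS\system32\bekbn.dll" file.',
    r'25/06/2009 23:39:32 SYSTEM 1432 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\RECYCLER\S-1-5-21-1123561945-1563985344-839522115-1006\Dc1.dll" file.',
    r'25/06/2009 23:40:41 SYSTEM 1432 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\Documents and Settings\Gwen\Desktop\bekbn.dll" file.',
    'avast! engine started: not a detection line, must be ignored',
]
SAMPLE_HJT = [
    "mStart Page = hxxp://www.google.com",
    "uInternet Settings,ProxyServer = http=localhost:7171",
    "uInternet Settings,ProxyOverride = *.local;<local>",
    "uURLSearchHooks: H - No File",
    "BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File",
    r"TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll",
]

if __name__ == "__main__":
    s = summarise_avast(SAMPLE_AVAST)
    print(f"{s['total']} detections: {dict(s['by_location'])}")
    for p in s["live_paths"]:
        print("  still live:", p)
    for reason, line in flag_hjt_lines(SAMPLE_HJT):
        print(f"  {reason}: {line}")
```

Run it against a saved avast! log and the Pseudo-HJT section of a DDS/ComboFix report: the `live_paths` list is what a fix script such as the del.bat later in this thread should target, while quarantine and restore-point hits are handled by emptying those stores, not by deleting files one at a time. The proxy check treats any `localhost`/`127.x`/`0.0.0.0` entry as suspicious; a legitimate local filtering proxy would also trip it, so confirm what listens on that port before removing the setting.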

#10 thcbytes (Malware Response Team)

Posted 25 June 2009 - 06:29 PM

Louise,
How is it running? Describe in detail any remaining problems please.
Thanks,
t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#11 thcbytes (Malware Response Team)

Posted 26 June 2009 - 09:28 AM

Hi again,
Some stubborn files.
Please do this:

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
==========

And this:

Open Notepad.
Copy contents in the code box into Notepad: Do not copy the word "code"!

@ECHO OFF
REM Start a fresh log.txt; each path below is recorded as deleted, not deleted, or not found.
IF EXIST log.txt DEL log.txt
ECHO Deleting files>>log.txt
REM For each path: clear the read-only, system and hidden attributes, delete it, then re-check that it is really gone.
FOR %%g in ( 
"c:\windows\system32\nk.dat"
"c:\windows\system32\q1.dat"
"c:\windows\system32\idm.dat"
"c:\windows\system32\ck.dat"
"c:\windows\system32\c2d.dat"
"c:\windows\system32\bekbn.dll"
"c:\windows\system32\xagkf32.dll"
"c:\windows\z45ft5992f44.dat"
"C:\Documents and Settings\Neil\Desktop\setup1_10053.exe"
"C:\Documents and Settings\Neil\Desktop\setup1_10053.exe"
"C:\Documents and Settings\Gwen\Desktop\bekbn.dll"
"C:\Documents and Settings\Gwen\Desktop\A0074736.sys") DO (
IF EXIST %%g (
ATTRIB -r -s -h %%g
DEL %%g
IF EXIST %%g (
ECHO %%g not deleted>>log.txt
) ELSE (
ECHO %%g deleted>>log.txt)
) ELSE (
ECHO %%g not found>>log.txt))
START NOTEPAD.EXE log.txt

Go to File - Save as...
Fill in the next values:
Location: Desktop
File name: del.bat
File type: All files (*.*).
Now, click Save.

Doubleclick del.bat.
Post the contents of the logfile that opens in your next reply.

==========

Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.
==========

We need to create a New FULL OTL Report
  • Please download OTL from here if you have not done so already:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "SafeList"
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
==========

With your next post please provide:

* File delete log
* Bitdefender log
* OTL.txt
* OTL Extra.txt
* How's your computer running?

Kind regards,
t

#12 ldbright (Topic Starter)

Posted 27 June 2009 - 06:50 PM

Hi,

Sorry I didn't post last night, I went out. Here are the logs you requested.

File Delete Log:

Deleting files
"c:\windows\system32\nk.dat" deleted
"c:\windows\system32\q1.dat" deleted
"c:\windows\system32\idm.dat" deleted
"c:\windows\system32\ck.dat" deleted
"c:\windows\system32\c2d.dat" deleted
"c:\windows\system32\bekbn.dll" not found
"c:\windows\system32\xagkf32.dll" not found
"c:\windows\z45ft5992f44.dat" deleted
"C:\Documents and Settings\Neil\Desktop\setup1_10053.exe" not found
"C:\Documents and Settings\Neil\Desktop\setup1_10053.exe" not found
"C:\Documents and Settings\Gwen\Desktop\bekbn.dll" not found
"C:\Documents and Settings\Gwen\Desktop\A0074736.sys" not found


BitDefender Online Scanner:

Scan report generated at: Sun, Jun 28, 2009 - 00:14:34
Scan path: C:\;D:\;

Statistics
Time: 00:49:08
Files: 188393
Folders: 9318
Boot Sectors: 0
Archives: 1085
Packed Files: 6284

Results
Identified Viruses: 2
Infected Files: 3
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 3

Engines Info
Virus Definitions: 3729034
Engine build: AVCORE v1.7 (build 8314.19) (i386) (Sep 29 2008 17:19:14)
Scan plugins: 17
Archive plugins: 44
Unpack plugins: 7
E-mail plugins: 6
System plugins: 4

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File - Status
C:\Documents and Settings\Gwen\Local Settings\temp\_avast4_\unp256816619.tmp - Detected with: Adware.Isearch.D
C:\Documents and Settings\Gwen\Local Settings\temp\_avast4_\unp256816619.tmp - Deleted
C:\Qoobox\Quarantine\C\WINDOWS\TG91aXNlIEJyaWdodG1hbg\n36Yurh5KHLVuqxCx3Y1v0.vbs.vir - Detected with: Adware.Isearch.D
C:\Qoobox\Quarantine\C\WINDOWS\TG91aXNlIEJyaWdodG1hbg\n36Yurh5KHLVuqxCx3Y1v0.vbs.vir - Deleted
C:\WINDOWS\system32\mxaxjeoxes.exe - Infected with: Trojan.Zlob.49489
C:\WINDOWS\system32\mxaxjeoxes.exe - Deleted

OTL:

When I try to do the OTL scan it starts scanning but then the following message pops up: Access violation at address 00528BC1 in module 'OTL2.exe'. Read of address 00000014. I click OK and the scan freezes.


My computer is running a lot better, thanks. I did another avast! scan and the same viruses were found. But the actual running of the computer is a lot better; using the internet has been the best it's been in a long time!

Thanks

Louise

#13 thcbytes (Malware Response Team)

Posted 27 June 2009 - 09:02 PM

Hi Louise,
Things are coming along quite well. I still think we've got some work to do, so hang in there please.

We need to see some information about what is happening in your machine. Please perform the following scan again:
  • Download DDS by sUBs from one of the following links if you don't still have it. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

#14 ldbright (Topic Starter)

Posted 28 June 2009 - 03:56 PM

Hi T,

Here is the DDS and Attach as requested. My computer has been a bit slower today; for example, opening Firefox took ages to load.
Thanks
Louise

Attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/01/2007 19:17:32
System Uptime: 28/06/2009 21:39:51 (0 hours ago)

Motherboard: WinFast | | 6150K8MD
Processor: AMD Athlon™ 64 Processor 3500+ | Socket 939 | 2210/201mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 112 GiB total, 39.09 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\207E3316C20
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\207E3316C20
Service: NIC1394

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Linksys Wireless-G PCI Adapter
Device ID: PCI\VEN_1814&DEV_0301&SUBSYS_00551737&REV_00\4&DC268A3&0&4880
Manufacturer: Linksys, A Division of Cisco Systems, Inc.
Name: Linksys Wireless-G PCI Adapter
PNP Device ID: PCI\VEN_1814&DEV_0301&SUBSYS_00551737&REV_00\4&DC268A3&0&4880
Service: RT61

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: NVIDIA nForce Networking Controller
Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0269\4&28B4DB12&0&01
Manufacturer: NVIDIA
Name: NVIDIA nForce Networking Controller
PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0269\4&28B4DB12&0&01
Service: NVENETFD

==== System Restore Points ===================

RP471: 31/03/2009 18:01:10 - System Checkpoint
RP472: 01/04/2009 18:28:58 - System Checkpoint
RP473: 02/04/2009 21:33:35 - System Checkpoint
RP474: 04/04/2009 11:27:45 - System Checkpoint
RP475: 06/04/2009 17:47:23 - System Checkpoint
RP476: 08/04/2009 19:27:10 - System Checkpoint
RP477: 10/04/2009 17:32:00 - System Checkpoint
RP478: 13/04/2009 18:20:53 - System Checkpoint
RP479: 16/04/2009 17:52:44 - System Checkpoint
RP480: 19/04/2009 19:48:41 - System Checkpoint
RP481: 20/04/2009 20:21:59 - System Checkpoint
RP482: 21/04/2009 20:26:00 - System Checkpoint
RP483: 22/04/2009 23:39:58 - System Checkpoint
RP484: 16/10/2009 07:33:43 - System Checkpoint
RP485: 23/04/2009 20:03:54 - System Checkpoint
RP486: 25/04/2009 11:33:53 - System Checkpoint
RP487: 26/04/2009 13:13:20 - System Checkpoint
RP488: 26/04/2009 13:58:59 - Software Distribution Service 3.0
RP489: 26/04/2009 22:19:36 - Software Distribution Service 3.0
RP490: 28/04/2009 16:43:57 - Installed DirectX
RP491: 28/04/2009 23:28:09 - Software Distribution Service 3.0
RP492: 30/04/2009 18:50:18 - System Checkpoint
RP493: 01/05/2009 18:52:23 - System Checkpoint
RP494: 03/05/2009 11:08:42 - System Checkpoint
RP495: 04/05/2009 13:34:17 - System Checkpoint
RP496: 05/05/2009 19:53:31 - System Checkpoint
RP497: 06/05/2009 20:12:03 - System Checkpoint
RP498: 07/05/2009 21:31:26 - System Checkpoint
RP499: 08/05/2009 21:46:54 - System Checkpoint
RP500: 09/05/2009 21:55:34 - System Checkpoint
RP501: 11/05/2009 20:34:36 - System Checkpoint
RP502: 12/05/2009 21:08:29 - System Checkpoint
RP503: 12/05/2009 22:31:07 - Software Distribution Service 3.0
RP504: 12/05/2009 22:57:15 - Software Distribution Service 3.0
RP505: 02/06/2009 19:09:27 - System Checkpoint
RP506: 19/06/2009 17:50:35 - System Checkpoint
RP507: 24/06/2009 18:27:12 - Software Distribution Service 3.0
RP508: 24/06/2009 22:52:29 - Software Distribution Service 3.0
RP509: 25/06/2009 16:48:31 - Avg8 Update
RP510: 25/06/2009 16:53:28 - Avg8 Update
RP511: 25/06/2009 17:14:27 - Software Distribution Service 3.0
RP512: 27/06/2009 19:17:27 - System Checkpoint

==== Installed Programs ======================

4oD
530TX
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.2
Apache HTTP Server 2.2.11
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoStudio 5.5
avast! Antivirus
Bonjour
BroadJump Client Foundation
Canon MP Navigator 3.0
Canon MP460
Canon MP460 User Registration
Canon Utilities Easy-PhotoPrint
Critical Update for Windows Media Player 11 (KB959772)
DFE-530TX Driver
Easy-WebPrint
foobar2000 v0.9.4.2
Football Manager 2008
Football Manager 2009
Google Earth
High Definition Audio Driver Package - KB888111
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
iTunes
J2SE Development Kit 5.0 Update 10
J2SE Runtime Environment 5.0 Update 10
Linksys Wireless-G PCI Adapter
Macromedia Dreamweaver 8
Macromedia Extension Manager
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Monkey's Audio
Mozilla Firefox (3.0.11)
MSN
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MySQL Server 5.1
NVIDIA Drivers
Pixelfusion WMP Plugin 1.50
QuickTime
Realtek High Definition Audio Driver
RON Tool Netupbanner
ScanSoft OmniPage SE 4.0
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Shockwave
Sony Ericsson Media Manager 1.0
SopCast 2.0.4
System Requirements Lab
TVUPlayer 2.3.0.0
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VideoLAN VLC media player 0.8.6a
WebFldrs XP
Windows Defender
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
WinZip

==== End Of File ===========================

DDS.txt

DDS (Ver_09-05-14.01) - NTFSx86
Run by Gwen at 21:49:03.46 on 28/06/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.62 [GMT 1:00]

AV: avast! antivirus 4.8.1335 [VPS 090628-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apache2.2\bin\httpd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Apache2.2\bin\httpd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Gwen\Desktop\dds.scr

============== Pseudo HJT Report ===============

mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_10\bin\jusched.exe"
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_10\bin\npjpi150_10.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gwen\applic~1\mozilla\firefox\profiles\9xwt8hbr.default\
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-6-25 114768]
R2 Apache2.2;Apache2.2;c:\apache2.2\bin\httpd.exe [2008-12-10 24636]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-6-25 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-6-25 138680]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\eappkt.sys --> c:\windows\system32\drivers\EAPPkt.sys [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-6-25 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-6-25 352920]
S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]
S3 zebrbus;Sony Ericsson Composite Device driver;c:\windows\system32\drivers\zebrbus.sys [2007-4-13 83080]
S3 zebrmdmc;Sony Ericsson mRouter Port (WDM);c:\windows\system32\drivers\zebrmdmc.sys [2007-4-13 108424]

=============== Created Last 30 ================

2009-06-25 22:14 <DIR> --ds---- C:\Combo-Fix
2009-06-25 16:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-06-24 19:06 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-06-24 18:53 <DIR> a-dshr-- C:\cmdcons
2009-06-24 18:14 50,176 ac------ c:\windows\system32\dllcache\proquota.exe
2009-06-24 18:14 50,176 a------- c:\windows\system32\proquota.exe
2009-06-24 18:14 39,424 ac------ c:\windows\system32\dllcache\grpconv.exe
2009-06-24 18:14 39,424 a------- c:\windows\system32\grpconv.exe
2009-06-24 17:47 161,792 a------- c:\windows\SWREG.exe
2009-06-24 17:47 155,136 a------- c:\windows\PEV.exe
2009-06-24 17:47 98,816 a------- c:\windows\sed.exe
2009-06-23 22:40 <DIR> --d----- c:\program files\trend micro
2009-05-31 19:46 <DIR> --d----- c:\docume~1\gwen\applic~1\Sports Interactive
2009-05-31 18:21 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-05-31 17:58 <DIR> --d----- c:\docume~1\gwen\applic~1\AVGTOOLBAR
2009-05-31 12:47 21,536 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-05-31 12:47 1,364 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-05-31 12:47 32 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-05-31 12:47 32 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-05-31 12:18 <DIR> --d----- c:\program files\common files\ParetoLogic
2009-05-31 12:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ParetoLogic
2009-05-31 11:00 16,164 a------- c:\windows\system32\fkas

==================== Find3M ====================

2009-06-01 18:19 90,112 a------- c:\windows\DUMP755e.tmp
2009-06-01 17:33 90,112 a------- c:\windows\DUMP7dcb.tmp
2009-06-01 17:32 90,112 a------- c:\windows\DUMP80f7.tmp
2009-06-01 17:31 90,112 a------- c:\windows\DUMP82ad.tmp
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-29 05:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 05:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-27 15:17 3,218 a------- c:\windows\system32\PerfStringBackup.TMP
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 15:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2008-11-16 15:13 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008111620081117\index.dat

============= FINISH: 21:49:10.59 ===============

#15 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:59 AM

Posted 28 June 2009 - 05:47 PM

Hello again. :)
Please do this.........

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
==========

You still have remnants of AVG and possibly other antivirus software. That might be slowing you down and should be removed.

Please follow the instructions outlined below.



1. Click on the Start menu.
2. Select Run...
3. Type wbemtest and click OK
4. Connect to root\SecurityCenter
5. Click on Query
6. Type in SELECT * FROM AntiVirusProduct and click on Apply

If there is more than one result, it means there is more than one Antivirus program installed. Double click on each result to view the properties for that Antivirus product. Identify the product(s) installed and DELETE any records for an Antivirus software that is no longer installed.

==========

:thumbup2: Warning: This script was specifically written and designed for this user only. Unsupervised use of this tool could render your computer unbootable permanently!! :)

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

DDS::
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll

Folder::
c:\windows\system32\fkas
c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
c:\docume~1\gwen\applic~1\AVGTOOLBAR
c:\program files\common files\ParetoLogic
c:\docume~1\alluse~1\applic~1\ParetoLogic


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==========

With your next post please provide:

* Combofix.txt

Kind regards,
t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/
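The triage the helper does by hand on the "Pseudo HJT Report" (an IE proxy pointed at the local machine, hooks and BHOs with "No File", leftovers of a product the user says is uninstalled), as an added Python example that is not part of this thread or of the DDS tool. The sample lines are copied from the log posted above; the list of "removed" products is an assumption.

```python
import re

# Constructed sample: a subset of the 'Pseudo HJT Report' lines posted in this thread.
SAMPLE_REPORT = r"""
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
"""

# Hosts that mean IE is being forced through a proxy on the machine itself.
# Legitimate local filters do this too, so treat a hit as a lead to verify, not a verdict.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "[::1]"}

# Assumption: products the user reports as uninstalled (AVG, per the reply above).
REMOVED_PRODUCTS = [re.compile(r"\bavg\b", re.IGNORECASE)]


def proxy_hosts(value):
    """Split a ProxyServer value ('host:port' or 'scheme=host:port;...') into hosts."""
    hosts = []
    for part in value.split(";"):
        part = part.strip()
        if "=" in part:                      # strip an 'http=' style scheme prefix
            part = part.split("=", 1)[1]
        hosts.append(part.rsplit(":", 1)[0].lower())
    return hosts


def triage(report):
    """Return (kind, line) pairs for the entries a helper would examine first."""
    findings = []
    for line in report.splitlines():
        line = line.strip()
        if not line:
            continue
        if "Internet Settings,ProxyServer" in line:
            value = line.split("=", 1)[1].strip()
            if any(h in LOCAL_HOSTS for h in proxy_hosts(value)):
                findings.append(("local-proxy", line))
        elif line.endswith("- No File"):     # registry entry whose target file is gone
            findings.append(("orphan-entry", line))
        elif any(p.search(line) for p in REMOVED_PRODUCTS):
            findings.append(("removed-product", line))
    return findings
```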



