Request for Assistance removing Trojan.Agent and Hacktool.GCM


20 replies to this topic

#1 Khrystalar

  • Members
  • 14 posts

Posted 13 July 2009 - 06:10 AM

Hi there,

With reference to this topic;

http://www.bleepingcomputer.com/forums/t/239225/request-for-assistance-removing-trojanagent-and-hacktoolgcm/

Zllio asked me to start a new post here with the hope of finding somebody who can help me remove TCPCON.DLL and ADVOCR.DLL from my system. A full description of the problem is in the original topic. (I have a little further information, which I shall post at the end).

I've followed Zllio's instructions and re-run ATF-Cleaner. I've also read through the Preparation Guide and taken all the appropriate steps. Initial DDS logs are below;



DDS (Ver_09-06-26.01) - NTFSx86
Run by Khrys at 10:38:53.89 on 13/07/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.63 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Khrys\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://global.acer.com
uInternet Connection Wizard,ShellNext = https://signup.worldofwarcraft.com/trial/QS.htm
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149324803055
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
TCP: {6A3AA692-FA27-485A-8C22-E10A9EC76F66} = 212.139.132.25 212.139.132.24
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\khrys\applic~1\mozilla\firefox\profiles\g8v2a3so.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/advanced_search?hl=en
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npnul32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPOFFICE.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\nppdf32.dll

============= SERVICES / DRIVERS ===============

R0 m5287;m5287;c:\windows\system32\drivers\m5287.sys [1980-1-1 85888]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-20 327688]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-4-8 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-20 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-7 906520]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-7 298776]
S2 toisfvet;poebunv sevcive;c:\windows\system32\svchost.exe -k toisfvet [1980-1-1 14336]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-1-7 33752]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]

=============== Created Last 30 ================

2009-07-13 10:24 131,072 a------- c:\windows\system32\tcpcon.dll
2009-07-12 23:46 585,728 a------- c:\windows\system32\IPHACTION.dll
2009-07-12 11:49 --dsh--- C:\found.000
2009-07-12 00:23 1,845,632 -------- c:\windows\system32\drivers\win32k.sys
2009-07-10 15:23 --dsh--- c:\documents and settings\khrys\IETldCache
2009-07-10 14:59 -cd-h--- c:\windows\ie8
2009-07-10 14:36 584,704 a------- c:\windows\system32\rpcrt4.dll
2009-07-10 14:36 1,846,784 a------- c:\windows\system32\win32k.sys
2009-07-10 14:36 1,846,784 a------- c:\windows\system32\dllcache\win32k.sys
2009-06-28 08:10 --d----- c:\program files\Trend Micro
2009-06-27 14:28 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-27 14:28 --d----- c:\program files\SUPERAntiSpyware
2009-06-27 14:28 --d----- c:\docume~1\khrys\applic~1\SUPERAntiSpyware.com
2009-06-27 14:28 --d----- c:\program files\common files\Wise Installation Wizard
2009-06-27 12:01 3 a------- c:\windows\system32\bversion.dll
2009-06-27 11:45 --d----- c:\docume~1\khrys\applic~1\Malwarebytes
2009-06-27 11:44 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-27 11:44 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-27 11:44 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-27 11:44 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-25 16:50 --d-h--- C:\$AVG8.VAULT$
2009-06-25 15:59 3 a------- c:\windows\system32bversion.dll
2009-06-25 15:57 94,208 a------- c:\windows\system32\TRSOCR.dll
2009-06-25 15:57 95 a------- c:\windows\system32\TRSOCR.ini
2009-06-25 15:06 509,440 a------- c:\windows\system32\C3A5
2009-06-25 15:05 32,137,216 a------- c:\windows\system32\TRSOCR.dat
2009-06-25 15:05 3 a------- c:\windows\system32\fhpatch.dll
2009-06-25 15:05 0 a------- c:\windows\system32\fiplock.dll
2009-06-25 15:04 0 a------- c:\windows\system32\IpSvchostF.dll
2009-06-25 15:04 6 a------- c:\windows\system32\iphy.dll
2009-06-25 15:04 3 a------- c:\windows\system32\AkKoOUJSqu.ini
2009-06-25 15:03 0 a------- C:\11.ini

==================== Find3M ====================

2009-07-11 17:30 94,208 a------- c:\windows\DUMP686e.tmp
2009-06-28 08:12 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-28 08:12 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 16:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll

============= FINISH: 10:39:24.87 ===============



Further to my comments in the original thread, I would've responded to Zllio's advice a little sooner, but I've actually spent all weekend dealing with a Windows BSoD on this machine, which occurred after I installed some Windows Updates on Friday, at which point I thought I'd finally gotten rid of the viruses. (I did several scans, and nothing showed up.) Then I installed four Critical Updates (including Internet Explorer 8), at which point the system continually Blue-Screened with a KERNAL_EXCEPTION_NOT_HANDLED error code. I eventually figured out I needed to boot up with the Recovery Console and use it to manually uninstall the four Critical Updates. Once I'd done this, Windows started again with no problems. However, TCPCON.dll and ADVOCR.dll were both detected again.

I mention this for two reasons - firstly, in case the Blue Screen is connected to the virus(es) in some way. The STOP error BSoD messages all referred to Win32k.sys or else part of the Windows Logon Subsystem; and when AVG detects the presence of ADVOCR.dll, it tells me that it's been called by the Winlogon.exe process.

Secondly, because I've now worked out what the virus is doing, and why I thought I'd gotten rid of it on Friday. Contrary to what I wrote in the original post, TCPCON.dll does not come back as soon as I start my system. It doesn't appear until I start my internet connection. The MBAM and SAS scans I did on Friday took place before I started the internet; because I'd been scanning all day and didn't think my definitions would need updating again since I started in the morning.

TCPCON.DLL comes back almost immediately after my connection is started; but AVG 8.5 (which I run resident) completely misses it. It gets copied back to my System32 directory and then loaded into memory. Once this is done, my internet connection starts showing incoming activity. After about 5 minutes of this, ADVOCR.dll appears back in my System32 directory, but AVG does catch this; if I tell AVG to quarantine the file, nothing else seems to happen. If this file is left unabated, other (seemingly random) viruses start getting periodically downloaded and executed.

My theory, then: there's something on this system, somewhere, buried so deep that none of the tools I've used so far can find it. Whatever it is, it's running on startup and sitting there quietly waiting for an active internet connection. When it finds one, it downloads/unpacks TCPCON.DLL and loads it into memory. Once this is done, it (or TCPCON.DLL itself) downloads ADVOCR.dll and attempts to run it. AVG catches the problem at this stage, and I can effectively neutralise the malware before it starts doing anything too nasty. However, without some sort of specialist help, I can't find the source to get rid of it.

Any assistance you can render would be hugely appreciated. I know you're busy, and will wait here patiently until someone notices me. :thumbup2:

Thanks in anticipation. Best wishes,

--
Khrys.
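The DDS log above contains the two line formats that matter for the theory in this post: the SERVICES / DRIVERS entries (where a service hosted in svchost under an unfamiliar group name stands out) and the Created Last 30 entries (where 0-, 3- and 6-byte "DLLs" in System32 cannot be real modules). The script below is an added triage example, not part of the thread, DDS, MBAM or any BleepingComputer tool; its sample lines are constructed to mirror the log, and the svchost group allow-list and the size/extension heuristics are assumptions about what a reviewer would pull out for a closer look.

```python
"""Heuristic triage of DDS 'SERVICES / DRIVERS' and 'Created Last 30' lines."""
import re

# Assumption: a short allow-list of svchost groups that ship with Windows XP.
# Real triage would compare against the machine's Svchost registry key instead.
KNOWN_SVCHOST_GROUPS = {
    "dcomlaunch", "rpcss", "netsvcs", "networkservice", "localservice",
    "imgsvc", "httpfilter", "termsvcs", "wudfservicegroup",
}

# A PE image starts with a 64-byte IMAGE_DOS_HEADER, so anything smaller that
# is named .dll/.sys/.exe cannot be a loadable module: it is a marker or stub.
MIN_PE_SIZE = 64

# "S2 name;display name;path [yyyy-m-d size]"
SERVICE_RE = re.compile(
    r"^[RS]\d (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+) "
    r"\[(?P<date>\d{4}-\d{1,2}-\d{1,2}) (?P<size>\d+)\]$"
)
# "yyyy-mm-dd hh:mm [size] attrs path"  (directories carry no size column)
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} (?:(?P<size>[\d,]+) )?"
    r"(?P<attrs>[A-Za-z-]{8}) (?P<path>.+)$"
)
SVCHOST_RE = re.compile(r"svchost(?:\.exe)? -k (\S+)", re.IGNORECASE)


def _size(text):
    """Turn '131,072' into 131072; directories have no size (None)."""
    return int(text.replace(",", "")) if text else None


def triage_service(entry):
    """Reasons to review one SERVICES / DRIVERS entry (dict from SERVICE_RE)."""
    reasons = []
    hosted = SVCHOST_RE.search(entry["path"])
    if hosted and hosted.group(1).lower() not in KNOWN_SVCHOST_GROUPS:
        reasons.append(
            f"service '{entry['name']}' runs inside svchost under "
            f"non-standard group '{hosted.group(1)}'"
        )
    return reasons


def triage_created(entry):
    """Reasons to review one Created Last 30 entry (dict from CREATED_RE)."""
    reasons = []
    lowered = entry["path"].lower()
    name = lowered.rsplit("\\", 1)[-1]
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    is_dir = entry["attrs"][2].lower() == "d"      # third attribute column is 'd'
    in_system32 = "\\system32\\" in lowered
    size = _size(entry["size"])
    if in_system32 and ext in {"dll", "sys", "exe"} and size is not None and size < MIN_PE_SIZE:
        reasons.append(f"{size}-byte .{ext} in system32 cannot be a valid PE image")
    if in_system32 and not is_dir and ext == "":
        reasons.append("extensionless file dropped directly in system32")
    return reasons


def triage(log_text):
    """Return [(path, reason), ...] for every line a reviewer should look at."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            entry = m.groupdict()
            findings.extend((entry["path"], r) for r in triage_service(entry))
            continue
        m = CREATED_RE.match(line)
        if m:
            entry = m.groupdict()
            findings.extend((entry["path"], r) for r in triage_created(entry))
    return findings


# Constructed sample mirroring the thread's DDS log (not a verbatim copy).
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============
R0 m5287;m5287;c:\windows\system32\drivers\m5287.sys [1980-1-1 85888]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-20 108552]
S2 toisfvet;poebunv sevcive;c:\windows\system32\svchost.exe -k toisfvet [1980-1-1 14336]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
=============== Created Last 30 ================
2009-07-13 10:24 131,072 a------- c:\windows\system32\tcpcon.dll
2009-07-12 11:49 --dsh--- C:\found.000
2009-06-27 12:01 3 a------- c:\windows\system32\bversion.dll
2009-06-25 15:06 509,440 a------- c:\windows\system32\C3A5
2009-06-25 15:05 0 a------- c:\windows\system32\fiplock.dll
2009-06-25 15:04 6 a------- c:\windows\system32\iphy.dll
2009-06-25 15:03 0 a------- C:\11.ini
"""

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_DDS):
        print(f"{path}\n    -> {reason}")
```

The full-size tcpcon.dll is deliberately not flagged: a 131 KB DLL looks like any other module, which is why a signature scanner such as MBAM is still needed for it, while these heuristics surface the fragments around it that signatures tend to miss.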


#2 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 23 July 2009 - 10:33 AM

Hello and welcome to Bleeping Computer.

My name is Syler, I will be helping you to solve your Malware issues. Whilst I am helping you, I would be grateful if you would note the following:
  • Please do not run other tools or scans unless I ask you to, and follow all the steps I give you, in order.
  • Copy and paste all logs requested in your reply. Do not attach them unless asked to.
  • If you don't know or understand something, please don't hesitate to say or ask before you proceed with my instructions.
  • Please continue to work with me until I tell you your machine appears to be clean. Absence of symptoms does not mean that everything is clear.
  • If I do not hear back from you within 5 days of my last post, then this topic will be closed.

Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply .
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Next
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both logs: log.txt (<<will be maximized) and info.txt (<<will be minimized)
Then please post back here with the following:
  • MBAM log
  • log.txt
  • info.txt
Thanks



#3 Khrystalar

  • Topic Starter

  • Members
  • 14 posts

Posted 23 July 2009 - 05:45 PM

Hi Syler. Thanks for picking this one up. :thumbup2:

Ok, I've done my best to follow your instructions, but I'm afraid that I've encountered a problem. The PC has started shutting itself down after about 15-20 mins from the point I log in to Windows. This seems to happen every time now when I try to run MBAM. If I don't run MBAM, and do something else instead, it seems to be a 50/50 chance whether it will repeat the same behaviour. I'm hoping I'll have enough time to finish this message before I get shut down again.

In all cases, when this happens, I get two audible warnings, which come in the form of the Windows "error" sound, the brief "bong" that it plays when it can't open a file, etc. I hear it once about 5 minutes before the shutdown, and again about 45 seconds before the shutdown (although there's no accompanying error message to go with it in either case). Then the computer simply turns itself off and restarts. Occasionally it'll give me a very short (2-3 line?) BSoD message when it does this - something about the Windows Logon Process suffering a fatal error. Or just a completely blank blue-screen. But usually, it just cuts the power and boots up again straight away.

Anyway, what this means is that the MBAM Full Scan isn't getting time to run. Instead, I've run the Quick Scan option and attached the log for that, in the hope that this will at least give you some data to go on. To be fair, I've been scanning regularly with MBAM and I've never found anything with the Full Scan that doesn't also show up on the Quick Scan (with the exception of the very first time I ran it, when the whole PC was full of viruses, as detailed in my original thread). I'm pretty sure that this log will at least be very similar, if not identical, to the Full Scan log.

As for RSIT - the first time I downloaded it, Windows gave me an error message to tell me it "wasn't a valid Win32 Application". I re-downloaded the file and it appears to be ok now. I'm putting that one down to a corrupted download; but I thought I'd mention it in case it's relevant.

Anyway, here's the logs. Thanks, again, for your help here.

Best wishes,

--
Khrys.


Malwarebytes' Anti-Malware 1.39
Database version: 2488
Windows 5.1.2600 Service Pack 3

23/07/2009 22:47:09
mbam-log-2009-07-23 (22-47-09).txt

Scan type: Quick Scan
Objects scanned: 104120
Time elapsed: 5 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\IPHACTION.dll (Trojan.Proscks) -> Delete on reboot.
C:\WINDOWS\system32\tcpcon.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\AdvOcr.dll (Trojan.Hacktool) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\IPHACTION.dll (Trojan.Proscks) -> Delete on reboot.
C:\WINDOWS\system32\tcpcon.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TRSOCR.dat (Trojan.Agent) -> Delete on reboot.



*********************************************************************************


Logfile of random's system information tool 1.06 (written by random/random)
Run by Khrys at 2009-07-23 23:35:50
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 19 GB (51%) free of 36 GB
Total RAM: 447 MB (4% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:36:04, on 23/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Khrys\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Khrys.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://signup.worldofwarcraft.com/trial/QS.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1149324803055
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A3AA692-FA27-485A-8C22-E10A9EC76F66}: NameServer = 212.139.132.25 212.139.132.24
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

--
End of file - 3673 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-12-18 59032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-05-02 1107224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{327C2873-E90D-4c37-AA9D-10AC9BABA46C} - Easy-WebPrint - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll [2004-08-26 405504]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-06-28 1948440]
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
C:\WINDOWS\AGRSMMSG.exe [2004-06-29 88363]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AspireService]
C:\Program Files\Acer\Acer eMode Management\AspireService.exe [2005-06-21 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eRecoveryService]
C:\Program Files\Acer\eRecovery\Monitor.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
C:\WINDOWS\system32\HDAShCut.exe [2005-01-08 61952]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-04 208952]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
Alaunch []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaSync]
C:\Program Files\Acer\Acer eConsole\MediaSync.exe [2005-06-21 425984]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe [2004-08-04 59392]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntiMUI]
c:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe [2005-05-12 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2004-07-15 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
C:\WINDOWS\RTHDCPL.EXE [2005-09-22 14854144]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe /icon []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe [2005-03-04 36975]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DSLMON.lnk]
C:\PROGRA~1\SAGEM\SAGEMF~1\dslmon.exe [2004-07-28 962661]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^Tiscali Uplink.lnk]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SNDSrvc"=2
"Automatic LiveUpdate Scheduler"=2
"WZCSVC"=2
"wuauserv"=2
"wscsvc"=2
"Schedule"=2
"ERSvc"=2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2008-08-21 143360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-06-28 11952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2006-06-19 702768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Acer\Acer eConsole\eConsole.exe"="C:\Program Files\Acer\Acer eConsole\eConsole.exe:LocalSubNet:Enabled:eConsole"
"C:\Program Files\Grisoft\AVG Free\avginet.exe"="C:\Program Files\Grisoft\AVG Free\avginet.exe:*:Enabled:avginet.exe"
"C:\Program Files\Grisoft\AVG Free\avgamsvr.exe"="C:\Program Files\Grisoft\AVG Free\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\Program Files\Grisoft\AVG Free\avgcc.exe"="C:\Program Files\Grisoft\AVG Free\avgcc.exe:*:Enabled:avgcc.exe"
"\\Khrysbox\C\Program Files\Winamp\winamp.exe"="\\Khrysbox\C\Program Files\Winamp\winamp.exe:*:Enabled:winamp.exe"
"\\Khrysbox\C\Program Files\Winamp\winampa.exe"="\\Khrysbox\C\Program Files\Winamp\winampa.exe:*:Enabled:winampa.exe"
"\\Khrysbox\C\Program Files\World of Warcraft\BackgroundDownloader.exe"="\\Khrysbox\C\Program Files\World of Warcraft\BackgroundDownloader.exe:*:Enabled:BackgroundDownloader.exe"
"D:\Program Files\World of Warcraft\BackgroundDownloader.exe"="D:\Program Files\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\Acer\Acer eConsole\MediaServerService.exe"="C:\Program Files\Acer\Acer eConsole\MediaServerService.exe:LocalSubNet:Disabled:Acer Media Server"
"C:\Program Files\Acer\Acer eConsole\MediaSync.exe"="C:\Program Files\Acer\Acer eConsole\MediaSync.exe:LocalSubNet:Disabled:Media Synchoronizer"
"\\Khrysbox\C\Program Files\WarRock\System\WarRock.exe"="\\Khrysbox\C\Program Files\WarRock\System\WarRock.exe:*:Disabled:WarRock.exe"
"\\khrysbox\C\Program Files\WarRock\WRLauncher.exe"="\\khrysbox\C\Program Files\WarRock\WRLauncher.exe:*:Disabled:WRLauncher.exe"
"\\khrysbox\C\Program Files\WarRock\WRUpdater.exe"="\\khrysbox\C\Program Files\WarRock\WRUpdater.exe:*:Disabled:WRUpdater.exe"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Disabled:Yahoo! FT Server"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Disabled:Yahoo! Messenger"
"D:\Program Files\World of Warcraft\WoW-2.4.1.8125-to-2.4.2.8278-enGB-downloader.exe"="D:\Program Files\World of Warcraft\WoW-2.4.1.8125-to-2.4.2.8278-enGB-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"D:\Program Files\Wolfenstein - Enemy Territory\ET.exe"="D:\Program Files\Wolfenstein - Enemy Territory\ET.exe:*:Enabled:ET"
"D:\Program Files\Valve\Steam\SteamApps\khrystalar\counter-strike source\hl2.exe"="D:\Program Files\Valve\Steam\SteamApps\khrystalar\counter-strike source\hl2.exe:*:Enabled:hl2"
"D:\Program Files\Valve\Steam\SteamApps\khrystalar\synergy\hl2.exe"="D:\Program Files\Valve\Steam\SteamApps\khrystalar\synergy\hl2.exe:*:Enabled:hl2"
"D:\Program Files\Valve\Steam\SteamApps\khrystalar\insurgency\hl2.exe"="D:\Program Files\Valve\Steam\SteamApps\khrystalar\insurgency\hl2.exe:*:Enabled:hl2"
"D:\Program Files\Valve\Steam\SteamApps\khrystalar\half-life 2 deathmatch\hl2.exe"="D:\Program Files\Valve\Steam\SteamApps\khrystalar\half-life 2 deathmatch\hl2.exe:*:Enabled:hl2"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Documents and Settings\Khrys\Local Settings\Temp\Blizzard Launcher Temporary - 13de7d10\Launcher.exe"="C:\Documents and Settings\Khrys\Local Settings\Temp\Blizzard Launcher Temporary - 13de7d10\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\Documents and Settings\Khrys\Local Settings\Temp\Blizzard Launcher Temporary - d0bd01d8\Launcher.exe"="C:\Documents and Settings\Khrys\Local Settings\Temp\Blizzard Launcher Temporary - d0bd01d8\Launcher.exe:*:Enabled:Blizzard Launcher"
"D:\Program Files\World of Warcraft\Launcher.exe"="D:\Program Files\World of Warcraft\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\Program Files\Outbreak\OutBreak.exe"="C:\Program Files\Outbreak\OutBreak.exe:*:Disabled:Codename: Outbrake"
"\\Khrysbox\C\Program Files\Gnoozle\Gnoozle.exe"="\\Khrysbox\C\Program Files\Gnoozle\Gnoozle.exe:*:Disabled:Gnoozle.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##Laptop#Lappy DVD]
shell\AutoRun\command - X:\LaunchEAW.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##Ricks-lappy#WoW DVD]
shell\AutoRun\command - X:\Installer.exe


======List of files/folders created in the last 1 months======

2009-07-23 23:35:50 ----D---- C:\rsit
2009-07-23 23:30:42 ----A---- C:\WINDOWS\system32\IPHACTION.dll
2009-07-23 23:30:37 ----A---- C:\WINDOWS\system32\tcpcon.dll
2009-07-23 14:48:47 ----A---- C:\WINDOWS\system32\bversion.dll
2009-07-23 14:22:09 ----A---- C:\WINDOWS\Active Setup Log.txt
2009-07-23 14:22:09 ----A---- C:\WINDOWS\Active Setup Log.BAK
2009-07-19 21:27:29 ----A---- C:\WINDOWS\system32\TRSOCR.dll
2009-07-19 21:27:28 ----A---- C:\WINDOWS\system32\TRSOCR.ini
2009-07-15 15:05:06 ----HDC---- C:\WINDOWS\$NtUninstallKB973346$
2009-07-15 15:04:59 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2009-07-15 15:02:36 ----HDC---- C:\WINDOWS\$NtUninstallKB961371$
2009-07-12 20:38:28 ----HDC---- C:\WINDOWS\$NtUninstallKB961501$
2009-07-12 11:49:21 ----SHD---- C:\found.000
2009-07-10 14:59:31 ----D---- C:\WINDOWS\WBEM
2009-07-10 14:41:26 ----A---- C:\WINDOWS\system32\localspl.dll
2009-07-10 14:41:10 ----A---- C:\WINDOWS\system32\wininet.dll
2009-07-10 14:41:10 ----A---- C:\WINDOWS\system32\urlmon.dll
2009-07-10 14:41:10 ----A---- C:\WINDOWS\system32\shdocvw.dll
2009-07-10 14:41:10 ----A---- C:\WINDOWS\system32\mshtml.dll
2009-07-10 14:41:10 ----A---- C:\WINDOWS\system32\ieencode.dll
2009-07-10 14:41:09 ----HDC---- C:\WINDOWS\$NtUninstallKB969897$
2009-07-10 14:36:51 ----A---- C:\WINDOWS\system32\rpcrt4.dll
2009-06-28 08:10:30 ----D---- C:\Program Files\Trend Micro
2009-06-27 16:28:02 ----A---- C:\RootRepeal report 06-27-09 (16-28-02).txt
2009-06-27 14:28:50 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-27 14:28:38 ----D---- C:\Program Files\SUPERAntiSpyware
2009-06-27 14:28:38 ----D---- C:\Documents and Settings\Khrys\Application Data\SUPERAntiSpyware.com
2009-06-27 14:28:15 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-06-27 12:14:39 ----A---- C:\RootRepeal report 06-27-09 (12-14-39).txt
2009-06-27 11:49:21 ----D---- C:\Program Files\7-Zip
2009-06-27 11:45:01 ----D---- C:\Documents and Settings\Khrys\Application Data\Malwarebytes
2009-06-27 11:44:50 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-06-27 11:44:49 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-06-25 16:50:56 ----HD---- C:\$AVG8.VAULT$
2009-06-25 15:59:10 ----A---- C:\WINDOWS\system32bversion.dll
2009-06-25 15:05:52 ----A---- C:\WINDOWS\system32\fiplock.dll
2009-06-25 15:05:52 ----A---- C:\WINDOWS\system32\fhpatch.dll
2009-06-25 15:04:54 ----A---- C:\WINDOWS\system32\IpSvchostF.dll
2009-06-25 15:04:36 ----A---- C:\WINDOWS\system32\iphy.dll
2009-06-25 15:04:09 ----A---- C:\WINDOWS\system32\AkKoOUJSqu.ini
2009-06-25 15:03:51 ----A---- C:\11.ini

======List of files/folders modified in the last 1 months======

2009-07-23 23:30:54 ----AD---- C:\WINDOWS\system32
2009-07-23 23:27:59 ----D---- C:\Program Files\Mozilla Firefox
2009-07-23 22:49:01 ----A---- C:\WINDOWS\ModemLog_Agere Systems PCI Soft Modem.txt
2009-07-23 22:47:28 ----AD---- C:\WINDOWS\system32\drivers
2009-07-23 22:39:26 ----D---- C:\WINDOWS\Temp
2009-07-23 14:29:12 ----AD---- C:\WINDOWS
2009-07-23 14:27:43 ----RSHD---- C:\WINDOWS\system32\dllcache
2009-07-23 14:27:42 ----D---- C:\WINDOWS\system32\en-us
2009-07-23 14:27:42 ----D---- C:\WINDOWS\Help
2009-07-23 14:27:42 ----D---- C:\Program Files\Internet Explorer
2009-07-23 14:26:21 ----HD---- C:\WINDOWS\inf
2009-07-23 14:26:10 ----D---- C:\WINDOWS\system32\CatRoot2
2009-07-23 14:14:37 ----D---- C:\WINDOWS\system32\wbem
2009-07-23 14:14:37 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-07-23 14:14:27 ----SHD---- C:\WINDOWS\Installer
2009-07-23 14:14:27 ----A---- C:\WINDOWS\ODBC.INI
2009-07-23 14:14:07 ----A---- C:\WINDOWS\win.ini
2009-07-23 12:50:12 ----A---- C:\WINDOWS\entpack.ini
2009-07-19 21:04:04 ----RD---- C:\Program Files
2009-07-15 15:05:09 ----A---- C:\WINDOWS\imsins.BAK
2009-07-15 15:05:05 ----HD---- C:\WINDOWS\$hf_mig$
2009-07-12 20:15:51 ----D---- C:\WINDOWS\system32\CatRoot
2009-07-12 12:04:19 ----A---- C:\WINDOWS\ntbtlog.txt
2009-07-11 17:30:08 ----A---- C:\WINDOWS\DUMP686e.tmp
2009-07-10 14:59:27 ----D---- C:\WINDOWS\Media
2009-07-07 16:10:56 ----A---- C:\WINDOWS\system32\MRT.exe
2009-06-28 08:12:22 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2009-06-27 14:47:20 ----D---- C:\Documents and Settings
2009-06-27 12:06:18 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2009-06-27 11:34:55 ----SD---- C:\Documents and Settings\Khrys\Application Data\Microsoft

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-06-28 327688]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-06-28 27784]
R1 AvgTdiX;AVG8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-05-02 108552]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 UBHelper;UBHelper; C:\WINDOWS\system32\drivers\UBHelper.sys [2004-12-18 13952]
R3 adiusbaw;USB ADSL WAN Adapter; C:\WINDOWS\system32\DRIVERS\adiusbaw.sys [2004-03-02 127065]
R3 Afc;PPdus ASPI Shell; C:\WINDOWS\system32\drivers\Afc.sys [2005-02-23 11776]
R3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\system32\DRIVERS\AGRSM.sys [2004-06-29 1268204]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2008-08-21 3299840]
R3 BridgeMP;MAC Bridge Miniport; C:\WINDOWS\system32\DRIVERS\bridge.sys [2008-04-13 71552]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2005-09-23 3966976]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 NTIDrvr;Upper Class Filter Driver; C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys [2005-06-18 6144]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2006-10-02 10368]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 yukonwxp;NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller; C:\WINDOWS\system32\DRIVERS\yk51x86.sys [2007-12-06 285952]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S2 ADILOADER;General Purpose USB Driver (adildr.sys); C:\WINDOWS\System32\Drivers\adildr.sys [2004-03-02 50007]
S3 alcan5wn;SpeedTouch USB ADSL PPP Networking Driver (NDISWAN); C:\WINDOWS\system32\DRIVERS\alcan5wn.sys [2003-12-08 53600]
S3 alcaudsl;SpeedTouch ADSL Modem ATM Transport; C:\WINDOWS\system32\DRIVERS\alcaudsl.sys [2003-12-08 70688]
S3 Bridge;MAC Bridge; C:\WINDOWS\system32\DRIVERS\bridge.sys [2008-04-13 71552]
S3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\HdAudio.sys [2005-01-08 145920]
S3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-13 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2008-08-21 573440]
R2 avg8emc;AVG8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2009-06-28 906520]
R2 avg8wd;AVG8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-06-28 298776]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2008-08-20 593920]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-14 267776]
S2 toisfvet;poebunv sevcive; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 getPlus® Helper;getPlus® Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2008-12-01 33752]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 Acer Media Server;Acer Media Server; C:\Program Files\acer\Acer eConsole\MediaServerService.exe [2005-06-21 438272]
S4 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2008-10-05 66872]

-----------------EOF-----------------




********************************************************************************************



info.txt logfile of random's system information tool 1.06 2009-07-23 23:36:08

======Uninstall list======

-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\system32\UninstIPP.isu
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 4.65-->"C:\Program Files\7-Zip\Uninstall.exe"
Acer eConsole-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EC028E6B-F3F1-4192-B63E-A7C97302ED5A}\setup.exe" -l0x9
Acer eMode Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{65CDEC30-4BF4-48FB-8059-9FC480E4E94F}\setup.exe" -l0x9
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Agere Systems PCI Soft Modem-->agrsmdel
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG 8.5-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
AyrSuite Plus-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{93B95BFE-1B4D-4A8C-92B6-5ECDB4466C95}\Setup.exe" -l0x9
Cactus Spam Filter-->"C:\Program Files\Cactus Spam Filter 2.13\Uninstall.exe" "C:\Program Files\Cactus Spam Filter 2.13\install.log"
Canon MP Drivers 6.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3FF3DD04-F386-46B0-97FC-B86238B65487}\Setup.exe" -l0x9 -Uninstall
Canon MP Navigator 1.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{109AB81D-9732-40B3-9C1F-113A86CE6F93}\setup.exe" /SUUninstall
Canon ScanGear Starter-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{18A5DFF2-8A95-49F3-873F-743CB5549F3D}\setup.exe" -l0x9 anything
Canon Utilities Easy-PhotoPrint-->C:\Program Files\Canon\Easy-PhotoPrint\uninst.exe C:\Program Files\Canon\Easy-PhotoPrint\uninst.ini
CD-LabelPrint-->"C:\Program Files\Canon\CD-LabelPrint\Uninstal.exe" Canon.CDLabelPrint.Application
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
Easy-WebPrint-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Indeo® Software-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Ligos\Indeo\Uninst.isu" -c"C:\Program Files\Ligos\Indeo\Indeo System Files\indounin.dll"
J2SE Runtime Environment 5.0 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Standard Edition 2003-->MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works-->MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Mozilla Firefox (3.0.10)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
NTI Backup NOW! 4-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{385979FE-DC4F-4140-8EAD-A59625000D72} /l1033 BUN4
NTI CD & DVD-Maker-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2} /l1033 CDM7
NTI HomeVideo-Maker-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B8A6F713-D72D-47AD-A92D-B5C0E13F98C1}\setup.exe" -l0x9
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Presto! PageManager 6.01-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5BE42A03-E7B8-42A9-B1BB-FC48B03D58B8}\SETUP.EXE" -l0x9 anything
Realtek High Definition Audio Driver-->RtlUpd.exe -r
SAGEM F@st 800-840-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4AE3A0CB-87B0-4F51-BECD-3D1F8DFDD62F}\Setup.exe" -l0x9
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB963027)-->"C:\WINDOWS\$NtUninstallKB963027$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969897)-->"C:\WINDOWS\$NtUninstallKB969897$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Shockwave-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\INSTALL.LOG
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Volo View Express-->MsiExec.exe /I{1ECD6EC8-7BB2-4CD5-A384-BAA371BC4D21}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
Wolfenstein - Enemy Territory-->D:\PROGRA~1\WOLFEN~1\Uninstall\Unwise.exe /u D:\PROGRA~1\WOLFEN~1\Uninstall\Install.log
World of Warcraft-->C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe

=====HijackThis Backups=====

O1 - Hosts: 115.47.207.146 www.asdfasdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdfadsdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdf-asdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.aswwdfasdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdfa33sdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdfagsdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdf4asdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.as66dfasdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdfyyasdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 antispyware.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdf9asdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdfasdfkd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.gg.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdfasdmfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdeefasdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdfaoosdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdfafsdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdfasdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdfasdfjd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdfaffsdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdfrrasdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.3.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asxdfasdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.1.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdmmmfasdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdfatsdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdfasdhfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdfasd44fd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdf8asdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdfasdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asnnndfasdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.antispyware.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdfasdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdfvasdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.ghfhj.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdfasdf,d.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdf77asdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.as222dfasdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdfabsdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdfasdfld.com [2009-06-28]
O1 - Hosts: 115.47.207.146 antispy.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdfasgdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.live.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.antispy.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.11asdfasdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.aswwdfasdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdfttasdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdfffasdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdfavvvsdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.cvnbcvnb.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdfappsdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdfasdfd5.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.aqqsdfasdfd.com [2009-06-28]
O1 - Hosts: 123.16.197.121 www.asdhhfasdfdyy.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdfasssdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdfasdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdf0asdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdfasndfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdzfasdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdfuuuasdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdfawsdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdfeasdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdcfasdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdhhfasdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdfaiisdfd.com [2009-06-28]
O1 - Hosts: 115.47.207.146 www.asdwwwfasdfd.com [2009-06-28]
O20 - AppInit_DLLs: C:\DOCUME~1\User\LOCALS~1\Temp\133597962553mxx.dll,C:\DOCUME~1\User\LOCALS~1\Temp\134163282549mxx.dll,C:\DOCUME~1\User\LOCALS~1\Temp\134370152510mxx.dll,C:\DOCUME~1\User\LOCALS~1\Temp\134620932535mxx.dll,C:\DOCUME~1\User\LOCALS~1\Temp\195225312535mxx.dll,C:\DOCUME~1\User\LOCALS~1\Temp\19556140259mxx.dll,C:\DOCUME~1\User\LOCALS~1\Temp\196500002543mxx.dll,C:\DOCUME~1\User\LOCALS~1\Temp\19728531251mxx.dll,C:\DOCUME~1\User\LOCALS~1\Temp\198871872540mxx.dll,C:\DOCUME~1\User\LOCALS~1\Temp\2547962650mxx.dll,C:\DOCUME~1\User\LOCALS~1\Temp\1851092636mxx.dll [2009-06-28]
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A3AA692-FA27-485A-8C22-E10A9EC76F66}: NameServer = 212.139.132.25 212.139.132.24 [2009-06-28]
O23 - Service: Acer Media Server - Acer Inc. - C:\Program Files\acer\Acer eConsole\MediaServerService.exe [2009-06-28]
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe [2009-06-28]
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2009-06-28]

======Security center information======

AV: AVG Anti-Virus Free

======System event log======

Computer Name: ACER
Event Code: 29
Message: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Record Number: 69691
Source Name: W32Time
Time Written: 20090704125419.000000+060
Event Type: error
User:

Computer Name: ACER
Event Code: 17
Message: Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Record Number: 69690
Source Name: W32Time
Time Written: 20090704125419.000000+060
Event Type: error
User:

Computer Name: ACER
Event Code: 29
Message: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Record Number: 69689
Source Name: W32Time
Time Written: 20090704125416.000000+060
Event Type: error
User:

Computer Name: ACER
Event Code: 17
Message: Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Record Number: 69688
Source Name: W32Time
Time Written: 20090704125416.000000+060
Event Type: error
User:

Computer Name: ACER
Event Code: 7000
Message: The General Purpose USB Driver (adildr.sys) service failed to start due to the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.


Record Number: 69662
Source Name: Service Control Manager
Time Written: 20090703105552.000000+060
Event Type: error
User:

=====Application event log=====

Computer Name: ACER
Event Code: 1517
Message: Windows saved user ACER\User registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 1934
Source Name: Userenv
Time Written: 20080219104214.000000+000
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: ACER
Event Code: 1517
Message: Windows saved user ACER\User registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 1905
Source Name: Userenv
Time Written: 20080215101339.000000+000
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: ACER
Event Code: 1001
Message: Fault bucket 240022574.

Record Number: 1888
Source Name: Application Error
Time Written: 20080213171448.000000+000
Event Type: error
User:

Computer Name: ACER
Event Code: 1000
Message: Faulting application iexplore.exe, version 6.0.2900.2180, faulting module unknown, version 0.0.0.0, fault address 0x045d20e0.

Record Number: 1887
Source Name: Application Error
Time Written: 20080213171442.000000+000
Event Type: error
User:

Computer Name: ACER
Event Code: 1517
Message: Windows saved user ACER\User registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 1882
Source Name: Userenv
Time Written: 20080213114709.000000+000
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\Autodesk Shared\;C:\Program Files\Common Files\Ulead Systems\MPEG
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 3, GenuineIntel
"PROCESSOR_REVISION"=0403
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------

Edited by Khrystalar, 23 July 2009 - 05:49 PM.


#4 syler (Malware Response Team)

Posted 23 July 2009 - 06:36 PM

Hi Khrys :thumbup2:

It sounds like you are having a few problems and quite a few baddies there, so let's run ComboFix. If your computer won't let you run it because of rebooting, try running it in Safe Mode; if you have any problems, let me know.

Thanks


We will begin with ComboFix.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



#5 Khrystalar (Topic Starter)

Posted 24 July 2009 - 04:39 AM

Good morning! Ha, if I'd realised that you'd still be up at that time of night, I wouldn't have gone to bed so early... :D

Ok, I'll take the recommended action when I get home tonight; I'm at work right now, so I don't have access to the PC. Which at least means that I'm not likely to have a fatal crash half-way through writing this message!

Just a quick couple of questions, though - I've heard that ComboFix can conflict with AntiVirus products, and I can disable AVG from the System Tray, no problems; but as far as I know, this only disables the monitoring and reporting of the various AVG components. The components themselves keep on running (you can see some of them in the Task Manager). Is this likely to interfere with ComboFix, and if so, can you point me in the direction of something I can read that'll tell me how to disable the components themselves? I know it's not as simple as just killing the processes through Task Manager; they just keep restarting themselves.

Hey, just so you know - the PC actually didn't crash 15-20 minutes in, when I was writing my message to you, last night. So I thought "Great, I'll run MBAM again and get the full-scan report". So I did. And then the damn thing crashed, about 15 minutes into the scan. So it seems to be that this scan - and/or possibly something that AVG does in the background - triggers off the shutdown. Almost as if the sneaky little Trojans realise that I'm looking for them, and take some sort of emergency action to protect themselves.

Anyway, hope you're having a good day. :thumbup2:

Best wishes,

--
Khrys.

#6 syler (Malware Response Team)

Posted 24 July 2009 - 10:10 AM

Good Afternoon Khrys,

I am not familiar with the AVG interface as I have never used it, but a quick search brought up this. Let me know if this works; if not, we will try something else before you run ComboFix. Don't worry about MBAM for now; let's just see what ComboFix comes up with.

Regards
Syler



#7 Khrystalar (Topic Starter)

Posted 24 July 2009 - 06:57 PM

Good morning. :thumbup2:

Ok, thanks for the advice. I disabled AVG's Resident Shield as instructed in the link, and ran ComboFix; didn't notice any problems with the procedure, although I think there may still have been some AVG processes running. It's highly probable that these were just passive components such as the Link Scanner and E-Mail Scanner; the Resident Shield was almost certainly what I needed to disable, being the most likely program to interfere with something like ComboFix.

ComboFix did its stuff; and on the way, deleted several files from my system (I didn't ask it to, it seemed to be part of the automatic process) which I'm sure will be evident from the logs below. I was actually highly suspicious of most of those particular files, having researched the problem DLLs on the web and seen them pop up frequently on the scan reports of other people who were suffering problems with the same viruses, so I'm glad they're gone.

I've had the PC on for about half an hour now (I went out for a cigarette in the middle of writing this message!) since the reboot performed by ComboFix, and as yet I've not had any warnings from AVG, and the system hasn't crashed. So I'm keeping my fingers crossed that the problem is at least partially solved; see what you think from the logs, below.

Can't thank you enough for your continued help. :)

Cheers,

--
Khrys.



ComboFix 09-07-23.04 - Khrys 25/07/2009 0:28.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.98 [GMT 1:00]
Running from: c:\documents and settings\Khrys\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-2657483566-2493418000-2147295985-1003
c:\windows\Install.txt
c:\windows\Installer\145ce.msp
c:\windows\Installer\79c9bc.msp
c:\windows\Installer\79c9fa.msp
c:\windows\Installer\79ca38.msp
c:\windows\Installer\79ca76.msp
c:\windows\system32\bversion.dll
c:\windows\system32\C3A5
c:\windows\system32\C4D5
c:\windows\system32\Drivers\edmagtum.sys
c:\windows\system32\fhpatch.dll
c:\windows\system32\fiplock.dll
c:\windows\system32\Install.txt
c:\windows\system32\IPHACTION.dll
c:\windows\system32\iphy.dll
c:\windows\system32\IpSvchostF.dll
c:\windows\system32\tcpcon.dll
c:\windows\system32\TRSOCR.dat
c:\windows\system32bversion.dll

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSNCACHE
-------\Legacy_SOPIDKC
-------\Service_wrwft


((((((((((((((((((((((((( Files Created from 2009-06-24 to 2009-07-24 )))))))))))))))))))))))))))))))
.

2009-07-24 09:29 . 2009-06-28 07:12 327688 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
2009-07-24 09:29 . 2009-06-28 07:12 2052376 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-07-24 09:29 . 2009-06-28 07:12 2167576 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
2009-07-24 09:29 . 2009-06-28 07:12 906520 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgemc.exe
2009-07-24 09:29 . 2009-06-28 07:12 3402008 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-07-24 09:29 . 2009-06-28 07:12 2301208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
2009-07-24 09:29 . 2009-06-28 07:12 353048 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
2009-07-24 09:29 . 2009-06-28 07:12 1204504 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgabout.dll
2009-07-24 09:29 . 2009-06-28 07:12 337176 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglogx.dll
2009-07-24 09:29 . 2009-06-28 07:12 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-07-24 09:29 . 2009-06-28 07:12 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-07-24 09:27 . 2009-06-28 07:05 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-07-24 09:27 . 2009-06-28 07:05 1454360 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-07-23 22:35 . 2009-07-23 22:36 -------- d-----w- C:\rsit
2009-07-19 20:27 . 2009-07-24 16:21 94208 ----a-w- c:\windows\system32\TRSOCR.dll
2009-07-19 19:17 . 2009-07-19 19:17 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-13 00:17 . 2009-07-13 08:13 117760 ----a-w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-13 00:17 . 2009-07-13 00:17 -------- d-----w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com
2009-07-12 10:49 . 2009-07-12 10:49 -------- d-sh--w- C:\found.000
2009-07-11 23:23 . 2008-04-13 19:30 1845632 ------w- c:\windows\system32\drivers\win32k.sys
2009-07-11 13:18 . 2009-07-11 13:18 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-10 14:23 . 2009-07-10 14:23 -------- d-sh--w- c:\documents and settings\Khrys\IETldCache
2009-07-10 14:17 . 2009-07-10 14:17 -------- d-sh--w- c:\documents and settings\User\IETldCache
2009-07-10 13:41 . 2009-05-07 15:32 345600 ----a-w- c:\windows\system32\localspl.dll
2009-07-10 13:41 . 2009-04-29 04:46 3068928 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2009-07-10 13:41 . 2009-04-29 04:46 666624 ----a-w- c:\windows\system32\wininet.dll
2009-07-10 13:41 . 2009-04-29 04:46 666624 ----a-w- c:\windows\system32\dllcache\wininet.dll
2009-07-10 13:41 . 2009-04-29 04:46 620032 ----a-w- c:\windows\system32\dllcache\urlmon.dll
2009-07-10 13:41 . 2009-04-29 04:46 1499136 ----a-w- c:\windows\system32\dllcache\shdocvw.dll
2009-07-10 13:41 . 2009-04-29 04:46 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-07-10 13:41 . 2009-04-29 04:46 81920 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2009-07-10 13:36 . 2008-04-14 00:12 584704 ----a-w- c:\windows\system32\rpcrt4.dll
2009-07-10 13:36 . 2009-02-09 11:13 1846784 ----a-w- c:\windows\system32\win32k.sys
2009-07-10 13:36 . 2009-02-09 11:13 1846784 ----a-w- c:\windows\system32\dllcache\win32k.sys
2009-07-06 09:53 . 2009-07-06 09:53 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2009-06-28 07:10 . 2009-06-28 07:10 -------- d-----w- c:\program files\Trend Micro
2009-06-27 13:30 . 2009-07-19 20:16 117760 ----a-w- c:\documents and settings\Khrys\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-27 13:28 . 2009-06-27 13:28 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-27 13:28 . 2009-06-27 13:28 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-27 13:28 . 2009-06-27 13:28 -------- d-----w- c:\documents and settings\Khrys\Application Data\SUPERAntiSpyware.com
2009-06-27 13:28 . 2009-06-27 13:28 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-27 10:49 . 2009-06-27 10:49 -------- d-----w- c:\program files\7-Zip
2009-06-27 10:45 . 2009-06-27 10:45 -------- d-----w- c:\documents and settings\Khrys\Application Data\Malwarebytes
2009-06-27 10:44 . 2009-07-13 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-27 10:44 . 2009-07-13 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-27 10:44 . 2009-06-27 10:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-27 10:44 . 2009-07-19 19:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-25 15:50 . 2009-07-24 14:47 -------- d--h--w- C:\$AVG8.VAULT$

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-24 09:28 . 2008-05-20 09:41 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-11 16:30 . 2005-09-26 06:51 94208 ----a-w- c:\windows\DUMP686e.tmp
2009-06-28 07:12 . 2008-05-20 09:41 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-28 07:12 . 2007-04-08 11:04 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-27 11:06 . 2008-05-20 09:41 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-16 14:36 . 1980-01-01 07:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 1980-01-01 07:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-05 12:21 . 2006-06-03 12:34 4854 ----a-w- c:\documents and settings\User\Application Data\wklnhst.dat
2009-06-03 19:09 . 1980-01-01 07:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-09 17:04 . 2007-10-24 10:46 445 ----a-w- c:\windows\EntPack.dat
2009-05-02 20:11 . 2008-05-20 09:41 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-16 10:13 . 2009-07-16 10:13 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-28 1948440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-28 07:12 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DSLMON.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DSLMON.lnk
backup=c:\windows\pss\DSLMON.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^Tiscali Uplink.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\Tiscali Uplink.lnk
backup=c:\windows\pss\Tiscali Uplink.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SNDSrvc"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"Schedule"=2 (0x2)
"ERSvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"\\\\Khrysbox\\C\\Program Files\\Winamp\\winamp.exe"=
"\\\\Khrysbox\\C\\Program Files\\Winamp\\winampa.exe"=
"\\\\Khrysbox\\C\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"d:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"\\\\Khrysbox\\C\\Program Files\\WarRock\\System\\WarRock.exe"=
"\\\\khrysbox\\C\\Program Files\\WarRock\\WRLauncher.exe"=
"\\\\khrysbox\\C\\Program Files\\WarRock\\WRUpdater.exe"=
"d:\\Program Files\\World of Warcraft\\WoW-2.4.1.8125-to-2.4.2.8278-enGB-downloader.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"d:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"=
"d:\\Program Files\\Valve\\Steam\\SteamApps\\khrystalar\\counter-strike source\\hl2.exe"=
"d:\\Program Files\\Valve\\Steam\\SteamApps\\khrystalar\\synergy\\hl2.exe"=
"d:\\Program Files\\Valve\\Steam\\SteamApps\\khrystalar\\insurgency\\hl2.exe"=
"d:\\Program Files\\Valve\\Steam\\SteamApps\\khrystalar\\half-life 2 deathmatch\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\World of Warcraft\\Launcher.exe"=
"\\\\Khrysbox\\C\\Program Files\\Gnoozle\\Gnoozle.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Blizard Downloader
"3724:TCP"= 3724:TCP:Blizzard Downloader
"5340:TCP"= 5340:TCP:*:Disabled:WarRock TCP 5340
"5350:UDP"= 5350:UDP:*:Disabled:WarRock UDP 5350
"5351:UDP"= 5351:UDP:*:Disabled:WarRock UDP 5351

R0 m5287;m5287;c:\windows\system32\drivers\m5287.sys [01/01/1980 08:00 85888]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [20/05/2008 10:41 335752]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [20/05/2008 10:41 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/06/2009 11:01 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [23/06/2009 11:01 72944]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [07/07/2008 10:12 907032]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [07/07/2008 10:12 298776]
S2 toisfvet;poebunv sevcive;c:\windows\system32\svchost.exe -k toisfvet [01/01/1980 08:00 14336]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [07/01/2009 15:44 33752]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [23/06/2009 11:01 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
toisfvet REG_MULTI_SZ toisfvet
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://global.acer.com
uInternet Connection Wizard,ShellNext = https://signup.worldofwarcraft.com/trial/QS.htm
TCP: {6A3AA692-FA27-485A-8C22-E10A9EC76F66} = 212.139.132.25 212.139.132.24
FF - ProfilePath - c:\documents and settings\Khrys\Application Data\Mozilla\Firefox\Profiles\g8v2a3so.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/advanced_search?hl=en
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPOFFICE.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppdf32.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-25 00:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3872)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-24 0:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-24 23:35

Pre-Run: 19,311,357,952 bytes free
Post-Run: 22,692,274,176 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

234 --- E O F --- 2009-07-24 15:02



One more note, on anything in this (or previous) log that points to a system called "Khrysbox"; this is actually an old PC of mine that used to be networked to the PC that currently has issues. I sold that to a friend of mine over two years ago, now, though; I'm not quite sure what the references are doing showing up in these logs. Possibly some settings which got altered within the Firewall Settings to allow certain programs on the old machine to connect?

Cheers,

--
Khrys.

#8 syler (Malware Response Team)

Posted 25 July 2009 - 04:29 AM

Hi Khrys,

That worked to disable AVG; ComboFix is reporting it was disabled. As for the Khrysbox entries, since these are just leftovers that you have no need for, I will remove them in this script.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Collect::
c:\windows\system32\TRSOCR.dll
c:\windows\system32\drivers\m5287.sys
Folder::
C:\found.000
File::
c:\windows\DUMP686e.tmp
Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"\\\\Khrysbox\\C\\Program Files\\Winamp\\winamp.exe"=-
"\\\\Khrysbox\\C\\Program Files\\Winamp\\winampa.exe"=-
"\\\\Khrysbox\\C\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=-
"\\\\Khrysbox\\C\\Program Files\\WarRock\\System\\WarRock.exe"=-
"\\\\khrysbox\\C\\Program Files\\WarRock\\WRLauncher.exe"=-
"\\\\khrysbox\\C\\Program Files\\WarRock\\WRUpdater.exe"=-
"\\\\Khrysbox\\C\\Program Files\\Gnoozle\\Gnoozle.exe"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5340:TCP"=-
"5350:UDP"=-
"5351:UDP"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"toisfvet"=-
Driver::
m5287

Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



#9 Khrystalar (Topic Starter)

Posted 25 July 2009 - 09:53 AM

Hi again. Big problems, I'm afraid. :thumbup2:

Ok, to start from the top - when I dropped your script onto ComboFix this morning, the first thing it did was tell me there was a new version of ComboFix and asked me if I wanted to update. I said yes, although it occurred to me after that I maybe should've asked you first. Anyway, I don't think that's actually part of the problem.

ComboFix updated and re-ran itself, and executed your script. Then it restarted the computer. Trouble is, it now won't boot Windows in any state, even Safe Mode. It gives a Blue Screen error telling me to check for viruses and remove any recently-installed hard-drive controllers. I think this is the problem - the m5287 driver that ComboFix removed was actually the driver for the SATA Hard-Drive in this machine.

This is as much my fault as it is yours; more so, probably, 'cos I really should've seen that coming. I knew I recognised the name of the driver when I saw it in your script, but I couldn't think where from. When I was using Recovery Console a couple of weeks ago, to recover from the BSoDs I was experiencing, I initially couldn't log onto my Windows installation because Recovery Console couldn't properly detect my Hard-Drive. It turns out that, like RAID and SCSI drives, my SATA drive isn't supported by the generic drivers that come built-in to Recovery Console; I had to press F6 when Recovery Console was loading in order to load third-party drivers as part of the startup.

Irritatingly, this can ONLY be done via a floppy drive; Recovery Console won't load drivers any other way. And I haven't seen a new machine in several years that's actually come with a Floppy drive as-standard; my father's certainly doesn't. I had to cannibalise an old PC to get a drive out of it, then plug it into a spare IDE port and then use that to load the drivers, which I downloaded from my motherboard manufacturer's site. And THAT was the m5287 driver.

On the plus side; the above story means that I now actually have the floppy drive plugged in, with a copy of the m5287 driver on it, still sealed in the machine so that it's there if I ever need to use Recovery Console again. If we need to replace the driver I at least have the latest version ready and waiting to go.

I did try copying the driver files from the floppy into c:\Windows\System32\Drivers, using the Recovery Console, in case that would help. But it didn't, so I deleted them.

I've now cycled over to a friend's place to borrow his PC and get this message typed. I can read any response you give using my laptop when I get home again; but because of the way everything's wired up and where the phone points are in my house, the only way I can get an internet connection there right now is to crawl right to the back of the space underneath my dad's desk in his study and plug the USB modem directly into my laptop, then curl up there under the desk and attempt to work. Not the ideal conditions, so I thought I'd come here and at least write in relative comfort.

Anyway, I'm hoping there'll be some easy-ish way to reverse the changes made by ComboFix using the Recovery Console; so I await your further advice on the matter.

Hope you're well. :)

Best wishes,

--
Khrys.

#10 syler (Malware Response Team)

Posted 25 July 2009 - 10:54 AM

Argh, I'm very sorry about that, it's entirely my fault. I don't even know why I flagged it as bad :thumbup2:, I am kicking myself hard for that. Thanks for the detailed information; it really helps that we know what has caused the problem. Restoring the file and the registry should fix it, so let's try this.

Boot into the Recovery Console and copy m5287.sys from your floppy to c:\Windows\System32\Drivers as you did before, then type the following lines into the Recovery Console one by one; this will restore the registry.

cd erdnt\subs
batch erdnt.con
exit

Hopefully it will boot now. Let me know; once again, very sorry for my mistake :)

Regards
Syler


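The service listing in post #7 and the m5287 mistake in posts #9 and #10 both come down to reading the ComboFix service lines before anything is deleted. The leading `R0` on `R0 m5287;m5287;c:\windows\system32\drivers\m5287.sys` marks a boot-start driver (Start=0), which on this machine was the SATA controller; by contrast `S2 toisfvet;poebunv sevcive;c:\windows\system32\svchost.exe -k toisfvet`, paired with a svchost group registered under the same name in the `svchost` registry key, is the classic pattern of a malicious service hiding inside svchost. The Python below is an added example, not code from ComboFix, from BleepingComputer or from either poster. It parses a handful of lines copied from the log and the CFScript in this thread (a constructed sample), flags boot-start drivers and self-registered svchost groups, and warns when a CFScript `Driver::` entry names a boot-start driver. The list of default svchost groups is an assumed, partial XP baseline, not an authoritative reference.

```python
"""Triage a ComboFix service listing and sanity-check a CFScript before running it.

Added example for this thread; not ComboFix, BleepingComputer or poster code.
"""
import re

# Assumption: a partial baseline of default Windows XP svchost groups.
KNOWN_SVCHOST_GROUPS = {
    "dcomlaunch", "rpcss", "netsvcs", "networkservice", "localservice",
    "imgsvc", "termsvcs", "httpfilter",
}

# ComboFix service line: <R|S><Start> <name>;<display>;<image path> [<stamp>]
# R = running, S = stopped; Start 0 = boot, 1 = system, 2 = auto, 3 = demand, 4 = disabled.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)\s+\[(?P<stamp>[^\]]*)\]\s*$"
)
SVCHOST_KEY = "[hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\svchost]"
SVCHOST_GROUP_RE = re.compile(r"^(?P<group>\S+)\s+REG_MULTI_SZ\s+(?P<members>.*)$")
SVCHOST_K_RE = re.compile(r"svchost\.exe\s+-k\s+(?P<group>\S+)", re.IGNORECASE)


def parse_services(lines):
    """Return one dict per service/driver line found in the log."""
    services = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if m:
            svc = m.groupdict()
            svc["start"] = int(svc["start"])
            services.append(svc)
    return services


def parse_svchost_groups(lines):
    """Return {group (lower-case): [member service names]} from the svchost key dump."""
    groups, in_key = {}, False
    for line in lines:
        s = line.strip()
        if s.lower() == SVCHOST_KEY:
            in_key = True
            continue
        if in_key:
            if not s or s[0] in "[.(":  # next key, section banner or end of dump
                in_key = False
                continue
            m = SVCHOST_GROUP_RE.match(s)
            if m:
                groups[m.group("group").lower()] = m.group("members").split()
    return groups


def triage_log(lines):
    """Map service name -> reasons it needs a second look before any removal."""
    groups = parse_svchost_groups(lines)
    findings = {}
    for svc in parse_services(lines):
        reasons = []
        if svc["start"] == 0:
            reasons.append("boot-start driver (Start=0); often the disk controller, "
                           "deleting it can leave the machine unbootable")
        k = SVCHOST_K_RE.search(svc["image"])
        if k:
            group = k.group("group").lower()
            if group not in KNOWN_SVCHOST_GROUPS:
                reasons.append(f"svchost -k group '{group}' is not in the assumed baseline")
            if groups.get(group) == [svc["name"]]:
                reasons.append("sole member of an svchost group registered under its own name")
        if reasons:
            findings[svc["name"]] = reasons
    return findings


def check_cfscript(script_lines, log_lines):
    """Warn about Driver:: entries in a CFScript that target boot-start drivers in the log."""
    boot_drivers = {s["name"].lower() for s in parse_services(log_lines) if s["start"] == 0}
    warnings, section = [], None
    for line in script_lines:
        s = line.strip()
        if s.endswith("::"):
            section = s[:-2].lower()
        elif section == "driver" and s.lower() in boot_drivers:
            warnings.append(f"Driver:: {s} is a boot-start driver in the log; confirm it is "
                            "not the storage controller before running this script")
    return warnings


# Constructed sample: lines copied from the ComboFix log and the CFScript in this thread.
SAMPLE_LOG = r"""
R0 m5287;m5287;c:\windows\system32\drivers\m5287.sys [01/01/1980 08:00 85888]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [20/05/2008 10:41 335752]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [07/07/2008 10:12 298776]
S2 toisfvet;poebunv sevcive;c:\windows\system32\svchost.exe -k toisfvet [01/01/1980 08:00 14336]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [23/06/2009 11:01 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
toisfvet REG_MULTI_SZ toisfvet
.
""".splitlines()

SAMPLE_CFSCRIPT = """
Collect::
c:\\windows\\system32\\TRSOCR.dll
Driver::
m5287
""".splitlines()

if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE_LOG).items():
        print(name, "->", "; ".join(reasons))
    for w in check_cfscript(SAMPLE_CFSCRIPT, SAMPLE_LOG):
        print("WARNING:", w)
```

Run against the sample, `triage_log` reports `m5287` only as boot-start (it is legitimate, the point is that it must be verified, not deleted) and `toisfvet` on both svchost counts, and `check_cfscript` warns about the `Driver:: m5287` line before the script ever reaches ComboFix. The same two checks are worth doing by hand on any CFScript: an R0 entry in `Driver::` needs a look at what hardware it serves, and a random-looking `-k` group with a single member named after itself is a service worth removing.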

#11 Khrystalar (Topic Starter)

Posted 25 July 2009 - 12:52 PM

Ok, thanks. I figured it might be something that simple, just a little extra step to get the drivers loaded as part of the bootup routine once I'd copied them. I'll follow your steps when I get back. Just so you know, that's likely to be at some point tomorrow afternoon, now. It's actually my birthday on Monday; my friends have realised and are now absolutely insisting that I stay with them for the evening and eat Chinese food, and probably get quite considerably drunk.

I mean, really. They had to get the thumb-screws out, and everything. :thumbup2:

Before I go, though, I'll re-iterate your warnings above for the passing reader; do NOT try and use this ComboFix thing on your own, and certainly don't try and run any of the scripts you find here, or anywhere else, through it thinking it'll help. These scripts are individually tailored to specific systems with specific problems; and as all this proves, it's easy enough to end up with a screwed-up system even when you do have somebody there to talk to and ask advice from. This tool is not a toy, nor is it an auto-fix.

I mention that largely because I've noticed through my research that this thread now often shows up high in the listings for various searches on the problem DLLs and the virus names; somebody on another forum particularly had posted a link to this discussion, while asking for advice, thinking that he had a very similar problem to the one I was describing.

Don't try this at home, kiddies...

Anyway, have a good weekend, and thanks for your continued advice. :)

Best wishes,

--
Khrys.

#12 syler (Malware Response Team)

Posted 25 July 2009 - 01:10 PM

There's no rush for you to reply, I will be here :thumbup2: Enjoy your birthday and have a good time. Thanks for adding the extra warning; it goes to show why this tool should be used under supervision, although in this case it was my fault. Anyway, you said it well and hopefully people will read it.

Enjoy your weekend and have a happy birthday

Regards
Gary

Edited by syler, 25 July 2009 - 01:11 PM.



#13 Khrystalar (Topic Starter)

Posted 26 July 2009 - 12:26 PM

Greetings, from the Land of the Ever-So-Slightly Hung-Over. :thumbup2:

Ok, that worked; thanks for your advice. Had a heart-stopping moment to begin with, 'cos initially when I restarted the PC after restoring the Registry, I chose "Start Windows Normally" and got the same BSoD. Then I tried "Last Known Good" configuration, and everything fired up ok.

Ok, so when the system finally came back up, ComboFix completed whatever procedures it'd started yesterday and produced a log. Then it asked me to let it upload some Malware information, presumably to its developer, so I let it. I'm not sure how much use either the log or the information will be, given the crash in the middle of the procedure; nonetheless, log is below for your perusal.

One quick question; I had a look in my Windows\System32 folder, none of the problem DLLs now seem to have re-appeared, which is good. I did notice, though; although TRSOCR.dll was removed, there are two other files - TRSOCR.ini and TRSOCR.dat - which were created at about the same time as the TRSOCR.dll file. In fact, I think that TRSOCR.dat was probably what was being downloaded by the other viruses; it's about 31Mb in size and when the PC was downloading stuff on startup, the counter showed me around about 31Mb of incoming data had been downloaded before the activity ceased. Anyway, my question; should we do something about these two files as well?

Anyway, thanks for your good wishes. Speak soon. :)

--
Khrys.




ComboFix 09-07-24.01 - Khrys 25/07/2009 13:13.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.132 [GMT 1:00]
Running from: c:\documents and settings\Khrys\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Khrys\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\DUMP686e.tmp"

file zipped: c:\windows\system32\drivers\m5287.sys
file zipped: c:\windows\system32\TRSOCR.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\found.000
c:\found.000\dir0000.chk\avglng.log.1
c:\found.000\dir0000.chk\avglng.log.5
c:\windows\DUMP686e.tmp
c:\windows\system32\drivers\m5287.sys
c:\windows\system32\TRSOCR.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_m5287


((((((((((((((((((((((((( Files Created from 2009-06-26 to 2009-07-26 )))))))))))))))))))))))))))))))
.

2009-07-24 09:29 . 2009-06-28 07:12 327688 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
2009-07-24 09:29 . 2009-06-28 07:12 2052376 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-07-24 09:29 . 2009-06-28 07:12 2167576 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
2009-07-24 09:29 . 2009-06-28 07:12 906520 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgemc.exe
2009-07-24 09:29 . 2009-06-28 07:12 3402008 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-07-24 09:29 . 2009-06-28 07:12 2301208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
2009-07-24 09:29 . 2009-06-28 07:12 353048 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
2009-07-24 09:29 . 2009-06-28 07:12 1204504 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgabout.dll
2009-07-24 09:29 . 2009-06-28 07:12 337176 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglogx.dll
2009-07-24 09:29 . 2009-06-28 07:12 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-07-24 09:29 . 2009-06-28 07:12 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-07-24 09:27 . 2009-06-28 07:05 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-07-24 09:27 . 2009-06-28 07:05 1454360 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-07-23 22:35 . 2009-07-23 22:36 -------- d-----w- C:\rsit
2009-07-19 19:17 . 2009-07-19 19:17 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-13 00:17 . 2009-07-13 08:13 117760 ----a-w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-13 00:17 . 2009-07-13 00:17 -------- d-----w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com
2009-07-11 23:23 . 2008-04-13 19:30 1845632 ------w- c:\windows\system32\drivers\win32k.sys
2009-07-11 13:18 . 2009-07-11 13:18 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-10 14:23 . 2009-07-10 14:23 -------- d-sh--w- c:\documents and settings\Khrys\IETldCache
2009-07-10 14:17 . 2009-07-10 14:17 -------- d-sh--w- c:\documents and settings\User\IETldCache
2009-07-10 13:41 . 2009-05-07 15:32 345600 ----a-w- c:\windows\system32\localspl.dll
2009-07-10 13:41 . 2009-04-29 04:46 3068928 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2009-07-10 13:41 . 2009-04-29 04:46 666624 ----a-w- c:\windows\system32\wininet.dll
2009-07-10 13:41 . 2009-04-29 04:46 666624 ----a-w- c:\windows\system32\dllcache\wininet.dll
2009-07-10 13:41 . 2009-04-29 04:46 620032 ----a-w- c:\windows\system32\dllcache\urlmon.dll
2009-07-10 13:41 . 2009-04-29 04:46 1499136 ----a-w- c:\windows\system32\dllcache\shdocvw.dll
2009-07-10 13:41 . 2009-04-29 04:46 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-07-10 13:41 . 2009-04-29 04:46 81920 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2009-07-10 13:36 . 2008-04-14 00:12 584704 ----a-w- c:\windows\system32\rpcrt4.dll
2009-07-10 13:36 . 2009-02-09 11:13 1846784 ----a-w- c:\windows\system32\win32k.sys
2009-07-10 13:36 . 2009-02-09 11:13 1846784 ----a-w- c:\windows\system32\dllcache\win32k.sys
2009-07-06 09:53 . 2009-07-06 09:53 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2009-06-28 07:10 . 2009-06-28 07:10 -------- d-----w- c:\program files\Trend Micro
2009-06-27 13:30 . 2009-07-19 20:16 117760 ----a-w- c:\documents and settings\Khrys\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-27 13:28 . 2009-06-27 13:28 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-27 13:28 . 2009-06-27 13:28 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-27 13:28 . 2009-06-27 13:28 -------- d-----w- c:\documents and settings\Khrys\Application Data\SUPERAntiSpyware.com
2009-06-27 13:28 . 2009-06-27 13:28 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-27 10:49 . 2009-06-27 10:49 -------- d-----w- c:\program files\7-Zip
2009-06-27 10:45 . 2009-06-27 10:45 -------- d-----w- c:\documents and settings\Khrys\Application Data\Malwarebytes
2009-06-27 10:44 . 2009-07-13 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-27 10:44 . 2009-07-13 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-27 10:44 . 2009-06-27 10:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-27 10:44 . 2009-07-19 19:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-24 09:28 . 2008-05-20 09:41 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-28 07:12 . 2008-05-20 09:41 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-28 07:12 . 2007-04-08 11:04 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-27 11:06 . 2008-05-20 09:41 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-16 14:36 . 1980-01-01 07:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 1980-01-01 07:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-05 12:21 . 2006-06-03 12:34 4854 ----a-w- c:\documents and settings\User\Application Data\wklnhst.dat
2009-06-03 19:09 . 1980-01-01 07:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-09 17:04 . 2007-10-24 10:46 445 ----a-w- c:\windows\EntPack.dat
2009-05-02 20:11 . 2008-05-20 09:41 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-16 10:13 . 2009-07-16 10:13 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-28 1948440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-28 07:12 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DSLMON.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DSLMON.lnk
backup=c:\windows\pss\DSLMON.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^Tiscali Uplink.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\Tiscali Uplink.lnk
backup=c:\windows\pss\Tiscali Uplink.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SNDSrvc"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"Schedule"=2 (0x2)
"ERSvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"d:\\Program Files\\World of Warcraft\\WoW-2.4.1.8125-to-2.4.2.8278-enGB-downloader.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"d:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"=
"d:\\Program Files\\Valve\\Steam\\SteamApps\\khrystalar\\counter-strike source\\hl2.exe"=
"d:\\Program Files\\Valve\\Steam\\SteamApps\\khrystalar\\synergy\\hl2.exe"=
"d:\\Program Files\\Valve\\Steam\\SteamApps\\khrystalar\\insurgency\\hl2.exe"=
"d:\\Program Files\\Valve\\Steam\\SteamApps\\khrystalar\\half-life 2 deathmatch\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\World of Warcraft\\Launcher.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Blizard Downloader
"3724:TCP"= 3724:TCP:Blizzard Downloader

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [20/05/2008 10:41 335752]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [20/05/2008 10:41 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/06/2009 11:01 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [23/06/2009 11:01 72944]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [07/07/2008 10:12 907032]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [07/07/2008 10:12 298776]
S2 toisfvet;poebunv sevcive;c:\windows\system32\svchost.exe -k toisfvet [01/01/1980 08:00 14336]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [07/01/2009 15:44 33752]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [23/06/2009 11:01 7408]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://global.acer.com
uInternet Connection Wizard,ShellNext = https://signup.worldofwarcraft.com/trial/QS.htm
TCP: {6A3AA692-FA27-485A-8C22-E10A9EC76F66} = 212.139.132.25 212.139.132.24
FF - ProfilePath - c:\documents and settings\Khrys\Application Data\Mozilla\Firefox\Profiles\g8v2a3so.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/advanced_search?hl=en
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPOFFICE.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppdf32.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-26 18:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2236)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2009-07-26 18:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-26 17:10
ComboFix2.txt 2009-07-24 23:35

Pre-Run: 22,700,068,864 bytes free
Post-Run: 22,668,562,432 bytes free

197 --- E O F --- 2009-07-24 15:02
Upload was successful
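The S2 toisfvet entry in the Drivers/Services section of the ComboFix log above (a service name of random letters, a display name of random letters, running as its own svchost group, stamped 01/01/1980) is the kind of line a responder picks out by eye. What follows is an added example, not part of this thread and not ComboFix's own code, that parses those R/S service lines and flags the same patterns automatically. The set of stock svchost groups is an assumed, partial XP-era list; the sample lines are copied from the log above plus one constructed benign svchost line. A 1980 stamp on its own proves nothing, since the Find3M section of the same log shows legitimate Windows files with 1980 dates, so the script reports it as a prompt to look closer rather than as a verdict.

```python
"""Triage the Drivers/Services lines of a ComboFix log.

Added example for this thread; not part of ComboFix. Lines look like
    S2 name;display name;image path [dd/mm/yyyy hh:mm size]
"""
import re
from datetime import datetime

# Sample input: three lines copied from the log in the thread plus one
# constructed, benign svchost service (BITS) to show the normal case.
SAMPLE_LOG = r"""
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [20/05/2008 10:41 335752]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [07/07/2008 10:12 298776]
S2 toisfvet;poebunv sevcive;c:\windows\system32\svchost.exe -k toisfvet [01/01/1980 08:00 14336]
S3 BITS;Background Intelligent Transfer Service;c:\windows\system32\svchost.exe -k netsvcs [14/04/2008 01:12 14336]
"""

LINE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.*?)\s+\[(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}) (?P<size>\d+)\]\s*$"
)
SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.IGNORECASE)

# Assumption: a partial list of svchost groups present on a stock Windows XP
# install. A group outside this set is worth checking, not automatically bad.
KNOWN_SVCHOST_GROUPS = {
    "netsvcs", "dcomlaunch", "rpcss", "localservice", "networkservice",
    "imgsvc", "termsvcs", "httpfilter",
}

# Files older than this are implausible for anything Windows XP shipped or
# installed itself; ComboFix also shows 1980 for files with no real stamp.
OLDEST_PLAUSIBLE_YEAR = 1995


def parse_service_line(line):
    """Return a dict for one R/S service line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["date"] + " " + rec["time"], "%d/%m/%Y %H:%M")
    rec["size"] = int(rec["size"])
    return rec


def triage_service(rec):
    """Return the list of reasons this service deserves a closer look."""
    reasons = []
    grp = SVCHOST_RE.search(rec["image"])
    if grp:
        group = grp.group(1)
        if group.lower() not in KNOWN_SVCHOST_GROUPS:
            reasons.append("svchost group %r is not a stock group" % group)
        if group.lower() == rec["name"].lower():
            # One service hosted in a group named after itself is the pattern
            # seen with toisfvet: nothing legitimate on XP registers that way.
            reasons.append("service and svchost group share a name")
    if rec["when"].year < OLDEST_PLAUSIBLE_YEAR:
        reasons.append("implausible file timestamp %s (check, not proof)" % rec["date"])
    return reasons


def triage(log_text):
    """Parse every service line in log_text and return the flagged ones."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_service_line(line)
        if rec is None:
            continue
        reasons = triage_service(rec)
        if reasons:
            findings.append({"name": rec["name"], "image": rec["image"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["name"], "->", f["image"])
        for r in f["reasons"]:
            print("   ", r)
```

Run against the sample, only the toisfvet service is reported, with all three reasons; the AVG drivers and the constructed BITS line pass. To use it on a real log, paste the whole ComboFix output into a file and pass its text to triage(): lines that do not match the service format are simply skipped.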

#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:08:41 PM

Posted 26 July 2009 - 06:33 PM

Hi Khrys,

That didn't go quite as planned then. I need to ask a few questions so I know where we are at. Are you able to start Windows normally now that you have used LKGC, or can you only boot using LKGC? Is the file m5287.sys now back in the "drivers" folder? As for your question, the TRSOCR files are all related and will need to be removed, although they are not showing in the current log, so I would like to see a new log and then we can work from there.


We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
Thanks


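Khrys spotted TRSOCR.ini and TRSOCR.dat by noticing they were created at about the same time as TRSOCR.dll, and syler confirms the three belong together. As an added example (not from this thread, and not part of ComboFix, OTL or any other tool mentioned in it), here is that same check done for a whole directory: given one known-bad file, list every other file whose timestamp falls within a window around it. It uses the modification time because that is the portable stat field; on NTFS the creation time is the better anchor, and on Windows os.stat exposes it as st_ctime, which can be swapped into the same comparison. The directory and its files are a constructed fixture, not real System32 contents.

```python
"""Find files whose timestamps cluster around a known-bad file.

Added example for this thread; the fixture below is constructed, not a
real System32 listing. Clustering is done on st_mtime for portability;
on Windows/NTFS, substitute st_ctime (the creation time) for a closer
match to what a responder compares in Explorer.
"""
import os
import tempfile
import time


def siblings(directory, known_bad, window_seconds=120):
    """Names of files in directory whose mtime is within window_seconds of
    the known-bad file's mtime, excluding the known-bad file itself."""
    anchor = os.path.getmtime(os.path.join(directory, known_bad))
    hits = []
    for entry in os.scandir(directory):
        if not entry.is_file() or entry.name == known_bad:
            continue
        if abs(entry.stat().st_mtime - anchor) <= window_seconds:
            hits.append(entry.name)
    return sorted(hits)


def build_demo_dir():
    """Constructed fixture: a fake System32 with three files planted within
    a minute of each other and two much older, unrelated files."""
    d = tempfile.mkdtemp(prefix="sys32demo_")
    base = time.time() - 3 * 86400          # "infection" three days ago
    plan = {
        "TRSOCR.dll": base,
        "TRSOCR.ini": base + 20,
        "TRSOCR.dat": base + 55,
        "kernel32.dll": base - 400 * 86400,  # old OS files, a day apart
        "user32.dll": base - 399 * 86400,
    }
    for name, stamp in plan.items():
        path = os.path.join(d, name)
        with open(path, "wb") as fh:
            fh.write(b"x")
        os.utime(path, (stamp, stamp))      # set atime and mtime explicitly
    return d


if __name__ == "__main__":
    demo = build_demo_dir()
    print(siblings(demo, "TRSOCR.dll"))     # the two companion files
    print(siblings(demo, "kernel32.dll"))   # nothing within two minutes
```

On a live machine, point siblings() at the real System32 folder and the name ComboFix removed; widen the window if the installer wrote its files over several minutes. Treat the output as a list of candidates to quarantine and submit, not as proof on its own, since a legitimate update can also drop several files at once.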

#15 Khrystalar

Khrystalar
  • Topic Starter

  • Members
  • 14 posts
  • Local time:08:41 PM

Posted 26 July 2009 - 11:41 PM

Good morning! :thumbup2:

Ok, to bring you up to speed - and hopefully answer your questions - although the machine was working fine last night, when I tried to fire it up again this morning, I encountered the same BSoD error message warning me about a possible problem with my Hard-Drive Controller. I booted up with Recovery Console, thinking that perhaps I'd need to re-run the batch file you told me about yesterday. But as it happened, the registry was ok; it was the m5287.sys driver that had vanished again. (I'm guessing that when ComboFix was doing its finishing-off stuff after I got the system started again yesterday, it realised that a file it'd already deleted in this cycle had come back, and deleted it again).

I copied the driver across from floppy, restarted the system. I chose LKGC straight away, this time, and the system booted fine. Upon seeing your questions, I restarted the computer again to check whether I'd need to keep using LKGC; but it booted up straight away this time, without me having to choose anything.

Logs are below; the "opened" window was just called "OTL.txt" though, so I hope I did everything ok and haven't managed to produce the wrong report! I didn't change any of the default options on OTL except to check the "Scan All Users" checkbox like you asked me to.

Hope you're well. Best wishes,

--
Khrys.



OTL logfile created on: 27/07/2009 05:25:01 - Run 1
OTL by OldTimer - Version 3.0.10.3 Folder = C:\Documents and Settings\Khrys\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

447.36 Mb Total Physical Memory | 60.46 Mb Available Physical Memory | 13.51% Memory free
958.76 Mb Paging File | 635.33 Mb Available in Paging File | 66.27% Paging File free
Paging file location(s): C:\pagefile.sys 576 1152 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 35.61 Gb Total Space | 21.13 Gb Free Space | 59.34% Space Free | Partition Type: NTFS
Drive D: | 35.98 Gb Total Space | 5.17 Gb Free Space | 14.37% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ACER
Current User Name: Khrys
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2008/08/21 03:05:57 | 00,573,440 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\Ati2evxx.exe
PRC - [2008/08/21 03:05:57 | 00,573,440 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\Ati2evxx.exe
PRC - [2009/06/28 08:12:15 | 00,298,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2009/07/24 10:28:39 | 00,907,032 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe
PRC - [2009/06/28 08:12:22 | 00,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/05/02 21:11:22 | 00,594,712 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2008/04/14 01:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2009/06/28 08:12:21 | 00,692,504 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2009/06/28 08:12:18 | 01,948,440 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2009/07/16 11:13:53 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/07/27 05:24:18 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Khrys\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2005/06/21 23:26:14 | 00,438,272 | ---- | M] (Acer Inc.) -- C:\Program Files\acer\Acer eConsole\MediaServerService.exe -- (Acer Media Server [Disabled | Stopped])
SRV - [2004/07/15 01:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/08/21 03:05:57 | 00,573,440 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\Ati2evxx.exe -- (Ati HotKey Poller [Auto | Running])
SRV - [2008/08/20 21:05:00 | 00,593,920 | ---- | M] () -- C:\WINDOWS\System32\ati2sgag.exe -- (ATI Smart [Auto | Stopped])
SRV - [2009/07/24 10:28:39 | 00,907,032 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc [Auto | Running])
SRV - [2009/06/28 08:12:15 | 00,298,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Running])
SRV - [2008/12/01 11:59:52 | 00,033,752 | ---- | M] (NOS Microsystems Ltd.) -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus® Helper [On_Demand | Stopped])
SRV - [2008/04/14 01:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2008/10/05 19:43:17 | 00,066,872 | ---- | M] () -- C:\WINDOWS\System32\PnkBstrA.exe -- (PnkBstrA [Disabled | Stopped])
SRV - [2006/10/18 21:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2004/03/02 09:26:58 | 00,050,007 | ---- | M] (Analog Deivces) -- C:\WINDOWS\System32\Drivers\adildr.sys -- (ADILOADER [Auto | Stopped])
DRV - [2004/03/02 09:24:16 | 00,127,065 | ---- | M] (Analog Devices Inc.) -- C:\WINDOWS\System32\DRIVERS\adiusbaw.sys -- (adiusbaw [On_Demand | Running])
DRV - [2005/02/23 22:58:56 | 00,011,776 | ---- | M] (Arcsoft, Inc.) -- C:\WINDOWS\System32\drivers\Afc.sys -- (Afc [On_Demand | Running])
DRV - [2004/06/29 09:07:18 | 01,268,204 | ---- | M] (Agere Systems) -- C:\WINDOWS\System32\DRIVERS\AGRSM.sys -- (AgereSoftModem [On_Demand | Running])
DRV - [2003/12/08 11:53:48 | 00,053,600 | ---- | M] (THOMSON) -- C:\WINDOWS\System32\DRIVERS\alcan5wn.sys -- (alcan5wn [On_Demand | Stopped])
DRV - [2003/12/08 11:53:46 | 00,070,688 | ---- | M] (THOMSON) -- C:\WINDOWS\System32\DRIVERS\alcaudsl.sys -- (alcaudsl [On_Demand | Stopped])
DRV - [2004/08/04 13:00:00 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde [Boot | Running])
DRV - [2008/08/21 05:52:41 | 03,299,840 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\DRIVERS\ati2mtag.sys -- (ati2mtag [On_Demand | Running])
DRV - [2009/07/24 10:28:43 | 00,335,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86 [System | Running])
DRV - [2009/06/28 08:12:22 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86 [System | Running])
DRV - [2009/05/02 21:11:28 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX [System | Running])
DRV - [2005/01/08 01:07:16 | 00,145,920 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\System32\drivers\HdAudio.sys -- (HdAudAddService [On_Demand | Stopped])
DRV - [2008/04/13 17:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\System32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2005/09/23 19:56:28 | 03,966,976 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])
DRV - [2004/12/15 22:16:08 | 00,076,544 | ---- | M] (ULi Electronics Inc.) -- C:\WINDOWS\system32\drivers\m5287.sys -- (m5287 [Boot | Running])
DRV - [2001/08/17 21:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Running])
DRV - [2005/06/18 15:43:22 | 00,006,144 | ---- | M] (NewTech Infosystems, Inc.) -- C:\WINDOWS\System32\DRIVERS\NTIDrvr.sys -- (NTIDrvr [On_Demand | Running])
DRV - [2006/10/02 12:38:48 | 00,010,368 | ---- | M] (Padus, Inc.) -- C:\WINDOWS\System32\drivers\pfc.sys -- (pfc [On_Demand | Running])
DRV - [2004/08/04 13:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2009/06/23 11:01:40 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV [System | Running])
DRV - [2009/06/23 11:01:42 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Stopped])
DRV - [2009/06/23 11:01:40 | 00,072,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys -- (SASKUTIL [System | Running])
DRV - [2007/11/13 11:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2004/12/18 01:14:44 | 00,013,952 | ---- | M] () -- C:\WINDOWS\System32\drivers\UBHelper.sys -- (UBHelper [System | Running])
DRV - [2007/12/06 10:51:00 | 00,285,952 | ---- | M] (Marvell) -- C:\WINDOWS\System32\DRIVERS\yk51x86.sys -- (yukonwxp [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1682094971-2336772418-3190660400-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-1682094971-2336772418-3190660400-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-1682094971-2336772418-3190660400-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com
IE - HKU\S-1-5-21-1682094971-2336772418-3190660400-1007\S-1-5-21-1682094971-2336772418-3190660400-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/advanced_search?hl=en"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.0.2
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:8.5
FF - prefs.js..extensions.enabledItems: {723AAF16-AF1F-4404-A5D7-0BFE39766605}:0.3.3
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.6.5
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.10

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG8\Firefox [2009/06/28 08:13:05 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/07/16 11:14:02 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/07/16 11:14:02 | 00,000,000 | ---D | M]

[2008/09/17 18:13:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Khrys\Application Data\mozilla\Extensions
[2008/09/17 18:13:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Khrys\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/07/26 18:23:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Khrys\Application Data\mozilla\Firefox\Profiles\g8v2a3so.default\extensions
[2008/02/06 14:34:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Khrys\Application Data\mozilla\Firefox\Profiles\g8v2a3so.default\extensions\{723AAF16-AF1F-4404-A5D7-0BFE39766605}
[2009/06/27 11:35:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Khrys\Application Data\mozilla\Firefox\Profiles\g8v2a3so.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/06/27 11:35:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Khrys\Application Data\mozilla\Firefox\Profiles\g8v2a3so.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2008/10/02 09:09:54 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/07/16 11:14:02 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/07/16 11:13:50 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/07/16 11:13:50 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/07/16 11:13:56 | 00,065,528 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2003/07/14 22:56:52 | 00,013,888 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\NPOFFICE.DLL
[2006/12/18 04:18:30 | 00,077,824 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2009/07/16 11:13:57 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/07/16 11:13:57 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/07/16 11:13:57 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/07/16 11:13:57 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/07/16 11:13:57 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/07/16 11:13:57 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/07/16 11:13:57 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O3 - HKU\S-1-5-21-1682094971-2336772418-3190660400-1007\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1682094971-2336772418-3190660400-1007\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1682094971-2336772418-3190660400-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1682094971-2336772418-3190660400-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1682094971-2336772418-3190660400-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-1682094971-2336772418-3190660400-1007_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1149324803055 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_02)
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_02)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\Ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/06/18 15:43:40 | 00,000,050 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\*.tmp files]
[2009/07/27 05:24:18 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Khrys\Desktop\OTL.exe
[2009/07/26 18:11:51 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/07/25 00:34:36 | 02,145,280 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ntoskrnl.exe
[2009/07/25 00:34:36 | 02,023,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ntkrnlpa.exe
[2009/07/25 00:34:36 | 01,614,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\sfcfiles.dll
[2009/07/25 00:34:36 | 01,033,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\explorer.exe
[2009/07/25 00:34:36 | 00,989,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\kernel32.dll
[2009/07/25 00:34:36 | 00,927,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\mfc40u.dll
[2009/07/25 00:34:36 | 00,792,064 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\comres.dll
[2009/07/25 00:34:36 | 00,666,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\wininet.dll
[2009/07/25 00:34:36 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\comctl32.dll
[2009/07/25 00:34:36 | 00,578,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\user32.dll
[2009/07/25 00:34:36 | 00,507,904 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\winlogon.exe
[2009/07/25 00:34:36 | 00,435,200 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ntmssvc.dll
[2009/07/25 00:34:36 | 00,407,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\netlogon.dll
[2009/07/25 00:34:36 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\rpcss.dll
[2009/07/25 00:34:36 | 00,361,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\tcpip.sys
[2009/07/25 00:34:36 | 00,295,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\termsrv.dll
[2009/07/25 00:34:36 | 00,182,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ndis.sys
[2009/07/25 00:34:36 | 00,171,008 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\srsvc.dll
[2009/07/25 00:34:36 | 00,142,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\aec.sys
[2009/07/25 00:34:36 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\services.exe
[2009/07/25 00:34:36 | 00,110,080 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\imm32.dll
[2009/07/25 00:34:36 | 00,088,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\rasauto.dll
[2009/07/25 00:34:36 | 00,082,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ws2_32.dll
[2009/07/25 00:34:36 | 00,057,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\spoolsv.exe
[2009/07/25 00:34:36 | 00,051,224 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\wuauclt.exe
[2009/07/25 00:34:36 | 00,036,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ip6fw.sys
[2009/07/25 00:34:36 | 00,033,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\msgsvc.dll
[2009/07/25 00:34:36 | 00,026,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\userinit.exe
[2009/07/25 00:34:36 | 00,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\kbdclass.sys
[2009/07/25 00:34:36 | 00,022,016 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\lpk.dll
[2009/07/25 00:34:36 | 00,017,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\powrprof.dll
[2009/07/25 00:34:36 | 00,015,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ctfmon.exe
[2009/07/25 00:34:36 | 00,014,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\svchost.exe
[2009/07/25 00:34:36 | 00,013,312 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\lsass.exe
[2009/07/25 00:34:36 | 00,011,648 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\acpiec.sys
[2009/07/25 00:34:36 | 00,005,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\sfc.dll
[2009/07/25 00:34:36 | 00,004,224 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\beep.sys
[2009/07/25 00:34:36 | 00,002,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\null.sys
[2009/07/25 00:34:36 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\dllcache\cache
[2009/07/25 00:27:39 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/07/25 00:27:37 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/07/25 00:27:35 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/07/25 00:24:34 | 00,219,648 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/07/25 00:24:34 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/07/25 00:24:34 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/07/25 00:24:34 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/07/25 00:24:34 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/07/25 00:24:34 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/07/25 00:24:34 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/07/25 00:24:34 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/07/25 00:24:28 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/07/25 00:24:24 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/07/25 00:21:46 | 03,150,579 | R--- | C] () -- C:\Documents and Settings\Khrys\Desktop\ComboFix.exe
[2009/07/23 23:35:50 | 00,000,000 | ---D | C] -- C:\rsit
[2009/07/23 23:35:02 | 00,781,909 | ---- | C] () -- C:\Documents and Settings\Khrys\Desktop\RSIT.exe
[2009/07/23 14:22:09 | 00,000,841 | ---- | C] () -- C:\WINDOWS\Active Setup Log.BAK
[2009/07/19 21:27:28 | 00,000,095 | ---- | C] () -- C:\WINDOWS\System32\TRSOCR.ini
[2009/07/13 10:37:22 | 00,359,929 | ---- | C] () -- C:\Documents and Settings\Khrys\Desktop\dds.scr
[2009/07/12 14:16:54 | 46,915,9936 | -HS- | C] () -- C:\hiberfil.sys
[2009/07/12 00:23:55 | 01,845,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\win32k.sys
[2009/07/10 14:59:31 | 00,000,000 | ---D | C] -- C:\WINDOWS\WBEM
[2009/07/10 14:41:26 | 00,345,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\localspl.dll
[2009/07/10 14:41:10 | 03,068,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mshtml.dll
[2009/07/10 14:41:10 | 03,068,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[2009/07/10 14:41:10 | 01,499,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\shdocvw.dll
[2009/07/10 14:41:10 | 01,499,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\shdocvw.dll
[2009/07/10 14:41:10 | 00,666,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wininet.dll
[2009/07/10 14:41:10 | 00,666,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wininet.dll
[2009/07/10 14:41:10 | 00,620,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\urlmon.dll
[2009/07/10 14:41:10 | 00,620,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\urlmon.dll
[2009/07/10 14:41:10 | 00,369,664 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\html.iec
[2009/07/10 14:41:10 | 00,081,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ieencode.dll
[2009/07/10 14:41:10 | 00,081,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieencode.dll
[2009/07/10 14:36:51 | 00,584,704 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rpcrt4.dll
[2009/07/10 14:36:42 | 01,846,784 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\win32k.sys
[2009/07/10 14:36:42 | 01,846,784 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\win32k.sys
[2009/06/28 13:24:06 | 00,000,562 | ---- | C] () -- C:\Documents and Settings\Khrys\Desktop\Nailsetter.lnk
[2009/06/28 08:10:31 | 00,001,777 | ---- | C] () -- C:\Documents and Settings\Khrys\Desktop\HijackThis.lnk
[2009/06/28 08:10:30 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/06/27 14:30:00 | 00,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\Khrys\Desktop\ATF-Cleaner.exe
[2009/06/27 14:28:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/06/27 14:28:42 | 00,000,823 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/06/27 14:28:38 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/06/27 14:28:38 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Khrys\Application Data\SUPERAntiSpyware.com
[2009/06/27 14:28:15 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2009/06/27 11:49:21 | 00,000,000 | ---D | C] -- C:\Program Files\7-Zip
[2009/06/27 11:45:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Khrys\Application Data\Malwarebytes
[2009/06/27 11:44:55 | 00,000,739 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes.lnk
[2009/06/27 11:44:51 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/06/27 11:44:50 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/06/27 11:44:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/06/27 11:44:49 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/06/25 15:04:09 | 00,000,003 | ---- | C] () -- C:\WINDOWS\System32\AkKoOUJSqu.ini
[2008/11/23 13:00:35 | 00,056,320 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll
[2008/10/05 19:43:29 | 00,138,512 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2007/07/27 09:23:49 | 00,005,606 | ---- | C] () -- C:\WINDOWS\System32\stci.dll
[2006/07/05 13:08:13 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/07/05 12:35:15 | 00,000,947 | ---- | C] () -- C:\WINDOWS\entpack.ini
[2006/06/03 23:31:50 | 00,000,251 | ---- | C] () -- C:\WINDOWS\prestopm.INI
[2006/06/03 15:57:04 | 00,000,155 | ---- | C] () -- C:\WINDOWS\adidsl.ini
[2006/06/03 15:57:04 | 00,000,021 | ---- | C] () -- C:\WINDOWS\Fast800.ini
[2006/06/03 15:56:59 | 00,000,894 | ---- | C] () -- C:\WINDOWS\adiras.ini
[2006/06/03 15:56:58 | 00,126,976 | ---- | C] () -- C:\WINDOWS\System32\coclassfast.dll
[2006/06/03 15:56:57 | 00,046,892 | ---- | C] () -- C:\WINDOWS\System32\adadix16.dll
[2006/06/03 13:07:11 | 00,007,680 | ---- | C] () -- C:\WINDOWS\System32\CNMVS6y.DLL
[2006/06/03 13:05:59 | 00,000,105 | ---- | C] () -- C:\WINDOWS\UMXADDIN.INI
[2006/06/03 13:05:58 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\IPPCPUID.DLL
[2006/06/03 13:05:51 | 00,011,776 | ---- | C] () -- C:\WINDOWS\System32\PMSBFN32.DLL
[2006/06/03 13:04:32 | 00,000,074 | ---- | C] () -- C:\WINDOWS\PMINI.ini
[2006/06/03 12:56:54 | 00,000,398 | ---- | C] () -- C:\WINDOWS\System32\CNCMP60.INI
[2005/09/26 07:59:38 | 00,000,083 | ---- | C] () -- C:\WINDOWS\ALAUNCH.INI
[2005/09/26 07:59:38 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\eRLog.ini
[2005/06/18 17:32:11 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/06/18 15:43:56 | 00,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIBUN4.dll
[2005/06/18 15:43:22 | 00,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMPEG2.dll
[2005/06/18 15:43:22 | 00,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMP3.dll
[2005/06/18 15:43:22 | 00,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIFCD3.dll
[2005/06/18 15:43:22 | 00,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTICDMK7.dll
[2005/06/18 15:36:38 | 00,008,073 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/06/18 15:30:45 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/12/18 01:14:44 | 00,013,952 | ---- | C] () -- C:\WINDOWS\System32\drivers\UBHelper.sys
[2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/12/27 00:12:30 | 00,065,536 | R--- | C] () -- C:\WINDOWS\System32\multiplex_vcd.dll
[2001/09/04 07:46:38 | 00,110,592 | R--- | C] () -- C:\WINDOWS\System32\Hmpg12.dll
[2001/07/31 00:33:56 | 00,118,784 | R--- | C] () -- C:\WINDOWS\System32\HMPV2_ENC.dll
[2001/07/24 06:04:36 | 00,118,784 | R--- | C] () -- C:\WINDOWS\System32\HMPV2_ENC_MMX.dll
[2000/10/20 13:25:36 | 00,079,360 | ---- | C] () -- C:\WINDOWS\System32\acdbres.dll
[1980/01/01 08:00:00 | 00,000,723 | ---- | C] () -- C:\WINDOWS\win.ini
[1980/01/01 08:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini

========== Files - Modified Within 30 Days ==========

[11 C:\WINDOWS\System32\*.tmp files]
[1 C:\WINDOWS\*.tmp files]
[2009/07/27 05:24:18 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Khrys\Desktop\OTL.exe
[2009/07/27 05:22:29 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/07/27 05:22:29 | 00,000,429 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.ics
[2009/07/27 05:21:44 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/07/27 05:21:40 | 00,044,964 | ---- | M] () -- C:\WINDOWS\System32\ativvaxx.cap
[2009/07/27 05:21:38 | 46,915,9936 | -HS- | M] () -- C:\hiberfil.sys
[2009/07/26 18:08:24 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/07/26 18:08:10 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/07/25 13:11:57 | 03,150,579 | R--- | M] () -- C:\Documents and Settings\Khrys\Desktop\ComboFix.exe
[2009/07/25 12:45:12 | 39,249,378 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/07/25 12:45:12 | 00,041,281 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/07/25 00:27:39 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/07/24 17:21:01 | 00,000,095 | ---- | M] () -- C:\WINDOWS\System32\TRSOCR.ini
[2009/07/24 16:02:10 | 00,000,947 | ---- | M] () -- C:\WINDOWS\entpack.ini
[2009/07/24 15:52:53 | 00,002,257 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Volo View Express.lnk
[2009/07/24 10:28:43 | 00,335,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/07/23 23:35:24 | 00,781,909 | ---- | M] () -- C:\Documents and Settings\Khrys\Desktop\RSIT.exe
[2009/07/23 14:25:25 | 00,000,841 | ---- | M] () -- C:\WINDOWS\Active Setup Log.BAK
[2009/07/23 14:14:37 | 00,442,244 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/07/23 14:14:37 | 00,384,596 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/07/23 14:14:37 | 00,054,280 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/07/23 14:14:27 | 00,000,376 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2009/07/23 14:14:07 | 00,000,723 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/07/19 20:17:45 | 05,563,060 | -H-- | M] () -- C:\Documents and Settings\Khrys\Local Settings\Application Data\IconCache.db
[2009/07/15 15:05:09 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/07/13 13:36:34 | 00,038,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/07/13 13:36:12 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/07/13 10:37:22 | 00,359,929 | ---- | M] () -- C:\Documents and Settings\Khrys\Desktop\dds.scr
[2009/07/13 05:48:54 | 00,219,648 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/07/12 20:27:47 | 00,293,272 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/07/07 16:10:56 | 24,539,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/07/01 11:42:39 | 00,463,779 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/06/28 13:24:06 | 00,000,562 | ---- | M] () -- C:\Documents and Settings\Khrys\Desktop\Nailsetter.lnk
[2009/06/28 08:12:22 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/06/28 08:12:22 | 00,011,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/06/28 08:10:31 | 00,001,777 | ---- | M] () -- C:\Documents and Settings\Khrys\Desktop\HijackThis.lnk
[2009/06/27 14:28:42 | 00,000,823 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/06/27 14:24:24 | 00,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Khrys\Desktop\ATF-Cleaner.exe
[2009/06/27 11:44:55 | 00,000,739 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes.lnk
< End of report >

******************************************************

OTL Extras logfile created on: 27/07/2009 05:25:02 - Run 1
OTL by OldTimer - Version 3.0.10.3 Folder = C:\Documents and Settings\Khrys\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

447.36 Mb Total Physical Memory | 60.46 Mb Available Physical Memory | 13.51% Memory free
958.76 Mb Paging File | 635.33 Mb Available in Paging File | 66.27% Paging File free
Paging file location(s): C:\pagefile.sys 576 1152 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 35.61 Gb Total Space | 21.13 Gb Free Space | 59.34% Space Free | Partition Type: NTFS
Drive D: | 35.98 Gb Total Space | 5.17 Gb Free Space | 14.37% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ACER
Current User Name: Khrys
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"6112:TCP" = 6112:TCP:*:Enabled:Blizard Downloader
"3724:TCP" = 3724:TCP:*:Enabled:Blizzard Downloader
"5340:TCP" = 5340:TCP:*:Disabled:WarRock TCP 5340
"5350:UDP" = 5350:UDP:*:Disabled:WarRock UDP 5350
"5351:UDP" = 5351:UDP:*:Disabled:WarRock UDP 5351

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Acer\Acer eConsole\eConsole.exe" = C:\Program Files\Acer\Acer eConsole\eConsole.exe:LocalSubNet:Enabled:eConsole -- (Acer Inc.)
"\\Khrysbox\C\Program Files\Winamp\winamp.exe" = \\Khrysbox\C\Program Files\Winamp\winamp.exe:*:Enabled:winamp.exe
"\\Khrysbox\C\Program Files\Winamp\winampa.exe" = \\Khrysbox\C\Program Files\Winamp\winampa.exe:*:Enabled:winampa.exe
"\\Khrysbox\C\Program Files\World of Warcraft\BackgroundDownloader.exe" = \\Khrysbox\C\Program Files\World of Warcraft\BackgroundDownloader.exe:*:Enabled:BackgroundDownloader.exe
"D:\Program Files\World of Warcraft\BackgroundDownloader.exe" = D:\Program Files\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\Acer\Acer eConsole\MediaServerService.exe" = C:\Program Files\Acer\Acer eConsole\MediaServerService.exe:LocalSubNet:Disabled:Acer Media Server -- (Acer Inc.)
"C:\Program Files\Acer\Acer eConsole\MediaSync.exe" = C:\Program Files\Acer\Acer eConsole\MediaSync.exe:LocalSubNet:Disabled:Media Synchoronizer -- (Acer Inc.)
"\\Khrysbox\C\Program Files\WarRock\System\WarRock.exe" = \\Khrysbox\C\Program Files\WarRock\System\WarRock.exe:*:Disabled:WarRock.exe
"\\khrysbox\C\Program Files\WarRock\WRLauncher.exe" = \\khrysbox\C\Program Files\WarRock\WRLauncher.exe:*:Disabled:WRLauncher.exe
"\\khrysbox\C\Program Files\WarRock\WRUpdater.exe" = \\khrysbox\C\Program Files\WarRock\WRUpdater.exe:*:Disabled:WRUpdater.exe
"D:\Program Files\World of Warcraft\WoW-2.4.1.8125-to-2.4.2.8278-enGB-downloader.exe" = D:\Program Files\World of Warcraft\WoW-2.4.1.8125-to-2.4.2.8278-enGB-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG8\avgemc.exe" = C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)
"D:\Program Files\Wolfenstein - Enemy Territory\ET.exe" = D:\Program Files\Wolfenstein - Enemy Territory\ET.exe:*:Enabled:ET -- ()
"D:\Program Files\Valve\Steam\SteamApps\khrystalar\counter-strike source\hl2.exe" = D:\Program Files\Valve\Steam\SteamApps\khrystalar\counter-strike source\hl2.exe:*:Enabled:hl2 -- ()
"D:\Program Files\Valve\Steam\SteamApps\khrystalar\synergy\hl2.exe" = D:\Program Files\Valve\Steam\SteamApps\khrystalar\synergy\hl2.exe:*:Enabled:hl2 -- ()
"D:\Program Files\Valve\Steam\SteamApps\khrystalar\insurgency\hl2.exe" = D:\Program Files\Valve\Steam\SteamApps\khrystalar\insurgency\hl2.exe:*:Enabled:hl2 -- ()
"D:\Program Files\Valve\Steam\SteamApps\khrystalar\half-life 2 deathmatch\hl2.exe" = D:\Program Files\Valve\Steam\SteamApps\khrystalar\half-life 2 deathmatch\hl2.exe:*:Enabled:hl2 -- ()
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"D:\Program Files\World of Warcraft\Launcher.exe" = D:\Program Files\World of Warcraft\Launcher.exe:*:Enabled:Blizzard Launcher -- (Blizzard Entertainment)
"\\Khrysbox\C\Program Files\Gnoozle\Gnoozle.exe" = \\Khrysbox\C\Program Files\Gnoozle\Gnoozle.exe:*:Disabled:Gnoozle.exe


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{109AB81D-9732-40B3-9C1F-113A86CE6F93}" = Canon MP Navigator 1.0
"{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker
"{18A5DFF2-8A95-49F3-873F-743CB5549F3D}" = Canon ScanGear Starter
"{1ECD6EC8-7BB2-4CD5-A384-BAA371BC4D21}" = Volo View Express
"{3248F0A8-6813-11D6-A77B-00B0D0150020}" = J2SE Runtime Environment 5.0 Update 2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{385979FE-DC4F-4140-8EAD-A59625000D72}" = NTI Backup NOW! 4
"{3FF3DD04-F386-46B0-97FC-B86238B65487}" = Canon MP Drivers 6.0
"{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}" = Microsoft Works
"{4AE3A0CB-87B0-4F51-BECD-3D1F8DFDD62F}" = SAGEM F@st 800-840
"{5BE42A03-E7B8-42A9-B1BB-FC48B03D58B8}" = Presto! PageManager 6.01
"{65CDEC30-4BF4-48FB-8059-9FC480E4E94F}" = Acer eMode Management
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{93B95BFE-1B4D-4A8C-92B6-5ECDB4466C95}" = AyrSuite Plus
"{AC76BA86-7AD7-1033-7B44-A70900000002}" = Adobe Reader 7.0.9
"{B8A6F713-D72D-47AD-A92D-B5C0E13F98C1}" = NTI HomeVideo-Maker
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CEC336A0-86C7-40CA-838D-C11DC0AEC09E}" = Cactus Spam Filter
"{EC028E6B-F3F1-4192-B63E-A7C97302ED5A}" = Acer eConsole
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"7-Zip" = 7-Zip 4.65
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Agere Systems Soft Modem" = Agere Systems PCI Soft Modem
"ATI Display Driver" = ATI Display Driver
"AVG8Uninstall" = AVG 8.5
"Easy-PhotoPrint" = Canon Utilities Easy-PhotoPrint
"Easy-WebPrint" = Easy-WebPrint
"HijackThis" = HijackThis 2.0.2
"Indeo® Software" = Indeo® Software
"InstallShield_{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker
"InstallShield_{385979FE-DC4F-4140-8EAD-A59625000D72}" = NTI Backup NOW! 4
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MediaNavigation.CDLabelPrint" = CD-LabelPrint
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox (3.0.10)" = Mozilla Firefox (3.0.10)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Shockwave" = Shockwave
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wolfenstein - Enemy Territory" = Wolfenstein - Enemy Territory
"World of Warcraft" = World of Warcraft
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1682094971-2336772418-3190660400-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"tc08_bbc-GBR_BBC_MAIN" = BBC Mountainbike Challenge 08

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 26/02/2008 07:06:52 | Computer Name = ACER | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.2180, faulting
module termsrv.dll, version 5.1.2600.2180, fault address 0x00016a28.

Error - 26/02/2008 07:12:00 | Computer Name = ACER | Source = Application Error | ID = 1004
Description = Faulting application svchost.exe, version 5.1.2600.2180, faulting
module termsrv.dll, version 5.1.2600.2180, fault address 0x00016a28.

Error - 29/02/2008 22:53:33 | Computer Name = ACER | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module ntdll.dll,
version 5.1.2600.2180, fault address 0x00010f29.

Error - 01/03/2008 03:10:35 | Computer Name = ACER | Source = Application Error | ID = 1004
Description = Faulting application winlogon.exe, version 0.0.0.0, faulting module
ntdll.dll, version 5.1.2600.2180, fault address 0x00010f29.

Error - 28/07/2008 06:11:01 | Computer Name = ACER | Source = Application Error | ID = 1000
Description = Faulting application wow.exe, version 2.4.3.8606, faulting module
, version 0.0.0.0, fault address 0x00000000.

Error - 23/08/2008 17:43:56 | Computer Name = ACER | Source = Application Error | ID = 1000
Description = Faulting application wow.exe, version 2.4.3.8606, faulting module
, version 0.0.0.0, fault address 0x00000000.

Error - 26/09/2008 00:33:18 | Computer Name = ACER | Source = EventSystem | ID = 4614
Description = The COM+ Event System detected an inconsistency in its internal state.
The assertion "GetLastError() == 122L" failed at line 162 of d:\comxp_sp2\com\com1x\src\events\shared\sectools.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 05/10/2008 18:47:26 | Computer Name = ACER | Source = Application Error | ID = 1000
Description = Faulting application et.exe, version 0.0.0.0, faulting module cgame_mp_x86.dll,
version 0.0.0.0, fault address 0x00026d19.

Error - 03/11/2008 10:14:43 | Computer Name = ACER | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2900.2180, faulting
module flash9d.ocx, version 9.0.47.0, fault address 0x00099a25.

Error - 22/11/2008 07:20:29 | Computer Name = ACER | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2900.2180, faulting
module mshtml.dll, version 6.0.2900.3395, fault address 0x0007a6e2.

[ System Events ]
Error - 27/07/2009 00:19:27 | Computer Name = ACER | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 27/07/2009 00:19:27 | Computer Name = ACER | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 27/07/2009 00:22:10 | Computer Name = ACER | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 27/07/2009 00:22:10 | Computer Name = ACER | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 27/07/2009 00:22:11 | Computer Name = ACER | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 27/07/2009 00:22:11 | Computer Name = ACER | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 27/07/2009 00:22:26 | Computer Name = ACER | Source = Service Control Manager | ID = 7000
Description = The General Purpose USB Driver (adildr.sys) service failed to start
due to the following error: %%1058

Error - 27/07/2009 00:22:26 | Computer Name = ACER | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the poebunv sevcive service
to connect.

Error - 27/07/2009 00:22:44 | Computer Name = ACER | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 27/07/2009 00:22:44 | Computer Name = ACER | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.


< End of report >
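A small triage helper for the two log sections above, as an added example (it is not part of the poster's OTL/DDS output and not code from the OTL tool). It parses the firewall authorized-application lines, which OTL prints in the `path:*:Enabled:name -- (publisher)` layout of the XP firewall's AuthorizedApplications list, and the `Last 10 Event Log Errors` blocks, then flags the things a helper reviewing such a log looks at first: firewall entries pointing at UNC paths, enabled entries with no publisher recorded, and Service Control Manager 7000/7009 events, whose service names should be checked against the services actually installed. The sample text is copied from the log above and embedded so the script runs offline; the flagging rules are this example's own assumptions, not rules from the post.

```python
"""Triage helpers for OTL-style firewall and event-log sections (added example)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines taken from the log above, in the layout OTL prints them.
SAMPLE_FIREWALL = r'''
"\\khrysbox\C\Program Files\WarRock\WRUpdater.exe" = \\khrysbox\C\Program Files\WarRock\WRUpdater.exe:*:Disabled:WRUpdater.exe
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"D:\Program Files\Wolfenstein - Enemy Territory\ET.exe" = D:\Program Files\Wolfenstein - Enemy Territory\ET.exe:*:Enabled:ET -- ()
'''

SAMPLE_EVENTS = '''
Error - 27/07/2009 00:22:26 | Computer Name = ACER | Source = Service Control Manager | ID = 7000
Description = The General Purpose USB Driver (adildr.sys) service failed to start
due to the following error: %%1058

Error - 27/07/2009 00:22:26 | Computer Name = ACER | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the poebunv sevcive service
to connect.

Error - 27/07/2009 00:22:44 | Computer Name = ACER | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes.
'''


@dataclass
class FirewallEntry:
    path: str
    enabled: bool
    name: str
    publisher: str  # '' when OTL printed '()' or no publisher at all


@dataclass
class EventError:
    timestamp: str
    source: str
    event_id: int
    description: str


# "<key>" = <path>:*:<Enabled|Disabled>:<name>[ -- (<publisher>)]
FW_RE = re.compile(
    r'^"[^"]+" = (?P<path>.+?):\*:(?P<mode>Enabled|Disabled):(?P<name>.+?)'
    r'(?: -- \((?P<pub>[^)]*)\))?$')
# Error - <date time> | Computer Name = <host> | Source = <source> | ID = <id>
EV_RE = re.compile(
    r'^Error - (?P<ts>\S+ \S+) \| Computer Name = [^|]+ \| Source = (?P<src>.+?) \| ID = (?P<id>\d+)$')
# Service name as it appears in SCM 7000 ("The X service failed to start")
# and 7009 ("waiting for the X service to connect") descriptions.
SCM_SERVICE_RE = re.compile(
    r'waiting for the (?P<svc>.+?) service to connect|The (?P<svc2>.+?) service failed to start')


def parse_firewall(text: str) -> List[FirewallEntry]:
    out = []
    for line in text.splitlines():
        m = FW_RE.match(line.strip())
        if m:
            out.append(FirewallEntry(m['path'], m['mode'] == 'Enabled', m['name'], m['pub'] or ''))
    return out


def parse_events(text: str) -> List[EventError]:
    out = []
    for block in re.split(r'\n\s*\n', text.strip()):  # one blank line separates records
        lines = block.strip().splitlines()
        m = EV_RE.match(lines[0])
        if not m:
            continue
        desc = ' '.join(l.strip() for l in lines[1:])  # OTL wraps the description
        if desc.startswith('Description = '):
            desc = desc[len('Description = '):]
        out.append(EventError(m['ts'], m['src'], int(m['id']), desc))
    return out


def triage(fw: List[FirewallEntry], events: List[EventError]) -> List[str]:
    """Return human-readable findings; the rules are this example's assumptions."""
    findings = []
    for e in fw:
        if e.path.startswith('\\\\'):
            findings.append(f'firewall: entry for a UNC path: {e.path}')
        if e.enabled and not e.publisher:
            findings.append(f'firewall: enabled entry with no publisher recorded: {e.path}')
    for ev in events:
        if ev.source == 'Service Control Manager' and ev.event_id in (7000, 7009):
            m = SCM_SERVICE_RE.search(ev.description)
            svc = (m['svc'] or m['svc2']) if m else '?'
            findings.append(f'scm {ev.event_id}: service "{svc}" -- confirm it exists under '
                            r'HKLM\SYSTEM\CurrentControlSet\Services and what binary it points at')
    return findings


if __name__ == '__main__':
    for line in triage(parse_firewall(SAMPLE_FIREWALL), parse_events(SAMPLE_EVENTS)):
        print(line)
```

On the sample above this reports the UNC `WRUpdater.exe` entry, the unsigned `ET.exe` entry and the two SCM events, including the `poebunv sevcive` service named in the 7009 timeout; a name like that is worth looking up in the Services key before anything else, because the event alone says only that the service exists and did not answer.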



