Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Win32/Alureon, browser redirects, wgalogon.dll hangs at startup


  • This topic is locked This topic is locked
22 replies to this topic

#1 rygo424

rygo424

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:09:04 PM

Posted 19 August 2009 - 10:17 PM

Hi,

Several days ago my browser (Firefox) started redirecting my clicks as well as popping up bogus Windows Security messages. I tried IE and the problems were the same.
Also, occasionally my Latitude will hang on startup just prior to login (it says it is loading wgalogon.dll).

I typically use Spybot (about 2x per month), Ad-Aware (about 2x per month), and McAfee is installed and running.

Spybot: I attempted to run Spybot. It would not run. I attempted to uninstall/reinstall but am unable to navigate to safer-networking.org. hmmmm
Ad-Aware: Ran Ad-Aware, which found some tracking cookies but nothing else.
McAfee: Did not find anything

I have had success in the past using AVG in Safe Mode. I installed it, rebooted to safe mode, and ran a scan. It found Win32/Alureon and moved it to the Virus Vault.
Alas, the problems continued. This is about as far as I am comfortable going on my own. Any help would be greatly appreciated!

Attached please find the DDS logs, the RootRepeal log, and I threw in the AVG log for good measure.

Thanks,
- Rygo

Attached Files



BC AdBot (Login to Remove)

 


#2 rygo424

rygo424
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:09:04 PM

Posted 21 August 2009 - 07:27 AM

:::::: DDS log as inline text instead of attachment for easier viewing (same log as the one attached to original post) :::::::

DDS (Ver_09-07-30.01) - NTFSx86
Run by Administrator at 22:44:21.03 on Wed 08/19/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.255 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
c:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://unit.villanova.edu/support/slp/vuad
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: microsoft.com
Trusted Zone: villanova.edu
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238678844234
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238678826812
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.136,85.255.112.145
TCP: {52E6D423-C3D7-49AA-A38B-1B8A3C72581C} = 85.255.112.136,85.255.112.145
TCP: {DF999188-BFDE-484E-9D70-D6C97CC9B248} = 85.255.112.136,85.255.112.145
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\129x5v17.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.villanova.edu/homepage/index.htm
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\129x5v17.default\extensions\{fcab6fdd-5585-425b-95c1-5ed856f3fd08}\components\nsCatcher.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\administrator\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\real\realplayer enterprise\netscape6\nppl3260.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 a320raid;a320raid;c:\windows\system32\drivers\A320RAID.SYS [2006-4-18 251578]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-19 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-19 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-19 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-19 108552]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2006-5-24 59904]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-19 297752]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2006-5-24 104000]
R2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\Mcshield.exe [2007-11-26 221191]
R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\VsTskMgr.exe [2007-11-26 29184]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-5-24 117024]
RUnknown ungrzfe;ungrzfe; [x]
S0 aac;PERC 320/DC SCSI RAID Miniport Driver;c:\windows\system32\drivers\aac.sys --> c:\windows\system32\drivers\aac.sys [?]
S0 aarich;aarich;c:\windows\system32\drivers\aarich.sys --> c:\windows\system32\drivers\aarich.sys [?]
S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\drivers\ntcdrdrv.sys --> c:\windows\system32\drivers\ntcdrdrv.sys [?]
S0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys --> c:\windows\system32\drivers\vmscsi.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]

=============== Created Last 30 ================

2009-08-19 22:11 6,761,756,672 a------- C:\Backup2.bkf
2009-08-19 21:59 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-19 21:59 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-19 21:59 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-19 21:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-19 11:00 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-08-19 10:46 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-19 10:46 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-19 10:46 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-08-19 10:45 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-08-19 10:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-08-19 10:45 <DIR> --d----- c:\program files\AVG
2009-08-19 10:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-08-19 10:36 <DIR> --d----- c:\docume~1\admini~1\applic~1\AVG8
2009-08-16 23:48 <DIR> --d----- c:\docume~1\admini~1\applic~1\Cropper
2009-08-16 21:12 <DIR> --d----- c:\program files\Fusion8Design
2009-08-16 20:09 <DIR> --d----- c:\program files\SourceTec
2009-08-16 18:50 <DIR> --d----- c:\program files\SpywareBlaster
2009-07-28 22:11 380,928 a------- c:\windows\system32\lame_enc.dll
2009-07-28 14:46 <DIR> --d----- c:\program files\NCH Software
2009-07-28 14:39 <DIR> --d----- c:\docume~1\admini~1\applic~1\AccurateRip
2009-07-28 14:39 5,433,520 a------- c:\windows\system32\SpoonUninstall.exe
2009-07-28 14:39 <DIR> --d----- c:\program files\Illustrate
2009-07-23 18:24 <DIR> --d----- c:\documents and settings\administrator\Incomplete

==================== Find3M ====================

2009-06-05 11:42 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-06-01 23:49 15,688 a------- c:\windows\system32\lsdelete.exe
2008-06-19 13:15 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008061920080620\index.dat

============= FINISH: 22:44:56.56 ===============



#3 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:02:04 AM

Posted 31 August 2009 - 03:35 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#4 rygo424

rygo424
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:09:04 PM

Posted 31 August 2009 - 08:22 PM

Thanks for the reply schrauber.

MY ORIGINAL PROBLEM

Several days ago my browser (Firefox) started redirecting my clicks as well as popping up bogus Windows Security messages. I tried IE and the problems were the same.
Also, occasionally my Latitude will hang on startup just prior to login (it says it is loading wgalogon.dll).

I typically use Spybot (about 2x per month), Ad-Aware (about 2x per month), and McAfee is installed and running.

Spybot: I attempted to run Spybot. It would not run. I attempted to uninstall/reinstall but am unable to navigate to safer-networking.org. hmmmm
Ad-Aware: Ran Ad-Aware, which found some tracking cookies but nothing else.
McAfee: Did not find anything

I have had success in the past using AVG in Safe Mode. I installed it, rebooted to safe mode, and ran a scan. It found Win32/Alureon and moved it to the Virus Vault.
Alas, the problems continued.


UPDATES
  • Since the original post I tried to install MBAM but was not able to get it to run successfully.
  • For unrelated reasons, I looked at my DNS settings and found that instead of being configured to "obtain DNS server address automatically" it had been set to static addresses of 85.255.112.136 and 85.255.112.145. I knew this wasn't right and so changed it back to "obtain automatically"
  • Since I made that change (this morning), I have not had any browser redirects
  • Also, I can now navigate to safer-networking.org and install Spybot, although the user interface never shows up when I start it. SpybotSD.exe is listed in the running processes in Task Mgr.
Making the DNS change seems to have mitigated the browser issue, but some part of the infection must still remain if Spybot is a no-go. Please help me finish cleaning my computer. Your help is greatly appreciated!

Thanks,
- Rygo

DDS log

DDS (Ver_09-07-30.01) - NTFSx86
Run by Administrator at 20:55:45.71 on Mon 08/31/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.512 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
c:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://unit.villanova.edu/support/slp/vuad
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UdaterUI.exe" /StartedFromRunKey
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: microsoft.com
Trusted Zone: villanova.edu
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238678844234
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238678826812
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.136,85.255.112.145
TCP: {DF999188-BFDE-484E-9D70-D6C97CC9B248} = 85.255.112.136,85.255.112.145
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\129x5v17.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.villanova.edu/homepage/index.htm
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\129x5v17.default\extensions\{fcab6fdd-5585-425b-95c1-5ed856f3fd08}\components\nsCatcher.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\administrator\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\real\realplayer enterprise\netscape6\nppl3260.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

P2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\Mcshield.exe [2007-11-26 221191]
R0 a320raid;a320raid;c:\windows\system32\drivers\A320RAID.SYS [2006-4-18 251578]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-19 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-19 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-19 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-19 108552]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2006-5-24 59904]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-19 297752]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2006-5-24 104000]
R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\VsTskMgr.exe [2007-11-26 29184]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-5-24 117024]
S0 aac;PERC 320/DC SCSI RAID Miniport Driver;c:\windows\system32\drivers\aac.sys --> c:\windows\system32\drivers\aac.sys [?]
S0 aarich;aarich;c:\windows\system32\drivers\aarich.sys --> c:\windows\system32\drivers\aarich.sys [?]
S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\drivers\ntcdrdrv.sys --> c:\windows\system32\drivers\ntcdrdrv.sys [?]
S0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys --> c:\windows\system32\drivers\vmscsi.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]

=============== Created Last 30 ================

2009-08-24 17:54 4,876 a------- c:\windows\system32\d3d9caps.dat
2009-08-22 19:36 191 a------- C:\fun.bat
2009-08-19 22:11 6,761,756,672 a------- C:\Backup2.bkf
2009-08-19 21:59 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-19 21:59 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-19 21:59 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-19 21:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-19 11:00 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-08-19 10:46 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-19 10:46 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-19 10:46 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-08-19 10:45 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-08-19 10:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-08-19 10:45 <DIR> --d----- c:\program files\AVG
2009-08-19 10:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-08-19 10:36 <DIR> --d----- c:\docume~1\admini~1\applic~1\AVG8
2009-08-16 23:48 <DIR> --d----- c:\docume~1\admini~1\applic~1\Cropper
2009-08-16 21:12 <DIR> --d----- c:\program files\Fusion8Design
2009-08-16 20:09 <DIR> --d----- c:\program files\SourceTec
2009-08-16 18:50 <DIR> --d----- c:\program files\SpywareBlaster

==================== Find3M ====================

2009-07-28 14:38 5,433,520 a------- c:\windows\system32\SpoonUninstall.exe
2009-06-05 11:42 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2008-06-19 13:15 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008061920080620\index.dat

============= FINISH: 20:56:22.15 ===============

Attached Files



#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:01:04 AM

Posted 04 September 2009 - 06:21 PM

Hi rygo424,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#6 rygo424

rygo424
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:09:04 PM

Posted 05 September 2009 - 07:18 AM

Hi m0le,

Thanks for your help. Let me know how we should begin.

- Rygo

#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:01:04 AM

Posted 05 September 2009 - 02:42 PM

Hey ryogo424,


The DDS log looks clean but let's check a few other areas of the PC to be sure.

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.

    First Location
    Second Location
    Third Location

  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
Please also run MBAM

(If this won't run then please open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe extension to .bat, .com, .pif, or .scr)

Please download Posted Image Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Then finally a more detailed log than DDS...

We need to create an OTL Report
  • Please download OTL By OldTimer
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:[list]
    OTListIt.txt <-- Will be opened
    Extra.txt <-- Will be minimized
Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#8 rygo424

rygo424
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:09:04 PM

Posted 05 September 2009 - 10:30 PM

Hi m0le,

1. Attached is the RootRepeal log

2. I attempted to run MBAM. Nothing happened after I tried to run it. I renamed the .exe as suggested, ran the installer, and attempted to run again. Still nothing

3. Ran OTL. Those two reports are quoted below (and attached).


OTL.txt

OTL logfile created on: 9/5/2009 11:14:08 PM - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.11 Mb Total Physical Memory | 276.36 Mb Available Physical Memory | 27.25% Memory free
1.65 Gb Paging File | 0.95 Gb Available in Paging File | 57.81% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.88 Gb Total Space | 32.14 Gb Free Space | 57.52% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: D135VS91
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2006/11/01 13:48:12 | 00,020,480 | ---- | M] () -- C:\WINDOWS\System32\WLTRYSVC.EXE
PRC - [2006/11/01 13:48:10 | 01,253,376 | ---- | M] (Dell Inc.) -- C:\WINDOWS\System32\bcmwltry.exe
PRC - [2009/06/05 11:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/08/19 10:45:33 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2009/03/31 13:19:39 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2006/11/17 04:06:00 | 00,104,000 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
PRC - [2007/11/26 20:00:00 | 00,221,191 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Network Associates\VirusScan\Mcshield.exe
PRC - [2007/11/26 20:00:00 | 00,029,184 | ---- | M] (Network Associates, Inc.) -- C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
PRC - [2009/08/19 10:45:40 | 00,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2003/06/20 00:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
PRC - [2009/08/19 10:45:40 | 00,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2006/02/20 12:39:36 | 00,380,928 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
PRC - [2005/01/28 13:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wdfmgr.exe
PRC - [2007/04/13 02:50:00 | 00,251,256 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
PRC - [2007/04/13 02:50:00 | 00,590,712 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\CCM\CcmExec.exe
PRC - [2006/11/17 04:06:00 | 00,136,768 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
PRC - [2005/06/02 15:54:34 | 00,086,606 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2008/04/13 20:12:40 | 00,218,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\wmiprvse.exe
PRC - [2008/04/13 20:12:40 | 00,218,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\wmiprvse.exe
PRC - [2008/04/13 20:12:40 | 00,218,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\wmiprvse.exe
PRC - [2008/04/13 20:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2006/11/01 13:48:12 | 01,392,640 | ---- | M] (Dell Inc.) -- C:\WINDOWS\System32\WLTRAY.exe
PRC - [2009/03/31 13:19:39 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2005/10/07 14:13:38 | 00,176,128 | R--- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apoint.exe
PRC - [2009/07/13 14:03:10 | 00,292,128 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2004/09/22 08:00:00 | 00,098,304 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
PRC - [2006/11/17 04:06:00 | 00,136,768 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
PRC - [2006/11/17 04:06:00 | 00,086,016 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Network Associates\Common Framework\McTray.exe
PRC - [2004/06/28 23:56:12 | 00,045,056 | R--- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\HidFind.exe
PRC - [2005/07/27 16:41:08 | 00,045,056 | R--- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apntex.exe
PRC - [2009/07/13 14:02:50 | 00,542,496 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/08/09 08:25:37 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/09/05 23:13:11 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2009/06/05 11:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2007/04/13 03:20:52 | 00,033,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2009/08/19 10:45:33 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Running])
SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2005/06/02 15:54:34 | 00,086,606 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8 [Auto | Running])
SRV - [2007/04/13 02:50:00 | 00,590,712 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\CCM\CcmExec.exe -- (CcmExec [Auto | Running])
SRV - [2007/04/13 03:21:18 | 00,068,952 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/04/13 20:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2009/07/13 14:02:50 | 00,542,496 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])
SRV - [2009/03/31 13:19:39 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2009/07/02 16:35:31 | 01,029,456 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service [On_Demand | Stopped])
SRV - [2006/11/17 04:06:00 | 00,104,000 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Network Associates\Common Framework\FrameworkService.exe -- (McAfeeFramework [Auto | Running])
SRV - [2007/11/26 20:00:00 | 00,221,191 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Network Associates\VirusScan\Mcshield.exe -- (McShield [Auto | Running])
SRV - [2007/11/26 20:00:00 | 00,029,184 | ---- | M] (Network Associates, Inc.) -- C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe -- (McTaskManager [Auto | Running])
SRV - [2003/06/20 00:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM [Auto | Running])
SRV - [2006/02/20 12:39:36 | 00,380,928 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe -- (NICCONFIGSVC [Auto | Running])
SRV - [2006/01/19 10:14:00 | 00,143,428 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe -- (NVSvc [Auto | Stopped])
SRV - [2007/08/24 04:19:12 | 00,443,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2005/01/28 13:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wdfmgr.exe -- (UMWdf [Auto | Running])
SRV - [2006/11/01 13:48:12 | 00,020,480 | ---- | M] () -- C:\WINDOWS\System32\WLTRYSVC.EXE -- (wltrysvc [Auto | Running])
SRV - [2005/10/06 18:12:30 | 00,855,552 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Connect 2\wmccds.exe -- (WMConnectCDS [On_Demand | Stopped])
SRV - [2007/04/13 02:50:00 | 00,251,256 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe -- (Wuser32 [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2004/06/15 12:06:20 | 00,251,578 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\System32\DRIVERS\a320raid.sys -- (a320raid [Boot | Running])
DRV - [2005/09/28 20:57:18 | 00,113,847 | R--- | M] (Alps Electric Co., Ltd.) -- C:\WINDOWS\System32\DRIVERS\Apfiltr.sys -- (ApfiltrService [On_Demand | Running])
DRV - [2005/11/14 13:41:10 | 00,016,128 | ---- | M] (Dell Inc) -- C:\Program Files\Dell\NICCONFIGSVC\Appdrv.sys -- (Appdrv [On_Demand | Running])
DRV - [2009/08/19 10:46:10 | 00,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86 [System | Running])
DRV - [2009/08/19 10:46:09 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86 [System | Running])
DRV - [2009/08/19 10:46:10 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX [System | Running])
DRV - [2005/11/10 11:25:14 | 00,142,720 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\System32\DRIVERS\b57xp32.sys -- (b57w2k [On_Demand | Running])
DRV - [2006/10/12 16:28:42 | 00,604,928 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\System32\DRIVERS\bcmwl5.sys -- (BCM43XX [On_Demand | Running])
DRV - [2009/03/19 16:32:48 | 00,023,400 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\System32\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2008/04/13 12:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\System32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2005/12/01 02:40:56 | 00,936,960 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\System32\DRIVERS\HSX_DPV.sys -- (HSF_DPV [On_Demand | Running])
DRV - [2005/12/01 02:40:12 | 00,192,512 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\System32\DRIVERS\HSXHWAZL.sys -- (HSXHWAZL [On_Demand | Running])
DRV - [2005/12/13 19:09:34 | 01,364,574 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\ialmnt5.sys -- (ialm [On_Demand | Running])
DRV - [2005/04/25 09:28:14 | 00,871,040 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\iaStor.sys -- (iaStor [Boot | Running])
DRV - [2006/02/09 02:50:00 | 00,008,992 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\idisw2km.sys -- (idisw2km [On_Demand | Running])
DRV - [2006/02/09 02:50:00 | 00,011,744 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\kbstuff5.sys -- (kbstuff [On_Demand | Running])
DRV - [2009/03/09 15:06:56 | 00,064,160 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd [Boot | Running])
DRV - [2005/10/05 00:57:08 | 00,012,544 | ---- | M] (Conexant) -- C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys -- (mdmxsdk [Auto | Running])
DRV - [2007/11/26 20:00:00 | 00,117,024 | ---- | M] (McAfee Inc.) -- C:\WINDOWS\System32\drivers\naiavf5x.sys -- (NaiAvFilter1 [On_Demand | Running])
DRV - [2007/11/26 20:00:00 | 00,059,904 | ---- | M] (McAfee Inc.) -- C:\WINDOWS\System32\drivers\mvstdi5x.sys -- (NaiAvTdi1 [System | Running])
DRV - [2006/01/19 10:14:00 | 03,595,296 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Stopped])
DRV - [2001/08/22 08:42:58 | 00,013,632 | ---- | M] (Dell Computer Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI [System | Running])
DRV - [2007/04/13 02:50:00 | 00,023,416 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\CCM\prepdrv.sys -- (prepdrvr [On_Demand | Running])
DRV - [2004/08/12 09:26:42 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2007/11/13 06:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2009/05/02 12:29:07 | 00,080,552 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\System32\DRIVERS\sscdbus.sys -- (sscdbus [On_Demand | Stopped])
DRV - [2009/05/02 12:29:07 | 00,011,944 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\System32\DRIVERS\sscdmdfl.sys -- (sscdmdfl [On_Demand | Stopped])
DRV - [2009/05/02 12:29:07 | 00,106,792 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\System32\DRIVERS\sscdmdm.sys -- (sscdmdm [On_Demand | Stopped])
DRV - [2009/05/02 12:29:07 | 00,086,824 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\System32\DRIVERS\sscdserd.sys -- (sscdserd [On_Demand | Stopped])
DRV - [2005/11/16 16:36:00 | 01,047,816 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\System32\drivers\sthda.sys -- (STHDA [On_Demand | Running])
DRV - [2002/08/29 15:29:12 | 00,036,096 | ---- | M] (LSI Logic) -- C:\WINDOWS\System32\DRIVERS\symmpi.sys -- (Symmpi [Boot | Running])
DRV - [2009/06/05 11:42:38 | 00,039,424 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\System32\Drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])
DRV - [2008/04/13 14:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Stopped])
DRV - [2005/05/13 18:27:56 | 00,028,672 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\usbccid.sys -- (USBCCID [On_Demand | Running])
DRV - [2005/12/01 02:40:08 | 00,669,696 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\System32\DRIVERS\HSX_CNXT.sys -- (winachsf [On_Demand | Running])
DRV - [2007/11/26 20:00:00 | 00,008,320 | ---- | M] (McAfee, Inc) -- C:\WINDOWS\System32\drivers\EntDrv51.sys -- (EntDrv51 [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1508312232-3963068204-619120153-500\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-1508312232-3963068204-619120153-500\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-1508312232-3963068204-619120153-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found
IE - URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-21-1508312232-3963068204-619120153-500\S-1-5-21-1508312232-3963068204-619120153-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1508312232-3963068204-619120153-500\S-1-5-21-1508312232-3963068204-619120153-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://www.villanova.edu/homepage/index.htm"
FF - prefs.js..extensions.enabledItems: {77b819fa-95ad-4f2c-ac7c-486b356188a9}:1.5.20090525
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
FF - prefs.js..extensions.enabledItems: {FCAB6FDD-5585-425b-95C1-5ED856F3FD08}:5.4
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:8.5
FF - prefs.js..extensions.enabledItems: avg@igeared:2.507.024.001
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.13

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/03/31 13:19:41 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG8\Firefox [2009/08/19 10:45:33 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\avg@igeared: C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared [2009/08/19 10:45:47 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/08/16 23:48:46 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/08/09 08:25:42 | 00,000,000 | ---D | M]

[2009/02/16 23:04:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Extensions
[2008/10/06 09:30:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/02/16 23:04:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Extensions\mozswing@mozswing.org
[2009/09/05 08:14:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\129x5v17.default\extensions
[2009/06/14 20:43:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\129x5v17.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}
[2009/08/16 23:49:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\129x5v17.default\extensions\{FCAB6FDD-5585-425b-95C1-5ED856F3FD08}
[2009/09/05 08:14:00 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/08/09 08:25:42 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/03/31 13:20:22 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2009/08/09 08:25:37 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/08/09 08:25:37 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/03/31 13:19:40 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll
[2009/08/09 08:25:38 | 00,065,528 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2009/02/27 12:13:42 | 00,103,792 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2009/06/08 21:10:56 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2009/06/08 21:10:56 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2009/06/08 21:10:56 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2009/06/08 21:10:57 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2009/06/08 21:10:57 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2009/06/08 21:10:57 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2009/06/08 21:10:57 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2009/03/30 00:12:26 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/03/30 00:12:26 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/08/19 10:53:27 | 00,001,489 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\avg_igeared.xml
[2009/03/30 00:12:26 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/03/30 00:12:26 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/03/30 00:12:26 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/03/30 00:12:26 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml

O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O3 - HKU\S-1-5-21-1508312232-3963068204-619120153-500\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\System32\WLTRAY.exe (Dell Inc.)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\Network Associates\Common Framework\UdaterUI.exe (McAfee, Inc.)
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SysTray] C:\WINDOWS\System32\systray.exe (Microsoft Corporation)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: VerboseStatus = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1508312232-3963068204-619120153-500\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1508312232-3963068204-619120153-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1508312232-3963068204-619120153-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoChangeStartMenu = 0
O7 - HKU\S-1-5-21-1508312232-3963068204-619120153-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLogOff = 0
O7 - HKU\S-1-5-21-1508312232-3963068204-619120153-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1508312232-3963068204-619120153-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-1508312232-3963068204-619120153-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoClose = 0
O7 - HKU\S-1-5-21-1508312232-3963068204-619120153-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\S-1-5-21-1508312232-3963068204-619120153-500_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - c:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe ()
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 48 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 48 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-1508312232-3963068204-619120153-500\..Trusted Domains: microsoft.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-1508312232-3963068204-619120153-500\..Trusted Domains: villanova.edu ([]* in Trusted sites)
O15 - HKU\S-1-5-21-1508312232-3963068204-619120153-500\..Trusted Domains: 56 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab (QuickTime Object)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitdefender.com/resources/...can8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdat...b?1238678844234 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1238678826812 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 65.32.5.111 65.32.5.112
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.136,85.255.112.145
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/02/28 09:15:56 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{2ecdadfc-7398-11dd-891f-001422fa4363}\Shell\AutoRun\command - "" = G:\PortableVault.exe -- File not found
O33 - MountPoints2\{b33b83ff-306f-11de-8b8d-001422fa4363}\Shell - "" = AutoRun
O33 - MountPoints2\{b33b83ff-306f-11de-8b8d-001422fa4363}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (/p) - File not found
O34 - HKLM BootExecute: (\??\C:) - File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\*.tmp files]
[2 C:\Documents and Settings\Administrator\Application Data\*.tmp files]
[2009/09/05 23:13:10 | 00,514,048 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2009/09/05 23:11:16 | 03,942,048 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup.exe
[2009/09/05 18:59:28 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/09/05 18:59:27 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/09/05 18:59:27 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/09/05 18:59:26 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/09/03 11:48:21 | 00,047,104 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\taxi.doc
[2009/09/02 16:11:53 | 00,029,184 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\travel.doc
[2009/08/31 21:01:28 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2009/08/31 20:16:59 | 00,036,864 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\hold mail.doc
[2009/08/30 19:41:59 | 00,000,000 | ---D | C] -- C:\Program Files\FLV Player
[2009/08/30 11:16:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Cropper Captures
[2009/08/29 00:03:42 | 00,011,699 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Kathycackle.mp3
[2009/08/28 11:56:22 | 03,638,272 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Philosophy.ppt
[2009/08/24 21:39:40 | 00,000,544 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\To Do.lnk
[2009/08/24 21:39:22 | 00,016,896 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Todo.xls
[2009/08/24 17:54:58 | 00,004,876 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/08/23 15:41:16 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\_ACC 2450 Advanced Accounting
[2009/08/22 10:28:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\_MGT 3301 - Policy Formulation
[2009/08/22 10:27:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\_ACC 2430 Audit
[2009/08/22 10:25:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\_BL 2185 - Contracts
[2009/08/22 10:25:12 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\_ACC 2460 Cost Accounting
[2009/08/19 22:11:50 | 24,667,89375 | ---- | C] () -- C:\Backup2.bkf
[2009/08/19 21:51:26 | 00,000,000 | ---D | C] -- C:\Avenger
[2009/08/19 21:51:25 | 10,634,44480 | -HS- | C] () -- C:\hiberfil.sys
[2009/08/19 11:00:55 | 00,000,000 | -H-D | C] -- C:\$AVG8.VAULT$
[2009/08/19 10:53:27 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
[2009/08/19 10:46:11 | 00,011,952 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/08/19 10:46:10 | 00,335,240 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/08/19 10:46:10 | 00,108,552 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/08/19 10:46:09 | 00,027,784 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/08/19 10:45:53 | 40,634,818 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/08/19 10:45:52 | 00,083,167 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/08/19 10:45:50 | 00,463,779 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/08/19 10:45:49 | 06,061,540 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/08/19 10:45:49 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\Avg
[2009/08/19 10:45:47 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2009/08/19 10:45:33 | 00,000,000 | ---D | C] -- C:\Program Files\AVG
[2009/08/19 10:45:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg8
[2009/08/19 10:36:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\AVG8
[2009/08/19 09:33:02 | 00,000,000 | ---D | C] -- C:\WINDOWS\BDOSCAN8
[2009/08/16 23:48:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Cropper
[2009/08/16 21:12:11 | 00,000,000 | ---D | C] -- C:\Program Files\Fusion8Design
[2009/08/16 20:09:23 | 00,000,000 | ---D | C] -- C:\Program Files\SourceTec
[2009/08/16 18:50:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/08/16 18:50:48 | 00,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2009/08/16 11:08:51 | 00,000,276 | -H-- | C] () -- C:\WINDOWS\tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
[2009/08/14 15:36:15 | 00,384,512 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Remington 870 - cleaning.doc
[2009/08/10 21:31:57 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2009/07/28 22:11:02 | 00,380,928 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2009/04/10 16:35:20 | 00,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2009/03/01 15:15:53 | 00,000,058 | ---- | C] () -- C:\WINDOWS\System32\EAL32.INI
[2009/01/05 15:44:10 | 00,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini
[2008/09/03 11:16:28 | 00,006,656 | ---- | C] () -- C:\WINDOWS\System32\CNMVS56.DLL
[2007/03/21 10:07:48 | 00,000,280 | ---- | C] () -- C:\WINDOWS\System32\epoPGPsdk.dll.sig
[2007/03/05 14:34:28 | 00,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2006/05/05 10:34:55 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2006/05/05 10:34:20 | 00,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2006/04/20 13:39:45 | 00,000,325 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/04/18 23:08:56 | 00,004,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\WINIO.SYS
[2006/04/18 22:35:42 | 00,000,496 | ---- | C] () -- C:\WINDOWS\SMSCFG.ini
[2006/04/18 22:05:25 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/04/18 20:51:29 | 00,004,652 | ---- | C] () -- C:\WINDOWS\parts.ini
[2006/04/18 20:51:15 | 00,000,445 | ---- | C] () -- C:\WINDOWS\IB.ini
[2006/01/19 10:14:00 | 01,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/01/19 10:14:00 | 01,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/01/19 10:14:00 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/01/19 10:14:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/01/19 10:14:00 | 00,106,496 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2005/02/28 10:03:23 | 00,000,526 | ---- | C] () -- C:\WINDOWS\win.ini
[2005/02/28 10:03:15 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[1 C:\WINDOWS\*.tmp files]
[2 C:\Documents and Settings\Administrator\Application Data\*.tmp files]
[2009/09/05 23:13:11 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2009/09/05 23:11:19 | 03,942,048 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup.exe
[2009/09/05 20:00:00 | 00,000,276 | -H-- | M] () -- C:\WINDOWS\tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
[2009/09/05 18:56:43 | 00,000,328 | ---- | M] () -- C:\WINDOWS\tasks\GlaryInitialize.job
[2009/09/05 18:56:39 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/09/05 18:53:24 | 40,634,818 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/09/05 18:53:24 | 00,083,167 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/09/05 18:44:55 | 00,000,496 | ---- | M] () -- C:\WINDOWS\SMSCFG.ini
[2009/09/05 18:44:25 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/09/05 18:44:21 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/09/05 18:44:20 | 10,634,44480 | -HS- | M] () -- C:\hiberfil.sys
[2009/09/05 18:43:08 | 05,859,732 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2009/09/03 16:55:18 | 00,027,136 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Inc Stmt.xls
[2009/09/03 16:54:05 | 00,412,160 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Financials.xls
[2009/09/03 14:15:58 | 00,047,104 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\taxi.doc
[2009/09/02 16:11:53 | 00,029,184 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\travel.doc
[2009/08/31 20:16:59 | 00,036,864 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\hold mail.doc
[2009/08/29 00:05:49 | 00,011,699 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Kathycackle.mp3
[2009/08/28 14:09:15 | 03,638,272 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Philosophy.ppt
[2009/08/27 13:02:32 | 00,016,896 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Todo.xls
[2009/08/25 10:52:53 | 00,076,288 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Tentative Schedule.xls
[2009/08/24 21:39:40 | 00,000,544 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\To Do.lnk
[2009/08/24 17:54:58 | 00,004,876 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/08/24 13:17:17 | 00,000,526 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/08/24 13:17:17 | 00,000,273 | RHS- | M] () -- C:\boot.ini
[2009/08/24 13:17:17 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/08/19 22:32:23 | 24,667,89375 | ---- | M] () -- C:\Backup2.bkf
[2009/08/19 10:52:46 | 06,061,540 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/08/19 10:52:46 | 00,463,779 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/08/19 10:46:11 | 00,011,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/08/19 10:46:10 | 00,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/08/19 10:46:10 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/08/19 10:46:09 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/08/14 15:41:28 | 00,384,512 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Remington 870 - cleaning.doc
[2009/08/13 23:42:49 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

========== Alternate Data Streams ==========

@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
< End of report >




Extras.txt

OTL Extras logfile created on: 9/5/2009 11:14:09 PM - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.11 Mb Total Physical Memory | 276.36 Mb Available Physical Memory | 27.25% Memory free
1.65 Gb Paging File | 0.95 Gb Available in Paging File | 57.81% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.88 Gb Total Space | 32.14 Gb Free Space | 57.52% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: D135VS91
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1508312232-3963068204-619120153-500\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Connect
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Connect
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Connect
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Connect
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Connect
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Connect

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Connect
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Connect
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Connect
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Connect
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Connect
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Connect
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" = C:\Program Files\Network Associates\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service -- (McAfee, Inc.)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Real\RealPlayer Enterprise\realplay.exe" = C:\Program Files\Real\RealPlayer Enterprise\realplay.exe:*:Disabled:RealPlayer Enterprise -- (RealNetworks, Inc.)
"C:\WINDOWS\system32\CCM\clicomp\RemCtrl\Wuser32.exe" = C:\WINDOWS\system32\CCM\clicomp\RemCtrl\Wuser32.exe:*:Enabled:Wuser32 -- (Microsoft Corporation)
"C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe" = C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe:*:Enabled:naPrdMgr -- (McAfee, Inc.)
"C:\Program Files\Respondus LockDown Browser\LockDown.exe" = C:\Program Files\Respondus LockDown Browser\LockDown.exe:*:Enabled:LockDown Browser -- File not found
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- File not found
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG8\avgnsx.exe" = C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\SopCast\adv\SopAdver.exe" = C:\Program Files\SopCast\adv\SopAdver.exe:*:Disabled:SopCast Adver -- File not found
"C:\Program Files\SopCast\SopCast.exe" = C:\Program Files\SopCast\SopCast.exe:*:Disabled:SopCast Main Application -- File not found
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0A146245-DB79-4197-BF5D-FE1A699A2CC7}" = Camera Window DS
"{1F528948-0E80-4C96-B455-DE4167CB1DF7}" = Internal Network Card Power Management
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 13
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{366FFC89-C800-4366-B903-B9C4314109A5}" = Garmin WebUpdater
"{4A39A27F-005B-407E-8CF5-F4D8065658E4}" = SMS Advanced Client
"{4DBBF091-FACD-422C-B43C-786335BD5398}" = MovieEdit Task
"{50E25180-3BDC-4B6D-80A2-3F1F0C9CF39D}" = Camera Window DVC
"{5DF3D1BB-894E-4DCD-8275-159AC9829B43}" = McAfee VirusScan Enterprise
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.7
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6C3A75A6-9A90-44A3-A703-82AC1EA6A85D}" = Camera Window MC
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{838A1BC9-95CA-4880-9BE3-2A7D23600A2B}" = Macromedia Shockwave Player
"{874E44F3-B9A7-4AA1-B4BA-83E5684ED9C6}" = PhotoStitch
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROPLUS_{3EC77D26-799B-4CD8-914F-C1565E796173}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROPLUS_{430971B1-C31E-45DA-81E0-72C095BAB72C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUS_{F7A31780-33C4-4E39-951A-5EC9B91D7BF1}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROPLUS_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90170409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office FrontPage 2003
"{901F8ED7-13E8-43EF-B738-2FE89B0588EB}" = Camera Access Library
"{903B0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Project Professional 2003
"{99ECF41F-5CCA-42BD-B8B8-A8333E2E2944}" = iTunes
"{9E2EB8B9-A938-47A2-AB22-6EEEDC7DC44D}" = Cropper
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
"{A1D0D14A-B776-4907-BC00-5149F2298086}" = Camera Support Core Library
"{A2EB8F2E-6D9B-4F8B-96EB-F976D33F416F}" = Camera Window DVC
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1.2
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BAA43DA2-B6C5-46EC-B163-0E8EEAF975A4}" = RAW Image Task 2.2
"{BBBC2B89-E193-4348-A83C-C8DD8210A4AC}" = Canon PhotoRecord
"{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}" = Canon ZoomBrowser EX (E)
"{C337BDAF-CB4E-47E2-BE1A-CB31BB7DD0E3}" = Apple Mobile Device Support
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E9ED0801-253D-4FE9-AB20-F63DEFE72547}" = SAMSUNG Mobile USB DRIVER(4.40.7.0) v1.6
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{FA61D601-A0FC-48BD-AE7A-54946BCD7FB6}_is1" = BitPim 1.0.5
"Ad-Aware" = Ad-Aware
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.3
"AVG8Uninstall" = AVG Free 8.5
"AVIcodec" = AVIcodec (remove only)
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
"CANONBJ_Deinstall_CNMCP56.DLL" = Canon i860
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3" = Conexant HDA D110 MDC V.92 Modem
"FLV Player" = FLV Player 2.0 (build 25)
"FreeUndelete" = FreeUndelete
"Glary Utilities_is1" = Glary Utilities 2.15.0.738
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{0A146245-DB79-4197-BF5D-FE1A699A2CC7}" = Canon Camera Window DSLR 5 for ZoomBrowser EX
"InstallShield_{4DBBF091-FACD-422C-B43C-786335BD5398}" = Canon MovieEdit Task for ZoomBrowser EX
"InstallShield_{50E25180-3BDC-4B6D-80A2-3F1F0C9CF39D}" = Canon Camera Window DC_DV 6 for ZoomBrowser EX
"InstallShield_{6C3A75A6-9A90-44A3-A703-82AC1EA6A85D}" = Canon Camera Window MC 6 for ZoomBrowser EX
"InstallShield_{874E44F3-B9A7-4AA1-B4BA-83E5684ED9C6}" = Canon Utilities PhotoStitch 3.1
"InstallShield_{901F8ED7-13E8-43EF-B738-2FE89B0588EB}" = Canon Camera Access Library
"InstallShield_{A1D0D14A-B776-4907-BC00-5149F2298086}" = Canon Camera Support Core Library
"InstallShield_{A2EB8F2E-6D9B-4F8B-96EB-F976D33F416F}" = Canon Camera Window DC_DV 5 for ZoomBrowser EX
"InstallShield_{BAA43DA2-B6C5-46EC-B163-0E8EEAF975A4}" = Canon RAW Image Task for ZoomBrowser EX
"InstallShield_{E9ED0801-253D-4FE9-AB20-F63DEFE72547}" = SAMSUNG Mobile USB DRIVER(4.40.7.0) v1.6
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"McAfee Anti-Spyware Enterprise Module" = McAfee Anti-Spyware Enterprise Module
"MetaFrame Presentation Server Web Client for Win32" = MetaFrame Presentation Server Web Client for Win32
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"Mozilla Firefox (3.0.13)" = Mozilla Firefox (3.0.13)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"PROPLUS" = Microsoft Office Professional Plus 2007
"RealPlayer Enterprise 6.0" = RealPlayer Enterprise
"SpywareBlaster_is1" = SpywareBlaster 4.2
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMCSetup" = Windows Media Connect

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1508312232-3963068204-619120153-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/24/2009 10:59:24 AM | Computer Name = D135VS91 | Source = SmsClient | ID = 10007
Description = The program for advertisement "VUA204B9" failed ("VUA001C5" - "Microsoft
Update - October 2008 Addtional"). The failure description was "11204". User context:
NT AUTHORITY\SYSTEM Possible cause: The program generated an installation status
Management Information Format (MIF) file with a status value of Failed. Solution:
For more information about the failure, refer to the documentation for the program
you are distributin

Error - 8/24/2009 10:59:24 AM | Computer Name = D135VS91 | Source = SmsClient | ID = 11412
Description = Scan component failed(type = Microsoft Update): Error while trying
to execute SmsWusHandler.ex

Error - 8/24/2009 10:59:24 AM | Computer Name = D135VS91 | Source = SmsClient | ID = 11204
Description = Software updates evaluation failed: could not run the scan component
of the specified software update inventory tool on the client computer. The scan
component program could not be found in the client cache or it returned failure
status. Possible cause: The scan component was removed from the client cache. Solution:
Re-run the advertisement for the scan component on the client computer. This
will update the cache and might fix the problem. Possible cause: Unknown scan component
failure. Solution: Review the status of the scan component of the specified software
update inventory tool on this clien

Error - 8/24/2009 10:59:24 AM | Computer Name = D135VS91 | Source = SmsClient | ID = 10007
Description = The program for advertisement "VUA204D4" failed ("VUA001D0" - "Microsoft
Update - January 2009"). The failure description was "11204". User context: NT
AUTHORITY\SYSTEM Possible cause: The program generated an installation status Management
Information Format (MIF) file with a status value of Failed. Solution: For more
information about the failure, refer to the documentation for the program you are
distributin

Error - 8/25/2009 10:32:17 AM | Computer Name = D135VS91 | Source = SmsClient | ID = 10053
Description = The program for advertisement "VUA204B7 has failed because content
download for the package "VUA001C4" - "4" has failed. Possible cause: The content
can not be found on the network, or the content could not be accessed. Solution:
Check to ensure this content has been made available on a distribution point. Check
to ensure the access control list allows this program to be accessed. Check to
make sure that the file system path for the content, including the path to the cache
directory, is not greater than 255 character

Error - 8/26/2009 4:17:11 PM | Computer Name = D135VS91 | Source = SmsClient | ID = 10021
Description = The program for advertisement "VUA204B9" failed ("VUA001C5" - "Microsoft
Update - October 2008 Addtional"). The program was able to be executed but the
system was restarted unexpectedly before the program could be completed or before
status could be recorded. No installation status MIF was found after the system
restarted. Possible cause: The program performs a restart of the client computer
when it completes, but the 'After running' setting in the program's properties
is not set to Program restarts computer, or the client machine was restarted while
the program was running. Solution: Verify the above. If the program does a restart
when it completes, even if it only requires a restart in some cases, modify the
program's properties and set 'After running' to 'Program restarts computer

Error - 8/26/2009 7:59:01 PM | Computer Name = D135VS91 | Source = SmsClient | ID = 10007
Description = The program for advertisement "VUA204B7" failed ("VUA001C4" - "Microsoft
Update - October 2008"). The failure description was "11204". User context: NT
AUTHORITY\SYSTEM Possible cause: The program generated an installation status Management
Information Format (MIF) file with a status value of Failed. Solution: For more
information about the failure, refer to the documentation for the program you are
distributin

Error - 8/29/2009 11:37:12 AM | Computer Name = D135VS91 | Source = SmsClient | ID = 10021
Description = The program for advertisement "VUA204B9" failed ("VUA001C5" - "Microsoft
Update - October 2008 Addtional"). The program was able to be executed but the
system was restarted unexpectedly before the program could be completed or before
status could be recorded. No installation status MIF was found after the system
restarted. Possible cause: The program performs a restart of the client computer
when it completes, but the 'After running' setting in the program's properties
is not set to Program restarts computer, or the client machine was restarted while
the program was running. Solution: Verify the above. If the program does a restart
when it completes, even if it only requires a restart in some cases, modify the
program's properties and set 'After running' to 'Program restarts computer

Error - 9/3/2009 8:17:40 AM | Computer Name = D135VS91 | Source = SmsClient | ID = 10007
Description = The program for advertisement "VUA204D4" failed ("VUA001D0" - "Microsoft
Update - January 2009"). The failure description was "11204". User context: NT
AUTHORITY\SYSTEM Possible cause: The program generated an installation status Management
Information Format (MIF) file with a status value of Failed. Solution: For more
information about the failure, refer to the documentation for the program you are
distributin

Error - 9/5/2009 6:31:03 PM | Computer Name = D135VS91 | Source = SmsClient | ID = 10021
Description = The program for advertisement "VUA2034A" failed ("VUA00141" - "Microsoft
Updates Tool"). The program was able to be executed but the system was restarted
unexpectedly before the program could be completed or before status could be recorded.
No installation status MIF was found after the system restarted. Possible cause:
The program performs a restart of the client computer when it completes, but the
'After running' setting in the program's properties is not set to Program restarts
computer, or the client machine was restarted while the program was running. Solution:
Verify the above. If the program does a restart when it completes, even if it only
requires a restart in some cases, modify the program's properties and set 'After
running' to 'Program restarts computer

[ System Events ]
Error - 9/3/2009 4:44:51 PM | Computer Name = D135VS91 | Source = ipnathlp | ID = 30013
Description = The DHCP allocator has disabled itself on IP address 12.185.224.66,
since
the IP address is outside the 192.168.0.0/255.255.255.0 scope from which addresses
are being allocated to DHCP clients. To enable the DHCP allocator on this IP address,
please
change the scope to include the IP address, or change the IP address to fall within
the scope.

Error - 9/3/2009 5:11:16 PM | Computer Name = D135VS91 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
vmscsi

Error - 9/4/2009 12:06:59 AM | Computer Name = D135VS91 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
vmscsi

Error - 9/4/2009 12:13:23 AM | Computer Name = D135VS91 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
vmscsi

Error - 9/4/2009 9:28:06 AM | Computer Name = D135VS91 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
vmscsi

Error - 9/4/2009 11:43:37 AM | Computer Name = D135VS91 | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 9/4/2009 10:33:17 PM | Computer Name = D135VS91 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
vmscsi

Error - 9/5/2009 6:30:30 PM | Computer Name = D135VS91 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
vmscsi

Error - 9/5/2009 6:35:55 PM | Computer Name = D135VS91 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the McShield service.

Error - 9/5/2009 6:44:46 PM | Computer Name = D135VS91 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
vmscsi


< End of report >

Attached Files



#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:01:04 AM

Posted 06 September 2009 - 05:27 AM

MBAM is being blocked by a rootkit which RootRepeal has found.

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop but rename it Combo-Fix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Once this has been done please run MBAM. Please delete your copy and then follow these instructions.

Please download Posted Image Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#10 rygo424

rygo424
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:09:04 PM

Posted 06 September 2009 - 06:01 PM

Hi m0le,

Thanks again for your help. Here are the results..

1. Ran combo-fix.exe.
1a. It seemed to have a problem at one point. It complained that the "system could not find the file temp04" and Pev.cfxxe encountered an error and had to close.
1b. After that, it said that it found a rootkit and to note the following files:
c:\windows\systrem32\ESQULnrnwmiovbiecwqorcyykvefkufgrrqib.dll
c:\windows\systrem32\drivers\ESQULdaubwdranuhvaptdbncksubkohiecnmn.sys
c:\windows\systrem32\ESQULildsxhsilqermawaorxvprldsthymenr.dll
1c. Then it required a reboot, which I did. Combo-fix ran again on startup and eventually went back to my normal desktop, although I could not find the c:\combofix.txt log that you mentioned.

2. Uninstalled existing copy of MBAM, downloaded the new, installed, and ran MBAM (first time it ran since this issue started! :thumbup2: )
2a. It found 5 issues, which are contained in the log below:

Malwarebytes' Anti-Malware 1.40
Database version: 2749
Windows 5.1.2600 Service Pack 3

9/6/2009 5:29:39 PM
mbam-log-2009-09-06 (17-29-39).txt

Scan type: Full Scan (C:\|)
Objects scanned: 144699
Time elapsed: 24 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\fias4051 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\ESQULnrnwmiovbiecwqorcyykvefkufgrrqib.dll.vir (Trojan.Alureon) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ESQULdaubwdranuhvaptdbncksubkohiecnmn.sys.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.



#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:01:04 AM

Posted 06 September 2009 - 06:08 PM

The Combofix log is important so we should try and find it.

Please go to Start >Run > and copy/paste the following, then press Enter

C:\QooBox\ComboFix-quarantined-files.txt

A log file should open. Please post that in your next reply.

Though it looks like MBAM removed the ESQUL rootkit files from the quarantine folder already. :thumbup2:
Posted Image
m0le is a proud member of UNITE

#12 rygo424

rygo424
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:09:04 PM

Posted 06 September 2009 - 09:46 PM

That file wasn't found.
In that directory, the only file is "LogA" which I pasted below. Maybe it's related to the Pev.cfxxe stopping hard??
Should I run combofix again to get another log?

\Registry\Machine\System\CurrentControlSet\Services\vkquwexg

*******************

Script file located at: \??\C:\Combo-Fix\ComboDel.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\QooBox
*******************

Beginning to process script file:

File move operation C:\WINDOWS\system32\ESQULnrnwmiovbiecwqorcyykvefkufgrrqib.dll|C:\QooBox\Quarantine\C\WINDOWS\system32\ESQULnrnwmiovbiecwqorcyykvefkufgrrqib.dll.vir completed successfully.
File move operation C:\WINDOWS\system32\drivers\ESQULdaubwdranuhvaptdbncksubkohiecnmn.sys|C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\ESQULdaubwdranuhvaptdbncksubkohiecnmn.sys.vir completed successfully.
File move operation C:\WINDOWS\system32\ESQULildsxhsilqermawaorxuprldstlymenr.dll|C:\QooBox\Quarantine\C\WINDOWS\system32\ESQULildsxhsilqermawaorxuprldstlymenr.dll.vir completed successfully.
Program C:\Combo-Fix\C.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.//////////////////////////////////////////


\Registry\Machine\System\CurrentControlSet\Services\vkquwexg

*******************


Fatal error: integrity of Services key failed verification check! Security may be fatally compromised. Exiting immediately.

Could not open script file! Status: 0xc0000034 Abort!
//////////////////////////////////////////


\Registry\Machine\System\CurrentControlSet\Services\vkquwexg

*******************


Fatal error: integrity of Services key failed verification check! Security may be fatally compromised. Exiting immediately.

Could not open script file! Status: 0xc0000034 Abort!



#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:01:04 AM

Posted 07 September 2009 - 11:57 AM

Thanks for posting that. It shows that Combofix caught the rootkit.

Let's run a clean-up scan from an online scanner.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#14 rygo424

rygo424
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:09:04 PM

Posted 07 September 2009 - 04:57 PM

Hi m0le,

The saga continues. Here are the results of the ESET Scan:

C:\Documents and Settings\Administrator\My Documents\My Installations\Glary Utilities\gusetupnew.exe a variant of Win32/Induc.A virus deleted - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\ESQULildsxhsilqermawaorxuprldstlymenr.dll.vir Win32/TrojanClicker.Agent.NGF trojan cleaned by deleting - quarantined
C:\quarantine\Av-test.txt.Vir Eicar test file cleaned by deleting - quarantined



#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:01:04 AM

Posted 07 September 2009 - 05:14 PM

Good results there. There's an infected file which has been removed and ESET also deleted some quarantined files.

We can clear out your temp files and cookies and then we should be ready for the final instructions, unless there's any other issues you still have.

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

If you are using Firefox and this has caused page loading problems then please clear your private data. To do this go
to the Tools menu, select Clear Private Data, and then check Cache. Click Clear Private Data Now.

Then close Firefox and then reopen it.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users