rootkit rotscx* on win2k


5 replies to this topic

#1 b0kater1

  • Members
  • 3 posts

Posted 23 September 2009 - 10:25 PM

Hi, I'm hoping someone can help me trust my PC again.

I was recently dealing with a podmena infection that I think is gone, but I then noticed the rotscx* files and registry entries in procmon (saved the boot run of procmon, if needed).

It seems like MalwareBytes Anti-Malware actually broke the rootkit, although the registry entry(ies?) is still there.

I don't know enough about all this to be comfortable that my PC isn't still infected, and am skeptical of svchost.exe trying to access the internet. I cut its access via the firewall (the free ZoneAlarm) after all this started, and have been looking at the destination IPs a bit (not that they really told me anything).

Trying to clean up the PC also netted me a consistent svchost.exe error message:

svchost.exe has generated errors and will be closed by Windows.
You will need to restart the program.

An error log is being created.

I was never able to find these mythical error logs. Screenshot is available if needed.

Regarding the rootrepeal output, I did get the error "DeviceIoControl Error! Error code = 0x0" when running it. Don't know if it is significant or not. Screenshot captured for this as well.

dds.txt is below, and attach.txt and ark.txt are attached.

Thanks for any help you can provide,
b0kater

DDS (Ver_09-07-30.01) - NTFSx86
Run by Administrator at 22:22:37.35 on Tue 09/22/2009
Internet Explorer: 6.0.2800.1106 BrowserJavaVersion: 1.6.0_15
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.2047.1401 [GMT -4:00]


============== Running Processes ===============

F:\WINNT\system32\Ati2evxx.exe
F:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
F:\Program Files\Cobian Backup 9\cbService.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
F:\WINNT\system32\MSTask.exe
F:\WINNT\system32\stisvc.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
F:\WINNT\system32\Ati2evxx.exe
F:\WINNT\Explorer.EXE
F:\WINNT\system32\CTHELPER.EXE
F:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
F:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uLocal Page = c:\winnt\system32\blank.htm
uStart Page = hxxp://www.google.com/ig?hl=en
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: UberButton Class: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: YahooTaggedBM Class: {65d886a2-7ca7-479b-bb95-14d1efb7946a} - c:\program files\yahoo!\common\YIeTagBm.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.0.1121.2472\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {339BB23F-A864-48C0-A59F-29EA915965EC} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [WINDVDPatch] CTHELPER.EXE
mRun: [UpdReg] c:\winnt\UpdReg.EXE
mRun: [Jet Detection] c:\program files\creative\sbaudigy\program\ADGJDet.exe
mRun: [CTStartup] c:\program files\creative\splash screen\CTEaxSpl.EXE /run
mRun: [CTHelper] CTHELPER.EXE
mRun: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
mRun: [NeroCheck] c:\winnt\system32\NeroCheck.exe
mRun: [iPodWatcher] c:\program files\ipod\bin\iPodWatcher.exe
mRun: [POINTER] point32.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: f:\docume~1\admini~1\startm~1\programs\startup\bhodem~1.lnk - c:\program files\bhodemon 2\BHODemon.exe
StartupFolder: f:\docume~1\admini~1\startm~1\programs\startup\lbrpau~1.lnk - c:\documents and settings\administrator\application data\microsoft\installer\{b52243a6-c486-4a7b-842f-e861a76fbdef}\IconB52243A6.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear wg311v2 adapter\wlancfg5.exe
mPolicies-explorer: <NO NAME> =
IE: c:\progra~1\common~1\btlink\btlink.dll//iemenu
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Edit with &XML Spy - c:\program files\altova\xmlspy\spy.htm
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: aol.com\free
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {521D3212-021E-4212-B5DA-26B25A954DC2} - hxxps://live.lehman.com/GIS/Portal/SPT/CABs/VLLoadEdit.CAB
DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - hxxp://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37918.7455555556
DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
DPF: {CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_04-win.cab
DPF: {CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://mwmuk.webex.com/mwmuk/tool/systemcheck/ieatgpc.cab
DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - hxxp://download.redswoosh.net/Installer/104/rsinstaller.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - f:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\4azll94k.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en#min5
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\winnt\system32\macromed\flash\NPSWF32.dll
FF - plugin: f:\documents and settings\administrator\application data\mozilla\firefox\profiles\4azll94k.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Si3112r;Silicon Image SiI 3112 SATARaid Controller;f:\winnt\system32\drivers\Si3112r.sys [2003-7-21 85265]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;f:\winnt\system32\drivers\avgldx86.sys [2009-9-9 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;f:\winnt\system32\drivers\avgmfx86.sys [2009-9-9 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;f:\winnt\system32\drivers\avgtdix.sys [2009-9-9 108552]
R1 vsdatant;vsdatant;f:\winnt\system32\vsdatant.sys [2004-3-26 394952]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-9-9 297752]
R2 CobianBackupAmanita;Cobian Backup 9 service;f:\program files\cobian backup 9\cbService.exe [2009-9-21 583168]
R2 Iprip;Network Security;f:\winnt\system32\svchost.exe -k netsvcs [1999-12-7 7952]
R2 vsmon;TrueVector Internet Monitor;c:\winnt\system32\zonelabs\vsmon.exe -service --> c:\winnt\system32\zonelabs\vsmon.exe -service [?]
R3 usbhub20;USB 2.0 Root Hub Support;f:\winnt\system32\drivers\usbhub20.sys [2003-10-25 49776]
S3 DualPow;Thrustmaster FireStorm™ Dual Power 2;f:\winnt\system32\drivers\dualpow2.sys --> f:\winnt\system32\drivers\DualPow2.sys [?]
S3 ESSIDSET;ESSIDSET;c:\winnt\system32\ESSIDSET.SYS [2004-12-11 9376]
S3 getPlusHelper;getPlus® Helper;f:\winnt\system32\svchost.exe -k getPlusHelper [1999-12-7 7952]
S3 SaiH0460;SaiH0460;f:\winnt\system32\drivers\SaiH0460.sys [2005-11-3 176640]
S3 vdev;VPN-1 SecureClient Virtual Ethernet Adapter;f:\winnt\system32\drivers\vdev.sys [2004-4-5 16396]

============== File Associations ===============

chm.file="c:\winnt\hh.exe" %1

=============== Created Last 30 ================

2009-09-22 18:15 16,384 a------t f:\winnt\system32\Perflib_Perfdata_43c.dat
2009-09-22 18:08 16,384 a------t f:\winnt\system32\Perflib_Perfdata_284.dat
2009-09-21 16:40 <DIR> --d----- c:\program files\Cobian Backup 9
2009-09-21 16:31 30,768 -------- f:\winnt\system32\drivers\disk.sys
2009-09-18 11:07 16,384 -------t f:\winnt\system32\Perflib_Perfdata_a24.dat
2009-09-18 11:04 16,384 -------t f:\winnt\system32\Perflib_Perfdata_970.dat
2009-09-12 16:42 41,631 -------- f:\winnt\system32\certstore.dat
2009-09-12 11:36 <DIR> --d----- f:\docume~1\admini~1\applic~1\Malwarebytes
2009-09-12 11:36 38,224 -------- f:\winnt\system32\drivers\mbamswissarmy.sys
2009-09-12 11:36 <DIR> --d----- f:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-12 11:36 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-12 11:36 18,520 -------- f:\winnt\system32\drivers\mbam.sys
2009-09-09 14:54 <DIR> --d-h--- F:\$AVG8.VAULT$
2009-09-09 13:00 11,952 -------- f:\winnt\system32\avgrsstx.dll
2009-09-09 13:00 108,552 -------- f:\winnt\system32\drivers\avgtdix.sys
2009-09-09 13:00 335,240 -------- f:\winnt\system32\drivers\avgldx86.sys
2009-09-09 13:00 <DIR> --d----- f:\winnt\system32\drivers\Avg
2009-09-09 13:00 <DIR> a-d----- f:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-09-09 13:00 <DIR> a-d----- f:\docume~1\alluse~1\applic~1\avg8
2009-09-09 13:00 <DIR> --d----- c:\program files\AVG
2009-09-09 12:56 <DIR> --d----- f:\docume~1\admini~1\applic~1\AVG8
2009-09-09 09:03 431 -------- f:\winnt\wininit.ini
2009-09-08 21:23 320 -------- f:\winnt\system32\jlksf
2009-09-06 12:01 16,384 -------t f:\winnt\system32\Perflib_Perfdata_33c.dat
2009-09-01 11:53 <DIR> --d----- f:\docume~1\admini~1\applic~1\Splitscreen Studios
2009-09-01 11:48 <DIR> --d----- f:\docume~1\admini~1\applic~1\PirateGalaxy

==================== Find3M ====================

2009-08-15 09:36 16,384 -------t f:\winnt\system32\Perflib_Perfdata_2bc.dat
2009-08-05 01:04 90,164 -------- f:\winnt\system32\atl.dll
2009-07-31 08:13 16,384 -------t f:\winnt\system32\Perflib_Perfdata_320.dat
2009-07-27 07:27 165,136 -------- f:\winnt\system32\t2embed.dll
2009-07-27 07:27 81,168 -------- f:\winnt\system32\fontsub.dll
2009-07-25 05:23 411,368 -------- f:\winnt\system32\deploytk.dll
2009-07-13 09:13 78,608 -------- f:\winnt\system32\avifil32.dll
2009-07-13 02:18 233,472 -------- f:\winnt\system32\wmpdxm.dll
2009-07-10 12:49 601,088 -------- f:\winnt\system32\INETCOMM.DLL
2009-07-10 12:49 47,616 -------- f:\winnt\system32\INETRES.DLL
2009-07-10 12:49 229,376 -------- f:\winnt\system32\MSOEACCT.DLL
2009-07-10 12:49 91,136 -------- f:\winnt\system32\MSOERT2.DLL
2009-07-10 12:47 44,032 -------- f:\winnt\system32\MSIDENT.DLL
2009-06-26 11:53 576,512 -------- f:\winnt\system32\WININET.DLL
2004-07-02 13:19 40,960 -------- f:\winnt\inf\wg311v2\imdinst.exe
2004-06-18 00:35 424,825 -------- f:\winnt\inf\wg311v2\netwg311_2K.sys
2004-04-04 14:07 84,912 -------- f:\winnt\inf\wg311v2\FwRad17.bin
2004-04-04 14:07 83,320 -------- f:\winnt\inf\wg311v2\FwRad16.bin
2004-02-04 13:53 62,865 -------- f:\winnt\inf\wg311v2\odysseyIM3.sys
2004-02-04 13:53 12,739 -------- f:\winnt\inf\wg311v2\odNetInstall.dll
2003-10-25 18:51 21,952 ----h--- c:\program files\folder.htt
2003-10-25 18:51 271 ----h--- c:\program files\desktop.ini
1999-12-07 08:00 32,528 -------- f:\winnt\inf\wbfirdma.sys

============= FINISH: 22:23:33.14 ===============

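An added triage check for the concern raised in this post (example code written for this page; it is not part of the thread, nor of the DDS or OTL tools). A firewall alert on svchost.exe identifies only the host process, because svchost.exe loads services that are implemented as DLLs, so the useful questions are which services are registered to run inside it and whether the core Windows binaries are running from the expected system root. The script parses process and service lines in the formats DDS and OTL print; the sample input is a handful of lines copied from the DDS log above and from the OTL log later in this thread, the system root is the value the OTL header reports (%SystemRoot% = F:\WINNT), and the list of core binaries is an assumption of the example. On this input it flags C:\WINNT\System32\svchost.exe (OTL lists that process while the system root is F:\WINNT) and lists Iprip and getPlusHelper as svchost-hosted services. The page does not establish whether any of these is malicious, so a flag means "verify", not "infected".

```python
"""Triage helper for DDS/OTL process and service listings (added example).

Answers two questions a reviewer asks of logs like the ones in this thread:
  1. Is a binary that normally lives only under %SystemRoot% (svchost.exe,
     explorer.exe, ...) running from somewhere else?
  2. Which services run inside svchost.exe?  A firewall alert names only the
     host; the service DLLs it loads are what must be checked afterwards.
"""
import re

# Binaries expected only under %SystemRoot%.  This list is an assumption of the
# example, not something DDS or OTL provides.
CORE_BINARIES = {"svchost.exe", "explorer.exe", "lsass.exe", "services.exe",
                 "winlogon.exe", "csrss.exe", "spoolsv.exe"}

# OTL process lines: "PRC - <path> (<company>)".  DDS process lines are bare paths.
_OTL_PRC = re.compile(r"^PRC - (?P<path>.+?) \([^()]*\)\s*$")
# DDS service lines: "R2 Name;Display;<image> [date size]" or "... --> <image> [?]".
_DDS_SVC = re.compile(
    r"^[RS]\d (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)(?: \[[^\]]*\])?\s*$")

# Constructed sample: lines copied from the DDS (post #1) and OTL (post #3) logs.
SAMPLE_LINES = [
    r"F:\WINNT\system32\spoolsv.exe",                                   # DDS
    r"F:\WINNT\Explorer.EXE",                                           # DDS
    r"C:\WINNT\System32\CTsvcCDA.exe",                                  # DDS
    r"PRC - C:\WINNT\System32\svchost.exe (Microsoft Corporation)",     # OTL
    r"PRC - F:\WINNT\System32\MSTask.exe (Microsoft Corporation)",      # OTL
    r"R2 Iprip;Network Security;f:\winnt\system32\svchost.exe -k netsvcs [1999-12-7 7952]",
    r"R2 vsmon;TrueVector Internet Monitor;c:\winnt\system32\zonelabs\vsmon.exe -service"
    r" --> c:\winnt\system32\zonelabs\vsmon.exe -service [?]",
    r"S3 getPlusHelper;getPlus® Helper;f:\winnt\system32\svchost.exe -k getPlusHelper [1999-12-7 7952]",
]
SYSTEM_ROOT = r"F:\WINNT"  # value reported by the OTL header in post #3


def process_path(line):
    """Return the executable path from a DDS or OTL process line, else None."""
    line = line.strip()
    m = _OTL_PRC.match(line)
    if m:
        return m.group("path")
    if re.match(r"^[A-Za-z]:\\", line):   # DDS: a bare drive-letter path
        return line
    return None


def misplaced_core_binaries(lines, system_root):
    """Core Windows binaries that are running from outside the system root."""
    root = system_root.lower().rstrip("\\") + "\\"
    hits = []
    for line in lines:
        path = process_path(line)
        if not path:
            continue
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        if name in CORE_BINARIES and not low.startswith(root):
            hits.append(path)
    return hits


def svchost_hosted_services(lines):
    """(service, display name, -k group) for DDS services whose image is svchost.exe."""
    found = []
    for line in lines:
        m = _DDS_SVC.match(line.strip())
        if not m:
            continue
        image = m.group("image").split(" --> ")[0]   # keep the first form of the path
        if "\\svchost.exe" in image.lower():
            grp = re.search(r"-k\s+(\S+)", image)
            found.append((m.group("name"), m.group("display"), grp.group(1) if grp else ""))
    return found


def triage(lines, system_root):
    """Both checks in one report, as a dict."""
    return {"misplaced": misplaced_core_binaries(lines, system_root),
            "svchost_services": svchost_hosted_services(lines)}


if __name__ == "__main__":
    report = triage(SAMPLE_LINES, SYSTEM_ROOT)
    for p in report["misplaced"]:
        print("core binary outside %s: %s" % (SYSTEM_ROOT, p))
    for name, display, group in report["svchost_services"]:
        print("svchost-hosted service: %s (%s) group=%s" % (name, display, group))
```

The svchost-hosted services this reports are only a starting list: DDS prints the host image path, so the DLL each service actually loads has to be checked on the machine itself (the service's ServiceDll value under its registry key, and whether that file is where it claims to be), which is exactly the information these posted logs do not contain.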
#2 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 10 October 2009 - 10:33 AM

Hello b0kater1

Welcome to BleepingComputer.
=====================
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
===========
Download This file. Note its name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#3 b0kater1

  • Topic Starter
  • Members
  • 3 posts

Posted 12 October 2009 - 09:22 PM

Hi kahdah,

Thanks for your help.

Below is the contents of the OTL.Txt

OTL logfile created on: 10/10/2009 23:07:02 - Run 1
OTL by OldTimer - Version 3.0.19.0 Folder = F:\Documents and Settings\Administrator\Desktop
Windows 2000 Professional Edition Service Pack 4 (Version = 5.0.2195) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.33 Gb Available Physical Memory | 66.76% Memory free
3.85 Gb Paging File | 3.32 Gb Available in Paging File | 86.38% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = F: | %SystemRoot% = F:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 50.35 Gb Free Space | 67.58% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 19.39 Gb Total Space | 5.94 Gb Free Space | 30.62% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: WARCHILD
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Program Files\ATI Technologies\ATI.ACE\cli.exe (ATI Technologies Inc.)
PRC - C:\Program Files\AVG\AVG8\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Microsoft Hardware\Mouse\point32.exe (Microsoft Corporation)
PRC - C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe ()
PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Zone Labs, LLC)
PRC - C:\WINNT\System32\CTsvcCDA.exe (Creative Technology Ltd)
PRC - C:\WINNT\System32\MsPMSPSv.exe (Microsoft Corporation)
PRC - C:\WINNT\System32\svchost.exe (Microsoft Corporation)
PRC - C:\WINNT\system32\ZoneLabs\vsmon.exe (Zone Labs, LLC)
PRC - F:\Documents and Settings\Administrator\Desktop\OTL.exe (OldTimer Tools)
PRC - F:\Program Files\Cobian Backup 9\cbService.exe (Luis Cobian)
PRC - F:\WINNT\Explorer.EXE (Microsoft Corporation)
PRC - F:\WINNT\System32\Ati2evxx.exe (ATI Technologies Inc.)
PRC - F:\WINNT\System32\CTHELPER.EXE (Creative Technology Ltd)
PRC - F:\WINNT\System32\MSTask.exe (Microsoft Corporation)
PRC - F:\WINNT\System32\stisvc.exe (Microsoft Corporation)
PRC - F:\WINNT\System32\WBEM\WinMgmt.exe (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (Ati HotKey Poller [Auto | Running]) -- F:\WINNT\System32\Ati2evxx.exe (ATI Technologies Inc.)
SRV - (ATI Smart [Auto | Stopped]) -- C:\WINNT\system32\ati2sgag.exe ()
SRV - (avg8wd [Auto | Running]) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (cisvc [On_Demand | Stopped]) -- C:\WINNT\System32\cisvc.exe (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINNT\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (CobianBackupAmanita [Auto | Running]) -- F:\Program Files\Cobian Backup 9\cbService.exe (Luis Cobian)
SRV - (Creative Service for CDROM Access [Auto | Running]) -- C:\WINNT\System32\CTsvcCDA.exe (Creative Technology Ltd)
SRV - (dmadmin [On_Demand | Stopped]) -- F:\WINNT\System32\dmadmin.exe (VERITAS Software Corp.)
SRV - (EventSystem [On_Demand | Running]) -- C:\WINNT\System32\es.dll (Microsoft Corporation)
SRV - (Fax [On_Demand | Stopped]) -- F:\WINNT\System32\faxsvc.exe (Microsoft Corporation)
SRV - (getPlusHelper [On_Demand | Stopped]) -- C:\Program Files\NOS\bin\getPlus_Helper.dll (NOS Microsystems Ltd.)
SRV - (gusvc [On_Demand | Stopped]) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)
SRV - (IDriverT [On_Demand | Stopped]) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (Irmon [Disabled | Stopped]) -- F:\WINNT\System32\irmon.dll (Microsoft Corporation)
SRV - (JavaQuickStarterService [Auto | Running]) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (mnmsrvc [On_Demand | Stopped]) -- C:\WINNT\System32\mnmsrvc.exe (Microsoft Corporation)
SRV - (MSDTC [On_Demand | Stopped]) -- C:\WINNT\System32\msdtc.exe (Microsoft Corporation)
SRV - (MSIServer [On_Demand | Stopped]) -- C:\WINNT\system32\msiexec.exe (Microsoft Corporation)
SRV - (RemoteRegistry [Disabled | Stopped]) -- F:\WINNT\System32\regsvc.exe (Microsoft Corporation)
SRV - (Schedule [Auto | Running]) -- F:\WINNT\System32\MSTask.exe (Microsoft Corporation)
SRV - (StiSvc [Auto | Running]) -- F:\WINNT\System32\stisvc.exe (Microsoft Corporation)
SRV - (UtilMan [On_Demand | Stopped]) -- F:\WINNT\System32\UtilMan.exe (Microsoft Corporation)
SRV - (vsmon [Auto | Running]) -- C:\WINNT\system32\ZoneLabs\vsmon.exe (Zone Labs, LLC)
SRV - (WinMgmt [Auto | Running]) -- F:\WINNT\System32\WBEM\WinMgmt.exe (Microsoft Corporation)
SRV - (WMDM PMSP Service [Auto | Running]) -- C:\WINNT\System32\MsPMSPSv.exe (Microsoft Corporation)
SRV - (WmdmPmSN [On_Demand | Stopped]) -- C:\WINNT\system32\mspmsnsv.dll (Microsoft Corporation)
SRV - (wuauserv [Auto | Running]) -- C:\WINNT\system32\wuauserv.dll (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (ati2mtag [On_Demand | Running]) -- F:\WINNT\System32\DRIVERS\ati2mtag.sys (ATI Technologies Inc.)
DRV - (AvgLdx86 [System | Running]) -- F:\WINNT\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgMfx86 [System | Running]) -- F:\WINNT\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgTdiX [System | Running]) -- F:\WINNT\System32\Drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (Cdr4_2K [System | Running]) -- F:\WINNT\System32\drivers\cdr4_2K.sys (Sonic Solutions)
DRV - (Cdralw2k [System | Running]) -- F:\WINNT\System32\drivers\cdralw2k.sys (Sonic Solutions)
DRV - (ctac32k [On_Demand | Running]) -- F:\WINNT\System32\drivers\ctac32k.sys (Creative Technology Ltd)
DRV - (ctaud2k [On_Demand | Running]) -- F:\WINNT\System32\drivers\ctaud2k.sys (Creative Technology Ltd)
DRV - (ctdvda2k [On_Demand | Stopped]) -- F:\WINNT\System32\drivers\ctdvda2k.sys (Creative Technology Ltd)
DRV - (ctprxy2k [On_Demand | Running]) -- F:\WINNT\System32\drivers\ctprxy2k.sys (Creative Technology Ltd)
DRV - (ctsfm2k [On_Demand | Running]) -- F:\WINNT\System32\drivers\ctsfm2k.sys (Creative Technology Ltd)
DRV - (Diskperf [Boot | Running]) -- F:\WINNT\System32\drivers\diskperf.sys (Microsoft Corporation)
DRV - (dmboot [Disabled | Stopped]) -- F:\WINNT\System32\drivers\dmboot.sys (VERITAS Software Corp.)
DRV - (dmio [Boot | Running]) -- F:\WINNT\System32\drivers\dmio.sys (VERITAS Software Corp.)
DRV - (dmload [Boot | Running]) -- F:\WINNT\System32\drivers\dmload.sys (VERITAS Software Corp.)
DRV - (E1000 [On_Demand | Running]) -- F:\WINNT\System32\DRIVERS\e1000nt5.sys (Intel Corporation)
DRV - (EFS [Disabled | Running]) -- F:\WINNT\System32\drivers\efs.sys (Microsoft Corporation)
DRV - (emupia [On_Demand | Running]) -- F:\WINNT\System32\drivers\emupia2k.sys (Creative Technology Ltd)
DRV - (ENTECH [On_Demand | Stopped]) -- C:\WINNT\system32\DRIVERS\ENTECH.SYS (EnTech Taiwan)
DRV - (ESSIDSET [On_Demand | Stopped]) -- C:\WINNT\system32\ESSIDSET.SYS (MELCO INC.)
DRV - (gameenum [On_Demand | Running]) -- F:\WINNT\System32\DRIVERS\gameenum.sys (Microsoft Corporation)
DRV - (ha10kx2k [On_Demand | Running]) -- F:\WINNT\System32\drivers\ha10kx2k.sys (Creative Technology Ltd)
DRV - (hap16v2k [On_Demand | Stopped]) -- F:\WINNT\System32\drivers\hap16v2k.sys (Creative Technology Ltd)
DRV - (IPFilter [On_Demand | Running]) -- F:\WINNT\System32\DRIVERS\IPFilter.sys (Microsoft Corporation)
DRV - (irsir [On_Demand | Running]) -- F:\WINNT\System32\DRIVERS\irsir.sys (Microsoft Corporation)
DRV - (lhidflt2 [On_Demand | Stopped]) -- F:\WINNT\System32\DRIVERS\lhidflt2.sys (Logitech)
DRV - (lkbdflt2 [On_Demand | Running]) -- F:\WINNT\System32\DRIVERS\lkbdflt2.sys (Logitech)
DRV - (lmouflt2 [On_Demand | Running]) -- F:\WINNT\System32\DRIVERS\lmouflt2.sys (Logitech)
DRV - (MPE [On_Demand | Stopped]) -- F:\WINNT\System32\DRIVERS\MPE.sys (Microsoft Corporation)
DRV - (MxlW2k [On_Demand | Running]) -- F:\WINNT\System32\drivers\MxlW2k.sys (MusicMatch, Inc.)
DRV - (Nbf [Auto | Running]) -- F:\WINNT\System32\DRIVERS\nbf.sys (Microsoft Corporation)
DRV - (NetDetect [On_Demand | Stopped]) -- F:\WINNT\system32\drivers\netdtect.sys (Microsoft Corporation)
DRV - (netwg311 [On_Demand | Stopped]) -- F:\WINNT\System32\DRIVERS\netwg311.sys (Texas Instruments)
DRV - (NPPTNT2 [System | Running]) -- C:\WINNT\system32\npptNT2.sys (INCA Internet Co., Ltd.)
DRV - (NwlnkIpx [Auto | Running]) -- F:\WINNT\System32\DRIVERS\nwlnkipx.sys (Microsoft Corporation)
DRV - (NwlnkNb [Auto | Running]) -- F:\WINNT\System32\DRIVERS\nwlnknb.sys (Microsoft Corporation)
DRV - (NwlnkSpx [Auto | Running]) -- F:\WINNT\System32\DRIVERS\nwlnkspx.sys (Microsoft Corporation)
DRV - (odysseyIM3 [On_Demand | Running]) -- F:\WINNT\System32\DRIVERS\odysseyIM3.sys (Funk Software, Inc.)
DRV - (ossrv [On_Demand | Running]) -- F:\WINNT\System32\drivers\ctoss2k.sys (Creative Technology Ltd.)
DRV - (P1131VID [On_Demand | Stopped]) -- F:\WINNT\System32\DRIVERS\P1131Vid.sys (Creative Technology Ltd.)
DRV - (PalmUSBD [On_Demand | Stopped]) -- F:\WINNT\System32\drivers\PalmUSBD.sys (Palm, Inc.)
DRV - (Parallel [On_Demand | Running]) -- F:\WINNT\System32\DRIVERS\parallel.sys (Microsoft Corporation)
DRV - (PfModNT [Auto | Running]) -- C:\WINNT\System32\PfModNT.sys (Creative Technology Ltd.)
DRV - (PQNTDrv [System | Running]) -- F:\WINNT\System32\drivers\PQNTDRV.sys ()
DRV - (Ptilink [On_Demand | Running]) -- F:\WINNT\System32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (PxHelp20 [Boot | Running]) -- F:\WINNT\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (RCA [On_Demand | Stopped]) -- F:\WINNT\System32\drivers\RCA.sys (Microsoft Corporation)
DRV - (SaiH0460 [On_Demand | Stopped]) -- F:\WINNT\System32\DRIVERS\SaiH0460.sys (Saitek)
DRV - (SecDrv [Auto | Running]) -- C:\WINNT\system32\drivers\SECDRV.SYS (Macrovision Europe Ltd)
DRV - (Si3112r [Boot | Running]) -- F:\WINNT\system32\DRIVERS\si3112r.sys (Silicon Image, Inc)
DRV - (srescan [Boot | Running]) -- F:\WINNT\system32\ZoneLabs\srescan.sys (Zone Labs, LLC)
DRV - (uhcd [On_Demand | Running]) -- F:\WINNT\System32\DRIVERS\uhcd.sys (Microsoft Corporation)
DRV - (usbhub20 [On_Demand | Running]) -- F:\WINNT\System32\DRIVERS\usbhub20.sys (Microsoft Corporation)
DRV - (vdev [On_Demand | Stopped]) -- F:\WINNT\System32\DRIVERS\vdev.sys (Check Point Software Technologies Ltd.)
DRV - (vsdatant [System | Running]) -- F:\WINNT\System32\vsdatant.sys (Zone Labs, LLC)

========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig?hl=en
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found
IE - HKCU\..\URLSearchHook: *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
FF - prefs.js..browser.search.selectedEngine: "Yahoo! Search"
FF - prefs.js..browser.startup.homepage: "http://www.google.com/ig?hl=en#min5"
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1
FF - prefs.js..extensions.enabledItems: 6
FF - prefs.js..extensions.enabledItems: 2
FF - prefs.js..extensions.enabledItems: 44
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:8.5
FF - prefs.js..extensions.enabledItems: avg@igeared:2.609.002.003
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}:6.0.11
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}:6.0.15
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:1.9.9.07
FF - prefs.js..extensions.enabledItems: personas@christopher.beard:1.3
FF - prefs.js..extensions.enabledItems: {B13721C7-F507-4982-B2E5-502A71474FED}:2.2.0.102
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.14

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/02/08 19:30:04 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG8\Firefox [2009/09/09 13:00:05 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\avg@igeared: C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared [2009/10/06 21:53:36 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.14\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/09/11 00:47:56 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.14\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/09/12 23:04:02 | 00,000,000 | ---D | M]

[2009/01/29 21:33:23 | 00,000,000 | ---D | M] -- F:\Documents and Settings\Administrator\Application Data\mozilla\Extensions
[2009/01/29 21:33:23 | 00,000,000 | ---D | M] -- F:\Documents and Settings\Administrator\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/10/10 12:00:51 | 00,000,000 | ---D | M] -- F:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\4azll94k.default\extensions
[2009/10/05 23:14:07 | 00,000,000 | ---D | M] -- F:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\4azll94k.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2009/09/12 23:03:49 | 00,000,000 | ---D | M] -- F:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\4azll94k.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2009/10/06 00:12:59 | 00,000,000 | ---D | M] -- F:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\4azll94k.default\extensions\foxfilter@inspiredeffect.net
[2009/10/04 20:47:45 | 00,000,000 | ---D | M] -- F:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\4azll94k.default\extensions\personas@christopher.beard
[2009/10/10 23:02:51 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/08/03 23:16:33 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/02/08 18:11:29 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
[2009/02/08 19:30:26 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
[2009/09/09 12:49:44 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
[2009/09/11 00:47:51 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/09/11 00:47:51 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/07/25 05:23:01 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll
[2009/09/11 00:47:52 | 00,065,528 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2009/02/23 23:15:19 | 00,106,496 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2009/02/23 23:15:19 | 00,106,496 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2009/02/23 23:15:19 | 00,106,496 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2009/02/23 23:15:19 | 00,106,496 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2009/02/23 23:15:19 | 00,106,496 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2009/02/23 23:15:19 | 00,106,496 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2009/02/23 23:15:19 | 00,106,496 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2009/09/03 11:53:00 | 00,030,912 | ---- | M] (NOS Microsystems Ltd.) -- C:\Program Files\mozilla firefox\plugins\np_gp.dll
[2008/12/02 04:04:40 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2008/12/02 04:04:40 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/09/09 13:07:56 | 00,001,489 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\avg_igeared.xml
[2008/12/02 04:04:40 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2008/12/02 04:04:40 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2008/12/02 04:04:40 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2008/12/02 04:04:40 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml

O1 HOSTS File: (732 bytes) - F:\WINNT\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (UberButton Class) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (YahooTaggedBM Class) - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll (Yahoo! Inc.)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll File not found
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (&Radio) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx ()
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - F:\WINNT\System32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - F:\WINNT\System32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - F:\WINNT\System32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [AsioReg] F:\WINNT\System32\CTASIO.DLL (Creative Technology Ltd)
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\cli.exe (ATI Technologies Inc.)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [CTHelper] F:\WINNT\System32\CTHELPER.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE (Creative Technology Ltd.)
O4 - HKLM..\Run: [iPodWatcher] C:\Program Files\iPod\Bin\iPodWatcher.exe File not found
O4 - HKLM..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe ()
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [POINTER] File not found
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Synchronization Manager] F:\WINNT\System32\mobsync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [UpdReg] C:\WINNT\UpdReg.EXE (Creative Technology Ltd.)
O4 - HKLM..\Run: [WINDVDPatch] F:\WINNT\System32\CTHELPER.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Zone Labs, LLC)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKCU..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe (Adobe Systems Incorporated)
O4 - HKCU..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - Startup: F:\Documents and Settings\Administrator\Start Menu\Programs\Startup\BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe (Definitive Solutions, Inc.)
O4 - Startup: F:\Documents and Settings\Administrator\Start Menu\Programs\Startup\LBRP Auto-Select Default.lnk = C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{B52243A6-C486-4A7B-842F-E861A76FBDEF}\IconB52243A6.exe ()
O4 - Startup: F:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: F:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = _ [binary data]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O8 - Extra context menu item: &Yahoo! Search - C:\Program Files\Yahoo!\Common [2008/04/21 22:25:19 | 00,000,000 | ---D | M]
O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\xmlspy\spy.htm ()
O8 - Extra context menu item: Yahoo! &Dictionary - C:\Program Files\Yahoo!\Common [2008/04/21 22:25:19 | 00,000,000 | ---D | M]
O8 - Extra context menu item: Yahoo! &Maps - C:\Program Files\Yahoo!\Common [2008/04/21 22:25:19 | 00,000,000 | ---D | M]
O8 - Extra context menu item: Yahoo! &SMS - C:\Program Files\Yahoo!\Common [2008/04/21 22:25:19 | 00,000,000 | ---D | M]
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: @shdoclc.dll,-866 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINNT\web\related.htm ()
O9 - Extra 'Tools' menuitem : @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINNT\web\related.htm ()
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - F:\WINNT\System32\rnr20.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - F:\WINNT\System32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - F:\WINNT\System32\nwprovau.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - F:\WINNT\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - F:\WINNT\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000028 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000029 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000030 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000031 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000032 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000033 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000034 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000035 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000036 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000037 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000038 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000039 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000040 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000041 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000042 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000043 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000044 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000045 - F:\WINNT\System32\msafd.dll (Microsoft Corporation)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O15 - HKLM\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: aol.com ([free] http in Trusted sites)
O15 - HKCU\..Trusted Domains: 59 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab (QuickTime Object)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {41564D57-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/0/A...01F/wmvadvd.cab (Reg Error: Key error.)
O16 - DPF: {521D3212-021E-4212-B5DA-26B25A954DC2} https://live.lehman.com/GIS/Portal/SPT/CABs/VLLoadEdit.CAB (Reg Error: Key error.)
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/...7918.7455555556 (Reg Error: Key error.)
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll (YahooYMailTo Class)
O16 - DPF: {CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.3.1/...-131_04-win.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://mwmuk.webex.com/mwmuk/tool/systemcheck/ieatgpc.cab (GpcContainer Class)
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} http://download.redswoosh.net/Installer/104/rsinstaller.cab (Reg Error: Key error.)
O16 - DPF: DirectAnimation Java Classes file://C:\WINNT\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINNT\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 167.206.245.129 167.206.245.130
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - F:\WINNT\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINNT\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINNT\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINNT\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINNT\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINNT\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINNT\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINNT\System32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - F:\WINNT\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINNT\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - F:\WINNT\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - F:\WINNT\System32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINNT\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINNT\System32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\relatedlinks {CD8D1CAA-FE4A-45DF-A06C-028AAF1821DE} - Reg Error: Key error. File not found
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - F:\WINNT\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - F:\WINNT\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - F:\WINNT\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\vnd.ms.radio {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINNT\System32\msdxm.ocx ()
O18 - Protocol\Filter: - application/octet-stream - No CLSID value found
O18 - Protocol\Filter: - application/x-complus - No CLSID value found
O18 - Protocol\Filter: - application/x-msdownload - No CLSID value found
O18 - Protocol\Filter: - Class Install Handler - No CLSID value found
O18 - Protocol\Filter: - deflate - No CLSID value found
O18 - Protocol\Filter: - gzip - No CLSID value found
O18 - Protocol\Filter: - lzdhtml - No CLSID value found
O18 - Protocol\Filter: - text/webviewhtml - No CLSID value found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - F:\WINNT\Explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (F:\WINNT\system32\userinit.exe) - F:\WINNT\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - F:\WINNT\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - F:\WINNT\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - F:\WINNT\System32\Ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - F:\WINNT\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - F:\WINNT\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - F:\WINNT\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - F:\WINNT\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - F:\WINNT\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - F:\WINNT\System32\WlNotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wzcnotif: DllName - wzcdlg.dll - F:\WINNT\System32\wzcdlg.dll (Microsoft Corporation)
O21 - SSODL: Network.ConnectionTray - {7007ACCF-3202-11D1-AAD2-00805FC1270E} - C:\WINNT\system32\NETSHELL.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - F:\WINNT\System32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - F:\WINNT\System32\webcheck.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - F:\WINNT\System32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - F:\WINNT\System32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O27 - HKLM IFEO\Your Image File Name Here without a path: Debugger - F:\WINNT\System32\ntsd.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - F:\WINNT\System32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - F:\WINNT\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - F:\WINNT\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - F:\WINNT\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - F:\WINNT\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - F:\WINNT\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - F:\WINNT\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - F:\WINNT\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - F:\WINNT\System32\schannel.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/10/25 18:52:32 | 00,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2003/10/25 18:52:32 | 00,000,000 | -H-- | M] () - F:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - F:\WINNT\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/09/12 11:36:14 | 00,000,000 | ---D | C] -- F:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/09/12 23:03:56 | 00,000,000 | ---D | C] -- F:\Documents and Settings\All Users\Application Data\NOS
[2009/09/12 11:36:19 | 00,000,000 | ---D | C] -- F:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2009/09/21 16:40:15 | 00,000,000 | ---D | C] -- C:\Program Files\Cobian Backup 9
[2009/09/12 11:36:14 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/09/12 23:03:56 | 00,000,000 | ---D | C] -- C:\Program Files\NOS
[2009/10/10 23:02:20 | 00,520,192 | ---- | C] (OldTimer Tools) -- F:\Documents and Settings\Administrator\Desktop\OTL.exe
[2009/09/21 16:31:19 | 00,030,768 | ---- | C] (Microsoft Corporation) -- F:\WINNT\System32\drivers\disk.sys
[2009/09/21 16:31:12 | 00,021,552 | ---- | C] (Microsoft Corporation) -- F:\WINNT\System32\drivers\USBSTOR.SYS
[2009/09/21 15:36:54 | 00,472,064 | ---- | C] ( ) -- F:\Documents and Settings\Administrator\Desktop\RootRepeal.exe
[2009/09/12 12:14:09 | 00,812,344 | ---- | C] (Trend Micro Inc.) -- F:\Documents and Settings\Administrator\Desktop\HJTInstall.exe
[2009/09/12 11:36:15 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- F:\WINNT\System32\drivers\mbamswissarmy.sys
[2009/09/12 11:36:14 | 00,018,520 | ---- | C] (Malwarebytes Corporation) -- F:\WINNT\System32\drivers\mbam.sys
[2005/12/02 09:18:20 | 00,049,152 | ---- | C] ( ) -- F:\WINNT\System32\a3d.dll

========== Files - Modified Within 30 Days ==========

[6 F:\WINNT\System32\*.tmp files]
[3 F:\WINNT\*.tmp files]
[2009/10/10 23:02:21 | 00,520,192 | ---- | M] (OldTimer Tools) -- F:\Documents and Settings\Administrator\Desktop\OTL.exe
[2009/10/10 17:18:24 | 04,072,118 | ---- | M] () -- F:\WINNT\{00000003-00000000-00000006-00001102-00000004-00511102}.CDF
[2009/10/10 17:18:24 | 04,072,118 | ---- | M] () -- F:\WINNT\{00000003-00000000-00000006-00001102-00000004-00511102}.BAK
[2009/10/10 08:20:12 | 00,352,921 | -H-- | M] () -- F:\WINNT\System32\vsconfig.xml
[2009/10/10 08:19:04 | 00,016,384 | ---- | M] () -- F:\WINNT\System32\Perflib_Perfdata_448.dat
[2009/10/10 08:18:22 | 00,002,222 | ---- | M] () -- F:\Documents and Settings\Administrator\Start Menu\Programs\Startup\LBRP Auto-Select Default.lnk
[2009/10/10 08:07:40 | 42,619,516 | ---- | M] () -- F:\WINNT\System32\drivers\Avg\incavi.avm
[2009/10/10 08:07:40 | 00,023,211 | ---- | M] () -- F:\WINNT\System32\drivers\Avg\microavi.avg
[2009/10/10 08:05:41 | 00,000,006 | -H-- | M] () -- F:\WINNT\tasks\SA.DAT
[2009/10/10 08:05:39 | 00,016,384 | ---- | M] () -- F:\WINNT\System32\Perflib_Perfdata_28c.dat
[2009/10/09 06:51:28 | 00,023,412 | ---- | M] () -- F:\WINNT\System32\BMXCtrlState-{00000003-00000000-00000006-00001102-00000004-00511102}.rfx
[2009/10/09 06:51:28 | 00,023,412 | ---- | M] () -- F:\WINNT\System32\BMXBkpCtrlState-{00000003-00000000-00000006-00001102-00000004-00511102}.rfx
[2009/10/09 06:51:28 | 00,018,672 | ---- | M] () -- F:\WINNT\System32\BMXStateBkp-{00000003-00000000-00000006-00001102-00000004-00511102}.rfx
[2009/10/09 06:51:28 | 00,018,672 | ---- | M] () -- F:\WINNT\System32\BMXState-{00000003-00000000-00000006-00001102-00000004-00511102}.rfx
[2009/10/09 06:51:28 | 00,001,080 | ---- | M] () -- F:\WINNT\System32\settingsbkup.sfm
[2009/10/09 06:51:28 | 00,001,080 | ---- | M] () -- F:\WINNT\System32\settings.sfm
[2009/10/09 06:51:28 | 00,000,024 | ---- | M] () -- F:\WINNT\System32\DVCStateBkp-{00000003-00000000-00000006-00001102-00000004-00511102}.dat
[2009/10/09 06:51:28 | 00,000,024 | ---- | M] () -- F:\WINNT\System32\DVCState-{00000003-00000000-00000006-00001102-00000004-00511102}.dat
[2009/10/07 01:07:27 | 01,114,302 | -H-- | M] () -- F:\WINNT\ShellIconCache
[2009/09/30 17:29:42 | 00,492,629 | ---- | M] () -- F:\WINNT\System32\drivers\Avg\miniavi.avg
[2009/09/23 22:53:18 | 00,032,494 | ---- | M] () -- F:\Documents and Settings\Administrator\Desktop\rootrepeal error.bmp
[2009/09/22 23:21:35 | 00,012,305 | ---- | M] () -- F:\Documents and Settings\Administrator\Desktop\root.zip
[2009/09/22 23:20:49 | 00,054,454 | ---- | M] () -- F:\Documents and Settings\Administrator\Desktop\svchost.bmp
[2009/09/22 22:26:18 | 00,000,000 | ---- | M] () -- F:\Documents and Settings\Administrator\Desktop\settings.dat
[2009/09/21 15:37:54 | 00,359,932 | ---- | M] () -- F:\Documents and Settings\Administrator\Desktop\dds.scr
[2009/09/21 15:36:25 | 00,472,064 | ---- | M] ( ) -- F:\Documents and Settings\Administrator\Desktop\RootRepeal.exe
[2009/09/18 11:07:01 | 00,016,384 | ---- | M] () -- F:\WINNT\System32\Perflib_Perfdata_a24.dat
[2009/09/18 11:04:42 | 00,016,384 | ---- | M] () -- F:\WINNT\System32\Perflib_Perfdata_970.dat
[2009/09/13 22:32:12 | 00,000,453 | ---- | M] () -- F:\Documents and Settings\Administrator\Desktop\My Documents.lnk
[2009/09/12 23:04:13 | 00,000,518 | ---- | M] () -- F:\Documents and Settings\All Users\Desktop\Resume Adobe Downloads.lnk
[2009/09/12 12:14:06 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- F:\Documents and Settings\Administrator\Desktop\HJTInstall.exe
[2009/09/11 23:13:10 | 01,615,429 | R--- | M] () -- F:\Documents and Settings\Administrator\Desktop\new_drive_config.zip

========== Files - No Company Name ==========
[2009/10/10 08:19:04 | 00,016,384 | ---- | C] () -- F:\WINNT\System32\Perflib_Perfdata_448.dat
[2009/10/10 08:05:38 | 00,016,384 | ---- | C] () -- F:\WINNT\System32\Perflib_Perfdata_28c.dat
[2009/09/23 22:53:15 | 00,032,494 | ---- | C] () -- F:\Documents and Settings\Administrator\Desktop\rootrepeal error.bmp
[2009/09/22 23:20:47 | 00,054,454 | ---- | C] () -- F:\Documents and Settings\Administrator\Desktop\svchost.bmp
[2009/09/22 23:05:56 | 00,012,305 | ---- | C] () -- F:\Documents and Settings\Administrator\Desktop\root.zip
[2009/09/22 22:26:18 | 00,000,000 | ---- | C] () -- F:\Documents and Settings\Administrator\Desktop\settings.dat
[2009/09/21 15:38:05 | 00,359,932 | ---- | C] () -- F:\Documents and Settings\Administrator\Desktop\dds.scr
[2009/09/18 11:07:01 | 00,016,384 | ---- | C] () -- F:\WINNT\System32\Perflib_Perfdata_a24.dat
[2009/09/18 11:04:42 | 00,016,384 | ---- | C] () -- F:\WINNT\System32\Perflib_Perfdata_970.dat
[2009/09/12 23:04:13 | 00,000,518 | ---- | C] () -- F:\Documents and Settings\All Users\Desktop\Resume Adobe Downloads.lnk
[2009/09/11 23:11:09 | 01,615,429 | R--- | C] () -- F:\Documents and Settings\Administrator\Desktop\new_drive_config.zip
[2009/09/09 09:03:23 | 00,000,431 | ---- | C] () -- F:\WINNT\wininit.ini
[2009/06/15 22:09:18 | 00,051,304 | ---- | C] () -- F:\WINNT\System32\drivers\atnt40k.sys
[2009/06/07 18:53:22 | 00,247,560 | ---- | C] () -- F:\WINNT\System32\prgiso.dll
[2009/06/07 18:53:20 | 04,244,744 | ---- | C] () -- F:\WINNT\System32\qtp-mt334.dll
[2009/06/07 18:53:20 | 00,013,576 | ---- | C] () -- F:\WINNT\System32\wnaspi32.dll
[2009/02/16 23:00:46 | 00,000,102 | ---- | C] () -- F:\WINNT\VSWizard.ini
[2008/09/01 21:21:18 | 00,001,010 | ---- | C] () -- F:\WINNT\ATICIM.INI
[2007/08/17 21:39:04 | 00,796,312 | ---- | C] () -- F:\WINNT\System32\libeay32_0.9.6l.dll
[2006/06/18 00:57:19 | 00,043,520 | ---- | C] () -- F:\WINNT\System32\CmdLineExt03.dll
[2005/12/02 09:18:14 | 00,000,166 | ---- | C] () -- F:\WINNT\System32\KILL.INI
[2005/04/02 23:29:01 | 00,000,048 | ---- | C] () -- F:\WINNT\PerWin.ini
[2004/11/09 12:06:27 | 00,000,000 | ---- | C] () -- F:\WINNT\QuickInstall.INI
[2004/10/31 15:04:25 | 00,354,816 | ---- | C] () -- F:\WINNT\System32\psisdecd.dll
[2004/10/13 16:06:05 | 00,000,011 | ---- | C] () -- F:\WINNT\OSA.INI
[2004/10/12 21:30:21 | 00,018,048 | ---- | C] () -- F:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2004/09/25 11:20:22 | 00,000,385 | ---- | C] () -- F:\WINNT\NJCOM.INI
[2004/09/12 17:43:59 | 00,000,236 | ---- | C] () -- F:\WINNT\hegames.ini
[2004/09/01 11:49:17 | 03,375,104 | ---- | C] () -- F:\WINNT\System32\qt-mt331.dll
[2004/05/11 23:22:54 | 00,000,044 | ---- | C] () -- F:\WINNT\webica.ini
[2004/04/25 21:29:25 | 00,001,831 | ---- | C] () -- F:\WINNT\cdPlayer.ini
[2004/04/08 17:05:36 | 00,000,153 | ---- | C] () -- F:\WINNT\mercury.ini
[2004/04/05 18:55:49 | 00,004,133 | ---- | C] () -- F:\WINNT\entrust.ini
[2004/03/28 22:27:49 | 00,126,976 | ---- | C] () -- F:\WINNT\System32\sspnt2kxp.dll
[2003/12/19 18:00:41 | 00,012,288 | ---- | C] () -- F:\WINNT\System32\iPodSrv_es.dll
[2003/11/11 19:11:50 | 00,000,632 | ---- | C] () -- F:\WINNT\CoD.INI
[2003/10/26 14:54:47 | 00,001,065 | ---- | C] () -- F:\WINNT\winamp.ini
[2003/10/26 00:31:03 | 00,003,972 | ---- | C] () -- F:\WINNT\System32\drivers\PciBus.sys
[2003/10/25 21:57:00 | 00,003,252 | ---- | C] () -- F:\WINNT\System32\drivers\PQNTDRV.sys
[2003/10/25 21:40:08 | 00,000,985 | ---- | C] () -- F:\WINNT\ODBC.INI
[2003/10/25 20:45:54 | 00,005,515 | ---- | C] () -- F:\WINNT\System32\ENSDEF.INI
[2003/10/25 20:38:46 | 00,000,256 | ---- | C] () -- F:\WINNT\SBWIN.INI
[2003/10/25 20:38:35 | 00,000,231 | ---- | C] () -- F:\WINNT\AC3API.INI
[2003/10/25 20:38:11 | 00,034,914 | ---- | C] () -- F:\WINNT\System32\Emu10kx.ini
[2003/10/25 20:38:11 | 00,000,029 | ---- | C] () -- F:\WINNT\System32\ctzapxx.ini
[2003/10/25 19:30:02 | 00,104,960 | ---- | C] () -- F:\WINNT\System32\LGUICOM.DLL
[2003/10/25 19:30:02 | 00,000,488 | ---- | C] () -- F:\WINNT\Cmousecc.ini
[2003/10/25 19:23:09 | 00,126,976 | R--- | C] () -- F:\WINNT\System32\e1000msg.dll
[2003/10/25 19:21:05 | 00,000,169 | ---- | C] () -- F:\WINNT\RtlRack.ini
[2003/10/25 18:51:53 | 00,021,952 | -H-- | C] () -- C:\Program Files\folder.htt
[2003/10/25 18:51:53 | 00,000,271 | -H-- | C] () -- C:\Program Files\desktop.ini
[2003/10/25 18:40:02 | 00,000,040 | ---- | C] () -- F:\WINNT\nero.INI
[2003/04/04 09:55:52 | 00,307,200 | R--- | C] () -- F:\WINNT\System32\XmlSpyLib.dll
[2002/07/16 15:43:59 | 00,077,824 | ---- | C] () -- F:\WINNT\System32\hookmod.dll
[2002/06/17 21:36:10 | 00,482,816 | ---- | C] () -- F:\WINNT\System32\VFCodec.dll
[1999/12/07 08:00:00 | 00,176,400 | ---- | C] () -- F:\WINNT\System32\qcut.dll
[1999/12/07 08:00:00 | 00,033,552 | ---- | C] () -- F:\WINNT\System32\efsadu.dll
[1999/12/07 08:00:00 | 00,007,265 | ---- | C] () -- F:\WINNT\System32\iasperf.ini
[1999/12/07 08:00:00 | 00,001,505 | ---- | C] () -- F:\WINNT\System32\faxperf.ini
[1999/12/07 08:00:00 | 00,000,773 | ---- | C] () -- F:\WINNT\win.ini
[1999/12/07 08:00:00 | 00,000,231 | ---- | C] () -- F:\WINNT\system.ini
[1999/12/07 08:00:00 | 00,000,023 | ---- | C] () -- F:\WINNT\welcome.ini
[1999/09/25 06:36:24 | 00,088,816 | ---- | C] () -- F:\WINNT\System32\drivers\lvcam.sys
[1999/09/25 06:36:22 | 00,017,424 | ---- | C] () -- F:\WINNT\System32\drivers\lvsound.sys
[1997/06/13 22:56:08 | 00,056,832 | ---- | C] () -- F:\WINNT\System32\iyvu9_32.dll

========== LOP Check ==========

[2009/09/12 11:36:19 | 00,000,000 | -H-D | M] -- F:\Documents and Settings\Administrator\Application Data
[2004/11/16 00:11:42 | 00,000,000 | ---D | M] -- F:\Documents and Settings\Administrator\Application Data\Arcsoft
[2006/07/09 15:54:57 | 00,000,000 | ---D | M] -- F:\Documents and Settings\Administrator\Application Data\ATI
[2004/05/11 23:22:44 | 00,000,000 | ---D | M] -- F:\Documents and Settings\Administrator\Application Data\ICAClient
[2003/10/25 19:26:43 | 00,000,000 | ---D | M] -- F:\Documents and Settings\Administrator\Application Data\InterTrust
[2005/03/31 23:18:10 | 00,000,000 | ---D | M] -- F:\Documents and Settings\Administrator\Application Data\Intuit
[2003/11/04 21:27:43 | 00,000,000 | ---D | M] -- F:\Documents and Settings\Administrator\Application Data\Leadertech
[2006/12/08 23:41:50 | 00,000,000 | ---D | M] -- F:\Documents and Settings\Administrator\Application Data\Magic Match
[2009/09/01 11:48:07 | 00,000,000 | ---D | M] -- F:\Documents and Settings\Administrator\Application Data\PirateGalaxy
[2008/12/19 19:29:45 | 00,000,000 | RH-D | M] -- F:\Documents and Settings\Administrator\Application Data\SecuROM
[2009/09/01 11:53:43 | 00,000,000 | ---D | M] -- F:\Documents and Settings\Administrator\Application Data\Splitscreen Studios
[2008/12/20 12:45:32 | 00,000,000 | ---D | M] -- F:\Documents and Settings\Administrator\Application Data\SPORE
[2008/12/19 15:57:30 | 00,000,000 | ---D | M] -- F:\Documents and Settings\Administrator\Application Data\SPORE Creature Creator
[2004/09/12 22:29:25 | 00,000,000 | ---D | M] -- F:\Documents and Settings\Administrator\Application Data\TextPad
[2007/09/07 21:53:29 | 00,000,000 | ---D | M] -- F:\Documents and Settings\Administrator\Application Data\Ventrilo
[2008/07/18 16:22:16 | 00,000,000 | ---D | M] -- F:\Documents and Settings\Administrator\Application Data\Verizon
[2009/09/12 23:03:56 | 00,000,000 | -H-D | M] -- F:\Documents and Settings\All Users\Application Data
[2004/08/20 10:26:27 | 00,000,000 | ---D | M] -- F:\Documents and Settings\All Users\Application Data\{70FE9869-8D38-4EB3-8541-A735C2285CF7}
[2009/09/09 13:00:18 | 00,000,000 | ---D | M] -- F:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2003/10/25 20:08:08 | 00,000,000 | ---D | M] -- F:\Documents and Settings\All Users\Application Data\CyberLink
[2005/03/31 23:18:54 | 00,000,000 | ---D | M] -- F:\Documents and Settings\All Users\Application Data\Intuit
[2008/07/14 22:11:55 | 00,000,000 | ---D | M] -- F:\Documents and Settings\All Users\Application Data\MailFrontier
[2009/05/10 10:52:04 | 00,000,000 | ---D | M] -- F:\Documents and Settings\All Users\Application Data\PopCap Games
[2004/08/31 19:43:24 | 00,000,000 | ---D | M] -- F:\Documents and Settings\All Users\Application Data\Support.com
[2008/07/18 16:18:11 | 00,000,000 | ---D | M] -- F:\Documents and Settings\All Users\Application Data\Verizon
[1999/12/07 08:00:00 | 00,000,065 | RH-- | M] () -- F:\WINNT\Tasks\desktop.ini
[2009/10/10 08:05:41 | 00,000,006 | -H-- | M] () -- F:\WINNT\Tasks\SA.DAT

========== Purity Check ==========


< End of report >

Next is the Extras.Txt file.

OTL Extras logfile created on: 10/10/2009 23:07:02 - Run 1
OTL by OldTimer - Version 3.0.19.0 Folder = F:\Documents and Settings\Administrator\Desktop
Windows 2000 Professional Edition Service Pack 4 (Version = 5.0.2195) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.33 Gb Available Physical Memory | 66.76% Memory free
3.85 Gb Paging File | 3.32 Gb Available in Paging File | 86.38% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = F: | %SystemRoot% = F:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 50.35 Gb Free Space | 67.58% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 19.39 Gb Total Space | 5.94 Gb Free Space | 30.62% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: WARCHILD
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINNT\hh.exe (Microsoft Corporation)
.hta [@ = htafile] -- C:\WINNT\System32\mshta.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "C:\WINNT\hh.exe" %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htafile [open] -- C:\WINNT\System32\mshta.exe "%1" %* (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- %1 File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "F:\Winamp\winamp.exe" /BOOKMARK "%1" File not found
Directory [Winamp.Enqueue] -- "F:\Winamp\winamp.exe" /ADD "%1" File not found
Directory [Winamp.Play] -- "F:\Winamp\winamp.exe" "%1" File not found
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00020409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Standard
"{020700E4-A96B-4769-BA56-2106150F7B98}" = iPod for Windows
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1C263E36-DF93-436F-9F0A-F41D82F490CB}" = Palm Desktop
"{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}" = Skype™ 4.0
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 15
"{2A9A40C7-6670-4D5F-8F41-D12E2E08B48B}" = Star Wars®: Knights of the Old Republic ™
"{3248F0A8-6813-11D6-A77B-00B0D0150020}" = J2SE Runtime Environment 5.0 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0150040}" = J2SE Runtime Environment 5.0 Update 4
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{36495C59-089C-49D1-BD15-9E5BD86DC9A1}" = ItsDeductible Express
"{3E713D52-C967-41FB-AA24-3A92CC1025A4}" = Remote Desktop Connection
"{4E7E8E6A-15F1-4E26-9352-26AD235131E9}" = Documents To Go
"{578FA426-47C0-4A3F-98A4-01ACD26B7556}" = LEGO Star Wars II
"{5809E7CF-4DCF-11D4-9875-00105ACE7734}" = Logitech MouseWare 9.30
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{69F0982C-F08D-49E0-B8FB-FD636FD4DE40}" = XMLSPY 5 Special Edition for WebLogic
"{6F716D8C-398F-11D3-85E1-005004838609}" = WebFldrs
"{7148F0A8-6813-11D6-A77B-00B0D0142070}" = Java 2 Runtime Environment, SE v1.4.2_07
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{75AD7D33-EF26-4609-9D8D-CBF7F9AC5E08}" = Freedom Force
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
"{7C503E58-B2BC-11D5-978A-0050BA84F5F7}" = Neverwinter Nights
"{8270831B-8F2F-4B65-8E2C-9712054C38D1}" = ATI Catalyst Control Center
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}" = Logitech Desktop Messenger
"{936D42B8-FE51-41D5-A74A-6182F6CDB17B}" = NETGEAR WG311v2 802.11g Wireless PCI Adapter
"{96E16100-A77F-4B31-B9AD-FFBA040EE1BD}" = Sound Blaster Audigy
"{9DF0196F-B6B8-4C3A-8790-DE42AA530101}" = SPORE™
"{AA8E3FF9-91E3-4C78-8A82-997838BC8BE3}" = LimeWire
"{ABEA93FA-8D65-11D2-98AB-00C04F79C5D1}" = Microsoft IntelliPoint
"{AC76BA86-7AD7-1033-7B44-A70900000002}" = Adobe Reader 7.0.9
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B4FEA924-630D-11D4-B78E-005004566E4D}" = ViewSonic Monitor Drivers
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{B510A987-487E-4C66-9F4F-D386AC275715}" = TextPad 4.7
"{B52243A6-C486-4A7B-842F-E861A76FBDEF}" = Remote Printer Client
"{CBE0FCA1-4E95-11D4-9875-00105ACE7734}" = Logitech User's Guide
"{CEAF3507-FCB3-11D2-850C-00C0F01410B1}" = Majesty
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{E2B71D23-52F0-49AD-AC56-6DAB4CF9443C}" = Sound Blaster Audigy Web 2K/XP
"{E46601FA-2CA8-4F48-B743-DE27D8A30416}" = ML-1430 Series
"{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}" = WexTech AnswerWorks
"ACDSee Trial Version" = ACDSee Trial Version
"ActiveTouchMeetingClient" = WebEx
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"AVG8Uninstall" = AVG Free 8.5
"BeTrapped!" = BeTrapped! (remove only)
"BHODemon_is1" = BHODemon 2.0.0.23
"Bookworm Adventures Deluxe 1.0" = Bookworm Adventures Deluxe 1.0
"Citrix Web Client" = Citrix Web Client
"CobBackup9" = Cobian Backup 9
"Creative PC-CAM Center" = Creative PC-CAM Center
"Creative PD1131" = Creative WebCam NX Pro Driver (1.03.03.0326)
"Creative WebCam Monitor" = Creative WebCam Monitor
"Creative WebCam NX Pro User's Guide English" = Creative WebCam NX Pro User's Guide (English)
"Darwinia_is1" = Darwinia v1.42
"Dungeon Keeper II" = Dungeon Keeper 2
"Feeding Frenzy" = Feeding Frenzy
"Feeding Frenzy 2 Deluxe 1.0" = Feeding Frenzy 2 Deluxe 1.0
"GTK 2.0" = GTK+ Runtime 2.4.13 rev a (remove only)
"InstallShield_{020700E4-A96B-4769-BA56-2106150F7B98}" = iPod for Windows
"InstallShield_{578FA426-47C0-4A3F-98A4-01ACD26B7556}" = LEGO Star Wars II
"InstallShield_{936D42B8-FE51-41D5-A74A-6182F6CDB17B}" = NETGEAR WG311v2 802.11g Wireless PCI Adapter
"InstallShield_{AA8E3FF9-91E3-4C78-8A82-997838BC8BE3}" = LimeWire
"IPIX Netscape Plugin Viewer" = IPIX Netscape Plugin Viewer
"Java 2 Platform, Enterprise Edition 1.4 SDK" = Java 2 Platform, Enterprise Edition 1.4 SDK
"JRE 1.3.1_04" = Java 2 Runtime Environment Standard Edition v1.3.1_04
"JUDE Community_is1" = JUDE Community 2.4
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.0.14)" = Mozilla Firefox (3.0.14)
"mudmagic" = MudMagic (remove only)
"MUSICMATCH iPod Plug-in" = MUSICMATCH iPod Plug-in
"MUSICMATCH Jukebox" = MUSICMATCH Jukebox
"Nero - Burning Rom!UninstallKey" = Ahead Nero Burning ROM
"NJStar Chinese Word Processor" = NJStar Chinese Word Processor
"NJStar Communicator" = NJStar Communicator
"OpenAL" = OpenAL
"PartitionMagic 6.0" = PartitionMagic 6.0
"Plants vs. Zombies" = Plants vs. Zombies
"Platypus 1.0" = Platypus 1.0
"PROSet" = Intel® PRO Network Adapters and Drivers
"Q828026" = Windows Media Player Hotfix [See wm828026 for more information]
"Q903235" = Internet Explorer Q903235
"QuickTime" = QuickTime
"Renegade" = Command & Conquer Renegade
"RSNet EDN" = Red Swoosh EDN Client (remove only)
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.3
"Starcraft" = Starcraft
"Total Annihilation" = Total Annihilation
"TurboTax Premier 2004" = TurboTax Premier 2004
"UnityWebPlayer" = Unity Web Player
"Update Rollup 1" = Update Rollup 1 for Windows 2000 SP4
"Vim 7.1" = Vim 7.1 (self-installing)
"WinAce Archiver 2.0" = WinAce Archiver 2.0
"Winamp" = Winamp
"WinRAR archiver" = WinRAR archiver
"WinZip" = WinZip
"WMP7" = Windows Media Player system update (9 Series)
"World of Warcraft" = World of Warcraft
"Yahoo! Customizations" = Yahoo! extras
"Yahoo! Internet Mail" = Yahoo! Internet Mail
"Yahoo! Messenger" = Yahoo! Messenger
"YInstHelper" = Yahoo! Install Manager
"ZoneAlarm" = ZoneAlarm
"ZoneAlarmSB Uninstall" = ZoneAlarm Spy Blocker

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"mudmagic" = MudMagic (remove only)
"Pirate Galaxy" = Pirate Galaxy

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/10/2009 8:08:12 | Computer Name = WARCHILD | Source = Perflib | ID = 1008
Description = The Open Procedure for service "Nbf" in DLL "F:\WINNT\system32\perfctrs.dll"
failed. Performance data for this service will not be available. Status code returned
is data DWORD 0.

Error - 10/10/2009 8:08:12 | Computer Name = WARCHILD | Source = Perflib | ID = 1008
Description = The Open Procedure for service "PerfDisk" in DLL "F:\WINNT\system32\perfdisk.dll"
failed. Performance data for this service will not be available. Status code returned
is data DWORD 0.

Error - 10/10/2009 8:08:12 | Computer Name = WARCHILD | Source = Perflib | ID = 1008
Description = The Open Procedure for service "Nbf" in DLL "F:\WINNT\system32\perfctrs.dll"
failed. Performance data for this service will not be available. Status code returned
is data DWORD 0.

Error - 10/10/2009 8:08:12 | Computer Name = WARCHILD | Source = Perflib | ID = 1008
Description = The Open Procedure for service "PerfDisk" in DLL "F:\WINNT\system32\perfdisk.dll"
failed. Performance data for this service will not be available. Status code returned
is data DWORD 0.

Error - 10/10/2009 8:08:12 | Computer Name = WARCHILD | Source = Perflib | ID = 1008
Description = The Open Procedure for service "Nbf" in DLL "F:\WINNT\system32\perfctrs.dll"
failed. Performance data for this service will not be available. Status code returned
is data DWORD 0.

Error - 10/10/2009 8:08:12 | Computer Name = WARCHILD | Source = Perflib | ID = 1008
Description = The Open Procedure for service "PerfDisk" in DLL "F:\WINNT\system32\perfdisk.dll"
failed. Performance data for this service will not be available. Status code returned
is data DWORD 0.

Error - 10/10/2009 8:08:12 | Computer Name = WARCHILD | Source = Perflib | ID = 1008
Description = The Open Procedure for service "Nbf" in DLL "F:\WINNT\system32\perfctrs.dll"
failed. Performance data for this service will not be available. Status code returned
is data DWORD 0.

Error - 10/10/2009 8:08:12 | Computer Name = WARCHILD | Source = Perflib | ID = 1008
Description = The Open Procedure for service "PerfDisk" in DLL "F:\WINNT\system32\perfdisk.dll"
failed. Performance data for this service will not be available. Status code returned
is data DWORD 0.

Error - 10/10/2009 8:08:12 | Computer Name = WARCHILD | Source = Perflib | ID = 1008
Description = The Open Procedure for service "Nbf" in DLL "F:\WINNT\system32\perfctrs.dll"
failed. Performance data for this service will not be available. Status code returned
is data DWORD 0.

Error - 10/10/2009 8:08:12 | Computer Name = WARCHILD | Source = Perflib | ID = 1008
Description = The Open Procedure for service "PerfDisk" in DLL "F:\WINNT\system32\perfdisk.dll"
failed. Performance data for this service will not be available. Status code returned
is data DWORD 0.

[ System Events ]
Error - 10/8/2009 20:53:38 | Computer Name = WARCHILD | Source = Service Control Manager | ID = 7000
Description = The TrueVector Internet Monitor service failed to start due to the
following error: %%1053

Error - 10/8/2009 20:55:10 | Computer Name = WARCHILD | Source = Service Control Manager | ID = 7022
Description = The Network Security service hung on starting.

Error - 10/8/2009 22:52:22 | Computer Name = WARCHILD | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the TrueVector Internet Monitor
service to connect.

Error - 10/8/2009 22:52:22 | Computer Name = WARCHILD | Source = Service Control Manager | ID = 7000
Description = The TrueVector Internet Monitor service failed to start due to the
following error: %%1053

Error - 10/8/2009 22:53:54 | Computer Name = WARCHILD | Source = Service Control Manager | ID = 7022
Description = The Network Security service hung on starting.

Error - 10/9/2009 6:18:18 | Computer Name = WARCHILD | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the TrueVector Internet Monitor
service to connect.

Error - 10/9/2009 6:18:19 | Computer Name = WARCHILD | Source = Service Control Manager | ID = 7000
Description = The TrueVector Internet Monitor service failed to start due to the
following error: %%1053

Error - 10/9/2009 6:19:52 | Computer Name = WARCHILD | Source = Service Control Manager | ID = 7022
Description = The Network Security service hung on starting.

Error - 10/10/2009 8:06:12 | Computer Name = WARCHILD | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the TrueVector Internet Monitor
service to connect.

Error - 10/10/2009 8:06:12 | Computer Name = WARCHILD | Source = Service Control Manager | ID = 7000
Description = The TrueVector Internet Monitor service failed to start due to the
following error: %%1053


< End of report >

And the last one is the results.log from GMER.

GMER 1.0.15.15125 - http://www.gmer.net
Rootkit scan 2009-10-11 00:49:27
Windows 5.0.2195 Service Pack 4
Running: szrbsn00.exe; Driver: F:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ugtyqpod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwConnectPort [0xB77A0040]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateFile [0xB779C930]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateKey [0xB77A7A80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreatePort [0xB77A0510]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateWaitablePort [0xB77A0600]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteFile [0xB779CF20]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteKey [0xB77A86E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteValueKey [0xB77A8440]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwLoadKey [0xB77A88B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenFile [0xB779CD70]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwReplaceKey [0xB77A8CB0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRequestWaitReplyPort [0xB779FC00]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRestoreKey [0xB77A9080]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetInformationFile [0xB779D120]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetValueKey [0xB77A8140]

---- Kernel code sections - GMER 1.0.15 ----

? srescan.sys The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [B77A4CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [B77A4E10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B77A51C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [B77A5320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [B77A4CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B77A51C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [B77A5320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [B77A4E10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [B77A4CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [B77A5320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B77A51C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\irda.sys[NDIS.SYS!NdisDeregisterProtocol] [B77A4E10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\irda.sys[NDIS.SYS!NdisRegisterProtocol] [B77A4CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\irda.sys[NDIS.SYS!NdisOpenAdapter] [B77A51C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\irda.sys[NDIS.SYS!NdisCloseAdapter] [B77A5320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\nbf.sys[NDIS.SYS!NdisCloseAdapter] [B77A5320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\nbf.sys[NDIS.SYS!NdisOpenAdapter] [B77A51C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\nbf.sys[NDIS.SYS!NdisDeregisterProtocol] [B77A4E10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\nbf.sys[NDIS.SYS!NdisRegisterProtocol] [B77A4CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisCloseAdapter] [B77A5320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisOpenAdapter] [B77A51C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisRegisterProtocol] [B77A4CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisDeregisterProtocol] [B77A4E10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [B77B2330] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [B779D670] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [B779D5C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [B779D770] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [B779D2D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

---- User IAT/EAT - GMER 1.0.15 ----

IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\Explorer.EXE [KERNEL32.DLL!CreateProcessW] [230214FD] F:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\Explorer.EXE [KERNEL32.DLL!LoadLibraryW] [732E786F] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\Explorer.EXE [KERNEL32.DLL!GetProcAddress] [732E771E] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\Explorer.EXE [KERNEL32.DLL!FreeLibrary] [732E7A04] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\Explorer.EXE [KERNEL32.DLL!LoadLibraryA] [732E7800] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessA] [23021346] F:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessW] [230214FD] F:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [732E786F] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!FreeLibrary] [732E7A04] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [732E771E] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [732E7800] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\GDI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\GDI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [230214FD] F:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [732E771E] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\USER32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExA] [732E78DE] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessA] [23021346] F:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessW] [230214FD] F:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!GetProcAddress] [732E771E] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [732E771E] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [732E7800] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\msvcrt.dll [KERNEL32.dll!FreeLibrary] [732E7A04] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [23021346] F:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [230214FD] F:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [230214FD] F:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [732E771E] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\SHELL32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\OLE32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\OLE32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\OLE32.DLL [KERNEL32.dll!CreateProcessW] [230214FD] F:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [732E771E] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\Secur32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!LoadLibraryA] [732E7800] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!LoadLibraryA] [732E7800] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\USERENV.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\USERENV.DLL [KERNEL32.dll!CreateProcessW] [230214FD] F:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\USERENV.DLL [KERNEL32.dll!GetProcAddress] [732E771E] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [732E786F] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [732E771E] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [732E7800] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\WININET.dll [KERNEL32.dll!FreeLibrary] [732E7A04] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [732E771E] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [732E78DE] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Regards,
b0kater1
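
The GMER log above is almost entirely hook entries, and the useful reading is who owns them: every SSDT, IAT and device hook resolves either to vsdatant.sys (ZoneAlarm's TrueVector driver) or to Microsoft's Windows 2000 application-compatibility shim DLLs, which is what a personal firewall and the shim engine do by design. Below is an added example, not code from the original post or from GMER, that parses those three entry formats, groups the hooks by hooking module, and flags a module that is unexpected, carries no vendor string, or loads from a user-writable path. The KNOWN table, the USER_WRITABLE heuristic and the final sample line (hypo.sys) are assumptions constructed for the demonstration; the other sample lines are copied from the log above.

```python
"""Triage the hook entries of a GMER rootkit-scan log.

Added example for this thread (not from the original post or from GMER).
Hooks alone are not a finding: a personal firewall such as ZoneAlarm's
vsdatant.sys hooks dozens of kernel entry points by design. The question is
whether every hook resolves to an expected module, with a vendor string,
loaded from a system path. KNOWN and USER_WRITABLE are assumptions made
for this log; extend KNOWN for other security products you run.
"""
import re

# Expected hooking modules: basename -> substring expected in GMER's vendor string.
KNOWN = {
    "vsdatant.sys": "Zone Labs",  # ZoneAlarm TrueVector driver
    "shim.dll": "Microsoft",      # Windows 2000 app-compat shim engine
    "aclayers.dll": "Microsoft",  # Windows 2000 shim accessory DLL
    "fltmgr.sys": "Microsoft",    # filesystem filter manager
}
# Heuristic: a legitimate hooking driver is not loaded from a user-writable path.
USER_WRITABLE = ("\\temp\\", "\\docume~1\\", "\\documents and settings\\")

# Optional trailing "(description/vendor)" that GMER appends when it can resolve it.
DESC = r"(?:\s+\((?P<desc>[^()]*)\))?\s*$"
PATTERNS = {
    # SSDT <module> (<desc>) <ZwFunction> [0xADDR]
    "SSDT": re.compile(r"^SSDT\s+(?P<module>.+?)(?:\s+\((?P<desc>[^()]*)\))?"
                       r"\s+(?P<target>(?:Zw|Nt)\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]\s*$"),
    # IAT <driver>[<import>] [ADDR] <module> (<desc>)   or
    # IAT <exe>[pid] @ <dll> [<import>] [ADDR] <module> (<desc>)
    "IAT": re.compile(r"^IAT\s+(?P<site>.+)\[(?P<target>[^\]]+)\]\s+\[(?P<addr>[0-9A-Fa-f]+)\]"
                      r"\s+(?P<module>.+?)" + DESC),
    # Device|AttachedDevice <driver object> <device> <module> (<desc>)
    "Device": re.compile(r"^(?P<kind>Device|AttachedDevice)\s+(?P<site>\S+)\s+(?P<target>\S+)"
                         r"\s+(?P<module>.+?)" + DESC),
}


def parse_hooks(text):
    """Yield one dict per hook line; GMER headers, warnings and blanks are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        for kind, pat in PATTERNS.items():
            m = pat.match(line)
            if m:
                d = m.groupdict()
                yield {"kind": d.get("kind") or kind, "site": (d.get("site") or "").strip(),
                       "target": d["target"], "module": d["module"].strip(), "desc": d.get("desc")}
                break


def triage(text):
    """Group hooks by hooking module and attach a verdict with the reasons for it."""
    report = {}
    for h in parse_hooks(text):
        name = h["module"].rsplit("\\", 1)[-1].lower()
        e = report.setdefault(name, {"path": h["module"], "vendor": h["desc"], "count": 0,
                                     "kinds": set(), "targets": [], "reasons": []})
        e["count"] += 1
        e["kinds"].add(h["kind"])
        e["targets"].append(h["target"])
    for name, e in report.items():
        reasons = []
        if name not in KNOWN:
            reasons.append("module is not in the expected-hooker list")
        if not e["vendor"]:
            reasons.append("GMER resolved no vendor/description string")
        elif name in KNOWN and KNOWN[name] not in e["vendor"]:
            reasons.append("vendor string does not match the expected product")
        if any(p in e["path"].lower() for p in USER_WRITABLE):
            reasons.append("loaded from a user-writable path")
        e["reasons"] = reasons
        e["verdict"] = "suspicious" if reasons else "expected"
        e["kinds"] = sorted(e["kinds"])
    return report


# Constructed sample: the first lines are copied from the log above, the last
# (hypo.sys) is invented to show what an unexpected hook looks like.
SAMPLE_GMER = r"""
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwConnectPort [0xB77A0040]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateFile [0xB779C930]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetValueKey [0xB77A8140]
? srescan.sys The system cannot find the file specified. !
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [B77A4CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [B779D2D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\Explorer.EXE [KERNEL32.DLL!CreateProcessW] [230214FD] F:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[252] @ F:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
SSDT \??\F:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hypo.sys ZwQueryDirectoryFile [0xF8A1C000]
"""

if __name__ == "__main__":
    for name, e in triage(SAMPLE_GMER).items():
        print(f"{e['verdict']:10} {name:14} {e['count']:2} hook(s) {e['kinds']} vendor={e['vendor']!r}")
        for r in e["reasons"]:
            print(f"{'':10} - {r}")
```

Run it against the full results.log (paste the file contents in place of SAMPLE_GMER) and the report for this thread collapses to four expected modules; a rootkit driver shows up as a basename that is not in KNOWN, usually without a vendor string and often hooking ZwQueryDirectoryFile or ZwEnumerateKey to hide its files and registry keys. The address column is deliberately ignored: what matters is which module owns the hook, not where in memory it sits.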

#4 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 13 October 2009 - 07:04 AM

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#5 b0kater1

  • Topic Starter

  • Members
  • 3 posts

Posted 14 October 2009 - 10:15 PM

kahdah,

ComboFix didn't seem to try and install the Recovery Console for some reason. Possibly since this is WIN2K? It obviously noticed it's missing, from the one line below. I'm assuming I can (and should) install it manually?

Here's the contents of the ComboFix.txt file.

ComboFix 09-10-14.06 - Administrator 10/14/2009 22:40.1.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.2047.1607 [GMT -4:00]
Running from: f:\documents and settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Toolbar
c:\program files\Toolbar\rw.wzg
c:\program files\Toolbar\xzxsv.wzg
c:\program files\Toolbar\yildhvi.olt
c:\winnt\Downloaded Program Files\MyWebEx
c:\winnt\Downloaded Program Files\MyWebEx\419\atarm.dll
c:\winnt\Downloaded Program Files\MyWebEx\419\atas32.dll
c:\winnt\Downloaded Program Files\MyWebEx\419\atasanot.exe
c:\winnt\Downloaded Program Files\MyWebEx\419\atasctrl.dll
c:\winnt\Downloaded Program Files\MyWebEx\419\atasnt40.dll
c:\winnt\Downloaded Program Files\MyWebEx\419\atcarmcl.dll
c:\winnt\Downloaded Program Files\MyWebEx\419\atdl2006.dll
c:\winnt\Downloaded Program Files\MyWebEx\419\atjpeg60.dll
c:\winnt\Downloaded Program Files\MyWebEx\419\atkbctl.dll
c:\winnt\Downloaded Program Files\MyWebEx\419\atlchat.dll
c:\winnt\Downloaded Program Files\MyWebEx\419\atmemmgr.dll
c:\winnt\Downloaded Program Files\MyWebEx\419\atnetext.dll
c:\winnt\Downloaded Program Files\MyWebEx\419\atpack.dll
c:\winnt\Downloaded Program Files\MyWebEx\419\atres.dll
c:\winnt\Downloaded Program Files\MyWebEx\419\attp.dll
c:\winnt\Downloaded Program Files\MyWebEx\419\atwbxui6.dll
c:\winnt\Downloaded Program Files\MyWebEx\419\h264dec.dll
c:\winnt\Downloaded Program Files\MyWebEx\419\h264enc.dll
c:\winnt\Downloaded Program Files\MyWebEx\419\mmssl32.dll
c:\winnt\Downloaded Program Files\MyWebEx\419\msess.dll
c:\winnt\Downloaded Program Files\MyWebEx\419\mticket.dll
c:\winnt\Downloaded Program Files\MyWebEx\419\mutiltpd.dll
c:\winnt\Downloaded Program Files\MyWebEx\419\mvc.dll
c:\winnt\Downloaded Program Files\MyWebEx\419\mwm.ini
c:\winnt\Downloaded Program Files\MyWebEx\419\mwmcliun.exe
c:\winnt\Downloaded Program Files\MyWebEx\419\mwmproxy.dll
c:\winnt\Downloaded Program Files\MyWebEx\419\mwmres.dll
c:\winnt\Downloaded Program Files\MyWebEx\419\mwmupd.exe
c:\winnt\Downloaded Program Files\MyWebEx\419\raurl.dll
c:\winnt\Downloaded Program Files\MyWebEx\419\uilibres.dll
c:\winnt\Downloaded Program Files\MyWebEx\419\wbxcrypt.dll
c:\winnt\Downloaded Program Files\MyWebEx\419\webexmgr.dll
f:\winnt\Web\default.htt

f:\winnt\system32\comres.dll . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Legacy_MNDISK
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2009-09-15 to 2009-10-15 )))))))))))))))))))))))))))))))
.

2009-10-15 02:56 . 2009-10-15 02:56 16384 ----atw- f:\winnt\system32\Perflib_Perfdata_274.dat
2009-09-21 20:40 . 2009-09-21 20:40 -------- d-----w- c:\program files\Cobian Backup 9
2009-09-21 20:31 . 2003-06-19 19:05 30768 ------w- f:\winnt\system32\drivers\disk.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-15 02:54 . 2005-12-02 23:26 24 ----a-w- f:\winnt\system32\DVCStateBkp-{00000003-00000000-00000006-00001102-00000004-00511102}.dat
2009-10-15 02:54 . 2005-12-02 23:26 24 ----a-w- f:\winnt\system32\DVCState-{00000003-00000000-00000006-00001102-00000004-00511102}.dat
2009-09-23 21:38 . 2009-09-09 17:00 -------- d---a-w- f:\documents and settings\All Users\Application Data\avg8
2009-09-13 03:04 . 2009-09-13 03:03 -------- d-----w- f:\documents and settings\All Users\Application Data\NOS
2009-09-13 03:03 . 2009-09-13 03:03 -------- d-----w- c:\program files\NOS
2009-09-12 15:36 . 2009-09-12 15:36 -------- d-----w- f:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-12 15:36 . 2009-09-12 15:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-12 15:36 . 2009-09-12 15:36 -------- d-----w- f:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-10 18:54 . 2009-09-12 15:36 38224 ------w- f:\winnt\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-09-12 15:36 18520 ------w- f:\winnt\system32\drivers\mbam.sys
2009-09-09 17:00 . 2009-09-09 17:00 11952 ------w- f:\winnt\system32\avgrsstx.dll
2009-09-09 17:00 . 2009-09-09 17:00 108552 ------w- f:\winnt\system32\drivers\avgtdix.sys
2009-09-09 17:00 . 2009-09-09 17:00 335240 ------w- f:\winnt\system32\drivers\avgldx86.sys
2009-09-09 17:00 . 2009-09-09 17:00 27784 ------w- f:\winnt\system32\drivers\avgmfx86.sys
2009-09-09 17:00 . 2009-09-09 17:00 -------- d---a-w- f:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-09-09 17:00 . 2009-09-09 17:00 -------- d-----w- c:\program files\AVG
2009-09-09 16:56 . 2009-09-09 16:56 -------- d-----w- f:\documents and settings\Administrator\Application Data\AVG8
2009-09-09 16:49 . 2009-02-24 03:42 -------- d-----w- c:\program files\GRETECH
2009-09-09 16:49 . 2005-03-13 20:42 -------- d-----w- c:\program files\Java
2009-09-09 13:19 . 2009-01-28 21:37 -------- d-----w- c:\program files\BHODemon 2
2009-09-09 13:04 . 2004-07-24 03:54 -------- d---a-w- f:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-09 12:39 . 2004-07-24 03:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-05 06:36 . 1999-12-07 12:00 55056 ------w- f:\winnt\system32\msasn1.dll
2009-09-01 15:53 . 2009-09-01 15:53 -------- d-----w- f:\documents and settings\Administrator\Application Data\Splitscreen Studios
2009-09-01 15:48 . 2009-09-01 15:48 -------- d-----w- f:\documents and settings\Administrator\Application Data\PirateGalaxy
2009-08-27 19:51 . 2009-08-27 19:51 576512 ----a-w- f:\winnt\system32\WININET.DLL
2009-08-21 21:06 . 2003-10-26 01:10 247326 ------w- f:\winnt\system32\strmdll.dll
2009-08-05 05:04 . 2009-08-05 05:04 90164 ------w- f:\winnt\system32\atl.dll
2009-07-27 11:27 . 1999-12-07 12:00 81168 ------w- f:\winnt\system32\fontsub.dll
2009-07-27 11:27 . 1999-12-07 12:00 165136 ------w- f:\winnt\system32\t2embed.dll
2009-07-25 09:23 . 2009-02-08 23:30 411368 ------w- f:\winnt\system32\deploytk.dll
2003-10-25 22:51 . 2003-10-25 22:51 21952 ---h--w- c:\program files\folder.htt
.

------- Sigcheck -------

[-] 2003-06-19 19:05 . 5D3D77C9EB3A8E6A14CC8E1252B6CC5C . 17840 . . [5.00.2195.6655] . . f:\winnt\ServicePackFiles\i386\asyncmac.sys
[-] 2003-06-19 19:05 . 5D3D77C9EB3A8E6A14CC8E1252B6CC5C . 17840 . . [5.00.2195.6655] . . f:\winnt\system32\drivers\asyncmac.sys

[-] 1999-12-07 12:00 . DF012C2853281CE2BF536E8DE871C8C1 . 4080 . . [5.00.2158.1] . . f:\winnt\system32\dllcache\beep.sys
[-] 1999-12-07 12:00 . DF012C2853281CE2BF536E8DE871C8C1 . 4080 . . [5.00.2158.1] . . f:\winnt\system32\drivers\beep.sys

[-] 2003-06-19 19:05 . 399055F5C4A98F39B47D26888A72145D . 24528 . . [5.00.2195.6666] . . f:\winnt\ServicePackFiles\i386\kbdclass.sys
[-] 2003-06-19 19:05 . 399055F5C4A98F39B47D26888A72145D . 24528 . . [5.00.2195.6666] . . f:\winnt\system32\drivers\kbdclass.sys

[-] 2003-06-19 19:05 . FB4F2D0595BD3546A4DD915E4A9B4809 . 170928 . . [5.00.2195.6655] . . f:\winnt\ServicePackFiles\i386\ndis.sys
[-] 2003-06-19 19:05 . FB4F2D0595BD3546A4DD915E4A9B4809 . 170928 . . [5.00.2195.6655] . . f:\winnt\system32\drivers\ndis.sys

[-] 1999-12-07 12:00 . 280209CDE798720A24D232BF9CFDA8E9 . 2800 . . [5.00.2134.1] . . f:\winnt\system32\dllcache\null.sys
[-] 1999-12-07 12:00 . 280209CDE798720A24D232BF9CFDA8E9 . 2800 . . [5.00.2134.1] . . f:\winnt\system32\drivers\null.sys

[-] 2003-06-19 19:05 . 873794CE17DD72420D9C4072D4D112E5 . 96528 . . [5.00.2195.6655] . . f:\winnt\ServicePackFiles\i386\imm32.dll
[-] 2003-06-19 19:05 . 873794CE17DD72420D9C4072D4D112E5 . 96528 . . [5.00.2195.6655] . . f:\winnt\system32\imm32.dll

[-] 2003-06-19 19:05 . EF290209052ED43DDFDB8F0E74EC79EF . 20240 . . [5.00.2195.6692] . . f:\winnt\ServicePackFiles\i386\lpk.dll
[-] 2003-06-19 19:05 . EF290209052ED43DDFDB8F0E74EC79EF . 20240 . . [5.00.2195.6692] . . f:\winnt\system32\lpk.dll

[-] 2003-06-19 19:05 . 0A35F356726069B95F4BB2A99203FDD4 . 13584 . . [5.00.3502.6601] . . f:\winnt\ServicePackFiles\i386\powrprof.dll
[-] 2003-06-19 19:05 . 0A35F356726069B95F4BB2A99203FDD4 . 13584 . . [5.00.3502.6601] . . f:\winnt\system32\powrprof.dll

[-] 1999-12-07 12:00 . 9E64AD53CFD9DA2D22E8A924F8C6E62C . 7952 . . [5.00.2134.1] . . f:\winnt\system32\svchost.exe
[-] 1999-12-07 12:00 . 9E64AD53CFD9DA2D22E8A924F8C6E62C . 7952 . . [5.00.2134.1] . . f:\winnt\system32\dllcache\svchost.exe

[-] 2003-06-19 19:05 . BF179C5B8A722CC79AEF1CA90D6C7D48 . 17680 . . [5.00.2195.6612] . . f:\winnt\ServicePackFiles\i386\userinit.exe
[-] 2003-06-19 19:05 . BF179C5B8A722CC79AEF1CA90D6C7D48 . 17680 . . [5.00.2195.6612] . . f:\winnt\system32\USERINIT.EXE

[-] 2003-06-19 19:05 . 0190C62DE42396D78DB9BE771CF2403E . 69904 . . [5.00.2195.6601] . . f:\winnt\ServicePackFiles\i386\ws2_32.dll
[-] 2003-06-19 19:05 . 0190C62DE42396D78DB9BE771CF2403E . 69904 . . [5.00.2195.6601] . . f:\winnt\system32\ws2_32.dll

[-] 2003-06-19 19:05 . 59CF2B7DCED9111F48F51B4B570E672D . 243472 . . [5.00.3700.6690] . . f:\winnt\explorer.exe
[-] 2003-06-19 19:05 . 59CF2B7DCED9111F48F51B4B570E672D . 243472 . . [5.00.3700.6690] . . f:\winnt\ServicePackFiles\i386\explorer.exe

[-] 2003-06-19 19:05 . BA7BE6F92680B28B9031170659FD222D . 286773 . . [6.10.9844.0] . . f:\winnt\ServicePackFiles\i386\msvcrt.dll
[-] 2003-06-19 19:05 . BA7BE6F92680B28B9031170659FD222D . 286773 . . [6.10.9844.0] . . f:\winnt\system32\msvcrt.dll

[-] 2003-06-19 19:05 . 9C2A16951FD6A21AEF1C29F213A564B2 . 120592 . . [5.00.2195.6658] . . f:\winnt\ServicePackFiles\i386\appmgmts.dll
[-] 2003-06-19 19:05 . 9C2A16951FD6A21AEF1C29F213A564B2 . 120592 . . [5.00.2195.6658] . . f:\winnt\system32\appmgmts.dll

[-] 2003-06-19 19:05 . CDDB71A90077C93BEA5C72507F0B1394 . 21008 . . [5.00.2195.6655] . . f:\winnt\ServicePackFiles\i386\agp440.sys
[-] 2003-06-19 19:05 . CDDB71A90077C93BEA5C72507F0B1394 . 21008 . . [5.00.2195.6655] . . f:\winnt\system32\drivers\agp440.sys

[-] 2003-06-19 19:05 . 4B10B4DB777EE2EF8E755E7F3D7C4FE8 . 11536 . . [5.00.2195.6655] . . f:\winnt\ServicePackFiles\i386\acpiec.sys
[-] 2003-06-19 19:05 . 4B10B4DB777EE2EF8E755E7F3D7C4FE8 . 11536 . . [5.00.2195.6655] . . f:\winnt\system32\drivers\acpiec.sys

[-] 2002-11-27 00:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . f:\winnt\system32\mspmsnsv.dll

[-] 2003-06-19 19:05 . 56D893A01269008C28FBF2D025B2FA78 . 401168 . . [5.00.2195.6655] . . f:\winnt\ServicePackFiles\i386\ntmssvc.dll
[-] 2003-06-19 19:05 . 56D893A01269008C28FBF2D025B2FA78 . 401168 . . [5.00.2195.6655] . . f:\winnt\system32\ntmssvc.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-09-02 15:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-31 68856]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\winnt\UpdReg.EXE" [2000-05-11 90112]
"Jet Detection"="c:\program files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-10-04 28672]
"CTStartup"="c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" [2001-12-20 28672]
"NeroCheck"="c:\winnt\system32\NeroCheck.exe" [2001-07-09 155648]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-02-24 98304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-06 2023704]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Synchronization Manager"="mobsync.exe" - f:\winnt\system32\mobsync.exe [2003-06-19 111376]
"WINDVDPatch"="CTHELPER.EXE" - f:\winnt\system32\CTHELPER.EXE [2002-02-07 40960]
"CTHelper"="CTHELPER.EXE" - f:\winnt\system32\CTHELPER.EXE [2002-02-07 40960]
"AsioReg"="CTASIO.DLL" - f:\winnt\system32\CTASIO.DLL [2002-03-22 98304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]

f:\documents and settings\Administrator\Start Menu\Programs\Startup\
BHODemon 2.0.lnk - c:\program files\BHODemon 2\BHODemon.exe [2005-6-19 946176]
LBRP Auto-Select Default.lnk - c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{B52243A6-C486-4A7B-842F-E861A76FBDEF}\IconB52243A6.exe [2008-1-31 177152]

f:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
NETGEAR WG311v2 Smart Configuration.lnk - c:\program files\NETGEAR WG311v2 Adapter\wlancfg5.exe [2004-10-14 450560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-09 17:00 11952 ------w- f:\winnt\system32\avgrsstx.dll

R0 Si3112r;Silicon Image SiI 3112 SATARaid Controller;f:\winnt\system32\drivers\Si3112r.sys [7/21/2003 9:27 85265]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;f:\winnt\system32\drivers\avgldx86.sys [9/9/2009 13:00 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;f:\winnt\system32\drivers\avgtdix.sys [9/9/2009 13:00 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/9/2009 13:00 297752]
R2 CobianBackupAmanita;Cobian Backup 9 service;f:\program files\Cobian Backup 9\cbService.exe [9/21/2009 16:41 583168]
R3 usbhub20;USB 2.0 Root Hub Support;f:\winnt\system32\drivers\usbhub20.sys [10/25/2003 21:10 49776]
S3 DualPow;Thrustmaster FireStorm™ Dual Power 2;f:\winnt\system32\DRIVERS\DualPow2.sys --> f:\winnt\system32\DRIVERS\DualPow2.sys [?]
S3 ESSIDSET;ESSIDSET;c:\winnt\system32\ESSIDSET.SYS [12/11/2004 11:34 9376]
S3 getPlusHelper;getPlus® Helper;f:\winnt\System32\svchost.exe -k getPlusHelper [12/7/1999 8:00 7952]
S3 SaiH0460;SaiH0460;f:\winnt\system32\drivers\SaiH0460.sys [11/3/2005 10:52 176640]
S3 vdev;VPN-1 SecureClient Virtual Ethernet Adapter;f:\winnt\system32\drivers\vdev.sys [4/5/2004 18:55 16396]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - IPNAT
*NewlyCreated* - RASAUTO

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
c:\winnt\inf\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{26923b43-4d38-484f-9b9e-de460746276c}]
"c:\winnt\system32\shmgrate.exe" OCInstallUserConfigIE

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
"c:\winnt\system32\shmgrate.exe" OCInstallUserConfigOE

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
rundll32.exe advpack.dll,LaunchINFSection c:\winnt\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
rundll32.exe advpack.dll,LaunchINFSection c:\winnt\INF\wmp.inf,PerUserStub

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
c:\winnt\system32\Rundll32.exe c:\winnt\system32\mscories.dll,Install
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\winnt\System32\blank.htm
uStart Page = hxxp://www.google.com/ig?hl=en
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: c:\progra~1\COMMON~1\BTLINK\btlink.dll//iemenu
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Edit with &XML Spy - c:\program files\Altova\xmlspy\spy.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
Trusted Zone: aol.com\free
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {521D3212-021E-4212-B5DA-26B25A954DC2} - hxxps://live.lehman.com/GIS/Portal/SPT/CABs/VLLoadEdit.CAB
FF - ProfilePath - f:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4azll94k.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en#min5
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\winnt\system32\Macromed\Flash\NPSWF32.dll
FF - plugin: f:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4azll94k.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-iPodWatcher - c:\program files\iPod\Bin\iPodWatcher.exe
HKLM-Run-POINTER - point32.exe
AddRemove-Bookworm Adventures Deluxe 1.0 - f:\program files\PopCap Games\Bookworm Adventures Deluxe\PopUninstall.exe
AddRemove-Darwinia_is1 - f:\program files\Cinemaware Marquee\Darwinia\unins000.exe
AddRemove-Renegade - c:\westwood\Renegade\Uninstll.exe
AddRemove-Total Annihilation - f:\cavedog\TOTALA\setup.exe
AddRemove-Winamp - f:\winamp\UninstWA.exe
AddRemove-Yahoo! Internet Mail - c:\winnt\system32\regsvr32
AddRemove-YInstHelper - c:\winnt\system32\regsvr32



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-14 22:57
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = c:\program files\Creative\Splash Screen\CTEaxSpl.EXE /run?N???>lg?>l????j??xP"?x????4??????x4??????x4????????a;l4????????&/?t???d?N?d?N?d?N?????????Ln?w??I?d?N?d?N?????A?>l?a;l??H?d???d?N?d?N?d?N???;l????d?N?~?;ld?N??&/???;l?&/??C@?x?????7lx??????xd?N???@

scanning hidden files ...


f:\winnt\system32\Perflib_Perfdata_2d4.dat 16384 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-776561741-725345543-500\Software\SecuROM\License information*]
"datasecu"=hex:71,77,0b,49,6d,bd,87,34,61,3a,8f,8a,ca,80,78,b1,dc,87,f4,0b,93,
7a,5c,e4,bd,b2,77,5f,d5,13,19,55,ce,08,d5,c9,ef,16,52,08,d5,94,a5,7f,67,7b,\
"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(228)
f:\winnt\system32\Ati2evxx.dll
f:\winnt\system32\wzcdlg.dll
f:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'explorer.exe'(2004)
f:\winnt\AppPatch\AcLayers.DLL
f:\winnt\system32\SHDOCVW.DLL
f:\winnt\system32\ctagent.dll
c:\progra~1\Yahoo!\MESSEN~1\MSVCR71.dll
.
Completion time: 2009-10-15 23:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-15 03:03

Pre-Run: 6,112,088,064 bytes free
Post-Run: 6,642,941,952 bytes free

283 --- E O F --- 2009-10-14 10:55

#6 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 15 October 2009 - 07:33 AM

Yes, you are right, don't worry about the Recovery Console.

Please update/run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.
  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
=====
Please go HERE to run Panda's ActiveScan 2.0
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the yellow bar to install the active x control.
  • Then click Install.
  • It will begin to download and scan.
  • When the scan completes, click on the Export now button then save the file to your desktop.
  • Close Active scan 2.0
  • Please post the contents of the log here in your next reply.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here
