Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I think my VISTA 64 bit desktop is infected


  • This topic is locked This topic is locked
26 replies to this topic

#1 FloridaMark

FloridaMark

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:11:32 PM

Posted 23 September 2009 - 10:45 PM

Hi-

I am suspecting that I have some virus or malware infections affecting my Windows Vista 64 bit desktop system. One to two weeks ago I noticed that my Internet connection seemed to be dramatically slower than usual. At about the same time my AVG Resident Shield detected I:\BOOTEX\thumbcache_131.exe (Trojan Horse downloader.Generic8.BPUE detected on open, Process name C:\Windows\explorer.exe) when I plugged in my thumb drive. I selected the option to move the threat to the Virus Vault but every time I eject the thumbdrive and reconnect it I would get the same threat detection and have to remove the offending file again. This leads me to believe that I have a virus or malware on my system that AVG is not detecting and that every time I plug my thumb drive in the malware re-infects it again.

I tried to follow the Prep Guide but was unable to get DDS to run in the 64 bit OS. I posted in "BleepingComputer.com > Security > Am I infected? What do I do?" and garmanma suggested I try running RSIT which I did.

Since AVG is not detecting anything I am afraid that I have a RootKit infection and I don’t have any idea how to detect or clean the problem. Since I originally posted this on "Am I infected" the thumb drive is not longer getting infected when I plug it in and my Internet connection is faster.

This desktop computer is different from the notebook computer I posted about a week or so ago. I am running Windows Vista Home Premium 64 bit OS with SP1, 4 GB Ram, Intel Core 2 Duo E8400 CPU at 3 Ghz

Any help is really appreciated.

Thanks,

Mark :(


Here is the RSIT report...

Logfile of random's system information tool 1.06 (written by random/random)
Run by Mark at 2009-09-23 22:01:49
Microsoft® Windows Vista™ Home Premium Service Pack 1
System drive C: has 19 GB (16%) free of 125 GB
Total RAM: 4093 MB (43% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:30:04 PM, on 9/23/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18248)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\NETGEAR\WG111v2\WG111v2.exe
C:\Program Files (x86)\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\Program Files (x86)\AVG\AVG8\avgtray.exe
C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files (x86)\AVG\AVG8\avgcsrvx.exe
C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Mark\Desktop\RSIT.exe
C:\Program Files (x86)\trend micro\Mark.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG8\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files (x86)\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~2\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: VZAccess Manager.lnk = C:\Program Files (x86)\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard..lnk = C:\Program Files (x86)\NETGEAR\WG111v2\WG111v2.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O13 - Gopher Prefix:
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://postitem.auctionarms.com/ImageUploader5.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ndcsupport.webex.com/client/T26L/su...rt/ieatgpc1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1BDF1E85-2A33-4D1C-9866-47DD4DA5FF47}: NameServer = 75.116.127.154 75.116.63.154
O17 - HKLM\System\CS1\Services\Tcpip\..\{1BDF1E85-2A33-4D1C-9866-47DD4DA5FF47}: NameServer = 75.116.127.154 75.116.63.154
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files (x86)\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Advantage Database Server (Advantage) - iAnywhere Solutions, Inc. - C:\Program Files (x86)\Advantage 9.0\Server\ADS.EXE
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: WebEx Service Host for Support Center (atashost) - WebEx Communications, Inc. - C:\Windows\SysWOW64\atashost.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~2\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~2\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files (x86)\GIGABYTE\EnergySaver\GSvr.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files (x86)\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\SysWOW64\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 9217 bytes

======Scheduled tasks folder======

C:\Windows\tasks\User_Feed_Synchronization-{27EEEB8D-747E-4B5D-9DB3-02DA4EFBECA6}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files (x86)\AVG\AVG8\avgssie.dll [2009-09-05 1111320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17 408440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar.dll [2009-04-25 259696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll [2009-04-22 668656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files (x86)\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll [2009-04-25 470512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}]
HP Smart BHO Class - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll [2008-10-16 505136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar.dll [2009-04-25 259696]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"=C:\PROGRA~2\AVG\AVG8\avgtray.exe [2009-09-05 2007832]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"=C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe []
"swg"=C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-12-10 39408]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
NETGEAR WG111v2 Smart Wizard..lnk - C:\Program Files (x86)\NETGEAR\WG111v2\WG111v2.exe

C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
VZAccess Manager.lnk - C:\Program Files (x86)\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\atashost]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoActiveDesktop"=
"NoActiveDesktopChanges"=
"ForceActiveDesktopOn"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47ec92b8-c6d8-11dd-863b-806e6f6e6963}]
shell\AutoRun\command - D:\SOAPWAREDEMO.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{484ee695-c7e4-11dd-bf72-f22976b60403}]
shell\AutoRun\command - E:\Launch.exe /run

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d0084261-cc48-11dd-8160-a173e04adabb}]
shell\AutoRun\command - BOOTEX\thumbcache_131.exe
shell\explore\command - BOOTEX/thumbcache_131.exe
shell\open\command - .////BOOTEX/thumbcache_131.exe


======List of files/folders created in the last 1 months======

2009-09-23 22:01:49 ----D---- C:\rsit
2009-09-23 22:01:49 ----D---- C:\Program Files (x86)\trend micro
2009-09-07 22:27:25 ----A---- C:\Windows\ads.ini

======List of files/folders modified in the last 1 months======

2009-09-23 22:18:46 ----D---- C:\Windows\Prefetch
2009-09-23 22:03:41 ----D---- C:\Windows\Temp
2009-09-23 22:01:49 ----RD---- C:\Program Files (x86)
2009-09-23 19:40:15 ----HD---- C:\$AVG8.VAULT$
2009-09-23 18:31:29 ----SHD---- C:\System Volume Information
2009-09-23 01:14:56 ----A---- C:\Windows\RTacDbg.txt
2009-09-23 00:57:52 ----D---- C:\Windows\System32
2009-09-23 00:56:00 ----D---- C:\Windows
2009-09-11 23:00:10 ----D---- C:\Program Files (x86)\FTP Commander
2009-09-08 17:13:20 ----D---- C:\Windows\winsxs
2009-09-07 21:48:32 ----D---- C:\Windows\SysWOW64

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx64;AVG Free AVI Loader Driver x64; C:\Windows\System32\Drivers\avgldx64.sys []
R1 AvgMfx64;AVG Free On-access Scanner Minifilter Driver x64; C:\Windows\System32\Drivers\avgmfx64.sys []
R1 AvgTdiA;AVG8 Network Redirector; C:\Windows\System32\Drivers\avgtdia.sys []
R3 Dot4;MS IEEE-1284.4 Driver; C:\Windows\system32\DRIVERS\Dot4.sys []
R3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\Windows\system32\DRIVERS\Dot4Prt.sys []
R3 dot4usb;MS Dot4USB Filter Dot4USB Filter; C:\Windows\system32\DRIVERS\dot4usb.sys []
R3 gdrv;gdrv; \??\C:\Windows\gdrv.sys [2009-09-23 24072]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys []
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHD64.sys []
R3 ksthunk;Kernel Streaming Thunks; C:\Windows\system32\drivers\ksthunk.sys []
R3 motccgp;Motorola USB Composite Device Driver; C:\Windows\system32\DRIVERS\motccgp.sys []
R3 motccgpfl;MotCcgpFlService; C:\Windows\system32\DRIVERS\motccgpfl.sys []
R3 motmodem;Motorola USB CDC ACM Driver; C:\Windows\system32\DRIVERS\motmodem.sys []
R3 motport;Motorola USB Diagnostic Port; C:\Windows\system32\DRIVERS\motport.sys []
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys []
R3 Point64;Microsoft IntelliPoint Filter Driver; C:\Windows\system32\DRIVERS\point64k.sys []
R3 RTL8169;Realtek 8169 NT Driver; C:\Windows\system32\DRIVERS\Rtlh64.sys []
R3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver; C:\Windows\system32\DRIVERS\wg111v2.sys []
R3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys []
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys []
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys []
S3 GVTDrv64;GVTDrv64; \??\C:\Windows\GVTDrv64.sys [2009-01-03 30528]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys []
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys []
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys []
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys []
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys []
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys []
S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys []
S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys []
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Advantage;Advantage Database Server; C:\Program Files (x86)\Advantage 9.0\Server\ADS.EXE [2009-03-27 2895872]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 atashost;WebEx Service Host for Support Center; C:\Windows\SysWOW64\atashost.exe [2009-07-27 20376]
R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~2\AVG\AVG8\avgemc.exe [2009-09-05 908056]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~2\AVG\AVG8\avgwdsvc.exe [2009-09-05 297752]
R2 Bonjour Service;Bonjour Service; C:\Program Files (x86)\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 GEST Service;GEST Service for program management.; C:\Program Files (x86)\GIGABYTE\EnergySaver\GSvr.exe [2008-09-24 68136]
R2 hpqddsvc;HP CUE DeviceDiscovery Service; C:\Windows\system32\svchost.exe [2008-01-20 21504]
R2 HPSLPSVC;HP Network Devices Support; C:\Windows\system32\svchost.exe [2008-01-20 21504]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe [2008-01-24 73728]
R2 MSSQL$SQLEXPRESS;SQL Server (SQLEXPRESS); C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-24 29263712]
R2 NMSAccessU;NMSAccessU; C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe [2008-10-20 71096]
R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe []
R2 ProtexisLicensing;ProtexisLicensing; C:\Windows\SysWOW64\PSIService.exe [2007-06-05 177704]
R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe [2007-05-13 272024]
R2 SQLBrowser;SQL Server Browser; C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2008-11-24 239968]
R2 SQLWriter;SQL Server VSS Writer; C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2008-11-25 153952]
R3 hpqcxs08;hpqcxs08; C:\Windows\system32\svchost.exe [2008-01-20 21504]
S2 Net Driver HPZ12;Net Driver HPZ12; C:\Windows\System32\svchost.exe [2008-01-20 21504]
S2 Pml Driver HPZ12;Pml Driver HPZ12; C:\Windows\System32\svchost.exe [2008-01-20 21504]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64; C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2008-07-27 93184]
S3 gusvc;Google Updater Service; C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe []
S3 IDriverT;InstallDriver Table Manager; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 iPod Service;iPod Service; C:\Program Files (x86)\iPod\bin\iPodService.exe [2008-11-20 536872]
S3 NBService;NBService; C:\Program Files (x86)\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-09-17 800040]
S3 NMIndexingService;NMIndexingService; C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe [2007-06-27 279848]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 PerfHost;@%systemroot%\sysWow64\perfhost.exe,-2; C:\Windows\SysWow64\perfhost.exe [2008-01-20 19968]
S4 MSSQLServerADHelper;SQL Server Active Directory Helper; C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2008-11-24 45408]
S4 msvsmon90;Visual Studio 2008 Remote Debugger; C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe [2007-11-07 4466688]

-----------------EOF-----------------

Attached Files



BC AdBot (Login to Remove)

 


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:32 PM

Posted 24 September 2009 - 04:00 PM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.




We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy the log that opens up and paste it back here in your next reply.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 FloridaMark

FloridaMark
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:11:32 PM

Posted 24 September 2009 - 06:44 PM

Hi Sam...

Thanks for responding.

MBAM found three items and did require a reboot. I mentioned in my earlier post that the infected file quit showing up on my thumbdrive now when I plug it in but I figured I had some kind of infection that AVG was not catching because it kept showing up before.

The MBAM log info is...

Malwarebytes' Anti-Malware 1.41
Database version: 2857
Windows 6.0.6001 Service Pack 1

9/24/2009 7:25:21 PM
mbam-log-2009-09-24 (19-25-21).txt

Scan type: Quick Scan
Objects scanned: 86793
Time elapsed: 6 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Mark\Documents\downloads\svchost.xex (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\Users\Mark\Documents\downloads\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:32 PM

Posted 25 September 2009 - 07:23 AM

I also need to see the OTL report please.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 FloridaMark

FloridaMark
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:11:32 PM

Posted 25 September 2009 - 08:18 AM

Opps... duh.

I was so pleased with the MBAM that I overlooked the OTL.

Here it is...

OTL logfile created on: 9/25/2009 9:12:24 AM - Run 1
OTL by OldTimer - Version 3.0.14.0 Folder = C:\Users\Mark\Desktop
64bit-Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 1.53 Gb Available Physical Memory | 38.15% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 122.07 Gb Total Space | 19.77 Gb Free Space | 16.20% Space Free | Partition Type: NTFS
Drive D: | 75.66 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
Drive F: | 292.97 Gb Total Space | 263.36 Gb Free Space | 89.89% Space Free | Partition Type: NTFS
Drive G: | 516.47 Gb Total Space | 421.08 Gb Free Space | 81.53% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: IRON-MAN
Current User Name: Mark
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/03/27 16:56:00 | 02,895,872 | ---- | M] (iAnywhere Solutions, Inc.) -- C:\Program Files (x86)\Advantage 9.0\Server\ADS.EXE
PRC - [2008/11/07 15:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/07/27 16:45:56 | 00,020,376 | ---- | M] (WebEx Communications, Inc.) -- C:\Windows\SysWOW64\atashost.exe
PRC - [2009/09/05 23:43:31 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG8\avgwdsvc.exe
PRC - [2008/08/29 11:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Bonjour\mDNSResponder.exe
PRC - [2008/09/24 18:35:14 | 00,068,136 | ---- | M] () -- C:\Program Files (x86)\GIGABYTE\EnergySaver\GSvr.exe
PRC - [2008/01/24 13:36:22 | 00,073,728 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
PRC - [2008/11/24 23:31:10 | 29,263,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
PRC - [2008/10/20 22:18:26 | 00,071,096 | ---- | M] () -- C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe
PRC - [2007/06/05 14:20:32 | 00,177,704 | ---- | M] () -- C:\Windows\SysWOW64\PSIService.exe
PRC - [2007/05/13 22:54:36 | 00,272,024 | ---- | M] () -- C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe
PRC - [2008/11/24 23:31:08 | 00,239,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PRC - [2009/09/05 23:43:43 | 00,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG8\avgemc.exe
PRC - [2009/09/05 23:43:48 | 00,693,016 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG8\avgcsrvx.exe
PRC - [2008/12/10 23:32:17 | 00,039,408 | ---- | M] (Google Inc.) -- C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2006/06/06 13:10:26 | 01,085,440 | ---- | M] () -- C:\Program Files (x86)\NETGEAR\WG111v2\WG111v2.exe
PRC - [2009/09/05 23:43:36 | 02,007,832 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG8\avgtray.exe
PRC - [2009/01/30 09:26:04 | 01,790,056 | ---- | M] (Smith Micro Software, Inc.) -- C:\Program Files (x86)\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
PRC - [2009/03/06 02:06:00 | 12,707,696 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE
PRC - [2009/09/05 23:43:48 | 00,693,016 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG8\avgcsrvx.exe
PRC - [2009/04/24 12:08:04 | 00,634,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Internet Explorer\iexplore.exe
PRC - [2008/10/16 18:26:40 | 00,116,016 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
PRC - [2009/04/24 12:08:04 | 00,634,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Internet Explorer\iexplore.exe
PRC - [2009/04/17 03:35:18 | 00,408,424 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
PRC - [2009/09/05 23:43:48 | 00,693,016 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG8\avgcsrvx.exe
PRC - [2008/11/13 10:33:54 | 00,097,128 | ---- | M] (Microsoft Corp.) -- C:\Program Files (x86)\Microsoft\Office Live\OfficeLiveSignIn.exe
PRC - [2009/09/25 09:09:00 | 00,514,560 | ---- | M] (OldTimer Tools) -- C:\Users\Mark\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV:64bit: - [2007/11/07 10:11:22 | 04,466,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe -- (msvsmon90 [Disabled | Stopped])
SRV:64bit: - [2008/11/25 12:45:40 | 00,153,952 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter [Auto | Running])
SRV:64bit: - [2008/01/20 22:47:32 | 00,383,544 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\mpsvc.dll -- (WinDefend [Auto | Running])
SRV:64bit: - [2008/01/20 22:52:15 | 01,216,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [On_Demand | Running])
SRV - [2009/03/27 16:56:00 | 02,895,872 | ---- | M] (iAnywhere Solutions, Inc.) -- C:\Program Files (x86)\Advantage 9.0\Server\ADS.EXE -- (Advantage [Auto | Running])
SRV - [2008/11/07 15:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2009/07/27 16:45:56 | 00,020,376 | ---- | M] (WebEx Communications, Inc.) -- C:\Windows\SysWOW64\atashost.exe -- (atashost [Auto | Running])
SRV - [2009/09/05 23:43:43 | 00,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG8\avgemc.exe -- (avg8emc [Auto | Running])
SRV - [2009/09/05 23:43:31 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Running])
SRV - [2008/08/29 11:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2008/07/27 14:03:13 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/07/27 14:01:49 | 00,093,184 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_64 [On_Demand | Stopped])
SRV - [2008/01/20 22:51:36 | 00,344,064 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehRecvr.exe -- (ehRecvr [On_Demand | Stopped])
SRV - [2008/01/20 22:51:36 | 00,153,600 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehsched.exe -- (ehSched [On_Demand | Stopped])
SRV - [2006/11/02 11:03:48 | 00,015,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehstart.dll -- (ehstart [Auto | Stopped])
SRV - [2008/06/19 21:17:12 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/09/24 18:35:14 | 00,068,136 | ---- | M] () -- C:\Program Files (x86)\GIGABYTE\EnergySaver\GSvr.exe -- (GEST Service [Auto | Running])
SRV - [2008/10/16 19:23:30 | 00,217,088 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files (x86)\HP\Digital Imaging\bin\hpqcxs08.dll -- (hpqcxs08 [On_Demand | Running])
SRV - [2008/10/16 19:24:24 | 00,135,168 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files (x86)\HP\Digital Imaging\bin\hpqddsvc.dll -- (hpqddsvc [Auto | Running])
SRV - [2008/10/16 19:31:12 | 00,906,752 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL -- (HPSLPSVC [Auto | Running])
SRV - [2005/04/04 01:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2008/06/19 21:16:53 | 00,859,648 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2008/11/20 14:20:44 | 00,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Stopped])
SRV - [2006/11/02 05:46:05 | 00,018,944 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\keyiso.dll -- (KeyIso [On_Demand | Running])
SRV - [2008/01/24 13:36:22 | 00,073,728 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService [Auto | Running])
SRV - [2006/11/02 09:34:14 | 00,000,000 | ---D | M] -- C:\Windows\SysWow64\Msdtc -- (MSDTC [Unknown | Stopped])
SRV - [2008/11/24 23:31:10 | 29,263,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$SQLEXPRESS [Auto | Running])
SRV - [2008/11/24 23:31:08 | 00,045,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper [Disabled | Stopped])
SRV - [2007/09/17 10:36:18 | 00,800,040 | ---- | M] (Nero AG) -- C:\Program Files (x86)\Nero\Nero 7\Nero BackItUp\NBService.exe -- (NBService [On_Demand | Stopped])
SRV - [2008/01/20 22:48:28 | 00,592,384 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\netlogon.dll -- (Netlogon [On_Demand | Stopped])
SRV - [2007/06/27 19:04:00 | 00,279,848 | ---- | M] (Nero AG) -- C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe -- (NMIndexingService [On_Demand | Stopped])
SRV - [2008/10/20 22:18:26 | 00,071,096 | ---- | M] () -- C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe -- (NMSAccessU [Auto | Running])
SRV - [2008/11/04 01:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
SRV - [2006/10/26 15:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2007/06/05 14:20:32 | 00,177,704 | ---- | M] () -- C:\Windows\SysWOW64\PSIService.exe -- (ProtexisLicensing [Auto | Running])
SRV - [2007/05/13 22:54:36 | 00,272,024 | ---- | M] () -- C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe -- (RichVideo [Auto | Running])
SRV - [2008/11/24 23:31:08 | 00,239,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser [Auto | Running])
SRV - [2006/11/02 02:35:15 | 00,060,994 | ---- | M] () -- C:\Windows\SysWow64\Wbem\vds.mof -- (vds [On_Demand | Stopped])
SRV - [2006/11/02 02:35:15 | 00,055,846 | ---- | M] () -- C:\Windows\SysWow64\Wbem\vss.mof -- (VSS [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV:64bit: - [2009/09/05 23:43:49 | 00,427,016 | ---- | M] () -- C:\Windows\SysNative\Drivers\avgldx64.sys -- (AvgLdx64 [System | Running])
DRV:64bit: - [2009/09/05 23:43:51 | 00,033,416 | ---- | M] () -- C:\Windows\SysNative\Drivers\avgmfx64.sys -- (AvgMfx64 [System | Running])
DRV:64bit: - [2009/05/17 09:51:59 | 00,133,640 | ---- | M] () -- C:\Windows\SysNative\Drivers\avgtdia.sys -- (AvgTdiA [System | Running])
DRV:64bit: - [2008/04/17 14:12:54 | 00,019,304 | ---- | M] () -- C:\Windows\SysNative\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV:64bit: - [2006/11/02 01:28:10 | 00,273,920 | ---- | M] () -- C:\Windows\SysNative\drivers\HdAudio.sys -- (HdAudAddService [On_Demand | Stopped])
DRV:64bit: - [2008/08/22 00:50:32 | 00,019,456 | ---- | M] () -- C:\Windows\SysNative\DRIVERS\motccgp.sys -- (motccgp [On_Demand | Running])
DRV:64bit: - [2008/08/22 00:50:02 | 00,009,216 | ---- | M] () -- C:\Windows\SysNative\DRIVERS\motccgpfl.sys -- (motccgpfl [On_Demand | Running])
DRV:64bit: - [2007/06/20 20:57:36 | 00,029,184 | ---- | M] () -- C:\Windows\SysNative\DRIVERS\motmodem.sys -- (motmodem [On_Demand | Running])
DRV:64bit: - [2007/06/20 20:57:40 | 00,029,184 | ---- | M] () -- C:\Windows\SysNative\DRIVERS\motport.sys -- (motport [On_Demand | Running])
DRV:64bit: - [2008/06/10 16:04:27 | 00,036,424 | ---- | M] () -- C:\Windows\SysNative\DRIVERS\point64k.sys -- (Point64 [On_Demand | Running])
DRV:64bit: - [2007/06/25 06:37:14 | 00,108,032 | ---- | M] () -- C:\Windows\SysNative\DRIVERS\Rtlh64.sys -- (RTL8169 [On_Demand | Running])
DRV:64bit: - [2007/12/26 03:46:26 | 00,340,992 | ---- | M] () -- C:\Windows\SysNative\DRIVERS\wg111v2.sys -- (RTL8187 [On_Demand | Running])
DRV:64bit: - [2008/01/20 22:47:28 | 00,046,080 | ---- | M] () -- C:\Windows\SysNative\DRIVERS\wpdusb.sys -- (WpdUsb [On_Demand | Stopped])
DRV - [2009/09/24 19:36:31 | 00,024,072 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\Windows\gdrv.sys -- (gdrv [On_Demand | Running])
DRV - [2009/01/03 09:45:49 | 00,030,528 | ---- | M] () -- C:\Windows\GVTDrv64.sys -- (GVTDrv64 [On_Demand | Stopped])
DRV - [2006/09/18 17:35:23 | 00,001,088 | ---- | M] () -- C:\Windows\SysWow64\Wbem\mpsdrv.mof -- (mpsdrv [On_Demand | Running])
DRV - [2006/09/18 17:36:40 | 00,003,066 | ---- | M] () -- C:\Windows\SysWow64\Wbem\tcpip.mof -- (Tcpip [Boot | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1599347378-186534776-3278552042-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKU\S-1-5-21-1599347378-186534776-3278552042-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKU\S-1-5-21-1599347378-186534776-3278552042-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1599347378-186534776-3278552042-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-1599347378-186534776-3278552042-1000\S-1-5-21-1599347378-186534776-3278552042-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/07/04 14:36:30 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2 [2009/05/04 21:20:34 | 00,000,000 | ---D | M]


O1 HOSTS File: (761 bytes) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files (x86)\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKU\S-1-5-21-1599347378-186534776-3278552042-1000\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O4:64bit: - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files (x86)\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.DLL (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.DLL (Microsoft Corporation)
O4 - HKU\S-1-5-21-1599347378-186534776-3278552042-1000..\Run: [swg] C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKU\S-1-5-21-1599347378-186534776-3278552042-1000..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe File not found
O4 - Startup: C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VZAccess Manager.lnk = C:\Program Files (x86)\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe (Smith Micro Software, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceActiveDesktopOn = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O8:64bit: - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files (x86)\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Windows\SysNative\NLAapi.dll ()
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\Windows\SysNative\napinsp.dll ()
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\Windows\SysNative\pnrpnsp.dll ()
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Windows\SysNative\pnrpnsp.dll ()
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Windows\SysNative\mswsock.dll ()
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Windows\SysNative\winrnr.dll ()
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\SysNative\mswsock.dll ()
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\SysNative\mswsock.dll ()
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\SysNative\mswsock.dll ()
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\SysNative\mswsock.dll ()
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\SysNative\mswsock.dll ()
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\SysNative\mswsock.dll ()
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\SysNative\mswsock.dll ()
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\SysNative\mswsock.dll ()
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Windows\SysNative\mswsock.dll ()
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Windows\SysNative\mswsock.dll ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Windows\SysWow64\NLAapi.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\Windows\SysWow64\napinsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\Windows\SysWow64\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Windows\SysWow64\pnrpnsp.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/8/b...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} http://postitem.auctionarms.com/ImageUploader5.cab (Image Uploader Control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://ndcsupport.webex.com/client/T26L/su...rt/ieatgpc1.cab (GpcContainer Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18:64bit: - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll ()
O18:64bit: - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\Windows\SysNative\urlmon.dll ()
O18:64bit: - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\Windows\SysNative\msvidctl.dll ()
O18:64bit: - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll ()
O18:64bit: - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll ()
O18:64bit: - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll ()
O18:64bit: - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll ()
O18:64bit: - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\SysNative\itss.dll ()
O18:64bit: - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll ()
O18:64bit: - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll ()
O18:64bit: - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll ()
O18:64bit: - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\Windows\SysNative\inetcomm.dll ()
O18:64bit: - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll ()
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\SysNative\itss.dll ()
O18:64bit: - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll ()
O18:64bit: - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\Windows\SysNative\msvidctl.dll ()
O18:64bit: - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll ()
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files (x86)\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18:64bit: - Protocol\Filter: - application/octet-stream - C:\Windows\SysNative\mscoree.dll ()
O18:64bit: - Protocol\Filter: - application/x-complus - C:\Windows\SysNative\mscoree.dll ()
O18:64bit: - Protocol\Filter: - application/x-msdownload - C:\Windows\SysNative\mscoree.dll ()
O18:64bit: - Protocol\Filter: - deflate - C:\Windows\SysNative\urlmon.dll ()
O18:64bit: - Protocol\Filter: - gzip - C:\Windows\SysNative\urlmon.dll ()
O18:64bit: - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O18:64bit: - Protocol\Filter: - x-sdch - Reg Error: Key error. File not found
O18 - Protocol\Filter: - text/xml - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - x-sdch - C:\Program Files (x86)\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O20:64bit: - AppInit_DLLs: (avgrssta.dll) - C:\Windows\SysNative\avgrssta.dll ()
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (RtlGina2.dll) - C:\Windows\SysWow64\RtlGina2.dll ()
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/12/27 21:36:00 | 00,000,049 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{47ec92b8-c6d8-11dd-863b-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{47ec92b8-c6d8-11dd-863b-806e6f6e6963}\Shell\AutoRun\command - "" = D:\SOAPWAREDEMO.EXE -- [2008/06/05 21:40:00 | 00,843,776 | R--- | M] (Timo Haberkern)
O33 - MountPoints2\{484ee695-c7e4-11dd-bf72-f22976b60403}\Shell\AutoRun\command - "" = E:\Launch.exe -- File not found
O33 - MountPoints2\{d0084261-cc48-11dd-8160-a173e04adabb}\Shell\AutoRun\command - "" = BOOTEX\thumbcache_131.exe
O33 - MountPoints2\{d0084261-cc48-11dd-8160-a173e04adabb}\Shell\explore\command - "" = BOOTEX/thumbcache_131.exe
O33 - MountPoints2\{d0084261-cc48-11dd-8160-a173e04adabb}\Shell\open\command - "" = .////BOOTEX/thumbcache_131.exe
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\Launch.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\Windows\SysWow64\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/09/25 09:11:38 | 00,514,560 | ---- | C] (OldTimer Tools) -- C:\Users\Mark\Desktop\OTL.exe
[2009/09/24 19:10:47 | 00,000,000 | ---D | C] -- C:\Users\Mark\AppData\Roaming\Malwarebytes
[2009/09/24 19:10:45 | 00,000,848 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/09/24 19:10:42 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2009/09/24 19:10:41 | 00,022,104 | ---- | C] () -- C:\Windows\SysNative\drivers\mbam.sys
[2009/09/24 19:10:41 | 00,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2009/09/24 19:10:41 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2009/09/24 19:09:11 | 03,942,048 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Mark\Desktop\mbam-setup.exe
[2009/09/23 22:01:49 | 00,000,000 | ---D | C] -- C:\rsit
[2009/09/23 22:01:49 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\trend micro
[2009/09/23 22:00:36 | 00,781,909 | ---- | C] () -- C:\Users\Mark\Desktop\RSIT.exe
[2009/09/23 21:57:47 | 00,000,000 | ---D | C] -- C:\Users\Mark\AppData\Local\Runscanner.net
[2009/09/23 21:56:20 | 01,643,776 | ---- | C] (Runscanner.net) -- C:\Users\Mark\Desktop\RunScanner.exe
[2009/09/23 00:48:48 | 00,000,182 | ---- | C] () -- C:\Users\Mark\Desktop\Download Dr.Web CureIt! Free anti-virus scanner, cures computers viruses..url
[2009/09/23 00:48:41 | 00,000,188 | ---- | C] () -- C:\Users\Mark\Desktop\SUPERAntiSpyware.com Remove Malware Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!.url
[2009/09/21 21:32:33 | 65,743,511 | ---- | C] () -- C:\Users\Mark\Desktop\SOAPware demo.zip
[2009/09/21 21:24:37 | 00,057,856 | ---- | C] () -- C:\Users\Mark\Documents\Mark Beans Memo-Original.doc
[2009/09/17 08:42:19 | 00,004,997 | ---- | C] () -- C:\Users\Mark\Desktop\QuickBooks Test-091709.iif
[2009/09/17 08:35:29 | 00,000,223 | ---- | C] () -- C:\Users\Mark\Desktop\A guide and tutorial on using ComboFix.url
[2009/09/07 22:27:25 | 00,000,336 | ---- | C] () -- C:\Windows\ads.ini
[2009/08/27 00:18:42 | 00,038,436 | ---- | C] () -- C:\Users\Mark\AppData\Roaming\Comma Separated Values (Windows).ADR
[2009/08/27 00:18:36 | 00,505,188 | ---- | C] () -- C:\Users\Mark\Documents\Mark's Contacts.CSV
[2009/05/13 00:00:00 | 00,014,056 | ---- | C] () -- C:\Windows\vmdcr.dll
[2009/05/11 00:00:00 | 00,014,056 | ---- | C] () -- C:\Windows\amcdr.dll
[2009/05/02 00:00:00 | 00,014,056 | ---- | C] () -- C:\Windows\SysWow64\jrdgl.dll
[2009/04/29 00:00:00 | 00,014,056 | ---- | C] () -- C:\Windows\SysWow64\rkeyds.sys
[2009/04/27 00:00:00 | 00,014,056 | ---- | C] () -- C:\Windows\SysWow64\emlks.dll
[2009/02/20 02:38:28 | 00,000,510 | ---- | C] () -- C:\Windows\WORDPAD.INI
[2009/01/31 20:24:02 | 00,002,828 | -HS- | C] () -- C:\Windows\SysWow64\KGyGaAvL.sys
[2009/01/31 20:24:02 | 00,000,088 | RHS- | C] () -- C:\Windows\SysWow64\3312FDD298.sys
[2008/12/16 00:35:41 | 00,000,069 | ---- | C] () -- C:\Windows\NeroDigital.ini
[2008/12/13 09:16:23 | 00,005,254 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2008/12/10 12:21:03 | 00,000,272 | ---- | C] () -- C:\Windows\lgfwup.ini
[2008/12/10 12:10:56 | 00,030,528 | ---- | C] () -- C:\Windows\GVTDrv64.sys
[2008/12/10 12:01:22 | 00,000,010 | ---- | C] () -- C:\Windows\GSetup.ini
[2008/11/21 17:47:52 | 03,596,288 | ---- | C] () -- C:\Windows\SysWow64\qt-dx331.dll
[2008/11/21 17:45:16 | 00,000,416 | ---- | C] () -- C:\Windows\SysWow64\dtu100.dll.manifest
[2008/11/21 17:45:16 | 00,000,416 | ---- | C] () -- C:\Windows\SysWow64\dpl100.dll.manifest
[2008/11/21 17:44:16 | 00,012,288 | ---- | C] () -- C:\Windows\SysWow64\DivXWMPExtType.dll
[2008/06/11 10:02:34 | 00,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelTraditionalChinese.dll
[2008/06/11 10:02:34 | 00,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSwedish.dll
[2008/06/11 10:02:34 | 00,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSpanish.dll
[2008/06/11 10:02:34 | 00,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSimplifiedChinese.dll
[2008/06/11 10:02:34 | 00,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelPortugese.dll
[2008/06/11 10:02:34 | 00,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelKorean.dll
[2008/06/11 10:02:32 | 00,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelJapanese.dll
[2008/06/11 10:02:32 | 00,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelGerman.dll
[2008/06/11 10:02:32 | 00,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelFrench.dll
[2008/06/05 09:58:26 | 00,197,912 | ---- | C] () -- C:\Windows\SysWow64\physxcudart_20.dll
[2008/01/20 22:50:05 | 00,060,124 | ---- | C] () -- C:\Windows\SysWow64\tcpmon.ini
[2008/01/20 22:49:49 | 00,368,640 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2006/11/02 08:34:27 | 00,000,254 | ---- | C] () -- C:\Windows\win.ini
[2006/11/02 08:34:27 | 00,000,219 | ---- | C] () -- C:\Windows\system.ini
[2006/05/03 18:44:32 | 00,036,864 | ---- | C] () -- C:\Windows\SysWow64\RtlGina2.dll
[2003/08/07 15:01:50 | 00,237,568 | ---- | C] () -- C:\Windows\SysWow64\lame_enc.dll

========== Files - Modified Within 30 Days ==========

[2009/09/25 09:10:01 | 00,000,416 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{27EEEB8D-747E-4B5D-9DB3-02DA4EFBECA6}.job
[2009/09/25 09:09:00 | 00,514,560 | ---- | M] (OldTimer Tools) -- C:\Users\Mark\Desktop\OTL.exe
[2009/09/25 07:42:56 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/09/24 21:36:29 | 00,003,840 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2009/09/24 21:36:29 | 00,003,840 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2009/09/24 19:42:19 | 02,836,560 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2009/09/24 19:42:19 | 00,880,610 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2009/09/24 19:42:19 | 00,005,270 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2009/09/24 19:37:18 | 00,002,111 | ---- | M] () -- C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VZAccess Manager.lnk
[2009/09/24 19:36:31 | 00,024,072 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\Windows\gdrv.sys
[2009/09/24 19:36:29 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/09/24 19:10:45 | 00,000,848 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/09/24 18:59:17 | 41,731,982 | ---- | M] () -- C:\Windows\SysNative\drivers\Avg\incavi.avm
[2009/09/23 21:59:33 | 00,781,909 | ---- | M] () -- C:\Users\Mark\Desktop\RSIT.exe
[2009/09/23 01:08:17 | 00,046,264 | ---- | M] () -- C:\ADS_ERR.ADT
[2009/09/23 01:08:17 | 00,004,096 | ---- | M] () -- C:\ADS_ERR.ADI
[2009/09/23 00:50:42 | 04,158,700 | -H-- | M] () -- C:\Users\Mark\AppData\Local\IconCache.db
[2009/09/23 00:48:48 | 00,000,182 | ---- | M] () -- C:\Users\Mark\Desktop\Download Dr.Web CureIt! Free anti-virus scanner, cures computers viruses..url
[2009/09/23 00:48:41 | 00,000,188 | ---- | M] () -- C:\Users\Mark\Desktop\SUPERAntiSpyware.com Remove Malware Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!.url
[2009/09/23 00:44:14 | 00,008,547 | ---- | M] () -- C:\ADS_ERR.adm
[2009/09/22 16:28:02 | 00,000,336 | ---- | M] () -- C:\Windows\ads.ini
[2009/09/22 16:25:47 | 00,002,828 | -HS- | M] () -- C:\Windows\SysWow64\KGyGaAvL.sys
[2009/09/21 21:32:33 | 65,743,511 | ---- | M] () -- C:\Users\Mark\Desktop\SOAPware demo.zip
[2009/09/21 21:24:37 | 00,057,856 | ---- | M] () -- C:\Users\Mark\Documents\Mark Beans Memo-Original.doc
[2009/09/21 19:25:41 | 00,112,900 | ---- | M] () -- C:\Windows\SysNative\drivers\Avg\microavi.avg
[2009/09/17 11:25:29 | 00,000,223 | ---- | M] () -- C:\Users\Mark\Desktop\A guide and tutorial on using ComboFix.url
[2009/09/17 08:42:19 | 00,004,997 | ---- | M] () -- C:\Users\Mark\Desktop\QuickBooks Test-091709.iif
[2009/09/16 11:19:00 | 01,643,776 | ---- | M] (Runscanner.net) -- C:\Users\Mark\Desktop\RunScanner.exe
[2009/09/11 22:27:56 | 00,024,576 | ---- | M] () -- C:\Users\Mark\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/09/10 14:54:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2009/09/10 14:53:52 | 00,022,104 | ---- | M] () -- C:\Windows\SysNative\drivers\mbam.sys
[2009/09/08 20:45:30 | 03,942,048 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Mark\Desktop\mbam-setup.exe
[2009/09/07 22:58:52 | 00,002,651 | ---- | M] () -- C:\Users\Mark\Desktop\Microsoft Office Word 2007.lnk
[2009/09/07 22:29:19 | 00,008,179 | ---- | M] () -- C:\ads_err.dbf
[2009/09/05 23:43:51 | 00,033,416 | ---- | M] () -- C:\Windows\SysNative\drivers\avgmfx64.sys
[2009/09/05 23:43:51 | 00,012,464 | ---- | M] () -- C:\Windows\SysNative\avgrssta.dll
[2009/09/05 23:43:49 | 00,427,016 | ---- | M] () -- C:\Windows\SysNative\drivers\avgldx64.sys
[2009/08/27 00:18:46 | 00,505,188 | ---- | M] () -- C:\Users\Mark\Documents\Mark's Contacts.CSV
[2009/08/27 00:18:42 | 00,038,436 | ---- | M] () -- C:\Users\Mark\AppData\Roaming\Comma Separated Values (Windows).ADR
< End of report >

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:32 PM

Posted 25 September 2009 - 06:01 PM

There we go! :(


Run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O33 - MountPoints2\{d0084261-cc48-11dd-8160-a173e04adabb}\Shell\AutoRun\command - "" = BOOTEX\thumbcache_131.exe
    O33 - MountPoints2\{d0084261-cc48-11dd-8160-a173e04adabb}\Shell\explore\command - "" = BOOTEX/thumbcache_131.exe
    O33 - MountPoints2\{d0084261-cc48-11dd-8160-a173e04adabb}\Shell\open\command - "" = .////BOOTEX/thumbcache_131.exe
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run and post a new OTL log.

Let me know how your computer is behaving now.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 FloridaMark

FloridaMark
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:11:32 PM

Posted 25 September 2009 - 10:31 PM

Sam-

After the reboot this is the log file displayed by OTL...

All processes killed
========== OTL ==========
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d0084261-cc48-11dd-8160-a173e04adabb}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d0084261-cc48-11dd-8160-a173e04adabb}\ not found.
File BOOTEX\thumbcache_131.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d0084261-cc48-11dd-8160-a173e04adabb}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d0084261-cc48-11dd-8160-a173e04adabb}\ not found.
File BOOTEX/thumbcache_131.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d0084261-cc48-11dd-8160-a173e04adabb}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d0084261-cc48-11dd-8160-a173e04adabb}\ not found.
File .////BOOTEX/thumbcache_131.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Mark
File delete failed. C:\Users\Mark\AppData\Local\Temp\~DF7DAC.tmp scheduled to be deleted on reboot.
File delete failed. C:\Users\Mark\AppData\Local\Temp\~DF7DB6.tmp scheduled to be deleted on reboot.
File delete failed. C:\Users\Mark\AppData\Local\Temp\~DF8C.tmp scheduled to be deleted on reboot.
File delete failed. C:\Users\Mark\AppData\Local\Temp\~DF96.tmp scheduled to be deleted on reboot.
File delete failed. C:\Users\Mark\AppData\Local\Temp\~DFD9.tmp scheduled to be deleted on reboot.
File delete failed. C:\Users\Mark\AppData\Local\Temp\~DFE3.tmp scheduled to be deleted on reboot.
->Temp folder emptied: 439283858 bytes
File delete failed. C:\Users\Mark\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 210409597 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
Windows Temp folder emptied: 13623884 bytes
RecycleBin emptied: 340489808 bytes

Total Files Cleaned = 957.34 mb


OTL by OldTimer - Version 3.0.14.0 log created on 09252009_231414

Files\Folders moved on Reboot...
File\Folder C:\Users\Mark\AppData\Local\Temp\~DF7DAC.tmp not found!
File\Folder C:\Users\Mark\AppData\Local\Temp\~DF7DB6.tmp not found!
File\Folder C:\Users\Mark\AppData\Local\Temp\~DF8C.tmp not found!
File\Folder C:\Users\Mark\AppData\Local\Temp\~DF96.tmp not found!
File\Folder C:\Users\Mark\AppData\Local\Temp\~DFD9.tmp not found!
File\Folder C:\Users\Mark\AppData\Local\Temp\~DFE3.tmp not found!

Registry entries deleted on Reboot...


As instructed I ran OTL again and here is the new log file...


OTL logfile created on: 9/25/2009 11:26:41 PM - Run 2
OTL by OldTimer - Version 3.0.14.0 Folder = C:\Users\Mark\Desktop
64bit-Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.61 Gb Available Physical Memory | 65.33% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 122.07 Gb Total Space | 20.14 Gb Free Space | 16.50% Space Free | Partition Type: NTFS
Drive D: | 75.94 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
Drive F: | 292.97 Gb Total Space | 263.57 Gb Free Space | 89.96% Space Free | Partition Type: NTFS
Drive G: | 516.47 Gb Total Space | 421.08 Gb Free Space | 81.53% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: IRON-MAN
Current User Name: Mark
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/03/27 16:56:00 | 02,895,872 | ---- | M] (iAnywhere Solutions, Inc.) -- C:\Program Files (x86)\Advantage 9.0\Server\ADS.EXE
PRC - [2008/11/07 15:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/07/27 16:45:56 | 00,020,376 | ---- | M] (WebEx Communications, Inc.) -- C:\Windows\SysWOW64\atashost.exe
PRC - [2009/09/05 23:43:31 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG8\avgwdsvc.exe
PRC - [2008/08/29 11:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Bonjour\mDNSResponder.exe
PRC - [2008/09/24 18:35:14 | 00,068,136 | ---- | M] () -- C:\Program Files (x86)\GIGABYTE\EnergySaver\GSvr.exe
PRC - [2008/01/24 13:36:22 | 00,073,728 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
PRC - [2008/11/24 23:31:10 | 29,263,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
PRC - [2008/10/20 22:18:26 | 00,071,096 | ---- | M] () -- C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe
PRC - [2007/06/05 14:20:32 | 00,177,704 | ---- | M] () -- C:\Windows\SysWOW64\PSIService.exe
PRC - [2007/05/13 22:54:36 | 00,272,024 | ---- | M] () -- C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe
PRC - [2008/11/24 23:31:08 | 00,239,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PRC - [2009/09/05 23:43:43 | 00,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG8\avgemc.exe
PRC - [2009/09/05 23:43:48 | 00,693,016 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG8\avgcsrvx.exe
PRC - [2008/12/10 23:32:17 | 00,039,408 | ---- | M] (Google Inc.) -- C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2006/06/06 13:10:26 | 01,085,440 | ---- | M] () -- C:\Program Files (x86)\NETGEAR\WG111v2\WG111v2.exe
PRC - [2009/01/30 09:26:04 | 01,790,056 | ---- | M] (Smith Micro Software, Inc.) -- C:\Program Files (x86)\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
PRC - [2009/09/05 23:43:36 | 02,007,832 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG8\avgtray.exe
PRC - [2009/04/24 12:08:04 | 00,634,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Internet Explorer\iexplore.exe
PRC - [2008/10/16 18:26:40 | 00,116,016 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
PRC - [2009/09/25 09:09:00 | 00,514,560 | ---- | M] (OldTimer Tools) -- C:\Users\Mark\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV:64bit: - [2007/11/07 10:11:22 | 04,466,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe -- (msvsmon90 [Disabled | Stopped])
SRV:64bit: - [2008/11/25 12:45:40 | 00,153,952 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter [Auto | Running])
SRV:64bit: - [2008/01/20 22:47:32 | 00,383,544 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\mpsvc.dll -- (WinDefend [Auto | Running])
SRV:64bit: - [2008/01/20 22:52:15 | 01,216,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [On_Demand | Running])
SRV - [2009/03/27 16:56:00 | 02,895,872 | ---- | M] (iAnywhere Solutions, Inc.) -- C:\Program Files (x86)\Advantage 9.0\Server\ADS.EXE -- (Advantage [Auto | Running])
SRV - [2008/11/07 15:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2009/07/27 16:45:56 | 00,020,376 | ---- | M] (WebEx Communications, Inc.) -- C:\Windows\SysWOW64\atashost.exe -- (atashost [Auto | Running])
SRV - [2009/09/05 23:43:43 | 00,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG8\avgemc.exe -- (avg8emc [Auto | Running])
SRV - [2009/09/05 23:43:31 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Running])
SRV - [2008/08/29 11:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2008/07/27 14:03:13 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/07/27 14:01:49 | 00,093,184 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_64 [On_Demand | Stopped])
SRV - [2008/01/20 22:51:36 | 00,344,064 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehRecvr.exe -- (ehRecvr [On_Demand | Stopped])
SRV - [2008/01/20 22:51:36 | 00,153,600 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehsched.exe -- (ehSched [On_Demand | Stopped])
SRV - [2006/11/02 11:03:48 | 00,015,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehstart.dll -- (ehstart [Auto | Stopped])
SRV - [2008/06/19 21:17:12 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/09/24 18:35:14 | 00,068,136 | ---- | M] () -- C:\Program Files (x86)\GIGABYTE\EnergySaver\GSvr.exe -- (GEST Service [Auto | Running])
SRV - [2008/10/16 19:23:30 | 00,217,088 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files (x86)\HP\Digital Imaging\bin\hpqcxs08.dll -- (hpqcxs08 [On_Demand | Running])
SRV - [2008/10/16 19:24:24 | 00,135,168 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files (x86)\HP\Digital Imaging\bin\hpqddsvc.dll -- (hpqddsvc [Auto | Running])
SRV - [2008/10/16 19:31:12 | 00,906,752 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL -- (HPSLPSVC [Auto | Running])
SRV - [2005/04/04 01:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2008/06/19 21:16:53 | 00,859,648 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2008/11/20 14:20:44 | 00,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Stopped])
SRV - [2006/11/02 05:46:05 | 00,018,944 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\keyiso.dll -- (KeyIso [On_Demand | Running])
SRV - [2008/01/24 13:36:22 | 00,073,728 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService [Auto | Running])
SRV - [2006/11/02 09:34:14 | 00,000,000 | ---D | M] -- C:\Windows\SysWow64\Msdtc -- (MSDTC [Unknown | Stopped])
SRV - [2008/11/24 23:31:10 | 29,263,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$SQLEXPRESS [Auto | Running])
SRV - [2008/11/24 23:31:08 | 00,045,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper [Disabled | Stopped])
SRV - [2007/09/17 10:36:18 | 00,800,040 | ---- | M] (Nero AG) -- C:\Program Files (x86)\Nero\Nero 7\Nero BackItUp\NBService.exe -- (NBService [On_Demand | Stopped])
SRV - [2008/01/20 22:48:28 | 00,592,384 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\netlogon.dll -- (Netlogon [On_Demand | Stopped])
SRV - [2007/06/27 19:04:00 | 00,279,848 | ---- | M] (Nero AG) -- C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe -- (NMIndexingService [On_Demand | Stopped])
SRV - [2008/10/20 22:18:26 | 00,071,096 | ---- | M] () -- C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe -- (NMSAccessU [Auto | Running])
SRV - [2008/11/04 01:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
SRV - [2006/10/26 15:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2007/06/05 14:20:32 | 00,177,704 | ---- | M] () -- C:\Windows\SysWOW64\PSIService.exe -- (ProtexisLicensing [Auto | Running])
SRV - [2007/05/13 22:54:36 | 00,272,024 | ---- | M] () -- C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe -- (RichVideo [Auto | Running])
SRV - [2008/11/24 23:31:08 | 00,239,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser [Auto | Running])
SRV - [2006/11/02 02:35:15 | 00,060,994 | ---- | M] () -- C:\Windows\SysWow64\Wbem\vds.mof -- (vds [On_Demand | Stopped])
SRV - [2006/11/02 02:35:15 | 00,055,846 | ---- | M] () -- C:\Windows\SysWow64\Wbem\vss.mof -- (VSS [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV:64bit: - [2009/09/05 23:43:49 | 00,427,016 | ---- | M] () -- C:\Windows\SysNative\Drivers\avgldx64.sys -- (AvgLdx64 [System | Running])
DRV:64bit: - [2009/09/05 23:43:51 | 00,033,416 | ---- | M] () -- C:\Windows\SysNative\Drivers\avgmfx64.sys -- (AvgMfx64 [System | Running])
DRV:64bit: - [2009/05/17 09:51:59 | 00,133,640 | ---- | M] () -- C:\Windows\SysNative\Drivers\avgtdia.sys -- (AvgTdiA [System | Running])
DRV:64bit: - [2008/04/17 14:12:54 | 00,019,304 | ---- | M] () -- C:\Windows\SysNative\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV:64bit: - [2006/11/02 01:28:10 | 00,273,920 | ---- | M] () -- C:\Windows\SysNative\drivers\HdAudio.sys -- (HdAudAddService [On_Demand | Stopped])
DRV:64bit: - [2008/08/22 00:50:32 | 00,019,456 | ---- | M] () -- C:\Windows\SysNative\DRIVERS\motccgp.sys -- (motccgp [On_Demand | Running])
DRV:64bit: - [2008/08/22 00:50:02 | 00,009,216 | ---- | M] () -- C:\Windows\SysNative\DRIVERS\motccgpfl.sys -- (motccgpfl [On_Demand | Running])
DRV:64bit: - [2007/06/20 20:57:36 | 00,029,184 | ---- | M] () -- C:\Windows\SysNative\DRIVERS\motmodem.sys -- (motmodem [On_Demand | Running])
DRV:64bit: - [2007/06/20 20:57:40 | 00,029,184 | ---- | M] () -- C:\Windows\SysNative\DRIVERS\motport.sys -- (motport [On_Demand | Running])
DRV:64bit: - [2008/06/10 16:04:27 | 00,036,424 | ---- | M] () -- C:\Windows\SysNative\DRIVERS\point64k.sys -- (Point64 [On_Demand | Running])
DRV:64bit: - [2007/06/25 06:37:14 | 00,108,032 | ---- | M] () -- C:\Windows\SysNative\DRIVERS\Rtlh64.sys -- (RTL8169 [On_Demand | Running])
DRV:64bit: - [2007/12/26 03:46:26 | 00,340,992 | ---- | M] () -- C:\Windows\SysNative\DRIVERS\wg111v2.sys -- (RTL8187 [On_Demand | Running])
DRV:64bit: - [2008/01/20 22:47:28 | 00,046,080 | ---- | M] () -- C:\Windows\SysNative\DRIVERS\wpdusb.sys -- (WpdUsb [On_Demand | Stopped])
DRV - [2009/09/25 23:17:53 | 00,024,072 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\Windows\gdrv.sys -- (gdrv [On_Demand | Running])
DRV - [2009/01/03 09:45:49 | 00,030,528 | ---- | M] () -- C:\Windows\GVTDrv64.sys -- (GVTDrv64 [On_Demand | Stopped])
DRV - [2006/09/18 17:35:23 | 00,001,088 | ---- | M] () -- C:\Windows\SysWow64\Wbem\mpsdrv.mof -- (mpsdrv [On_Demand | Running])
DRV - [2006/09/18 17:36:40 | 00,003,066 | ---- | M] () -- C:\Windows\SysWow64\Wbem\tcpip.mof -- (Tcpip [Boot | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1599347378-186534776-3278552042-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKU\S-1-5-21-1599347378-186534776-3278552042-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKU\S-1-5-21-1599347378-186534776-3278552042-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1599347378-186534776-3278552042-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-1599347378-186534776-3278552042-1000\S-1-5-21-1599347378-186534776-3278552042-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/07/04 14:36:30 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2 [2009/05/04 21:20:34 | 00,000,000 | ---D | M]


O1 HOSTS File: (761 bytes) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files (x86)\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKU\S-1-5-21-1599347378-186534776-3278552042-1000\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O4:64bit: - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files (x86)\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.DLL (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.DLL (Microsoft Corporation)
O4 - HKU\S-1-5-21-1599347378-186534776-3278552042-1000..\Run: [swg] C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKU\S-1-5-21-1599347378-186534776-3278552042-1000..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe File not found
O4 - Startup: C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VZAccess Manager.lnk = C:\Program Files (x86)\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe (Smith Micro Software, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceActiveDesktopOn = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O8:64bit: - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files (x86)\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Windows\SysNative\NLAapi.dll ()
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\Windows\SysNative\napinsp.dll ()
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\Windows\SysNative\pnrpnsp.dll ()
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Windows\SysNative\pnrpnsp.dll ()
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Windows\SysNative\mswsock.dll ()
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Windows\SysNative\winrnr.dll ()
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\SysNative\mswsock.dll ()
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\SysNative\mswsock.dll ()
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\SysNative\mswsock.dll ()
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\SysNative\mswsock.dll ()
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\SysNative\mswsock.dll ()
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\SysNative\mswsock.dll ()
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\SysNative\mswsock.dll ()
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\SysNative\mswsock.dll ()
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Windows\SysNative\mswsock.dll ()
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Windows\SysNative\mswsock.dll ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Windows\SysWow64\NLAapi.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\Windows\SysWow64\napinsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\Windows\SysWow64\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Windows\SysWow64\pnrpnsp.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/8/b...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} http://postitem.auctionarms.com/ImageUploader5.cab (Image Uploader Control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://ndcsupport.webex.com/client/T26L/su...rt/ieatgpc1.cab (GpcContainer Class)
O18:64bit: - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll ()
O18:64bit: - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\Windows\SysNative\urlmon.dll ()
O18:64bit: - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\Windows\SysNative\msvidctl.dll ()
O18:64bit: - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll ()
O18:64bit: - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll ()
O18:64bit: - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll ()
O18:64bit: - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll ()
O18:64bit: - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\SysNative\itss.dll ()
O18:64bit: - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll ()
O18:64bit: - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll ()
O18:64bit: - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll ()
O18:64bit: - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\Windows\SysNative\inetcomm.dll ()
O18:64bit: - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll ()
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\SysNative\itss.dll ()
O18:64bit: - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll ()
O18:64bit: - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\Windows\SysNative\msvidctl.dll ()
O18:64bit: - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll ()
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files (x86)\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18:64bit: - Protocol\Filter: - application/octet-stream - C:\Windows\SysNative\mscoree.dll ()
O18:64bit: - Protocol\Filter: - application/x-complus - C:\Windows\SysNative\mscoree.dll ()
O18:64bit: - Protocol\Filter: - application/x-msdownload - C:\Windows\SysNative\mscoree.dll ()
O18:64bit: - Protocol\Filter: - deflate - C:\Windows\SysNative\urlmon.dll ()
O18:64bit: - Protocol\Filter: - gzip - C:\Windows\SysNative\urlmon.dll ()
O18:64bit: - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O18:64bit: - Protocol\Filter: - x-sdch - Reg Error: Key error. File not found
O18 - Protocol\Filter: - text/xml - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - x-sdch - C:\Program Files (x86)\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O20:64bit: - AppInit_DLLs: (avgrssta.dll) - C:\Windows\SysNative\avgrssta.dll ()
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (RtlGina2.dll) - C:\Windows\SysWow64\RtlGina2.dll ()
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/12/27 21:36:00 | 00,000,049 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{484ee695-c7e4-11dd-bf72-f22976b60403}\Shell\AutoRun\command - "" = E:\Launch.exe -- File not found
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\Launch.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\Windows\SysWow64\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/09/25 23:14:14 | 00,000,000 | ---D | C] -- C:\_OTL
[2009/09/25 09:11:38 | 00,514,560 | ---- | C] (OldTimer Tools) -- C:\Users\Mark\Desktop\OTL.exe
[2009/09/24 19:10:47 | 00,000,000 | ---D | C] -- C:\Users\Mark\AppData\Roaming\Malwarebytes
[2009/09/24 19:10:45 | 00,000,848 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/09/24 19:10:42 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2009/09/24 19:10:41 | 00,022,104 | ---- | C] () -- C:\Windows\SysNative\drivers\mbam.sys
[2009/09/24 19:10:41 | 00,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2009/09/24 19:10:41 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2009/09/24 19:09:11 | 03,942,048 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Mark\Desktop\mbam-setup.exe
[2009/09/23 22:01:49 | 00,000,000 | ---D | C] -- C:\rsit
[2009/09/23 22:01:49 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\trend micro
[2009/09/23 22:00:36 | 00,781,909 | ---- | C] () -- C:\Users\Mark\Desktop\RSIT.exe
[2009/09/23 21:57:47 | 00,000,000 | ---D | C] -- C:\Users\Mark\AppData\Local\Runscanner.net
[2009/09/23 21:56:20 | 01,643,776 | ---- | C] (Runscanner.net) -- C:\Users\Mark\Desktop\RunScanner.exe
[2009/09/23 00:48:48 | 00,000,182 | ---- | C] () -- C:\Users\Mark\Desktop\Download Dr.Web CureIt! Free anti-virus scanner, cures computers viruses..url
[2009/09/23 00:48:41 | 00,000,188 | ---- | C] () -- C:\Users\Mark\Desktop\SUPERAntiSpyware.com Remove Malware Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!.url
[2009/09/21 21:32:33 | 65,743,511 | ---- | C] () -- C:\Users\Mark\Desktop\SOAPware demo.zip
[2009/09/21 21:24:37 | 00,057,856 | ---- | C] () -- C:\Users\Mark\Documents\Mark Beans Memo-Original.doc
[2009/09/17 08:42:19 | 00,004,997 | ---- | C] () -- C:\Users\Mark\Desktop\QuickBooks Test-091709.iif
[2009/09/17 08:35:29 | 00,000,223 | ---- | C] () -- C:\Users\Mark\Desktop\A guide and tutorial on using ComboFix.url
[2009/09/07 22:27:25 | 00,000,336 | ---- | C] () -- C:\Windows\ads.ini
[2009/08/27 00:18:42 | 00,038,436 | ---- | C] () -- C:\Users\Mark\AppData\Roaming\Comma Separated Values (Windows).ADR
[2009/08/27 00:18:36 | 00,505,188 | ---- | C] () -- C:\Users\Mark\Documents\Mark's Contacts.CSV
[2009/05/13 00:00:00 | 00,014,056 | ---- | C] () -- C:\Windows\vmdcr.dll
[2009/05/11 00:00:00 | 00,014,056 | ---- | C] () -- C:\Windows\amcdr.dll
[2009/05/02 00:00:00 | 00,014,056 | ---- | C] () -- C:\Windows\SysWow64\jrdgl.dll
[2009/04/29 00:00:00 | 00,014,056 | ---- | C] () -- C:\Windows\SysWow64\rkeyds.sys
[2009/04/27 00:00:00 | 00,014,056 | ---- | C] () -- C:\Windows\SysWow64\emlks.dll
[2009/02/20 02:38:28 | 00,000,510 | ---- | C] () -- C:\Windows\WORDPAD.INI
[2009/01/31 20:24:02 | 00,002,828 | -HS- | C] () -- C:\Windows\SysWow64\KGyGaAvL.sys
[2009/01/31 20:24:02 | 00,000,088 | RHS- | C] () -- C:\Windows\SysWow64\3312FDD298.sys
[2008/12/16 00:35:41 | 00,000,069 | ---- | C] () -- C:\Windows\NeroDigital.ini
[2008/12/13 09:16:23 | 00,005,254 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2008/12/10 12:21:03 | 00,000,272 | ---- | C] () -- C:\Windows\lgfwup.ini
[2008/12/10 12:10:56 | 00,030,528 | ---- | C] () -- C:\Windows\GVTDrv64.sys
[2008/12/10 12:01:22 | 00,000,010 | ---- | C] () -- C:\Windows\GSetup.ini
[2008/11/21 17:47:52 | 03,596,288 | ---- | C] () -- C:\Windows\SysWow64\qt-dx331.dll
[2008/11/21 17:45:16 | 00,000,416 | ---- | C] () -- C:\Windows\SysWow64\dtu100.dll.manifest
[2008/11/21 17:45:16 | 00,000,416 | ---- | C] () -- C:\Windows\SysWow64\dpl100.dll.manifest
[2008/11/21 17:44:16 | 00,012,288 | ---- | C] () -- C:\Windows\SysWow64\DivXWMPExtType.dll
[2008/06/11 10:02:34 | 00,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelTraditionalChinese.dll
[2008/06/11 10:02:34 | 00,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSwedish.dll
[2008/06/11 10:02:34 | 00,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSpanish.dll
[2008/06/11 10:02:34 | 00,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSimplifiedChinese.dll
[2008/06/11 10:02:34 | 00,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelPortugese.dll
[2008/06/11 10:02:34 | 00,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelKorean.dll
[2008/06/11 10:02:32 | 00,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelJapanese.dll
[2008/06/11 10:02:32 | 00,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelGerman.dll
[2008/06/11 10:02:32 | 00,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelFrench.dll
[2008/06/05 09:58:26 | 00,197,912 | ---- | C] () -- C:\Windows\SysWow64\physxcudart_20.dll
[2008/01/20 22:50:05 | 00,060,124 | ---- | C] () -- C:\Windows\SysWow64\tcpmon.ini
[2008/01/20 22:49:49 | 00,368,640 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2006/11/02 08:34:27 | 00,000,254 | ---- | C] () -- C:\Windows\win.ini
[2006/11/02 08:34:27 | 00,000,219 | ---- | C] () -- C:\Windows\system.ini
[2006/05/03 18:44:32 | 00,036,864 | ---- | C] () -- C:\Windows\SysWow64\RtlGina2.dll
[2003/08/07 15:01:50 | 00,237,568 | ---- | C] () -- C:\Windows\SysWow64\lame_enc.dll

========== Files - Modified Within 30 Days ==========

[2009/09/25 23:25:12 | 00,000,416 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{27EEEB8D-747E-4B5D-9DB3-02DA4EFBECA6}.job
[2009/09/25 23:22:58 | 02,849,706 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2009/09/25 23:22:58 | 00,885,190 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2009/09/25 23:22:58 | 00,005,270 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2009/09/25 23:22:20 | 00,002,111 | ---- | M] () -- C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VZAccess Manager.lnk
[2009/09/25 23:17:54 | 00,003,840 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2009/09/25 23:17:54 | 00,003,840 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2009/09/25 23:17:53 | 00,024,072 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\Windows\gdrv.sys
[2009/09/25 23:17:51 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/09/25 23:17:50 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/09/25 23:16:37 | 04,178,474 | -H-- | M] () -- C:\Users\Mark\AppData\Local\IconCache.db
[2009/09/25 18:31:45 | 41,771,690 | ---- | M] () -- C:\Windows\SysNative\drivers\Avg\incavi.avm
[2009/09/25 18:31:45 | 00,113,133 | ---- | M] () -- C:\Windows\SysNative\drivers\Avg\microavi.avg
[2009/09/25 09:09:00 | 00,514,560 | ---- | M] (OldTimer Tools) -- C:\Users\Mark\Desktop\OTL.exe
[2009/09/24 19:10:45 | 00,000,848 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/09/23 21:59:33 | 00,781,909 | ---- | M] () -- C:\Users\Mark\Desktop\RSIT.exe
[2009/09/23 01:08:17 | 00,046,264 | ---- | M] () -- C:\ADS_ERR.ADT
[2009/09/23 01:08:17 | 00,004,096 | ---- | M] () -- C:\ADS_ERR.ADI
[2009/09/23 00:48:48 | 00,000,182 | ---- | M] () -- C:\Users\Mark\Desktop\Download Dr.Web CureIt! Free anti-virus scanner, cures computers viruses..url
[2009/09/23 00:48:41 | 00,000,188 | ---- | M] () -- C:\Users\Mark\Desktop\SUPERAntiSpyware.com Remove Malware Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!.url
[2009/09/23 00:44:14 | 00,008,547 | ---- | M] () -- C:\ADS_ERR.adm
[2009/09/22 16:28:02 | 00,000,336 | ---- | M] () -- C:\Windows\ads.ini
[2009/09/22 16:25:47 | 00,002,828 | -HS- | M] () -- C:\Windows\SysWow64\KGyGaAvL.sys
[2009/09/21 21:32:33 | 65,743,511 | ---- | M] () -- C:\Users\Mark\Desktop\SOAPware demo.zip
[2009/09/21 21:24:37 | 00,057,856 | ---- | M] () -- C:\Users\Mark\Documents\Mark Beans Memo-Original.doc
[2009/09/17 11:25:29 | 00,000,223 | ---- | M] () -- C:\Users\Mark\Desktop\A guide and tutorial on using ComboFix.url
[2009/09/17 08:42:19 | 00,004,997 | ---- | M] () -- C:\Users\Mark\Desktop\QuickBooks Test-091709.iif
[2009/09/16 11:19:00 | 01,643,776 | ---- | M] (Runscanner.net) -- C:\Users\Mark\Desktop\RunScanner.exe
[2009/09/11 22:27:56 | 00,024,576 | ---- | M] () -- C:\Users\Mark\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/09/10 14:54:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2009/09/10 14:53:52 | 00,022,104 | ---- | M] () -- C:\Windows\SysNative\drivers\mbam.sys
[2009/09/08 20:45:30 | 03,942,048 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Mark\Desktop\mbam-setup.exe
[2009/09/07 22:58:52 | 00,002,651 | ---- | M] () -- C:\Users\Mark\Desktop\Microsoft Office Word 2007.lnk
[2009/09/07 22:29:19 | 00,008,179 | ---- | M] () -- C:\ads_err.dbf
[2009/09/05 23:43:51 | 00,033,416 | ---- | M] () -- C:\Windows\SysNative\drivers\avgmfx64.sys
[2009/09/05 23:43:51 | 00,012,464 | ---- | M] () -- C:\Windows\SysNative\avgrssta.dll
[2009/09/05 23:43:49 | 00,427,016 | ---- | M] () -- C:\Windows\SysNative\drivers\avgldx64.sys
[2009/08/27 00:18:46 | 00,505,188 | ---- | M] () -- C:\Users\Mark\Documents\Mark's Contacts.CSV
[2009/08/27 00:18:42 | 00,038,436 | ---- | M] () -- C:\Users\Mark\AppData\Roaming\Comma Separated Values (Windows).ADR
< End of report >

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:32 PM

Posted 26 September 2009 - 01:01 PM

Looks pretty good to me. How are things on your end?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 FloridaMark

FloridaMark
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:11:32 PM

Posted 26 September 2009 - 02:26 PM

Sam-

Hmmm... :(

It seemed to be running great. I had experienced some problems with Internet speed but that seems to be great right now also. Unfortunately as I was typing this message an IE session opened with this message in the address bar:

hxxp://grotator2.info/035wL0EzLGBzL==&1510200924053

And AVG popped a "Threat detected" message that says:

Accessed file is infected
File name: pescanner1.info/25/25-035wL0EzLGBzL==
Threat name: Exploit Rogue scanner (type 836)
Process name: c:\Program Files (x86)\Internet Explorer\iexplore.exe
Process ID: 1492

Also, I am very concerned that I have two boxes which both got hit (probably different problems) at about the same time while relieing on AVG Free for protection. What suggestions do you have to avoid problems like this in the future? Should I/can I run two different Anti virus progs simulataneously on my boxes? It seems like diferent progs detect and protect against different malware. I am not sure that there is a one stop solution. In the past I have used McAffee and Symantec for long periods of time till I ran into issues with both of those paid solutions and switched to AVG Free. it worked great for me till now...

I use the Google picture searching capability for Bible class lessons frequently (I don't publish the pics since I don't own them) and I am pretty sure that is how my other box was corrupted. It is very likely that this box was corrupted the same way.

It isn't much for all the assistance and knowledge you brought to bear on my problem but I did do a donation of $30. Thanks so much for your asisstance. Would you possibly have the time to help me with the other box also? I posted that problem in this forum on 9/17 and nobody has responded yet. The Title is "Cryptor Virus on Win XP Home" and I put a green smiley on that one too.

All your help really is appreciated!

-Mark

Edited by Buckeye_Sam, 27 September 2009 - 11:53 AM.
disabled link


#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:32 PM

Posted 27 September 2009 - 11:58 AM

So that link opened up on it's own without any input from you? If so, that's a bit of a concern.

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

In answer to your question, you never want to run more than one antivirus at a time. They can conflict and cause some serious issues. Once we are sure the malware is gone here, I'll post some security recommendations for you.

I did get your donation. Thank you very much! :(
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 FloridaMark

FloridaMark
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:11:32 PM

Posted 27 September 2009 - 11:23 PM

Sam-

I ran the ESET Online as you requested. The three files that it found and eliminated were not threats. The VNC ap is one that I used on a web site that I built, the other two hits were malware utilities. I put all three of those aps out there.

In answer to your request for clarifcation, yes, I believe that lthe link I reported below opened up on it's own without any input from me twice. I did have some web pages open in IE so it is possible that it was one of those but I don't think I had anything unusual open at the time.

Here is the log.txt...

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=7.00.6000.16386 (vista_rtm.061101-2205)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=a1e8c5f4545e594fb299904865080a46
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-09-28 02:23:50
# local_time=2009-09-27 10:23:50 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6001 NT Service Pack 1
# compatibility_mode=1026 61 83 97 18960019054507
# compatibility_mode=5889 61 100 100 532209778686785
# scanned=303562
# found=3
# cleaned=3
# scan_time=4256
C:\Users\Mark\Documents\Downloads\Antivirus Tools\SDFix.exe Win32/PrcView application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Mark\Documents\My Web Sites\wwwroot-b4 F3 mods\SUPPORT.EXE Win32/RemoteAdmin.WinVNC application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Mark\Documents\_Knowledge\Antivirus Tools\SDFix.exe Win32/PrcView application (deleted - quarantined) 00000000000000000000000000000000 C

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:32 PM

Posted 28 September 2009 - 07:04 AM

Ok, so nothing there. How about Malwarebytes? Can you run a quick scan with it and post the log if it comes up with anything?

Have you had any more popups?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 FloridaMark

FloridaMark
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:11:32 PM

Posted 28 September 2009 - 12:54 PM

Hey Sam-

I ran a quick MBAM scan as you requested and then ran a full scan and both came up clean (no malicious items detected). I have not had any other popups.

-Mark

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:32 PM

Posted 28 September 2009 - 07:06 PM

Good! Keep a close eye on it and let me know if you start getting popups, but right now it appears that things are cleaned up.

It's time to clean up.
  • Make sure you have an Internet Connection.
  • Double-click OTL.exe to run it.
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


================




Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - You should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Renable system restore with instructions from tutorial above

  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:( :(
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#15 FloridaMark

FloridaMark
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:11:32 PM

Posted 28 September 2009 - 08:29 PM

Opps...

Right after my last post I needed to use my thumb drive for something and when I plugged it in AVG popped up a warning again, "Resident Shield detected I:\BOOTEX\thumbcache_131.exe".

This is the same issue that I started with. It appears to be a trojan being copied to my thumb drive when I plug it in, but from where? And why did this not pop up for several days then start again today? :(

Do you want me to run the OTL Clean Up as you instructed?

-Mark




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users