Can not install/update Anti Virus + Windows Programmes Blocked


  • This topic is locked
15 replies to this topic

#1 yundo (Members, 10 posts)

Posted 28 September 2009 - 01:02 PM

Good evening and thanks for taking time to help me out.
I am trying to clean a laptop that has had several users over the last year and seems to be infected.
The first step I took was to reinstall many drivers which seem to have been uninstalled. For example, I had to reinstall the wireless drivers to get online! The SM Bus driver as well as the Bluetooth and some sound drivers also needed to be reinstalled.

The machine had Kaspersky Anti Virus which seems to have expired or perhaps been disabled. As I was unable to get Kaspersky to start I removed it and tried to install AVG Anti Virus (Free version); despite my best efforts AVG would not install.
I tried to find a working System Restore point but “System Restore” was unavailable (the whole System Restore tab did not appear at all). I then went to Windows Updates to try and get any updates but this too seemed to freeze for about an hour.
I tried to run online virus scans at Housecall and Kaspersky but both pages are showing up as unavailable. So I downloaded Firefox (in case IE was the problem) but still no luck with the online virus scans.
I downloaded Spybot Search and Destroy and after running the clean up I could see System Restore but I still could not install AVG.
I decided to install Comodo Firewall and Anti Virus which thankfully installed without any drama. However I have been unable to update the Anti Virus – it keeps stalling at 30%.
Please give me some advice on what you would recommend.
Below I have pasted my DDS.txt report and as per your instructions I have also attached Attach.txt and Ark.txt.

Thank you!


DDS (Ver_09-09-24.01) - NTFSx86

Run by Administrator at 20:29:10.51 on Mon 09/28/2009

Internet Explorer: 6.0.2900.5512

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.552 [GMT 3:00]





============== Running Processes ===============



C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscript.exe

C:\Program Files\Unlocker\UnlockerAssistant.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\SkyTel.EXE

C:\Program Files\COMODO\COMODO Internet Security\cfp.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\wscript.exe

C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\PROGRA~1\Lenovo\BLUETO~1\BTSTAC~1.EXE

C:\WINDOWS\system32\CNAB4RPK.EXE

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Documents and Settings\Administrator\Desktop\dds.scr



============== Pseudo HJT Report ===============



uStart Page = hxxp://www.google.com/

uWindow Title = Microsoft Internet Explorer

mWinlogon: Userinit=c:\windows\system32\userinit.exe

mWinlogon: SfcDisable=-99 (0xffffff9d)

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [CTFMOON] c:\windows\system32\wscript.exe /e:vbs c:\windows\system32\regedit.sys

mRun: [regdeit] c:\windows\system32\svchostnt.exe

mRun: [UnlockerAssistant] c:\program files\unlocker\UnlockerAssistant.exe -H

mRun: [<NO NAME>]

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [SkyTel] SkyTel.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [AzMixerSel] c:\program files\realtek\audio\installshield\AzMixerSel.exe

mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe

mRun: [svchost] c:\windows\system32\svchostnt.exe

mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h

dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-f400-7760-000000000003}\_SC_Acrobat.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~2.lnk - c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\lenovo\bluetooth software\BTTray.exe

uPolicies-explorer: NoResolveTrack = 1 (0x1)

uPolicies-explorer: NoInstrumentation = 1 (0x1)

mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

dPolicies-explorer: NoResolveTrack = 1 (0x1)

dPolicies-explorer: NoInstrumentation = 1 (0x1)

IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\lenovo\bluetooth software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\lenovo\bluetooth software\btsendto_ie.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\lenovo\bluetooth software\btsendto_ie.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: c:\windows\system32\guard32.dll



================= FIREFOX ===================



FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\xpf7qk8u.default\



============= SERVICES / DRIVERS ===============



R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-9-28 132296]

R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-9-28 25160]

R1 fhp3c27;fhp3c27;c:\windows\system32\drivers\fhp3c27.sys [2009-9-28 44928]

R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-9-28 723632]

R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2009-7-21 157696]

S1 9c40990e.sys;9c40990e.sys;\??\c:\windows\system32\drivers\9c40990e.sys --> c:\windows\system32\drivers\9c40990e.sys [?]

S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-7-21 29208]

S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-7-21 29208]

S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]

S3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [2009-7-21 81192]



=============== Created Last 30 ================



2009-09-28 19:50 80,288 a------- c:\windows\system32\drivers\sfi.dat

2009-09-28 19:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Comodo

2009-09-28 19:47 179,792 a------- c:\windows\system32\guard32.dll

2009-09-28 19:47 132,296 a------- c:\windows\system32\drivers\cmdguard.sys

2009-09-28 19:47 25,160 a------- c:\windows\system32\drivers\cmdhlp.sys

2009-09-28 19:47 <DIR> --d----- c:\program files\COMODO

2009-09-28 19:45 <DIR> --d----- c:\program files\trend micro

2009-09-28 19:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar

2009-09-28 19:22 67 a------- c:\windows\wininit.ini

2009-09-28 19:20 <DIR> --d----- c:\windows\system32\LogFiles

2009-09-28 18:43 <DIR> --d----- c:\program files\AVG

2009-09-28 18:41 32,783 a--shr-- c:\windows\system32\svchostnt.exe

2009-09-28 14:33 <DIR> --d----- c:\program files\Spybot - Search & Destroy

2009-09-28 14:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2009-09-28 14:13 44,928 a------- c:\windows\system32\drivers\fhp3c27.sys

2009-09-28 13:48 940,794 a------- c:\windows\system32\LoopyMusic.wav

2009-09-28 13:48 146,650 a------- c:\windows\system32\BuzzingBee.wav

2009-09-28 13:44 53,248 a------- c:\windows\system32\CSVer.dll

2009-09-28 13:39 176,640 a------- c:\windows\system32\drivers\b57xp32.sys

2009-09-28 13:39 <DIR> --d----- c:\program files\Broadcom

2009-09-28 13:36 1,286,144 a------- c:\windows\system32\drivers\BCMWL5.SYS

2009-09-28 13:33 553 a------- c:\windows\USetup.iss

2009-09-28 13:33 90,112 a------- c:\windows\system32\ChCfg.exe

2009-09-28 13:33 6,272 a------- c:\windows\system32\drivers\splitter.sys

2009-09-28 13:33 83,072 a------- c:\windows\system32\drivers\wdmaud.sys

2009-09-28 13:33 52,864 a------- c:\windows\system32\drivers\DMusic.sys

2009-09-28 13:33 56,576 a------- c:\windows\system32\drivers\swmidi.sys

2009-09-28 13:33 142,592 a------- c:\windows\system32\drivers\aec.sys

2009-09-28 13:33 172,416 a------- c:\windows\system32\drivers\kmixer.sys

2009-09-28 13:33 2,944 a------- c:\windows\system32\drivers\drmkaud.sys

2009-09-28 13:33 60,800 a------- c:\windows\system32\drivers\sysaudio.sys

2009-09-28 13:32 <DIR> --d----- c:\documents and settings\administrator\Bluetooth Software

2009-09-28 13:31 106,557 a------- c:\windows\system32\btw_ci.dll

2009-09-28 13:31 89,896 a------- c:\windows\system32\drivers\btwsecfl.sys

2009-09-28 13:31 47,272 a------- c:\windows\system32\drivers\btwusb.sys

2009-09-28 13:31 991,400 a------- c:\windows\system32\drivers\btkrnl.sys

2009-09-28 13:07 <DIR> --ds---- c:\documents and settings\administrator\UserData

2009-09-05 23:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files

2009-09-03 18:11 <DIR> --d----- c:\program files\PDF Unlocker

2009-09-03 03:00 101,120 a----r-- c:\windows\system32\drivers\ewusbmdm.sys

2009-09-03 03:00 24,448 a----r-- c:\windows\system32\drivers\ewdcsc.sys

2009-09-03 03:00 <DIR> --d----- c:\program files\Mobile Partner

2009-09-02 03:45 25,856 a------- c:\windows\system32\drivers\usbprint.sys

2009-09-02 03:44 135,168 a------- c:\windows\system32\CNAB4EMU.DLL

2009-09-02 03:44 69,632 a------- c:\windows\system32\CNAB4SMK.DLL

2009-09-02 03:44 62,848 a------- c:\windows\system32\CNAB4RPK.EXE

2009-09-02 03:44 28,672 a------- c:\windows\system32\CNAB4PTU.DLL

2009-09-02 03:44 28,672 a------- c:\windows\system32\CNAB4LMK.DLL

2009-09-02 03:43 <DIR> --d----- c:\program files\Canon



==================== Find3M ====================



2009-09-28 20:29 2,724,492 a--shr-- C:\pagefiles.sys

2009-09-28 19:35 2,724,492 a--shr-- c:\windows\system32\regedit.sys

2009-09-28 13:32 339,968 a------- c:\windows\HideWin.exe

2009-07-21 00:53 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat

2009-07-21 00:51 50,968 a------- c:\windows\system32\avgfwdx.dll

2009-07-21 00:23 21,640 a------- c:\windows\system32\emptyregdb.dat

2008-05-08 12:24 176,128 a--shr-- c:\windows\system32\wscript.exe



============= FINISH: 20:31:05.46 ===============

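As an added example that is not part of the original thread, here is a small Python triage pass over the kinds of DDS lines pasted above (the Pseudo HJT Report autorun entries and the Created Last 30 / Find3M file listing). The heuristics it applies are my own assumptions about what a responder reads first, not the forum's or the DDS tool's method: a script host started at logon with a non-script target, an autorun image whose name imitates a core Windows binary, hidden+system attributes on an executable under system32, and a non-zero SfcDisable in Winlogon; the sample lines are constructed from the log in this post.

```python
"""Triage pass over DDS log lines (Pseudo HJT Report, Created Last 30, Find3M).

Constructed for this thread; the heuristics are this example's own, not a
DDS or BleepingComputer feature.
"""
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# Core Windows process names that malware often imitates with an extra suffix
# (e.g. svchostnt.exe beside the real svchost.exe).
CORE_NAMES = {"svchost", "lsass", "csrss", "smss", "winlogon", "services", "userinit", "explorer"}
EXEC_EXTS = {".exe", ".dll", ".sys", ".scr", ".com"}

RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", re.I)
SFC_RE = re.compile(r"^mWinlogon: SfcDisable=(?P<val>-?\d+)", re.I)
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?P<size>[\d,]+|<DIR>)\s+"
    r"(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$",
    re.I,
)


def _argv(cmd):
    """Split an autorun command line; quoted paths stay whole, unquoted paths
    containing spaces get split (a limitation of how DDS prints them)."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmd)]


def check_run_entry(cmd):
    """Return the heuristics that fire for one autorun command line."""
    hits = []
    argv = _argv(cmd)
    if not argv:
        return hits
    image = PureWindowsPath(argv[0].lower())
    if image.name in SCRIPT_HOSTS:
        # A script host started at logon should point at a script file, not at
        # something hiding behind a driver or executable extension.
        targets = [a for a in argv[1:] if not a.startswith("/")]
        if any(PureWindowsPath(t.lower()).suffix not in SCRIPT_EXTS for t in targets):
            hits.append("script-host-nonscript-target")
    if image.stem not in CORE_NAMES and any(image.stem.startswith(c) for c in CORE_NAMES):
        hits.append("lookalike-system-binary")
    return hits


def check_file_entry(attrs, path):
    """Return the heuristics that fire for one file-listing line."""
    hits = []
    p = PureWindowsPath(path.lower())
    a = attrs.lower()
    # Hidden + system attributes on an executable in system32 are unusual for
    # legitimate files and worth a second look.
    if "s" in a and "h" in a and p.suffix in EXEC_EXTS and p.parent.name == "system32":
        hits.append("hidden-system-executable")
    return hits


def triage(text):
    """Return (rule, line) pairs, in log order, for every line that trips a rule."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SFC_RE.match(line)
        if m:
            # A non-zero SfcDisable turns Windows File Protection off. Malware does
            # this, but so do customisation tools such as nLite; confirm before acting.
            if int(m.group("val")) != 0:
                findings.append(("wfp-disabled", line))
            continue
        m = RUN_RE.match(line)
        if m:
            findings.extend((rule, line) for rule in check_run_entry(m.group("cmd")))
            continue
        m = FILE_RE.match(line)
        if m:
            findings.extend((rule, line) for rule in check_file_entry(m.group("attrs"), m.group("path")))
    return findings


# Constructed sample, shaped like the DDS lines pasted above.
SAMPLE_DDS = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe
mWinlogon: SfcDisable=-99 (0xffffff9d)
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [CTFMOON] c:\windows\system32\wscript.exe /e:vbs c:\windows\system32\regedit.sys
mRun: [regdeit] c:\windows\system32\svchostnt.exe
mRun: [<NO NAME>]
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
2009-09-28 18:41 32,783 a--shr-- c:\windows\system32\svchostnt.exe
2009-09-28 19:47 179,792 a------- c:\windows\system32\guard32.dll
2009-09-28 19:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Comodo
2008-05-08 12:24 176,128 a--shr-- c:\windows\system32\wscript.exe
"""

if __name__ == "__main__":
    for rule, line in triage(SAMPLE_DDS):
        print(f"[{rule}] {line}")
```

The flags are a reading order for a human, not verdicts: an nLite RunOnce entry appears in this same log, which is one legitimate way SfcDisable ends up set.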

#2 yundo (Topic Starter, Members, 10 posts)

Posted 05 October 2009 - 08:21 AM

Good afternoon.
It's been a week since I posted and I understand that all the gurus are probably swamped with requests for help. I would really appreciate it if someone had a look at my logs too.
Thanks again

#3 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 15 October 2009 - 05:03 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Also, please subscribe to this topic, so you are notified when someone replies. Please continue to check manually on occasion, as every now and then the email may be caught by your spam filter.
To enable topic notifications you should do the following:
  • Click on the My Controls link at the top of the page to enter your control panel.
  • Scroll down to the Options category in the left hand side menu bar and click on the Email Settings link.
  • Put a checkmark in the checkbox labeled Enable 'Email Notification' by default?.
  • Set the If ticked, choose default type: menu option to Immediate Email Notification to have an email sent immediately when someone replies.
Information on A/V control HERE

Please also turn off Word Wrap in Notepad before pasting your logs... it will make them more readable. Thanks!


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.


#4 yundo (Topic Starter, Members, 10 posts)

Posted 16 October 2009 - 06:46 AM

Thank you for getting back to me - it is good to know that the system works!
I am still having problems; here is the latest DDS log.

Thanks again


DDS (Ver_09-09-24.01) - NTFSx86 MINIMAL

Run by Administrator at 14:15:06.14 on Fri 10/16/2009

Internet Explorer: 6.0.2900.5512

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.759 [GMT 3:00]





============== Running Processes ===============



C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\Administrator\Desktop\Deez Magic\dds.scr



============== Pseudo HJT Report ===============



uStart Page = hxxp://www.google.com/

uWindow Title = Microsoft Internet Explorer

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll

uURLSearchHooks: H - No File

mWinlogon: Userinit=c:\windows\system32\userinit.exe

mWinlogon: SfcDisable=-99 (0xffffff9d)

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [CTFMOON] c:\windows\system32\wscript.exe /e:vbs c:\windows\system32\regedit.sys

mRun: [UnlockerAssistant] c:\program files\unlocker\UnlockerAssistant.exe -H

mRun: [<NO NAME>]

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [AzMixerSel] c:\program files\realtek\audio\installshield\AzMixerSel.exe

mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe

mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-f400-7760-000000000003}\_SC_Acrobat.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~2.lnk - c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\lenovo\bluetooth software\BTTray.exe

uPolicies-explorer: NoResolveTrack = 1 (0x1)

uPolicies-explorer: NoInstrumentation = 1 (0x1)

mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

dPolicies-explorer: NoResolveTrack = 1 (0x1)

dPolicies-explorer: NoInstrumentation = 1 (0x1)

IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\lenovo\bluetooth software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\lenovo\bluetooth software\btsendto_ie.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\lenovo\bluetooth software\btsendto_ie.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll

Notify: avgrsstarter - avgrsstx.dll

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: c:\windows\system32\guard32.dll



================= FIREFOX ===================



FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\xpf7qk8u.default\

FF - plugin: c:\program files\google\update\1.2.133.37\npGoogleOneClick7.dll



============= SERVICES / DRIVERS ===============



R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-10-6 64160]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]

R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2009-7-21 157696]

S1 9c40990e.sys;9c40990e.sys;\??\c:\windows\system32\drivers\9c40990e.sys --> c:\windows\system32\drivers\9c40990e.sys [?]

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-7 335240]

S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-10-7 27784]

S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-7 108552]

S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-9-28 132296]

S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-9-28 25160]

S1 fhp3c27;fhp3c27;c:\windows\system32\drivers\fhp3c27.sys [2009-9-28 44928]

S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-10-7 297752]

S2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-9-28 723632]

S2 gupdate1ca46bfdb4b21f4;Google Update Service (gupdate1ca46bfdb4b21f4);c:\program files\google\update\GoogleUpdate.exe [2009-10-6 133104]

S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]

S3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [2009-7-21 81192]



=============== Created Last 30 ================



2009-10-08 10:41 26,488 a------- c:\windows\system32\spupdsvc.exe

2009-10-08 09:51 <DIR> --d-h--- c:\windows\$hf_mig$

2009-10-07 17:11 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll

2009-10-07 17:11 91,648 -------- c:\windows\system32\dllcache\mtxoci.dll

2009-10-07 17:11 161,792 -------- c:\windows\system32\dllcache\msdtcuiu.dll

2009-10-07 17:11 66,560 -------- c:\windows\system32\dllcache\mtxclu.dll

2009-10-07 17:11 956,928 -------- c:\windows\system32\dllcache\msdtctm.dll

2009-10-07 17:11 58,880 -------- c:\windows\system32\dllcache\msdtclog.dll

2009-10-07 17:09 2,560 -------- c:\windows\system32\xpsp4res.dll

2009-10-07 17:09 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb

2009-10-07 17:09 215,552 -------- c:\windows\system32\dllcache\wordpad.exe

2009-10-07 17:08 80,896 -------- c:\windows\system32\dllcache\tlntsess.exe

2009-10-07 17:08 76,288 -------- c:\windows\system32\dllcache\telnet.exe

2009-10-07 16:39 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll

2009-10-07 16:38 346,112 -------- c:\windows\system32\dllcache\localspl.dll

2009-10-07 16:37 354,304 -------- c:\windows\system32\dllcache\winhttp.dll

2009-10-07 16:26 134,144 -------- c:\windows\system32\dllcache\wkssvc.dll

2009-10-07 16:26 144,896 -------- c:\windows\system32\dllcache\schannel.dll

2009-10-07 16:23 58,880 -------- c:\windows\system32\dllcache\atl.dll

2009-10-07 15:37 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll

2009-10-07 15:07 2,067,968 -------- c:\windows\system32\dllcache\mstscax.dll

2009-10-07 14:57 153,088 -------- c:\windows\system32\dllcache\triedit.dll

2009-10-07 14:52 128,512 a------- c:\windows\system32\dllcache\dhtmled.ocx

2009-10-07 14:50 <DIR> --d-h--- C:\$AVG8.VAULT$

2009-10-07 14:50 333,952 -------- c:\windows\system32\dllcache\srv.sys

2009-10-07 14:48 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll

2009-10-07 14:39 108,552 a------- c:\windows\system32\drivers\avgtdix.sys

2009-10-07 14:39 11,952 a------- c:\windows\system32\avgrsstx.dll

2009-10-07 14:39 335,240 a------- c:\windows\system32\drivers\avgldx86.sys

2009-10-07 14:39 <DIR> --d----- c:\windows\system32\drivers\Avg

2009-10-07 07:37 512,000 -------- c:\windows\system32\dllcache\jscript.dll

2009-10-07 07:37 <DIR> --d----- C:\c8ae60870b0c939f50

2009-10-07 07:32 15,688 a------- c:\windows\system32\lsdelete.exe

2009-10-06 23:02 64,160 a------- c:\windows\system32\drivers\Lbd.sys

2009-10-06 23:01 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}

2009-10-06 23:01 <DIR> --d----- c:\program files\Lavasoft

2009-10-06 19:33 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes

2009-10-06 19:32 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-10-06 19:32 19,160 a------- c:\windows\system32\drivers\mbam.sys

2009-10-06 19:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-10-06 19:32 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-09-28 19:50 1,474,593 a------- c:\windows\system32\drivers\sfi.dat

2009-09-28 19:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Comodo

2009-09-28 19:47 179,792 a------- c:\windows\system32\guard32.dll

2009-09-28 19:47 132,296 a------- c:\windows\system32\drivers\cmdguard.sys

2009-09-28 19:47 25,160 a------- c:\windows\system32\drivers\cmdhlp.sys

2009-09-28 19:47 <DIR> --d----- c:\program files\COMODO

2009-09-28 19:45 <DIR> --d----- c:\program files\trend micro

2009-09-28 19:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar

2009-09-28 19:22 67 a------- c:\windows\wininit.ini

2009-09-28 19:20 <DIR> --d----- c:\windows\system32\LogFiles

2009-09-28 18:43 <DIR> --d----- c:\program files\AVG

2009-09-28 14:33 <DIR> --d----- c:\program files\Spybot - Search & Destroy

2009-09-28 14:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2009-09-28 14:13 44,928 a------- c:\windows\system32\drivers\fhp3c27.sys

2009-09-28 13:48 940,794 a------- c:\windows\system32\LoopyMusic.wav

2009-09-28 13:48 146,650 a------- c:\windows\system32\BuzzingBee.wav

2009-09-28 13:44 53,248 a------- c:\windows\system32\CSVer.dll

2009-09-28 13:39 176,640 a------- c:\windows\system32\drivers\b57xp32.sys

2009-09-28 13:39 <DIR> --d----- c:\program files\Broadcom

2009-09-28 13:36 1,286,144 a------- c:\windows\system32\drivers\BCMWL5.SYS

2009-09-28 13:33 553 a------- c:\windows\USetup.iss

2009-09-28 13:33 73,728 a------- c:\windows\system32\ChCfg.exe

2009-09-28 13:33 6,272 a------- c:\windows\system32\drivers\splitter.sys

2009-09-28 13:33 83,072 a------- c:\windows\system32\drivers\wdmaud.sys

2009-09-28 13:33 52,864 a------- c:\windows\system32\drivers\DMusic.sys

2009-09-28 13:33 56,576 a------- c:\windows\system32\drivers\swmidi.sys

2009-09-28 13:33 142,592 a------- c:\windows\system32\drivers\aec.sys

2009-09-28 13:33 172,416 a------- c:\windows\system32\drivers\kmixer.sys

2009-09-28 13:33 2,944 a------- c:\windows\system32\drivers\drmkaud.sys

2009-09-28 13:33 60,800 a------- c:\windows\system32\drivers\sysaudio.sys

2009-09-28 13:32 <DIR> --d----- c:\documents and settings\administrator\Bluetooth Software

2009-09-28 13:31 106,557 a------- c:\windows\system32\btw_ci.dll

2009-09-28 13:31 89,896 a------- c:\windows\system32\drivers\btwsecfl.sys

2009-09-28 13:31 47,272 a------- c:\windows\system32\drivers\btwusb.sys

2009-09-28 13:31 991,400 a------- c:\windows\system32\drivers\btkrnl.sys

2009-09-28 13:07 <DIR> --ds---- c:\documents and settings\administrator\UserData



==================== Find3M ====================



2009-10-06 21:38 353,412 a--shr-- C:\pagefiles.sys

2009-09-28 13:32 319,488 a------- c:\windows\HideWin.exe

2009-08-05 12:01 204,800 a------- c:\windows\system32\mswebdvd.dll

2009-07-21 00:53 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat

2009-07-21 00:23 21,640 a------- c:\windows\system32\emptyregdb.dat

2008-05-08 12:24 155,648 a--shr-- c:\windows\system32\wscript.exe



============= FINISH: 14:16:32.82 ===============

#5 myrti (Sillyberry, Malware Study Hall Admin, 33,771 posts)

Posted 20 October 2009 - 12:36 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

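The OTL.txt log that the steps above produce is what the helper reads next. As an added triage example (not OTL's own code and not from any participant in this thread), the script below parses the O27, O32, O33 and O35 line formats and flags the entry classes a removal helper checks first; the sample log is a constructed excerpt in OTL's line format, modelled on the logs posted in this thread, and the host and tool name lists are this example's own choices.

```python
"""Triage helper for OTL.txt logs.

Added example for this thread, not OldTimer's OTL code. It parses the OTL
line prefixes O27 (IFEO Debugger), O32 (autorun.inf on fixed drives),
O33 (MountPoints2 autorun commands) and O35 (exe/com file associations)
and flags the entries a removal helper looks at first.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample excerpt in OTL.txt line format (not a real scan).
SAMPLE_LOG = r"""
Hosts file not found
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O27 - HKLM IFEO\00hoeav.com: Debugger - C:\WINDOWS\system32\svchostnt.exe File not found
O27 - HKLM IFEO\taskmgr.exe: Debugger - C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\regedit.sys (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/07/21 00:28:33 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/10/06 21:38:11 | 00,000,204 | RHS- | M] () - C:\autorun.inf -- [ NTFS ]
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\{ff6faf11-9754-11de-a95c-00238b074344}\Shell\AutoRun\command - "" = E:\wscript.exe -- File not found
O35 - exefile [open] -- "%1" %* File not found
O35 - comfile [open] -- "%1" %* File not found
"""


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    category: str
    detail: str
    line: str


# Hosts that execute scripts or commands; a Debugger value or a
# removable-media autorun command pointing at one is rarely legitimate.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe", "rundll32.exe"}
# Tools whose IFEO Debugger value malware commonly sets to keep them from running.
PROTECTED_TOOLS = {"taskmgr.exe", "regedit.exe", "msconfig.exe", "drwtsn32.exe", "cmd.exe"}

IFEO_RE = re.compile(r'^O27 - HKLM IFEO\\(?P<target>[^:]+): Debugger - (?P<debugger>.+)$')
AUTORUN_FILE_RE = re.compile(r'^O32 - AutoRun File - \[(?P<meta>[^\]]+)\] \(\) - (?P<path>.+?) -- \[')
MOUNTPOINT_RE = re.compile(r'^O33 - MountPoints2\\(?P<key>[^\\]+)\\Shell\\[^\\]+\\[Cc]ommand - "" = (?P<cmd>.+?)(?: -- File not found)?$')
ASSOC_RE = re.compile(r'^O35 - (?P<ftype>\w+) \[open\] -- (?P<cmd>.+?)(?: File not found)?$')


def _basename(command: str) -> str:
    """Lower-cased file name of the first token of a command line."""
    return command.split()[0].rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == "Hosts file not found":
            findings.append(Finding("medium", "hosts",
                "hosts file missing (deleted, hidden or never present)", line))
            continue
        m = IFEO_RE.match(line)
        if m:
            # Any Debugger value silently redirects launches of the target.
            target, debugger = m.group("target").lower(), m.group("debugger")
            redirected = _basename(debugger)
            high = (target in PROTECTED_TOOLS or redirected in SCRIPT_HOSTS
                    or debugger.endswith("File not found"))
            findings.append(Finding("high" if high else "medium", "ifeo-debugger",
                f"launching {target} is redirected to {redirected}", line))
            continue
        m = AUTORUN_FILE_RE.match(line)
        if m:
            path = m.group("path")
            if path.rsplit("\\", 1)[-1].lower() == "autorun.inf":
                # Third metadata field holds the attribute flags, e.g. "RHS-".
                attrs = m.group("meta").split("|")[2].strip()
                hidden = "H" in attrs and "S" in attrs
                findings.append(Finding("high" if hidden else "medium", "autorun-inf",
                    f"{path} on a fixed drive" + (" with hidden+system attributes" if hidden else ""), line))
            continue
        m = MOUNTPOINT_RE.match(line)
        if m:
            # Stale commands for unplugged media are normal; a script host is not.
            cmd = m.group("cmd")
            if _basename(cmd) in SCRIPT_HOSTS:
                findings.append(Finding("high", "mountpoint-autorun",
                    f"removable-media autorun for {m.group('key')} runs {cmd}", line))
            continue
        m = ASSOC_RE.match(line)
        # OTL appends "File not found" because it tries to resolve "%1" as a
        # path; only a command other than the default "%1" %* is a hijack.
        if m and m.group("cmd") != '"%1" %*':
            findings.append(Finding("high", "file-association",
                f"{m.group('ftype')} open command is {m.group('cmd')}, not the default", line))
    return findings


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: f.severity != "high"):
        print(f"[{f.severity:6}] {f.category}: {f.detail}")
```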


#6 yundo

yundo
  • Topic Starter

  • Members
  • 10 posts
  • Local time:05:42 PM

Posted 20 October 2009 - 01:33 PM

Good evening.
Thank you for getting back to me, I am still having problems with this computer. Here are the two logs you asked me to provide:

++++++++++++++++++

OTL logfile created on: 10/20/2009 9:22:45 PM - Run 1

OTL by OldTimer - Version 3.0.21.0 Folder = C:\Documents and Settings\Administrator\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.5512)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy



1014.36 Mb Total Physical Memory | 396.48 Mb Available Physical Memory | 39.09% Memory free

2.39 Gb Paging File | 1.83 Gb Available in Paging File | 76.61% Paging File free

Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]



%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 103.91 Gb Total Space | 94.02 Gb Free Space | 90.48% Space Free | Partition Type: NTFS

Drive D: | 30.38 Gb Total Space | 26.77 Gb Free Space | 88.10% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded



Computer Name: EVEREST

Current User Name: Administrator

Logged in as Administrator.



Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard



========== Processes (SafeList) ==========



PRC - [2009/10/14 16:58:50 | 00,521,216 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe

PRC - [2009/10/07 14:39:13 | 00,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe

PRC - [2009/10/07 14:39:13 | 00,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe

PRC - [2009/10/07 14:39:11 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe

PRC - [2009/10/06 23:01:48 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe

PRC - [2009/09/28 19:47:56 | 00,723,632 | ---- | M] (COMODO) -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

PRC - [2009/07/03 17:49:06 | 01,029,456 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

PRC - [2009/07/03 17:49:06 | 00,520,024 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

PRC - [2009/03/05 16:07:20 | 02,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

PRC - [2008/09/01 10:50:20 | 00,062,848 | ---- | M] (CANON INC.) -- C:\WINDOWS\System32\CNAB4RPK.EXE

PRC - [2008/07/29 09:31:18 | 16,806,912 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.EXE

PRC - [2008/07/03 12:38:24 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE

PRC - [2008/06/24 09:21:36 | 00,600,680 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe

PRC - [2008/06/24 09:21:34 | 01,448,576 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\Lenovo\Bluetooth Software\BTStackServer.exe

PRC - [2008/06/24 09:21:34 | 00,346,720 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe

PRC - [2008/05/02 10:15:46 | 00,015,872 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerAssistant.exe

PRC - [2006/10/23 11:40:14 | 00,046,200 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe



========== Win32 Services (SafeList) ==========



SRV - [2009/10/07 14:39:11 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Running])

SRV - [2009/10/06 23:01:48 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1ca46bfdb4b21f4 [Auto | Stopped])

SRV - [2009/09/28 19:47:56 | 00,723,632 | ---- | M] (COMODO) -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe -- (cmdAgent [Auto | Running])

SRV - [2009/07/21 00:41:45 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service [On_Demand | Stopped])

SRV - [2009/07/03 17:49:06 | 01,029,456 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service [Auto | Running])

SRV - [2008/06/24 09:21:34 | 00,346,720 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe -- (btwdins [Auto | Running])

SRV - [2008/04/14 13:00:00 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])

SRV - [2005/09/23 17:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])

SRV - [2005/09/23 17:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])

SRV - [2003/07/28 22:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])



========== Driver Services (SafeList) ==========



DRV - [2009/10/07 14:39:29 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX [System | Running])

DRV - [2009/10/07 14:39:19 | 00,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86 [System | Running])

DRV - [2009/10/07 14:39:18 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86 [System | Running])

DRV - [2009/09/28 19:47:56 | 00,132,296 | ---- | M] (COMODO) -- C:\WINDOWS\System32\DRIVERS\cmdguard.sys -- (cmdGuard [System | Running])

DRV - [2009/09/28 19:47:56 | 00,087,104 | ---- | M] (COMODO) -- C:\WINDOWS\System32\DRIVERS\inspect.sys -- (Inspect [Boot | Running])

DRV - [2009/09/28 19:47:56 | 00,025,160 | ---- | M] (COMODO) -- C:\WINDOWS\System32\DRIVERS\cmdhlp.sys -- (cmdHlp [System | Running])

DRV - [2009/09/28 14:13:12 | 00,044,928 | ---- | M] () -- C:\WINDOWS\System32\drivers\fhp3c27.sys -- (fhp3c27 [System | Running])

DRV - [2009/07/03 17:49:08 | 00,064,160 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd [Boot | Running])

DRV - [2008/07/31 16:35:08 | 04,751,872 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])

DRV - [2008/07/25 11:18:32 | 00,176,640 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\System32\DRIVERS\b57xp32.sys -- (b57w2k [On_Demand | Running])

DRV - [2008/07/23 05:03:26 | 00,157,696 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\Drivers\RTS5121.sys -- (RSUSBSTOR [On_Demand | Running])

DRV - [2008/06/23 07:24:00 | 00,991,400 | ---- | M] (Broadcom Corporation.) -- C:\WINDOWS\System32\DRIVERS\btkrnl.sys -- (BTKRNL [On_Demand | Running])

DRV - [2008/06/11 09:14:20 | 00,047,272 | ---- | M] (Broadcom Corporation.) -- C:\WINDOWS\System32\Drivers\btwusb.sys -- (BTWUSB [On_Demand | Running])

DRV - [2008/04/14 13:00:00 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\System32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])

DRV - [2008/04/14 13:00:00 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])

DRV - [2008/04/14 13:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])

DRV - [2008/02/21 03:46:48 | 01,286,144 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\System32\DRIVERS\bcmwl5.sys -- (BCM43XX [On_Demand | Running])

DRV - [2008/02/15 08:12:08 | 05,854,752 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\igxpmp32.sys -- (ialm [On_Demand | Running])

DRV - [2008/01/10 20:59:08 | 00,081,192 | ---- | M] (CyberLink) -- C:\WINDOWS\System32\drivers\WSVD.sys -- (WSVD [On_Demand | Stopped])

DRV - [2007/08/25 05:45:22 | 00,101,120 | R--- | M] (Huawei Technologies Co., Ltd.) -- C:\WINDOWS\System32\DRIVERS\ewusbmdm.sys -- (hwdatacard [On_Demand | Stopped])

DRV - [2007/05/24 02:33:58 | 00,128,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\wimfltr.sys -- (WimFltr [On_Demand | Stopped])

DRV - [2006/02/25 17:13:06 | 00,016,877 | ---- | M] (Adaptec) -- C:\WINDOWS\System32\drivers\aspi32.sys -- (Aspi32 [Auto | Running])



========== Standard Registry (SafeList) ==========





========== Internet Explorer ==========



IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm





IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/



IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/



IE - HKU\S-1-5-21-448539723-1757981266-1935655697-500\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

IE - HKU\S-1-5-21-448539723-1757981266-1935655697-500\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

IE - HKU\S-1-5-21-448539723-1757981266-1935655697-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\S-1-5-21-448539723-1757981266-1935655697-500\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found

IE - HKU\S-1-5-21-448539723-1757981266-1935655697-500\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll File not found

IE - HKU\S-1-5-21-448539723-1757981266-1935655697-500\S-1-5-21-448539723-1757981266-1935655697-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



========== FireFox ==========



FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:1.1.6

FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.3



FF - HKLM\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG8\Firefox [2009/10/07 14:39:11 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/09/28 13:23:22 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/09/28 13:23:17 | 00,000,000 | ---D | M]



[2009/09/28 13:23:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Extensions

[2009/09/28 13:23:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}

[2009/10/16 10:39:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\xpf7qk8u.default\extensions

[2009/09/28 13:28:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\xpf7qk8u.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}

[2009/09/28 13:23:17 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions

[2009/09/28 13:23:17 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

[2009/08/24 23:15:25 | 00,023,544 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll

[2009/08/24 23:15:26 | 00,137,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll

[2009/08/24 23:15:27 | 00,065,016 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll

[2009/08/24 21:45:46 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml

[2009/08/24 21:45:46 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml

[2009/07/24 00:12:00 | 00,001,519 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\avg_igeared.xml

[2009/08/24 21:45:46 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml

[2009/08/24 21:45:46 | 00,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml

[2009/08/24 21:45:46 | 00,002,371 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml

[2009/08/24 21:45:46 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml



Hosts file not found

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)

O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O2 - BHO: (AVG Security Toolbar) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL File not found

O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll File not found

O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL File not found

O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll File not found

O3 - HKU\S-1-5-21-448539723-1757981266-1935655697-500\..\Toolbar\ShellBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O3 - HKU\S-1-5-21-448539723-1757981266-1935655697-500\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O3 - HKU\S-1-5-21-448539723-1757981266-1935655697-500\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll File not found

O4 - HKLM..\Run: [] File not found

O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)

O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)

O4 - HKLM..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe (Realtek Semiconductor Corp.)

O4 - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO)

O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)

O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)

O4 - HKLM..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe ()

O4 - HKU\S-1-5-21-448539723-1757981266-1935655697-500..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)

O4 - HKU\.DEFAULT..\RunOnce: [_nltide_3] C:\WINDOWS\System32\advpack.DLL (Microsoft Corporation)

O4 - HKU\S-1-5-18..\RunOnce: [_nltide_3] C:\WINDOWS\System32\advpack.DLL (Microsoft Corporation)

O4 - HKU\S-1-5-19..\RunOnce: [_nltide_3] C:\WINDOWS\System32\advpack.DLL (Microsoft Corporation)

O4 - HKU\S-1-5-20..\RunOnce: [_nltide_3] C:\WINDOWS\System32\advpack.DLL (Microsoft Corporation)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk = C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe ()

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe ()

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk = C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe (Broadcom Corporation.)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableStatusMessages = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: VerboseStatus = 0

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoInstrumentation = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuMFUprogramsList = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ClearRecentDocsOnExit = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoInstrumentation = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuMFUprogramsList = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ClearRecentDocsOnExit = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoInstrumentation = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuMFUprogramsList = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ClearRecentDocsOnExit = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoInstrumentation = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuMFUprogramsList = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ClearRecentDocsOnExit = 1

O7 - HKU\S-1-5-21-448539723-1757981266-1935655697-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0

O7 - HKU\S-1-5-21-448539723-1757981266-1935655697-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1

O7 - HKU\S-1-5-21-448539723-1757981266-1935655697-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1

O7 - HKU\S-1-5-21-448539723-1757981266-1935655697-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1

O7 - HKU\S-1-5-21-448539723-1757981266-1935655697-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1

O7 - HKU\S-1-5-21-448539723-1757981266-1935655697-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoInstrumentation = 1

O7 - HKU\S-1-5-21-448539723-1757981266-1935655697-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuMFUprogramsList = 1

O7 - HKU\S-1-5-21-448539723-1757981266-1935655697-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ClearRecentDocsOnExit = 1

O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)

O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm ()

O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie.htm ()

O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)

O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie.htm ()

O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie.htm ()

O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)

O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O15 - HKLM\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.

O15 - HKU\.DEFAULT\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.

O15 - HKU\S-1-5-18\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.

O15 - HKU\S-1-5-21-448539723-1757981266-1935655697-500\..Trusted Domains: 113 domain(s) and sub-domain(s) not assigned to a zone.

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 41.212.3.2 41.212.3.253

O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\ipp - No CLSID value found

O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)

O18 - Protocol\Handler\msdaipp - No CLSID value found

O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)

O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)

O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)

O20 - AppInit_DLLs: (C:\WINDOWS\system32\guard32.dll) - C:\WINDOWS\System32\guard32.dll (COMODO)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)

O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)

O24 - Desktop Components:0 (My Current Home Page) - About:Home

O27 - HKLM IFEO\00hoeav.com: Debugger - C:\WINDOWS\system32\svchostnt.exe File not found

O27 - HKLM IFEO\drwtsn32.exe: Debugger - C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\regedit.sys (Microsoft Corporation)

O27 - HKLM IFEO\taskmgr.exe: Debugger - C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\regedit.sys (Microsoft Corporation)

O31 - SafeBoot: AlternateShell - cmd.exe

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2009/07/21 00:28:33 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2009/10/06 21:38:11 | 00,000,204 | RHS- | M] () - C:\autorun.inf -- [ NTFS ]

O32 - AutoRun File - [2009/10/06 21:38:12 | 00,000,204 | RHS- | M] () - D:\autorun.inf -- [ NTFS ]

O33 - MountPoints2\{a794c678-b4a4-11de-a984-002100724c24}\Shell - "" = AutoRun

O33 - MountPoints2\{a794c678-b4a4-11de-a984-002100724c24}\Shell\AutoRun - "" = Auto&Play

O33 - MountPoints2\{a794c678-b4a4-11de-a984-002100724c24}\Shell\AutoRun\command - "" = E:\AutoRun.exe -- File not found

O33 - MountPoints2\{b7d11db4-7536-11de-b245-806d6172696f}\Shell - "" = AutoRun

O33 - MountPoints2\{b7d11db4-7536-11de-b245-806d6172696f}\Shell\AutoRun - "" = Auto&Play

O33 - MountPoints2\{b7d11db4-7536-11de-b245-806d6172696f}\Shell\AutoRun\command - "" = G:\setup.exe -- File not found

O33 - MountPoints2\{cb91c2a2-7934-11de-a951-00238b074344}\Shell - "" = AutoRun

O33 - MountPoints2\{cb91c2a2-7934-11de-a951-00238b074344}\Shell\AutoRun - "" = Auto&Play

O33 - MountPoints2\{cb91c2a2-7934-11de-a951-00238b074344}\Shell\AutoRun\command - "" = E:\AutoRun.exe -- File not found

O33 - MountPoints2\{d2ae8842-885a-11de-a959-00238b074344}\Shell - "" = AutoRun

O33 - MountPoints2\{d2ae8842-885a-11de-a959-00238b074344}\Shell\AutoRun - "" = Auto&Play

O33 - MountPoints2\{d2ae8842-885a-11de-a959-00238b074344}\Shell\AutoRun\command - "" = E:\AutoRun.exe -- File not found

O33 - MountPoints2\{ff6faf11-9754-11de-a95c-00238b074344}\Shell\AutoRun\command - "" = E:\wscript.exe -- File not found

O33 - MountPoints2\{ff6faf11-9754-11de-a95c-00238b074344}\Shell\open\Command - "" = E:\wscript.exe -- File not found

O33 - MountPoints2\F\Shell - "" = AutoRun

O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play

O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found

O34 - HKLM BootExecute: (autocheck) - File not found

O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)

O34 - HKLM BootExecute: (*) - File not found

O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()

O35 - comfile [open] -- "%1" %* File not found

O35 - exefile [open] -- "%1" %* File not found



========== Files/Folders - Created Within 30 Days ==========



[1 C:\WINDOWS\System32\*.tmp files]

[3 C:\WINDOWS\*.tmp files]

[2009/10/06 23:01:45 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}

[2009/09/28 19:42:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar

[2009/09/28 19:48:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Comodo

[2009/10/06 23:01:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft

[2009/10/06 19:32:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2009/09/28 14:33:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

[2009/10/07 07:36:41 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage

[2009/09/28 14:48:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Macromedia

[2009/10/06 19:33:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes

[2009/09/28 13:23:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Mozilla

[2009/09/28 13:32:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Google

[2009/09/28 13:23:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla

[2009/09/28 13:33:09 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Temp

[2009/09/28 13:32:35 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\InstallShield

[2009/09/28 18:43:52 | 00,000,000 | ---D | C] -- C:\Program Files\AVG

[2009/09/28 13:39:08 | 00,000,000 | ---D | C] -- C:\Program Files\Broadcom

[2009/09/28 19:47:56 | 00,000,000 | ---D | C] -- C:\Program Files\COMODO

[2009/10/06 23:01:47 | 00,000,000 | ---D | C] -- C:\Program Files\Google

[2009/09/28 13:44:34 | 00,000,000 | ---D | C] -- C:\Program Files\Intel

[2009/10/06 23:01:41 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft

[2009/10/06 19:32:30 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2009/09/28 13:23:16 | 00,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox

[2009/09/28 14:33:05 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy

[2009/09/28 19:45:33 | 00,000,000 | ---D | C] -- C:\Program Files\trend micro

[2009/10/20 21:09:00 | 00,521,216 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe

[2009/10/08 10:48:34 | 00,017,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg.dll

[2009/10/08 10:41:28 | 00,026,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spupdsvc.exe

[2009/10/08 09:51:16 | 00,000,000 | -H-D | C] -- C:\WINDOWS\$hf_mig$

[2009/10/07 17:11:33 | 00,091,648 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mtxoci.dll

[2009/10/07 17:11:32 | 00,161,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msdtcuiu.dll

[2009/10/07 17:11:32 | 00,066,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mtxclu.dll

[2009/10/07 17:11:31 | 00,956,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msdtctm.dll

[2009/10/07 17:11:31 | 00,058,880 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msdtclog.dll

[2009/10/07 17:09:25 | 00,002,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp4res.dll

[2009/10/07 17:09:21 | 00,215,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe

[2009/10/07 17:08:08 | 00,080,896 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\tlntsess.exe

[2009/10/07 17:08:07 | 00,076,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\telnet.exe

[2009/10/07 16:39:54 | 00,204,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mswebdvd.dll

[2009/10/07 16:38:14 | 00,346,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\localspl.dll

[2009/10/07 16:37:06 | 00,354,304 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\winhttp.dll

[2009/10/07 16:26:38 | 00,134,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wkssvc.dll

[2009/10/07 16:26:00 | 00,144,896 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\schannel.dll

[2009/10/07 16:23:34 | 00,058,880 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\atl.dll

[2009/10/07 15:37:36 | 00,585,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcrt4.dll

[2009/10/07 15:07:03 | 02,067,968 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mstscax.dll

[2009/10/07 14:57:08 | 00,153,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\triedit.dll

[2009/10/07 14:52:35 | 00,128,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dhtmled.ocx

[2009/10/07 14:50:43 | 00,000,000 | -H-D | C] -- C:\$AVG8.VAULT$

[2009/10/07 14:50:33 | 00,333,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\srv.sys

[2009/10/07 14:48:59 | 01,315,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msoe.dll

[2009/10/07 14:39:29 | 00,108,552 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys

[2009/10/07 14:39:29 | 00,011,952 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll

[2009/10/07 14:39:19 | 00,335,240 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys

[2009/10/07 14:39:18 | 00,027,784 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys

[2009/10/07 14:39:17 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\Avg

[2009/10/07 07:38:04 | 24,689,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe

[2009/10/07 07:37:56 | 00,512,000 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\jscript.dll

[2009/10/07 07:37:50 | 00,000,000 | ---D | C] -- C:\c8ae60870b0c939f50

[2009/10/06 23:02:50 | 00,064,160 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys

[2009/10/06 19:32:38 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2009/10/06 19:32:35 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2009/10/06 19:31:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Deez Magic

[2009/09/28 19:47:58 | 00,179,792 | ---- | C] (COMODO) -- C:\WINDOWS\System32\guard32.dll

[2009/09/28 19:47:58 | 00,132,296 | ---- | C] (COMODO) -- C:\WINDOWS\System32\drivers\cmdguard.sys

[2009/09/28 19:47:58 | 00,087,104 | ---- | C] (COMODO) -- C:\WINDOWS\System32\drivers\inspect.sys

[2009/09/28 19:47:58 | 00,025,160 | ---- | C] (COMODO) -- C:\WINDOWS\System32\drivers\cmdhlp.sys

[2009/09/28 19:45:32 | 00,000,000 | ---D | C] -- C:\rsit

[2009/09/28 19:20:40 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\LogFiles

[2009/09/28 14:26:54 | 00,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

[2009/09/28 13:44:34 | 00,053,248 | ---- | C] (Windows XP Bundled build C-Centric Single User) -- C:\WINDOWS\System32\CSVer.dll

[2009/09/28 13:39:09 | 00,176,640 | ---- | C] (Broadcom Corporation) -- C:\WINDOWS\System32\drivers\b57xp32.sys

[2009/09/28 13:36:05 | 01,286,144 | ---- | C] (Broadcom Corporation) -- C:\WINDOWS\System32\drivers\BCMWL5.SYS

[2009/09/28 13:33:24 | 00,073,728 | ---- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\ChCfg.exe

[2009/09/28 13:33:22 | 00,006,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\splitter.sys

[2009/09/28 13:33:20 | 00,083,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\wdmaud.sys

[2009/09/28 13:33:18 | 00,052,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\DMusic.sys

[2009/09/28 13:33:16 | 00,056,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\swmidi.sys

[2009/09/28 13:33:14 | 00,142,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\aec.sys

[2009/09/28 13:33:12 | 00,172,416 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\kmixer.sys

[2009/09/28 13:33:10 | 00,002,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\drmkaud.sys

[2009/09/28 13:33:07 | 00,060,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\sysaudio.sys

[2009/09/28 13:32:58 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\RTCOM

[2009/09/28 13:32:53 | 00,146,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\portcls.sys

[2009/09/28 13:32:53 | 00,060,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\drmk.sys

[2009/09/28 13:32:47 | 09,716,736 | ---- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTLCPL.exe

[2009/09/28 13:32:47 | 01,826,816 | ---- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SkyTel.exe

[2009/09/28 13:32:47 | 01,196,032 | ---- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RtlUpd.exe

[2009/09/28 13:32:47 | 00,266,240 | ---- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\RTSndMgr.cpl

[2009/09/28 13:32:47 | 00,081,920 | ---- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SoundMan.exe

[2009/09/28 13:32:46 | 04,751,872 | ---- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\drivers\RtkHDAud.sys

[2009/09/28 13:32:43 | 16,806,912 | ---- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.exe

[2009/09/28 13:32:43 | 02,810,880 | ---- | C] (RealTek Semicoductor Corp.) -- C:\WINDOWS\alcwzrd.exe

[2009/09/28 13:32:43 | 02,166,784 | ---- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\MicCal.exe

[2009/09/28 13:32:43 | 00,278,528 | ---- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\ALSndMgr.cpl

[2009/09/28 13:32:43 | 00,057,344 | ---- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\Alcmtr.exe

[2009/09/28 13:32:39 | 00,528,384 | ---- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RtlExUpd.dll

[2009/09/28 13:32:39 | 00,319,488 | ---- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\HideWin.exe

[2009/09/28 13:31:16 | 00,106,557 | ---- | C] (Broadcom Corporation.) -- C:\WINDOWS\System32\btw_ci.dll

[2009/09/28 13:31:16 | 00,089,896 | ---- | C] (Broadcom Corporation.) -- C:\WINDOWS\System32\drivers\btwsecfl.sys

[2009/09/28 13:31:16 | 00,047,272 | ---- | C] (Broadcom Corporation.) -- C:\WINDOWS\System32\drivers\btwusb.sys

[2009/09/28 13:31:15 | 00,991,400 | ---- | C] (Broadcom Corporation.) -- C:\WINDOWS\System32\drivers\btkrnl.sys

[2009/09/28 13:21:18 | 08,067,224 | ---- | C] (Mozilla) -- C:\Documents and Settings\Administrator\Desktop\Firefox Setup 3.5.3.exe



========== Files - Modified Within 30 Days ==========



[1 C:\WINDOWS\System32\*.tmp files]

[3 C:\WINDOWS\*.tmp files]

[2009/10/20 21:23:40 | 01,474,593 | ---- | M] () -- C:\WINDOWS\System32\drivers\sfi.dat

[2009/10/20 21:15:01 | 00,002,337 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk

[2009/10/20 21:14:01 | 00,001,166 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachine.job

[2009/10/20 21:14:00 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2009/10/20 21:13:54 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2009/10/20 21:06:03 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2009/10/16 14:46:44 | 03,712,656 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db

[2009/10/16 09:41:10 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2009/10/16 09:38:46 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

[2009/10/14 16:58:50 | 00,521,216 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe

[2009/10/07 14:46:18 | 42,437,010 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm

[2009/10/07 14:45:32 | 00,492,629 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg

[2009/10/07 14:45:32 | 00,009,280 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg

[2009/10/07 14:39:30 | 00,001,507 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 8.5.lnk

[2009/10/07 14:39:29 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys

[2009/10/07 14:39:29 | 00,011,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll

[2009/10/07 14:39:19 | 00,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys

[2009/10/07 14:39:18 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys

[2009/10/07 14:39:17 | 06,061,540 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg

[2009/10/06 23:01:44 | 00,000,867 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk

[2009/10/06 21:38:11 | 00,353,412 | RHS- | M] () -- C:\pagefiles.sys

[2009/10/06 21:38:11 | 00,000,204 | RHS- | M] () -- C:\autorun.inf

[2009/10/06 19:32:41 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2009/09/28 19:49:20 | 00,000,808 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\COMODO Internet Security.lnk

[2009/09/28 19:47:56 | 00,179,792 | ---- | M] (COMODO) -- C:\WINDOWS\System32\guard32.dll

[2009/09/28 19:47:56 | 00,132,296 | ---- | M] (COMODO) -- C:\WINDOWS\System32\drivers\cmdguard.sys

[2009/09/28 19:47:56 | 00,087,104 | ---- | M] (COMODO) -- C:\WINDOWS\System32\drivers\inspect.sys

[2009/09/28 19:47:56 | 00,025,160 | ---- | M] (COMODO) -- C:\WINDOWS\System32\drivers\cmdhlp.sys

[2009/09/28 19:25:10 | 00,462,344 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2009/09/28 19:25:10 | 00,395,768 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2009/09/28 19:25:10 | 00,059,842 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2009/09/28 19:22:15 | 00,000,067 | ---- | M] () -- C:\WINDOWS\wininit.ini

[2009/09/28 14:13:12 | 00,044,928 | ---- | M] () -- C:\WINDOWS\System32\drivers\fhp3c27.sys

[2009/09/28 13:48:20 | 00,940,794 | ---- | M] () -- C:\WINDOWS\System32\LoopyMusic.wav

[2009/09/28 13:48:20 | 00,146,650 | ---- | M] () -- C:\WINDOWS\System32\BuzzingBee.wav

[2009/09/28 13:32:39 | 00,319,488 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\HideWin.exe

[2009/09/28 13:31:10 | 00,000,633 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk

[2009/09/28 13:23:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat

[2009/09/28 13:23:18 | 00,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk

[2009/09/28 13:23:06 | 08,067,224 | ---- | M] (Mozilla) -- C:\Documents and Settings\Administrator\Desktop\Firefox Setup 3.5.3.exe



========== Files - No Company Name ==========

[2009/10/07 17:11:56 | 01,291,264 | ---- | C] () -- C:\WINDOWS\System32\dllcache\quartz.dll

[2009/10/07 17:09:24 | 01,203,922 | ---- | C] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb

[2009/10/07 14:39:30 | 00,001,507 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 8.5.lnk

[2009/10/07 14:39:17 | 42,437,010 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm

[2009/10/07 14:39:17 | 06,061,540 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg

[2009/10/07 14:39:17 | 00,492,629 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg

[2009/10/07 14:39:17 | 00,009,280 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg

[2009/10/07 07:32:00 | 00,015,688 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe

[2009/10/06 23:04:47 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

[2009/10/06 23:02:04 | 00,001,166 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachine.job

[2009/10/06 23:01:44 | 00,000,867 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk

[2009/10/06 19:32:41 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2009/09/28 19:50:10 | 01,474,593 | ---- | C] () -- C:\WINDOWS\System32\drivers\sfi.dat

[2009/09/28 19:49:20 | 00,000,808 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\COMODO Internet Security.lnk

[2009/09/28 19:22:15 | 00,000,067 | ---- | C] () -- C:\WINDOWS\wininit.ini

[2009/09/28 14:13:12 | 00,044,928 | ---- | C] () -- C:\WINDOWS\System32\drivers\fhp3c27.sys

[2009/09/28 13:48:20 | 00,940,794 | ---- | C] () -- C:\WINDOWS\System32\LoopyMusic.wav

[2009/09/28 13:48:20 | 00,146,650 | ---- | C] () -- C:\WINDOWS\System32\BuzzingBee.wav

[2009/09/28 13:33:44 | 00,000,553 | ---- | C] () -- C:\WINDOWS\USetup.iss

[2009/09/28 13:31:10 | 00,000,633 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk

[2009/09/28 13:23:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat

[2009/09/28 13:23:18 | 00,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk

[2009/08/02 00:32:41 | 00,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll

[2009/08/02 00:21:17 | 00,046,608 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

[2009/07/21 01:00:14 | 03,712,656 | -H-- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db

[2009/07/21 00:50:01 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2009/07/21 00:30:39 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Administrator\Application Data\desktop.ini

[2009/07/20 17:15:29 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini

[2008/06/24 09:20:42 | 02,854,912 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll

[2008/04/14 13:00:00 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\CopyToSendTo.dll

[2008/04/14 13:00:00 | 00,000,573 | ---- | C] () -- C:\WINDOWS\win.ini

[2008/04/14 13:00:00 | 00,000,231 | ---- | C] () -- C:\WINDOWS\system.ini

[2005/02/17 22:41:32 | 00,000,603 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest

[2005/02/17 22:41:30 | 00,000,593 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest

[2003/09/23 15:40:34 | 00,394,240 | ---- | C] () -- C:\WINDOWS\System32\HMTCD.dll

[2003/01/08 01:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

[2001/11/14 23:56:00 | 01,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

< End of report >



+++++++++++++++++


OTL Extras logfile created on: 10/20/2009 9:22:45 PM - Run 1

OTL by OldTimer - Version 3.0.21.0 Folder = C:\Documents and Settings\Administrator\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.5512)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy



1014.36 Mb Total Physical Memory | 396.48 Mb Available Physical Memory | 39.09% Memory free

2.39 Gb Paging File | 1.83 Gb Available in Paging File | 76.61% Paging File free

Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]



%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 103.91 Gb Total Space | 94.02 Gb Free Space | 90.48% Space Free | Partition Type: NTFS

Drive D: | 30.38 Gb Total Space | 26.77 Gb Free Space | 88.10% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded



Computer Name: EVEREST

Current User Name: Administrator

Logged in as Administrator.



Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard



========== Extra Registry (SafeList) ==========





========== File Associations ==========



[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)

.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)



[HKEY_USERS\S-1-5-21-448539723-1757981266-1935655697-500\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)



========== Shell Spawning ==========



[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %* File not found

chm.file [open] -- "C:\WINDOWS\hh.exe" %1 (Microsoft Corporation)

cmdfile [open] -- "%1" %* File not found

comfile [open] -- "%1" %* File not found

exefile [open] -- "%1" %* File not found

htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)

htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)

http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)

https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)

piffile [open] -- "%1" %* File not found

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1" File not found

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S File not found

txtfile [edit] -- Reg Error: Key error.

vbsfile [edit] -- Reg Error: Key error.

vbsfile [print] -- Reg Error: Key error.

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)



========== Security Center Settings ==========



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"AntiVirusOverride" = 0



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"EnableFirewall" = 0

"DoNotAllowExceptions" = 0

"DisableNotifications" = 0

"DisableUnicastResponsesToMulticastBroadcast" = 0



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 0

"DoNotAllowExceptions" = 0

"DisableNotifications" = 0

"DisableUnicastResponsesToMulticastBroadcast" = 0



========== Authorized Applications List ==========



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

"C:\WINDOWS\system32\CNAB4RPK.EXE" = C:\WINDOWS\system32\CNAB4RPK.EXE:*:Enabled:Canon LBP2900 RPC Server Process -- (CANON INC.)

"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)

"C:\Program Files\AVG\AVG8\avgnsx.exe" = C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)





========== HKEY_LOCAL_MACHINE Uninstall List ==========



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{46F4D124-20E5-4D12-BE52-EC177A7A4B42}" = Lenovo OneKey Recovery

"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{84814E6B-2581-46EC-926A-823BD1C670F6}" = Lenovo Bluetooth with Enhanced Data Rate Software

"{8991E763-21F5-4DEA-A938-5D9D77DCB488}" = Broadcom WLAN

"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003

"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update

"{AC76BA86-1033-F400-7760-000000000003}" = Adobe Acrobat 8 Professional - English, Français, Deutsch

"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy

"{D10CB652-9332-4242-B7A9-2D61570144F7}" = Realtek Card Reader

"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware

"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver

"{F870B987-18BC-45FC-9BE8-35C02DCDA10F}" = Broadcom Gigabit Integrated Controller

"Ad-Aware" = Ad-Aware

"Adobe Acrobat 8 Professional - English, Français, Deutsch" = Adobe Acrobat 8 Professional - English, Français, Deutsch

"AVG8Uninstall" = AVG Free 8.5

"Canon LBP2900" = Canon LBP2900

"COMODO Internet Security" = COMODO Internet Security

"HDMI" = Intel® Graphics Media Accelerator Driver

"HijackThis" = HijackThis 2.0.2

"InstallShield_{46F4D124-20E5-4D12-BE52-EC177A7A4B42}" = Lenovo OneKey Recovery

"Magic ISO Maker v5.3 (build 0221)" = Magic ISO Maker v5.3 (build 0221)

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0

"Mobile Partner" = Mobile Partner

"Mozilla Firefox (3.5.3)" = Mozilla Firefox (3.5.3)

"PDF Unlocker - Demo Version 2.0_is1" = PDF Unlocker

"WinRAR archiver" = WinRAR archiver



========== Last 10 Event Log Errors ==========



[ Application Events ]

Error - 10/8/2009 3:00:13 AM | Computer Name = EVEREST | Source = Google Update | ID = 20

Description =



Error - 10/8/2009 4:02:14 AM | Computer Name = EVEREST | Source = Google Update | ID = 20

Description =



Error - 10/9/2009 3:14:48 AM | Computer Name = EVEREST | Source = Google Update | ID = 20

Description =



Error - 10/9/2009 3:27:55 AM | Computer Name = EVEREST | Source = Google Update | ID = 20

Description =



Error - 10/16/2009 3:07:05 AM | Computer Name = EVEREST | Source = Google Update | ID = 20

Description =



Error - 10/16/2009 4:08:15 AM | Computer Name = EVEREST | Source = Google Update | ID = 20

Description =



Error - 10/16/2009 5:06:28 AM | Computer Name = EVEREST | Source = Google Update | ID = 20

Description =



Error - 10/16/2009 5:31:55 AM | Computer Name = EVEREST | Source = Microsoft Office 11 | ID = 2001

Description = Rejected Safe Mode action : Microsoft Office Word.



Error - 10/16/2009 6:07:27 AM | Computer Name = EVEREST | Source = Google Update | ID = 20

Description =



Error - 10/16/2009 7:07:56 AM | Computer Name = EVEREST | Source = Google Update | ID = 20

Description =



[ System Events ]

Error - 10/16/2009 3:03:36 AM | Computer Name = EVEREST | Source = DCOM | ID = 10010

Description = The server {C2BFE331-6739-4270-86C9-493D9A04CD38} did not register

with DCOM within the required timeout.



Error - 10/16/2009 3:07:38 AM | Computer Name = EVEREST | Source = DCOM | ID = 10010

Description = The server {078AEF33-C48A-49F7-AFF3-A0EE810BFE7C} did not register

with DCOM within the required timeout.



Error - 10/16/2009 3:41:59 AM | Computer Name = EVEREST | Source = DCOM | ID = 10010

Description = The server {C2BFE331-6739-4270-86C9-493D9A04CD38} did not register

with DCOM within the required timeout.



Error - 10/16/2009 3:48:40 AM | Computer Name = EVEREST | Source = DCOM | ID = 10010

Description = The server {078AEF33-C48A-49F7-AFF3-A0EE810BFE7C} did not register

with DCOM within the required timeout.



Error - 10/16/2009 7:14:28 AM | Computer Name = EVEREST | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service EventSystem

with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}



Error - 10/16/2009 7:17:23 AM | Computer Name = EVEREST | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service StiSvc with

arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}



Error - 10/16/2009 7:17:36 AM | Computer Name = EVEREST | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service StiSvc with

arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}



Error - 10/16/2009 7:25:19 AM | Computer Name = EVEREST | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service StiSvc with

arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}



Error - 10/16/2009 7:25:46 AM | Computer Name = EVEREST | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service StiSvc with

arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}



Error - 10/16/2009 7:46:45 AM | Computer Name = EVEREST | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service EventSystem

with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}





< End of report >


Thank you for your help as always!
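As an added triage example (not OTL's own code, and nothing either poster ran): a small parser for the O27, O32, O33 and O35 line formats shown in the log above. It flags Image File Execution Options "Debugger" redirections (Windows launches the Debugger command in place of the named program), a hidden autorun.inf on a fixed-drive root, and MountPoints2 commands that launch a script host, while treating the default `"%1" %*` exefile/comfile handlers that OTL annotates "File not found" as benign. The sample lines are copied from the log above; the default-handler table and the script-host list are my assumptions.

```python
"""Triage helper for a few OTL line types (added example, not part of OTL)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the OTL log in this thread, plus one
# benign O33 entry for contrast, so the script runs offline.
SAMPLE_LOG = r"""
O20 - AppInit_DLLs: (C:\WINDOWS\system32\guard32.dll) - C:\WINDOWS\System32\guard32.dll (COMODO)
O27 - HKLM IFEO\00hoeav.com: Debugger - C:\WINDOWS\system32\svchostnt.exe File not found
O27 - HKLM IFEO\drwtsn32.exe: Debugger - C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\regedit.sys (Microsoft Corporation)
O27 - HKLM IFEO\taskmgr.exe: Debugger - C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\regedit.sys (Microsoft Corporation)
O32 - AutoRun File - [2009/07/21 00:28:33 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/10/06 21:38:11 | 00,000,204 | RHS- | M] () - C:\autorun.inf -- [ NTFS ]
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\{ff6faf11-9754-11de-a95c-00238b074344}\Shell\open\Command - "" = E:\wscript.exe -- File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found
"""

# Assumed defaults for Windows XP shell\open commands of executable classes.
# OTL prints "File not found" after them because "%1" is not a resolvable path,
# so an O35 line that equals its default is not a hijack.
DEFAULT_SPAWN = {
    ("exefile", "open"): '"%1" %*',
    ("comfile", "open"): '"%1" %*',
    ("batfile", "open"): '"%1" %*',
    ("cmdfile", "open"): '"%1" %*',
    ("piffile", "open"): '"%1" %*',
    ("scrfile", "open"): '"%1" /S',
    ("scrfile", "config"): '"%1"',
}

# Assumed list of script hosts that have no business as a drive's AutoRun command.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}

RE_IFEO = re.compile(r"^O27 - \S+ IFEO\\(?P<image>[^:]+): Debugger - (?P<cmd>.+)$")
RE_AUTORUN = re.compile(
    r"^O32 - AutoRun File - \[[^|]+\|[^|]+\|\s*(?P<attrs>[^|]+?)\s*\|[^\]]+\] "
    r"\([^)]*\) - (?P<path>.+?) -- \["
)
RE_MOUNT = re.compile(
    r'^O33 - MountPoints2\\(?P<key>.+?)\\Shell\\(?P<verb>[^\\]+)\\[Cc]ommand - "" = '
    r"(?P<cmd>.+?)(?: -- File not found)?$"
)
RE_SPAWN = re.compile(
    r"^O35 - (?P<cls>\w+) \[(?P<verb>\w+)\] -- (?P<cmd>.+?)(?: File not found| \([^)]*\))?$"
)


@dataclass(frozen=True)
class Finding:
    kind: str     # ifeo-debugger | autorun-inf | mountpoint-script | shell-spawn
    subject: str  # hijacked image, file path, mount key or file class
    detail: str   # what the entry points to


def _strip_trailer(cmd: str) -> str:
    """Drop OTL's trailing ' File not found' or ' (Company Name)' annotation."""
    cmd = re.sub(r"\s+File not found$", "", cmd)
    return re.sub(r"\s+\([^()]*\)$", "", cmd)


def triage_otl(text: str) -> list[Finding]:
    """Return the suspicious O27/O32/O33/O35 entries found in an OTL log."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_IFEO.match(line):
            # Any Debugger value under IFEO replaces the named program with the
            # debugger command; pointing taskmgr.exe at a script host is a hijack.
            findings.append(Finding("ifeo-debugger", m["image"], _strip_trailer(m["cmd"])))
        elif m := RE_AUTORUN.match(line):
            if m["path"].lower().endswith("\\autorun.inf"):
                attrs = m["attrs"]
                hidden = "hidden+system" if "H" in attrs and "S" in attrs else attrs
                findings.append(Finding("autorun-inf", m["path"], hidden))
        elif m := RE_MOUNT.match(line):
            # First token is the executable (sample paths contain no spaces).
            exe = m["cmd"].split()[0].rsplit("\\", 1)[-1].lower()
            if exe in SCRIPT_HOSTS:
                findings.append(Finding("mountpoint-script", m["key"], m["cmd"]))
        elif m := RE_SPAWN.match(line):
            default = DEFAULT_SPAWN.get((m["cls"].lower(), m["verb"].lower()))
            if default is not None and m["cmd"].strip().lower() != default.lower():
                findings.append(Finding("shell-spawn", f'{m["cls"]} [{m["verb"]}]', m["cmd"]))
    return findings


if __name__ == "__main__":
    for f in triage_otl(SAMPLE_LOG):
        print(f"{f.kind:18} {f.subject:45} -> {f.detail}")
```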

#7 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home

Posted 20 October 2009 - 06:46 PM

Hi,

I notice that you had a couple of malware entries in your first logs, many of which are gone now. Do you recall which program found what in which file? If you could provide some of the logfiles, that would be great. :(

How did you reinstall the driver? Have you run sfc /scannow to check if other Microsoft files were corrupted?

I also see that you installed Malwarebytes, did you run a scan with it? If so, please provide the log.


Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

C:\WINDOWS\System32\drivers\fhp3c27.sys

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/


Please also run Rootrepeal:
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract the contents of RootRepeal.zip, to your desktop.
  • Double click the RootRepeal icon on your desktop.
  • Click on the report tab, then click scan
  • Check all seven boxes:
    Drivers
    Files
    Processes
    SSDT
    Stealth Objects
    Hidden Services
    Shadow SSDT
  • Click Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, Click the Save Report button. Save the log as RootRepeal.txt and post it in your next reply.
Please post back the result from jotti and the logs from your security software as well.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#8 yundo

yundo
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:05:42 PM

Posted 20 October 2009 - 08:03 PM

Hi again,

Yes I did run Malwarebytes sorry I did not mention that before. I will post the log below. I also ran Root Repeal previously and will also attach that log as well as the Root Repeal log from today. I will post today’s logs at the top.

Here is what I have done since your last post.

1. I ran sfc /scannow – nothing seemed to have happened. A black box flickered on and off.

2. I ran Jotti on C:\WINDOWS\System32\drivers\fhp3c27.sys here is the log:

Filename: fhp3c27.sys
Status: Scan finished. 8 out of 21 scanners reported malware.
Scan taken on: Wed 21 Oct 2009 02:02:20 (CET)



Scanners

[ArcaVir]

2009-10-20 Found nothing

[G DATA]

2009-10-20 Win32:Alureon-DK

[A-Squared]

2009-10-21 Found nothing

[Ikarus]

2009-10-20 Found nothing

[Avast! antivirus]

2009-10-20 Win32:Alureon-DK

[Kaspersky Anti-Virus]

2009-10-21 Rootkit.Win32.Agent.uok

[Grisoft AVG Anti-Virus]

2009-10-20 Found nothing

[ESET NOD32]

2009-10-20 Win32/Rootkit.Kryptik.S

[Avira AntiVir]

2009-10-20 TR/Crypt.ZPACK.Gen

[Norman Virus Control]

2009-10-20 Found nothing

[Softwin BitDefender]

2009-10-20 Found nothing

[Panda Antivirus]

2009-10-20 Found nothing

[ClamAV]

2009-10-20 Found nothing

[Quick Heal]

2009-10-20 Found nothing

[CPsecure]

2009-10-20 Found nothing

[Sophos]

2009-10-21 Found nothing

[Dr.Web]

2009-10-20 BackDoor.Gootkit.2

[VirusBlokAda VBA32]

2009-10-20 Found nothing

[Frisk F-Prot Antivirus]

2009-10-20 W32/Rootkit.B.gen!Eldorado

[VirusBuster]

2009-10-20 Found nothing

[F-Secure Anti-Virus]

2009-10-21 Rootkit.Win32.Agent.uok

3. I also ran Jotti on C:\WINDOWS\explorer.exe as it has been throwing up errors in AVG. Here is the log:




Filename: explorer.exe

Status:

Scan finished. 18 out of 21 scanners reported malware.

Scan taken on: Wed 21 Oct 2009 02:34:38 (CET)



Scanners

[ArcaVir]

2009-10-20 Heur.W32

[G DATA]

2009-10-21 Win32.Virtob.Gen.12

[A-Squared]

2009-10-21 Trojan.Win32.Patched!IK

[Ikarus]

2009-10-20 Trojan.Win32.Patched

[Avast! antivirus]

2009-10-20 Win32:Vitro

[Kaspersky Anti-Virus]

2009-10-21 Virus.Win32.Virut.ce

[Grisoft AVG Anti-Virus]

2009-10-20 Win32/Virut

[ESET NOD32]

2009-10-20 Win32/Virut.NBP

[Avira AntiVir]

2009-10-20 W32/Virut.Gen

[Norman Virus Control]

2009-10-20 Found nothing

[Softwin BitDefender]

2009-10-20 Win32.Virtob.Gen.12

[Panda Antivirus]

2009-10-20 W32/Sality.AO

[ClamAV]

2009-10-20 Found nothing

[Quick Heal]

2009-10-20 W32.Virut.G

[CPsecure]

2009-10-20 Found nothing

[Sophos]

2009-10-21 W32/Scribble-B

[Dr.Web]

2009-10-20 Win32.Virut.56

[VirusBlokAda VBA32]

2009-10-20 Virus.Win32.Virut.X5

[Frisk F-Prot Antivirus]

2009-10-20 W32/Virut.AI!Generic

[VirusBuster]

2009-10-20 Win32.Virut.Y.Gen

[F-Secure Anti-Virus]

2009-10-21 Virus.Win32.Virut.ce


Here is today’s Root Repeal log:

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/10/21 03:25

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================



Drivers

-------------------

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xA786F000 Size: 49152 File Visible: No Signed: -

Status: -



Hidden/Locked Files

-------------------

Path: C:\WINDOWS\system32\drivers\sfi.dat

Status: Locked to the Windows API!



SSDT

-------------------

#: 011 Function Name: NtAdjustPrivilegesToken

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa27fd46



#: 031 Function Name: NtConnectPort

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa27f250



#: 037 Function Name: NtCreateFile

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa27f8ea



#: 041 Function Name: NtCreateKey

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2802c2



#: 046 Function Name: NtCreatePort

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa27f132



#: 050 Function Name: NtCreateSection

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa281254



#: 052 Function Name: NtCreateSymbolicLinkObject

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa28152c



#: 053 Function Name: NtCreateThread

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa27ecf8



#: 063 Function Name: NtDeleteKey

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa27ff2c



#: 065 Function Name: NtDeleteValueKey

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2800dc



#: 068 Function Name: NtDuplicateObject

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa27ea5a



#: 097 Function Name: NtLoadDriver

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa280ed6



#: 105 Function Name: NtMakeTemporaryObject

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa27f4d4



#: 116 Function Name: NtOpenFile

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa27fb2e



#: 122 Function Name: NtOpenProcess

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa27e78a



#: 125 Function Name: NtOpenSection

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa27f764



#: 128 Function Name: NtOpenThread

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa27e902



#: 192 Function Name: NtRenameKey

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa280688



#: 200 Function Name: NtRequestWaitReplyPort

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2809f0



#: 210 Function Name: NtSecureConnectPort

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa280c72



#: 240 Function Name: NtSetSystemInformation

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa281084



#: 247 Function Name: NtSetValueKey

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa280488



#: 249 Function Name: NtShutdownSystem

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa27f46e



#: 255 Function Name: NtSystemDebugControl

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa27f658



#: 257 Function Name: NtTerminateProcess

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa27effc



#: 258 Function Name: NtTerminateThread

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa27eeca



Stealth Objects

-------------------

Object: Hidden Module [Name: svchost.exe]

Process: svchost.exe (PID: 2988) Address: 0x01000000 Size: 20480



Shadow SSDT

-------------------

#: 013 Function Name: NtGdiBitBlt

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa283308



#: 122 Function Name: NtGdiDeleteObjectApp

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa283a2c



#: 227 Function Name: NtGdiMaskBlt

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa28343c



#: 233 Function Name: NtGdiOpenDCW

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2838ec



#: 237 Function Name: NtGdiPlgBlt

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa28357c



#: 292 Function Name: NtGdiStretchBlt

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2836b0



#: 310 Function Name: NtUserBlockInput

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa283188



#: 319 Function Name: NtUserCallHwndParamLock

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2823da



#: 383 Function Name: NtUserGetAsyncKeyState

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa282e58



#: 389 Function Name: NtUserGetClipboardData

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2837ea



#: 414 Function Name: NtUserGetKeyboardState

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa282bc6



#: 416 Function Name: NtUserGetKeyState

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa282d08



#: 460 Function Name: NtUserMessageCall

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2828aa



#: 465 Function Name: NtUserMoveWindow

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa282112



#: 475 Function Name: NtUserPostMessage

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa28255c



#: 476 Function Name: NtUserPostThreadMessage

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa282708



#: 491 Function Name: NtUserRegisterRawInputDevices

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa282fa8



#: 502 Function Name: NtUserSendInput

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa282a6c



#: 509 Function Name: NtUserSetClipboardViewer

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa28309e



#: 529 Function Name: NtUserSetParent

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa282282



#: 549 Function Name: NtUserSetWindowsHookEx

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa283a92



#: 552 Function Name: NtUserSetWinEventHook

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa283cc6



==EOF==

Root repeal from: 2009/09/28 20:33
ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/09/28 20:33

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================



Drivers

-------------------

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xA922B000 Size: 49152 File Visible: No Signed: -

Status: -



Hidden/Locked Files

-------------------

Path: C:\WINDOWS\Prefetch\ROOTREPEAL.EXE-2E0A134A.pf

Status: Visible to the Windows API, but not on disk.



Path: C:\WINDOWS\Temp\Perflib_Perfdata_c84.dat

Status: Invisible to the Windows API!



Path: C:\WINDOWS\system32\drivers\sfi.dat

Status: Locked to the Windows API!



Path: c:\windows\system32\catroot2\dberr.txt

Status: Size mismatch (API: 29673, Raw: 29418)



Path: c:\documents and settings\all users\application data\comodo\firewall pro\cfplogdb.sdb

Status: Size mismatch (API: 93184, Raw: 91136)



Path: c:\documents and settings\all users\application data\comodo\tmp\base_end_user_v2456.cav

Status: Size mismatch (API: 48592896, Raw: 45671424)



SSDT

-------------------

#: 011 Function Name: NtAdjustPrivilegesToken

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2a7d46



#: 031 Function Name: NtConnectPort

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2a7250



#: 037 Function Name: NtCreateFile

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2a78ea



#: 041 Function Name: NtCreateKey

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2a82c2



#: 046 Function Name: NtCreatePort

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2a7132



#: 050 Function Name: NtCreateSection

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2a9254



#: 052 Function Name: NtCreateSymbolicLinkObject

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2a952c



#: 053 Function Name: NtCreateThread

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2a6cf8



#: 063 Function Name: NtDeleteKey

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2a7f2c



#: 065 Function Name: NtDeleteValueKey

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2a80dc



#: 068 Function Name: NtDuplicateObject

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2a6a5a



#: 097 Function Name: NtLoadDriver

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2a8ed6



#: 105 Function Name: NtMakeTemporaryObject

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2a74d4



#: 116 Function Name: NtOpenFile

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2a7b2e



#: 122 Function Name: NtOpenProcess

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2a678a



#: 125 Function Name: NtOpenSection

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2a7764



#: 128 Function Name: NtOpenThread

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2a6902



#: 192 Function Name: NtRenameKey

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2a8688



#: 200 Function Name: NtRequestWaitReplyPort

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2a89f0



#: 210 Function Name: NtSecureConnectPort

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2a8c72



#: 240 Function Name: NtSetSystemInformation

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2a9084



#: 247 Function Name: NtSetValueKey

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2a8488



#: 249 Function Name: NtShutdownSystem

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2a746e



#: 255 Function Name: NtSystemDebugControl

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2a7658



#: 257 Function Name: NtTerminateProcess

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2a6ffc



#: 258 Function Name: NtTerminateThread

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2a6eca



Stealth Objects

-------------------

Object: Hidden Module [Name: svchost.exe]

Process: svchost.exe (PID: 3712) Address: 0x01000000 Size: 20480



Shadow SSDT

-------------------

#: 013 Function Name: NtGdiBitBlt

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2ab308



#: 122 Function Name: NtGdiDeleteObjectApp

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2aba2c



#: 227 Function Name: NtGdiMaskBlt

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2ab43c



#: 233 Function Name: NtGdiOpenDCW

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2ab8ec



#: 237 Function Name: NtGdiPlgBlt

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2ab57c



#: 292 Function Name: NtGdiStretchBlt

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2ab6b0



#: 310 Function Name: NtUserBlockInput

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2ab188



#: 319 Function Name: NtUserCallHwndParamLock

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2aa3da



#: 383 Function Name: NtUserGetAsyncKeyState

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2aae58



#: 389 Function Name: NtUserGetClipboardData

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2ab7ea



#: 414 Function Name: NtUserGetKeyboardState

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2aabc6



#: 416 Function Name: NtUserGetKeyState

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2aad08



#: 460 Function Name: NtUserMessageCall

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2aa8aa



#: 465 Function Name: NtUserMoveWindow

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2aa112



#: 475 Function Name: NtUserPostMessage

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2aa55c



#: 476 Function Name: NtUserPostThreadMessage

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2aa708



#: 491 Function Name: NtUserRegisterRawInputDevices

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2aafa8



#: 502 Function Name: NtUserSendInput

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2aaa6c



#: 509 Function Name: NtUserSetClipboardViewer

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2ab09e



#: 529 Function Name: NtUserSetParent

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2aa282



#: 549 Function Name: NtUserSetWindowsHookEx

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2aba92



#: 552 Function Name: NtUserSetWinEventHook

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2abcc6



==EOF==

Here are the two malwarebyte logs:

Malwarebytes' Anti-Malware 1.41

Database version: 2915

Windows 5.1.2600 Service Pack 3



10/6/2009 9:47:24 PM

mbam-log-2009-10-06 (21-47-24).txt



Scan type: Quick Scan

Objects scanned: 90419

Time elapsed: 6 minute(s), 42 second(s)



Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0



Memory Processes Infected:

(No malicious items detected)



Memory Modules Infected:

(No malicious items detected)



Registry Keys Infected:

(No malicious items detected)



Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\regdeit (Backdoor.Bot) -> Quarantined and deleted successfully.



Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.



Folders Infected:

(No malicious items detected)



Files Infected:

(No malicious items detected)

++++++++++++++


Malwarebytes' Anti-Malware 1.41

Database version: 2915

Windows 5.1.2600 Service Pack 3



10/6/2009 9:55:31 PM

mbam-log-2009-10-06 (21-55-31).txt



Scan type: Quick Scan

Objects scanned: 90200

Time elapsed: 5 minute(s), 5 second(s)



Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0



Memory Processes Infected:

(No malicious items detected)



Memory Modules Infected:

(No malicious items detected)



Registry Keys Infected:

(No malicious items detected)



Registry Values Infected:

(No malicious items detected)



Registry Data Items Infected:

(No malicious items detected)



Folders Infected:

(No malicious items detected)



Files Infected:

(No malicious items detected)
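
The two RootRepeal reports above list every SSDT and Shadow SSDT hook individually, so the useful triage question (which drivers installed the hooks, and is each of them expected on this machine?) has to be answered by eye. The script below is an added example, not code from the thread, from RootRepeal or from BleepingComputer: it parses a report of this shape, groups hooks by the driver that set them, flags hooks from any driver outside an allowlist, and lists the hidden/locked files and stealth objects. The allowlist holds only cmdguard.sys and cmdhlp.sys, which the DDS log later in this thread identifies as COMODO Internet Security drivers; that list is an assumption to be maintained per machine. The embedded report is a constructed excerpt in the posted format: the sfi.dat entry and the hidden module in svchost.exe mirror the posted logs, while the hook by "unknown.sys" is fictitious and only there to exercise the flagging.

```python
"""Triage a RootRepeal report: group SSDT / Shadow SSDT hooks by the driver
that installed them, flag drivers not on an allowlist, and list the
hidden/locked files and stealth objects.

Added example; not part of the original thread, of RootRepeal or of
BleepingComputer. The allowlist is an assumption for illustration.
"""
import re
from collections import Counter

# cmdguard.sys / cmdhlp.sys are the COMODO drivers named in the thread's
# DDS log. Assumption: any other hooking driver needs a manual look.
ALLOWED_HOOKING_DRIVERS = {"cmdguard.sys", "cmdhlp.sys"}

SECTION_HEADERS = {"Drivers", "Processes", "Hidden/Locked Files", "SSDT",
                   "Stealth Objects", "Hidden Services", "Shadow SSDT"}
HOOK_RE = re.compile(r"^#:\s*(\d+)\s+Function Name:\s*(\S+)")
HOOKED_BY_RE = re.compile(r'^Status:\s*Hooked by "([^"]+)" at address (0x[0-9A-Fa-f]+)')

# Constructed excerpt in the posted format; the unknown.sys hook is fictitious.
SAMPLE_REPORT = r"""
ROOTREPEAL (c) AD, 2007-2009
Windows Version: Windows XP SP3

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\drivers\sfi.dat
Status: Locked to the Windows API!

SSDT
-------------------
#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa27f8ea

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa280ed6

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\unknown.sys" at address 0xaa27e78a

Stealth Objects
-------------------
Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 2988) Address: 0x01000000 Size: 20480

Shadow SSDT
-------------------
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa282e58

==EOF==
"""


def basename(win_path):
    """Last component of a Windows path, lower-cased for comparison."""
    return win_path.rsplit("\\", 1)[-1].lower()


def parse_report(text):
    """Walk the report, tracking the current section (a known header followed
    by a dashed underline), and collect multi-line entries per section."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    section, pending = None, None
    hooks, files, stealth = [], [], []
    for i, line in enumerate(lines):
        if line in SECTION_HEADERS and i + 1 < len(lines) and lines[i + 1].startswith("---"):
            section, pending = line, None
            continue
        if section in ("SSDT", "Shadow SSDT"):
            m = HOOK_RE.match(line)
            if m:
                pending = {"table": section, "index": int(m.group(1)), "function": m.group(2)}
                continue
            m = HOOKED_BY_RE.match(line)
            if m and pending is not None:
                pending.update(driver=m.group(1), address=int(m.group(2), 16))
                hooks.append(pending)
                pending = None
        elif section == "Hidden/Locked Files":
            if line.startswith("Path:"):
                pending = {"path": line[5:].strip()}
            elif line.startswith("Status:") and pending is not None:
                pending["status"] = line[7:].strip()
                files.append(pending)
                pending = None
        elif section == "Stealth Objects":
            if line.startswith("Object:"):
                pending = {"object": line[7:].strip()}
            elif line.startswith("Process:") and pending is not None:
                pending["process"] = line[8:].strip()
                stealth.append(pending)
                pending = None
    return {"hooks": hooks, "files": files, "stealth": stealth}


def triage(text, allowed=ALLOWED_HOOKING_DRIVERS):
    """Hook counts per driver, drivers not on the allowlist (with their
    hooks), plus the hidden/locked files and stealth objects found."""
    parsed = parse_report(text)
    by_driver = Counter(basename(h["driver"]) for h in parsed["hooks"])
    unexpected = sorted(d for d in by_driver if d not in allowed)
    return {
        "hooks_by_driver": dict(by_driver),
        "unexpected_hook_drivers": unexpected,
        "unexpected_hooks": [h for h in parsed["hooks"] if basename(h["driver"]) in unexpected],
        "files": parsed["files"],
        "stealth": parsed["stealth"],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for drv, n in sorted(result["hooks_by_driver"].items()):
        flag = "" if drv in ALLOWED_HOOKING_DRIVERS else "  <-- not on allowlist"
        print(f"{n:3d} hook(s) by {drv}{flag}")
    for h in result["unexpected_hooks"]:
        print(f"    {h['table']} #{h['index']:03d} {h['function']} -> {h['driver']}")
    for f in result["files"]:
        print(f"file    {f['path']}: {f['status']}")
    for s in result["stealth"]:
        print(f"stealth {s['object']} ({s['process']})")
```

Run it against a saved RootRepeal.txt by passing the file's contents to triage(). On the posted logs every hook resolves to cmdguard.sys, so the hook section alone is not evidence of a rootkit; the entries that still deserve attention are the ones outside the hook tables, the locked sfi.dat and the hidden module inside svchost.exe.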

#9 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:04:42 PM

Posted 20 October 2009 - 08:36 PM

Hi,

I've got bad news, I'm sorry to say. :( AVG was right to warn you about those files, they were infected by virut.

Your system is infected with a nasty variant of Virut, a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer. According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. Virux is an even more complex file infector which can embed an iframe into the body of web-related files and infect script files (.php, .asp, and .html). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable.

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus... Due to the damage caused to files by Virut it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. Undetected, corrupted files (possibly still containing part of the viral code) can also be found. This is caused by incorrectly written and non-functional viral code present in these files.

AVG Overview of W32/Virut

This kind of infection is contracted and spread by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and an increasing source of system infection. However, the CA Security Advisor Research Blog says they have found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before you connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read:

There is no guarantee this infection can be completely removed. In some instances it may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

Please let me know what your next step will be.

regards _temp_

Edited by _temp_, 20 October 2009 - 08:36 PM.

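
The post above notes that some Virut variants modify the HOSTS file to block security-related sites, and earlier in this thread the HouseCall and Kaspersky online scanners showed as unavailable from the infected machine. The script below is an added example, not code from the thread or from any product it names: it parses a Windows HOSTS file (%SystemRoot%\System32\drivers\etc\hosts) and reports every entry that names a security-related domain or a subdomain of one, whatever address the entry points to, since a clean HOSTS file has no reason to mention those domains at all. The domain list is an illustrative assumption, and the embedded HOSTS content is constructed; its redirect lines are fabricated to exercise the check.

```python
"""Audit a Windows HOSTS file for entries that hijack security-related
domains, the technique the Norman paper cited in the thread attributes
to some Virut variants.

Added example; not part of the original thread or of any product named
in it. SECURITY_DOMAINS is an illustrative assumption.
"""

# Domains a file infector has an interest in redirecting. Assumption:
# the sites the original poster could not reach (Trend Micro HouseCall,
# Kaspersky) plus the tools used in the thread and Windows Update.
SECURITY_DOMAINS = {
    "trendmicro.com", "kaspersky.com", "avg.com", "malwarebytes.org",
    "bleepingcomputer.com", "virustotal.com", "jotti.org",
    "windowsupdate.com", "microsoft.com",
}

# Constructed sample in the layout of %SystemRoot%\System32\drivers\etc\hosts.
# Only the localhost line is normal; the rest is fabricated for the test.
SAMPLE_HOSTS = r"""
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.kaspersky.com kaspersky.com
127.0.0.1       housecall.trendmicro.com   # inline comment
10.0.0.5        free.avg.com
192.168.1.10    fileserver.local
"""


def parse_hosts(text):
    """Return (line_number, ip, hostname) for every mapping, one tuple per
    hostname. Comments (whole-line and inline) and blank lines are skipped;
    hostnames are lower-cased and a trailing dot removed."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed: an address with no hostname
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((lineno, ip, name.lower().rstrip(".")))
    return entries


def matches_domain(hostname, domains):
    """The domain in `domains` that hostname equals or is a subdomain of,
    or None. Suffix matching is done on label boundaries, so
    'notkaspersky.com' does not match 'kaspersky.com'."""
    for d in domains:
        if hostname == d or hostname.endswith("." + d):
            return d
    return None


def audit_hosts(text, domains=SECURITY_DOMAINS):
    """Every HOSTS entry naming a security-related domain, with the line it
    came from and the address it was pointed at."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        matched = matches_domain(name, domains)
        if matched:
            findings.append({"line": lineno, "ip": ip, "hostname": name, "matched": matched})
    return findings


if __name__ == "__main__":
    # On a live machine: text = open(r"C:\WINDOWS\system32\drivers\etc\hosts").read()
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['hostname']} -> {f['ip']}  (matches {f['matched']})")
```

A hit here explains a "site unavailable" message without a network problem, but, as the post says, fixing HOSTS does nothing about the infector itself; on a Virut machine the finding is evidence for the reformat decision, not a cleanup step.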


#10 yundo

yundo
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:05:42 PM

Posted 21 October 2009 - 02:18 PM

Thanks for the real advice and for sharing all the links so I could read up on it myself. It is scary how infected that computer was. I have taken your advice and formatted and reinstalled Windows XP. Well, since it is a small Lenovo S10 netbook without a CD drive, I used the inbuilt One Key Restore feature to reinstall the OS. From the links you shared I understand that this could mean that the computer can still be infected. Would you please have a look at these new logs for me and see if everything is ok?
Thank you.



DDS (Ver_09-09-24.01) - FAT32x86

Run by admin at 3:04:56.81 on Thu 10/22/2009

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.544 [GMT 8:00]



AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}



============== Running Processes ===============



C:\WINDOWS\system32\svchost -k DcomLaunch

SVCHOST.EXE

C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\Program Files\Windows Defender\MsMpEng.exe

C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe

SVCHOST.EXE

SVCHOST.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

SVCHOST.EXE

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Lenovo\Energy Management\utility.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Lenovo\Energy Management\Energy Management.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe

C:\PROGRA~1\Lenovo\BLUETO~1\BTSTAC~1.EXE

C:\Documents and Settings\Miriam K Were\Desktop\Deez Magic\dds.scr



============== Pseudo HJT Report ===============



uStart Page = hxxp://lenovo.live.com/

uInternet Connection Wizard,ShellNext = hxxp://www.avg.com/ww.special-toolbar-first-run-tlbrf-v2

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll

uURLSearchHooks: H - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll

BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll

BHO: 1 (0x1) - No File

TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [IgfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [AzMixerSel] c:\program files\realtek\audio\installshield\AzMixerSel.exe

mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [EnergyUtility] c:\program files\lenovo\energy management\utility.exe

mRun: [Energy Management] c:\program files\lenovo\energy management\Energy Management.exe

mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\lenovo\bluetooth software\BTTray.exe

IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: Send to &Bluetooth Device... - c:\program files\lenovo\bluetooth software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\lenovo\bluetooth software\btsendto_ie.htm

IE: {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} - http://www.lenovo.com

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\lenovo\bluetooth software\btsendto_ie.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1256121069046

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll

Notify: avgrsstarter - avgrsstx.dll

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: c:\windows\system32\guard32.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll



================= FIREFOX ===================



FF - ProfilePath - c:\docume~1\miriam~1\applic~1\mozilla\firefox\profiles\0za6cx91.default\

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\



============= SERVICES / DRIVERS ===============



R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-21 335240]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-10-21 27784]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-21 108552]

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-10-21 132296]

R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-10-21 25160]

R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-10-21 908056]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-10-21 297752]

R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-10-21 723632]

R2 System_Repair_UpdateMonitor;System Repair Windows Update Monitor;c:\program files\lenovo\onekey app\system repair\UpdateMonitor.exe [2008-10-29 430080]

R2 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [2008-10-29 47680]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\drivers\AcpiVpc.sys [2008-10-29 9472]

R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2008-10-29 157696]

S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]

S3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [2008-10-29 81192]



=============== Created Last 30 ================



2009-10-22 02:47 <DIR> --dsh--- c:\documents and settings\miriam k were\IETldCache

2009-10-22 02:38 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll

2009-10-22 02:38 12,800 -------- c:\windows\system32\dllcache\xpshims.dll

2009-10-22 02:38 <DIR> --d----- c:\windows\ie8updates

2009-10-22 02:38 100,352 -------- c:\windows\system32\dllcache\iecompat.dll

2009-10-22 02:35 <DIR> --d-h--- c:\windows\ie8

2009-10-22 00:20 333,952 -------- c:\windows\system32\dllcache\srv.sys

2009-10-22 00:20 331,776 -------- c:\windows\system32\dllcache\msadce.dll

2009-10-22 00:19 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll

2009-10-22 00:13 337,408 -------- c:\windows\system32\dllcache\netapi32.dll

2009-10-22 00:12 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat

2009-10-22 00:06 272,128 -------- c:\windows\system32\dllcache\bthport.sys

2009-10-21 23:46 401,408 -------- c:\windows\system32\dllcache\rpcss.dll

2009-10-21 23:46 284,160 -------- c:\windows\system32\dllcache\pdh.dll

2009-10-21 23:46 473,600 -------- c:\windows\system32\dllcache\fastprox.dll

2009-10-21 23:46 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe

2009-10-21 23:46 110,592 -------- c:\windows\system32\dllcache\services.exe

2009-10-21 23:46 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll

2009-10-21 23:46 617,472 -------- c:\windows\system32\dllcache\advapi32.dll

2009-10-21 23:46 714,752 -------- c:\windows\system32\dllcache\ntdll.dll

2009-10-21 23:44 153,088 -------- c:\windows\system32\dllcache\triedit.dll

2009-10-21 23:41 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx

2009-10-21 23:36 203,136 -------- c:\windows\system32\dllcache\rmcast.sys

2009-10-21 23:35 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys

2009-10-21 23:12 691,712 -------- c:\windows\system32\dllcache\inetcomm.dll

2009-10-21 23:01 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe

2009-10-21 23:01 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe

2009-10-21 23:01 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe

2009-10-21 22:50 1,106,944 -------- c:\windows\system32\dllcache\msxml3.dll

2009-10-21 22:48 2,560 -------- c:\windows\system32\xpsp4res.dll

2009-10-21 22:48 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb

2009-10-21 22:48 215,552 -------- c:\windows\system32\dllcache\wordpad.exe

2009-10-21 22:38 1,368,640 a------- c:\windows\system32\ICAutoUpdate.log.bak

2009-10-21 22:23 <DIR> --d----- C:\ed6a7df4a00c8f740f7d532f22aa

2009-10-21 21:27 <DIR> --d----- c:\windows\system32\PreInstall

2009-10-21 20:35 31,768 a------- c:\windows\system32\wucltui.dll.mui

2009-10-21 20:35 18,456 a------- c:\windows\system32\wuaueng.dll.mui

2009-10-21 20:35 23,576 a------- c:\windows\system32\wuaucpl.cpl.mui

2009-10-21 20:35 23,576 a------- c:\windows\system32\wuapi.dll.mui

2009-10-21 20:35 <DIR> --d----- c:\windows\system32\SoftwareDistribution

2009-10-21 18:50 <DIR> --d----- c:\windows\system32\LogFiles

2009-10-21 18:27 <DIR> --d----- c:\program files\Windows Live Favorites

2009-10-21 18:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Comodo

2009-10-21 18:19 179,792 a------- c:\windows\system32\guard32.dll

2009-10-21 18:19 132,296 a------- c:\windows\system32\drivers\cmdguard.sys

2009-10-21 18:19 25,160 a------- c:\windows\system32\drivers\cmdhlp.sys

2009-10-21 18:19 <DIR> --d----- c:\program files\COMODO

2009-10-21 13:03 108,552 a------- c:\windows\system32\drivers\avgtdix.sys

2009-10-21 13:03 11,952 a------- c:\windows\system32\avgrsstx.dll

2009-10-21 13:03 335,240 a------- c:\windows\system32\drivers\avgldx86.sys

2009-10-21 13:03 <DIR> --d----- c:\windows\system32\drivers\Avg

2009-10-21 13:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar

2009-10-21 13:03 <DIR> --d----- c:\program files\AVG

2009-10-21 13:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8

2009-10-21 12:39 703 a------- c:\documents and settings\miriam k were\set_env.bat

2009-10-21 12:39 <DIR> --d----- c:\docume~1\miriam~1\applic~1\Symantec

2009-10-21 12:39 <DIR> --d----- c:\documents and settings\miriam k were\Bluetooth Software

2009-10-21 12:39 <DIR> --d----- c:\documents and settings\Miriam K Were

2009-10-21 12:36 5,208 a------- c:\windows\system32\pid.PNF



==================== Find3M ====================



2009-09-11 22:18 136,192 a------- c:\windows\system32\msv1_0.dll

2009-09-11 22:18 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll

2009-09-05 05:03 58,880 a------- c:\windows\system32\msasn1.dll

2009-09-05 05:03 58,880 -------- c:\windows\system32\dllcache\msasn1.dll

2009-08-29 16:08 916,480 a------- c:\windows\system32\wininet.dll

2009-08-29 16:08 1,208,832 -------- c:\windows\system32\dllcache\urlmon.dll

2009-08-29 16:08 916,480 -------- c:\windows\system32\dllcache\wininet.dll

2009-08-29 16:08 5,940,224 -------- c:\windows\system32\dllcache\mshtml.dll

2009-08-29 16:08 206,848 -------- c:\windows\system32\dllcache\occache.dll

2009-08-29 16:08 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll

2009-08-29 16:08 594,432 -------- c:\windows\system32\dllcache\msfeeds.dll

2009-08-29 16:08 184,320 -------- c:\windows\system32\dllcache\iepeers.dll

2009-08-29 16:08 55,296 -------- c:\windows\system32\dllcache\msfeedsbs.dll

2009-08-29 16:08 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll

2009-08-29 16:08 11,069,440 -------- c:\windows\system32\dllcache\ieframe.dll

2009-08-29 16:08 387,584 -------- c:\windows\system32\dllcache\iedkcs32.dll

2009-08-29 15:36 133,120 -------- c:\windows\system32\dllcache\extmgr.dll

2009-08-28 18:35 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe

2009-08-28 18:29 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe

2009-08-26 16:00 247,326 a------- c:\windows\system32\strmdll.dll

2009-08-26 16:00 247,326 a------- c:\windows\system32\dllcache\strmdll.dll

2009-08-05 17:01 204,800 a------- c:\windows\system32\mswebdvd.dll

2009-08-05 17:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll

2009-08-04 23:13 2,145,280 a------- c:\windows\system32\ntoskrnl.exe

2009-08-04 22:20 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe

2009-08-04 20:44 2,189,184 -------- c:\windows\system32\dllcache\ntoskrnl.exe

2009-07-29 12:37 119,808 a------- c:\windows\system32\t2embed.dll

2009-07-29 12:37 81,920 a------- c:\windows\system32\fontsub.dll

2009-07-29 12:37 119,808 -------- c:\windows\system32\dllcache\t2embed.dll

2009-07-29 12:37 81,920 -------- c:\windows\system32\dllcache\fontsub.dll

2008-10-29 20:13 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat



============= FINISH: 3:05:46.51 ===============


ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/10/22 03:07

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================



Drivers

-------------------

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xA9EC5000 Size: 98304 File Visible: No Signed: -

Status: -



Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF7AD3000 Size: 8192 File Visible: No Signed: -

Status: -



Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xA8F25000 Size: 49152 File Visible: No Signed: -

Status: -



SSDT

-------------------

#: 011 Function Name: NtAdjustPrivilegesToken

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa207d46



#: 031 Function Name: NtConnectPort

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa207250



#: 037 Function Name: NtCreateFile

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2078ea



#: 041 Function Name: NtCreateKey

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2082c2



#: 046 Function Name: NtCreatePort

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa207132



#: 050 Function Name: NtCreateSection

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa209254



#: 052 Function Name: NtCreateSymbolicLinkObject

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa20952c



#: 053 Function Name: NtCreateThread

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa206cf8



#: 063 Function Name: NtDeleteKey

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa207f2c



#: 065 Function Name: NtDeleteValueKey

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2080dc



#: 068 Function Name: NtDuplicateObject

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa206a5a



#: 097 Function Name: NtLoadDriver

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa208ed6



#: 105 Function Name: NtMakeTemporaryObject

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2074d4



#: 116 Function Name: NtOpenFile

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa207b2e



#: 122 Function Name: NtOpenProcess

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa20678a



#: 125 Function Name: NtOpenSection

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa207764



#: 128 Function Name: NtOpenThread

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa206902



#: 192 Function Name: NtRenameKey

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa208688



#: 200 Function Name: NtRequestWaitReplyPort

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa2089f0



#: 210 Function Name: NtSecureConnectPort

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa208c72



#: 240 Function Name: NtSetSystemInformation

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa209084



#: 247 Function Name: NtSetValueKey

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa208488



#: 249 Function Name: NtShutdownSystem

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa20746e



#: 255 Function Name: NtSystemDebugControl

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa207658



#: 257 Function Name: NtTerminateProcess

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa206ffc



#: 258 Function Name: NtTerminateThread

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa206eca



Shadow SSDT

-------------------

#: 013 Function Name: NtGdiBitBlt

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa20b308



#: 122 Function Name: NtGdiDeleteObjectApp

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa20ba2c



#: 227 Function Name: NtGdiMaskBlt

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa20b43c



#: 233 Function Name: NtGdiOpenDCW

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa20b8ec



#: 237 Function Name: NtGdiPlgBlt

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa20b57c



#: 292 Function Name: NtGdiStretchBlt

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa20b6b0



#: 310 Function Name: NtUserBlockInput

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa20b188



#: 319 Function Name: NtUserCallHwndParamLock

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa20a3da



#: 383 Function Name: NtUserGetAsyncKeyState

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa20ae58



#: 389 Function Name: NtUserGetClipboardData

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa20b7ea



#: 414 Function Name: NtUserGetKeyboardState

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa20abc6



#: 416 Function Name: NtUserGetKeyState

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa20ad08



#: 460 Function Name: NtUserMessageCall

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa20a8aa



#: 465 Function Name: NtUserMoveWindow

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa20a112



#: 475 Function Name: NtUserPostMessage

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa20a55c



#: 476 Function Name: NtUserPostThreadMessage

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa20a708



#: 491 Function Name: NtUserRegisterRawInputDevices

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa20afa8



#: 502 Function Name: NtUserSendInput

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa20aa6c



#: 509 Function Name: NtUserSetClipboardViewer

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa20b09e



#: 529 Function Name: NtUserSetParent

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa20a282



#: 549 Function Name: NtUserSetWindowsHookEx

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa20ba92



#: 552 Function Name: NtUserSetWinEventHook

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa20bcc6



==EOF==



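The RootRepeal output above lists every SSDT and Shadow SSDT hook together with the driver that placed it. Triage is quicker when the hooks are grouped by module, so that an analyst can confirm at a glance that all of them belong to an installed security product (here cmdguard.sys, the COMODO driver listed under SERVICES / DRIVERS in the DDS log) rather than to a driver nobody can account for. The Python script below is an added example; it is not part of the thread and not RootRepeal's own code. It parses a constructed excerpt in RootRepeal's format (the cmdguard.sys lines mirror the posted log; xyzdrv.sys is a hypothetical driver that does not appear in it), groups hooks by driver, flags hooks from drivers that are not on an assumed allow-list, and reports each driver's hook address span as a rough sanity check.

```python
"""SSDT / Shadow SSDT hook triage for a RootRepeal report.

Added example, not from the thread or from RootRepeal. It groups the
'Status: Hooked by "<driver>" at address 0x...' lines by hooking driver so an
analyst can check that every kernel hook belongs to a known security product.
"""
import re
from collections import defaultdict

# Constructed excerpt in RootRepeal's format.  The cmdguard.sys lines mirror
# the posted log; xyzdrv.sys is a hypothetical unknown driver added so the
# allow-list check has something to flag.
SAMPLE_REPORT = """\
SSDT
-------------------
#: 037 Function Name: NtCreateFile

Status: Hooked by "C:\\WINDOWS\\System32\\DRIVERS\\cmdguard.sys" at address 0xaa2078ea

#: 097 Function Name: NtLoadDriver

Status: Hooked by "C:\\WINDOWS\\System32\\DRIVERS\\cmdguard.sys" at address 0xaa208ed6

#: 122 Function Name: NtOpenProcess

Status: Hooked by "C:\\WINDOWS\\System32\\DRIVERS\\xyzdrv.sys" at address 0xaa300010

Shadow SSDT
-------------------
#: 549 Function Name: NtUserSetWindowsHookEx

Status: Hooked by "C:\\WINDOWS\\System32\\DRIVERS\\cmdguard.sys" at address 0xaa20ba92
"""

# Assumption for this example: the only driver expected to hook the SSDT on
# this machine is COMODO's cmdguard.sys (listed in the DDS SERVICES section).
KNOWN_HOOKERS = {"cmdguard.sys"}

FUNC_RE = re.compile(r"^#:\s*(\d+)\s+Function Name:\s*(\S+)")
HOOK_RE = re.compile(r'^Status:\s*Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')


def parse_hooks(report):
    """Return [(table, index, function, driver_basename, address_int), ...]."""
    hooks, table, pending = [], None, None
    for raw in report.splitlines():
        line = raw.strip()
        if line in ("SSDT", "Shadow SSDT"):
            table = line            # section header: which table follows
            continue
        m = FUNC_RE.match(line)
        if m:                       # '#: NNN Function Name: NtXxx'
            pending = (int(m.group(1)), m.group(2))
            continue
        m = HOOK_RE.match(line)
        if m and pending:           # 'Status: Hooked by "<path>" at address 0x..'
            driver = m.group(1).rsplit("\\", 1)[-1].lower()
            hooks.append((table, pending[0], pending[1], driver, int(m.group(2), 16)))
            pending = None
    return hooks


def hooks_by_driver(hooks):
    """Map hooking driver -> sorted list of hooked function names."""
    grouped = defaultdict(list)
    for _table, _idx, func, driver, _addr in hooks:
        grouped[driver].append(func)
    return {d: sorted(f) for d, f in grouped.items()}


def unknown_hookers(hooks, known=KNOWN_HOOKERS):
    """Hooks placed by any driver that is not on the allow-list."""
    return [h for h in hooks if h[3] not in known]


def address_span(hooks):
    """Per driver, (lowest, highest) hook target address.

    Heuristic: all of one driver's hook targets should sit inside that
    driver's own image, so a very wide span (or addresses far from the
    driver's load address) is worth a second look.
    """
    span = {}
    for _table, _idx, _func, driver, addr in hooks:
        lo, hi = span.get(driver, (addr, addr))
        span[driver] = (min(lo, addr), max(hi, addr))
    return span


def report(text):
    """Human-readable triage summary for one RootRepeal report."""
    hooks = parse_hooks(text)
    lines = [f"{len(hooks)} hooks parsed"]
    for driver, funcs in sorted(hooks_by_driver(hooks).items()):
        lo, hi = address_span(hooks)[driver]
        tag = "known" if driver in KNOWN_HOOKERS else "UNKNOWN"
        lines.append(f"{driver} [{tag}] {len(funcs)} hooks, targets 0x{lo:08x}-0x{hi:08x}: "
                     + ", ".join(funcs))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_REPORT))
```

Run against the full posted report the summary collapses to a single cmdguard.sys line covering all the SSDT and Shadow SSDT entries, which is what one expects from a HIPS product like COMODO; any second driver in that list is the one to investigate.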

#11 myrti (Sillyberry; Malware Study Hall Admin)

Posted 21 October 2009 - 06:56 PM

Hi,

Virut infects every executable file. This way it does not have to leave a trace in the logs you showed.

These are links to anti-virus vendors that offer free LiveCD or Rescue CD files, which you boot from to repair unbootable and damaged systems, rescue data and scan the system for virus infections. Burn it as an image to a disk to get a bootable CD. All (except Avira) are in the ISO image file format. Avira uses an EXE that has built-in CD burning capability. If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.

Choose one of them and scan your PC with it. If they find infected files, this means that your install did not work or that you have since executed another infected file. Really, the only solution is then to reformat once more.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

Follow BleepingComputer on: Facebook | Twitter | Google+


#12 yundo (Topic Starter)

Posted 23 October 2009 - 04:01 PM

Thank you for all your help. I am learning a lot from you.
As per your advice I scanned the computer using a live CD and, sure enough, as you suspected the infection was still there.

I scanned first with the Kaspersky Rescue Disk; here is the log:

Scan: completed 10/22/09 8:17 PM (events: 10, objects: , time: 00:00:00)
10/22/09 8:17 PM Task completed
10/22/09 7:03 PM Deleted: Virus.Win32.Virut.ce /discs/E:/drivers/Wireless/ISL_64.exe
10/22/09 7:02 PM Deleted: Virus.Win32.Virut.ce /discs/E:/drivers/Wireless/RMV_64.exe
10/22/09 7:02 PM Deleted: Virus.Win32.Virut.ce /discs/E:/drivers/Wireless/DRC_64.exe
10/22/09 6:58 PM Detected: Virus.Win32.Virut.ce /discs/E:/drivers/Wireless/RMV_64.exe
10/22/09 6:58 PM Detected: Virus.Win32.Virut.ce /discs/E:/drivers/Wireless/ISL_64.exe
10/22/09 6:58 PM Detected: Virus.Win32.Virut.ce /discs/E:/drivers/Wireless/DRC_64.exe
10/22/09 6:57 PM Deleted: Virus.Win32.Virut.ce /discs/E:/drivers/Audio/WDM/RtlUpd64.exe
10/22/09 6:56 PM Detected: Virus.Win32.Virut.ce /discs/E:/drivers/Audio/WDM/RtlUpd64.exe
10/22/09 5:46 PM Task started

Then I scanned again using the BitDefender Live CD. Here is the log:

====================================================
= Logging started on Fri Oct 23 13:49:06 2009
====================================================

List of objects to be scanned:
- /media/sda1
- /media/sda3
- /media/sda5

Object '/media/sda5/Installed Programmes/ms office
2k3/Office2003.iso=>Extras/MathType 5.1/mtype_v5_1_keygen.exe' is
infected with 'Win32.Freetrip.C@mm'

==================================================
= Applying actions
==================================================
File '/media/sda5/Installed Programmes/ms office 2k3/Office2003.iso'
has been ignored

==================================================
= Applying actions
==================================================
Object '/media/sda5/Installed Programmes/ms office
2k3/Office2003.iso=>Extras/MathType 5.1/mtype_v5_1_keygen.exe' could
not be deleted


As you can see, BitDefender was unable to delete Win32.Freetrip.C@mm, which the other anti-virus did not even pick up.
Is your recommendation still to completely format this machine and reinstall from scratch, or is there anything else I can try? I ask only because this is a Lenovo S10 netbook and as far as I can tell it did not come with any CDs, so I would have to buy a new copy of Windows if I formatted the drive. But please feel free to give me what you think is the best course of action.

Thanks again for your help!
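The Kaspersky Rescue Disk log above interleaves Detected and Deleted events for the same objects, and the BitDefender log ends with an object that "could not be deleted". What a practitioner wants from such logs is the list of detections that were never remediated, and a count per volume so the question of what lives on E: can be answered from the log itself. The Python script below is an added example, not part of the thread and not Kaspersky's or BitDefender's software. It parses a constructed log in the Kaspersky Rescue Disk format shown above (the Deleted line for RMV_64.exe is deliberately left out, and one hypothetical C: detection is added, so that both the unresolved path and the per-volume count are exercised), pairs each detection with its remediation, lists whatever remains unresolved, and counts detections per drive letter from the /discs/X:/ mount prefix, which is an assumed layout.

```python
"""Reconcile a Kaspersky Rescue Disk scan log: which detections were remediated?

Added example, not part of the thread or of Kaspersky's tooling.  It pairs
'Detected:' events with the 'Deleted:' (or Disinfected/Quarantined) event for
the same object and lists anything still unresolved, then counts detections
per Windows volume so the '/discs/E:' question can be answered from the log.
"""
import re
from collections import Counter

# Constructed sample in the same format as the posted log.  The Deleted line
# for RMV_64.exe is deliberately left out, and the Detected line on C: is
# hypothetical, so both the unresolved path and the per-volume count are
# exercised.
SAMPLE_LOG = """\
10/22/09 8:17 PM Task completed
10/22/09 7:03 PM Deleted: Virus.Win32.Virut.ce /discs/E:/drivers/Wireless/ISL_64.exe
10/22/09 6:58 PM Detected: Virus.Win32.Virut.ce /discs/E:/drivers/Wireless/RMV_64.exe
10/22/09 6:58 PM Detected: Virus.Win32.Virut.ce /discs/E:/drivers/Wireless/ISL_64.exe
10/22/09 6:57 PM Deleted: Virus.Win32.Virut.ce /discs/E:/drivers/Audio/WDM/RtlUpd64.exe
10/22/09 6:56 PM Detected: Virus.Win32.Virut.ce /discs/E:/drivers/Audio/WDM/RtlUpd64.exe
10/22/09 6:30 PM Detected: Virus.Win32.Virut.ce /discs/C:/Program Files/hypothetical/setup.exe
10/22/09 5:46 PM Task started
"""

# Assumed line shape: '<date> <time> <AM|PM> <Action>: <threat> <path>'
EVENT_RE = re.compile(
    r"^(\S+ \S+ [AP]M) (Detected|Deleted|Disinfected|Quarantined): (\S+) (.+)$")
# Assumed mount layout of the rescue disk: /discs/<drive letter>:/...
VOLUME_RE = re.compile(r"^/discs/([A-Za-z]:)/")
REMEDIATED = {"Deleted", "Disinfected", "Quarantined"}


def parse_events(log):
    """Parse detection/remediation events; 'Task started/completed' lines are skipped."""
    events = []
    for line in log.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append({"time": m.group(1), "action": m.group(2),
                           "threat": m.group(3), "path": m.group(4)})
    return events


def reconcile(events):
    """Return {path: {'threat': name, 'resolved': bool}} for every object seen."""
    status = {}
    for ev in events:
        entry = status.setdefault(ev["path"], {"threat": ev["threat"], "resolved": False})
        if ev["action"] in REMEDIATED:
            entry["resolved"] = True
    return status


def unresolved(events):
    """Sorted paths that were detected but never deleted/disinfected/quarantined."""
    return sorted(p for p, s in reconcile(events).items() if not s["resolved"])


def detections_by_volume(events):
    """Count 'Detected' events per Windows drive letter (from the /discs/X:/ prefix)."""
    counts = Counter()
    for ev in events:
        if ev["action"] == "Detected":
            m = VOLUME_RE.match(ev["path"])
            counts[m.group(1) if m else "?"] += 1
    return dict(counts)


def summary(log):
    """One-line overview plus one line per unresolved detection."""
    events = parse_events(log)
    status = reconcile(events)
    lines = [f"{len(events)} events, detections per volume: {detections_by_volume(events)}"]
    for path in unresolved(events):
        lines.append(f"UNRESOLVED {status[path]['threat']} {path}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summary(SAMPLE_LOG))
```

On the real log every E: detection pairs with a Deleted line, so the unresolved list would be empty; the volume count, on the other hand, puts all four hits on E:, which is exactly the drive-letter question the next posts turn on.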

#13 myrti (Sillyberry; Malware Study Hall Admin)

Posted 26 October 2009 - 11:35 AM

Hi,

What is on your E: partition?

'/media/sda5/Installed Programmes/ms office
2k3/Office2003.iso=>Extras/MathType 5.1/mtype_v5_1_keygen.exe'


The practice of using cracking tools, keygens, warez or any pirated software is not only considered illegal activity but it is a serious security risk.

Cracking applications are used for illegally breaking (cracking) various copy-protection and registration techniques used in commercial software. These programs may be distributed via Web sites, Usenet, and P2P networks.

http://www.trendmicro.com/vinfo/grayware/v...=CRCK_KEYGEN.BB

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

http://blog.trendmicro.com/crack-sites-dis...rux-and-fakeav/


When you use these kind of programs, be forewarned that some of the worst types of malware infections can be contracted and spread by visiting crack, keygen, warez and other pirated software sites. In many cases, those sites are infested with a lot of malware and an increasing source of system infection. Those who attempt to get software for free can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.


If you still need assistance please remove all cracked software from your system. Namely the:
  • MS Office

regards _temp_


#14 yundo (Topic Starter)

Posted 26 October 2009 - 11:55 AM

Hi again.

As far as I can tell the laptop has no permanent E: drive (please see the attached screenshots).
I just rechecked and it definitely does not have MS Office installed yet. The only software I have installed is:
Firewall - Comodo
Anti Virus - AVG Free
Internet Explorer
All the Windows XP updates

In short, I have no idea where that E: drive reading is coming from.

However, when I did put in my USB stick I noticed it allocated it drive letter E:,
and when I plugged in the external CD-ROM drive (after removing the USB stick) it was also given the drive letter E:.

So at the time of the scan the E: drive would have been the CD-ROM drive on which the BitDefender etc. live CDs were running.

How could it find MS Office on that CD?

I think I may be missing something here, please share any thoughts with me because as far as I can see there is no permanent E: drive and no hacked software!

Thanks again




#15 myrti (Sillyberry; Malware Study Hall Admin)

Posted 26 October 2009 - 02:57 PM

Hi,

Could you please tell me if your D: or C: partition contains the folders "drivers" and/or "installed programmes"?

regards _temp_




