Infected with Pakes.u located in C:/windows/system32/drivers/atapisys.dll


  • This topic is locked
21 replies to this topic

#1 pcourtemanche

  • Members
  • 17 posts

Posted 30 October 2009 - 09:05 PM

DDS.TXT Log


DDS (Ver_09-10-26.01) - NTFSx86
Run by OEM Preinstall at 21:39:36.96 on Fri 10/30/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.94 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\providerComcast\bin\tgsrvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\comcasttb\CIDGlobalLight.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\OEM Preinstall\Desktop\dds.scr
C:\WINDOWS\system32\SearchProtocolHost.exe

============== Pseudo HJT Report ===============

mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: H - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
TB: Comcast Toolbar: {79ceea4e-c231-4614-9e3b-53b2a02f39b7} - c:\program files\comcasttb\comcastdx.dll
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_9
uRun: [ComcastAntispyClient] "c:\program files\comcasttb\comcastspywarescan\ComcastAntispy.exe" /hide
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [FBSearch] c:\program files\search guard plus\SearchGuardPlus.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173923867318
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5476/mcfscan.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-20 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-20 360584]
R2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\comcastspywarescan\ComcastAntiSpyService.exe [2009-6-17 616408]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-10-24 108289]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-10-20 285392]
R2 gearsec;gearsec;c:\windows\system32\gearsec.exe [2003-12-1 53248]
R2 tgsrvc_providercomcast;SupportSoft Repair Service (providercomcast);c:\program files\providercomcast\bin\tgsrvc.exe [2008-5-2 148768]
S2 cfgmhrmimqi;cfgmhrmimqi;\??\c:\windows\system32\drivers\oexswureoxbnfi.sys --> c:\windows\system32\drivers\oexswureoxbnfi.sys [?]
S2 USBDriver;USBDriver;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]

=============== Created Last 30 ================

2009-10-29 01:38:37 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-25 16:03:36 0 d-----w- c:\docume~1\oempre~1\applic~1\Malwarebytes
2009-10-25 16:03:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-25 16:03:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-25 16:03:23 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-25 16:03:21 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-25 01:37:48 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-10-25 01:37:48 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-25 01:26:44 0 d-sha-r- C:\cmdcons
2009-10-25 01:25:14 98816 ----a-w- c:\windows\sed.exe
2009-10-25 01:25:14 236544 ----a-w- c:\windows\PEV.exe
2009-10-25 01:25:14 161792 ----a-w- c:\windows\SWREG.exe
2009-10-24 21:26:32 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-10-24 21:26:19 0 d-----w- c:\program files\Avira
2009-10-24 21:26:19 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2009-10-21 00:23:56 0 d-----w- C:\$AVG
2009-10-21 00:23:42 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-21 00:23:42 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-21 00:23:35 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-21 00:23:20 0 d-----w- c:\windows\system32\drivers\Avg
2009-10-21 00:23:04 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-10-21 00:21:21 0 d-----w- c:\program files\AVG
2009-10-17 00:14:56 0 ----a-w- c:\windows\Dtiluxeruxil.bin
2009-10-17 00:14:50 120 ----a-w- c:\windows\Isojalepinub.dat
2009-10-03 19:00:17 17991 ----a-w- c:\windows\system32\ikihi.lib
2009-10-03 19:00:17 14959 ----a-w- c:\docume~1\alluse~1\applic~1\pici.dat
2009-10-03 18:44:16 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-10-03 15:15:14 18767 ----a-w- c:\windows\system32\ykyqokupep.db
2009-10-03 15:15:14 12691 ----a-w- c:\windows\mehapawef.com
2009-10-03 13:41:37 19468 ----a-w- c:\windows\xuvodac.db
2009-10-03 13:41:37 14596 ----a-w- c:\docume~1\alluse~1\applic~1\hunax.dat
2009-10-03 13:41:37 10395 ----a-w- c:\windows\system32\cugugugeh.db

==================== Find3M ====================

2009-09-16 14:22:48 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22:48 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22:48 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22:48 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22:14 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\SET4E.tmp
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-05 16:49:31 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-06 23:23:46 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23:46 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13:08 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20:09 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2008-11-12 23:48:11 19157 ----a-w- c:\program files\common files\kogu.lib
2008-11-12 23:48:11 17933 ----a-w- c:\program files\common files\dugiby.com
2008-11-12 23:48:11 15467 ----a-w- c:\program files\common files\yvijexyrek.db
2008-11-12 23:48:11 12710 ----a-w- c:\program files\common files\jotuvexo.sys
2007-02-08 03:59:16 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007020720070208\index.dat
2008-11-15 18:03:14 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008111520081116\index.dat

============= FINISH: 21:40:39.87 ===============


AVG Error Message:

Results Overview:

C:\Windows\system32\drivers\atapi.sys Trojan Horse Rootkit-Pakes.U Object is white-listed (critical/system file that should not be removed)

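As an added triage example, not part of the original post and not code from the DDS or OTL tools: a small Python parser for the DDS service lines and the OTL PRC/SRV/DRV lines in the logs above. It surfaces the two entries a practitioner would check first here: a driver under system32\drivers that reports no company name (the Microsoft-shipped atapi.sys carries a Microsoft Corporation version resource, so an empty vendor field on that path warrants comparing the file against a known-good copy rather than trusting a scanner's whitelist), and a service whose image file DDS could not find or whose name looks machine-generated. The sample lines are constructed from the formats in the post; the consonant-run heuristic for generated names is an assumption of this example, not something either tool does.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: five lines in the DDS and OTL formats used in the post.
# The atapi.sys entry with an empty vendor field and the S2 service whose
# driver file DDS could not find are the two entries worth a second look.
SAMPLE_LOG = r"""
DRV - [2009/10/20 19:23:36 | 00,333,192 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2008/04/13 13:40:30 | 00,096,512 | ---- | M] () -- C:\WINDOWS\system32\DRIVERS\atapi.sys -- (atapi)
SRV - [2009/06/17 12:49:44 | 00,616,408 | ---- | M] () -- C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe -- (AntiSpywareService)
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-20 360584]
S2 cfgmhrmimqi;cfgmhrmimqi;\??\c:\windows\system32\drivers\oexswureoxbnfi.sys --> c:\windows\system32\drivers\oexswureoxbnfi.sys [?]
"""

# OTL: "KIND - [date | size | attrs | M] (Company) -- path -- (ServiceName)"
OTL_RE = re.compile(
    r"^(?P<kind>PRC|SRV|DRV|MOD) - \[(?P<meta>[^\]]*)\] \((?P<vendor>.*?)\) -- "
    r"(?P<path>.+?)(?: -- \((?P<name>[^)]+)\))?$"
)
# DDS: "R1 Name;Display name;image path [date size]"; a "[?]" stamp is what
# the S2 line in the post shows when DDS could not stat the image file.
DDS_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+) \[(?P<stamp>[^\]]*)\]$"
)
SYSTEM_DIR_RE = re.compile(r"\\windows\\system32\\", re.IGNORECASE)
# Assumption of this example: six or more consecutive consonants almost never
# occur in vendor-chosen names but are common in generated ones (cfgmhrmimqi).
CONSONANT_RUN_RE = re.compile(r"[bcdfghjklmnpqrstvwxz]{6,}", re.IGNORECASE)


@dataclass
class Finding:
    severity: str   # "high" or "low"
    name: str       # service/driver name, or file name when OTL gives none
    path: str
    reason: str


def looks_random(name: str) -> bool:
    return CONSONANT_RUN_RE.search(name) is not None


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def triage_line(line: str) -> list[Finding]:
    """Return the findings for one DDS or OTL line (empty for anything else)."""
    findings: list[Finding] = []
    m = OTL_RE.match(line)
    if m:
        name = m["name"] or basename(m["path"])
        if m["vendor"] == "":
            # No CompanyName in the version resource. Microsoft's own atapi.sys
            # carries one, so an empty field on a system32 path is the strongest
            # signal in these logs; elsewhere it is only a weak one.
            sev = "high" if SYSTEM_DIR_RE.search(m["path"]) else "low"
            findings.append(Finding(sev, name, m["path"], "no company name in version resource"))
        if looks_random(name) or looks_random(basename(m["path"])):
            findings.append(Finding("high", name, m["path"], "random-looking name"))
        return findings
    m = DDS_RE.match(line)
    if m:
        if m["stamp"] == "?":
            findings.append(Finding("high", m["name"], m["path"], "image file not found on disk"))
        if looks_random(m["name"]) or looks_random(basename(m["path"])):
            findings.append(Finding("high", m["name"], m["path"], "random-looking name"))
    return findings


def triage(log: str) -> list[Finding]:
    """Run triage_line over every line of a pasted DDS/OTL log."""
    findings: list[Finding] = []
    for line in log.splitlines():
        findings.extend(triage_line(line.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.name}: {f.reason} ({f.path})")
```

On the sample the script reports atapi.sys (high, no company name in a system directory), the Comcast service (low, no company name outside the system directory) and the cfgmhrmimqi service twice (missing image file, generated-looking name). Paste a full OTL.txt or DDS.txt in place of SAMPLE_LOG to run it over a real log; the heuristics are deliberately narrow so that the hits are worth reading one by one.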

#2 myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,784 posts
  • Gender:Female
  • Location:At home

Posted 06 November 2009 - 12:04 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the OTL.exe icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#3 myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,784 posts
  • Gender:Female
  • Location:At home

Posted 11 November 2009 - 05:43 AM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti



#4 myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,784 posts
  • Gender:Female
  • Location:At home

Posted 13 November 2009 - 09:58 AM

Topic reopened.

Please post your logs.

regards myrti



#5 pcourtemanche

  • Topic Starter
  • Members
  • 17 posts

Posted 13 November 2009 - 11:01 AM

OTL logfile created on: 11/13/2009 10:50:51 AM - Run 1
OTL by OldTimer - Version 3.1.5.0 Folder = C:\Documents and Settings\OEM Preinstall\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.79 Mb Total Physical Memory | 469.09 Mb Available Physical Memory | 46.23% Memory free
2.39 Gb Paging File | 1.68 Gb Available in Paging File | 70.39% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 132.71 Gb Free Space | 89.04% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OEM-2568CCEBA0B
Current User Name: OEM Preinstall
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/11/13 09:49:08 | 00,529,408 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\OEM Preinstall\Desktop\OTL.exe
PRC - [2009/11/12 18:34:52 | 02,020,120 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2009/11/12 18:34:50 | 00,600,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2009/10/20 19:23:13 | 01,055,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2009/10/20 19:23:08 | 00,502,040 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2009/10/20 19:23:07 | 00,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2009/10/20 19:23:07 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2009/09/17 13:29:04 | 00,645,328 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/09/16 09:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/09/16 08:28:38 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/09/15 09:23:54 | 00,894,136 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/09/05 11:49:33 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/09/05 11:49:33 | 00,136,600 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/08/19 12:25:52 | 01,589,208 | ---- | M] () -- C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpy.exe
PRC - [2009/07/21 13:34:33 | 00,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/07/09 23:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/07/08 10:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 18:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/06/17 12:49:44 | 00,616,408 | ---- | M] () -- C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
PRC - [2009/05/13 15:48:22 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/03/02 12:08:47 | 00,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2008/05/26 22:19:14 | 00,123,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Desktop Search\WindowsSearch.exe
PRC - [2008/05/02 11:40:34 | 00,148,768 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\providerComcast\bin\tgsrvc.exe
PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/02/19 13:10:32 | 00,267,048 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2008/02/19 13:10:24 | 00,504,104 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2008/01/31 23:13:08 | 00,385,024 | ---- | M] (Apple Inc.) -- C:\Program Files\QuickTime\QTTask.exe
PRC - [2007/10/31 14:09:16 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2007/09/26 12:55:04 | 00,283,912 | ---- | M] (CA, Inc.) -- C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
PRC - [2007/05/08 15:24:20 | 00,054,840 | ---- | M] (Hewlett-Packard) -- C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
PRC - [2005/09/19 21:36:20 | 00,114,688 | R--- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
PRC - [2005/09/19 21:32:24 | 00,077,824 | R--- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2005/05/12 00:40:38 | 00,204,800 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
PRC - [2005/05/12 00:33:52 | 00,479,232 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
PRC - [2005/05/11 23:23:26 | 00,282,624 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
PRC - [2005/01/12 03:01:32 | 00,032,768 | ---- | M] (Cyberlink Corp.) -- C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
PRC - [2004/09/24 13:32:48 | 00,118,784 | ---- | M] (Nikon Corporation) -- C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
PRC - [2003/12/01 15:27:00 | 00,053,248 | ---- | M] (GEAR Software) -- C:\WINDOWS\system32\gearsec.exe


========== Modules (SafeList) ==========

MOD - [2009/11/13 09:49:08 | 00,529,408 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\OEM Preinstall\Desktop\OTL.exe
MOD - [2008/04/13 19:12:51 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
MOD - [2008/04/13 19:11:53 | 00,185,344 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\framedyn.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/10/20 19:23:07 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2009/09/16 10:23:32 | 00,365,072 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 09:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 08:28:38 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/09/15 09:23:54 | 00,894,136 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/09/05 11:49:33 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/07/21 13:34:33 | 00,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/07/09 23:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/07/08 19:22:22 | 00,068,112 | ---- | M] (McAfee) -- C:\Program Files\McAfee\MBK\MBackMonitor.exe -- (MBackMonitor)
SRV - [2009/07/08 10:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 18:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2009/06/17 12:49:44 | 00,616,408 | ---- | M] () -- C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe -- (AntiSpywareService)
SRV - [2009/05/13 15:48:22 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2008/07/29 20:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0)
SRV - [2008/07/29 18:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc)
SRV - [2008/07/29 18:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2008/07/25 10:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/07/25 10:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state)
SRV - [2008/05/02 11:40:34 | 00,398,704 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Common Files\supportsoft\bin\ssrc.exe -- (SupportSoft RemoteAssist)
SRV - [2008/05/02 11:40:34 | 00,148,768 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\providerComcast\bin\tgsrvc.exe -- (tgsrvc_providercomcast)
SRV - [2008/04/13 19:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll -- (helpsvc)
SRV - [2008/04/13 19:11:55 | 00,028,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\irmon.dll -- (Irmon)
SRV - [2008/02/19 13:10:24 | 00,504,104 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2007/10/31 14:09:16 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2007/09/26 12:55:04 | 00,283,912 | ---- | M] (CA, Inc.) -- C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe -- (ITMRTSVC)
SRV - [2007/08/09 02:27:52 | 00,073,728 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2006/11/03 18:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc)
SRV - [2004/10/22 03:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2003/12/01 15:27:00 | 00,053,248 | ---- | M] (GEAR Software) -- C:\WINDOWS\system32\gearsec.exe -- (gearsec)


========== Driver Services (SafeList) ==========

DRV - [2009/11/10 18:13:45 | 00,360,584 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2009/10/20 19:23:36 | 00,333,192 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/10/20 19:23:34 | 00,028,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/09/16 09:22:48 | 00,214,664 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/09/16 09:22:48 | 00,079,816 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/09/16 09:22:48 | 00,040,552 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 09:22:48 | 00,035,272 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 09:22:14 | 00,034,248 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/07/28 15:33:56 | 00,055,656 | ---- | M] (Avira GmbH) -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/07/16 11:32:26 | 00,120,136 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2009/05/11 09:12:24 | 00,028,520 | ---- | M] (Avira GmbH) -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/03/30 09:33:07 | 00,096,104 | ---- | M] (Avira GmbH) -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2009/02/13 11:35:05 | 00,011,608 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2008/12/02 06:05:34 | 00,118,656 | ---- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2008/04/13 13:40:30 | 00,096,512 | ---- | M] () -- C:\WINDOWS\system32\DRIVERS\atapi.sys -- (atapi)
DRV - [2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/10/31 14:09:14 | 00,030,464 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\system32\drivers\usbaapl.sys -- (USBAAPL)
DRV - [2006/09/19 14:44:04 | 00,015,664 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2006/06/09 22:58:22 | 01,373,120 | ---- | M] (C-Media Inc) -- C:\WINDOWS\system32\drivers\cmuda.sys -- (cmuda)
DRV - [2005/09/19 22:00:54 | 01,302,332 | R--- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm)
DRV - [2005/03/07 23:43:27 | 00,021,744 | R--- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12)
DRV - [2005/03/07 23:43:26 | 00,016,496 | R--- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12)
DRV - [2005/03/07 23:43:25 | 00,051,120 | R--- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZid412.sys -- (HPZid412)
DRV - [2005/01/26 02:03:00 | 00,020,576 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2004/08/04 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/08/03 17:31:34 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139)
DRV - [2003/09/19 15:47:24 | 00,010,368 | ---- | M] (Padus, Inc.) -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2001/08/17 08:51:32 | 00,018,688 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\irsir.sys -- (irsir)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=iesearch
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=iesearch
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>



IE - HKU\S-1-5-21-2798751602-3604470327-847386435-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-2798751602-3604470327-847386435-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-2798751602-3604470327-847386435-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=iesearch
IE - HKU\S-1-5-21-2798751602-3604470327-847386435-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-2798751602-3604470327-847386435-1004\..\URLSearchHook: - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-2798751602-3604470327-847386435-1004\S-1-5-21-2798751602-3604470327-847386435-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2798751602-3604470327-847386435-1004\S-1-5-21-2798751602-3604470327-847386435-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/07/19 09:18:37 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/09/05 11:49:34 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{626D90CC-D637-4636-910B-6519718A5ACD}: C:\Documents and Settings\OEM Preinstall\Local Settings\Application Data\{626D90CC-D637-4636-910B-6519718A5ACD} [2009/10/16 19:14:40 | 00,000,000 | ---D | M]

[2009/09/05 11:52:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\OEM Preinstall\Application Data\Mozilla\Extensions
[2009/09/05 11:52:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\OEM Preinstall\Application Data\Mozilla\Extensions\mozswing@mozswing.org

O1 HOSTS File: (27 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Comcast Toolbar) - {79CEEA4E-C231-4614-9E3B-53B2A02F39B7} - C:\Program Files\comcasttb\comcastdx.dll ()
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-2798751602-3604470327-847386435-1004\..\Toolbar\WebBrowser: (no name) - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No CLSID value found.
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [FBSearch] C:\Program Files\Search Guard Plus\SearchGuardPlus.exe ()
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\hpwuSchd2.exe (Hewlett-Packard)
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (Cyberlink Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-2798751602-3604470327-847386435-1004..\Run: [ComcastAntispyClient] C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe ()
O4 - HKU\S-1-5-21-2798751602-3604470327-847386435-1004..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe (Nikon Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2798751602-3604470327-847386435-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2798751602-3604470327-847386435-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-2798751602-3604470327-847386435-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-2798751602-3604470327-847386435-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-2798751602-3604470327-847386435-1004_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/e/4.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1173923867318 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_10)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_11)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe (Virtools WebPlayer Class)
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} http://download.mcafee.com/molbin/iss-loc/...476/mcfscan.cab (McFreeScan Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.71.230 68.87.73.246
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/10/13 03:48:06 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/11/13 09:48:52 | 00,529,408 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\OEM Preinstall\Desktop\OTL.exe
[2009/10/28 20:38:37 | 00,195,440 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2009/10/28 20:37:56 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Defender
[2009/10/27 20:25:20 | 00,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\OEM Preinstall\Desktop\HijackThis.exe
[2009/10/27 20:25:02 | 00,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\OEM Preinstall\Desktop\HijackThisInstaller.exe
[2009/10/27 20:19:09 | 14,827,320 | ---- | C] (Doctor Web, Ltd.) -- C:\Documents and Settings\OEM Preinstall\Desktop\6m3ze36z.exe
[2009/10/25 12:32:43 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\OEM Preinstall\Desktop\RootRepeal.exe
[2009/10/25 11:03:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\OEM Preinstall\Application Data\Malwarebytes
[2009/10/25 11:03:27 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/10/25 11:03:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/10/25 11:03:23 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/10/25 11:03:21 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/10/25 11:02:23 | 04,045,528 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\OEM Preinstall\Desktop\mbam-setup.exe
[2009/10/24 20:37:48 | 00,050,176 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\proquota.exe
[2009/10/24 20:37:48 | 00,050,176 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\proquota.exe
[2009/10/24 20:26:44 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/10/24 20:25:15 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/10/24 20:25:14 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/10/24 20:25:14 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/10/24 20:25:14 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/10/24 20:25:01 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/10/24 20:15:11 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/10/24 16:26:33 | 00,096,104 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2009/10/24 16:26:33 | 00,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2009/10/24 16:26:32 | 00,055,656 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2009/10/24 16:26:32 | 00,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2009/10/24 16:26:32 | 00,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2009/10/24 16:26:19 | 00,000,000 | ---D | C] -- C:\Program Files\Avira
[2009/10/24 16:26:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2009/10/23 21:09:14 | 09,426,368 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\OEM Preinstall\Desktop\windows-kb890830-x64-v3.0.exe
[2009/10/21 06:34:10 | 26,768,832 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/10/20 19:23:56 | 00,000,000 | ---D | C] -- C:\$AVG
[2009/10/20 19:23:42 | 00,360,584 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/10/20 19:23:42 | 00,012,464 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/10/20 19:23:35 | 00,333,192 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/10/20 19:23:34 | 00,028,424 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/10/20 19:23:20 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\Avg
[2009/10/20 19:23:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg9
[2009/10/20 19:21:21 | 00,000,000 | ---D | C] -- C:\Program Files\AVG
[2009/10/16 19:14:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\OEM Preinstall\Local Settings\Application Data\{626D90CC-D637-4636-910B-6519718A5ACD}
[2005/05/11 23:36:48 | 00,012,288 | ---- | C] (Hewlett-Packard Co.) -- C:\WINDOWS\Fonts\RandFont.dll
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/11/13 09:49:08 | 00,529,408 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\OEM Preinstall\Desktop\OTL.exe
[2009/11/13 08:33:41 | 45,044,607 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/11/13 08:33:11 | 00,089,584 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/11/13 08:29:08 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/11/13 08:28:33 | 00,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/11/13 08:28:07 | 00,021,043 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2009/11/13 08:27:33 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/11/13 08:27:25 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/11/13 08:27:24 | 00,153,176 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/11/12 21:17:35 | 00,000,219 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2009/11/12 21:14:52 | 03,932,160 | -H-- | M] () -- C:\Documents and Settings\OEM Preinstall\NTUSER.DAT
[2009/11/12 21:14:52 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\OEM Preinstall\ntuser.ini
[2009/11/10 19:01:03 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/11/10 18:13:45 | 00,360,584 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/11/05 12:36:21 | 26,768,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/11/04 20:04:38 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/11/01 09:01:40 | 00,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2009/11/01 08:56:38 | 00,550,988 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/11/01 08:56:38 | 00,462,168 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/11/01 08:56:38 | 00,078,114 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/10/30 20:37:48 | 00,523,776 | ---- | M] () -- C:\Documents and Settings\OEM Preinstall\Desktop\dds.scr
[2009/10/27 20:25:24 | 00,401,720 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\OEM Preinstall\Desktop\HijackThis.exe
[2009/10/27 20:25:07 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\OEM Preinstall\Desktop\HijackThisInstaller.exe
[2009/10/27 20:19:11 | 14,827,320 | ---- | M] (Doctor Web, Ltd.) -- C:\Documents and Settings\OEM Preinstall\Desktop\6m3ze36z.exe
[2009/10/25 14:06:45 | 00,001,106 | ---- | M] () -- C:\Documents and Settings\OEM Preinstall\Desktop\AVG.csv
[2009/10/25 12:34:27 | 00,000,111 | ---- | M] () -- C:\Documents and Settings\OEM Preinstall\default.pls
[2009/10/25 12:34:17 | 00,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/10/25 12:33:02 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\OEM Preinstall\Desktop\settings.dat
[2009/10/25 12:33:00 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\OEM Preinstall\Desktop\RootRepeal.exe
[2009/10/25 11:03:31 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/10/25 11:02:42 | 04,045,528 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\OEM Preinstall\Desktop\mbam-setup.exe
[2009/10/24 20:44:50 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/10/24 20:44:13 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/10/24 20:26:55 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/10/24 16:26:58 | 00,001,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2009/10/24 16:23:03 | 33,961,728 | ---- | M] () -- C:\Documents and Settings\OEM Preinstall\Desktop\avira_antivir_personal_en.exe
[2009/10/23 21:09:15 | 09,426,368 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\OEM Preinstall\Desktop\windows-kb890830-x64-v3.0.exe
[2009/10/22 19:02:04 | 00,000,769 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/10/22 18:55:28 | 00,744,853 | ---- | M] () -- C:\Documents and Settings\OEM Preinstall\Desktop\PAVARK.exe
[2009/10/22 06:11:57 | 00,000,000 | ---- | M] () -- C:\WINDOWS\Dtiluxeruxil.bin
[2009/10/22 04:19:04 | 05,939,712 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mshtml.dll
[2009/10/22 04:19:04 | 05,939,712 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[2009/10/21 06:12:12 | 00,000,120 | ---- | M] () -- C:\WINDOWS\Isojalepinub.dat
[2009/10/20 21:19:35 | 00,011,168 | -H-- | M] () -- C:\WINDOWS\System32\gojosose
[2009/10/20 19:23:42 | 00,012,464 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/10/20 19:23:42 | 00,001,507 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 9.0.lnk
[2009/10/20 19:23:36 | 00,333,192 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/10/20 19:23:34 | 00,113,461 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2009/10/20 19:23:34 | 00,028,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/10/20 19:23:21 | 06,061,540 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/10/20 19:23:21 | 00,492,629 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/11/01 09:01:40 | 00,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2009/11/01 09:01:38 | 00,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2009/10/30 20:37:19 | 00,523,776 | ---- | C] () -- C:\Documents and Settings\OEM Preinstall\Desktop\dds.scr
[2009/10/25 14:06:45 | 00,001,106 | ---- | C] () -- C:\Documents and Settings\OEM Preinstall\Desktop\AVG.csv
[2009/10/25 12:33:02 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\OEM Preinstall\Desktop\settings.dat
[2009/10/25 11:03:31 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/10/24 20:26:55 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/10/24 20:26:48 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/10/24 20:25:14 | 00,236,544 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/10/24 20:25:14 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/10/24 20:25:14 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/10/24 20:25:14 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/10/24 16:26:57 | 00,001,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2009/10/24 16:22:49 | 33,961,728 | ---- | C] () -- C:\Documents and Settings\OEM Preinstall\Desktop\avira_antivir_personal_en.exe
[2009/10/22 18:54:42 | 00,744,853 | ---- | C] () -- C:\Documents and Settings\OEM Preinstall\Desktop\PAVARK.exe
[2009/10/20 19:23:42 | 00,001,507 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 9.0.lnk
[2009/10/20 19:23:34 | 00,113,461 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2009/10/20 19:23:21 | 45,044,607 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/10/20 19:23:21 | 00,492,629 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/10/20 19:23:21 | 00,089,584 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/10/20 19:23:20 | 06,061,540 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/10/16 19:14:56 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Dtiluxeruxil.bin
[2009/10/16 19:14:50 | 00,000,120 | ---- | C] () -- C:\WINDOWS\Isojalepinub.dat
[2009/10/03 14:00:17 | 00,019,486 | ---- | C] () -- C:\Documents and Settings\OEM Preinstall\Application Data\hylahale.db
[2009/10/03 14:00:17 | 00,016,460 | ---- | C] () -- C:\Documents and Settings\OEM Preinstall\Local Settings\Application Data\zali.db
[2009/10/03 14:00:17 | 00,014,959 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\pici.dat
[2009/10/03 10:15:14 | 00,018,844 | ---- | C] () -- C:\Documents and Settings\OEM Preinstall\Local Settings\Application Data\ikogexido.dat
[2009/10/03 10:15:14 | 00,016,809 | ---- | C] () -- C:\Documents and Settings\OEM Preinstall\Local Settings\Application Data\zizo.db
[2009/10/03 08:41:37 | 00,015,717 | ---- | C] () -- C:\Documents and Settings\OEM Preinstall\Local Settings\Application Data\taxubog.db
[2009/10/03 08:41:37 | 00,015,046 | ---- | C] () -- C:\Documents and Settings\OEM Preinstall\Local Settings\Application Data\tywokesyxa.dat
[2009/10/03 08:41:37 | 00,014,596 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hunax.dat
[2009/06/25 14:11:19 | 00,000,000 | ---- | C] () -- C:\WINDOWS\hpqEmlSz.INI
[2009/06/10 11:04:17 | 00,002,180 | ---- | C] () -- C:\Documents and Settings\OEM Preinstall\Application Data\HPSU_48BitScanUpdate.log
[2009/06/10 11:04:17 | 00,000,214 | ---- | C] () -- C:\WINDOWS\HP_48BitScanUpdatePatch.ini
[2009/06/10 10:54:40 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\OEM Preinstall\Application Data\HelpFilesUpdatePatch_HELPFILEREPLACE.log
[2009/06/10 10:54:39 | 00,000,373 | ---- | C] () -- C:\Documents and Settings\OEM Preinstall\Application Data\HelpFilesUpdatePatch_PRINTHELPWRAPPER.log
[2009/06/10 10:54:39 | 00,000,234 | ---- | C] () -- C:\WINDOWS\PrnHlpLogConfig.ini
[2009/06/10 10:47:08 | 00,002,997 | ---- | C] () -- C:\Documents and Settings\OEM Preinstall\Application Data\PatchUpdate_InstantShareJPG.log
[2009/06/10 10:47:08 | 00,000,214 | ---- | C] () -- C:\WINDOWS\HP_InstantSHareJPG.ini
[2009/06/10 10:45:32 | 00,003,840 | ---- | C] () -- C:\Documents and Settings\OEM Preinstall\Application Data\PatchUpdate_IZClosingDiscError.log
[2009/06/10 10:45:32 | 00,000,217 | ---- | C] () -- C:\WINDOWS\HP_IZClosingDiscErrorPatch.ini
[2009/06/10 10:44:23 | 00,035,690 | ---- | C] () -- C:\Documents and Settings\OEM Preinstall\Application Data\Update_HP_RedboxHprblog_HPSU.log
[2009/06/10 10:44:23 | 00,000,221 | ---- | C] () -- C:\WINDOWS\HP_RedboxHprblog_HPSU.ini
[2009/05/13 21:08:28 | 00,000,219 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/05/13 10:25:00 | 00,000,122 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2008/11/12 20:10:39 | 00,018,785 | ---- | C] () -- C:\Documents and Settings\OEM Preinstall\Application Data\rimamoto.com
[2008/11/12 20:10:39 | 00,018,079 | ---- | C] () -- C:\Documents and Settings\OEM Preinstall\Local Settings\Application Data\eseqazane.pif
[2008/11/12 20:10:39 | 00,015,570 | ---- | C] () -- C:\WINDOWS\System32\zoseget.sys
[2008/11/12 20:10:39 | 00,014,561 | ---- | C] () -- C:\WINDOWS\System32\jisa.dll
[2008/11/12 20:10:39 | 00,014,466 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ihuqopu._sy
[2008/11/12 20:10:39 | 00,012,110 | ---- | C] () -- C:\Documents and Settings\OEM Preinstall\Application Data\igapopux.com
[2008/11/12 18:48:11 | 00,019,157 | ---- | C] () -- C:\Program Files\Common Files\kogu.lib
[2008/11/12 18:48:11 | 00,017,933 | ---- | C] () -- C:\Program Files\Common Files\dugiby.com
[2008/11/12 18:48:11 | 00,016,879 | ---- | C] () -- C:\Documents and Settings\OEM Preinstall\Local Settings\Application Data\tesawiko.db
[2008/11/12 18:48:11 | 00,015,467 | ---- | C] () -- C:\Program Files\Common Files\yvijexyrek.db
[2008/11/12 18:48:11 | 00,014,117 | ---- | C] () -- C:\Documents and Settings\OEM Preinstall\Application Data\zoxu.pif
[2008/11/12 18:48:11 | 00,012,710 | ---- | C] () -- C:\Program Files\Common Files\jotuvexo.sys
[2008/11/12 18:37:52 | 00,019,307 | ---- | C] () -- C:\Documents and Settings\OEM Preinstall\Local Settings\Application Data\dybadose.pif
[2008/11/12 18:37:52 | 00,018,148 | ---- | C] () -- C:\Documents and Settings\OEM Preinstall\Local Settings\Application Data\ykopufax.sys
[2008/11/12 18:37:52 | 00,017,671 | ---- | C] () -- C:\Documents and Settings\OEM Preinstall\Application Data\kyhugalily._dl
[2008/11/12 18:37:52 | 00,014,039 | ---- | C] () -- C:\Documents and Settings\OEM Preinstall\Local Settings\Application Data\piwisi.dat
[2008/11/12 18:37:52 | 00,010,083 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\tycanezaxo.sys
[2008/02/04 18:23:10 | 00,693,792 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2007/12/30 18:20:18 | 00,004,561 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/09/27 10:51:02 | 00,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 00,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 00,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/09/15 20:13:20 | 00,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2007/06/09 14:30:24 | 00,001,055 | ---- | C] () -- C:\Documents and Settings\OEM Preinstall\Application Data\Hewlett-PackardHP Officejet 5600 series1171590213_PROTOCOL.log
[2007/06/09 14:30:24 | 00,000,699 | ---- | C] () -- C:\Documents and Settings\OEM Preinstall\Application Data\Hewlett-PackardHP Officejet 5600 series1171590213_UI.log
[2007/06/09 14:30:24 | 00,000,221 | ---- | C] () -- C:\WINDOWS\NCLogConfig.ini
[2007/06/09 14:30:24 | 00,000,113 | ---- | C] () -- C:\Documents and Settings\OEM Preinstall\Application Data\Hewlett-PackardHP Officejet 5600 series1171590213_API.log
[2007/03/01 20:23:21 | 00,000,021 | ---- | C] () -- C:\WINDOWS\CS_SETUP.ini
[2007/02/15 20:53:06 | 00,000,137 | ---- | C] () -- C:\Documents and Settings\OEM Preinstall\Local Settings\Application Data\fusioncache.dat
[2007/02/15 20:28:21 | 00,000,745 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2007/02/10 17:19:58 | 00,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/02/10 16:21:19 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/02/07 23:56:15 | 00,005,120 | ---- | C] () -- C:\Documents and Settings\OEM Preinstall\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/01/16 01:35:20 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/10/13 04:12:21 | 00,032,104 | ---- | C] () -- C:\Documents and Settings\OEM Preinstall\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2006/10/13 04:01:11 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\cmirmdrv.dll
[2006/10/13 04:01:04 | 00,000,092 | ---- | C] () -- C:\WINDOWS\CMISETUP.INI
[2006/10/13 04:01:04 | 00,000,026 | ---- | C] () -- C:\WINDOWS\CMCDPLAY.INI
[2006/10/13 04:01:02 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Wininit.ini
[2006/10/13 04:00:56 | 00,028,672 | ---- | C] () -- C:\WINDOWS\CMIRmDriver.dll
[2006/10/13 03:57:54 | 04,809,206 | -H-- | C] () -- C:\Documents and Settings\OEM Preinstall\Local Settings\Application Data\IconCache.db
[2006/10/13 03:55:37 | 00,004,033 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2006/10/13 03:55:34 | 00,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2006/10/13 03:54:34 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\OEM Preinstall\Application Data\desktop.ini
[2006/10/12 23:19:54 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2006/06/29 13:58:52 | 00,030,808 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont
[2006/06/29 13:53:56 | 00,026,489 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 14:39:28 | 00,029,779 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/04/18 14:39:28 | 00,026,040 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2004/08/04 07:00:00 | 00,096,512 | ---- | C] () -- C:\WINDOWS\System32\drivers\atapi.sys
[2004/08/04 07:00:00 | 00,000,769 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/04 07:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2001/07/06 15:30:00 | 00,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[1999/01/22 13:46:58 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== Alternate Data Streams ==========

@Alternate Data Stream - 20 bytes -> C:\Documents and Settings\OEM Preinstall\Desktop\PAVARK.exe:License
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2B99FE60
< End of report >



OTL Extras logfile created on: 11/13/2009 10:50:51 AM - Run 1
OTL by OldTimer - Version 3.1.5.0 Folder = C:\Documents and Settings\OEM Preinstall\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.79 Mb Total Physical Memory | 469.09 Mb Available Physical Memory | 46.23% Memory free
2.39 Gb Paging File | 1.68 Gb Available in Paging File | 70.39% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 132.71 Gb Free Space | 89.04% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OEM-2568CCEBA0B
Current User Name: OEM Preinstall
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- "%SYSTEMROOT%\hh.exe" %1
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1 File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" File not found

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UpdatesDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe -- ()
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe -- ()
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe -- ( )
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Co.)
"C:\StubInstaller.exe" = C:\StubInstaller.exe:*:Enabled:LimeWire swarmed installer -- (LimeWire)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)
"C:\Program Files\McAfee\VirusScan\mcvsmap.exe" = C:\Program Files\McAfee\VirusScan\mcvsmap.exe:*:Enabled:mcvsmap -- (McAfee, Inc.)
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00010409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Professional
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{03B1B42B-F6DE-41d9-8CFF-DC44E895C7A7}" = PhotoGallery
"{0611BD4E-4FE4-4a62-B0C0-18A4CC463428}" = CP_Package_Variety1
"{08D2F839-A9FD-4F5A-A529-D45FF6E238A3}" = OpenOffice.org 2.0
"{09984AEC-6B9F-4ca7-B78D-CB44D4771DA3}" = Destinations
"{0B33B738-AD79-4E32-90C5-E67BFB10BBFF}" = AiO_Scan
"{172975EB-9465-4861-95B5-C7BB6D3DE62A}" = DocumentViewer
"{1C139D7D-9FEA-468d-A9C8-2A6E3BDE564A}" = CP_Package_Variety3
"{21DB3D90-D816-4092-A260-CA3F6B55A6DD}" = Sonic_PrimoSDK
"{23A7B376-BBEC-4e76-BBD7-0F155E70D74B}" = CP_Panorama1Config
"{2466E904-7E48-4597-9321-722CF02930EB}" = 5600
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 11
"{2CADCEAB-D5DA-44D6-B5FC-7DEE87AB3C0C}" = Unload
"{30C19FF2-7FBA-4d09-B9DE-1659977F64F6}" = TrayApp
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10
"{3248F0A8-6813-11D6-A77B-00B0D0150110}" = J2SE Runtime Environment 5.0 Update 11
"{32BDCCB8-9DC8-496d-9DB1-F77510775BDB}" = InstantShareDevices
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36E47DA1-10E1-45d9-8B19-14D19607CDCF}" = CP_CalendarTemplates1
"{36FDBE6E-6684-462B-AE98-9A39A1B200CC}" = HP Product Assistant
"{3CCB26F5-E2A7-4C91-8340-9149D7B7C2BE}" = Virtual Earth 3D (Beta)
"{44734179-8A79-4DEE-BB08-73037F065543}" = Apple Mobile Device Support
"{53EE9E42-CECB-4C92-BF76-9CA65DAF8F1C}" = FullDPAppQFolder
"{54E3707F-808E-4fd4-95C9-15D1AB077E5D}" = NewCopy
"{56EE8B17-8274-418d-89AC-C057C5DB251E}" = RandMap
"{56F8AFC3-FA98-4ff1-9673-8A026CBF85BE}" = WebReg
"{5A01C58E-B0EC-49b9-AD71-7C0468688087}" = CP_Package_Basic1
"{5B79CFD1-6845-4158-9D7D-6BE89DF2C135}" = HP PSC & OfficeJet 5.3.B
"{5F26311C-B135-4F7F-B11E-8E650F83651E}" = DeviceFunctionQFolder
"{66BA8C26-AFE4-4408-807B-43E76B57EF53}" = SkinsHP1
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6BB6627C-694F-4FDC-A3E5-C7F4BED4C724}" = DocProc
"{7850A6D2-CBEA-4728-9877-F1BEDEA9F619}" = AiOSoftware
"{7C03270C-4FAB-4F5C-B10D-52FEDA190790}" = DocumentViewerQFolder
"{7C9B95B7-B598-4398-B30F-7F6827192E6C}" = ProductContext
"{7E27304E-BAA2-4d90-A34E-76641FAFABB4}" = CP_AtenaShokunin1Config
"{7E4BEB77-BEA9-4544-AB74-06EDE6CE3D39}" = Comcast User Setup
"{80FD852F-5AAC-4129-B931-06AAFFA43138}" = iTunes
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{923A7F5A-1E8C-4FBE-8DF6-85940A60A79F}" = Readme
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BB69D0F-1369-4DBD-99A9-1BC228ED1033}" = Nero 7 Essentials
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A195B13E-A5E3-4BAF-A995-7F70F445CD06}" = ScannerCopy
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5BB5365-EFB4-44c3-A7E2-EB59B7EFD23D}" = CueTour
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{B4D279F1-4309-49cc-A4B5-3A0D2E59C7B5}" = PanoStandAlone
"{B824B5C9-849F-4b9e-9EA7-6FD8CD8116DA}" = CP_Package_Variety2
"{B996AE66-10DB-4ac5-B151-E8B4BFBC42FC}" = BufferChm
"{BFD5AC8A-5884-4da8-9873-3DF8E3DCCE18}" = 5600Trb
"{BFD96B89-B769-4CD6-B11E-E79FFD46F067}" = QuickTime
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C506A18C-1469-4678-B094-F4EC9DAE6DB7}" = Scan
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC7984C5-020D-4944-85A0-58D09D4A8BFB}" = 5600_Help
"{CE24344F-DFD8-40C8-8FD8-C9740B5F25AC}" = Fax
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}" = Nikon Message Center
"{D3C97899-3890-43DB-AA0C-D91A84FA7787}" = Avery Wizard 3.1
"{E3F90083-80D4-4b5a-87C7-E97E12F5516D}" = HPProductAssistant
"{EA103B64-C0E4-4C0E-A506-751590E1653D}" = SolutionCenter
"{EE7C3A14-1D20-49F6-B903-491561076F0F}" = ArcSoft Software Suite
"{F05A5232-CE5E-4274-AB27-44EB8105898D}" = CA Pest Patrol Realtime Protection
"{F4C2E5F5-2970-45f4-ABD3-C180C4D961C4}" = Status
"{F7DA5EBC-D7C6-45A3-AB36-1DEA3E6801B4}" = MixMeister Express 6
"{FE57DE70-95DE-4B64-9266-84DA811053DB}" = HP Update
"{FF3999BE-1A7B-4738-88AA-97BF14094A4A}" = PictureProject
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player
"AVG9Uninstall" = AVG Free 9.0
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"C-Media Audio" = C-Media 3D Audio
"C-Media Audio Driver" = C-Media WDM Audio Driver
"comcasttb" = Comcast Toolbar 3.0
"Coupon Printer for Windows4.0" = Coupon Printer for Windows
"HP Document Viewer" = HP Document Viewer 5.3
"HP Imaging Device Functions" = HP Imaging Device Functions 5.3
"HP Photo & Imaging" = HP Image Zone 5.3
"HP Solution Center & Imaging Support Tools" = HP Solution Center & Imaging Support Tools 5.3
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{D3C97899-3890-43DB-AA0C-D91A84FA7787}" = Avery Wizard 3.1
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MixMeister BPM Analyzer_is1" = MixMeister BPM Analyzer 1.0
"MSC" = McAfee SecurityCenter
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"TBSB07183.TBSB07183Toolbar" = Fast Browser Search (My Web Tattoo)
"Virtools3DLifePlayer" = Virtools 3D Life Player
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinGimp-2.0_is1" = The GIMP 2.2.17
"WinGTK-2_is1" = GTK+ 2.10.13 runtime environment
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2798751602-3604470327-847386435-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/1/2009 1:52:59 PM | Computer Name = OEM-2568CCEBA0B | Source = ESENT | ID = 485
Description = svchost (1140) An attempt to delete the file "C:\WINDOWS\system32\CatRoot2\tmp.edb"
failed with system error 5 (0x00000005): "Access is denied. ". The delete file
operation will fail with error -1032 (0xfffffbf8).

Error - 11/1/2009 1:52:59 PM | Computer Name = OEM-2568CCEBA0B | Source = ESENT | ID = 485
Description = svchost (1140) An attempt to delete the file "C:\WINDOWS\system32\CatRoot2\tmp.edb"
failed with system error 5 (0x00000005): "Access is denied. ". The delete file
operation will fail with error -1032 (0xfffffbf8).

Error - 11/1/2009 1:53:00 PM | Computer Name = OEM-2568CCEBA0B | Source = ESENT | ID = 490
Description = svchost (1140) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\tmp.edb"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 11/1/2009 1:53:00 PM | Computer Name = OEM-2568CCEBA0B | Source = ESENT | ID = 439
Description = Catalog Database (1140) Unable to write a shadowed header for file
C:\WINDOWS\system32\CatRoot2\tmp.edb. Error -1032.

Error - 11/1/2009 1:53:02 PM | Computer Name = OEM-2568CCEBA0B | Source = ESENT | ID = 485
Description = svchost (1140) An attempt to delete the file "C:\WINDOWS\system32\CatRoot2\tmp.edb"
failed with system error 5 (0x00000005): "Access is denied. ". The delete file
operation will fail with error -1032 (0xfffffbf8).

Error - 11/1/2009 1:53:03 PM | Computer Name = OEM-2568CCEBA0B | Source = ESENT | ID = 490
Description = svchost (1140) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\tmp.edb"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 11/1/2009 1:53:03 PM | Computer Name = OEM-2568CCEBA0B | Source = ESENT | ID = 439
Description = Catalog Database (1140) Unable to write a shadowed header for file
C:\WINDOWS\system32\CatRoot2\tmp.edb. Error -1032.

Error - 11/1/2009 2:41:25 PM | Computer Name = OEM-2568CCEBA0B | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 11/4/2009 8:57:06 PM | Computer Name = OEM-2568CCEBA0B | Source = ESENT | ID = 490
Description = svchost (1140) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 11/13/2009 10:38:45 AM | Computer Name = OEM-2568CCEBA0B | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 11/1/2009 1:40:06 PM | Computer Name = OEM-2568CCEBA0B | Source = Service Control Manager | ID = 7023
Description = The USBDriver service terminated with the following error: %%126

Error - 11/1/2009 1:52:40 PM | Computer Name = OEM-2568CCEBA0B | Source = Service Control Manager | ID = 7023
Description = The USBDriver service terminated with the following error: %%126

Error - 11/4/2009 8:29:21 PM | Computer Name = OEM-2568CCEBA0B | Source = Service Control Manager | ID = 7023
Description = The USBDriver service terminated with the following error: %%126

Error - 11/4/2009 8:56:42 PM | Computer Name = OEM-2568CCEBA0B | Source = Service Control Manager | ID = 7023
Description = The USBDriver service terminated with the following error: %%126

Error - 11/6/2009 9:42:03 PM | Computer Name = OEM-2568CCEBA0B | Source = Service Control Manager | ID = 7023
Description = The USBDriver service terminated with the following error: %%126

Error - 11/10/2009 7:06:28 PM | Computer Name = OEM-2568CCEBA0B | Source = Service Control Manager | ID = 7023
Description = The USBDriver service terminated with the following error: %%126

Error - 11/10/2009 7:08:52 PM | Computer Name = OEM-2568CCEBA0B | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM
Service service to connect.

Error - 11/10/2009 7:08:53 PM | Computer Name = OEM-2568CCEBA0B | Source = Service Control Manager | ID = 7000
Description = The IMAPI CD-Burning COM Service service failed to start due to the
following error: %%1053

Error - 11/12/2009 7:29:23 PM | Computer Name = OEM-2568CCEBA0B | Source = Service Control Manager | ID = 7023
Description = The USBDriver service terminated with the following error: %%126

Error - 11/13/2009 9:27:51 AM | Computer Name = OEM-2568CCEBA0B | Source = Service Control Manager | ID = 7023
Description = The USBDriver service terminated with the following error: %%126


< End of report >
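The "Files Created" listing in the OTL log above shows the pattern a helper looks for first: a cluster of files written in the same second (2008/11/12 20:10:39 and two earlier bursts), with pronounceable random names, executable or disguised extensions (.com, .pif, .sys, .dll, ._sy, ._dl), and scattered across user-writable and system directories. The following script is an added example, not part of the thread and not OTL or ComboFix code. It parses OTL file-creation lines and flags such bursts. The burst heuristic (threshold values, the "random-looking stem" regex, the treatment of `._sy`-style extensions as disguised) is this example's own assumption, not a rule OTL applies; the sample input is a handful of lines copied from the log above plus three benign lines, embedded as a constructed test set.

```python
"""
Flag dropper-style file bursts in an OTL "Files Created" listing.

Added example for the forum log above; not OTL or ComboFix code. The
heuristic (same creation second, several files, random-looking stems,
executable or disguised extensions, at least one user-writable location)
is an assumption of this example, not something OTL reports itself.
"""
import re
from collections import defaultdict

# OTL line format: [yyyy/mm/dd hh:mm:ss | size | attrs | C] () -- path
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Za-z]{4}) \| C\] \(\) -- (?P<path>.+)$"
)

EXEC_EXTS = {".exe", ".com", ".pif", ".scr", ".sys", ".dll", ".bat", ".cmd"}
USER_WRITABLE = ("\\documents and settings\\", "\\program files\\common files\\")

# Constructed sample: lines copied from the OTL log in this thread plus
# benign HP patch-log and Windows-install lines as negative cases.
SAMPLE = """\
[2009/06/10 10:47:08 | 00,002,997 | ---- | C] () -- C:\\Documents and Settings\\OEM Preinstall\\Application Data\\PatchUpdate_InstantShareJPG.log
[2009/06/10 10:47:08 | 00,000,214 | ---- | C] () -- C:\\WINDOWS\\HP_InstantSHareJPG.ini
[2008/11/12 20:10:39 | 00,018,785 | ---- | C] () -- C:\\Documents and Settings\\OEM Preinstall\\Application Data\\rimamoto.com
[2008/11/12 20:10:39 | 00,018,079 | ---- | C] () -- C:\\Documents and Settings\\OEM Preinstall\\Local Settings\\Application Data\\eseqazane.pif
[2008/11/12 20:10:39 | 00,015,570 | ---- | C] () -- C:\\WINDOWS\\System32\\zoseget.sys
[2008/11/12 20:10:39 | 00,014,561 | ---- | C] () -- C:\\WINDOWS\\System32\\jisa.dll
[2008/11/12 20:10:39 | 00,014,466 | ---- | C] () -- C:\\Documents and Settings\\All Users\\Application Data\\ihuqopu._sy
[2008/11/12 20:10:39 | 00,012,110 | ---- | C] () -- C:\\Documents and Settings\\OEM Preinstall\\Application Data\\igapopux.com
[2004/08/04 07:00:00 | 00,096,512 | ---- | C] () -- C:\\WINDOWS\\System32\\drivers\\atapi.sys
[2004/08/04 07:00:00 | 00,000,769 | ---- | C] () -- C:\\WINDOWS\\win.ini
[2004/08/04 07:00:00 | 00,000,227 | ---- | C] () -- C:\\WINDOWS\\system.ini
"""


def parse_otl(text):
    """Yield (timestamp, path) for every OTL file-creation line; skip the rest."""
    for line in text.splitlines():
        m = OTL_LINE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("path")


def split_path(path):
    """Return (parent_dir, stem, ext) for a Windows path; ext is lowercased."""
    parent, _, name = path.rpartition("\\")
    stem, dot, ext = name.rpartition(".")
    if not dot:
        return parent, name, ""
    return parent, stem, "." + ext.lower()


def looks_dropped(stem, ext):
    """Random-looking all-lowercase stem plus an executable-type extension.
    Extensions such as '._sy' or '._dl' are treated as disguised .sys/.dll
    (this example's assumption)."""
    random_stem = re.fullmatch(r"[a-z]{4,12}", stem) is not None
    exec_like = ext in EXEC_EXTS or ext.startswith("._")
    return random_stem and exec_like


def find_bursts(text, min_files=3, min_dropped=2):
    """Group creations by second and return [(timestamp, [dropped paths])]
    for groups that look like one dropper run: enough files, spread over
    at least two directories, several dropper-like names, and at least one
    file in a user-writable location."""
    by_second = defaultdict(list)
    for ts, path in parse_otl(text):
        by_second[ts].append(path)
    hits = []
    for ts, paths in sorted(by_second.items()):
        if len(paths) < min_files:
            continue
        parents = {split_path(p)[0].lower() for p in paths}
        dropped = [p for p in paths if looks_dropped(*split_path(p)[1:])]
        in_user_dirs = any(u in p.lower() for p in paths for u in USER_WRITABLE)
        if len(parents) >= 2 and len(dropped) >= min_dropped and in_user_dirs:
            hits.append((ts, dropped))
    return hits


if __name__ == "__main__":
    for ts, dropped in find_bursts(SAMPLE):
        print(f"{ts}: {len(dropped)} dropper-like files")
        for p in dropped:
            print("   ", p)
```

Run against the full OTL log the same code will also report the 18:48:11 and 18:37:52 groups, since those mix `.com`/`.pif`/`.sys` names under Common Files and the user profile; the Windows-install group at 2004/08/04 07:00:00 is not reported because only `atapi.sys` has an executable extension and none of those files sit in a user-writable directory. The thresholds are starting points to tune against a clean baseline log, not fixed rules.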

#6 pcourtemanche (Topic Starter, Members, 17 posts)

Posted 13 November 2009 - 11:03 AM

I have downloaded A LOT of virus softwares prior to going to this site for help. When all this is said and done, can you please advise which ones to remove?

Thank you for your help in advance, it is really appreciated.

Paula

#7 myrti (Sillyberry, Malware Study Hall Admin, 33,784 posts, Location: At home)

Posted 13 November 2009 - 07:01 PM

Hi,

I'll be happy to give you some advice. I'm going to address the most urgent one now, and if at any point you have any specific questions, please ask. Otherwise we'll check your PC's software once the malware is removed.
Let's start with the anti virus programs:
I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to Add/Remove Programs in the Control Panel and keep only one of the following: AVG, Avira or McAfee.

Afterwards please run ComboFix to attack the malware issues:
Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#8 pcourtemanche (Topic Starter, Members, 17 posts)

Posted 13 November 2009 - 07:58 PM

Thanks. My only question is that McAfee didn't catch the Pakes-U trojan but AVG did... how do I determine the best one to keep?

#9 pcourtemanche (Topic Starter, Members, 17 posts)

Posted 13 November 2009 - 10:44 PM

ComboFix 09-11-14.01 - OEM Preinstall 11/13/2009 22:22.2.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.519 [GMT -5:00]
Running from: c:\documents and settings\OEM Preinstall\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\OEM Preinstall\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2009-10-14 to 2009-11-14 )))))))))))))))))))))))))))))))
.

2009-11-13 18:15 . 2009-11-13 18:15 143976 ----a-w- c:\documents and settings\OEM Preinstall\Application Data\Move Networks\uninstall.exe
2009-11-13 18:14 . 2009-11-13 18:15 1794456 ----a-w- c:\documents and settings\OEM Preinstall\Application Data\Move Networks\MoveMediaPlayerWin_071701000002.exe
2009-10-29 01:38 . 2009-10-01 14:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-25 16:03 . 2009-10-25 16:03 -------- d-----w- c:\documents and settings\OEM Preinstall\Application Data\Malwarebytes
2009-10-25 16:03 . 2009-10-25 16:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-25 01:37 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-10-25 01:37 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-24 21:26 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-10-21 00:21 . 2009-10-21 00:23 -------- d-----w- c:\program files\AVG
2009-10-17 00:14 . 2009-10-22 11:11 0 ----a-w- c:\windows\Dtiluxeruxil.bin
2009-10-17 00:14 . 2009-10-21 11:12 120 ----a-w- c:\windows\Isojalepinub.dat
2009-10-17 00:14 . 2009-10-17 00:14 -------- d-----w- c:\documents and settings\OEM Preinstall\Local Settings\Application Data\{626D90CC-D637-4636-910B-6519718A5ACD}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-14 03:04 . 2009-05-22 19:49 -------- d-----w- c:\documents and settings\OEM Preinstall\Application Data\CallingID
2009-11-14 02:53 . 2009-01-17 03:19 -------- d-----w- c:\program files\Common Files\Scanner
2009-11-14 02:40 . 2009-04-23 14:36 -------- d-----w- c:\program files\Coupons
2009-11-13 18:16 . 2008-10-25 23:16 -------- d-----w- c:\documents and settings\OEM Preinstall\Application Data\Move Networks
2009-11-13 18:15 . 2009-10-15 00:50 5642688 ----a-w- c:\documents and settings\OEM Preinstall\Application Data\Move Networks\plugins\npqmp071701000002.dll
2009-10-22 01:32 . 2009-04-19 15:29 -------- d-----w- c:\program files\McAfee
2009-10-19 00:09 . 2009-05-22 19:48 -------- d-----w- c:\documents and settings\OEM Preinstall\Application Data\comcasttb
2009-10-18 18:22 . 2009-07-10 22:55 -------- d-----w- c:\program files\Search Guard Plus
2009-10-18 18:22 . 2009-07-10 22:55 -------- d-----w- c:\program files\Search Guard PlusU
2009-10-15 00:50 . 2009-10-15 00:50 97216 ----a-w- c:\documents and settings\OEM Preinstall\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-10-13 23:09 . 2007-08-19 20:54 -------- d-----w- c:\documents and settings\OEM Preinstall\Application Data\gtk-2.0
2009-10-03 19:00 . 2009-10-03 19:00 14959 ----a-w- c:\documents and settings\All Users\Application Data\pici.dat
2009-10-03 18:44 . 2009-10-03 18:44 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-10-03 15:15 . 2009-10-03 15:15 18844 ----a-w- c:\documents and settings\OEM Preinstall\Local Settings\Application Data\ikogexido.dat
2009-10-03 15:15 . 2009-10-03 15:15 12691 ----a-w- c:\windows\mehapawef.com
2009-10-03 13:41 . 2009-10-03 13:41 15046 ----a-w- c:\documents and settings\OEM Preinstall\Local Settings\Application Data\tywokesyxa.dat
2009-10-03 13:41 . 2009-10-03 13:41 14596 ----a-w- c:\documents and settings\All Users\Application Data\hunax.dat
2009-09-20 22:00 . 2009-09-05 16:51 -------- d-----w- c:\documents and settings\OEM Preinstall\Application Data\LimeWire
2009-09-19 01:31 . 2007-02-14 21:46 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-16 14:22 . 2009-04-19 15:30 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2009-04-19 15:30 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2009-04-19 15:30 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2009-04-19 15:30 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2009-04-19 15:30 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18 . 2009-09-11 14:18 136192 ----a-w- c:\windows\system32\SET4E.tmp
2009-09-11 14:18 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-05 16:49 . 2009-09-05 16:49 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-09-05 16:49 . 2009-09-05 16:49 152576 ----a-w- c:\documents and settings\OEM Preinstall\Application Data\Sun\Java\jre1.6.0_11\lzma.dll
2009-09-04 21:03 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-04 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2008-11-12 23:48 . 2008-11-12 23:48 19157 ----a-w- c:\program files\Common Files\kogu.lib
2008-11-12 23:48 . 2008-11-12 23:48 17933 ----a-w- c:\program files\Common Files\dugiby.com
2008-11-12 23:48 . 2008-11-12 23:48 15467 ----a-w- c:\program files\Common Files\yvijexyrek.db
2008-11-12 23:48 . 2008-11-12 23:48 12710 ----a-w- c:\program files\Common Files\jotuvexo.sys
.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2008-04-13 18:40 . 621A6A7D491BD3609FF40510D8437904 . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-10-25_01.44.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-14 02:53 . 2009-11-14 02:53 16384 c:\windows\Temp\Perflib_Perfdata_678.dat
+ 2004-08-04 12:00 . 2009-11-01 13:56 78114 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2009-10-21 11:30 78114 c:\windows\system32\perfc009.dat
- 2006-10-13 08:51 . 2009-10-25 01:05 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-10-13 08:51 . 2009-11-14 03:03 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-10-13 08:51 . 2009-11-14 03:03 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-10-13 08:51 . 2009-10-25 01:05 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-10-13 08:51 . 2009-10-25 01:05 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-10-25 15:13 . 2009-11-14 03:03 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-07-12 04:02 . 2009-07-12 04:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2004-08-04 12:00 . 2009-11-01 13:56 462168 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-10-21 11:30 462168 c:\windows\system32\perfh009.dat
- 2006-10-13 04:17 . 2009-06-10 14:52 153176 c:\windows\system32\FNTCACHE.DAT
+ 2006-10-13 04:17 . 2009-11-13 13:27 153176 c:\windows\system32\FNTCACHE.DAT
+ 2009-10-25 15:57 . 2009-10-25 15:57 195584 c:\windows\Installer\2d8778.msi
+ 2009-11-05 01:04 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976749-IE8\spuninst\updspapi.dll
+ 2009-11-05 01:04 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976749-IE8\spuninst\spuninst.exe
+ 2004-08-04 12:00 . 2009-08-14 13:21 1850624 c:\windows\system32\win32k.sys
+ 2004-08-04 12:00 . 2009-10-22 09:19 5939712 c:\windows\system32\mshtml.dll
+ 2008-10-14 22:13 . 2009-08-14 13:21 1850624 c:\windows\system32\dllcache\win32k.sys
+ 2004-08-04 12:00 . 2009-10-22 09:19 5939712 c:\windows\system32\dllcache\mshtml.dll
+ 2009-11-05 01:04 . 2009-08-29 08:08 5940224 c:\windows\ie8updates\KB976749-IE8\mshtml.dll
+ 2009-10-21 11:34 . 2009-11-05 17:36 26768832 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 307200]
"ComcastAntispyClient"="c:\program files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" [2009-08-19 1589208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-05 136600]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-02-01 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"FBSearch"="c:\program files\Search Guard Plus\SearchGuardPlus.exe" [2009-05-04 194432]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2007-3-1 118784]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsmap.exe"=

R2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [6/17/2009 12:49 PM 616408]
R2 gearsec;gearsec;c:\windows\system32\gearsec.exe [12/1/2003 3:27 PM 53248]
R2 tgsrvc_providercomcast;SupportSoft Repair Service (providercomcast);c:\program files\providerComcast\bin\tgsrvc.exe [5/2/2008 11:40 AM 148768]
S2 cfgmhrmimqi;cfgmhrmimqi;\??\c:\windows\system32\drivers\oexswureoxbnfi.sys --> c:\windows\system32\drivers\oexswureoxbnfi.sys [?]
S2 USBDriver;USBDriver;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - PROCEXP113

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
USBDriver
.
Contents of the 'Scheduled Tasks' folder

2009-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-04-19 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-19 16:22]

2009-10-03 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-19 16:22]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-13 22:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
FBSearch = c:\program files\Search Guard Plus\SearchGuardPlus.exe?EBD6}" sendreports="1" showoninstall="1"> ?<

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3464)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-13 22:34
ComboFix-quarantined-files.txt 2009-11-14 03:32
ComboFix2.txt 2009-10-25 01:52

Pre-Run: 143,050,358,784 bytes free
Post-Run: 143,296,339,968 bytes free

- - End Of File - - D4117C3F3AB522373203B267083A34E3

#10 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:09:43 AM

Posted 15 November 2009 - 06:28 PM

Hi,

there still seems to be a lot of malware left. We're going to try to take most of it out with the following script:
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\drivers\oexswureoxbnfi.sys
c:\windows\Dtiluxeruxil.bin
c:\windows\Isojalepinub.dat
c:\documents and settings\OEM Preinstall\Local Settings\Application Data\ikogexido.dat
c:\windows\mehapawef.com
c:\documents and settings\OEM Preinstall\Local Settings\Application Data\tywokesyxa.dat
c:\documents and settings\All Users\Application Data\hunax.dat
c:\windows\system32\SET4E.tmp
c:\program files\Common Files\kogu.lib
c:\program files\Common Files\dugiby.com
c:\program files\Common Files\yvijexyrek.db
c:\program files\Common Files\jotuvexo.sys

Folder::
c:\program files\Search Guard Plus
c:\program files\Search Guard PlusU
Registry::

FCopy::
c:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\system32\drivers\atapi.sys

Driver::
cfgmhrmimqi
USBDriver
NetSvc::
USBDriver


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Regarding your question about McAfee and AVG, there is no easy answer and no definite "better" and "worse", in my opinion. There will always be differences between programs, and McAfee might catch other infections that AVG doesn't, even if it missed this one. In the end, if you are happy with AVG right now and don't want to pay for an antivirus program, I would suggest you stay with AVG. From what I see now, it seems as if both programs have not been able to prevent the infection or to clean it, and as far as I know this is true for practically all programs. The rootkit you have is extremely sneaky.

regards myrti

Edited by myrti, 15 November 2009 - 06:30 PM.

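
As an added example for this thread (not ComboFix's code, nor anything myrti posted), the Python below parses the Sigcheck and service lines of the ComboFix log above and derives the FCopy::, Driver:: and NetSvc:: sections that the CFScript in this post specifies: an atapi.sys copy ComboFix could not verify, with the same size as a verified backup but a different hash, is restored from that backup; a service whose image file is missing (the trailing [?]) goes under Driver::; and a service hosted in "svchost.exe -k netsvcs" is removed together with its NetSvcs slot. The function names and the flagging rules are this example's own assumptions, the sample lines are excerpted from the log, and the File::, Folder:: and Registry:: sections still need a human reviewer.

```python
"""Derive the FCopy::, Driver:: and NetSvc:: parts of a CFScript from a
ComboFix log. Added example for this thread, not ComboFix's own code; the
function names and the flagging heuristics are this example's assumptions."""
import re
from collections import defaultdict

# Constructed sample: lines excerpted from the ComboFix log posted above.
SAMPLE_LOG = r"""
------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2008-04-13 18:40 . 621A6A7D491BD3609FF40510D8437904 . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
.
R2 gearsec;gearsec;c:\windows\system32\gearsec.exe [12/1/2003 3:27 PM 53248]
S2 cfgmhrmimqi;cfgmhrmimqi;\??\c:\windows\system32\drivers\oexswureoxbnfi.sys --> c:\windows\system32\drivers\oexswureoxbnfi.sys [?]
S2 USBDriver;USBDriver;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
"""

# Sigcheck line shape: "[flag] date . MD5 . size . . [version] . . path"
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+\d{4}-\d{2}-\d{2}(?: \d{2}:\d{2})?\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)
# Service line shape: "R2 name;display name;image path [date size]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)\s*$"
)


def parse_sigcheck(log):
    """Group every Sigcheck line by file name (lower-cased basename)."""
    groups = defaultdict(list)
    for line in log.splitlines():
        m = SIGCHECK_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            groups[entry["path"].rsplit("\\", 1)[-1].lower()].append(entry)
    return groups


def find_tampered(groups):
    """Yield (bad_path, good_path): a copy ComboFix could not verify ('-')
    that has the same size as a verified copy but a different hash, which is
    the pattern atapi.sys shows in the log above (assumption: any flag other
    than '-' counts as verified)."""
    for entries in groups.values():
        verified = [e for e in entries if e["flag"] != "-"]
        for e in entries:
            if e["flag"] != "-":
                continue
            same_size = [v for v in verified
                         if v["size"] == e["size"] and v["md5"] != e["md5"]]
            if same_size:
                yield e["path"], same_size[0]["path"]


def parse_services(log):
    """Return the R?/S? service lines as dicts."""
    return [m.groupdict() for m in map(SERVICE_RE.match, log.splitlines()) if m]


def find_bad_services(services):
    """Return (driver_names, netsvc_names) for the Driver:: and NetSvc::
    sections. An image ending in [?] is a file ComboFix could not find; a
    service hosted by "svchost.exe -k netsvcs" in a listing that already
    omits legitimate defaults needs both its registration and its NetSvcs
    slot removed (mirrors the script in the post above)."""
    drivers, netsvcs = [], []
    for s in services:
        image = s["image"].lower()
        if image.endswith("[?]"):
            drivers.append(s["name"])
        elif "svchost.exe -k netsvcs" in image:
            drivers.append(s["name"])
            netsvcs.append(s["name"])
    return drivers, netsvcs


def build_cfscript(log):
    """Assemble the sections in CFScript syntax; empty sections are omitted."""
    fcopy = [f"{good} | {bad}" for bad, good in find_tampered(parse_sigcheck(log))]
    drivers, netsvcs = find_bad_services(parse_services(log))
    sections = [("FCopy::", fcopy), ("Driver::", drivers), ("NetSvc::", netsvcs)]
    return "\n\n".join(f"{head}\n" + "\n".join(items)
                       for head, items in sections if items)


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG))
```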


#11 pcourtemanche

pcourtemanche
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:03:43 AM

Posted 18 November 2009 - 07:01 AM

ComboFix 09-11-18.04 - OEM Preinstall 11/17/2009 21:05.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.438 [GMT -5:00]
Running from: c:\documents and settings\OEM Preinstall\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\OEM Preinstall\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2009-10-18 to 2009-11-18 )))))))))))))))))))))))))))))))
.

2009-11-16 00:03 . 2009-11-17 23:47 79488 ----a-w- c:\documents and settings\OEM Preinstall\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-15 19:30 . 2009-11-15 22:03 -------- d-----w- c:\program files\LimeWire
2009-11-14 22:00 . 2009-10-16 17:12 1119488 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-11-14 20:29 . 2009-11-14 20:47 -------- d-----w- C:\$AVG
2009-11-14 20:29 . 2009-11-14 20:29 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-14 20:29 . 2009-11-14 20:29 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-14 20:29 . 2009-11-14 20:29 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-14 20:29 . 2009-11-14 20:29 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-14 20:29 . 2009-11-17 23:45 -------- d-----w- c:\windows\system32\drivers\Avg
2009-11-14 20:28 . 2009-11-14 22:00 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-11-14 20:28 . 2009-11-14 20:28 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-13 18:15 . 2009-11-13 18:15 143976 ----a-w- c:\documents and settings\OEM Preinstall\Application Data\Move Networks\uninstall.exe
2009-11-13 18:14 . 2009-11-13 18:15 1794456 ----a-w- c:\documents and settings\OEM Preinstall\Application Data\Move Networks\MoveMediaPlayerWin_071701000002.exe
2009-10-29 01:38 . 2009-10-01 14:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-25 16:03 . 2009-10-25 16:03 -------- d-----w- c:\documents and settings\OEM Preinstall\Application Data\Malwarebytes
2009-10-25 16:03 . 2009-10-25 16:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-25 01:37 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-10-25 01:37 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-24 21:26 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-10-21 00:21 . 2009-10-21 00:23 -------- d-----w- c:\program files\AVG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-16 22:58 . 2009-05-22 19:49 -------- d-----w- c:\documents and settings\OEM Preinstall\Application Data\CallingID
2009-11-15 21:32 . 2007-02-10 22:52 -------- d-----w- c:\program files\MixMeister Express 6
2009-11-15 20:10 . 2009-09-05 16:51 -------- d-----w- c:\documents and settings\OEM Preinstall\Application Data\LimeWire
2009-11-14 02:53 . 2009-01-17 03:19 -------- d-----w- c:\program files\Common Files\Scanner
2009-11-14 02:40 . 2009-04-23 14:36 -------- d-----w- c:\program files\Coupons
2009-11-13 18:16 . 2008-10-25 23:16 -------- d-----w- c:\documents and settings\OEM Preinstall\Application Data\Move Networks
2009-11-13 18:15 . 2009-10-15 00:50 5642688 ----a-w- c:\documents and settings\OEM Preinstall\Application Data\Move Networks\plugins\npqmp071701000002.dll
2009-10-22 11:11 . 2009-10-17 00:14 0 ----a-w- c:\windows\Dtiluxeruxil.bin
2009-10-22 01:32 . 2009-04-19 15:29 -------- d-----w- c:\program files\McAfee
2009-10-21 11:12 . 2009-10-17 00:14 120 ----a-w- c:\windows\Isojalepinub.dat
2009-10-19 00:09 . 2009-05-22 19:48 -------- d-----w- c:\documents and settings\OEM Preinstall\Application Data\comcasttb
2009-10-18 18:22 . 2009-07-10 22:55 -------- d-----w- c:\program files\Search Guard Plus
2009-10-18 18:22 . 2009-07-10 22:55 -------- d-----w- c:\program files\Search Guard PlusU
2009-10-15 00:50 . 2009-10-15 00:50 97216 ----a-w- c:\documents and settings\OEM Preinstall\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-10-13 23:09 . 2007-08-19 20:54 -------- d-----w- c:\documents and settings\OEM Preinstall\Application Data\gtk-2.0
2009-10-03 19:00 . 2009-10-03 19:00 14959 ----a-w- c:\documents and settings\All Users\Application Data\pici.dat
2009-10-03 18:44 . 2009-10-03 18:44 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-10-03 15:15 . 2009-10-03 15:15 18844 ----a-w- c:\documents and settings\OEM Preinstall\Local Settings\Application Data\ikogexido.dat
2009-10-03 15:15 . 2009-10-03 15:15 12691 ----a-w- c:\windows\mehapawef.com
2009-10-03 13:41 . 2009-10-03 13:41 15046 ----a-w- c:\documents and settings\OEM Preinstall\Local Settings\Application Data\tywokesyxa.dat
2009-10-03 13:41 . 2009-10-03 13:41 14596 ----a-w- c:\documents and settings\All Users\Application Data\hunax.dat
2009-09-16 14:22 . 2009-04-19 15:30 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2009-04-19 15:30 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2009-04-19 15:30 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2009-04-19 15:30 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2009-04-19 15:30 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18 . 2009-09-11 14:18 136192 ----a-w- c:\windows\system32\SET4E.tmp
2009-09-11 14:18 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-05 16:49 . 2009-09-05 16:49 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-09-05 16:49 . 2009-09-05 16:49 152576 ----a-w- c:\documents and settings\OEM Preinstall\Application Data\Sun\Java\jre1.6.0_11\lzma.dll
2009-09-04 21:03 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-04 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2008-11-12 23:48 . 2008-11-12 23:48 19157 ----a-w- c:\program files\Common Files\kogu.lib
2008-11-12 23:48 . 2008-11-12 23:48 17933 ----a-w- c:\program files\Common Files\dugiby.com
2008-11-12 23:48 . 2008-11-12 23:48 15467 ----a-w- c:\program files\Common Files\yvijexyrek.db
2008-11-12 23:48 . 2008-11-12 23:48 12710 ----a-w- c:\program files\Common Files\jotuvexo.sys
.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2008-04-13 18:40 . 621A6A7D491BD3609FF40510D8437904 . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-10-25_01.44.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-17 23:40 . 2009-11-17 23:40 16384 c:\windows\Temp\Perflib_Perfdata_c0.dat
+ 2004-08-04 12:00 . 2009-11-01 13:56 78114 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2009-10-21 11:30 78114 c:\windows\system32\perfc009.dat
+ 2009-11-15 19:30 . 2009-11-15 19:30 85173 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
- 2006-10-13 08:51 . 2009-10-25 01:05 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-10-13 08:51 . 2009-11-17 23:48 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-10-13 08:51 . 2009-10-25 01:05 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-10-13 08:51 . 2009-11-17 23:48 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-10-13 08:51 . 2009-10-25 01:05 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-11-14 15:06 . 2009-11-17 23:48 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-11-15 19:30 . 2009-11-15 19:30 77824 c:\windows\Installer\{0DFB3DE8-65B9-44FF-AA0A-3BECC5A2BFD1}\ARPPRODUCTICON.exe
+ 2009-07-12 04:02 . 2009-07-12 04:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
- 2004-08-04 12:00 . 2009-10-21 11:30 462168 c:\windows\system32\perfh009.dat
+ 2004-08-04 12:00 . 2009-11-01 13:56 462168 c:\windows\system32\perfh009.dat
+ 2009-07-18 03:21 . 2009-07-18 03:21 257440 c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
- 2006-10-13 04:17 . 2009-06-10 14:52 153176 c:\windows\system32\FNTCACHE.DAT
+ 2006-10-13 04:17 . 2009-11-13 13:27 153176 c:\windows\system32\FNTCACHE.DAT
+ 2009-10-25 15:57 . 2009-10-25 15:57 195584 c:\windows\Installer\2d8778.msi
+ 2009-11-05 01:04 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976749-IE8\spuninst\updspapi.dll
+ 2009-11-05 01:04 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976749-IE8\spuninst\spuninst.exe
+ 2004-08-04 12:00 . 2009-08-14 13:21 1850624 c:\windows\system32\win32k.sys
+ 2004-08-04 12:00 . 2009-10-22 09:19 5939712 c:\windows\system32\mshtml.dll
+ 2009-07-18 03:21 . 2009-07-18 03:21 3883424 c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2008-10-14 22:13 . 2009-08-14 13:21 1850624 c:\windows\system32\dllcache\win32k.sys
+ 2004-08-04 12:00 . 2009-10-22 09:19 5939712 c:\windows\system32\dllcache\mshtml.dll
+ 2009-11-15 19:30 . 2009-11-15 19:30 1021952 c:\windows\Installer\8997e.msi
+ 2009-11-05 01:04 . 2009-08-29 08:08 5940224 c:\windows\ie8updates\KB976749-IE8\mshtml.dll
+ 2009-10-21 11:34 . 2009-11-05 17:36 26768832 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-10-16 17:12 1119488 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 307200]
"ComcastAntispyClient"="c:\program files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" [2009-08-19 1589208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-05 136600]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-02-01 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"FBSearch"="c:\program files\Search Guard Plus\SearchGuardPlus.exe" [2009-05-04 194432]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2009-07-09 5134864]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-14 2020120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2007-3-1 118784]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-14 20:29 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsmap.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/14/2009 3:29 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/14/2009 3:29 PM 360584]
R2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [6/17/2009 12:49 PM 616408]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/14/2009 3:28 PM 285392]
R2 gearsec;gearsec;c:\windows\system32\gearsec.exe [12/1/2003 3:27 PM 53248]
R2 tgsrvc_providercomcast;SupportSoft Repair Service (providercomcast);c:\program files\providerComcast\bin\tgsrvc.exe [5/2/2008 11:40 AM 148768]
S2 cfgmhrmimqi;cfgmhrmimqi;\??\c:\windows\system32\drivers\oexswureoxbnfi.sys --> c:\windows\system32\drivers\oexswureoxbnfi.sys [?]
S2 USBDriver;USBDriver;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
USBDriver
.
Contents of the 'Scheduled Tasks' folder

2009-11-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-04-19 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-19 16:22]

2009-10-03 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-19 16:22]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-17 21:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
FBSearch = c:\program files\Search Guard Plus\SearchGuardPlus.exe?EBD6}" sendreports="1" showoninstall="1"> ?<

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(264)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-17 21:17
ComboFix-quarantined-files.txt 2009-11-18 02:16
ComboFix2.txt 2009-11-14 03:34
ComboFix3.txt 2009-10-25 01:52

Pre-Run: 142,612,082,688 bytes free
Post-Run: 142,834,479,104 bytes free

- - End Of File - - B08ADB4D3DAB0AAEA007513E7AD4AF3E

#12 myrti (Malware Study Hall Admin)

Posted 18 November 2009 - 09:42 AM

Hi

That does not seem to have worked. Could you please download the latest version of ComboFix, place it on your desktop and try the script from my previous post again.

regards myrti



#13 pcourtemanche (Topic Starter)

Posted 20 November 2009 - 08:42 PM

ComboFix keeps telling me there is an updated version after I pull the script into Combofix to run. I declined it this time. Hope this is what you are looking for.

#14 pcourtemanche (Topic Starter)

Posted 20 November 2009 - 08:44 PM

ComboFix 09-11-18.04 - OEM Preinstall 11/20/2009 19:56.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.328 [GMT -5:00]
Running from: c:\documents and settings\OEM Preinstall\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\OEM Preinstall\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\documents and settings\All Users\Application Data\hunax.dat"
"c:\documents and settings\OEM Preinstall\Local Settings\Application Data\ikogexido.dat"
"c:\documents and settings\OEM Preinstall\Local Settings\Application Data\tywokesyxa.dat"
"c:\program files\Common Files\dugiby.com"
"c:\program files\Common Files\jotuvexo.sys"
"c:\program files\Common Files\kogu.lib"
"c:\program files\Common Files\yvijexyrek.db"
"c:\windows\Dtiluxeruxil.bin"
"c:\windows\Isojalepinub.dat"
"c:\windows\mehapawef.com"
"c:\windows\system32\drivers\oexswureoxbnfi.sys"
"c:\windows\system32\SET4E.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\hunax.dat
c:\documents and settings\OEM Preinstall\Local Settings\Application Data\ikogexido.dat
c:\documents and settings\OEM Preinstall\Local Settings\Application Data\tywokesyxa.dat
c:\program files\Common Files\dugiby.com
c:\program files\Common Files\jotuvexo.sys
c:\program files\Common Files\kogu.lib
c:\program files\Common Files\yvijexyrek.db
c:\program files\Search Guard Plus
c:\program files\Search Guard Plus\fbsProtection.xml
c:\program files\Search Guard Plus\fbsSearchProvider.xml
c:\program files\Search Guard Plus\FbsSearchProviderIE8.exe
c:\program files\Search Guard Plus\SearchGuardPlus.exe
c:\program files\Search Guard Plus\SearchGuardPlus.ico
c:\program files\Search Guard PlusU
c:\program files\Search Guard PlusU\SGPU.ico
c:\program files\Search Guard PlusU\sgpUpdater.xml
c:\windows\Dtiluxeruxil.bin
c:\windows\Isojalepinub.dat
c:\windows\mehapawef.com
c:\windows\system32\SET4E.tmp

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\atapi.sys --> c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CFGMHRMIMQI
-------\Legacy_USBDRIVER
-------\Service_cfgmhrmimqi
-------\Service_USBDriver


((((((((((((((((((((((((( Files Created from 2009-10-21 to 2009-11-21 )))))))))))))))))))))))))))))))
.

2009-11-16 00:03 . 2009-11-21 00:09 79488 ----a-w- c:\documents and settings\OEM Preinstall\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-15 19:30 . 2009-11-15 22:03 -------- d-----w- c:\program files\LimeWire
2009-11-14 22:00 . 2009-10-16 17:12 1119488 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-11-14 20:29 . 2009-11-14 20:47 -------- d-----w- C:\$AVG
2009-11-14 20:29 . 2009-11-14 20:29 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-14 20:29 . 2009-11-14 20:29 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-14 20:29 . 2009-11-14 20:29 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-14 20:29 . 2009-11-14 20:29 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-14 20:29 . 2009-11-21 00:07 -------- d-----w- c:\windows\system32\drivers\Avg
2009-11-14 20:28 . 2009-11-14 22:00 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-11-14 20:28 . 2009-11-14 20:28 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-13 18:15 . 2009-11-13 18:15 143976 ----a-w- c:\documents and settings\OEM Preinstall\Application Data\Move Networks\uninstall.exe
2009-11-13 18:14 . 2009-11-13 18:15 1794456 ----a-w- c:\documents and settings\OEM Preinstall\Application Data\Move Networks\MoveMediaPlayerWin_071701000002.exe
2009-10-29 01:38 . 2009-10-01 14:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-25 16:03 . 2009-10-25 16:03 -------- d-----w- c:\documents and settings\OEM Preinstall\Application Data\Malwarebytes
2009-10-25 16:03 . 2009-10-25 16:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-25 01:37 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-10-25 01:37 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-24 21:26 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-21 00:48 . 2009-05-22 19:49 -------- d-----w- c:\documents and settings\OEM Preinstall\Application Data\CallingID
2009-11-21 00:03 . 2009-04-19 15:29 -------- d-----w- c:\program files\McAfee
2009-11-15 21:32 . 2007-02-10 22:52 -------- d-----w- c:\program files\MixMeister Express 6
2009-11-15 20:10 . 2009-09-05 16:51 -------- d-----w- c:\documents and settings\OEM Preinstall\Application Data\LimeWire
2009-11-14 02:53 . 2009-01-17 03:19 -------- d-----w- c:\program files\Common Files\Scanner
2009-11-14 02:40 . 2009-04-23 14:36 -------- d-----w- c:\program files\Coupons
2009-11-13 18:16 . 2008-10-25 23:16 -------- d-----w- c:\documents and settings\OEM Preinstall\Application Data\Move Networks
2009-11-13 18:15 . 2009-10-15 00:50 5642688 ----a-w- c:\documents and settings\OEM Preinstall\Application Data\Move Networks\plugins\npqmp071701000002.dll
2009-11-05 17:36 . 2009-10-21 11:34 26768832 ----a-w- c:\windows\system32\MRT.exe
2009-10-22 09:19 . 2004-08-04 12:00 5939712 ------w- c:\windows\system32\mshtml.dll
2009-10-21 00:23 . 2009-10-21 00:21 -------- d-----w- c:\program files\AVG
2009-10-19 00:09 . 2009-05-22 19:48 -------- d-----w- c:\documents and settings\OEM Preinstall\Application Data\comcasttb
2009-10-15 00:50 . 2009-10-15 00:50 97216 ----a-w- c:\documents and settings\OEM Preinstall\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-10-13 23:09 . 2007-08-19 20:54 -------- d-----w- c:\documents and settings\OEM Preinstall\Application Data\gtk-2.0
2009-10-03 19:00 . 2009-10-03 19:00 14959 ----a-w- c:\documents and settings\All Users\Application Data\pici.dat
2009-10-03 18:44 . 2009-10-03 18:44 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-09-16 14:22 . 2009-04-19 15:30 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2009-04-19 15:30 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2009-04-19 15:30 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2009-04-19 15:30 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2009-04-19 15:30 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-05 16:49 . 2009-09-05 16:49 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-09-05 16:49 . 2009-09-05 16:49 152576 ----a-w- c:\documents and settings\OEM Preinstall\Application Data\Sun\Java\jre1.6.0_11\lzma.dll
2009-09-04 21:03 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-04 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-10-25_01.44.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-21 01:07 . 2009-11-21 01:07 16384 c:\windows\Temp\Perflib_Perfdata_7d8.dat
- 2004-08-04 12:00 . 2009-10-21 11:30 78114 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-11-01 13:56 78114 c:\windows\system32\perfc009.dat
+ 2009-11-15 19:30 . 2009-11-15 19:30 85173 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2004-08-04 12:00 . 2008-04-13 18:40 96512 c:\windows\system32\dllcache\atapi.sys
+ 2006-10-13 08:51 . 2009-11-21 00:09 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-10-13 08:51 . 2009-10-25 01:05 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-10-13 08:51 . 2009-10-25 01:05 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-10-13 08:51 . 2009-11-21 00:09 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-11-18 11:49 . 2009-11-21 00:09 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-10-13 08:51 . 2009-10-25 01:05 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-11-15 19:30 . 2009-11-15 19:30 77824 c:\windows\Installer\{0DFB3DE8-65B9-44FF-AA0A-3BECC5A2BFD1}\ARPPRODUCTICON.exe
+ 2009-07-12 04:02 . 2009-07-12 04:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
- 2004-08-04 12:00 . 2009-10-21 11:30 462168 c:\windows\system32\perfh009.dat
+ 2004-08-04 12:00 . 2009-11-01 13:56 462168 c:\windows\system32\perfh009.dat
+ 2009-07-18 03:21 . 2009-07-18 03:21 257440 c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2006-10-13 04:17 . 2009-11-13 13:27 153176 c:\windows\system32\FNTCACHE.DAT
- 2006-10-13 04:17 . 2009-06-10 14:52 153176 c:\windows\system32\FNTCACHE.DAT
+ 2009-10-25 15:57 . 2009-10-25 15:57 195584 c:\windows\Installer\2d8778.msi
+ 2009-11-05 01:04 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976749-IE8\spuninst\updspapi.dll
+ 2009-11-05 01:04 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976749-IE8\spuninst\spuninst.exe
+ 2004-08-04 12:00 . 2009-08-14 13:21 1850624 c:\windows\system32\win32k.sys
+ 2009-07-18 03:21 . 2009-07-18 03:21 3883424 c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2008-10-14 22:13 . 2009-08-14 13:21 1850624 c:\windows\system32\dllcache\win32k.sys
+ 2004-08-04 12:00 . 2009-10-22 09:19 5939712 c:\windows\system32\dllcache\mshtml.dll
+ 2009-11-15 19:30 . 2009-11-15 19:30 1021952 c:\windows\Installer\8997e.msi
+ 2009-11-05 01:04 . 2009-08-29 08:08 5940224 c:\windows\ie8updates\KB976749-IE8\mshtml.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-10-16 17:12 1119488 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 307200]
"ComcastAntispyClient"="c:\program files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" [2009-08-19 1589208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-05 136600]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-02-01 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2009-07-09 5134864]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-14 2020120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2007-3-1 118784]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-14 20:29 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsmap.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/14/2009 3:29 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/14/2009 3:29 PM 360584]
R2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [6/17/2009 12:49 PM 616408]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/14/2009 3:28 PM 285392]
R2 gearsec;gearsec;c:\windows\system32\gearsec.exe [12/1/2003 3:27 PM 53248]
R2 tgsrvc_providercomcast;SupportSoft Repair Service (providercomcast);c:\program files\providerComcast\bin\tgsrvc.exe [5/2/2008 11:40 AM 148768]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-04-19 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-19 16:22]

2009-10-03 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-19 16:22]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-FBSearch - c:\program files\Search Guard Plus\SearchGuardPlus.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-20 20:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
FBSearch = c:\program files\Search Guard Plus\SearchGuardPlus.exe?EBD6}" sendreports="1" showoninstall="1"> ?<

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3920)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\SearchIndexer.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-11-20 20:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-21 01:24
ComboFix2.txt 2009-11-18 02:17
ComboFix3.txt 2009-11-14 03:34
ComboFix4.txt 2009-10-25 01:52

Pre-Run: 142,718,873,600 bytes free
Post-Run: 142,702,198,784 bytes free

- - End Of File - - 9C674D767B53BF4EE834F79576CB8835
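
The two ComboFix runs above differ in exactly the places a reader has to learn to spot: the first run (2009-11-17) lists an S2 service cfgmhrmimqi whose driver path ComboFix marks "[?]" because the file is not on disk, a second S2 service USBDriver registered into the shared svchost netsvcs group and printed under the "Svchost - NetSvcs" key (ComboFix only prints non-default members there), and Security Center monitoring switched off for the McAfee entries; the second run shows those services gone under "Drivers/Services" and the infected atapi.sys replaced from ServicePackFiles via FCopy. As an added example that is not part of this thread or of ComboFix, the Python below reads those three sections of a ComboFix-style log and reports each indicator, using lines copied from the first log above as constructed sample input. The format rules it relies on (R/S prefix, semicolon-separated fields, "[?]" for a missing image, the NetSvcs block ending at a blank line or ".") are inferred from the posted log and are assumptions. The Security Center flag is a weak signal on its own, since security suites routinely set DisableMonitoring for their own entries to avoid duplicate alerts; it is only interesting alongside the other two.

```python
"""Triage of a ComboFix-style log excerpt: flag the indicators this thread's log shows.

Added example, not part of the original thread or of ComboFix itself.
Parsing rules (R/S service prefix, ';'-separated fields, '[?]' for a missing
file, the 'Svchost - NetSvcs' block listing non-default entries) are inferred
from the posted log and are assumptions about the format.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the first ComboFix log in this thread
# (the 2009-11-17 run, before the cfgmhrmimqi and USBDriver services were removed).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/14/2009 3:29 PM 333192]
R2 gearsec;gearsec;c:\windows\system32\gearsec.exe [12/1/2003 3:27 PM 53248]
S2 cfgmhrmimqi;cfgmhrmimqi;\??\c:\windows\system32\drivers\oexswureoxbnfi.sys --> c:\windows\system32\drivers\oexswureoxbnfi.sys [?]
S2 USBDriver;USBDriver;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
USBDriver
.
"""

# "R2 name;display name;image path [date size]" -- R = running, S = stopped, digit = start type
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
DISABLE_MON_RE = re.compile(r'^"DisableMonitoring"=dword:0*1$', re.IGNORECASE)
NETSVCS_HEADER = "svchost - netsvcs"


@dataclass(frozen=True)
class Finding:
    kind: str    # indicator class: missing_image, netsvcs_extra, wsc_monitoring_disabled
    name: str    # service name or Security Center product subkey
    detail: str  # why a reader of the log should look at it


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    netsvcs_entries: list[str] = []
    hosted_by_netsvcs: dict[str, str] = {}  # lower-cased name -> name as logged
    current_key = ""
    in_netsvcs = False

    for line in (ln.rstrip() for ln in log_text.splitlines()):
        if in_netsvcs:
            # The NetSvcs block runs until a blank line or ComboFix's '.' separator.
            if line and line != ".":
                netsvcs_entries.append(line.strip())
                continue
            in_netsvcs = False

        if line.lower().endswith(NETSVCS_HEADER):
            in_netsvcs = True
            continue

        key = KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            continue

        if DISABLE_MON_RE.match(line) and "security center\\monitoring\\" in current_key.lower():
            product = current_key.rsplit("\\", 1)[-1]
            findings.append(Finding(
                "wsc_monitoring_disabled", product,
                "Security Center no longer monitors this product; AV suites set this "
                "themselves, so weigh it only together with other indicators"))
            continue

        svc = SERVICE_RE.match(line)
        if svc:
            name, image = svc.group(3), svc.group(5)
            if image.endswith("[?]"):
                # ComboFix prints '[?]' when the image file is not on disk: a service
                # left behind by a removed driver, or a rootkit hiding its file.
                findings.append(Finding(
                    "missing_image", name,
                    f"service image not found on disk: {image.split(' --> ')[-1]}"))
            if "svchost.exe -k netsvcs" in image.lower():
                hosted_by_netsvcs[name.lower()] = name

    for entry in netsvcs_entries:
        # ComboFix only prints non-default members of the netsvcs group here; each one
        # is a DLL that svchost will load into a shared, trusted process at boot.
        hosted = entry.lower() in hosted_by_netsvcs
        findings.append(Finding(
            "netsvcs_extra", hosted_by_netsvcs.get(entry.lower(), entry),
            "non-default netsvcs group member"
            + ("; matching svchost-hosted service line found" if hosted
               else "; no matching service line in this excerpt")))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:24} {f.name:16} {f.detail}")
```

Run against the sample it reports four findings: the two McAfee Security Center entries, the cfgmhrmimqi service with its missing oexswureoxbnfi.sys, and USBDriver as a non-default netsvcs member backed by a service line. The legitimate AVG and gearsec lines produce nothing, which is the point: the heuristics key on what ComboFix itself marks as absent or non-default rather than on a list of known-good names.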

#15 pcourtemanche (Topic Starter)

Posted 21 November 2009 - 08:32 PM

Full system scan; no virus found. Thank you very much!

Do you have any suggestions to keep the system clean? I increased the security level on Internet Explorer, but is there a specific malware/cookies software that will not impact McAfee VirusScan?

I also backed up my system so if this happens again; I can just restore a clean copy.

Thank you for your diligence and persistence in assisting with this issue. Please let me know if there is anywhere that I can blog accolades on the great job that you did.

Thank you again.

Paula
