Infection that shuts down Malwarebytes


This topic is locked
33 replies to this topic

#1 Kenickie

Posted 05 November 2009 - 05:02 AM

My PC's infected with a nasty little virus that seems to be very adept at stopping itself being removed. I haven't been able to find out what virus it is I'm afraid, so a description of its effects is all I can give.

I first noticed something was wrong when the PC failed to shut down. I manually shut off power and rebooted and it hung mid-boot. I got it started OK in Safe Mode and went back to the last known good configuration, and it now starts again, although it occasionally reports an error (usually "cannot find C:\Program") when booting. Apart from this, effects that I've noticed are:

1. It seems to be attacking my network connections. It's trashed my Internet Connection Sharing and local ethernet connection. At times both the Internet and Ethernet connections disappear from my Network Connections list. They're back at the moment, although the title at the top that's meant to say "LAN or High-Speed Internet" just says "L". I fixed ICS once (before I was aware it was a virus doing the damage) by mending the SharedAccess registry keys, but then it went again. I've now physically disconnected the ethernet cable.

2. AVG won't update its virus definitions - I get an "access forbidden by server" message.

3. It shuts down Malwarebytes after a few seconds if I try to run it.

I've tried all the tricks suggested elsewhere on these forums to get Malwarebytes to run - I've changed the name of the downloaded installer file, changed the name of mbam.exe before running, and downloaded the randomly-named version from Malwarebytes, but it still closes it down. I've tried in Safe Mode too with no success.

Spybot and AVG report no infections (except for the odd tracking cookie). Everything I've seen suggests that Malwarebytes can successfully catch the thing and remove it, but I just can't get it to run!!

I'd be very grateful for any help you can give me. Oh, and I'm running XP Professional SP3 if that helps.

Thanks!!

-------------------------------------------------------

DDS (Ver_09-10-26.01) - NTFSx86
Run by HP at 7:59:11.95 on 05/11/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.481 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\PROGRA~1\AIM\AIMWDI~1.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\HP\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
mRun: [DrvLsnr] c:\program files\analog devices\soundmax\DrvLsnr.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [AIMWDInstallFilename] c:\progra~1\aim\AIMWDI~1.EXE
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-7 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-7 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-7 297752]
R3 AEILAB;AEI USB To Fast Ethernet Adapter;c:\windows\system32\drivers\AEILAB.SYS [2008-10-10 24299]
S3 pohci13F;pohci13F;\??\c:\docume~1\hp\locals~1\temp\pohci13f.sys --> c:\docume~1\hp\locals~1\temp\pohci13F.sys [?]

=============== Created Last 30 ================

2009-11-04 23:02:50 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-04 23:02:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-11-04 21:07:18 0 d-----w- c:\docume~1\hp\applic~1\Malwarebytes
2009-11-04 21:07:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-04 16:42:24 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-01 10:47:58 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-01 07:42:52 54156 ---ha-w- c:\windows\QTFont.qfn
2009-11-01 07:42:52 1409 ----a-w- c:\windows\QTFont.for
2009-10-21 18:16:51 0 d-----w- c:\docume~1\hp\applic~1\GARMIN
2009-10-21 18:16:20 0 d-----w- c:\program files\Garmin GPS Plugin
2009-10-21 18:16:15 0 d-----w- c:\program files\Garmin
2009-10-09 16:52:41 20 ----a-w- c:\windows\WinInit.Ini
2009-10-09 16:52:39 13312 ----a-w- c:\windows\system32\MSADP32.ACM

==================== Find3M ====================

2009-09-23 06:44:34 4608 ----a-w- c:\windows\system32\w95inf32.dll
2009-09-23 06:44:34 2272 ----a-w- c:\windows\system32\w95inf16.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-28 16:37:19 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 07:26:17 19832 -c--a-w- c:\docume~1\hp\applic~1\GDIPFONTCACHEV1.DAT
2008-09-28 17:21:00 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092820080929\index.dat

============= FINISH: 7:59:43.07 ===============
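An added triage script, not part of this thread and not from the DDS or OTL tools, that reads lines in the two report formats posted here and pulls out the entries a helper looks at first: a driver or autostart loading from a Temp directory, a DDS service line ending in [?] (the file could not be verified), an autostart whose target OTL reports as "File not found", and a registration with "No File". The sample lines are copied from the reports above; the regexes for the two formats and the small benign-name allowlist are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample: lines copied from the DDS and OTL reports posted in this thread.
SAMPLE_LOG = r"""
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-7 335240]
S3 pohci13F;pohci13F;\??\c:\docume~1\hp\locals~1\temp\pohci13f.sys --> c:\docume~1\hp\locals~1\temp\pohci13F.sys [?]
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\plop\mbamgui.exe File not found
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKCU..\Run: [Advanced SystemCare 3] C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe (IObit)
"""

# DDS "SERVICES / DRIVERS" line: start type, name, display name, image path, optional "[date size]" or "[?]".
DDS_SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*?)\s*(\[[^\]]*\])?$")
# DDS pseudo-HJT autostart lines: uRun / mRun / mRunOnce / dRunOnce.
DDS_RUN_RE = re.compile(r"^[umd]Run(?:Once)?:\s+\[([^\]]+)\]\s+(.*)$")
# OTL O4 autostart lines: hive, key (Run, RunOnce, RunOnceEx), value name, target.
OTL_RUN_RE = re.compile(r"^O4 - (HK[LC][MU])\.\.\\(Run(?:Once)?(?:Ex)?): \[([^\]]+)\]\s+(.*)$")
# A kernel driver or autostart binary has no business living under a Temp directory.
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# Assumed allowlist of stock Windows XP autostart names a helper would not chase.
# KernelFaultCheck (dumprep 0 -k) is the standard post-crash kernel fault reporting entry.
BENIGN_NAMES = {"KernelFaultCheck", "ctfmon.exe"}


def _finding(kind: str, name: str, target: str, line: str) -> Dict[str, str]:
    return {"kind": kind, "name": name, "target": target, "line": line}


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per report line that deserves a closer look, in report order."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue

        m = DDS_SERVICE_RE.match(line)
        if m:
            _start, _num, name, _display, path, tail = m.groups()
            # DDS prints "registry path --> resolved file" when the two differ; keep the resolved one.
            image = path.split("-->")[-1].strip()
            if TEMP_DIR_RE.search(image):
                findings.append(_finding("driver-in-temp-dir", name, image, line))
            elif tail == "[?]":
                findings.append(_finding("driver-file-unverified", name, image, line))
            continue

        m = DDS_RUN_RE.match(line)
        if m:
            name, target = m.groups()
            if name not in BENIGN_NAMES and TEMP_DIR_RE.search(target):
                findings.append(_finding("autostart-in-temp-dir", name, target, line))
            continue

        m = OTL_RUN_RE.match(line)
        if m:
            hive, key, name, target = m.groups()
            if target.endswith("File not found"):
                findings.append(_finding("autostart-target-missing", f"{hive}\\{key}\\{name}", target, line))
            elif name not in BENIGN_NAMES and TEMP_DIR_RE.search(target):
                findings.append(_finding("autostart-in-temp-dir", name, target, line))
            continue

        # Toolbar / BHO style lines whose registered file no longer exists.
        if line.endswith("- No File"):
            findings.append(_finding("orphaned-registration", line.split(":", 1)[0], line, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:<26} {f['name']:<40} {f['target']}")
```

Entries that are merely unusual (a renamed Malwarebytes folder, for instance) still show up; the script orders the reading, it does not decide what is malicious.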


#2 kahdah (Security Colleague)

Posted 10 November 2009 - 07:34 AM

Hello Kenickie

Welcome to BleepingComputer :(
========================
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under the Custom Scans and Fixes section, paste in the text below in bold:

    netsvcs
    %SYSTEMDRIVE%\*.exe
    %SYSTEMDRIVE%\eventlog.dll /s /md5
    %SYSTEMDRIVE%\scecli.dll /s /md5
    %SYSTEMDRIVE%\netlogon.dll /s /md5
    %SYSTEMDRIVE%\cngaudit.dll /s /md5
    %SYSTEMDRIVE%\sceclt.dll /s /md5
    %SYSTEMDRIVE%\ntelogon.dll /s /md5
    %SYSTEMDRIVE%\logevent.dll /s /md5
    %SYSTEMDRIVE%\iaStor.sys /s /md5
    %SYSTEMDRIVE%\nvstor.sys /s /md5
    %SYSTEMDRIVE%\atapi.sys /s /md5
    %SYSTEMDRIVE%\IdeChnDr.sys /s /md5
    %SYSTEMDRIVE%\viasraid.sys /s /md5
    %SYSTEMDRIVE%\AGP440.sys /s /md5
    %SYSTEMDRIVE%\vaxscsi.sys /s /md5

  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
====================
===========
Download This file. Note its name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#3 Kenickie (Topic Starter)

Posted 11 November 2009 - 05:16 AM

Hi kahdah, thanks for getting back to me. :( I realise you've got a lot of people asking for help!

I've run all the scans you asked me to and the results follow. As an aside, whilst I was waiting for a reply I had a look at my startup processes with msconfig and found one called "dumprep 0 -k", which looked suspicious to me. I'm no expert on these things but it looked like a command prompt that disabled the standard Microsoft error reporting dialogue box to me, so I disabled it. It didn't help much though!!

Scan results follow. Thanks for the help!

-----------------------------

OTL logfile created on: 11/11/2009 09:37:57 - Run 1
OTL by OldTimer - Version 3.1.5.0 Folder = C:\Documents and Settings\HP\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1023.45 Mb Total Physical Memory | 634.93 Mb Available Physical Memory | 62.04% Memory free
1.64 Gb Paging File | 1.36 Gb Available in Paging File | 82.64% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.96 Gb Total Space | 2.05 Gb Free Space | 10.81% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DANNY
Current User Name: HP
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\HP\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe (IObit)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\AVG\AVG8\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
PRC - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.)
PRC - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)
PRC - C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe (adi)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\HP\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\wbem\framedyn.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\Syncor11.dll (SoundMAX)


========== Win32 Services (SafeList) ==========

SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (avg8wd) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (NVSvc) -- C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
SRV - (gusvc) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)
SRV - (FontCache3.0.0.0) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (idsvc) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (NetTcpPortSharing) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (aspnet_state) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (helpsvc) -- C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll (Microsoft Corporation)
SRV - (WMPNetworkSvc) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)
SRV - (IDriverT) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (SoundMAX Agent Service (default) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)


========== Driver Services (SafeList) ==========

DRV - (AvgMfx86) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgLdx86) -- C:\WINDOWS\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgTdiX) -- C:\WINDOWS\System32\Drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (Secdrv) -- C:\WINDOWS\system32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (ialm) -- C:\WINDOWS\system32\drivers\ialmnt5.sys (Intel Corporation)
DRV - (Ptilink) -- C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)
DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)
DRV - (smwdm) -- C:\WINDOWS\system32\drivers\smwdm.sys (Analog Devices, Inc.)
DRV - (aeaudio) -- C:\WINDOWS\system32\drivers\aeaudio.sys (Andrea Electronics Corporation)
DRV - (usbcm) -- C:\WINDOWS\system32\drivers\usbcm.sys (Microsystems Corp)
DRV - (AEILAB) -- C:\WINDOWS\system32\drivers\AEILAB.SYS (USB2LAN Provider)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/01 23:42:10 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2008/12/22 08:10:13 | 00,000,000 | ---D | M]


O1 HOSTS File: (734 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll (Google Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe (adi)
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [Advanced SystemCare 3] C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe (IObit)
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKCU..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe (Electronic Arts)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\plop\mbamgui.exe File not found
O4 - HKCU..\RunOnce: [Shockwave Updater] C:\WINDOWS\System32\Adobe\Shockwave 11\SwHelper_1151601.exe -Update -1151601 -Mozilla\4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident\4.0; File not found
O4 - HKLM..\RunOnceEx: [Flags] Reg Error: Invalid data type. File not found
O4 - HKLM..\RunOnceEx: [Title] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.5.0.cab (DLM Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 194.168.4.100 194.168.8.100
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/07/31 11:07:36 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (MACHINE) - File not found
O34 - HKLM BootExecute: (BootExecut) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2008/07/31 11:06:53 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: helpsvc - C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll (Microsoft Corporation)

========== Files/Folders - Created Within 30 Days ==========

[2009/11/11 09:34:53 | 00,529,408 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\HP\Desktop\OTL.exe
[2009/11/10 07:49:32 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss
[2009/11/07 19:47:47 | 00,000,000 | ---D | C] -- C:\Documents and Settings\HP\Local Settings\Application Data\Threat Expert
[2009/11/07 19:39:32 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/11/07 17:15:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\HP\Application Data\IObit
[2009/11/06 10:15:26 | 00,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/11/06 10:15:26 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/11/06 10:15:26 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/11/05 15:39:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\HP\Local Settings\Application Data\Help
[2009/11/05 15:39:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\HP\Application Data\Help
[2009/11/05 15:37:07 | 00,000,000 | ---D | C] -- C:\Documents and Settings\HP\My Documents\RegRun2
[2009/11/05 09:24:47 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\HP\Desktop\RootRepeal.exe
[2009/11/04 23:02:50 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2009/11/04 23:02:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/11/04 21:07:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\HP\Application Data\Malwarebytes
[2009/11/04 21:07:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/11/04 16:40:52 | 00,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2009/11/01 10:47:58 | 00,093,360 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2009/10/31 15:22:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\HP\Application Data\WinRAR
[2009/10/31 15:21:17 | 00,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2009/10/25 10:45:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2009/10/21 18:20:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\HP\Application Data\Download Manager
[2009/10/21 18:16:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\HP\Application Data\GARMIN
[2009/10/21 18:16:20 | 00,000,000 | ---D | C] -- C:\Program Files\Garmin GPS Plugin
[2009/10/21 18:16:16 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\DRVSTORE
[2009/10/21 18:16:16 | 00,000,000 | ---D | C] -- C:\Program Files\DIFX
[2009/10/21 18:16:15 | 00,000,000 | ---D | C] -- C:\Program Files\Garmin
[2004/11/24 19:25:52 | 00,335,872 | ---- | C] ( ) -- C:\WINDOWS\System32\drvc.dll
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/11/11 09:34:53 | 00,529,408 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP\Desktop\OTL.exe
[2009/11/11 09:22:37 | 00,206,492 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/11/11 09:22:37 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/11/11 09:21:52 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/11/11 09:21:48 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/11/11 09:21:45 | 00,122,928 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/11/11 09:15:26 | 04,718,592 | -H-- | M] () -- C:\Documents and Settings\HP\NTUSER.DAT
[2009/11/11 09:15:26 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\HP\ntuser.ini
[2009/11/11 09:15:18 | 05,873,462 | -H-- | M] () -- C:\Documents and Settings\HP\Local Settings\Application Data\IconCache.db
[2009/11/10 16:19:28 | 00,000,416 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{3C2A9A05-3E89-4C90-AE87-3454265031E6}.job
[2009/11/10 09:25:46 | 00,002,246 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/11/10 09:25:46 | 00,000,243 | ---- | M] () -- C:\WINDOWS\SYSTEM.INI
[2009/11/10 09:25:46 | 00,000,211 | -HS- | M] () -- C:\boot.ini
[2009/11/09 08:17:33 | 00,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/11/08 19:42:46 | 00,002,459 | ---- | M] () -- C:\Documents and Settings\HP\Desktop\Puppy Luv.lnk
[2009/11/08 10:47:00 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/11/07 17:15:44 | 00,000,927 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Advanced SystemCare.lnk
[2009/11/07 11:44:42 | 00,002,469 | ---- | M] () -- C:\Documents and Settings\HP\Desktop\PowerPoint.lnk
[2009/11/05 17:36:21 | 26,768,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/11/05 15:37:32 | 00,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/11/05 15:37:32 | 00,001,688 | ---- | M] () -- C:\WINDOWS\System32\AUTOEXEC.NT
[2009/11/05 15:37:32 | 00,000,002 | RHS- | M] () -- C:\WINDOWS\winstart.bat
[2009/11/05 09:25:59 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\HP\Desktop\settings.dat
[2009/11/05 09:24:51 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\HP\Desktop\RootRepeal.exe
[2009/11/05 07:58:19 | 00,523,776 | ---- | M] () -- C:\Documents and Settings\HP\Desktop\dds.scr
[2009/11/04 23:03:09 | 00,000,959 | ---- | M] () -- C:\Documents and Settings\HP\Desktop\Spybot - Search & Destroy.lnk
[2009/11/04 16:42:27 | 00,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/11/04 09:16:01 | 44,680,544 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/11/04 09:16:01 | 00,072,810 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/11/03 12:37:08 | 00,002,481 | ---- | M] () -- C:\Documents and Settings\HP\Desktop\Excel.lnk
[2009/11/03 07:31:19 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/11/03 07:31:19 | 00,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2009/10/28 10:47:53 | 00,093,360 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2009/10/27 10:23:55 | 00,002,483 | ---- | M] () -- C:\Documents and Settings\HP\Desktop\Word.lnk
[2009/10/25 05:57:38 | 00,508,956 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/10/25 05:57:38 | 00,433,130 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/10/25 05:57:38 | 00,067,768 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/10/22 09:19:04 | 05,939,712 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mshtml.dll
[2009/10/22 09:19:04 | 05,939,712 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[2009/10/14 22:43:17 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/11/07 17:15:44 | 00,000,927 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Advanced SystemCare.lnk
[2009/11/05 15:37:32 | 00,000,002 | RHS- | C] () -- C:\WINDOWS\winstart.bat
[2009/11/05 09:25:59 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\HP\Desktop\settings.dat
[2009/11/05 07:58:13 | 00,523,776 | ---- | C] () -- C:\Documents and Settings\HP\Desktop\dds.scr
[2009/11/04 23:03:09 | 00,000,959 | ---- | C] () -- C:\Documents and Settings\HP\Desktop\Spybot - Search & Destroy.lnk
[2009/11/04 16:42:24 | 00,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/11/01 07:42:52 | 00,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2009/11/01 07:42:52 | 00,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2009/10/25 10:48:54 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/10/09 16:52:41 | 00,000,020 | ---- | C] () -- C:\WINDOWS\WinInit.Ini
[2009/09/23 06:46:19 | 00,056,320 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll
[2009/09/23 06:44:36 | 00,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2009/04/30 23:31:06 | 01,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2009/04/30 23:31:06 | 01,507,328 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2009/04/30 23:31:06 | 01,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2009/04/30 23:31:06 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2009/03/26 22:09:51 | 00,000,289 | ---- | C] () -- C:\WINDOWS\Resize.INI
[2009/02/19 18:23:08 | 00,000,057 | ---- | C] () -- C:\WINDOWS\encore_launcher.ini
[2008/12/19 15:15:58 | 04,338,246 | ---- | C] () -- C:\WINDOWS\System32\libavcodec.dll
[2008/12/17 17:41:18 | 00,884,237 | ---- | C] () -- C:\WINDOWS\System32\ff_x264.dll
[2008/12/17 17:22:58 | 00,093,184 | ---- | C] () -- C:\WINDOWS\System32\ff_wmv9.dll
[2008/12/17 17:22:48 | 00,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008/12/17 17:17:34 | 00,239,247 | ---- | C] () -- C:\WINDOWS\System32\ff_theora.dll
[2008/12/17 16:59:54 | 00,560,802 | ---- | C] () -- C:\WINDOWS\System32\libmplayer.dll
[2008/12/11 11:27:02 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2008/11/29 17:47:16 | 00,000,072 | ---- | C] () -- C:\WINDOWS\mb2loc.ini
[2008/11/28 19:32:18 | 00,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2008/11/10 17:47:02 | 00,019,832 | ---- | C] () -- C:\Documents and Settings\HP\Application Data\GDIPFONTCACHEV1.DAT
[2008/11/01 09:06:07 | 00,000,036 | ---- | C] () -- C:\WINDOWS\Tiny_Run.ini
[2008/10/12 14:56:40 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/10/10 15:35:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\bbcauto.INI
[2008/10/01 08:57:57 | 00,039,424 | ---- | C] () -- C:\Documents and Settings\HP\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/09/17 20:11:29 | 00,000,032 | ---- | C] () -- C:\Documents and Settings\HP\Application Data\ntl.ini
[2008/09/16 06:40:19 | 00,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2008/09/06 11:22:18 | 00,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/09/06 11:01:06 | 00,019,832 | ---- | C] () -- C:\Documents and Settings\HP\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2008/07/31 16:14:12 | 05,873,462 | -H-- | C] () -- C:\Documents and Settings\HP\Local Settings\Application Data\IconCache.db
[2008/07/31 15:15:00 | 00,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll
[2008/07/31 12:51:54 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\HP\Application Data\desktop.ini
[2008/07/31 11:56:24 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2004/10/03 17:50:54 | 00,129,024 | ---- | C] () -- C:\WINDOWS\System32\ff_mpeg2enc.dll
[2004/08/04 12:00:00 | 00,002,246 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/04 12:00:00 | 00,000,243 | ---- | C] () -- C:\WINDOWS\SYSTEM.INI

========== LOP Check ==========

[2009/06/29 12:57:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2009/08/16 12:16:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Electronic Arts
[2009/11/07 19:52:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2008/09/17 19:53:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/11/08 10:47:00 | 00,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2004/08/04 12:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/11/11 09:21:52 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT
[2009/11/10 16:19:28 | 00,000,416 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{3C2A9A05-3E89-4C90-AE87-3454265031E6}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >

< %SYSTEMDRIVE%\eventlog.dll /s /md5 >
[2004/08/04 12:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
[2008/04/14 00:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/14 00:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[4 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %SYSTEMDRIVE%\scecli.dll /s /md5 >
[2004/08/04 12:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/14 00:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/14 00:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll
[4 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %SYSTEMDRIVE%\netlogon.dll /s /md5 >
[2004/08/04 12:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2008/04/14 00:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/14 00:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[4 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %SYSTEMDRIVE%\cngaudit.dll /s /md5 >

< %SYSTEMDRIVE%\sceclt.dll /s /md5 >

< %SYSTEMDRIVE%\ntelogon.dll /s /md5 >

< %SYSTEMDRIVE%\logevent.dll /s /md5 >

< %SYSTEMDRIVE%\iaStor.sys /s /md5 >

< %SYSTEMDRIVE%\nvstor.sys /s /md5 >

< %SYSTEMDRIVE%\atapi.sys /s /md5 >
[2004/08/04 12:00:00 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2008/04/13 18:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 18:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/13 18:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< %SYSTEMDRIVE%\IdeChnDr.sys /s /md5 >

< %SYSTEMDRIVE%\viasraid.sys /s /md5 >

< %SYSTEMDRIVE%\AGP440.sys /s /md5 >
[2008/04/13 18:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 18:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\dllcache\agp440.sys
[2008/04/13 18:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< %SYSTEMDRIVE%\vaxscsi.sys /s /md5 >

========== Alternate Data Streams ==========

@Alternate Data Stream - 147 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >

-----------------------------

OTL Extras logfile created on: 11/11/2009 09:37:57 - Run 1
OTL by OldTimer - Version 3.1.5.0 Folder = C:\Documents and Settings\HP\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1023.45 Mb Total Physical Memory | 634.93 Mb Available Physical Memory | 62.04% Memory free
1.64 Gb Paging File | 1.36 Gb Available in Paging File | 82.64% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.96 Gb Total Space | 2.05 Gb Free Space | 10.81% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DANNY
Current User Name: HP
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger -- (America Online, Inc.)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG8\avgnsx.exe" = C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\Messenger\msmsgs.exe" = C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger -- (Microsoft Corporation)
"C:\Program Files\Electronic Arts\EADM\Core.exe" = C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager -- (Electronic Arts)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{03737893-5BEE-4C78-9C58-3AE7F172BBBE}" = Garmin Communicator Plugin
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1A5488D7-314D-4CBC-89BF-C5B59510BDBA}" = Finding Nemo
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 17
"{296B2D8E-CE82-92AF-B2E8-A646E7CB78A2}_is1" = RegAlyzer
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C59AF9D-4139-4D07-BCA2-3CDEFE8B28E3}" = Puppy Luv A New Breed
"{65F9E1F3-A2C1-4AA9-9F33-A3AEB0255F0E}" = Garmin USB Drivers
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6E612C00-92CD-11D4-9A6D-0000B455B172}" = Slam Tilt
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{abe7844e-4d49-4c7e-9d03-7329a6b9feac}.sdb" = Dorling Kindersley Application Database v1.4
"{AC76BA86-7AD7-1033-7B44-A70800000002}" = Adobe Reader 7.0.8
"{B406605B-45FE-4D8F-8250-1E77479583AE}" = Zoo Tycoon 2 - Marine Mania
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BCB8D603-985E-4765-B4AB-B4B991A535B7}" = Finding Nemo UWF
"{BE6890C7-31EF-478C-812E-1E2899ABFCA9}" = Broadcom NetXtreme Ethernet Controller
"{C05D8CDB-417D-4335-A38C-A0659EDFD6B8}" = The Sims™ 3
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}" = HP Product Detection
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D169152F-9CDD-4160-BF1D-2C8BFE550C54}_is1" = Genie Backup Manager Lite 6.0
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{E9459BCF-0982-498B-ABA7-26C34323493F}" = Citrix Presentation Server Client - Web Only
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"193bb64c00732e4d5ff2a48ccd900ee4" = Crystal Rain Forest V2
"49CF605F02C7954F4E139D18828DE298CD59217C" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
"99 Bottles" = 99 Bottles
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Advanced SystemCare 3_is1" = Advanced SystemCare 3
"Adventure Rock_is1" = Adventure Rock 1.0.1.96
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.4
"AOL Instant Messenger" = AOL Instant Messenger
"Arcade Master" = Arcade Master
"AVG8Uninstall" = AVG Free 8.5
"Balloon Kaboom" = Balloon Kaboom
"Balloon Kaboom Challenge" = Balloon Kaboom Challenge
"Blast Thru Special Edition" = Blast Thru Special Edition
"Cars - Radiator Springs Adventures" = Cars - Radiator Springs Adventures
"Colors of War Special Edition" = Colors of War Special Edition
"Dart Mania" = Dart Mania
"Drone" = Drone
"Drop" = Drop
"EADM" = EA Download Manager
"FileZilla Client" = FileZilla Client 3.2.4.1
"Foto Breakout" = Foto Breakout
"Funny Diet" = Funny Diet
"Gonzo Heads" = Gonzo Heads
"HijackThis" = HijackThis 2.0.2
"Human Body Explorer" = Human Body Explorer
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{1A5488D7-314D-4CBC-89BF-C5B59510BDBA}" = Finding Nemo
"InstallShield_{B406605B-45FE-4D8F-8250-1E77479583AE}" = Zoo Tycoon 2 - Marine Mania
"InstallShield_{BCB8D603-985E-4765-B4AB-B4B991A535B7}" = Finding Nemo: Nemo's Underwater World of Fun
"InstallShield_{BE6890C7-31EF-478C-812E-1E2899ABFCA9}" = Broadcom NetXtreme Ethernet Controller
"Jewel Jam Special Edition" = Jewel Jam Special Edition
"Leap And Croak" = Leap And Croak
"LEGO Stunt Rally" = LEGO Stunt Rally
"MarbleBlastGold" = MarbleBlast (remove only)
"Maze Cube" = Maze Cube
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mini Golf Special Edition" = Mini Golf Special Edition
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"MusicBox 2" = MusicBox 2
"NeroMultiInstaller!UninstallKey" = Nero Suite
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Node Jumper Special Edition" = Node Jumper Special Edition
"NoteTab Light_is1" = NoteTab Light (Remove only)
"NVIDIA Drivers" = NVIDIA Drivers
"Pingu and Friends" = Pingu and Friends
"QuickTime" = QuickTime
"Science Genius Virtual Laboratory_is1" = Science Genius Virtual Laboratory
"Snake Arena Special Edition" = Snake Arena Special Edition
"Space Battle 2001 Special Edition" = Space Battle 2001 Special Edition
"Sunken Treasure" = Sunken Treasure
"SystemRequirementsLab" = System Requirements Lab
"TescoDownloader" = Tesco Download Manager
"Tile Blazer Special Edition" = Tile Blazer Special Edition
"ViewpointMediaPlayer" = Viewpoint Media Player
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"World Explorer" = World Explorer
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XP Codec Pack" = XP Codec Pack
"Zoombinis Island Odyssey" = Zoombinis Island Odyssey
"Zoombinis Mountain Rescue™" = Zoombinis Mountain Rescue™

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 09/10/2009 12:44:51 | Computer Name = DANNY | Source = Application Error | ID = 1000
Description = Faulting application wx32.exe, version 2.0.20.0, faulting module wx32.exe,
version 2.0.20.0, fault address 0x00121d98.

Error - 09/10/2009 12:51:28 | Computer Name = DANNY | Source = Application Error | ID = 1000
Description = Faulting application wx32.exe, version 2.0.20.0, faulting module wx32.exe,
version 2.0.20.0, fault address 0x000be951.

Error - 09/10/2009 12:51:50 | Computer Name = DANNY | Source = Application Error | ID = 1000
Description = Faulting application wx32.exe, version 2.0.20.0, faulting module wx32.exe,
version 2.0.20.0, fault address 0x000be951.

Error - 09/10/2009 12:57:31 | Computer Name = DANNY | Source = Application Error | ID = 1000
Description = Faulting application wx32.exe, version 2.0.20.0, faulting module wx32.exe,
version 2.0.20.0, fault address 0x000be951.

Error - 09/10/2009 12:57:52 | Computer Name = DANNY | Source = Application Error | ID = 1000
Description = Faulting application wx32.exe, version 2.0.20.0, faulting module wx32.exe,
version 2.0.20.0, fault address 0x000be951.

Error - 09/10/2009 15:56:36 | Computer Name = DANNY | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module unknown, version 0.0.0.0, fault address 0x003a006c.

Error - 11/10/2009 14:45:22 | Computer Name = DANNY | Source = Application Error | ID = 1000
Description = Faulting application setup32.exe, version 3.0.0.0, faulting module
setup32.exe, version 3.0.0.0, fault address 0x000063c2.

Error - 24/10/2009 05:28:20 | Computer Name = DANNY | Source = Application Error | ID = 1000
Description = Faulting application gng.exe, version 0.0.0.0, faulting module gng.exe,
version 0.0.0.0, fault address 0x00008ead.

Error - 24/10/2009 05:29:35 | Computer Name = DANNY | Source = Application Error | ID = 1000
Description = Faulting application gng.exe, version 0.0.0.0, faulting module gng.exe,
version 0.0.0.0, fault address 0x00008ead.

Error - 25/10/2009 06:46:35 | Computer Name = DANNY | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

[ System Events ]
Error - 09/11/2009 09:56:00 | Computer Name = DANNY | Source = ipnathlp | ID = 30009
Description = The DHCP allocator encountered a network error while attempting to
reply on IP address 252.47.70.102 to a request from a client. The data is the error
code.

Error - 09/11/2009 19:27:10 | Computer Name = DANNY | Source = ipnathlp | ID = 32003
Description = The Network Address Translator (NAT) was unable to request an operation
of
the kernel-mode translation module. This may indicate misconfiguration, insufficient
resources, or an internal error. The data is the error code.

Error - 10/11/2009 03:36:42 | Computer Name = DANNY | Source = Service Control Manager | ID = 7023
Description = The Windows Firewall/Internet Connection Sharing (ICS) service terminated
with the following error: %%5

Error - 10/11/2009 05:35:28 | Computer Name = DANNY | Source = ipnathlp | ID = 32003
Description = The Network Address Translator (NAT) was unable to request an operation
of
the kernel-mode translation module. This may indicate misconfiguration, insufficient
resources, or an internal error. The data is the error code.

Error - 10/11/2009 12:17:02 | Computer Name = DANNY | Source = Print | ID = 19
Description = Sharing printer failed + 1722, Printer HP DeskJet 710C share name
Printer.

Error - 10/11/2009 12:22:00 | Computer Name = DANNY | Source = ipnathlp | ID = 30005
Description = The DHCP allocator has detected a DHCP server with IP address 192.168.0.22
on
the same network as the interface with IP address 192.168.0.1. The allocator has
disabled itself on the interface in order to avoid confusing DHCP clients.

Error - 10/11/2009 20:12:18 | Computer Name = DANNY | Source = ipnathlp | ID = 32003
Description = The Network Address Translator (NAT) was unable to request an operation
of
the kernel-mode translation module. This may indicate misconfiguration, insufficient
resources, or an internal error. The data is the error code.

Error - 11/11/2009 02:56:45 | Computer Name = DANNY | Source = ipnathlp | ID = 30005
Description = The DHCP allocator has detected a DHCP server with IP address 192.168.0.22
on
the same network as the interface with IP address 192.168.0.1. The allocator has
disabled itself on the interface in order to avoid confusing DHCP clients.

Error - 11/11/2009 02:56:45 | Computer Name = DANNY | Source = ipnathlp | ID = 30009
Description = The DHCP allocator encountered a network error while attempting to
reply on IP address 252.47.70.102 to a request from a client. The data is the error
code.

Error - 11/11/2009 05:15:03 | Computer Name = DANNY | Source = ipnathlp | ID = 32003
Description = The Network Address Translator (NAT) was unable to request an operation
of
the kernel-mode translation module. This may indicate misconfiguration, insufficient
resources, or an internal error. The data is the error code.


< End of report >

-----------------------------

GMER 1.0.15.15220 - http://www.gmer.net
Rootkit scan 2009-11-11 10:02:25
Windows 5.1.2600 Service Pack 3
Running: izbfktbb.exe; Driver: C:\DOCUME~1\HP\LOCALS~1\Temp\fgtdapow.sys


---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\spoolsv.exe[184] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D7C
.text C:\WINDOWS\system32\spoolsv.exe[184] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BEC
.text C:\WINDOWS\system32\spoolsv.exe[184] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DEC
.text C:\WINDOWS\system32\spoolsv.exe[184] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA0
.text C:\WINDOWS\system32\spoolsv.exe[184] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003214
.text C:\WINDOWS\system32\spoolsv.exe[184] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E4
.text C:\WINDOWS\system32\spoolsv.exe[184] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002778
.text C:\WINDOWS\system32\spoolsv.exe[184] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A4C
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[364] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D7C
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[364] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BEC
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[364] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DEC
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[364] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA0
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[364] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003214
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[364] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E4
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[364] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10002778
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[364] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A4C
.text C:\WINDOWS\system32\svchost.exe[756] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D7C
.text C:\WINDOWS\system32\svchost.exe[756] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BEC
.text C:\WINDOWS\system32\svchost.exe[756] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DEC
.text C:\WINDOWS\system32\svchost.exe[756] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA0
.text C:\WINDOWS\system32\svchost.exe[756] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003214
.text C:\WINDOWS\system32\svchost.exe[756] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E4
.text C:\WINDOWS\system32\svchost.exe[756] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002778
.text C:\WINDOWS\system32\svchost.exe[756] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A4C
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[792] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D7C
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[792] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BEC
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[792] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DEC
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[792] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA0
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[792] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003214
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[792] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E4
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[792] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002778
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[792] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A4C
.text C:\WINDOWS\system32\winlogon.exe[828] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D7C
.text C:\WINDOWS\system32\winlogon.exe[828] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BEC
.text C:\WINDOWS\system32\winlogon.exe[828] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DEC
.text C:\WINDOWS\system32\winlogon.exe[828] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA0
.text C:\WINDOWS\system32\winlogon.exe[828] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003214
.text C:\WINDOWS\system32\winlogon.exe[828] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E4
.text C:\WINDOWS\system32\winlogon.exe[828] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10002778
.text C:\WINDOWS\system32\winlogon.exe[828] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A4C
.text C:\WINDOWS\system32\services.exe[880] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D7C
.text C:\WINDOWS\system32\services.exe[880] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BEC
.text C:\WINDOWS\system32\services.exe[880] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DEC
.text C:\WINDOWS\system32\services.exe[880] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA0
.text C:\WINDOWS\system32\services.exe[880] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003214
.text C:\WINDOWS\system32\services.exe[880] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E4
.text C:\WINDOWS\system32\services.exe[880] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002778
.text C:\WINDOWS\system32\services.exe[880] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A4C
.text C:\WINDOWS\system32\lsass.exe[892] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D7C
.text C:\WINDOWS\system32\lsass.exe[892] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BEC
.text C:\WINDOWS\system32\lsass.exe[892] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DEC
.text C:\WINDOWS\system32\lsass.exe[892] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA0
.text C:\WINDOWS\system32\lsass.exe[892] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003214
.text C:\WINDOWS\system32\lsass.exe[892] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E4
.text C:\WINDOWS\system32\lsass.exe[892] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10002778
.text C:\WINDOWS\system32\lsass.exe[892] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A4C
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[936] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D7C
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[936] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BEC
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[936] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DEC
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[936] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA0
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[936] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003214
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[936] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E4
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[936] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002778
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[936] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A4C
.text C:\Program Files\Java\jre6\bin\jqs.exe[980] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D7C
.text C:\Program Files\Java\jre6\bin\jqs.exe[980] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BEC
.text C:\Program Files\Java\jre6\bin\jqs.exe[980] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DEC
.text C:\Program Files\Java\jre6\bin\jqs.exe[980] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA0
.text C:\Program Files\Java\jre6\bin\jqs.exe[980] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003214
.text C:\Program Files\Java\jre6\bin\jqs.exe[980] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E4
.text C:\Program Files\Java\jre6\bin\jqs.exe[980] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10002778
.text C:\Program Files\Java\jre6\bin\jqs.exe[980] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A4C
.text C:\WINDOWS\system32\nvsvc32.exe[1072] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D7C
.text C:\WINDOWS\system32\nvsvc32.exe[1072] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BEC
.text C:\WINDOWS\system32\nvsvc32.exe[1072] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DEC
.text C:\WINDOWS\system32\nvsvc32.exe[1072] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA0
.text C:\WINDOWS\system32\nvsvc32.exe[1072] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003214
.text C:\WINDOWS\system32\nvsvc32.exe[1072] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E4
.text C:\WINDOWS\system32\nvsvc32.exe[1072] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002778
.text C:\WINDOWS\system32\nvsvc32.exe[1072] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A4C
.text C:\WINDOWS\system32\svchost.exe[1112] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D7C
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BEC
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DEC
.text C:\WINDOWS\system32\svchost.exe[1112] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA0
.text C:\WINDOWS\system32\svchost.exe[1112] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003214
.text C:\WINDOWS\system32\svchost.exe[1112] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E4
.text C:\WINDOWS\system32\svchost.exe[1112] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002778
.text C:\WINDOWS\system32\svchost.exe[1112] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A4C
.text C:\WINDOWS\System32\svchost.exe[1420] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D7C
.text C:\WINDOWS\System32\svchost.exe[1420] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BEC
.text C:\WINDOWS\System32\svchost.exe[1420] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DEC
.text C:\WINDOWS\System32\svchost.exe[1420] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA0
.text C:\WINDOWS\System32\svchost.exe[1420] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003214
.text C:\WINDOWS\System32\svchost.exe[1420] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E4
.text C:\WINDOWS\System32\svchost.exe[1420] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002778
.text C:\WINDOWS\System32\svchost.exe[1420] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A4C
.text C:\WINDOWS\system32\svchost.exe[1680] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D7C
.text C:\WINDOWS\system32\svchost.exe[1680] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BEC
.text C:\WINDOWS\system32\svchost.exe[1680] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DEC
.text C:\WINDOWS\system32\svchost.exe[1680] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA0
.text C:\WINDOWS\system32\svchost.exe[1680] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003214
.text C:\WINDOWS\system32\svchost.exe[1680] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E4
.text C:\WINDOWS\system32\svchost.exe[1680] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002778
.text C:\WINDOWS\system32\svchost.exe[1680] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A4C
.text C:\WINDOWS\System32\alg.exe[1868] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D7C
.text C:\WINDOWS\System32\alg.exe[1868] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BEC
.text C:\WINDOWS\System32\alg.exe[1868] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DEC
.text C:\WINDOWS\System32\alg.exe[1868] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA0
.text C:\WINDOWS\System32\alg.exe[1868] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003214
.text C:\WINDOWS\System32\alg.exe[1868] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E4
.text C:\WINDOWS\System32\alg.exe[1868] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10002778
.text C:\WINDOWS\System32\alg.exe[1868] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A4C
.text C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe[2304] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D7C
.text C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe[2304] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BEC
.text C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe[2304] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DEC
.text C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe[2304] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA0
.text C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe[2304] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003214
.text C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe[2304] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E4
.text C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe[2304] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002778
.text C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe[2304] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A4C
.text C:\Program Files\WinZip\WZQKPICK.EXE[2496] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D7C
.text C:\Program Files\WinZip\WZQKPICK.EXE[2496] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BEC
.text C:\Program Files\WinZip\WZQKPICK.EXE[2496] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DEC
.text C:\Program Files\WinZip\WZQKPICK.EXE[2496] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA0
.text C:\Program Files\WinZip\WZQKPICK.EXE[2496] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003214
.text C:\Program Files\WinZip\WZQKPICK.EXE[2496] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E4
.text C:\Program Files\WinZip\WZQKPICK.EXE[2496] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002778
.text C:\Program Files\WinZip\WZQKPICK.EXE[2496] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A4C
.text C:\WINDOWS\system32\wscntfy.exe[3612] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D7C
.text C:\WINDOWS\system32\wscntfy.exe[3612] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BEC
.text C:\WINDOWS\system32\wscntfy.exe[3612] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DEC
.text C:\WINDOWS\system32\wscntfy.exe[3612] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA0
.text C:\WINDOWS\system32\wscntfy.exe[3612] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003214
.text C:\WINDOWS\system32\wscntfy.exe[3612] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E4
.text C:\WINDOWS\system32\wscntfy.exe[3612] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002778
.text C:\WINDOWS\system32\wscntfy.exe[3612] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A4C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----

-----------------------------
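The GMER "User code sections" above list the same 5-byte JMP hooks (NtOpenKey, CreateProcessW, ExitProcess and the Winsock send/receive exports) in every user-mode process, all landing in the 0x1000xxxx range. The following is an added Python example, not GMER's or the thread's code, that parses lines in that format and reports which hooks are common to every process and the address range they jump into; the sample lines are copied from the log above plus one constructed non-hook line.

```python
"""Summarise the inline API hooks GMER lists under "User code sections".

Line shape: .text <process path>[<pid>] <module>!<export> <addr> <n> Bytes JMP <target>
When the same exports in many unrelated processes all jump into one small
address range, a single module has been injected into all of them.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

HOOK_RE = re.compile(
    r"^\.text\s+(?P<path>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<export>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)"
)

HookKey = Tuple[str, str, int]  # (module, export, jmp target)


class Hook(NamedTuple):
    process: str   # image file name only, e.g. "winlogon.exe"
    pid: int
    module: str    # lower-cased so WS2_32.dll and ws2_32.dll compare equal
    export: str
    address: int   # address of the hooked export
    nbytes: int    # bytes overwritten; 5 is a rel32 JMP
    target: int    # where the JMP lands


def parse_gmer_user_hooks(text: str) -> List[Hook]:
    """Return one Hook per matching line; unrelated lines are skipped."""
    hooks: List[Hook] = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        image = m.group("path").rsplit("\\", 1)[-1]
        hooks.append(Hook(
            process=image.lower(),
            pid=int(m.group("pid")),
            module=m.group("module").lower(),
            export=m.group("export"),
            address=int(m.group("addr"), 16),
            nbytes=int(m.group("nbytes")),
            target=int(m.group("target"), 16),
        ))
    return hooks


def hooks_by_process(hooks: List[Hook]) -> Dict[Tuple[str, int], Set[HookKey]]:
    """Map (process, pid) to the set of hooks GMER found inside it."""
    out: Dict[Tuple[str, int], Set[HookKey]] = defaultdict(set)
    for h in hooks:
        out[(h.process, h.pid)].add((h.module, h.export, h.target))
    return dict(out)


def hooks_common_to_all(hooks: List[Hook]) -> Set[HookKey]:
    """Hooks present in every hooked process: the injected module's hook set."""
    per_proc = list(hooks_by_process(hooks).values())
    return set.intersection(*per_proc) if per_proc else set()


def infer_injected_module_base(hooks: List[Hook], window: int = 0x10000) -> Optional[int]:
    """If every JMP target lies in one window-aligned range, return its base.

    Hooks placed by different legitimate products land in different modules;
    one base shared by every target in every process points at one injected
    image (0x10000000 is the default link-time base of a non-system DLL).
    """
    bases = {h.target & ~(window - 1) for h in hooks}
    return bases.pop() if len(bases) == 1 else None


def report(text: str) -> Dict[str, object]:
    """Triage summary: which processes are hooked, with what, from where."""
    hooks = parse_gmer_user_hooks(text)
    return {
        "hooked_processes": sorted({h.process for h in hooks}),
        "common_hooks": sorted(hooks_common_to_all(hooks)),
        "injected_base": infer_injected_module_base(hooks),
    }


# Constructed sample: six lines copied from the GMER log in this thread plus
# one non-hook line to show that the parser skips it.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\spoolsv.exe[184] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D7C
.text C:\WINDOWS\system32\spoolsv.exe[184] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BEC
.text C:\WINDOWS\system32\winlogon.exe[828] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D7C
.text C:\WINDOWS\system32\winlogon.exe[828] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BEC
.text C:\WINDOWS\system32\winlogon.exe[828] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA0
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[364] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BEC
---- Devices - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against the full log above, the common set is all eight exports in every listed process and the inferred base is 0x10000000, which is what the helper would look for next in a module listing.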

#4 kahdah


  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 11 November 2009 - 05:26 AM

Hmm, nothing shows in those logs.
I would uninstall anything these guys make:
IObit

They have been caught stealing Malwarebytes' malware definitions and using them in their own software.

After that please do the following.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#5 Kenickie

  • Topic Starter

  • Members
  • 33 posts

Posted 11 November 2009 - 02:40 PM

OK then, IOBit stuff has been removed, and I've run ComboFix. The log follows.

I've also got a bit more information on the "can't find file" error message I get on boot up sometimes. I tried installing a re-named Malwarebytes to a non-default folder (another failed attempt to get it to run!) - C:\xxxx. Unsurprisingly it didn't run so I uninstalled it again. Next time I booted I got the message "Cannot find file c:\xxxx\mbabgui.exe". So clearly something in there is detecting when I install Malwarebytes and a startup process tries to attack it next time I boot. I've just been uninstalling Malwarebytes every time after it's failed to run though, hence the error message saying it can't find it.

Anyway, that's possibly beside the point! The ComboFix log is next. Thanks for your efforts so far.

------------------------------------------------

ComboFix 09-11-11.02 - HP 11/11/2009 19:21.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.639 [GMT 0:00]
Running from: c:\documents and settings\HP\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-10-11 to 2009-11-11 )))))))))))))))))))))))))))))))
.

2009-11-11 09:50 . 2009-11-11 09:50 291840 ----a-w- C:\izbfktbb.exe
2009-11-07 19:47 . 2009-11-07 19:47 -------- d-----w- c:\documents and settings\HP\Local Settings\Application Data\Threat Expert
2009-11-07 19:39 . 2009-11-07 19:52 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-07 17:15 . 2009-11-07 17:15 -------- d-----w- c:\documents and settings\HP\Application Data\IObit
2009-11-06 10:13 . 2009-11-06 10:13 152576 ----a-w- c:\documents and settings\HP\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-05 15:39 . 2009-11-05 15:39 -------- d-----w- c:\documents and settings\HP\Local Settings\Application Data\Help
2009-11-05 15:37 . 2009-11-05 15:37 2 --shatr- c:\windows\winstart.bat
2009-11-04 23:02 . 2009-11-04 23:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-04 23:02 . 2009-11-04 23:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-04 21:07 . 2009-11-04 21:07 -------- d-----w- c:\documents and settings\HP\Application Data\Malwarebytes
2009-11-04 21:07 . 2009-11-04 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-04 16:42 . 2009-11-04 16:42 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-03 09:01 . 2009-10-07 07:00 3510552 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-11-01 10:47 . 2009-10-28 10:47 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-25 10:45 . 2009-11-04 23:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-21 18:20 . 2009-10-21 21:17 -------- d-----w- c:\documents and settings\HP\Application Data\Download Manager
2009-10-21 18:16 . 2009-10-21 18:16 -------- d-----w- c:\documents and settings\HP\Application Data\GARMIN
2009-10-21 18:16 . 2009-10-21 18:16 -------- d-----w- c:\program files\Garmin GPS Plugin
2009-10-21 18:16 . 2009-11-04 23:32 -------- dc----w- c:\windows\system32\DRVSTORE
2009-10-21 18:16 . 2009-10-21 18:16 -------- d-----w- c:\program files\DIFX
2009-10-21 18:16 . 2009-10-21 18:16 -------- d-----w- c:\program files\Garmin
2009-10-21 07:13 . 2009-10-07 07:00 2064152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-10-17 07:49 . 2009-10-17 07:48 2025752 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-08 19:42 . 2008-11-01 09:06 -------- d-----w- c:\program files\Puppy Luv A New Breed
2009-11-07 17:15 . 2008-08-01 08:40 -------- d-----w- c:\program files\IObit
2009-11-06 10:14 . 2008-08-01 08:46 -------- d-----w- c:\program files\Java
2009-10-11 04:17 . 2008-12-22 08:10 411368 -c--a-w- c:\windows\system32\deploytk.dll
2009-10-09 16:52 . 2008-09-20 18:25 -------- d-----w- c:\program files\DKXP
2009-10-07 07:00 . 2009-10-08 14:53 1142552 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-10-02 06:26 . 2008-09-06 11:20 -------- d-----w- c:\program files\eGames
2009-09-23 06:44 . 2009-09-23 06:44 -------- d-----w- c:\program files\LEGO Media
2009-09-23 06:44 . 2009-09-23 06:44 4608 ----a-w- c:\windows\system32\w95inf32.dll
2009-09-23 06:44 . 2009-09-23 06:44 2272 ----a-w- c:\windows\system32\w95inf16.dll
2009-09-21 19:25 . 2008-09-15 20:38 -------- d-----w- c:\documents and settings\HP\Application Data\FileZilla
2009-09-11 14:18 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 14:46 . 2008-09-06 11:01 19832 -c--a-w- c:\documents and settings\HP\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-29 08:08 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-28 16:37 . 2009-05-07 19:28 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-28 16:37 . 2009-05-07 19:28 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-28 16:37 . 2009-05-07 19:28 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-26 08:00 . 2004-08-04 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-16 12:06 . 2009-08-16 12:06 10134 ----a-r- c:\documents and settings\HP\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-08-14 13:21 . 2004-08-04 12:00 1850624 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-09-02 11:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-21 68856]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-31 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2002-05-28 69632]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-03 2028312]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-30 13750272]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-04-30 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-9-17 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 16:37 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [07/05/2009 19:28 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [07/05/2009 19:28 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [07/05/2009 19:27 297752]
R3 AEILAB;AEI USB To Fast Ethernet Adapter;c:\windows\system32\drivers\AEILAB.SYS [10/10/2008 14:13 24299]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-11 c:\windows\Tasks\User_Feed_Synchronization-{3C2A9A05-3E89-4C90-AE87-3454265031E6}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{472734EA-242A-422B-ADF8-83D1E48CC825} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-11 19:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(828)
c:\windows\system32\wininet.dll

- - - - - - - > 'explorer.exe'(1336)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-11 19:30
ComboFix-quarantined-files.txt 2009-11-11 19:30

Pre-Run: 2,212,225,024 bytes free
Post-Run: 2,527,444,992 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - E4BB5A6A6EE707EB42AB8ABF030230E0

#6 kahdah (Security Colleague, 11,138 posts, Florida)

Posted 12 November 2009 - 06:46 AM

Yes, you are infected if mbam cannot run.
Nothing is showing in your logs at the moment.

* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Check the next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#7 Kenickie (Topic Starter, Members, 33 posts)

Posted 12 November 2009 - 05:16 PM

Unfortunately that site won't let me in. I get the following error:

Method Not Implemented
IET to /online-scanner not supported.

I've tried the link on another computer and it works fine, so I'm assuming this is the virus protecting itself, as other websites work fine. The infection does occasionally hijack my Google searches and sends me to fake anti-malware sites as well though.

Is there any way round the ESET link problem?

IMPORTANT EDIT

The infection has just escalated from being an annoyance to being a crisis. The virus just hijacked a Google search and took me to a fake anti-virus site that did the normal thing of "scanning" the computer and telling me it was rife with infections (which ironically enough it probably is). Anyway, I just closed it down, but it had already downloaded 2 files to my desktop. I hadn't given permission for this, so clearly there's a backdoor open somewhere. One was an application simply called "a", whilst the other was an additional Internet Explorer shortcut. I started to delete them both, but before I did I got a pop-up message that said "Windows has to close now because the DCOM Server Process Launcher Service terminated unexpectedly", and the computer gave me a 60-second countdown to shutting down.

After rebooting I got a pop-up box with the message "Generic Host Process for Win32 Services has encountered a problem and needs to close". I OKed this and deleted the files but then I got the same shutdown message and the computer closed down.

This happens every time I log on with a network connection. I've tried Safe Mode with Networking, Last Known Good Configuration, and Disable Automatic Restart on System Failure, but nothing helps. The system stays up if I boot without an internet connection so I can use it as a standalone, but if I try to boot up with an internet connection it shuts down every time.

I've had a look in msconfig but I can't see any more suspicious startup processes. That aside, I've no idea what else to do!!

Edited by Kenickie, 12 November 2009 - 06:58 PM.


#8 kahdah (Security Colleague, 11,138 posts, Florida)

Posted 13 November 2009 - 08:25 AM

Hmm, very strange.

From a different computer please download the following and then transfer it to your infected computer, preferably via a CD:
Download Dr.Web CureIt to the desktop.
  • Double-click the drweb-cureit.exe file, then click Start and allow the express scan to run.
  • This will scan the files currently running in memory and, when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, choose the Complete Scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look and see if you can click the icon next to the files found.
  • If so, click it and then click the next icon right below it and select Move incurable.
  • This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer to allow files that were in use to be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a new OTL log.
NOTE: During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in the upper right corner.

#9 Kenickie (Topic Starter, Members, 33 posts)

Posted 13 November 2009 - 11:03 AM

It's not getting any less strange I'm afraid. I did as you said with Dr.Web CureIt, but I couldn't run a Complete Scan. It starts up to the green screen with 2 options, "Start" and "Update". So I clicked "Start" and it performed the Express Scan of critical components, which came back clean. There's a dialogue box asking if I want to see the FAQ page, which I can't do anyway as I'm not connected to the net. So I clicked "Cancel" and I'm left with the green title screen now with just 1 option "Full Version Free Trial" - no "Complete Scan" option or anything.

I guess this is the infection attacking anything that might remove it again. Sorry!!

Oh, and it deleted my SoundMAX speaker drivers this morning too. The whole thing went, so the PC had no record of having speakers any more, and the SoundMAX icon went from the Control Panel. When I booted up it told me that it had found new hardware (ie the speakers). I've managed to reinstall and it's working OK now, but I thought I'd let you know in case it was relevant!

One more thing... at the moment 3 processes are continually running with high CPU usage. Two are AVG-related - avgcsrvx and avgrsx - and the other is csrss.

EDIT

OK, I've just run Dr Web on my clean computer and seen what it's meant to be doing. Clearly the infection on the infected PC is simply stopping the scan from running, killing the scan window completely and just reporting back a clean system when it isn't. Having seen the real thing, the infection is definitely stopping the scan on the infected PC; it's not doing anything except bringing up a "system clean" message.

Edited by Kenickie, 13 November 2009 - 12:30 PM.


#10 kahdah (Security Colleague, 11,138 posts, Florida)

Posted 14 November 2009 - 06:06 AM

OK, we will try this method then.
From a clean computer burn this Dr Web image to a CD.
The image can be found here; save it to your non-infected desktop.
Documentation on how to use the live CD can be found here.
A tutorial on how to burn an image to disk can be found here:
http://www.geekstogo.com/forum/HOW-TO-BURN...SC-t177373.html
=========================
Put the disk in and let it boot from it.
Once loaded, click on the green orb at the top to update the definitions.
Then click on the Play button icon; it will look like an arrow (>).
Let it scan your main drive; once it is done it will show any files that are infected.
Hit the select all button and then choose cure; if it cannot be cured then choose delete.

Reboot the system and then come back here and let me know how it goes.

#11 Kenickie (Topic Starter, Members, 33 posts)

Posted 16 November 2009 - 08:03 AM

I hope your hard drive is OK now - I'm assuming that if you're reading this then it is! :(

The good news is that the approach with the Dr Web boot disk has helped a lot, and I think we've made some real progress. It detected and removed the following files:

C:\System Volume Information\_restore{89200666-F8AA-442F-B648-C73B026D1C3\RP492\A0057164.exe (Trojan.Redirect.11)

C:\System Volume Information\_restore{89200666-F8AA-442F-B648-C73B026D1C3\RP499\A0062439.exe (Trojan.AuxSpy.56)

C:\System Volume Information\_restore{89200666-F8AA-442F-B648-C73B026D1C3\RP504\A0064023.exe (Trojan.PWS.Panda.114)

C:\Windows\miqb.tmp (Trojan.Packed.194)

C:\Windows\system 32\sdra64.exe (Trojan.PWS.Panda.114)

Obviously this is good news, although the virus scanner didn't run perfectly. When I tried to update the virus definitions a box appeared that said "Please Wait..." and had a Stop option, but as far as I can tell nothing updated and in fact the box just disappeared if I moved the mouse. This is exactly what happened if I tried to update the definitions without an internet connection, so I'm sure it didn't update anything. In addition, the scan hung when it got to a couple of exe files, one of which was AdAwareInstaller.exe, and one of which was in the System Restore backups. I deleted both of these by hand and the scan then ran right through.

After removing the infected files I booted up normally and found that the Dr Web virus scanner that failed before now worked, and a full system scan reported a clean system. My AVG also updates now, and certain applications that didn't run before are now fine.

So the system appears to be clean now, although I'm very much aware of viruses that reinstall themselves when they appear to have been removed. Do I need to take any other steps to try to prevent this happening, or is it just a matter of waiting and seeing if anything happens over the next few days?

Thanks for the help though - even if we're not home and dry yet, everything's looking much better than it was! :(

#12 kahdah (Security Colleague, 11,138 posts, Florida)

Posted 16 November 2009 - 10:11 PM

Great, finally getting somewhere, and yeah, I was able to replace my drive thankfully. :(

Can you get mbam to run now as well?
If so, please update it, run a quick scan, remove what it finds and then post the log please.

#13 Kenickie (Topic Starter, Members, 33 posts)

Posted 17 November 2009 - 07:49 AM

Yup, mbam is also now working. I actually ran a full scan rather than a quick scan - I hope that's OK - and it found another 12 infected items that needed repairing: some files and some stuff in the registry. The log is attached.

As you can see from the log I removed the infections and the PC is continuing to at least appear to run OK at the moment. :(

-----------------------------------------

Malwarebytes' Anti-Malware 1.41
Database version: 3181
Windows 5.1.2600 Service Pack 3

16/11/2009 21:27:44
mbam-log-2009-11-16 (21-27-44).txt

Scan type: Full Scan (C:\|)
Objects scanned: 170854
Time elapsed: 47 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.data) -> Quarantined and deleted successfully.
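The Hijack.Userinit line in the log above records the persistence trick that kept the infection coming back: a second program appended to the Winlogon Userinit list so it runs at every logon. The following is an added example, not code from the thread or from Malwarebytes: it splits a Userinit value, reports every entry other than the legitimate userinit.exe, and pulls the Bad/Good pair out of an MBAM log line. The sample values are constructed from the log line above; the live registry read is an extra that only works on Windows.

```python
import re
from typing import List, Optional, Tuple

# Sample values constructed from the Hijack.Userinit line in the MBAM log above.
SAMPLE_BAD = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"
SAMPLE_GOOD = r"C:\WINDOWS\system32\userinit.exe,"
MBAM_SAMPLE_LINE = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit "
    r"(Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) "
    r"Good: (Userinit.exe) -> Quarantined and deleted successfully."
)


def split_userinit(value: str) -> List[str]:
    """Split the comma-separated Userinit list.

    The legitimate value ends with a trailing comma, which produces an empty
    item; empty items and surrounding quotes are dropped here.
    """
    return [item.strip().strip('"') for item in value.split(",") if item.strip()]


def audit_userinit(value: str, system_root: str = r"C:\WINDOWS") -> List[str]:
    """Return every Userinit entry that is not the legitimate userinit.exe.

    Accepted (case-insensitive): the full path to userinit.exe in the system32
    folder under the given system root, or the bare name userinit.exe. Anything
    else is reported, including a userinit.exe living in some other directory.
    """
    expected_full = (system_root + r"\system32\userinit.exe").lower()
    suspicious = []
    for entry in split_userinit(value):
        if entry.lower() in (expected_full, "userinit.exe"):
            continue
        suspicious.append(entry)
    return suspicious


# Matches the Bad/Good pair MBAM prints for a Hijack.Userinit detection.
_MBAM_RE = re.compile(
    r"\(Hijack\.Userinit\) -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)"
)


def parse_mbam_userinit_line(line: str) -> Optional[Tuple[str, str]]:
    """Extract (bad, good) from an MBAM 'Registry Data Items Infected' line, or None."""
    match = _MBAM_RE.search(line)
    if match is None:
        return None
    return match.group("bad"), match.group("good")


def read_live_userinit() -> Optional[str]:
    """Read the live Userinit value on Windows; returns None on other platforms."""
    try:
        import winreg  # standard library, Windows only
    except ImportError:
        return None
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    try:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    finally:
        winreg.CloseKey(key)
    return str(value)


if __name__ == "__main__":
    live = read_live_userinit()
    # Fall back to the constructed sample when not running on Windows.
    target = live if live is not None else SAMPLE_BAD
    extra = audit_userinit(target)
    print("Userinit =", target)
    print("unexpected entries:", extra or "none")
```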

#14 kahdah (Security Colleague, 11,138 posts, Florida)

Posted 17 November 2009 - 08:46 AM

Looks good, let's try one more scanner to double-check.

* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Check the next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic


#15 Kenickie (Topic Starter, Members, 33 posts)

Posted 18 November 2009 - 12:45 PM

Hmmm, it found another couple of infections. I'm not sure if that's a good thing or not! Obviously if I had them it's good to be rid of them, but every scanner seems to find more problems!!

The log follows.

---------------------------------

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=32d62fed1663234985e7e5b7c3171fe4
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-11-17 10:15:01
# local_time=2009-11-17 10:15:01 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 16766553 16766553 0 0
# compatibility_mode=1024 16777175 100 0 7998 7998 0 0
# compatibility_mode=8192 67108863 100 0 3717 3717 0 0
# scanned=73585
# found=2
# cleaned=2
# scan_time=2704
C:\Documents and Settings\HP\Local Settings\temp\Acr6ECD.tmp PDF/Exploit.Pidief.NIM.Gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\HP\Local Settings\Temporary Internet Files\Content.IE5\L10FHSL4\ajlrt[1].pdf PDF/Exploit.Pidief.NIM.Gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C



