MBR rootkit, stubborn malware - told to post here by admin


22 replies to this topic

#1 chaka


Posted 25 November 2009 - 04:35 PM

This is the thread where I started:

http://www.bleepingcomputer.com/forums/t/273562/malwarepacker-constant-crashes-and-other-mysterious-symptoms/

Problems aren't going away. See my attached DDS and RootRepeal logs. Thank you!

#2 Buckeye_Sam

Malware Expert

Posted 25 November 2009 - 08:11 PM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    %SYSTEMDRIVE%\eventlog.dll /s /md5
    %SYSTEMDRIVE%\scecli.dll /s /md5
    %SYSTEMDRIVE%\netlogon.dll /s /md5
    %SYSTEMDRIVE%\cngaudit.dll /s /md5
    %SYSTEMDRIVE%\sceclt.dll /s /md5
    %SYSTEMDRIVE%\ntelogon.dll /s /md5
    %SYSTEMDRIVE%\logevent.dll /s /md5
    %SYSTEMDRIVE%\iaStor.sys /s /md5
    %SYSTEMDRIVE%\nvstor.sys /s /md5
    %SYSTEMDRIVE%\atapi.sys /s /md5
    %SYSTEMDRIVE%\IdeChnDr.sys /s /md5
    %SYSTEMDRIVE%\viasraid.sys /s /md5
    %SYSTEMDRIVE%\AGP440.sys /s /md5
    %SYSTEMDRIVE%\vaxscsi.sys /s /md5
    %SYSTEMDRIVE%\nvatabus.sys /s /md5
    %SYSTEMDRIVE%\viamraid.sys /s /md5
    %SYSTEMDRIVE%\nvata.sys /s /md5
    CREATERESTOREPOINT



  • Click the "Run Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!



#3 chaka


Posted 25 November 2009 - 09:40 PM

Hi Sam. Thanks so much for jumping in to help!

The logs from the OTL scan are attached.


OTL logfile created on: 11/25/2009 5:34:45 PM - Run 1
OTL by OldTimer - Version 3.1.10.1 Folder = G:\Documents and Settings\Charles Townsend\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): G:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = G: | %SystemRoot% = G:\WINDOWS | %ProgramFiles% = G:\Program Files
C: Drive not present or media not loaded
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 127.99 Gb Total Space | 76.83 Gb Free Space | 60.02% Space Free | Partition Type: NTFS
Drive H: | 170.10 Gb Total Space | 65.30 Gb Free Space | 38.39% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded

Computer Name: CHARLES-ASUS
Current User Name: Charles Townsend
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/11/25 17:33:57 | 00,531,456 | ---- | M] (OldTimer Tools) -- G:\Documents and Settings\Charles Townsend\Desktop\OTL.exe
PRC - [2009/11/25 10:37:43 | 02,029,336 | ---- | M] (AVG Technologies CZ, s.r.o.) -- G:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2009/11/23 08:43:26 | 02,001,648 | ---- | M] (SUPERAntiSpyware.com) -- G:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2009/11/02 19:23:08 | 00,908,248 | ---- | M] (Mozilla Corporation) -- G:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/08/17 08:43:11 | 00,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- G:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/08/17 08:43:05 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- G:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2009/06/20 12:03:47 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- G:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/01/13 20:34:00 | 00,598,016 | ---- | M] (ATI Technologies Inc.) -- G:\WINDOWS\system32\ati2evxx.exe
PRC - [2009/01/13 20:34:00 | 00,598,016 | ---- | M] (ATI Technologies Inc.) -- G:\WINDOWS\system32\ati2evxx.exe
PRC - [2008/04/13 16:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- G:\WINDOWS\explorer.exe
PRC - [2008/01/11 12:54:44 | 00,090,112 | ---- | M] (brother) -- G:\Program Files\Brownie\brpjp04a.exe
PRC - [2008/01/08 09:28:02 | 00,864,256 | ---- | M] (brother) -- G:\Program Files\Brownie\BrStsWnd.exe
PRC - [2007/08/09 23:21:56 | 16,384,000 | R--- | M] (Realtek Semiconductor Corp.) -- G:\WINDOWS\RTHDCPL.exe
PRC - [2005/10/18 09:00:24 | 00,091,136 | ---- | M] (M-Audio, an Avid Technology, Inc. company) -- G:\WINDOWS\system32\M-AudioTaskBarIcon.exe
PRC - [2005/06/15 14:14:42 | 00,045,056 | ---- | M] (Nemesis) -- G:\Program Files\M-Audio\Ozone\Install\ozinst.exe


========== Modules (SafeList) ==========

MOD - [2009/11/25 17:33:57 | 00,531,456 | ---- | M] (OldTimer Tools) -- G:\Documents and Settings\Charles Townsend\Desktop\OTL.exe
MOD - [2009/08/17 08:43:11 | 00,011,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- G:\WINDOWS\system32\avgrsstx.dll
MOD - [2008/04/13 16:12:51 | 01,054,208 | ---- | M] (Microsoft Corporation) -- G:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
MOD - [2006/05/03 21:53:54 | 00,174,592 | ---- | M] (Microsoft Corporation) -- G:\WINDOWS\system32\framedyn.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/08/17 08:43:05 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- G:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2009/06/20 12:03:47 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- G:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/01/13 20:34:00 | 00,598,016 | ---- | M] (ATI Technologies Inc.) -- G:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2009/01/13 20:05:00 | 00,593,920 | ---- | M] () -- G:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart)
SRV - [2008/07/29 20:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- G:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0)
SRV - [2008/07/29 18:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- G:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc)
SRV - [2008/07/29 18:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- G:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2008/07/28 09:12:14 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) -- G:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/07/25 10:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- G:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/07/25 10:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- G:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state)
SRV - [2008/07/18 02:21:17 | 00,295,424 | ---- | M] (Microsoft Corporation) -- G:\WINDOWS\system32\termsrv32.dll -- (TermService)
SRV - [2008/04/13 16:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- G:\WINDOWS\PCHEALTH\HELPCTR\Binaries\pchsvc.dll -- (helpsvc)
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- G:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc)
SRV - [2005/06/15 14:14:42 | 00,045,056 | ---- | M] (Nemesis) -- G:\Program Files\M-Audio\Ozone\Install\ozinst.exe -- (OzoneInstallerService)


========== Driver Services (SafeList) ==========

DRV - [2009/11/23 08:43:30 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- G:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/11/23 08:43:30 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- G:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/11/23 08:43:28 | 00,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- G:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/08/17 08:43:11 | 00,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) -- G:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/08/17 08:43:11 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- G:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/07/28 08:55:00 | 00,143,360 | ---- | M] (Realtek Semiconductor Corporation ) -- G:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2009/06/30 09:37:16 | 00,028,552 | ---- | M] (Panda Security, S.L.) -- G:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot)
DRV - [2009/06/17 04:22:06 | 00,102,664 | ---- | M] (Trend Micro Inc.) -- G:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2009/01/13 23:14:01 | 03,455,488 | ---- | M] (ATI Technologies Inc.) -- G:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2008/08/27 17:20:35 | 00,047,360 | ---- | M] (VSO Software) -- G:\WINDOWS\system32\drivers\pcouffin.sys -- (pcouffin)
DRV - [2008/04/13 11:46:20 | 00,048,128 | ---- | M] (Microsoft Corporation) -- G:\WINDOWS\system32\drivers\61883.sys -- (61883)
DRV - [2008/04/13 11:46:20 | 00,038,912 | ---- | M] (Microsoft Corporation) -- G:\WINDOWS\system32\drivers\avc.sys -- (Avc)
DRV - [2008/04/13 11:46:10 | 00,051,200 | ---- | M] (Microsoft Corporation) -- G:\WINDOWS\system32\drivers\msdv.sys -- (MSDV)
DRV - [2008/04/13 10:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- G:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 08:39:15 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- G:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2008/04/13 08:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- G:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/08/09 21:52:44 | 04,603,904 | R--- | M] (Realtek Semiconductor Corp.) -- G:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2006/10/18 11:12:16 | 00,012,664 | R--- | M] () -- G:\WINDOWS\system32\drivers\AsIO.sys -- (AsIO)
DRV - [2006/07/24 15:05:00 | 00,005,632 | ---- | M] () -- G:\WINDOWS\system32\drivers\StarOpen.sys -- (StarOpen)
DRV - [2005/12/22 11:24:52 | 00,137,884 | ---- | M] (MCCI) -- G:\WINDOWS\system32\drivers\sscdmdm.sys -- (sscdmdm)
DRV - [2005/12/22 11:24:52 | 00,010,864 | ---- | M] (MCCI) -- G:\WINDOWS\system32\drivers\sscdmdfl.sys -- (sscdmdfl)
DRV - [2005/12/22 11:24:50 | 00,080,272 | ---- | M] (MCCI) -- G:\WINDOWS\system32\drivers\sscdbus.sys -- (sscdbus) SAMSUNG USB Composite Device driver (WDM)
DRV - [2005/10/18 16:46:08 | 00,014,336 | ---- | M] (M-Audio) -- G:\WINDOWS\system32\drivers\MADFU008.sys -- (MADFU008)
DRV - [2005/10/18 16:45:28 | 00,063,872 | ---- | M] (M-Audio, Inc.) -- G:\WINDOWS\system32\drivers\MA763008.sys -- (ma763008)
DRV - [2005/06/22 09:37:46 | 00,022,272 | ---- | M] (Doug Fetter Software Wizardry) -- G:\WINDOWS\system32\drivers\usbnz1x1.sys -- (USBNZ1X1)
DRV - [2004/08/13 10:56:20 | 00,005,810 | R--- | M] () -- G:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2004/06/22 07:05:12 | 00,051,088 | ---- | M] (HP) -- G:\WINDOWS\system32\drivers\hpzid412.sys -- (HPZid412)
DRV - [2004/06/22 07:05:12 | 00,021,744 | ---- | M] (HP) -- G:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12)
DRV - [2004/06/22 07:05:12 | 00,016,496 | ---- | M] (HP) -- G:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12)
DRV - [2001/08/18 04:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- G:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [1999/09/10 12:06:00 | 00,025,244 | ---- | M] (Adaptec) -- G:\WINDOWS\system32\drivers\ASPI32.SYS -- (ASPI32)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = G:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1482476501-412668190-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = G:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-1482476501-412668190-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-1482476501-412668190-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-1482476501-412668190-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-1482476501-412668190-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://webmail.ucr.edu/
IE - HKU\S-1-5-21-1482476501-412668190-839522115-1004\S-1-5-21-1482476501-412668190-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.startup.homepage: "webmail.ucr.edu"
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.6.5
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:1.1.7
FF - prefs.js..extensions.enabledItems: {1018e4d6-728f-4b20-ad56-37578a4de76b}:3.3.18
FF - prefs.js..extensions.enabledItems: {3d7eb24f-2740-49df-8937-200b1cc08f8a}:1.5.11.2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}:6.0.14
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:1.0.0.071303000006
FF - prefs.js..extensions.enabledItems: {fe0258ab-4f74-43a1-8781-bcdf340f9ee9}:2.5.5
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.5
FF - prefs.js..keyword.URL: "http://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q="

FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: G:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/01 03:05:06 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: G:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/06/20 12:03:48 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: G:\Program Files\Mozilla Firefox\components [2009/11/23 18:54:49 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: G:\Program Files\Mozilla Firefox\plugins [2009/11/22 12:42:11 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Sunbird 0.8\extensions\\Components: G:\Program Files\Mozilla Sunbird\components [2008/12/29 18:31:23 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Sunbird 0.8\extensions\\Plugins: G:\Program Files\Mozilla Sunbird\plugins [2009/01/29 20:10:29 | 00,000,000 | ---D | M]

[2008/07/18 03:41:35 | 00,000,000 | ---D | M] -- G:\Documents and Settings\Charles Townsend\Application Data\Mozilla\Extensions
[2008/07/18 03:41:35 | 00,000,000 | ---D | M] -- G:\Documents and Settings\Charles Townsend\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/11/25 13:15:25 | 00,000,000 | ---D | M] -- G:\Documents and Settings\Charles Townsend\Application Data\Mozilla\Firefox\Profiles\6nhnclfa.default\extensions
[2009/11/09 14:45:45 | 00,000,000 | ---D | M] -- G:\Documents and Settings\Charles Townsend\Application Data\Mozilla\Firefox\Profiles\6nhnclfa.default\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
[2009/09/01 16:09:19 | 00,000,000 | ---D | M] -- G:\Documents and Settings\Charles Townsend\Application Data\Mozilla\Firefox\Profiles\6nhnclfa.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/06/30 16:26:57 | 00,000,000 | ---D | M] -- G:\Documents and Settings\Charles Townsend\Application Data\Mozilla\Firefox\Profiles\6nhnclfa.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
[2009/09/06 12:12:57 | 00,000,000 | ---D | M] -- G:\Documents and Settings\Charles Townsend\Application Data\Mozilla\Firefox\Profiles\6nhnclfa.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2009/10/27 23:41:12 | 00,000,000 | ---D | M] -- G:\Documents and Settings\Charles Townsend\Application Data\Mozilla\Firefox\Profiles\6nhnclfa.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2009/10/21 14:48:47 | 00,000,000 | ---D | M] -- G:\Documents and Settings\Charles Townsend\Application Data\Mozilla\Firefox\Profiles\6nhnclfa.default\extensions\{fe0258ab-4f74-43a1-8781-bcdf340f9ee9}
[2009/03/19 20:52:57 | 00,000,000 | ---D | M] -- G:\Documents and Settings\Charles Townsend\Application Data\Mozilla\Firefox\Profiles\6nhnclfa.default\extensions\moveplayer@movenetworks.com
[2008/07/26 20:55:48 | 00,000,000 | ---D | M] -- G:\Documents and Settings\Charles Townsend\Application Data\Mozilla\Sunbird\Profiles\gfo0kjnj.default\extensions
[2009/11/25 13:15:25 | 00,000,000 | ---D | M] -- G:\Program Files\Mozilla Firefox\extensions
[2009/11/22 12:42:11 | 00,000,000 | ---D | M] -- G:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/07/21 19:11:58 | 00,000,000 | ---D | M] -- G:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2009/06/20 12:03:57 | 00,000,000 | ---D | M] -- G:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
[2009/11/02 19:23:26 | 00,023,512 | ---- | M] (Mozilla Foundation) -- G:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2009/11/02 19:23:27 | 00,137,176 | ---- | M] (Mozilla Foundation) -- G:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2007/04/10 16:21:08 | 00,163,256 | ---- | M] (Microsoft Corporation) -- G:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll
[2008/06/17 15:12:42 | 00,114,688 | ---- | M] (Adobe Systems, Inc.) -- G:\Program Files\Mozilla Firefox\plugins\np32dsw.dll
[2009/06/20 12:03:47 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- G:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
[2008/06/27 16:03:12 | 01,446,440 | ---- | M] (Microsoft Corporation) -- G:\Program Files\Mozilla Firefox\plugins\npLegitCheckPlugin.dll
[2009/11/02 19:23:28 | 00,064,984 | ---- | M] (mozilla.org) -- G:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2008/10/14 21:33:29 | 00,095,600 | ---- | M] (Adobe Systems Inc.) -- G:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
[2008/12/29 18:31:57 | 00,143,360 | ---- | M] (Apple Inc.) -- G:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
[2008/12/29 18:31:57 | 00,143,360 | ---- | M] (Apple Inc.) -- G:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
[2008/12/29 18:31:57 | 00,143,360 | ---- | M] (Apple Inc.) -- G:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
[2008/12/29 18:31:57 | 00,143,360 | ---- | M] (Apple Inc.) -- G:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
[2008/12/29 18:31:57 | 00,143,360 | ---- | M] (Apple Inc.) -- G:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
[2008/12/29 18:31:57 | 00,143,360 | ---- | M] (Apple Inc.) -- G:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
[2008/12/29 18:31:57 | 00,143,360 | ---- | M] (Apple Inc.) -- G:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
[2009/11/02 17:16:17 | 00,001,394 | ---- | M] () -- G:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
[2009/11/02 17:16:17 | 00,002,193 | ---- | M] () -- G:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2009/11/02 17:16:17 | 00,001,534 | ---- | M] () -- G:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2009/11/02 17:16:17 | 00,002,344 | ---- | M] () -- G:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
[2009/11/02 17:16:17 | 00,002,371 | ---- | M] () -- G:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2009/11/02 17:16:17 | 00,001,178 | ---- | M] () -- G:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
[2009/11/02 17:16:17 | 00,000,792 | ---- | M] () -- G:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml

O1 HOSTS File: (355926 bytes) - G:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 12234 more lines...
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - No CLSID value found.
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - G:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - G:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-1482476501-412668190-839522115-1004\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AVG8_TRAY] G:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [BrStsWnd] G:\Program Files\Brownie\BrstsWnd.exe (brother)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] G:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [M-Audio Taskbar Icon] G:\WINDOWS\system32\M-AudioTaskBarIcon.exe (M-Audio, an Avid Technology, Inc. company)
O4 - HKLM..\Run: [RTHDCPL] G:\WINDOWS\RTHDCPL.exe (Realtek Semiconductor Corp.)
O4 - HKU\S-1-5-21-1482476501-412668190-839522115-1004..\Run: [SUPERAntiSpyware] G:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1482476501-412668190-839522115-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1482476501-412668190-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1482476501-412668190-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1482476501-412668190-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-1482476501-412668190-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\S-1-5-21-1482476501-412668190-839522115-1004_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Append to existing PDF - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre6\bin\npjpi160_14.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Webpage Capture - {1F958B09-6612-7a0e-9223-4C7324C57B23} - G:\Program Files\Webpage Capture\Webpage Capture.exe (Endicosoft.com)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-1482476501-412668190-839522115-1004\..Trusted Domains: 64 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1216381608576 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1245547670500 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: Microsoft XML Parser for Java file://G:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.190.192.35 66.214.48.27
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - G:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - G:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - G:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - G:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - G:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - G:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - G:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O20 - AppInit_DLLs: (G:\WINDOWS\system32\avgrsstx.dll) - G:\WINDOWS\system32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - G:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - G:\Program Files\SUPERAntiSpyware\SASWINLO.dll - G:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - G:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - G:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - G:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{a1171244-550d-11dd-ae97-001fc6b113d4}\Shell\AutoRun\command - "" = I:\LinksysConnectPC.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - G:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

NetSvcs: 6to4 - File not found
NetSvcs: Ias - G:\WINDOWS\system32\ias [2008/07/17 19:12:28 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - G:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: TermService - G:\WINDOWS\system32\termsrv32.dll (Microsoft Corporation)
NetSvcs: helpsvc - G:\WINDOWS\PCHEALTH\HELPCTR\Binaries\pchsvc.dll (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17455009083949056)

========== Files/Folders - Created Within 30 Days ==========

[2009/11/25 17:33:54 | 00,531,456 | ---- | C] (OldTimer Tools) -- G:\Documents and Settings\Charles Townsend\Desktop\OTL.exe
[2009/11/25 11:42:34 | 00,000,000 | ---D | C] -- G:\Documents and Settings\Charles Townsend\Desktop\Whittier
[2009/11/24 22:14:37 | 00,000,000 | ---D | C] -- G:\Program Files\ESET
[2009/11/24 21:35:02 | 00,000,000 | ---D | C] -- G:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/11/24 21:34:54 | 00,000,000 | ---D | C] -- G:\Documents and Settings\Charles Townsend\Application Data\SUPERAntiSpyware.com
[2009/11/24 21:34:54 | 00,000,000 | ---D | C] -- G:\Program Files\SUPERAntiSpyware
[2009/11/24 21:34:27 | 00,000,000 | ---D | C] -- G:\Program Files\Common Files\Wise Installation Wizard
[2009/11/24 21:29:31 | 00,050,688 | ---- | C] (Atribune.org) -- G:\Documents and Settings\Charles Townsend\Desktop\ATF-Cleaner.exe
[2009/11/24 18:17:48 | 00,472,064 | ---- | C] ( ) -- G:\Documents and Settings\Charles Townsend\Desktop\RootRepeal.exe
[2009/11/23 20:45:49 | 01,839,984 | ---- | C] (Trend Micro) -- G:\Documents and Settings\Charles Townsend\Desktop\HousecallLauncher.exe
[2009/11/22 12:27:39 | 00,000,000 | RH-D | C] -- G:\Documents and Settings\Charles Townsend\Recent
[2009/11/22 02:28:40 | 00,028,552 | ---- | C] (Panda Security, S.L.) -- G:\WINDOWS\System32\drivers\pavboot.sys
[2009/11/22 02:27:57 | 00,000,000 | ---D | C] -- G:\Program Files\Panda Security
[2009/11/04 19:16:21 | 00,000,000 | ---D | C] -- G:\Documents and Settings\Charles Townsend\My Documents\PcSetup
[2009/11/04 19:16:16 | 00,102,439 | ---- | C] (RealNetworks, Inc.) -- G:\WINDOWS\System32\sipr3260.dll
[2009/11/04 19:16:15 | 01,184,984 | ---- | C] (Microsoft Corporation) -- G:\WINDOWS\System32\wvc1dmod.dll
[2009/10/28 17:33:03 | 00,000,000 | ---D | C] -- G:\Documents and Settings\Charles Townsend\My Documents\My Art
[2008/08/27 17:20:35 | 00,047,360 | ---- | C] (VSO Software) -- G:\Documents and Settings\Charles Townsend\Application Data\pcouffin.sys
[6 G:\WINDOWS\*.tmp files -> G:\WINDOWS\*.tmp -> ]
[5 G:\WINDOWS\System32\*.tmp files -> G:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/11/25 17:33:57 | 00,531,456 | ---- | M] (OldTimer Tools) -- G:\Documents and Settings\Charles Townsend\Desktop\OTL.exe
[2009/11/25 17:31:53 | 00,000,327 | ---- | M] () -- G:\WINDOWS\Brownie.ini
[2009/11/25 17:31:24 | 00,000,006 | -H-- | M] () -- G:\WINDOWS\tasks\SA.DAT
[2009/11/25 17:31:21 | 00,002,048 | --S- | M] () -- G:\WINDOWS\bootstat.dat
[2009/11/25 13:09:21 | 00,000,000 | ---- | M] () -- G:\Documents and Settings\Charles Townsend\Desktop\settings.dat
[2009/11/25 13:01:20 | 00,524,800 | ---- | M] () -- G:\Documents and Settings\Charles Townsend\Desktop\dds.scr
[2009/11/25 11:46:18 | 10,747,904 | -H-- | M] () -- G:\Documents and Settings\Charles Townsend\NTUSER.DAT
[2009/11/25 10:38:19 | 45,710,353 | ---- | M] () -- G:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/11/25 10:38:19 | 00,105,663 | ---- | M] () -- G:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/11/25 01:11:58 | 00,000,178 | -HS- | M] () -- G:\Documents and Settings\Charles Townsend\ntuser.ini
[2009/11/24 22:14:28 | 02,672,312 | ---- | M] () -- G:\Documents and Settings\Charles Townsend\Desktop\esetsmartinstaller_enu.exe
[2009/11/24 22:13:24 | 04,319,420 | -H-- | M] () -- G:\Documents and Settings\Charles Townsend\Local Settings\Application Data\IconCache.db
[2009/11/24 21:34:57 | 00,000,780 | ---- | M] () -- G:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/11/24 21:34:13 | 07,392,800 | ---- | M] () -- G:\Documents and Settings\Charles Townsend\Desktop\SUPERAntiSpyware.exe
[2009/11/24 21:29:32 | 00,050,688 | ---- | M] (Atribune.org) -- G:\Documents and Settings\Charles Townsend\Desktop\ATF-Cleaner.exe
[2009/11/24 18:17:51 | 00,472,064 | ---- | M] ( ) -- G:\Documents and Settings\Charles Townsend\Desktop\RootRepeal.exe
[2009/11/24 18:02:08 | 00,001,393 | ---- | M] () -- G:\WINDOWS\imsins.BAK
[2009/11/24 18:00:19 | 00,229,376 | ---- | M] () -- G:\Documents and Settings\Charles Townsend\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/23 23:53:49 | 00,000,664 | ---- | M] () -- G:\WINDOWS\System32\d3d9caps.dat
[2009/11/23 20:50:53 | 01,839,984 | ---- | M] (Trend Micro) -- G:\Documents and Settings\Charles Townsend\Desktop\HousecallLauncher.exe
[2009/11/23 20:46:01 | 00,000,036 | ---- | M] () -- G:\Documents and Settings\Charles Townsend\Local Settings\Application Data\housecall.guid.cache
[2009/11/22 22:24:00 | 00,355,926 | R--- | M] () -- G:\WINDOWS\System32\drivers\etc\hosts
[2009/11/22 12:42:14 | 00,001,602 | ---- | M] () -- G:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/11/22 02:27:52 | 00,177,240 | ---- | M] () -- G:\Documents and Settings\Charles Townsend\Desktop\activescan2_en.exe
[2009/11/20 12:17:25 | 00,355,926 | R--- | M] () -- G:\WINDOWS\System32\drivers\etc\hosts.20091122-222359.backup
[2009/11/20 01:35:23 | 00,355,926 | R--- | M] () -- G:\WINDOWS\System32\drivers\etc\hosts.20091120-121725.backup
[2009/11/16 13:13:14 | 00,000,426 | ---- | M] () -- G:\WINDOWS\BRWMARK.INI
[2009/11/16 10:12:53 | 00,013,058 | ---- | M] () -- G:\WINDOWS\System32\wpa.dbl
[2009/11/12 22:59:26 | 00,018,483 | ---- | M] () -- G:\Documents and Settings\Charles Townsend\Desktop\Wawanesa.odt
[2009/11/12 06:36:44 | 00,182,632 | ---- | M] () -- G:\WINDOWS\System32\FNTCACHE.DAT
[2009/11/05 09:36:21 | 26,768,832 | ---- | M] (Microsoft Corporation) -- G:\WINDOWS\System32\MRT.exe
[2009/11/04 21:49:30 | 00,001,041 | ---- | M] () -- G:\Documents and Settings\Charles Townsend\Application Data\vso_ts_preview.xml
[2009/11/01 12:45:16 | 00,508,956 | ---- | M] () -- G:\WINDOWS\System32\PerfStringBackup.INI
[2009/11/01 12:45:16 | 00,432,356 | ---- | M] () -- G:\WINDOWS\System32\perfh009.dat
[2009/11/01 12:45:16 | 00,067,312 | ---- | M] () -- G:\WINDOWS\System32\perfc009.dat
[2009/10/29 22:54:33 | 00,018,174 | ---- | M] () -- G:\Documents and Settings\Charles Townsend\Desktop\Homes.odt
[2009/10/28 17:37:09 | 00,000,000 | ---- | M] () -- G:\Documents and Settings\All Users\Application Data\LauncherAccess.dt
[2009/10/28 17:37:06 | 00,000,020 | ---- | M] () -- G:\Documents and Settings\Charles Townsend\My Documents\funrecent.fmp
[2009/10/28 07:07:15 | 00,046,080 | ---- | M] (Microsoft Corporation) -- G:\WINDOWS\System32\tzchange.exe
[2009/10/27 23:42:23 | 00,040,960 | ---- | M] () -- G:\Documents and Settings\Charles Townsend\Desktop\RLST 12 Midterm fall 2009.doc
[2009/10/26 21:31:32 | 00,000,605 | ---- | M] () -- G:\WINDOWS\win.ini
[6 G:\WINDOWS\*.tmp files -> G:\WINDOWS\*.tmp -> ]
[5 G:\WINDOWS\System32\*.tmp files -> G:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/11/25 13:09:21 | 00,000,000 | ---- | C] () -- G:\Documents and Settings\Charles Townsend\Desktop\settings.dat
[2009/11/25 13:01:17 | 00,524,800 | ---- | C] () -- G:\Documents and Settings\Charles Townsend\Desktop\dds.scr
[2009/11/24 22:14:18 | 02,672,312 | ---- | C] () -- G:\Documents and Settings\Charles Townsend\Desktop\esetsmartinstaller_enu.exe
[2009/11/24 21:34:57 | 00,000,780 | ---- | C] () -- G:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/11/24 21:30:32 | 07,392,800 | ---- | C] () -- G:\Documents and Settings\Charles Townsend\Desktop\SUPERAntiSpyware.exe
[2009/11/24 18:02:07 | 00,001,393 | ---- | C] () -- G:\WINDOWS\imsins.BAK
[2009/11/23 23:53:49 | 00,000,664 | ---- | C] () -- G:\WINDOWS\System32\d3d9caps.dat
[2009/11/23 20:46:01 | 00,000,036 | ---- | C] () -- G:\Documents and Settings\Charles Townsend\Local Settings\Application Data\housecall.guid.cache
[2009/11/22 02:27:51 | 00,177,240 | ---- | C] () -- G:\Documents and Settings\Charles Townsend\Desktop\activescan2_en.exe
[2009/11/12 22:51:35 | 00,018,483 | ---- | C] () -- G:\Documents and Settings\Charles Townsend\Desktop\Wawanesa.odt
[2009/10/28 17:37:06 | 00,000,020 | ---- | C] () -- G:\Documents and Settings\Charles Townsend\My Documents\funrecent.fmp
[2009/10/27 23:41:56 | 00,040,960 | ---- | C] () -- G:\Documents and Settings\Charles Townsend\Desktop\RLST 12 Midterm fall 2009.doc
[2009/10/26 23:00:37 | 00,018,174 | ---- | C] () -- G:\Documents and Settings\Charles Townsend\Desktop\Homes.odt
[2009/09/01 17:42:31 | 00,163,840 | ---- | C] () -- G:\WINDOWS\System32\unrar.dll
[2009/09/01 17:42:29 | 03,596,288 | ---- | C] () -- G:\WINDOWS\System32\qt-dx331.dll
[2009/09/01 17:42:29 | 01,559,040 | ---- | C] () -- G:\WINDOWS\System32\xvidcore.dll
[2009/09/01 17:42:29 | 00,564,224 | ---- | C] () -- G:\WINDOWS\System32\x264vfw.dll
[2009/09/01 17:42:29 | 00,282,624 | ---- | C] () -- G:\WINDOWS\System32\xvidvfw.dll
[2009/09/01 17:42:28 | 00,007,680 | ---- | C] () -- G:\WINDOWS\System32\ff_vfw.dll
[2009/09/01 17:42:28 | 00,000,547 | ---- | C] () -- G:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/07/17 17:01:05 | 00,000,000 | ---- | C] () -- G:\Documents and Settings\All Users\Application Data\LauncherAccess.dt
[2009/07/08 04:05:20 | 00,073,728 | ---- | C] () -- G:\WINDOWS\System32\RtNicProp32.dll
[2009/07/06 14:10:47 | 00,000,394 | ---- | C] () -- G:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2009/06/23 15:58:59 | 00,000,724 | ---- | C] () -- G:\Program Files\INSTALL.LOG
[2009/06/23 15:58:58 | 00,149,504 | ---- | C] () -- G:\Program Files\UNWISE.EXE
[2009/06/17 16:00:44 | 00,005,493 | ---- | C] () -- G:\WINDOWS\wininit.ini
[2009/01/27 18:33:40 | 00,000,145 | ---- | C] () -- G:\WINDOWS\BRVIDEO.INI
[2009/01/27 18:33:40 | 00,000,000 | ---- | C] () -- G:\WINDOWS\brmx2001.ini
[2009/01/27 18:33:28 | 00,000,114 | ---- | C] () -- G:\WINDOWS\System32\brlmw03a.ini
[2009/01/27 18:33:27 | 00,009,853 | ---- | C] () -- G:\WINDOWS\HL-2140.INI
[2009/01/27 18:33:06 | 00,000,426 | ---- | C] () -- G:\WINDOWS\BRWMARK.INI
[2009/01/27 18:31:08 | 00,000,327 | ---- | C] () -- G:\WINDOWS\Brownie.ini
[2008/11/25 14:33:05 | 00,000,600 | ---- | C] () -- G:\Documents and Settings\Charles Townsend\Local Settings\Application Data\PUTTY.RND
[2008/08/27 17:20:45 | 00,001,041 | ---- | C] () -- G:\Documents and Settings\Charles Townsend\Application Data\vso_ts_preview.xml
[2008/08/27 17:20:39 | 00,000,034 | ---- | C] () -- G:\Documents and Settings\Charles Townsend\Application Data\pcouffin.log
[2008/08/27 17:20:35 | 00,007,887 | ---- | C] () -- G:\Documents and Settings\Charles Townsend\Application Data\pcouffin.cat
[2008/08/27 17:20:35 | 00,001,144 | ---- | C] () -- G:\Documents and Settings\Charles Townsend\Application Data\pcouffin.inf
[2008/08/15 13:23:27 | 00,005,632 | ---- | C] () -- G:\WINDOWS\System32\drivers\StarOpen.sys
[2008/07/18 12:05:04 | 00,229,376 | ---- | C] () -- G:\Documents and Settings\Charles Townsend\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/07/18 04:36:25 | 00,024,576 | R--- | C] () -- G:\WINDOWS\System32\AsIO.dll
[2008/07/18 04:36:25 | 00,012,664 | R--- | C] () -- G:\WINDOWS\System32\drivers\AsIO.sys
[2008/07/18 04:36:23 | 00,012,096 | ---- | C] () -- G:\WINDOWS\System32\drivers\AsInsHelp64.sys
[2008/07/18 04:36:23 | 00,010,304 | ---- | C] () -- G:\WINDOWS\System32\drivers\AsInsHelp32.sys
[2008/07/18 03:38:07 | 00,035,520 | ---- | C] () -- G:\Documents and Settings\Charles Townsend\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2008/07/18 03:16:18 | 00,013,569 | ---- | C] () -- G:\WINDOWS\Ascd_log.ini
[2008/07/18 03:08:59 | 00,007,842 | ---- | C] () -- G:\WINDOWS\Ascd_tmp.ini
[2008/07/18 03:08:59 | 00,005,810 | R--- | C] () -- G:\WINDOWS\System32\drivers\ASACPI.sys
[2008/07/18 03:08:47 | 00,012,536 | ---- | C] () -- G:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2008/07/18 02:56:57 | 04,319,420 | -H-- | C] () -- G:\Documents and Settings\Charles Townsend\Local Settings\Application Data\IconCache.db
[2008/07/18 02:28:54 | 00,000,062 | -HS- | C] () -- G:\Documents and Settings\Charles Townsend\Application Data\desktop.ini
[2008/07/18 02:24:12 | 00,000,000 | ---- | C] () -- G:\WINDOWS\control.ini
[2008/07/18 02:22:05 | 00,000,037 | ---- | C] () -- G:\WINDOWS\vbaddin.ini
[2008/07/18 02:22:05 | 00,000,036 | ---- | C] () -- G:\WINDOWS\vb.ini
[2008/07/18 02:21:17 | 00,013,223 | ---- | C] () -- G:\WINDOWS\System32\tslabels.ini
[2008/07/18 02:21:15 | 00,001,931 | ---- | C] () -- G:\WINDOWS\System32\msdtcprf.ini
[2008/07/17 19:15:28 | 00,508,956 | ---- | C] () -- G:\WINDOWS\System32\PerfStringBackup.INI
[2008/07/17 19:15:27 | 00,004,161 | ---- | C] () -- G:\WINDOWS\ODBCINST.INI
[2008/07/17 19:15:08 | 00,000,062 | -HS- | C] () -- G:\Documents and Settings\All Users\Application Data\desktop.ini
[2006/06/29 13:58:52 | 00,030,808 | ---- | C] () -- G:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont
[2006/06/29 13:53:56 | 00,026,489 | ---- | C] () -- G:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 14:39:28 | 00,029,779 | ---- | C] () -- G:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/04/18 14:39:28 | 00,026,040 | ---- | C] () -- G:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2004/08/03 23:56:44 | 00,270,848 | ---- | C] () -- G:\WINDOWS\System32\sbe.dll
[2004/08/03 23:56:42 | 00,186,880 | ---- | C] () -- G:\WINDOWS\System32\encdec.dll
[2001/08/18 04:00:00 | 01,291,264 | ---- | C] () -- G:\WINDOWS\System32\quartz.dll
[2001/08/18 04:00:00 | 01,015,477 | ---- | C] () -- G:\WINDOWS\System32\esentprf.ini
[2001/08/18 04:00:00 | 00,733,696 | ---- | C] () -- G:\WINDOWS\System32\qedwipes.dll
[2001/08/18 04:00:00 | 00,562,176 | ---- | C] () -- G:\WINDOWS\System32\qedit.dll
[2001/08/18 04:00:00 | 00,498,742 | ---- | C] () -- G:\WINDOWS\System32\dxmasf.dll
[2001/08/18 04:00:00 | 00,386,048 | ---- | C] () -- G:\WINDOWS\System32\qdvd.dll
[2001/08/18 04:00:00 | 00,355,112 | ---- | C] () -- G:\WINDOWS\System32\msjetoledb40.dll
[2001/08/18 04:00:00 | 00,279,040 | ---- | C] () -- G:\WINDOWS\System32\qdv.dll
[2001/08/18 04:00:00 | 00,252,928 | ---- | C] () -- G:\WINDOWS\System32\compatui.dll
[2001/08/18 04:00:00 | 00,199,168 | ---- | C] () -- G:\WINDOWS\System32\ir32_32.dll
[2001/08/18 04:00:00 | 00,192,512 | ---- | C] () -- G:\WINDOWS\System32\qcap.dll
[2001/08/18 04:00:00 | 00,094,282 | ---- | C] () -- G:\WINDOWS\System32\msencode.dll
[2001/08/18 04:00:00 | 00,070,656 | ---- | C] () -- G:\WINDOWS\System32\amstream.dll
[2001/08/18 04:00:00 | 00,059,904 | ---- | C] () -- G:\WINDOWS\System32\devenum.dll
[2001/08/18 04:00:00 | 00,053,478 | ---- | C] () -- G:\WINDOWS\System32\tcpmon.ini
[2001/08/18 04:00:00 | 00,042,809 | ---- | C] () -- G:\WINDOWS\System32\key01.sys
[2001/08/18 04:00:00 | 00,042,537 | ---- | C] () -- G:\WINDOWS\System32\keyboard.sys
[2001/08/18 04:00:00 | 00,035,648 | ---- | C] () -- G:\WINDOWS\System32\ntio411.sys
[2001/08/18 04:00:00 | 00,035,424 | ---- | C] () -- G:\WINDOWS\System32\ntio412.sys
[2001/08/18 04:00:00 | 00,035,328 | ---- | C] () -- G:\WINDOWS\System32\mciqtz32.dll
[2001/08/18 04:00:00 | 00,034,560 | ---- | C] () -- G:\WINDOWS\System32\ntio804.sys
[2001/08/18 04:00:00 | 00,034,560 | ---- | C] () -- G:\WINDOWS\System32\ntio404.sys
[2001/08/18 04:00:00 | 00,033,840 | ---- | C] () -- G:\WINDOWS\System32\ntio.sys
[2001/08/18 04:00:00 | 00,029,370 | ---- | C] () -- G:\WINDOWS\System32\ntdos411.sys
[2001/08/18 04:00:00 | 00,029,274 | ---- | C] () -- G:\WINDOWS\System32\ntdos412.sys
[2001/08/18 04:00:00 | 00,029,146 | ---- | C] () -- G:\WINDOWS\System32\ntdos804.sys
[2001/08/18 04:00:00 | 00,029,146 | ---- | C] () -- G:\WINDOWS\System32\ntdos404.sys
[2001/08/18 04:00:00 | 00,027,866 | ---- | C] () -- G:\WINDOWS\System32\ntdos.sys
[2001/08/18 04:00:00 | 00,027,097 | ---- | C] () -- G:\WINDOWS\System32\country.sys
[2001/08/18 04:00:00 | 00,015,360 | ---- | C] () -- G:\WINDOWS\System32\tsd32.dll
[2001/08/18 04:00:00 | 00,014,336 | ---- | C] () -- G:\WINDOWS\System32\msdmo.dll
[2001/08/18 04:00:00 | 00,013,312 | ---- | C] () -- G:\WINDOWS\System32\win87em.dll
[2001/08/18 04:00:00 | 00,012,082 | ---- | C] () -- G:\WINDOWS\System32\rsvp.ini
[2001/08/18 04:00:00 | 00,009,029 | ---- | C] () -- G:\WINDOWS\System32\ansi.sys
[2001/08/18 04:00:00 | 00,006,877 | ---- | C] () -- G:\WINDOWS\System32\pschdprf.ini
[2001/08/18 04:00:00 | 00,004,768 | ---- | C] () -- G:\WINDOWS\System32\himem.sys
[2001/08/18 04:00:00 | 00,004,126 | ---- | C] () -- G:\WINDOWS\System32\msdxmlc.dll
[2001/08/18 04:00:00 | 00,003,458 | ---- | C] () -- G:\WINDOWS\System32\rasctrs.ini
[2001/08/18 04:00:00 | 00,002,891 | ---- | C] () -- G:\WINDOWS\System32\perfci.ini
[2001/08/18 04:00:00 | 00,002,732 | ---- | C] () -- G:\WINDOWS\System32\perfwci.ini
[2001/08/18 04:00:00 | 00,001,405 | ---- | C] () -- G:\WINDOWS\msdfmap.ini
[2001/08/18 04:00:00 | 00,001,152 | ---- | C] () -- G:\WINDOWS\System32\perffilt.ini
[2001/08/18 04:00:00 | 00,000,605 | ---- | C] () -- G:\WINDOWS\win.ini
[2001/08/18 04:00:00 | 00,000,343 | ---- | C] () -- G:\WINDOWS\System32\prodspec.ini
[2001/08/18 04:00:00 | 00,000,227 | ---- | C] () -- G:\WINDOWS\system.ini
[2001/08/17 14:36:28 | 00,157,696 | ---- | C] () -- G:\WINDOWS\System32\paqsp.dll

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2009/06/19 10:43:15 | 00,286,208 | ---- | M] () -- G:\9c9dhfgn.exe

< %SYSTEMDRIVE%\eventlog.dll /s /md5 >
[2004/08/03 23:56:42 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- G:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
[2008/04/13 16:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- G:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 16:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- G:\WINDOWS\system32\eventlog.dll
[5 G:\WINDOWS\system32\*.tmp files -> G:\WINDOWS\system32\*.tmp -> ]

< %SYSTEMDRIVE%\scecli.dll /s /md5 >
[2004/08/03 23:56:44 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- G:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 16:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- G:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 16:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- G:\WINDOWS\system32\scecli.dll
[5 G:\WINDOWS\system32\*.tmp files -> G:\WINDOWS\system32\*.tmp -> ]

< %SYSTEMDRIVE%\netlogon.dll /s /md5 >
[2004/08/03 23:56:44 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- G:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2008/04/13 16:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- G:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 16:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- G:\WINDOWS\system32\netlogon.dll
[5 G:\WINDOWS\system32\*.tmp files -> G:\WINDOWS\system32\*.tmp -> ]

< %SYSTEMDRIVE%\cngaudit.dll /s /md5 >

< %SYSTEMDRIVE%\sceclt.dll /s /md5 >

< %SYSTEMDRIVE%\ntelogon.dll /s /md5 >

< %SYSTEMDRIVE%\logevent.dll /s /md5 >

< %SYSTEMDRIVE%\iaStor.sys /s /md5 >

< %SYSTEMDRIVE%\nvstor.sys /s /md5 >

< %SYSTEMDRIVE%\atapi.sys /s /md5 >
[2004/08/03 21:59:42 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- G:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2008/04/13 10:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- G:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 10:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- G:\WINDOWS\system32\drivers\atapi.sys
[2001/08/18 04:00:00 | 00,086,656 | ---- | M] (Microsoft Corporation) MD5=A64013E98426E1877CB653685C5C0009 -- G:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\atapi.sys

< %SYSTEMDRIVE%\IdeChnDr.sys /s /md5 >

< %SYSTEMDRIVE%\viasraid.sys /s /md5 >

< %SYSTEMDRIVE%\AGP440.sys /s /md5 >
[2004/08/03 22:07:41 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- G:\WINDOWS\$NtServicePackUninstall$\agp440.sys
[2008/04/13 10:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- G:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 10:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- G:\WINDOWS\system32\drivers\agp440.sys

< %SYSTEMDRIVE%\vaxscsi.sys /s /md5 >

< %SYSTEMDRIVE%\nvatabus.sys /s /md5 >

< %SYSTEMDRIVE%\viamraid.sys /s /md5 >

< %SYSTEMDRIVE%\nvata.sys /s /md5 >

========== Alternate Data Streams ==========

@Alternate Data Stream - 129 bytes -> G:\Documents and Settings\All Users\Application Data\TEMP:4240575B
@Alternate Data Stream - 110 bytes -> G:\Documents and Settings\All Users\Application Data\TEMP:888AFB86
< End of report >

Edited by Buckeye_Sam, 27 November 2009 - 10:30 AM.
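The `/s /md5` custom scans in the log above are a hash comparison: for each system file, OTL lists every copy it finds (the `$NtServicePackUninstall$` backup, the `ServicePackFiles\i386` service-pack cache, and the live copy under `system32`) with its MD5, and the helper reads them side by side looking for a live copy that no longer matches its reference. The checker below is an added example, not part of this thread or of OTL, that automates that reading over constructed sample lines in the same format. It assumes the `ServicePackFiles\i386` copy is the trustworthy reference (an assumption; a rootkit that also patched the cache would pass unnoticed), flags a live copy whose MD5 differs, and reports a scan with no results as `absent`, which simply means that driver is not installed. The all-zero MD5 in the sample is a constructed placeholder, not a hash from the log.

```python
import re

# Constructed sample in the OTL "/md5" custom-scan format. The atapi.sys
# system32 line carries an all-zero placeholder hash so there is something
# to flag; the other hashes are copied from the thread's own log.
SAMPLE_LOG = r"""< %SYSTEMDRIVE%\eventlog.dll /s /md5 >
[2004/08/03 23:56:42 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- G:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
[2008/04/13 16:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- G:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 16:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- G:\WINDOWS\system32\eventlog.dll
[5 G:\WINDOWS\system32\*.tmp files -> G:\WINDOWS\system32\*.tmp -> ]

< %SYSTEMDRIVE%\atapi.sys /s /md5 >
[2008/04/13 10:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- G:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 10:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000000 -- G:\WINDOWS\system32\drivers\atapi.sys
[2001/08/18 04:00:00 | 00,086,656 | ---- | M] (Microsoft Corporation) MD5=A64013E98426E1877CB653685C5C0009 -- G:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\atapi.sys

< %SYSTEMDRIVE%\nvstor.sys /s /md5 >
"""

HEADER_RE = re.compile(r"^< (?P<query>.+?) >$")
ENTRY_RE = re.compile(
    r"^\[(?P<stamp>[^\]]+)\] \((?P<company>[^)]*)\) "
    r"MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>.+)$"
)

# Assumed reference location: the SP3 install cache (an assumption, see lead-in).
REFERENCE_DIR = "\\servicepackfiles\\i386\\"
# Copies in these locations are backups, not the file Windows actually loads.
BACKUP_MARKERS = ("$ntservicepackuninstall$", "reinstallbackups", "servicepackfiles")


def parse_md5_scans(text):
    """Return {queried file name: [entries]} for every '/md5' custom scan block."""
    scans = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            query = m.group("query")
            if "/md5" not in query.lower():
                current = None          # a non-hash scan, ignore its results
                continue
            # "%SYSTEMDRIVE%\atapi.sys /s /md5" -> "atapi.sys"
            target = query.split()[0].rsplit("\\", 1)[-1].lower()
            current = scans.setdefault(target, [])
            continue
        if current is None:
            continue
        m = ENTRY_RE.match(line)
        if m:                            # ".tmp files" summary lines do not match
            stamp = [p.strip() for p in m.group("stamp").split("|")]
            current.append({
                "md5": m.group("md5").upper(),
                "path": m.group("path"),
                "company": m.group("company").strip(),
                "size": int(stamp[1].replace(",", "")),
            })
    return scans


def is_live_copy(path):
    """The copy Windows loads: under system32 and not in a backup folder."""
    p = path.lower()
    return "\\system32\\" in p and not any(b in p for b in BACKUP_MARKERS)


def classify(entries):
    """Compare each live copy's MD5 against the service-pack cache copy."""
    if not entries:
        return "absent"                  # driver not installed on this machine
    ref = {e["md5"] for e in entries if REFERENCE_DIR in e["path"].lower()}
    live = [e for e in entries if is_live_copy(e["path"])]
    if not live:
        return "no_live_copy"
    if not ref:
        return "no_reference"            # cannot verify without a cache copy
    return "match" if all(e["md5"] in ref for e in live) else "MISMATCH"


def check_md5_scans(text):
    """Map each scanned file name to its verdict."""
    return {name: classify(entries) for name, entries in parse_md5_scans(text).items()}


if __name__ == "__main__":
    for name, status in check_md5_scans(SAMPLE_LOG).items():
        print(f"{name:14s} {status}")
```

A `MISMATCH` verdict only says the live file differs from the cache copy; legitimate hotfixes also change system files, so the next step is to confirm the hash against a known-good copy from the same service-pack level before treating it as a patched driver.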


#4 Buckeye_Sam (Malware Expert)

Posted 27 November 2009 - 10:42 AM

Run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    @Alternate Data Stream - 129 bytes -> G:\Documents and Settings\All Users\Application Data\TEMP:4240575B
    @Alternate Data Stream - 110 bytes -> G:\Documents and Settings\All Users\Application Data\TEMP:888AFB86
    [2009/06/19 10:43:15 | 00,286,208 | ---- | M] () -- G:\9c9dhfgn.exe
    [6 G:\WINDOWS\*.tmp files -> G:\WINDOWS\*.tmp -> ]
    [5 G:\WINDOWS\System32\*.tmp files -> G:\WINDOWS\System32\*.tmp -> ]
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run and post a new OTL log.

Give me an update on the issues that you are still experiencing.
========================================================

#5 chaka (Topic Starter)

Posted 27 November 2009 - 09:25 PM

Hi Sam - I ran OTL with the fixes you told me to. It ran, and the system restarted and OTL gave me the txt log. When it started up, the hard drive was still running, running, running, with no programs in use - now after the scan, it seems to be 'chilling out'. Here are the logs from after the fix, and after scanning again:

All processes killed
========== OTL ==========
ADS G:\Documents and Settings\All Users\Application Data\TEMP:4240575B deleted successfully.
ADS G:\Documents and Settings\All Users\Application Data\TEMP:888AFB86 deleted successfully.
G:\9c9dhfgn.exe moved successfully.
G:\WINDOWS\002235_.tmp deleted successfully.
G:\WINDOWS\004990_.tmp deleted successfully.
G:\WINDOWS\msdownld.tmp folder deleted successfully.
G:\WINDOWS\SET3.tmp deleted successfully.
G:\WINDOWS\SET7.tmp deleted successfully.
G:\WINDOWS\SETD.tmp deleted successfully.
G:\WINDOWS\System32\SET23C.tmp deleted successfully.
G:\WINDOWS\System32\SET240.tmp deleted successfully.
G:\WINDOWS\System32\SET241.tmp deleted successfully.
G:\WINDOWS\System32\SET248.tmp deleted successfully.
G:\WINDOWS\System32\SET28F.tmp deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->FireFox cache emptied: 54320042 bytes

User: All Users

User: Charles Townsend
->Temp folder emptied: 1034349 bytes
->Temporary Internet Files folder emptied: 335290 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 36422816 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: HelpAssistant
->Temp folder emptied: 1034349 bytes
->Temporary Internet Files folder emptied: 572400 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 1472501 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 117257 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 10934422 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 67 bytes
RecycleBin emptied: 15960222 bytes

Total Files Cleaned = 116.61 mb


OTL by OldTimer - Version 3.1.10.1 log created on 11272009_181337

Files\Folders moved on Reboot...
File move failed. G:\WINDOWS\temp\$$$dq3e scheduled to be moved on reboot.
File move failed. G:\WINDOWS\temp\$67we.$ scheduled to be moved on reboot.

Registry entries deleted on Reboot...



OTL logfile created on: 11/27/2009 6:17:11 PM - Run 2
OTL by OldTimer - Version 3.1.10.1 Folder = G:\Documents and Settings\Charles Townsend\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): G:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = G: | %SystemRoot% = G:\WINDOWS | %ProgramFiles% = G:\Program Files
C: Drive not present or media not loaded
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 127.99 Gb Total Space | 76.86 Gb Free Space | 60.05% Space Free | Partition Type: NTFS
Drive H: | 170.10 Gb Total Space | 65.30 Gb Free Space | 38.39% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded

Computer Name: CHARLES-ASUS
Current User Name: Charles Townsend
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/11/25 17:33:57 | 00,531,456 | ---- | M] (OldTimer Tools) -- G:\Documents and Settings\Charles Townsend\Desktop\OTL.exe
PRC - [2009/11/25 10:37:43 | 02,029,336 | ---- | M] (AVG Technologies CZ, s.r.o.) -- G:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2009/11/23 08:43:26 | 02,001,648 | ---- | M] (SUPERAntiSpyware.com) -- G:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2009/11/02 19:23:08 | 00,908,248 | ---- | M] (Mozilla Corporation) -- G:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/08/17 08:43:11 | 00,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- G:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/08/17 08:43:05 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- G:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2009/06/20 12:03:47 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- G:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/02/06 02:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- G:\WINDOWS\system32\wbem\wmiprvse.exe
PRC - [2009/01/13 20:34:00 | 00,598,016 | ---- | M] (ATI Technologies Inc.) -- G:\WINDOWS\system32\ati2evxx.exe
PRC - [2009/01/13 20:34:00 | 00,598,016 | ---- | M] (ATI Technologies Inc.) -- G:\WINDOWS\system32\ati2evxx.exe
PRC - [2008/04/13 16:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- G:\WINDOWS\explorer.exe
PRC - [2008/01/11 12:54:44 | 00,090,112 | ---- | M] (brother) -- G:\Program Files\Brownie\brpjp04a.exe
PRC - [2008/01/08 09:28:02 | 00,864,256 | ---- | M] (brother) -- G:\Program Files\Brownie\BrStsWnd.exe
PRC - [2007/08/09 23:21:56 | 16,384,000 | R--- | M] (Realtek Semiconductor Corp.) -- G:\WINDOWS\RTHDCPL.exe
PRC - [2005/10/18 09:00:24 | 00,091,136 | ---- | M] (M-Audio, an Avid Technology, Inc. company) -- G:\WINDOWS\system32\M-AudioTaskBarIcon.exe
PRC - [2005/06/15 14:14:42 | 00,045,056 | ---- | M] (Nemesis) -- G:\Program Files\M-Audio\Ozone\Install\ozinst.exe


========== Modules (SafeList) ==========

MOD - [2009/11/25 17:33:57 | 00,531,456 | ---- | M] (OldTimer Tools) -- G:\Documents and Settings\Charles Townsend\Desktop\OTL.exe
MOD - [2009/08/17 08:43:11 | 00,011,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- G:\WINDOWS\system32\avgrsstx.dll
MOD - [2008/04/13 16:12:51 | 01,054,208 | ---- | M] (Microsoft Corporation) -- G:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
MOD - [2006/05/03 21:53:54 | 00,174,592 | ---- | M] (Microsoft Corporation) -- G:\WINDOWS\system32\framedyn.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/08/17 08:43:05 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- G:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2009/06/20 12:03:47 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- G:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/01/13 20:34:00 | 00,598,016 | ---- | M] (ATI Technologies Inc.) -- G:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2009/01/13 20:05:00 | 00,593,920 | ---- | M] () -- G:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart)
SRV - [2008/07/29 20:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- G:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0)
SRV - [2008/07/29 18:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- G:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc)
SRV - [2008/07/29 18:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- G:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2008/07/28 09:12:14 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) -- G:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/07/25 10:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- G:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/07/25 10:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- G:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state)
SRV - [2008/07/18 02:21:17 | 00,295,424 | ---- | M] (Microsoft Corporation) -- G:\WINDOWS\system32\termsrv32.dll -- (TermService)
SRV - [2008/04/13 16:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- G:\WINDOWS\PCHEALTH\HELPCTR\Binaries\pchsvc.dll -- (helpsvc)
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- G:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc)
SRV - [2005/06/15 14:14:42 | 00,045,056 | ---- | M] (Nemesis) -- G:\Program Files\M-Audio\Ozone\Install\ozinst.exe -- (OzoneInstallerService)


========== Driver Services (SafeList) ==========

DRV - [2009/11/23 08:43:30 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- G:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/11/23 08:43:30 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- G:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/11/23 08:43:28 | 00,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- G:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/08/17 08:43:11 | 00,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) -- G:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/08/17 08:43:11 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- G:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/07/28 08:55:00 | 00,143,360 | ---- | M] (Realtek Semiconductor Corporation ) -- G:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2009/06/30 09:37:16 | 00,028,552 | ---- | M] (Panda Security, S.L.) -- G:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot)
DRV - [2009/06/17 04:22:06 | 00,102,664 | ---- | M] (Trend Micro Inc.) -- G:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2009/01/13 23:14:01 | 03,455,488 | ---- | M] (ATI Technologies Inc.) -- G:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2008/08/27 17:20:35 | 00,047,360 | ---- | M] (VSO Software) -- G:\WINDOWS\system32\drivers\pcouffin.sys -- (pcouffin)
DRV - [2008/04/13 11:46:20 | 00,048,128 | ---- | M] (Microsoft Corporation) -- G:\WINDOWS\system32\drivers\61883.sys -- (61883)
DRV - [2008/04/13 11:46:20 | 00,038,912 | ---- | M] (Microsoft Corporation) -- G:\WINDOWS\system32\drivers\avc.sys -- (Avc)
DRV - [2008/04/13 11:46:10 | 00,051,200 | ---- | M] (Microsoft Corporation) -- G:\WINDOWS\system32\drivers\msdv.sys -- (MSDV)
DRV - [2008/04/13 10:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- G:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 08:39:15 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- G:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2008/04/13 08:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- G:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/08/09 21:52:44 | 04,603,904 | R--- | M] (Realtek Semiconductor Corp.) -- G:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2006/10/18 11:12:16 | 00,012,664 | R--- | M] () -- G:\WINDOWS\system32\drivers\AsIO.sys -- (AsIO)
DRV - [2006/07/24 15:05:00 | 00,005,632 | ---- | M] () -- G:\WINDOWS\system32\drivers\StarOpen.sys -- (StarOpen)
DRV - [2005/12/22 11:24:52 | 00,137,884 | ---- | M] (MCCI) -- G:\WINDOWS\system32\drivers\sscdmdm.sys -- (sscdmdm)
DRV - [2005/12/22 11:24:52 | 00,010,864 | ---- | M] (MCCI) -- G:\WINDOWS\system32\drivers\sscdmdfl.sys -- (sscdmdfl)
DRV - [2005/12/22 11:24:50 | 00,080,272 | ---- | M] (MCCI) -- G:\WINDOWS\system32\drivers\sscdbus.sys -- (sscdbus) SAMSUNG USB Composite Device driver (WDM)
DRV - [2005/10/18 16:46:08 | 00,014,336 | ---- | M] (M-Audio) -- G:\WINDOWS\system32\drivers\MADFU008.sys -- (MADFU008)
DRV - [2005/10/18 16:45:28 | 00,063,872 | ---- | M] (M-Audio, Inc.) -- G:\WINDOWS\system32\drivers\MA763008.sys -- (ma763008)
DRV - [2005/06/22 09:37:46 | 00,022,272 | ---- | M] (Doug Fetter Software Wizardry) -- G:\WINDOWS\system32\drivers\usbnz1x1.sys -- (USBNZ1X1)
DRV - [2004/08/13 10:56:20 | 00,005,810 | R--- | M] () -- G:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2004/06/22 07:05:12 | 00,051,088 | ---- | M] (HP) -- G:\WINDOWS\system32\drivers\hpzid412.sys -- (HPZid412)
DRV - [2004/06/22 07:05:12 | 00,021,744 | ---- | M] (HP) -- G:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12)
DRV - [2004/06/22 07:05:12 | 00,016,496 | ---- | M] (HP) -- G:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12)
DRV - [2001/08/18 04:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- G:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [1999/09/10 12:06:00 | 00,025,244 | ---- | M] (Adaptec) -- G:\WINDOWS\system32\drivers\ASPI32.SYS -- (ASPI32)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = G:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = G:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://webmail.ucr.edu/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.startup.homepage: "webmail.ucr.edu"
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.6.5
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:1.1.7
FF - prefs.js..extensions.enabledItems: {1018e4d6-728f-4b20-ad56-37578a4de76b}:3.3.18
FF - prefs.js..extensions.enabledItems: {3d7eb24f-2740-49df-8937-200b1cc08f8a}:1.5.11.2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}:6.0.14
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:1.0.0.071303000006
FF - prefs.js..extensions.enabledItems: {fe0258ab-4f74-43a1-8781-bcdf340f9ee9}:2.5.5
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.5
FF - prefs.js..keyword.URL: "http://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q="

FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: G:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/01 03:05:06 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: G:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/06/20 12:03:48 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: G:\Program Files\Mozilla Firefox\components [2009/11/23 18:54:49 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: G:\Program Files\Mozilla Firefox\plugins [2009/11/22 12:42:11 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Sunbird 0.8\extensions\\Components: G:\Program Files\Mozilla Sunbird\components [2008/12/29 18:31:23 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Sunbird 0.8\extensions\\Plugins: G:\Program Files\Mozilla Sunbird\plugins [2009/01/29 20:10:29 | 00,000,000 | ---D | M]

[2008/07/18 03:41:35 | 00,000,000 | ---D | M] -- G:\Documents and Settings\Charles Townsend\Application Data\Mozilla\Extensions
[2008/07/18 03:41:35 | 00,000,000 | ---D | M] -- G:\Documents and Settings\Charles Townsend\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/11/25 17:42:11 | 00,000,000 | ---D | M] -- G:\Documents and Settings\Charles Townsend\Application Data\Mozilla\Firefox\Profiles\6nhnclfa.default\extensions
[2009/11/09 14:45:45 | 00,000,000 | ---D | M] -- G:\Documents and Settings\Charles Townsend\Application Data\Mozilla\Firefox\Profiles\6nhnclfa.default\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
[2009/09/01 16:09:19 | 00,000,000 | ---D | M] -- G:\Documents and Settings\Charles Townsend\Application Data\Mozilla\Firefox\Profiles\6nhnclfa.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/06/30 16:26:57 | 00,000,000 | ---D | M] -- G:\Documents and Settings\Charles Townsend\Application Data\Mozilla\Firefox\Profiles\6nhnclfa.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
[2009/09/06 12:12:57 | 00,000,000 | ---D | M] -- G:\Documents and Settings\Charles Townsend\Application Data\Mozilla\Firefox\Profiles\6nhnclfa.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2009/10/27 23:41:12 | 00,000,000 | ---D | M] -- G:\Documents and Settings\Charles Townsend\Application Data\Mozilla\Firefox\Profiles\6nhnclfa.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2009/10/21 14:48:47 | 00,000,000 | ---D | M] -- G:\Documents and Settings\Charles Townsend\Application Data\Mozilla\Firefox\Profiles\6nhnclfa.default\extensions\{fe0258ab-4f74-43a1-8781-bcdf340f9ee9}
[2009/03/19 20:52:57 | 00,000,000 | ---D | M] -- G:\Documents and Settings\Charles Townsend\Application Data\Mozilla\Firefox\Profiles\6nhnclfa.default\extensions\moveplayer@movenetworks.com
[2008/07/26 20:55:48 | 00,000,000 | ---D | M] -- G:\Documents and Settings\Charles Townsend\Application Data\Mozilla\Sunbird\Profiles\gfo0kjnj.default\extensions
[2009/11/25 17:42:11 | 00,000,000 | ---D | M] -- G:\Program Files\Mozilla Firefox\extensions
[2009/11/22 12:42:11 | 00,000,000 | ---D | M] -- G:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/07/21 19:11:58 | 00,000,000 | ---D | M] -- G:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2009/06/20 12:03:57 | 00,000,000 | ---D | M] -- G:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
[2009/11/02 19:23:26 | 00,023,512 | ---- | M] (Mozilla Foundation) -- G:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2009/11/02 19:23:27 | 00,137,176 | ---- | M] (Mozilla Foundation) -- G:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2007/04/10 16:21:08 | 00,163,256 | ---- | M] (Microsoft Corporation) -- G:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll
[2008/06/17 15:12:42 | 00,114,688 | ---- | M] (Adobe Systems, Inc.) -- G:\Program Files\Mozilla Firefox\plugins\np32dsw.dll
[2009/06/20 12:03:47 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- G:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
[2008/06/27 16:03:12 | 01,446,440 | ---- | M] (Microsoft Corporation) -- G:\Program Files\Mozilla Firefox\plugins\npLegitCheckPlugin.dll
[2009/11/02 19:23:28 | 00,064,984 | ---- | M] (mozilla.org) -- G:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2008/10/14 21:33:29 | 00,095,600 | ---- | M] (Adobe Systems Inc.) -- G:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
[2008/12/29 18:31:57 | 00,143,360 | ---- | M] (Apple Inc.) -- G:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
[2008/12/29 18:31:57 | 00,143,360 | ---- | M] (Apple Inc.) -- G:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
[2008/12/29 18:31:57 | 00,143,360 | ---- | M] (Apple Inc.) -- G:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
[2008/12/29 18:31:57 | 00,143,360 | ---- | M] (Apple Inc.) -- G:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
[2008/12/29 18:31:57 | 00,143,360 | ---- | M] (Apple Inc.) -- G:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
[2008/12/29 18:31:57 | 00,143,360 | ---- | M] (Apple Inc.) -- G:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
[2008/12/29 18:31:57 | 00,143,360 | ---- | M] (Apple Inc.) -- G:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
[2009/11/02 17:16:17 | 00,001,394 | ---- | M] () -- G:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
[2009/11/02 17:16:17 | 00,002,193 | ---- | M] () -- G:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2009/11/02 17:16:17 | 00,001,534 | ---- | M] () -- G:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2009/11/02 17:16:17 | 00,002,344 | ---- | M] () -- G:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
[2009/11/02 17:16:17 | 00,002,371 | ---- | M] () -- G:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2009/11/02 17:16:17 | 00,001,178 | ---- | M] () -- G:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
[2009/11/02 17:16:17 | 00,000,792 | ---- | M] () -- G:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml

O1 HOSTS File: (355926 bytes) - G:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 12234 more lines...
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - No CLSID value found.
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - G:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - G:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AVG8_TRAY] G:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [BrStsWnd] G:\Program Files\Brownie\BrstsWnd.exe (brother)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] G:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [M-Audio Taskbar Icon] G:\WINDOWS\system32\M-AudioTaskBarIcon.exe (M-Audio, an Avid Technology, Inc. company)
O4 - HKLM..\Run: [RTHDCPL] G:\WINDOWS\RTHDCPL.exe (Realtek Semiconductor Corp.)
O4 - HKCU..\Run: [SUPERAntiSpyware] G:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O8 - Extra context menu item: Append to existing PDF - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre6\bin\npjpi160_14.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Webpage Capture - {1F958B09-6612-7a0e-9223-4C7324C57B23} - G:\Program Files\Webpage Capture\Webpage Capture.exe (Endicosoft.com)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: 64 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1216381608576 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1245547670500 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: Microsoft XML Parser for Java file://G:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.190.192.35 66.214.48.27
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - G:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - G:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - G:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - G:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - G:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - G:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - G:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O20 - AppInit_DLLs: (G:\WINDOWS\system32\avgrsstx.dll) - G:\WINDOWS\system32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - G:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - G:\Program Files\SUPERAntiSpyware\SASWINLO.dll - G:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - G:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - G:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - G:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{a1171244-550d-11dd-ae97-001fc6b113d4}\Shell\AutoRun\command - "" = I:\LinksysConnectPC.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - G:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/11/27 18:13:37 | 00,000,000 | ---D | C] -- G:\_OTL
[2009/11/25 17:33:54 | 00,531,456 | ---- | C] (OldTimer Tools) -- G:\Documents and Settings\Charles Townsend\Desktop\OTL.exe
[2009/11/25 11:42:34 | 00,000,000 | ---D | C] -- G:\Documents and Settings\Charles Townsend\Desktop\Whittier
[2009/11/24 22:14:37 | 00,000,000 | ---D | C] -- G:\Program Files\ESET
[2009/11/24 21:35:02 | 00,000,000 | ---D | C] -- G:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/11/24 21:34:54 | 00,000,000 | ---D | C] -- G:\Documents and Settings\Charles Townsend\Application Data\SUPERAntiSpyware.com
[2009/11/24 21:34:54 | 00,000,000 | ---D | C] -- G:\Program Files\SUPERAntiSpyware
[2009/11/24 21:34:27 | 00,000,000 | ---D | C] -- G:\Program Files\Common Files\Wise Installation Wizard
[2009/11/24 21:29:31 | 00,050,688 | ---- | C] (Atribune.org) -- G:\Documents and Settings\Charles Townsend\Desktop\ATF-Cleaner.exe
[2009/11/24 18:17:48 | 00,472,064 | ---- | C] ( ) -- G:\Documents and Settings\Charles Townsend\Desktop\RootRepeal.exe
[2009/11/23 20:45:49 | 01,839,984 | ---- | C] (Trend Micro) -- G:\Documents and Settings\Charles Townsend\Desktop\HousecallLauncher.exe
[2009/11/22 12:27:39 | 00,000,000 | RH-D | C] -- G:\Documents and Settings\Charles Townsend\Recent
[2009/11/22 02:28:40 | 00,028,552 | ---- | C] (Panda Security, S.L.) -- G:\WINDOWS\System32\drivers\pavboot.sys
[2009/11/22 02:27:57 | 00,000,000 | ---D | C] -- G:\Program Files\Panda Security
[2009/11/04 19:16:21 | 00,000,000 | ---D | C] -- G:\Documents and Settings\Charles Townsend\My Documents\PcSetup
[2009/11/04 19:16:16 | 00,102,439 | ---- | C] (RealNetworks, Inc.) -- G:\WINDOWS\System32\sipr3260.dll
[2009/11/04 19:16:15 | 01,184,984 | ---- | C] (Microsoft Corporation) -- G:\WINDOWS\System32\wvc1dmod.dll
[2008/08/27 17:20:35 | 00,047,360 | ---- | C] (VSO Software) -- G:\Documents and Settings\Charles Townsend\Application Data\pcouffin.sys

========== Files - Modified Within 30 Days ==========

[2009/11/27 18:15:51 | 00,000,327 | ---- | M] () -- G:\WINDOWS\Brownie.ini
[2009/11/27 18:14:55 | 00,000,006 | -H-- | M] () -- G:\WINDOWS\tasks\SA.DAT
[2009/11/27 18:14:52 | 00,002,048 | --S- | M] () -- G:\WINDOWS\bootstat.dat
[2009/11/27 18:14:12 | 10,747,904 | -H-- | M] () -- G:\Documents and Settings\Charles Townsend\NTUSER.DAT
[2009/11/27 18:14:06 | 00,000,178 | -HS- | M] () -- G:\Documents and Settings\Charles Townsend\ntuser.ini
[2009/11/27 18:12:51 | 45,823,947 | ---- | M] () -- G:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/11/27 18:12:51 | 00,105,805 | ---- | M] () -- G:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/11/26 21:33:19 | 00,229,376 | ---- | M] () -- G:\Documents and Settings\Charles Townsend\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/25 17:33:57 | 00,531,456 | ---- | M] (OldTimer Tools) -- G:\Documents and Settings\Charles Townsend\Desktop\OTL.exe
[2009/11/25 13:09:21 | 00,000,000 | ---- | M] () -- G:\Documents and Settings\Charles Townsend\Desktop\settings.dat
[2009/11/25 13:01:20 | 00,524,800 | ---- | M] () -- G:\Documents and Settings\Charles Townsend\Desktop\dds.scr
[2009/11/24 22:14:28 | 02,672,312 | ---- | M] () -- G:\Documents and Settings\Charles Townsend\Desktop\esetsmartinstaller_enu.exe
[2009/11/24 22:13:24 | 04,319,420 | -H-- | M] () -- G:\Documents and Settings\Charles Townsend\Local Settings\Application Data\IconCache.db
[2009/11/24 21:34:57 | 00,000,780 | ---- | M] () -- G:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/11/24 21:34:13 | 07,392,800 | ---- | M] () -- G:\Documents and Settings\Charles Townsend\Desktop\SUPERAntiSpyware.exe
[2009/11/24 21:29:32 | 00,050,688 | ---- | M] (Atribune.org) -- G:\Documents and Settings\Charles Townsend\Desktop\ATF-Cleaner.exe
[2009/11/24 18:17:51 | 00,472,064 | ---- | M] ( ) -- G:\Documents and Settings\Charles Townsend\Desktop\RootRepeal.exe
[2009/11/24 18:02:08 | 00,001,393 | ---- | M] () -- G:\WINDOWS\imsins.BAK
[2009/11/23 23:53:49 | 00,000,664 | ---- | M] () -- G:\WINDOWS\System32\d3d9caps.dat
[2009/11/23 20:50:53 | 01,839,984 | ---- | M] (Trend Micro) -- G:\Documents and Settings\Charles Townsend\Desktop\HousecallLauncher.exe
[2009/11/23 20:46:01 | 00,000,036 | ---- | M] () -- G:\Documents and Settings\Charles Townsend\Local Settings\Application Data\housecall.guid.cache
[2009/11/22 22:24:00 | 00,355,926 | R--- | M] () -- G:\WINDOWS\System32\drivers\etc\hosts
[2009/11/22 12:42:14 | 00,001,602 | ---- | M] () -- G:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/11/22 02:27:52 | 00,177,240 | ---- | M] () -- G:\Documents and Settings\Charles Townsend\Desktop\activescan2_en.exe
[2009/11/20 12:17:25 | 00,355,926 | R--- | M] () -- G:\WINDOWS\System32\drivers\etc\hosts.20091122-222359.backup
[2009/11/20 01:35:23 | 00,355,926 | R--- | M] () -- G:\WINDOWS\System32\drivers\etc\hosts.20091120-121725.backup
[2009/11/16 13:13:14 | 00,000,426 | ---- | M] () -- G:\WINDOWS\BRWMARK.INI
[2009/11/16 10:12:53 | 00,013,058 | ---- | M] () -- G:\WINDOWS\System32\wpa.dbl
[2009/11/12 22:59:26 | 00,018,483 | ---- | M] () -- G:\Documents and Settings\Charles Townsend\Desktop\Wawanesa.odt
[2009/11/12 06:36:44 | 00,182,632 | ---- | M] () -- G:\WINDOWS\System32\FNTCACHE.DAT
[2009/11/05 09:36:21 | 26,768,832 | ---- | M] (Microsoft Corporation) -- G:\WINDOWS\System32\MRT.exe
[2009/11/04 21:49:30 | 00,001,041 | ---- | M] () -- G:\Documents and Settings\Charles Townsend\Application Data\vso_ts_preview.xml
[2009/11/01 12:45:16 | 00,508,956 | ---- | M] () -- G:\WINDOWS\System32\PerfStringBackup.INI
[2009/11/01 12:45:16 | 00,432,356 | ---- | M] () -- G:\WINDOWS\System32\perfh009.dat
[2009/11/01 12:45:16 | 00,067,312 | ---- | M] () -- G:\WINDOWS\System32\perfc009.dat
[2009/10/29 22:54:33 | 00,018,174 | ---- | M] () -- G:\Documents and Settings\Charles Townsend\Desktop\Homes.odt

========== Files Created - No Company Name ==========

[2009/11/25 13:09:21 | 00,000,000 | ---- | C] () -- G:\Documents and Settings\Charles Townsend\Desktop\settings.dat
[2009/11/25 13:01:17 | 00,524,800 | ---- | C] () -- G:\Documents and Settings\Charles Townsend\Desktop\dds.scr
[2009/11/24 22:14:18 | 02,672,312 | ---- | C] () -- G:\Documents and Settings\Charles Townsend\Desktop\esetsmartinstaller_enu.exe
[2009/11/24 21:34:57 | 00,000,780 | ---- | C] () -- G:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/11/24 21:30:32 | 07,392,800 | ---- | C] () -- G:\Documents and Settings\Charles Townsend\Desktop\SUPERAntiSpyware.exe
[2009/11/24 18:02:07 | 00,001,393 | ---- | C] () -- G:\WINDOWS\imsins.BAK
[2009/11/23 23:53:49 | 00,000,664 | ---- | C] () -- G:\WINDOWS\System32\d3d9caps.dat
[2009/11/23 20:46:01 | 00,000,036 | ---- | C] () -- G:\Documents and Settings\Charles Townsend\Local Settings\Application Data\housecall.guid.cache
[2009/11/22 02:27:51 | 00,177,240 | ---- | C] () -- G:\Documents and Settings\Charles Townsend\Desktop\activescan2_en.exe
[2009/11/12 22:51:35 | 00,018,483 | ---- | C] () -- G:\Documents and Settings\Charles Townsend\Desktop\Wawanesa.odt
[2009/09/01 17:42:31 | 00,163,840 | ---- | C] () -- G:\WINDOWS\System32\unrar.dll
[2009/09/01 17:42:29 | 03,596,288 | ---- | C] () -- G:\WINDOWS\System32\qt-dx331.dll
[2009/09/01 17:42:29 | 01,559,040 | ---- | C] () -- G:\WINDOWS\System32\xvidcore.dll
[2009/09/01 17:42:29 | 00,564,224 | ---- | C] () -- G:\WINDOWS\System32\x264vfw.dll
[2009/09/01 17:42:29 | 00,282,624 | ---- | C] () -- G:\WINDOWS\System32\xvidvfw.dll
[2009/09/01 17:42:28 | 00,007,680 | ---- | C] () -- G:\WINDOWS\System32\ff_vfw.dll
[2009/09/01 17:42:28 | 00,000,547 | ---- | C] () -- G:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/07/17 17:01:05 | 00,000,000 | ---- | C] () -- G:\Documents and Settings\All Users\Application Data\LauncherAccess.dt
[2009/07/08 04:05:20 | 00,073,728 | ---- | C] () -- G:\WINDOWS\System32\RtNicProp32.dll
[2009/07/06 14:10:47 | 00,000,394 | ---- | C] () -- G:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2009/06/23 15:58:59 | 00,000,724 | ---- | C] () -- G:\Program Files\INSTALL.LOG
[2009/06/23 15:58:58 | 00,149,504 | ---- | C] () -- G:\Program Files\UNWISE.EXE
[2009/06/17 16:00:44 | 00,005,493 | ---- | C] () -- G:\WINDOWS\wininit.ini
[2009/01/27 18:33:40 | 00,000,145 | ---- | C] () -- G:\WINDOWS\BRVIDEO.INI
[2009/01/27 18:33:40 | 00,000,000 | ---- | C] () -- G:\WINDOWS\brmx2001.ini
[2009/01/27 18:33:28 | 00,000,114 | ---- | C] () -- G:\WINDOWS\System32\brlmw03a.ini
[2009/01/27 18:33:27 | 00,009,853 | ---- | C] () -- G:\WINDOWS\HL-2140.INI
[2009/01/27 18:33:06 | 00,000,426 | ---- | C] () -- G:\WINDOWS\BRWMARK.INI
[2009/01/27 18:31:08 | 00,000,327 | ---- | C] () -- G:\WINDOWS\Brownie.ini
[2008/11/25 14:33:05 | 00,000,600 | ---- | C] () -- G:\Documents and Settings\Charles Townsend\Local Settings\Application Data\PUTTY.RND
[2008/08/27 17:20:45 | 00,001,041 | ---- | C] () -- G:\Documents and Settings\Charles Townsend\Application Data\vso_ts_preview.xml
[2008/08/27 17:20:39 | 00,000,034 | ---- | C] () -- G:\Documents and Settings\Charles Townsend\Application Data\pcouffin.log
[2008/08/27 17:20:35 | 00,007,887 | ---- | C] () -- G:\Documents and Settings\Charles Townsend\Application Data\pcouffin.cat
[2008/08/27 17:20:35 | 00,001,144 | ---- | C] () -- G:\Documents and Settings\Charles Townsend\Application Data\pcouffin.inf
[2008/08/15 13:23:27 | 00,005,632 | ---- | C] () -- G:\WINDOWS\System32\drivers\StarOpen.sys
[2008/07/18 12:05:04 | 00,229,376 | ---- | C] () -- G:\Documents and Settings\Charles Townsend\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/07/18 04:36:25 | 00,024,576 | R--- | C] () -- G:\WINDOWS\System32\AsIO.dll
[2008/07/18 04:36:25 | 00,012,664 | R--- | C] () -- G:\WINDOWS\System32\drivers\AsIO.sys
[2008/07/18 04:36:23 | 00,012,096 | ---- | C] () -- G:\WINDOWS\System32\drivers\AsInsHelp64.sys
[2008/07/18 04:36:23 | 00,010,304 | ---- | C] () -- G:\WINDOWS\System32\drivers\AsInsHelp32.sys
[2008/07/18 03:38:07 | 00,035,520 | ---- | C] () -- G:\Documents and Settings\Charles Townsend\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2008/07/18 03:16:18 | 00,013,569 | ---- | C] () -- G:\WINDOWS\Ascd_log.ini
[2008/07/18 03:08:59 | 00,007,842 | ---- | C] () -- G:\WINDOWS\Ascd_tmp.ini
[2008/07/18 03:08:59 | 00,005,810 | R--- | C] () -- G:\WINDOWS\System32\drivers\ASACPI.sys
[2008/07/18 03:08:47 | 00,012,536 | ---- | C] () -- G:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2008/07/18 02:56:57 | 04,319,420 | -H-- | C] () -- G:\Documents and Settings\Charles Townsend\Local Settings\Application Data\IconCache.db
[2008/07/18 02:28:54 | 00,000,062 | -HS- | C] () -- G:\Documents and Settings\Charles Townsend\Application Data\desktop.ini
[2008/07/18 02:24:12 | 00,000,000 | ---- | C] () -- G:\WINDOWS\control.ini
[2008/07/18 02:22:05 | 00,000,037 | ---- | C] () -- G:\WINDOWS\vbaddin.ini
[2008/07/18 02:22:05 | 00,000,036 | ---- | C] () -- G:\WINDOWS\vb.ini
[2008/07/18 02:21:17 | 00,013,223 | ---- | C] () -- G:\WINDOWS\System32\tslabels.ini
[2008/07/18 02:21:15 | 00,001,931 | ---- | C] () -- G:\WINDOWS\System32\msdtcprf.ini
[2008/07/17 19:15:28 | 00,508,956 | ---- | C] () -- G:\WINDOWS\System32\PerfStringBackup.INI
[2008/07/17 19:15:27 | 00,004,161 | ---- | C] () -- G:\WINDOWS\ODBCINST.INI
[2008/07/17 19:15:08 | 00,000,062 | -HS- | C] () -- G:\Documents and Settings\All Users\Application Data\desktop.ini
[2006/06/29 13:58:52 | 00,030,808 | ---- | C] () -- G:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont
[2006/06/29 13:53:56 | 00,026,489 | ---- | C] () -- G:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 14:39:28 | 00,029,779 | ---- | C] () -- G:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/04/18 14:39:28 | 00,026,040 | ---- | C] () -- G:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2004/08/03 23:56:44 | 00,270,848 | ---- | C] () -- G:\WINDOWS\System32\sbe.dll
[2004/08/03 23:56:42 | 00,186,880 | ---- | C] () -- G:\WINDOWS\System32\encdec.dll
[2001/08/18 04:00:00 | 01,291,264 | ---- | C] () -- G:\WINDOWS\System32\quartz.dll
[2001/08/18 04:00:00 | 01,015,477 | ---- | C] () -- G:\WINDOWS\System32\esentprf.ini
[2001/08/18 04:00:00 | 00,733,696 | ---- | C] () -- G:\WINDOWS\System32\qedwipes.dll
[2001/08/18 04:00:00 | 00,562,176 | ---- | C] () -- G:\WINDOWS\System32\qedit.dll
[2001/08/18 04:00:00 | 00,498,742 | ---- | C] () -- G:\WINDOWS\System32\dxmasf.dll
[2001/08/18 04:00:00 | 00,386,048 | ---- | C] () -- G:\WINDOWS\System32\qdvd.dll
[2001/08/18 04:00:00 | 00,355,112 | ---- | C] () -- G:\WINDOWS\System32\msjetoledb40.dll
[2001/08/18 04:00:00 | 00,279,040 | ---- | C] () -- G:\WINDOWS\System32\qdv.dll
[2001/08/18 04:00:00 | 00,252,928 | ---- | C] () -- G:\WINDOWS\System32\compatui.dll
[2001/08/18 04:00:00 | 00,199,168 | ---- | C] () -- G:\WINDOWS\System32\ir32_32.dll
[2001/08/18 04:00:00 | 00,192,512 | ---- | C] () -- G:\WINDOWS\System32\qcap.dll
[2001/08/18 04:00:00 | 00,094,282 | ---- | C] () -- G:\WINDOWS\System32\msencode.dll
[2001/08/18 04:00:00 | 00,070,656 | ---- | C] () -- G:\WINDOWS\System32\amstream.dll
[2001/08/18 04:00:00 | 00,059,904 | ---- | C] () -- G:\WINDOWS\System32\devenum.dll
[2001/08/18 04:00:00 | 00,053,478 | ---- | C] () -- G:\WINDOWS\System32\tcpmon.ini
[2001/08/18 04:00:00 | 00,042,809 | ---- | C] () -- G:\WINDOWS\System32\key01.sys
[2001/08/18 04:00:00 | 00,042,537 | ---- | C] () -- G:\WINDOWS\System32\keyboard.sys
[2001/08/18 04:00:00 | 00,035,648 | ---- | C] () -- G:\WINDOWS\System32\ntio411.sys
[2001/08/18 04:00:00 | 00,035,424 | ---- | C] () -- G:\WINDOWS\System32\ntio412.sys
[2001/08/18 04:00:00 | 00,035,328 | ---- | C] () -- G:\WINDOWS\System32\mciqtz32.dll
[2001/08/18 04:00:00 | 00,034,560 | ---- | C] () -- G:\WINDOWS\System32\ntio804.sys
[2001/08/18 04:00:00 | 00,034,560 | ---- | C] () -- G:\WINDOWS\System32\ntio404.sys
[2001/08/18 04:00:00 | 00,033,840 | ---- | C] () -- G:\WINDOWS\System32\ntio.sys
[2001/08/18 04:00:00 | 00,029,370 | ---- | C] () -- G:\WINDOWS\System32\ntdos411.sys
[2001/08/18 04:00:00 | 00,029,274 | ---- | C] () -- G:\WINDOWS\System32\ntdos412.sys
[2001/08/18 04:00:00 | 00,029,146 | ---- | C] () -- G:\WINDOWS\System32\ntdos804.sys
[2001/08/18 04:00:00 | 00,029,146 | ---- | C] () -- G:\WINDOWS\System32\ntdos404.sys
[2001/08/18 04:00:00 | 00,027,866 | ---- | C] () -- G:\WINDOWS\System32\ntdos.sys
[2001/08/18 04:00:00 | 00,027,097 | ---- | C] () -- G:\WINDOWS\System32\country.sys
[2001/08/18 04:00:00 | 00,015,360 | ---- | C] () -- G:\WINDOWS\System32\tsd32.dll
[2001/08/18 04:00:00 | 00,014,336 | ---- | C] () -- G:\WINDOWS\System32\msdmo.dll
[2001/08/18 04:00:00 | 00,013,312 | ---- | C] () -- G:\WINDOWS\System32\win87em.dll
[2001/08/18 04:00:00 | 00,012,082 | ---- | C] () -- G:\WINDOWS\System32\rsvp.ini
[2001/08/18 04:00:00 | 00,009,029 | ---- | C] () -- G:\WINDOWS\System32\ansi.sys
[2001/08/18 04:00:00 | 00,006,877 | ---- | C] () -- G:\WINDOWS\System32\pschdprf.ini
[2001/08/18 04:00:00 | 00,004,768 | ---- | C] () -- G:\WINDOWS\System32\himem.sys
[2001/08/18 04:00:00 | 00,004,126 | ---- | C] () -- G:\WINDOWS\System32\msdxmlc.dll
[2001/08/18 04:00:00 | 00,003,458 | ---- | C] () -- G:\WINDOWS\System32\rasctrs.ini
[2001/08/18 04:00:00 | 00,002,891 | ---- | C] () -- G:\WINDOWS\System32\perfci.ini
[2001/08/18 04:00:00 | 00,002,732 | ---- | C] () -- G:\WINDOWS\System32\perfwci.ini
[2001/08/18 04:00:00 | 00,001,405 | ---- | C] () -- G:\WINDOWS\msdfmap.ini
[2001/08/18 04:00:00 | 00,001,152 | ---- | C] () -- G:\WINDOWS\System32\perffilt.ini
[2001/08/18 04:00:00 | 00,000,605 | ---- | C] () -- G:\WINDOWS\win.ini
[2001/08/18 04:00:00 | 00,000,343 | ---- | C] () -- G:\WINDOWS\System32\prodspec.ini
[2001/08/18 04:00:00 | 00,000,227 | ---- | C] () -- G:\WINDOWS\system.ini
[2001/08/17 14:36:28 | 00,157,696 | ---- | C] () -- G:\WINDOWS\System32\paqsp.dll
< End of report >

#6 Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:01 AM

Posted 28 November 2009 - 10:49 AM

I see you're running AVG8, but the latest version is out now, so you should install it.
http://free.avg.com/us-en/download-avg-ant...us-free-edition

Once you have it installed and updated, run a full scan. Let me know if it detects anything.


Also I'd like to have you run an online scan to get a second opinion.

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
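The RootRepeal results posted in this thread ("MBR Rootkit Detected!" on the volume, and a file whose size differs between the API and the raw read) come from one technique: read the same object twice, once through the normal OS path and once below any driver a rootkit may have hooked, and treat any difference as the indicator. What follows is an added example written for this page; it is not code from the forum posts, nor from RootRepeal, OTL, AVG or ESET. It parses a 512-byte MBR, applies that two-view comparison, and adds a boot-code hash and partition-table sanity check. The sectors, loader bytes, partition entry and "trusted" hash are all constructed inside the file, and the code reads no real disk; on a live system the two buffers would come from a normal sector read and a read issued beneath the disk stack, which this example does not perform.

```python
"""MBR parsing plus the API-versus-raw comparison used by anti-rootkit scanners.

Added example for this thread, not code from the posts or from RootRepeal.
Every sector, loader string and partition entry is constructed here.
"""
import hashlib
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR
BOOT_CODE_LEN = 440            # bootstrap bytes before the 4-byte disk signature


@dataclass(frozen=True)
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_mbr(sector: bytes):
    """Return (boot_code, disk_signature, [Partition, ...]) for one MBR sector.

    Layout: 440 bytes code, 4-byte disk signature, 2 reserved bytes, four
    16-byte partition entries at offset 446, then 0x55AA at offset 510.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("boot signature 0x55AA missing")
    boot_code = sector[:BOOT_CODE_LEN]
    disk_signature = struct.unpack_from("<I", sector, BOOT_CODE_LEN)[0]
    partitions = []
    for i in range(4):
        entry = sector[446 + 16 * i: 462 + 16 * i]
        status, type_id = entry[0], entry[4]
        lba_start, sector_count = struct.unpack_from("<II", entry, 8)
        if type_id == 0:                      # empty slot
            continue
        partitions.append(Partition(i, status == 0x80, type_id, lba_start, sector_count))
    return boot_code, disk_signature, partitions


def compare_views(api_view: bytes, raw_view: bytes) -> list:
    """Describe how the OS-visible copy of an object differs from the raw copy.

    A rootkit that hooks disk or file I/O hands clean-looking bytes to normal
    reads; a scanner that also reads below the hook sees what is really there.
    The same test on a file yields RootRepeal's "Size mismatch (API/Raw)".
    """
    findings = []
    if len(api_view) != len(raw_view):
        findings.append(f"size mismatch (API: {len(api_view)}, Raw: {len(raw_view)})")
    common = min(len(api_view), len(raw_view))
    diff_at = next((i for i in range(common) if api_view[i] != raw_view[i]), None)
    if diff_at is not None:
        findings.append(f"content differs starting at offset {diff_at}")
    return findings


def audit_mbr(api_view: bytes, raw_view: bytes, trusted_code_sha256: str) -> list:
    """Two-view comparison plus integrity checks on the raw sector itself."""
    findings = compare_views(api_view, raw_view)
    boot_code, _, partitions = parse_mbr(raw_view)
    if hashlib.sha256(boot_code).hexdigest() != trusted_code_sha256:
        findings.append("boot code does not match the trusted image")
    bootable = [p for p in partitions if p.bootable]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable (expected 1)")
    for p in partitions:
        if p.lba_start == 0 or p.sector_count == 0:
            findings.append(f"partition {p.index} has an invalid extent")
    return findings


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a constructed test sector; partitions are (bootable, type, lba, count)."""
    sector = bytearray(boot_code.ljust(BOOT_CODE_LEN, b"\x00"))
    sector += struct.pack("<IH", 0xDEADBEEF, 0)          # disk signature + reserved
    for bootable, type_id, lba, count in partitions:
        sector += struct.pack("<B3sB3sII", 0x80 if bootable else 0,
                              b"\xff\xff\xff", type_id, b"\xff\xff\xff", lba, count)
    sector += b"\x00" * (16 * (4 - len(partitions)))
    sector += BOOT_SIGNATURE
    return bytes(sector)


# Constructed data: a "clean" loader, a patched loader, one bootable NTFS partition.
CLEAN_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"CLEAN LOADER (constructed)"
PATCHED_CODE = b"\xeb\x3c\x90" + b"PATCHED LOADER (constructed)"
PARTITIONS = [(True, 0x07, 63, 200000)]
CLEAN_MBR = build_mbr(CLEAN_CODE, PARTITIONS)
INFECTED_MBR = build_mbr(PATCHED_CODE, PARTITIONS)
# In practice the trusted hash comes from a known-good MBR, e.g. a fresh install.
TRUSTED_SHA256 = hashlib.sha256(CLEAN_CODE.ljust(BOOT_CODE_LEN, b"\x00")).hexdigest()


def demo():
    """A hooked-only read finds nothing; adding a below-hook read exposes the patch."""
    hooked_only = audit_mbr(CLEAN_MBR, CLEAN_MBR, TRUSTED_SHA256)
    with_raw_read = audit_mbr(CLEAN_MBR, INFECTED_MBR, TRUSTED_SHA256)
    return hooked_only, with_raw_read


if __name__ == "__main__":
    for label, result in zip(("hooked read only", "raw read added"), demo()):
        print(f"{label}: {result or 'clean'}")
```

The first call in `demo()` models a scanner whose every read passes through the hooked driver: both buffers are the sanitised copy, the hash matches, and nothing is reported. The second call supplies the genuine on-disk sector as the raw view, and the byte difference at offset 0 plus the hash mismatch are exactly the kind of evidence behind a "MBR Rootkit Detected!" line.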

#7 chaka

  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:05:01 AM

Posted 28 November 2009 - 06:11 PM

Hey. I don't think we're making any progress yet :(. When I went to turn on the computer today I had the same blue screen error that was there at the beginning of all of this: "DRIVER_IRQL_NOT_LESS_OR_EQUAL".

I restarted the computer and then downloaded and installed AVG9, and updated it, but the computer froze midway through a scan. I had to hard restart it.

RootRepeal is still finding "MBR Rootkit". Here is my latest RootRepeal scan log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/28 14:54
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: G:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB0DD2000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: G:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5AC000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: G:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAD88F000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume G:\
Status: MBR Rootkit Detected!

Path: g:\windows\temp\$$$dq3e
Status: Size mismatch (API: 4091, Raw: 3764)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051817.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051835.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051853.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051800.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051801.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051802.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051803.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051804.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051805.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051806.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051807.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051808.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051809.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051810.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051811.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051812.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051813.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051814.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051815.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051816.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051796.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051797.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051798.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051799.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051818.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051819.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051820.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051821.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051822.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051823.ZFSendToTarget
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051824.DeskLink
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051825.ini
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051826.MAPIMail
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051827.mydocs
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051828.ini
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051829.ini
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051830.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051831.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051832.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051833.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051834.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051836.ini
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051837.ini
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051838.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051839.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051840.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051841.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051842.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051843.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051844.ini
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051845.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051846.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051847.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051848.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051849.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051850.ini
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051851.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051852.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051854.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051855.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051856.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051857.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051858.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051859.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051860.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051861.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051862.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051863.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051864.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051865.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051866.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051867.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051868.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051869.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051870.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051871.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051872.ini
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051873.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051874.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051875.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051876.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051877.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051878.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051879.lnk
Status: Could not get file information (Error 0xc0000008)

Path: G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP157\A0051880.sam
Status: Could not get file information (Error 0xc0000008)

Path: G:\Documents and Settings\HelpAssistant\Local Settings\temp\c5ee251e-45cc-462d-94a8-85d716e82fd2.mht
Status: Could not get file information (Error 0xc0000008)

Path: G:\Documents and Settings\HelpAssistant\Local Settings\temp\ce6790aa-4d81-4904-bc7e-e749fe41830e.mht
Status: Could not get file information (Error 0xc0000008)

Path: G:\Documents and Settings\HelpAssistant\Local Settings\temp\f643d3ea-bdb1-4c54-923b-0490a9d4de4e.mht
Status: Could not get file information (Error 0xc0000008)

Path: G:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\6TE9NLBN\CA00A5R3
Status: Could not get file information (Error 0xc0000008)

Path: G:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\6TE9NLBN\CA03R11Y
Status: Could not get file information (Error 0xc0000008)

Path: G:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\6TE9NLBN\CA0AUVD5
Status: Could not get file information (Error 0xc0000008)

Path: G:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\6TE9NLBN\CA0BVY1F
Status: Could not get file information (Error 0xc0000008)

Path: G:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\6TE9NLBN\CA0H776D
Status: Could not get file information (Error 0xc0000008)

Path: G:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\6TE9NLBN\CA0KSFY7
Status: Could not get file information (Error 0xc0000008)

Path: G:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\6TE9NLBN\CA0VRSXM
Status: Could not get file information (Error 0xc0000008)

Path: G:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\6TE9NLBN\CA0YLGVZ
Status: Could not get file information (Error 0xc0000008)

Path: G:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\6TE9NLBN\CA14C2IY
Status: Could not get file information (Error 0xc0000008)

Path: G:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\6TE9NLBN\CA157NNY
Status: Could not get file information (Error 0xc0000008)

Path: G:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\6TE9NLBN\CA15Z1X4
Status: Could not get file information (Error 0xc0000008)

Path: G:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\6TE9NLBN\CA19WLX7
Status: Could not get file information (Error 0xc0000008)

Path: G:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\6TE9NLBN\CA1NUERB
Status: Could not get file information (Error 0xc0000008)

Path: G:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\6TE9NLBN\CA9Q7N7C
Status: Could not get file information (Error 0xc0000008)

SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "G:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xb0f060b0

Stealth Objects
-------------------
Object: Hidden Code [Driver: ACPI, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a3f1f30 Size: 211

==EOF==

#8 Buckeye_Sam

Posted 28 November 2009 - 09:12 PM

Keep in mind that "DRIVER_IRQL_NOT_LESS_OR_EQUAL" is often related to hardware issues. I'm not saying that it's not being caused by your rootkit infection, but you should be aware that you may have faulty hardware also.

I'm assuming that you did not run the Eset online virus scan.

Please disable your antivirus program.
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.

    Files to move:
    G:\WINDOWS\ServicePackFiles\i386\atapi.sys | G:\WINDOWS\system32\drivers\atapi.sys
  • In the avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt). Please copy and paste this log into your next reply.

After this step let me know if you notice any improvement.

#9 chaka

Posted 28 November 2009 - 10:12 PM

I know that that particular blue screen error could be caused by hardware/driver conflicts, but I really doubt there is a hardware issue (unless it has been caused by the rootkit/viruses) because this system has been stable since I built it almost a year ago and I haven't changed the hardware at all. Those bluescreens started happening after I noticed the other problems with performance/viruses.

I ran Avenger as you instructed. The scan log is below. There doesn't seem to be any change. The hard drive is still running continuously for no reason. The system is extremely slow...

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at G:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "G:\WINDOWS\ServicePackFiles\i386\atapi.sys|G:\WINDOWS\system32\drivers\atapi.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

#10 Buckeye_Sam

Posted 29 November 2009 - 09:34 AM

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the contents of C:\ComboFix.txt in your next reply.

#11 chaka

Posted 29 November 2009 - 03:58 PM

Hey. I ran combofix, and the system froze during the first scan. I had to hard restart. I ran it a second time, and here is the log:


ComboFix 09-11-29.02 - Charles Townsend 11/29/2009 12:44.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3454.2837 [GMT -8:00]
Running from: g:\documents and settings\Charles Townsend\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

g:\program files\INSTALL.LOG
g:\windows\system32\UACnognvexwkmlwmmx.db

.
((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-29 )))))))))))))))))))))))))))))))
.

2009-11-29 02:22 . 2009-11-29 02:22 -------- d-----w- g:\documents and settings\Charles Townsend\Application Data\AVG9
2009-11-28 20:44 . 2009-11-28 20:13 497944 ----a-w- g:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-28 20:44 . 2009-11-28 20:13 3963648 ----a-w- g:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-28 20:44 . 2009-11-28 20:13 877848 ----a-w- g:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2009-11-28 20:44 . 2009-11-28 20:13 1657112 ----a-w- g:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-28 20:14 . 2009-11-28 20:14 -------- d-----w- G:\$AVG
2009-11-28 20:14 . 2009-11-28 20:14 360584 ----a-w- g:\windows\system32\drivers\avgtdix.sys
2009-11-28 20:13 . 2009-11-28 20:13 -------- d-----w- g:\documents and settings\All Users\Application Data\avg9
2009-11-28 20:08 . 2009-11-28 20:10 -------- d-----w- g:\documents and settings\Charles Townsend\Local Settings\Application Data\ApplicationHistory
2009-11-28 20:07 . 2009-11-28 20:09 -------- d-----w- g:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-11-28 19:49 . 2009-11-28 19:49 -------- d-----w- g:\documents and settings\Charles Townsend\Application Data\Windows Desktop Search
2009-11-28 19:49 . 2009-11-28 20:17 -------- d-----w- g:\program files\Windows Desktop Search
2009-11-28 19:49 . 2009-11-28 19:49 -------- d-----w- g:\windows\system32\GroupPolicy
2009-11-28 19:47 . 2009-11-28 19:47 -------- d-----w- g:\windows\system32\URTTEMP
2009-11-28 19:47 . 2009-10-02 04:44 92160 -c----w- g:\windows\system32\dllcache\iecompat.dll
2009-11-28 02:13 . 2009-11-28 02:13 -------- d-----w- G:\_OTL
2009-11-25 06:14 . 2009-11-25 06:14 -------- d-----w- g:\program files\ESET
2009-11-25 05:35 . 2009-11-25 05:35 117760 ----a-w- g:\documents and settings\Charles Townsend\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-25 05:35 . 2009-11-25 05:35 -------- d-----w- g:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-25 05:34 . 2009-11-25 05:34 -------- d-----w- g:\program files\SUPERAntiSpyware
2009-11-25 05:34 . 2009-11-25 05:34 -------- d-----w- g:\documents and settings\Charles Townsend\Application Data\SUPERAntiSpyware.com
2009-11-25 05:34 . 2009-11-25 05:34 -------- d-----w- g:\program files\Common Files\Wise Installation Wizard
2009-11-24 07:53 . 2009-11-24 07:53 664 ----a-w- g:\windows\system32\d3d9caps.dat
2009-11-24 07:41 . 2009-11-24 07:41 -------- d-sh--w- g:\documents and settings\Administrator\IECompatCache
2009-11-22 10:28 . 2009-06-30 17:37 28552 ----a-w- g:\windows\system32\drivers\pavboot.sys
2009-11-22 10:27 . 2009-11-22 10:27 -------- d-----w- g:\program files\Panda Security
2009-11-20 20:15 . 2009-11-20 20:15 -------- d-sh--w- g:\documents and settings\Administrator\IETldCache
2009-11-20 08:14 . 2009-11-20 08:14 -------- d-----w- g:\documents and settings\HelpAssistant\UserData
2009-11-20 08:13 . 2009-11-20 08:13 -------- d-----w- g:\documents and settings\HelpAssistant\PrivacIE
2009-11-05 03:16 . 2009-09-03 00:41 102439 ----a-w- g:\windows\system32\sipr3260.dll
2009-11-05 03:16 . 2009-09-03 00:41 1184984 ----a-w- g:\windows\system32\wvc1dmod.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-28 20:14 . 2009-01-28 01:49 12464 ----a-w- g:\windows\system32\avgrsstx.dll
2009-11-28 20:14 . 2008-07-18 22:49 333192 ----a-w- g:\windows\system32\drivers\avgldx86.sys
2009-11-28 20:13 . 2008-07-18 22:49 28424 ----a-w- g:\windows\system32\drivers\avgmfx86.sys
2009-11-28 20:13 . 2008-07-18 22:49 -------- d-----w- g:\program files\AVG
2009-11-25 19:46 . 2009-07-22 03:30 1 ----a-w- g:\documents and settings\Charles Townsend\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-25 05:27 . 2008-07-28 19:21 -------- d-----w- g:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-24 09:38 . 2008-07-27 04:55 -------- d-----w- g:\program files\Mozilla Sunbird
2009-11-20 19:54 . 2009-01-01 23:07 -------- d-----w- g:\program files\Spybot - Search & Destroy
2009-11-20 09:35 . 2009-06-23 22:53 -------- d-----w- g:\program files\Malwarebytes' Anti-Malware
2009-11-20 09:35 . 2009-08-31 04:00 4045528 ----a-w- g:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-11-19 01:17 . 2008-07-18 12:47 -------- d-----w- g:\program files\PeerGuardian2
2009-11-19 01:17 . 2008-07-18 12:43 -------- d-----w- g:\documents and settings\Charles Townsend\Application Data\uTorrent
2009-11-18 06:36 . 2008-11-25 22:30 -------- d-----w- g:\documents and settings\Charles Townsend\Application Data\FileZilla
2009-11-06 18:55 . 2008-07-18 11:31 177024 ----a-w- g:\windows\system32\drivers\Rtenicxp.sys
2009-11-05 05:49 . 2008-08-28 01:20 -------- d-----w- g:\documents and settings\Charles Townsend\Application Data\Vso
2009-11-05 03:44 . 2008-12-16 16:20 -------- d---a-w- g:\documents and settings\All Users\Application Data\TEMP
2009-11-05 03:44 . 2009-09-02 01:42 -------- d-----w- g:\program files\K-Lite Codec Pack
2009-10-08 22:57 . 2008-07-30 02:59 611328 ----a-w- g:\windows\system32\uiautomationcore.dll
2009-10-08 22:57 . 2001-08-18 12:00 220160 ----a-w- g:\windows\system32\oleacc.dll
2009-10-08 22:56 . 2001-08-18 12:00 20480 ----a-w- g:\windows\system32\oleaccrc.dll
2009-09-24 06:34 . 2008-07-18 11:38 35520 -c--a-w- g:\documents and settings\Charles Townsend\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-11 14:18 . 2001-08-18 12:00 136192 ----a-w- g:\windows\system32\msv1_0.dll
2009-09-10 22:54 . 2009-06-23 22:53 38224 ----a-w- g:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 22:53 . 2009-06-23 22:53 19160 ----a-w- g:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2001-08-18 12:00 58880 ----a-w- g:\windows\system32\msasn1.dll
1999-06-25 17:55 . 2009-06-23 23:58 149504 ----a-w- g:\program files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="g:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-23 2001648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BrStsWnd"="g:\program files\Brownie\BrstsWnd.exe Autorun" [X]
"M-Audio Taskbar Icon"="g:\windows\System32\M-AudioTaskBarIcon.exe" [2005-10-18 91136]
"Malwarebytes Anti-Malware (reboot)"="g:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"AVG9_TRAY"="g:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-28 2020120]
"RTHDCPL"="RTHDCPL.EXE" - g:\windows\RTHDCPL.exe [2007-08-10 16384000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="g:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

g:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - g:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "g:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "g:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- g:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-28 20:14 12464 ----a-w- g:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=g:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi2"=usbnz1x1.dll

[HKLM\~\startupfolder\G:^Documents and Settings^All Users^Start Menu^Programs^Startup^ImageMixer 3 SE Camera Monitor.lnk]
path=g:\documents and settings\All Users\Start Menu\Programs\Startup\ImageMixer 3 SE Camera Monitor.lnk
backup=g:\windows\pss\ImageMixer 3 SE Camera Monitor.lnkCommon Startup

[HKLM\~\startupfolder\G:^Documents and Settings^Charles Townsend^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=g:\documents and settings\Charles Townsend\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=g:\windows\pss\OpenOffice.org 2.4.lnkStartup

[HKLM\~\startupfolder\G:^Documents and Settings^Charles Townsend^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=g:\documents and settings\Charles Townsend\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=g:\windows\pss\OpenOffice.org 3.1.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"g:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"g:\\Program Files\\Common Files\\Macrovision Shared\\FLEXnet Publisher\\FNPLicensingService.exe"=
"g:\\WINDOWS\\system32\\spoolsv.exe"=
"g:\\Program Files\\M-Audio\\Ozone\\Install\\ozinst.exe"=
"g:\\WINDOWS\\system32\\sessmgr.exe"=
"g:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"g:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"g:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop

R0 pavboot;pavboot;g:\windows\system32\drivers\pavboot.sys [11/22/2009 2:28 AM 28552]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;g:\windows\system32\drivers\avgldx86.sys [7/18/2008 2:49 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;g:\windows\system32\drivers\avgtdix.sys [11/28/2009 12:14 PM 360584]
R1 SASDIFSV;SASDIFSV;g:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
R1 SASKUTIL;SASKUTIL;g:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
R2 avg9emc;AVG Free E-mail Scanner;g:\program files\AVG\AVG9\avgemc.exe [11/28/2009 12:13 PM 906520]
R2 avg9wd;AVG Free WatchDog;g:\program files\AVG\AVG9\avgwdsvc.exe [11/28/2009 12:13 PM 285392]
R3 SASENUM;SASENUM;g:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
S3 ma763008;M-Audio Ozone;g:\windows\system32\drivers\MA763008.sys [7/23/2009 12:43 PM 63872]
S3 MADFU008;MADFU008;g:\windows\system32\drivers\MADFU008.sys [7/23/2009 12:43 PM 14336]
S3 RkPavproc1;RkPavproc1;\??\g:\windows\system32\drivers\RkPavproc1.sys --> g:\windows\system32\drivers\RkPavproc1.sys [?]
S3 USBNZ1X1;M-Audio Ozone Midi;g:\windows\system32\drivers\usbnz1x1.sys [7/23/2009 12:43 PM 22272]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {A75BF1D0-C7C3-CB55-EE17-3225387FD154} /qb
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://webmail.ucr.edu/
IE: Append to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
DPF: Microsoft XML Parser for Java - file://g:\windows\Java\classes\xmldso.cab
FF - ProfilePath - g:\documents and settings\Charles Townsend\Application Data\Mozilla\Firefox\Profiles\6nhnclfa.default\
FF - prefs.js: browser.startup.homepage - webmail.ucr.edu
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: g:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: g:\documents and settings\Charles Townsend\Application Data\Mozilla\Firefox\Profiles\6nhnclfa.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: g:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - g:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
g:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-Native Instruments - Rig Kontrol 3 Driver - g:\program files\Native Instruments\Rig Kontrol 3 Driver\uninst.exe Software\Native Instruments\Rig Kontrol 3 Driver\Setup



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-29 12:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A39AF30]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
\Driver\ACPI -> 0x8a39af30
\Driver\atapi -> atapi.sys @ 0xb9f37852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek PCIe GBE Family Controller -> SendCompleteHandler -> 0x8a3d7480
PacketIndicateHandler -> NDIS.sys @ 0xb9e32a0d
SendHandler -> NDIS.sys @ 0xb9e46b40
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x02542D6C1
malicious code @ sector 0x02542D6C4 !
PE file found in sector at 0x02542D6DA !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\Hw*]
"DisplayName"="???\17?\11\09"
"DeviceDesc"="???\17?\11\09"
"ProviderName"="???\11?\17?\11??"
"MFG"="???????"
"ReinstallString"=".10.1000.7"
"DeviceInstanceIds"=multi:"f:\\drivers\\chipset\\driver\\x86_x64\\sbdrv\\smbus\\smbusati.inf\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
g:\program files\SUPERAntiSpyware\SASWINLO.dll
g:\windows\system32\WININET.dll
g:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-11-29 12:52
ComboFix-quarantined-files.txt 2009-11-29 20:52

Pre-Run: 81,573,486,592 bytes free
Post-Run: 81,748,779,008 bytes free

- - End Of File - - 33BB5CEAC882F11CA840791D2765E477

#12 Buckeye_Sam

    Malware Expert

Posted 29 November 2009 - 09:08 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.

MBR::
Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 chaka

    Topic Starter

Posted 29 November 2009 - 11:18 PM

Hi. I ran combofix as directed. Here is the log. My hard drive still seems to be running like crazy...


ComboFix 09-11-29.02 - Charles Townsend 11/29/2009 19:30.5.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3454.2868 [GMT -8:00]
Running from: g:\documents and settings\Charles Townsend\Desktop\ComboFix.exe
Command switches used :: g:\documents and settings\Charles Townsend\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-30 )))))))))))))))))))))))))))))))
.

2009-11-29 02:22 . 2009-11-29 02:22 -------- d-----w- g:\documents and settings\Charles Townsend\Application Data\AVG9
2009-11-28 20:44 . 2009-11-28 20:13 497944 ----a-w- g:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-28 20:44 . 2009-11-28 20:13 3963648 ----a-w- g:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-28 20:44 . 2009-11-28 20:13 877848 ----a-w- g:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2009-11-28 20:44 . 2009-11-28 20:13 1657112 ----a-w- g:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-28 20:14 . 2009-11-28 20:14 -------- d-----w- G:\$AVG
2009-11-28 20:14 . 2009-11-28 20:14 360584 ----a-w- g:\windows\system32\drivers\avgtdix.sys
2009-11-28 20:13 . 2009-11-28 20:13 -------- d-----w- g:\documents and settings\All Users\Application Data\avg9
2009-11-28 20:08 . 2009-11-28 20:10 -------- d-----w- g:\documents and settings\Charles Townsend\Local Settings\Application Data\ApplicationHistory
2009-11-28 20:07 . 2009-11-28 20:09 -------- d-----w- g:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-11-28 19:49 . 2009-11-28 19:49 -------- d-----w- g:\documents and settings\Charles Townsend\Application Data\Windows Desktop Search
2009-11-28 19:49 . 2009-11-28 20:17 -------- d-----w- g:\program files\Windows Desktop Search
2009-11-28 19:49 . 2009-11-28 19:49 -------- d-----w- g:\windows\system32\GroupPolicy
2009-11-28 19:47 . 2009-11-28 19:47 -------- d-----w- g:\windows\system32\URTTEMP
2009-11-28 19:47 . 2009-10-02 04:44 92160 -c----w- g:\windows\system32\dllcache\iecompat.dll
2009-11-28 02:13 . 2009-11-28 02:13 -------- d-----w- G:\_OTL
2009-11-25 06:14 . 2009-11-25 06:14 -------- d-----w- g:\program files\ESET
2009-11-25 05:35 . 2009-11-25 05:35 117760 ----a-w- g:\documents and settings\Charles Townsend\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-25 05:35 . 2009-11-25 05:35 -------- d-----w- g:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-25 05:34 . 2009-11-25 05:34 -------- d-----w- g:\program files\SUPERAntiSpyware
2009-11-25 05:34 . 2009-11-25 05:34 -------- d-----w- g:\documents and settings\Charles Townsend\Application Data\SUPERAntiSpyware.com
2009-11-25 05:34 . 2009-11-25 05:34 -------- d-----w- g:\program files\Common Files\Wise Installation Wizard
2009-11-24 07:53 . 2009-11-24 07:53 664 ----a-w- g:\windows\system32\d3d9caps.dat
2009-11-24 07:41 . 2009-11-24 07:41 -------- d-sh--w- g:\documents and settings\Administrator\IECompatCache
2009-11-22 10:28 . 2009-06-30 17:37 28552 ----a-w- g:\windows\system32\drivers\pavboot.sys
2009-11-22 10:27 . 2009-11-22 10:27 -------- d-----w- g:\program files\Panda Security
2009-11-20 20:15 . 2009-11-20 20:15 -------- d-sh--w- g:\documents and settings\Administrator\IETldCache
2009-11-20 08:14 . 2009-11-20 08:14 -------- d-----w- g:\documents and settings\HelpAssistant\UserData
2009-11-20 08:13 . 2009-11-20 08:13 -------- d-----w- g:\documents and settings\HelpAssistant\PrivacIE
2009-11-05 03:16 . 2009-09-03 00:41 102439 ----a-w- g:\windows\system32\sipr3260.dll
2009-11-05 03:16 . 2009-09-03 00:41 1184984 ----a-w- g:\windows\system32\wvc1dmod.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-28 20:14 . 2009-01-28 01:49 12464 ----a-w- g:\windows\system32\avgrsstx.dll
2009-11-28 20:14 . 2008-07-18 22:49 333192 ----a-w- g:\windows\system32\drivers\avgldx86.sys
2009-11-28 20:13 . 2008-07-18 22:49 28424 ----a-w- g:\windows\system32\drivers\avgmfx86.sys
2009-11-28 20:13 . 2008-07-18 22:49 -------- d-----w- g:\program files\AVG
2009-11-25 19:46 . 2009-07-22 03:30 1 ----a-w- g:\documents and settings\Charles Townsend\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-25 05:27 . 2008-07-28 19:21 -------- d-----w- g:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-24 09:38 . 2008-07-27 04:55 -------- d-----w- g:\program files\Mozilla Sunbird
2009-11-20 19:54 . 2009-01-01 23:07 -------- d-----w- g:\program files\Spybot - Search & Destroy
2009-11-20 09:35 . 2009-06-23 22:53 -------- d-----w- g:\program files\Malwarebytes' Anti-Malware
2009-11-20 09:35 . 2009-08-31 04:00 4045528 ----a-w- g:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-11-19 01:17 . 2008-07-18 12:47 -------- d-----w- g:\program files\PeerGuardian2
2009-11-19 01:17 . 2008-07-18 12:43 -------- d-----w- g:\documents and settings\Charles Townsend\Application Data\uTorrent
2009-11-18 06:36 . 2008-11-25 22:30 -------- d-----w- g:\documents and settings\Charles Townsend\Application Data\FileZilla
2009-11-06 18:55 . 2008-07-18 11:31 177024 ----a-w- g:\windows\system32\drivers\Rtenicxp.sys
2009-11-05 05:49 . 2008-08-28 01:20 -------- d-----w- g:\documents and settings\Charles Townsend\Application Data\Vso
2009-11-05 03:44 . 2008-12-16 16:20 -------- d---a-w- g:\documents and settings\All Users\Application Data\TEMP
2009-11-05 03:44 . 2009-09-02 01:42 -------- d-----w- g:\program files\K-Lite Codec Pack
2009-10-08 22:57 . 2008-07-30 02:59 611328 ----a-w- g:\windows\system32\uiautomationcore.dll
2009-10-08 22:57 . 2001-08-18 12:00 220160 ----a-w- g:\windows\system32\oleacc.dll
2009-10-08 22:56 . 2001-08-18 12:00 20480 ----a-w- g:\windows\system32\oleaccrc.dll
2009-09-24 06:34 . 2008-07-18 11:38 35520 -c--a-w- g:\documents and settings\Charles Townsend\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-11 14:18 . 2001-08-18 12:00 136192 ----a-w- g:\windows\system32\msv1_0.dll
2009-09-10 22:54 . 2009-06-23 22:53 38224 ----a-w- g:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 22:53 . 2009-06-23 22:53 19160 ----a-w- g:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2001-08-18 12:00 58880 ----a-w- g:\windows\system32\msasn1.dll
1999-06-25 17:55 . 2009-06-23 23:58 149504 ----a-w- g:\program files\UNWISE.EXE
.

((((((((((((((((((((((((((((( SnapShot@2009-11-29_20.49.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-30 03:24 . 2009-11-30 03:24 16384 g:\windows\Temp\Perflib_Perfdata_194.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="g:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-23 2001648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BrStsWnd"="g:\program files\Brownie\BrstsWnd.exe Autorun" [X]
"M-Audio Taskbar Icon"="g:\windows\System32\M-AudioTaskBarIcon.exe" [2005-10-18 91136]
"Malwarebytes Anti-Malware (reboot)"="g:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"AVG9_TRAY"="g:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-28 2020120]
"RTHDCPL"="RTHDCPL.EXE" - g:\windows\RTHDCPL.exe [2007-08-10 16384000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="g:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

g:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - g:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "g:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "g:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- g:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-28 20:14 12464 ----a-w- g:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=g:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi2"=usbnz1x1.dll

[HKLM\~\startupfolder\G:^Documents and Settings^All Users^Start Menu^Programs^Startup^ImageMixer 3 SE Camera Monitor.lnk]
path=g:\documents and settings\All Users\Start Menu\Programs\Startup\ImageMixer 3 SE Camera Monitor.lnk
backup=g:\windows\pss\ImageMixer 3 SE Camera Monitor.lnkCommon Startup

[HKLM\~\startupfolder\G:^Documents and Settings^Charles Townsend^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=g:\documents and settings\Charles Townsend\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=g:\windows\pss\OpenOffice.org 2.4.lnkStartup

[HKLM\~\startupfolder\G:^Documents and Settings^Charles Townsend^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=g:\documents and settings\Charles Townsend\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=g:\windows\pss\OpenOffice.org 3.1.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"g:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"g:\\Program Files\\Common Files\\Macrovision Shared\\FLEXnet Publisher\\FNPLicensingService.exe"=
"g:\\WINDOWS\\system32\\spoolsv.exe"=
"g:\\Program Files\\M-Audio\\Ozone\\Install\\ozinst.exe"=
"g:\\WINDOWS\\system32\\sessmgr.exe"=
"g:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"g:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"g:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop

R0 pavboot;pavboot;g:\windows\system32\drivers\pavboot.sys [11/22/2009 2:28 AM 28552]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;g:\windows\system32\drivers\avgldx86.sys [7/18/2008 2:49 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;g:\windows\system32\drivers\avgtdix.sys [11/28/2009 12:14 PM 360584]
R1 SASDIFSV;SASDIFSV;g:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
R1 SASKUTIL;SASKUTIL;g:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
R2 avg9emc;AVG Free E-mail Scanner;g:\program files\AVG\AVG9\avgemc.exe [11/28/2009 12:13 PM 906520]
R2 avg9wd;AVG Free WatchDog;g:\program files\AVG\AVG9\avgwdsvc.exe [11/28/2009 12:13 PM 285392]
R3 SASENUM;SASENUM;g:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
S3 ma763008;M-Audio Ozone;g:\windows\system32\drivers\MA763008.sys [7/23/2009 12:43 PM 63872]
S3 MADFU008;MADFU008;g:\windows\system32\drivers\MADFU008.sys [7/23/2009 12:43 PM 14336]
S3 RkPavproc1;RkPavproc1;\??\g:\windows\system32\drivers\RkPavproc1.sys --> g:\windows\system32\drivers\RkPavproc1.sys [?]
S3 USBNZ1X1;M-Audio Ozone Midi;g:\windows\system32\drivers\usbnz1x1.sys [7/23/2009 12:43 PM 22272]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {A75BF1D0-C7C3-CB55-EE17-3225387FD154} /qb
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://webmail.ucr.edu/
IE: Append to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
DPF: Microsoft XML Parser for Java - file://g:\windows\Java\classes\xmldso.cab
FF - ProfilePath - g:\documents and settings\Charles Townsend\Application Data\Mozilla\Firefox\Profiles\6nhnclfa.default\
FF - prefs.js: browser.startup.homepage - webmail.ucr.edu
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: g:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: g:\documents and settings\Charles Townsend\Application Data\Mozilla\Firefox\Profiles\6nhnclfa.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: g:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - g:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
g:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-29 19:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A390F30]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
\Driver\ACPI -> 0x8a390f30
\Driver\atapi -> atapi.sys @ 0xb9f37852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek PCIe GBE Family Controller -> SendCompleteHandler -> 0x8a3cd480
PacketIndicateHandler -> NDIS.sys @ 0xb9e32a0d
SendHandler -> NDIS.sys @ 0xb9e46b40
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x02542D6C1
malicious code @ sector 0x02542D6C4 !
PE file found in sector at 0x02542D6DA !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\Hw*]
"DisplayName"="???\17?\11\09"
"DeviceDesc"="???\17?\11\09"
"ProviderName"="???\11?\17?\11??"
"MFG"="???????"
"ReinstallString"=".10.1000.7"
"DeviceInstanceIds"=multi:"f:\\drivers\\chipset\\driver\\x86_x64\\sbdrv\\smbus\\smbusati.inf\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
g:\program files\SUPERAntiSpyware\SASWINLO.dll
g:\windows\system32\WININET.dll
g:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2752)
g:\windows\system32\WININET.dll
g:\windows\system32\ieframe.dll
g:\program files\Windows Desktop Search\deskbar.dll
g:\program files\Windows Desktop Search\en-us\dbres.dll.mui
g:\program files\Windows Desktop Search\dbres.dll
g:\program files\Windows Desktop Search\wordwheel.dll
g:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
g:\program files\Windows Desktop Search\msnlExtRes.dll
g:\windows\system32\webcheck.dll
g:\windows\system32\WPDShServiceObj.dll
g:\windows\system32\PortableDeviceTypes.dll
g:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-29 19:40
ComboFix-quarantined-files.txt 2009-11-30 03:39
ComboFix2.txt 2009-11-29 20:52

Pre-Run: 81,756,737,536 bytes free
Post-Run: 81,706,336,256 bytes free

- - End Of File - - F57A8AFB79F626BFEEAF80D925F8329C

#14 Buckeye_Sam

    Malware Expert

Posted 30 November 2009 - 08:01 AM

Download this file and save it to your C:\ directory.
http://www2.gmer.net/mbr/mbr.exe

Click Start -> Run -> mbr.exe -f

Note that there is a space between exe and -f

It should create a short log.
Please post that in your next reply.

Edited by Buckeye_Sam, 30 November 2009 - 08:02 AM.



========================================================

#15 chaka

    Topic Starter

Posted 30 November 2009 - 07:46 PM

I tried twice to run mbr.exe as instructed, and it ran, but it didn't generate any log (or at least I can't find any log on my computer). I then ran it by just double clicking mbr.exe in my G:\ directory and this is the log I got:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x8a398f30
NDIS: Realtek PCIe GBE Family Controller -> SendCompleteHandler -> 0x8a3d5480
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x02542D6C1
malicious code @ sector 0x02542D6C4 !
PE file found in sector at 0x02542D6DA !
Use "Recovery Console" command "fixmbr" to clear infection !
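For the procedure in post #14 (run mbr.exe, post the log) and the report in post #15, here is an added triage helper that is not part of the thread and not Gmer's own code: it parses the mbr.exe report layout shown above, separates hooks that resolve to a named driver (`atapi.sys @ 0x...`) from hooks that point at a bare address no driver owns, and reads the reported sector numbers so a responder can see how the saved MBR copy, the malicious code and the embedded PE file sit relative to each other. The sample log is constructed in that layout, and the function names (parse_mbr_log, sector_offsets, triage) are mine.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, laid out like the mbr.exe output quoted in this thread.
SAMPLE_LOG = """\
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\\Driver\\ACPI -> 0x8a398f30
\\Driver\\atapi -> atapi.sys @ 0xb9f37852
NDIS: Realtek PCIe GBE Family Controller -> SendCompleteHandler -> 0x8a3d5480
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x02542D6C1
malicious code @ sector 0x02542D6C4 !
PE file found in sector at 0x02542D6DA !
Use "Recovery Console" command "fixmbr" to clear infection !
"""

# A hook target is either "module @ address" (attributable) or a bare address (not).
NAMED_TARGET = re.compile(r"^(?P<module>\S+\.(?:sys|exe)) @ (?P<addr>0x[0-9a-f]+)$", re.I)
BARE_TARGET = re.compile(r"^0x[0-9a-f]+$", re.I)
SECTOR = re.compile(r"sector (?:at )?(?P<sector>0x[0-9a-f]+)", re.I)
SECTOR_LABELS = {"copy of MBR": "mbr_copy", "malicious code": "malicious_code", "PE file": "pe_file"}

@dataclass
class MbrReport:
    mbr_read_ok: bool = False        # user-mode and kernel-mode reads both succeeded
    infection_flagged: bool = False  # detector printed a rootkit infection warning
    named_hooks: dict = field(default_factory=dict)       # object -> (module, address)
    unresolved_hooks: dict = field(default_factory=dict)  # object -> address, no module
    sectors: dict = field(default_factory=dict)           # label -> absolute sector number

def parse_mbr_log(text: str) -> MbrReport:
    """Parse one mbr.exe report; lines the parser does not know are ignored."""
    rep, reads = MbrReport(), set()
    for line in (l.strip() for l in text.splitlines()):
        if line in ("user: MBR read successfully", "kernel: MBR read successfully"):
            reads.add(line.split(":")[0])
        elif "rootkit infection" in line:
            rep.infection_flagged = True
        elif " -> " in line:
            # "object -> [handler ->] target": the last element is where control goes.
            obj, *_, target = line.split(" -> ")
            m = NAMED_TARGET.match(target)
            if m:
                rep.named_hooks[obj] = (m["module"], int(m["addr"], 16))
            elif BARE_TARGET.match(target):
                rep.unresolved_hooks[obj] = int(target, 16)
        elif (m := SECTOR.search(line)):
            for key, label in SECTOR_LABELS.items():
                if key in line:
                    rep.sectors[label] = int(m["sector"], 16)
    rep.mbr_read_ok = reads == {"user", "kernel"}
    return rep

def sector_offsets(rep: MbrReport) -> dict:
    """Distance in sectors of each finding from the saved copy of the original MBR."""
    base = rep.sectors.get("mbr_copy")
    return {} if base is None else {k: v - base for k, v in rep.sectors.items() if k != "mbr_copy"}

def triage(rep: MbrReport) -> list:
    """Findings a responder acts on: hooks no driver owns, and code stored outside the filesystem."""
    out = [f"{obj} diverted to {addr:#x}, an address no named driver owns"
           for obj, addr in rep.unresolved_hooks.items()]
    off = sector_offsets(rep)
    if "malicious_code" in off:
        out.append(f"malicious code stored {off['malicious_code']} sectors after the saved original MBR")
    return out
```

On the constructed sample the malicious code sits 3 sectors and the PE file 25 sectors past the stored MBR copy, which is the pattern of a bootkit that keeps its body in raw sectors at the end of the disk rather than in any file.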



