
Virus found/deleted, and now When I try to open C or D Drive: "RUNDLL Error loading.\Thumbs.lnk The specified module could not be found"


  • This topic is locked
30 replies to this topic

#1 lugnuts9

lugnuts9

  • Members
  • 79 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:19 PM

Posted 11 December 2009 - 03:31 PM

Problem:
When trying to open C or D Drive:

"RUNDLL
Error loading.\Thumbs.lnk
The specified module could not be found"


- If I right-click on the C or D drive, on the top where it should say "Open",
it has some random/encrypted symbols instead.

-----------------------------------

Steps Taken / Timeline:
New computer, just started using this about a week ago.

Malwarebytes updated and scanned daily.

I did not have AVG installed (banghead) until this morning.

I was browsing a (non-porn!) site today, I went to open another link and got an "internet explorer error" (sorry, I do not know the exact error, I recognized it as a suspicious error).

Malwarebytes and AVG found and removed threats, I have these logs and a Hijackthis log ready to post, if it is appropriate here.
-------------------------------
System:
Dell Latitude C400 Laptop
Microsoft XP Service Pack 2
IE Browser Version 6.0.2900.2180
--------------------------------
Maintenance Programs:
Malwarebytes updated and scanned daily
AVG Free freshly installed, updated, and scanned
---------------------------------

Thank You!

Malwarebytes and AVG scans below the HJT log.


CURRENT HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:10:38 PM, on 12/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Verizon Online Dialer.lnk = C:\Program Files\Common Files\Verizon Online\ConnMgr\Verizon Online.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} (System Requirements Lab) - http://intel-drv-cdn.systemrequirementslab...reqlab_srlx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bea.com
O17 - HKLM\Software\..\Telephony: DomainName = bea.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D834383-7741-4FC6-AAB2-70B4E1108F11}: NameServer = 71.242.0.12 71.252.0.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{B23BC992-64E5-4BB6-A781-3C4218FE09C1}: NameServer = 192.168.128.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bea.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{1D834383-7741-4FC6-AAB2-70B4E1108F11}: NameServer = 71.242.0.12 71.252.0.12
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bea.com
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\IPv6.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: cryptnet21 - C:\WINDOWS\system32\cryptnet21.dll (file missing)
O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG Firewall (avgfws9) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgfws9.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE

--
End of file - 4996 bytes


-----------------------------------------------------------------------------------


OLD Malwarebytes scans, these items have been removed:
-------------------------------------------------------------
MWB SCAN #1:
-------------------------
Scan type: Quick Scan
Objects scanned: 133421
Time elapsed: 11 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 5

Memory Modules Infected:
C:\WINDOWS\system32\WinXP.bmp (Trojan.BHO) -> Delete on reboot.
C:\WINDOWS\system32\cryptnet21.dll (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\IPv6.dll (Backdoor.Bot) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{00000231-1000-0010-8000-00aa006d2ea4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000231-1000-0010-8000-00aa006d2ea4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000231-1000-0010-8000-00aa006d2ea4} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\igfxtray (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nvcpl (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Backdoor.Bot) -> Data: c:\windows\system32\ipv6.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Backdoor.Bot) -> Data: system32\ipv6.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\igfxtray.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WinXP.bmp (Trojan.BHO) -> Delete on reboot.
C:\WINDOWS\system32\cryptnet21.dll (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\IPv6.dll (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\NvCpl64.dll (Backdoor.Bot) -> Quarantined and deleted successfully.

---------------------------------------------------------
MWB SCAN #2:
--------------------------
Scan type: Full Scan (C:|D:|)
Objects scanned: 172339
Time elapsed: 37 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Modules Infected:
C:\WINDOWS\system32\WinXP.bmp (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\system32\cryptnet21.dll (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\IPv6.dll (Backdoor.Bot) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nvcpl (Backdoor.Bot) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\WinXP.bmp (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\system32\cryptnet21.dll (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\IPv6.dll (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\NvCpl64.dll (Backdoor.Bot) -> Quarantined and deleted successfully.

--------------------------------------------------
MWB SCAN #3:
--------------------------
Scan type: Quick Scan
Objects scanned: 139893
Time elapsed: 16 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{00000231-1000-0010-8000-00aa006d2ea4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000231-1000-0010-8000-00aa006d2ea4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000231-1000-0010-8000-00aa006d2ea4} (Trojan.BHO) -> Quarantined and deleted successfully.

--------------------------------------------------

I also installed AVG Free, scanned and removed 3 trojans:

- D:\Thumbs.lnk
- C:\Windows\SoftwareDistribution\Uninstall.bin
- C:\Thumbs.lnk

I Scanned with AVG and MWB again, no infections.


- Now I am getting the above error message.


---------------------------------

Merged topics and posts and moved merged topic to HiJack This forum. ~ OB

Edited by Orange Blossom, 11 December 2009 - 07:28 PM.
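The HijackThis and Malwarebytes output above is the kind of log a responder reads line by line. As an added example (not part of the original post, and not code from HijackThis or Malwarebytes), here is a small Python triage script that parses both formats, flags the O4/O17/O20 entry types that are checked first, and cross-references the two logs to show load points that still name a file Malwarebytes reported as removed. The sample log lines inside it are constructed to mirror the ones posted above; the severity labels and rule thresholds are the example's own choices.

```python
"""Triage helper for HijackThis and Malwarebytes log text.

Added example, not part of the original post and not code from HijackThis
or Malwarebytes. It parses the two log formats shown in the thread, flags
the entry types a responder checks first, and cross-references the two
logs so that load points still naming a file reported as removed show up.
All sample lines below are constructed to mirror the logs posted above.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: HijackThis lines modelled on the post above.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D834383-7741-4FC6-AAB2-70B4E1108F11}: NameServer = 71.242.0.12 71.252.0.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{B23BC992-64E5-4BB6-A781-3C4218FE09C1}: NameServer = 192.168.128.1
O20 - AppInit_DLLs: C:\WINDOWS\system32\IPv6.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: cryptnet21 - C:\WINDOWS\system32\cryptnet21.dll (file missing)
"""

# Constructed sample: Malwarebytes "Files Infected" lines from the same post.
SAMPLE_MBAM_LOG = r"""
C:\WINDOWS\system32\igfxtray.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cryptnet21.dll (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\IPv6.dll (Backdoor.Bot) -> Delete on reboot.
"""

RFC1918 = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")
HJT_LINE = re.compile(r"^([ORFN]\d+)\s+-\s+(.*)$")
MBAM_LINE = re.compile(r"^([A-Za-z]:\\.*?)\s+\(([^)]+)\)\s+->\s+(.*?)\.?$")
RUN_TARGET = re.compile(r'Run:\s*\[[^\]]*\]\s*"?([^"]+)')


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Split a HijackThis log into (section, body) pairs, e.g. ('O20', 'AppInit_DLLs: ...')."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def parse_mbam(text: str) -> Dict[str, str]:
    """Map each file path in a Malwarebytes result line (lower-cased) to the action taken."""
    results = {}
    for line in text.splitlines():
        m = MBAM_LINE.match(line.strip())
        if m:
            results[m.group(1).lower()] = m.group(3)
    return results


def triage_hjt(text: str) -> List[Tuple[str, str, str]]:
    """Return (severity, section, reason) for entries worth a second look.

    The rules encode what the sections mean, not any specific malware:
    AppInit_DLLs is loaded into every process that uses user32.dll, a
    Winlogon Notify entry whose DLL is gone is a dangling load point, a Run
    value without a directory is resolved by path search, and DNS servers
    outside private ranges should be confirmed as the ISP's.
    """
    findings = []
    for section, body in parse_hjt(text):
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            dll = body.split(":", 1)[1].strip()
            findings.append(("HIGH", section, f"AppInit_DLLs loads {dll} into every GUI process"))
        elif section == "O20" and "Winlogon Notify" in body and "(file missing)" in body:
            findings.append(("MEDIUM", section, "dangling Winlogon Notify registration: " + body))
        elif section == "O4":
            m = RUN_TARGET.search(body)
            if m and "\\" not in m.group(1):
                target = m.group(1).strip()
                findings.append(("MEDIUM", section, f"unqualified Run target {target} resolved by path search"))
        elif section == "O17" and "NameServer" in body:
            servers = body.split("=", 1)[1].split()
            public = [s for s in servers if not RFC1918.match(s)]
            if public:
                findings.append(("INFO", section, "public DNS servers, confirm they are the ISP's: " + " ".join(public)))
    return findings


def still_referenced(hjt_text: str, mbam_text: str) -> List[Tuple[str, str, str]]:
    """Find HijackThis entries that still name a file Malwarebytes reported removed.

    A file marked 'Delete on reboot' that is still referenced from a load
    point after the reboot means the registry entry outlived the file and
    still has to be cleaned up.
    """
    removed = parse_mbam(mbam_text)
    hits = []
    for section, body in parse_hjt(hjt_text):
        lower = body.lower()
        for path, action in removed.items():
            name = path.rsplit("\\", 1)[-1]
            if name in lower:
                hits.append((section, name, action))
    return hits


if __name__ == "__main__":
    for finding in triage_hjt(SAMPLE_HJT_LOG):
        print("%-6s %-4s %s" % finding)
    for section, name, action in still_referenced(SAMPLE_HJT_LOG, SAMPLE_MBAM_LOG):
        print(f"{section} still references {name} (Malwarebytes: {action})")
```

Run it as a script to see the findings for the constructed sample; on a real log, paste the HijackThis and Malwarebytes text into the two sample strings. The cross-reference is the useful part here: Malwarebytes marked cryptnet21.dll and IPv6.dll "Delete on reboot", yet the HijackThis log still shows an AppInit_DLLs value pointing at IPv6.dll and a Winlogon Notify entry for cryptnet21, which is exactly the kind of leftover a follow-up scan is meant to catch.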




#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:19 PM

Posted 11 December 2009 - 07:34 PM

Hi lugnuts9,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

One or more of the identified infections is a backdoor trojan.

A backdoor Trojan can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified, because of its backdoor functionality, your PC is very likely compromised. Some experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the Operating System. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

If you decide to remove the infection please go on with the following steps.


Removal Instructions
  • Besides fixing the issue you are describing we need to check the system for any hidden infection or leftovers.

  • Please download OTL by OldTimer.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Check the "Scan All Users" checkbox.
  • Check the "Standard Output".
  • Click Run Scan button.
  • Two reports will open, copy and paste them to your reply:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

  • Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Disconnect from the Internet and close all running programs.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Make sure the following are unchecked:
    • Sections
    • IAT/EAT
    • Drives/Partition other than C:\ drive (C:\ drive should remain checked)
    • Show All (this one also should be unchecked)
  • Then click the Scan button & wait for it to begin. (Please be patient as it can take some time to complete).
  • When the scan is finished, you will see the scan button appears again. Click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.

#3 lugnuts9

lugnuts9
  • Topic Starter

  • Members
  • 79 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:19 PM

Posted 12 December 2009 - 06:39 PM

Thank you very much farbar.

GMER 1.0.15.15279 - http://www.gmer.net
Rootkit scan 2009-12-12 01:41:57
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: D:\TEMP\fwpyipob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwOpenProcess [0xF7B14470]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwTerminateProcess [0xF7B14520]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwTerminateThread [0xF7B145C0]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwWriteVirtualMemory [0xF7B14660]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----

#4 lugnuts9

lugnuts9
  • Topic Starter

  • Members
  • 79 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:19 PM

Posted 12 December 2009 - 06:43 PM

OTL logfile created on: 12/12/2009 12:31:54 AM - Run 1
OTL by OldTimer - Version 3.1.16.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.41 Mb Total Physical Memory | 641.71 Mb Available Physical Memory | 62.76% Memory free
2.40 Gb Paging File | 2.09 Gb Available in Paging File | 87.31% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 16.55 Gb Total Space | 9.41 Gb Free Space | 56.84% Space Free | Partition Type: NTFS
Drive D: | 20.70 Gb Total Space | 18.93 Gb Free Space | 91.45% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BEA-5765146AEA3
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/12/12 00:31:04 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2009/12/11 08:17:36 | 01,055,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2009/12/11 08:17:35 | 00,600,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2009/12/11 08:17:35 | 00,502,040 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2009/12/11 08:17:34 | 00,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2009/12/11 08:17:29 | 02,020,120 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2009/12/11 08:17:28 | 02,304,192 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgfws9.exe
PRC - [2009/12/11 08:17:25 | 00,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe
PRC - [2009/12/11 08:17:20 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2007/06/13 05:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/11/10 16:03:52 | 00,036,975 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
PRC - [2005/11/09 13:35:24 | 00,043,520 | ---- | M] (DameWare Development) -- C:\WINDOWS\system32\DWRCST.exe
PRC - [2005/11/09 13:34:54 | 00,159,744 | ---- | M] (DameWare Development LLC) -- C:\WINDOWS\system32\DWRCS.EXE
PRC - [2004/09/13 13:33:20 | 00,155,648 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apoint.exe
PRC - [2004/08/19 11:40:08 | 00,045,056 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApntEx.exe
PRC - [2004/08/04 03:56:52 | 00,093,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2002/07/18 19:58:40 | 00,163,840 | ---- | M] () -- C:\WINDOWS\system32\pctspk.exe
PRC - [2001/05/01 20:06:22 | 00,053,248 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\MsPMSPSv.exe


========== Modules (SafeList) ==========

MOD - [2009/12/12 00:31:04 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2006/08/25 10:45:55 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/12/11 08:17:28 | 02,304,192 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgfws9.exe -- (avgfws9)
SRV - [2009/12/11 08:17:25 | 00,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2009/12/11 08:17:20 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2009/12/11 08:17:17 | 05,832,712 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2005/11/09 13:34:54 | 00,159,744 | ---- | M] (DameWare Development LLC) [Auto | Running] -- C:\WINDOWS\System32\DWRCS.EXE -- (DWMRCS)
SRV - [2004/08/11 03:46:56 | 00,483,328 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- c:\Program Files\Windows Media Connect\mswmccds.exe -- (WmcCds) Windows Media Connect (WMC)
SRV - [2004/08/11 00:50:42 | 00,028,160 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Media Connect\mswmcls.exe -- (WmcCdsLs) Windows Media Connect (WMC)
SRV - [2004/07/15 04:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state)
SRV - [2001/05/01 20:06:22 | 00,053,248 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\MsPMSPSv.exe -- (WMDM PMSP Service)


========== Driver Services (SafeList) ==========

DRV - [2009/12/11 08:17:51 | 00,028,424 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/12/11 08:17:24 | 00,025,608 | ---- | M] (AVG Technologies ) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\AVGIDSxx.sys -- (AVGIDSErHrxpx)
DRV - [2009/12/11 08:17:23 | 00,161,800 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\System32\Drivers\avgrkx86.sys -- (AvgRkx86)
DRV - [2009/12/11 08:17:22 | 00,360,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2009/12/11 08:17:22 | 00,333,192 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/12/11 08:17:19 | 00,122,376 | ---- | M] (AVG Technologies ) [Kernel | On_Demand | Running] -- C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys -- (AVGIDSDriverxpx)
DRV - [2009/12/11 08:17:18 | 00,030,216 | ---- | M] (AVG Technologies ) [Kernel | On_Demand | Running] -- C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys -- (AVGIDSFilterxpx)
DRV - [2009/12/11 08:17:18 | 00,025,736 | ---- | M] (AVG Technologies ) [Kernel | On_Demand | Running] -- C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys -- (AVGIDSShimxpx)
DRV - [2009/12/11 08:16:59 | 00,030,104 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\avgfwdx.sys -- (Avgfwfd)
DRV - [2009/12/11 08:16:59 | 00,030,104 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\avgfwdx.sys -- (Avgfwdx)
DRV - [2008/01/07 14:36:16 | 02,216,064 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel®
DRV - [2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/10/24 22:37:28 | 00,021,035 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\AegisP.sys -- (AegisP) AEGIS Protocol (IEEE 802.1x)
DRV - [2007/02/05 12:38:04 | 00,054,176 | ---- | M] (Ross-Tech, LLC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RT-USB.SYS -- (RT-USB)
DRV - [2006/04/28 13:07:20 | 00,010,880 | ---- | M] (VMware, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\vmscsi.sys -- (vmscsi)
DRV - [2004/11/16 12:03:52 | 00,108,791 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2004/08/20 15:26:00 | 00,737,874 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm)
DRV - [2004/08/04 01:07:44 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2004/08/04 01:07:44 | 00,041,088 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2003/02/17 16:22:24 | 00,170,880 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2002/11/22 15:56:10 | 00,476,955 | ---- | M] (PCtel, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\vpctcom.sys -- (Vpctcom)
DRV - [2002/11/08 00:13:00 | 00,020,579 | ---- | M] (O2Micro) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\OZSCR.SYS -- (O2SCBUS)
DRV - [2002/11/06 18:23:34 | 00,135,260 | ---- | M] (PCTEL, INC.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptserial.sys -- (Ptserial)
DRV - [2002/11/06 18:23:16 | 00,066,111 | ---- | M] (PCtel, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\vvoice.sys -- (Vvoice)
DRV - [2002/11/06 18:22:50 | 00,689,821 | ---- | M] (PCTEL, INC.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\vmodem.sys -- (Vmodem)
DRV - [2002/08/08 16:10:46 | 00,089,088 | ---- | M] (Cirrus Logic, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cwawdm.sys -- (cs429x)
DRV - [2001/08/23 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2001/08/17 16:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 16:07:42 | 00,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 16:07:40 | 00,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 16:07:36 | 00,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 16:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 15:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 15:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 15:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 15:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 15:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 15:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 15:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 15:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 15:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 15:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/08/17 15:11:06 | 00,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\el90xbc5.sys -- (EL90XBC)
DRV - [2001/08/17 07:10:28 | 00,035,913 | ---- | M] (SMC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-958956159-11567250-886126114-500\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-958956159-11567250-886126114-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
IE - HKU\S-1-5-21-958956159-11567250-886126114-500\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-958956159-11567250-886126114-500\S-1-5-21-958956159-11567250-886126114-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-958956159-11567250-886126114-500\S-1-5-21-958956159-11567250-886126114-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1



O1 HOSTS File: (734 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKU\S-1-5-21-958956159-11567250-886126114-500\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [PCTVOICE] C:\WINDOWS\System32\pctspk.exe ()
O4 - HKLM..\Run: [RoxioDragToDisc] C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe File not found
O4 - HKLM..\Run: [RoxioEngineUtility] C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe File not found
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Verizon Online Dialer.lnk = C:\Program Files\Common Files\Verizon Online\ConnMgr\Verizon Online.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-958956159-11567250-886126114-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\NPJPI150_06.dll (Sun Microsystems, Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} http://intel-drv-cdn.systemrequirementslab...reqlab_srlx.cab (System Requirements Lab Class)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdate/content/opuc.cab (Office Update Installation Engine)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bea.com
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - AppInit_DLLs: (C:\WINDOWS\system32\IPv6.dll) - C:\WINDOWS\System32\IPv6.dll File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\cryptnet21: DllName - C:\WINDOWS\system32\cryptnet21.dll - C:\WINDOWS\System32\cryptnet21.dll File not found
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/01/14 13:12:15 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/12/11 07:45:23 | 00,000,165 | RHS- | M] () - C:\AutoRun.Inf -- [ NTFS ]
O32 - AutoRun File - [2009/12/11 07:45:23 | 00,000,165 | RHS- | M] () - D:\AutoRun.Inf -- [ NTFS ]
O33 - MountPoints2\{e822f890-df9f-11de-b51c-00166f1cf3bb}\Shell - "" = AutoRun
O33 - MountPoints2\{e822f890-df9f-11de-b51c-00166f1cf3bb}\Shell\1\Command - "" = RunDll32.exe .\Thumbs.lnk,GetPic
O33 - MountPoints2\{e822f890-df9f-11de-b51c-00166f1cf3bb}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{e822f891-df9f-11de-b51c-00166f1cf3bb}\Shell - "" = AutoRun
O33 - MountPoints2\{e822f891-df9f-11de-b51c-00166f1cf3bb}\Shell\1\Command - "" = RunDll32.exe .\Thumbs.lnk,GetPic
O33 - MountPoints2\{e822f891-df9f-11de-b51c-00166f1cf3bb}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\C\Shell - "" = AutoRun
O33 - MountPoints2\C\Shell\1\Command - "" = RunDll32.exe .\Thumbs.lnk,GetPic
O33 - MountPoints2\C\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\1\Command - "" = RunDll32.exe .\Thumbs.lnk,GetPic
O33 - MountPoints2\D\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2009/12/12 00:30:58 | 00,538,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2009/12/11 14:09:23 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/12/11 08:28:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\AVG9
[2009/12/11 08:27:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/12/11 08:18:15 | 00,000,000 | -H-D | C] -- C:\$AVG
[2009/12/11 08:17:53 | 00,012,464 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/12/11 08:17:51 | 00,028,424 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/12/11 08:17:45 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\Avg
[2009/12/11 08:17:24 | 00,025,608 | ---- | C] (AVG Technologies ) -- C:\WINDOWS\System32\drivers\AVGIDSxx.sys
[2009/12/11 08:17:23 | 00,161,800 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgrkx86.sys
[2009/12/11 08:17:22 | 00,360,584 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/12/11 08:17:22 | 00,333,192 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/12/11 08:16:59 | 00,050,968 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgfwdx.dll
[2009/12/11 08:16:59 | 00,030,104 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgfwdx.sys
[2009/12/11 08:16:58 | 00,000,000 | ---D | C] -- C:\Program Files\AVG
[2009/12/11 08:16:47 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg9
[2009/12/06 23:00:37 | 00,000,000 | ---D | C] -- C:\Program Files\VemsTune12
[2009/12/04 19:40:22 | 00,000,000 | ---D | C] -- D:\MyData\VEMS_Files
[2009/12/04 19:39:46 | 00,000,000 | ---D | C] -- C:\Program Files\VemsTune
[2009/12/04 17:11:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Paul Caron
[2009/12/03 17:24:56 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\CatRoot_bak
[2009/12/03 12:12:43 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\KB905474
[2009/12/02 22:57:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\WinRAR
[2009/12/02 22:56:49 | 00,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2009/12/02 22:40:50 | 00,000,000 | ---D | C] -- C:\Program Files\Lugtune 1.1.47
[2009/12/02 22:36:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2009/12/02 22:36:43 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/02 22:36:41 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/02 22:36:41 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/02 22:36:41 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/12/02 19:03:19 | 00,017,024 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbohci.sys
[2009/12/02 19:02:38 | 00,049,536 | ---- | C] (OrangeWare Corporation) -- C:\WINDOWS\System32\drivers\ousb2hub.sys
[2009/12/02 19:02:38 | 00,034,176 | ---- | C] (OrangeWare Corporation) -- C:\WINDOWS\System32\drivers\ousbehci.sys
[2009/12/02 19:02:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\Drivers
[2009/12/02 17:37:31 | 00,331,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msadce.dll
[2009/12/02 17:34:16 | 00,060,416 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\colbact.dll
[2009/12/02 17:32:20 | 00,655,872 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mstscax.dll
[2009/12/02 15:43:56 | 00,000,000 | ---D | C] -- C:\Program Files\Lugtune 1.0.73
[2009/12/02 14:09:04 | 00,000,000 | ---D | C] -- C:\Program Files\MegaLogViewer
[2009/12/02 14:04:26 | 00,000,000 | ---D | C] -- C:\Program Files\Lugtune 1.0.78
[2009/12/02 13:53:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Help
[2009/12/02 13:30:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\InterVideo
[2009/12/02 13:20:53 | 02,732,032 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\Netw2r32.dll
[2009/12/02 13:20:53 | 02,216,064 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\w29n51.sys
[2009/12/02 13:20:53 | 00,557,056 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\Netw2c32.dll
[2009/12/02 12:52:56 | 00,000,000 | ---D | C] -- C:\Program Files\SystemRequirementsLab
[2009/12/02 12:43:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\MSNInstaller
[2009/12/02 12:39:21 | 00,000,000 | ---D | C] -- C:\WINDOWS\Motive
[2009/12/02 12:39:12 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Motive
[2009/12/02 12:38:28 | 00,000,000 | ---D | C] -- C:\Program Files\Motive
[2009/12/02 12:37:43 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MSN6
[2009/12/02 12:33:15 | 00,000,000 | ---D | C] -- C:\WINDOWS\VerizonOnline
[2009/12/02 12:33:05 | 00,049,210 | ---- | C] (Verizon Internet Solutions) -- C:\WINDOWS\System32\vzServices.dll
[2009/12/02 12:32:59 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Verizon Online
[2009/12/02 12:32:53 | 00,046,352 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\setdebug.exe
[2009/12/02 12:32:52 | 00,313,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dx3j.dll
[2009/12/02 12:32:52 | 00,171,280 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\jit.dll
[2009/12/02 12:32:52 | 00,139,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\javaee.dll
[2009/12/02 12:32:46 | 00,171,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wjview.exe
[2009/12/02 12:32:45 | 00,286,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\vmhelper.dll
[2009/12/02 12:32:45 | 00,021,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msjdbc10.dll
[2009/12/02 12:32:44 | 00,154,896 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msawt.dll
[2009/12/02 12:32:43 | 00,404,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\javart.dll
[2009/12/02 12:32:43 | 00,187,152 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\javacypt.dll
[2009/12/02 12:32:43 | 00,172,304 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\jview.exe
[2009/12/02 12:32:43 | 00,063,248 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\javaprxy.dll
[2009/12/02 12:32:43 | 00,015,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\jdbgmgr.exe
[2009/12/02 12:32:41 | 00,049,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\clspack.exe
[2009/12/02 12:32:29 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\FinePointLib
[2009/12/02 11:54:02 | 00,032,768 | ---- | C] (hp) -- C:\WINDOWS\iwlandrvxpver.dll
[2009/12/02 11:52:49 | 00,000,000 | ---D | C] -- C:\SWSetup
[2005/01/14 14:03:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2005/01/14 13:20:15 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2005/01/14 13:20:15 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/12/12 00:31:04 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2009/12/12 00:21:23 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/12 00:21:11 | 00,000,909 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Verizon Online Dialer.lnk
[2009/12/12 00:20:27 | 00,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2009/12/12 00:20:17 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/12 00:20:14 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/11 19:01:04 | 02,359,296 | -H-- | M] () -- C:\Documents and Settings\Administrator\ntuser.dat
[2009/12/11 19:01:04 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2009/12/11 19:00:57 | 04,282,952 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2009/12/11 18:59:55 | 46,509,712 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/12/11 18:59:22 | 00,123,577 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/12/11 17:32:00 | 00,006,094 | ---- | M] () -- D:\MyData\5pm AVG Scan.csv
[2009/12/11 14:11:03 | 00,001,510 | ---- | M] () -- C:\Documents and Settings\Administrator\mlvUser.properties
[2009/12/11 14:09:26 | 00,001,740 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk
[2009/12/11 13:38:21 | 00,000,487 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/12/11 13:38:21 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/12/11 13:38:21 | 00,000,211 | RHS- | M] () -- C:\boot.ini
[2009/12/11 08:17:53 | 00,012,464 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/12/11 08:17:53 | 00,001,513 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG 9.0.lnk
[2009/12/11 08:17:51 | 00,546,935 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\iavifw.avm
[2009/12/11 08:17:51 | 00,113,461 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2009/12/11 08:17:51 | 00,028,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/12/11 08:17:45 | 06,061,540 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/12/11 08:17:45 | 00,492,629 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/12/11 08:17:24 | 00,025,608 | ---- | M] (AVG Technologies ) -- C:\WINDOWS\System32\drivers\AVGIDSxx.sys
[2009/12/11 08:17:23 | 00,161,800 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgrkx86.sys
[2009/12/11 08:17:22 | 00,360,584 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/12/11 08:17:22 | 00,333,192 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/12/11 08:16:59 | 00,050,968 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgfwdx.dll
[2009/12/11 08:16:59 | 00,030,104 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgfwdx.sys
[2009/12/11 07:45:23 | 00,000,165 | RHS- | M] () -- C:\AutoRun.Inf
[2009/12/09 01:47:27 | 00,000,588 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\VAG-COM.lnk
[2009/12/09 00:07:39 | 00,000,702 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\VT12-4-09.lnk
[2009/12/04 19:40:01 | 00,001,554 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\VT11-27.lnk
[2009/12/04 15:53:16 | 00,004,679 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\idiotPart2.rtf
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/03 12:57:00 | 00,439,376 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/12/03 12:57:00 | 00,380,918 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/12/03 12:57:00 | 00,053,166 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/12/03 12:52:42 | 00,241,536 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/12/03 12:14:29 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/12/03 00:13:19 | 00,000,887 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\MT 1.1.47.lnk
[2009/12/02 23:42:53 | 00,002,732 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Website 2009 Ben .rtf
[2009/12/02 22:36:46 | 00,000,702 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/02 19:28:01 | 00,006,144 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/02 15:44:37 | 00,001,087 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\LT 1.0.73.lnk
[2009/12/02 14:10:59 | 00,000,123 | ---- | M] () -- C:\Documents and Settings\Administrator\.mlvreg
[2009/12/02 14:10:10 | 00,000,748 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\LogViewer.lnk
[2009/12/02 14:06:37 | 00,000,887 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\LT1.0.78.lnk
[2009/12/02 12:37:48 | 00,000,891 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Verizon Online.lnk
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/11 17:32:00 | 00,006,094 | ---- | C] () -- D:\MyData\5pm AVG Scan.csv
[2009/12/11 14:09:26 | 00,001,740 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk
[2009/12/11 08:17:53 | 00,001,513 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG 9.0.lnk
[2009/12/11 08:17:51 | 00,546,935 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\iavifw.avm
[2009/12/11 08:17:51 | 00,113,461 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2009/12/11 08:17:45 | 46,509,712 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/12/11 08:17:45 | 06,061,540 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/12/11 08:17:45 | 00,492,629 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/12/11 08:17:45 | 00,123,577 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/12/11 07:47:25 | 00,001,763 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
[2009/12/09 01:47:27 | 00,000,588 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\VAG-COM.lnk
[2009/12/09 00:07:39 | 00,000,702 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\VT12-4-09.lnk
[2009/12/04 19:40:01 | 00,001,554 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\VT11-27.lnk
[2009/12/04 15:53:16 | 00,004,679 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\idiotPart2.rtf
[2009/12/03 12:12:43 | 00,000,260 | ---- | C] () -- C:\WINDOWS\tasks\WGASetup.job
[2009/12/03 00:13:19 | 00,000,887 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\MT 1.1.47.lnk
[2009/12/02 23:42:53 | 00,002,732 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Website 2009 Ben .rtf
[2009/12/02 22:36:46 | 00,000,702 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/02 19:26:29 | 00,006,144 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/02 19:11:02 | 00,000,165 | RHS- | C] () -- C:\AutoRun.Inf
[2009/12/02 15:44:37 | 00,001,087 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\LT 1.0.73.lnk
[2009/12/02 14:11:04 | 00,001,510 | ---- | C] () -- C:\Documents and Settings\Administrator\mlvUser.properties
[2009/12/02 14:10:59 | 00,000,123 | ---- | C] () -- C:\Documents and Settings\Administrator\.mlvreg
[2009/12/02 14:10:10 | 00,000,748 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\LogViewer.lnk
[2009/12/02 14:06:37 | 00,000,887 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\LT1.0.78.lnk
[2009/12/02 12:37:49 | 00,000,909 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Verizon Online Dialer.lnk
[2009/12/02 12:37:48 | 00,000,891 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Verizon Online.lnk
[2009/12/02 12:32:52 | 00,007,315 | ---- | C] () -- C:\WINDOWS\System32\javasup.vxd
[2009/12/02 12:32:52 | 00,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2009/12/02 12:32:46 | 00,000,113 | ---- | C] () -- C:\WINDOWS\System32\zonedon.reg
[2009/12/02 12:32:46 | 00,000,113 | ---- | C] () -- C:\WINDOWS\System32\zonedoff.reg
[2009/12/02 12:06:16 | 00,005,193 | ---- | C] () -- D:\MyData\RV042.exp
[2006/05/11 09:30:35 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/02/14 16:20:53 | 00,031,744 | ---- | C] () -- C:\WINDOWS\System32\mdmmoh.dll
[2005/01/28 02:00:25 | 00,002,677 | ---- | C] () -- C:\WINDOWS\System32\DWRCS.ini
[2005/01/26 18:51:34 | 00,069,632 | ---- | C] () -- C:\WINDOWS\System32\oemdspif.dll
[2005/01/26 18:51:31 | 01,245,184 | ---- | C] () -- C:\WINDOWS\System32\igfxress.dll
[2005/01/26 18:51:30 | 00,225,280 | ---- | C] () -- C:\WINDOWS\System32\igfxpph.dll
[2005/01/26 18:51:29 | 00,225,280 | ---- | C] () -- C:\WINDOWS\System32\igfxeud.dll
[2005/01/26 18:51:29 | 00,036,864 | ---- | C] () -- C:\WINDOWS\System32\igfxexps.dll
[2005/01/26 18:51:28 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\igfxdo.dll
[2005/01/26 18:51:28 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\igfxdgps.dll
[2005/01/26 18:51:27 | 00,049,152 | ---- | C] () -- C:\WINDOWS\System32\ialmrem.dll
[2005/01/26 18:51:26 | 02,289,664 | ---- | C] () -- C:\WINDOWS\System32\ialmgicd.dll
[2005/01/26 18:51:26 | 00,495,616 | ---- | C] () -- C:\WINDOWS\System32\ialmgdev.dll
[2005/01/26 17:55:43 | 00,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2005/01/18 20:10:56 | 00,002,401 | ---- | C] () -- C:\WINDOWS\System32\drivers\AlKernel.sys
[2005/01/14 14:28:54 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2002/12/10 02:56:02 | 00,159,744 | ---- | C] () -- C:\WINDOWS\System32\igfxres.dll

========== Files - Unicode (All) ==========
[2009/12/11 07:45:23 | 00,000,469 | ---- | M] ()(C:\????.lnk) -- C:\我的文档.lnk
[2009/12/02 19:11:02 | 00,000,469 | ---- | C] ()(C:\????.lnk) -- C:\我的文档.lnk
< End of report >

-------------------------------------------------------------------------

OTL Extras logfile created on: 12/12/2009 12:31:54 AM - Run 1
OTL by OldTimer - Version 3.1.16.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.41 Mb Total Physical Memory | 641.71 Mb Available Physical Memory | 62.76% Memory free
2.40 Gb Paging File | 2.09 Gb Available in Paging File | 87.31% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 16.55 Gb Total Space | 9.41 Gb Free Space | 56.84% Space Free | Partition Type: NTFS
Drive D: | 20.70 Gb Total Space | 18.93 Gb Free Space | 91.45% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BEA-5765146AEA3
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Altiris\AClient\AClntUsr.EXE" = C:\Program Files\Altiris\AClient\AClntUsr.EXE:*:Enabled:AClntUsr - AClient Interactive User Service -- File not found
"C:\Program Files\AVG\AVG9\avgam.exe" = C:\Program Files\AVG\AVG9\avgam.exe:*:Enabled:avgam.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgdiagex.exe" = C:\Program Files\AVG\AVG9\avgdiagex.exe:*:Enabled:avgdiagex.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgemc.exe" = C:\Program Files\AVG\AVG9\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{2851123E-5786-41BE-A3F1-A9B21E499EEB}" = Altiris Task Synchronization Agent
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{43DCF766-6838-4F9A-8C91-D92DA586DFA7}" = Microsoft Windows Journal Viewer
"{69DCD41A-DA0B-4707-BF29-1D9787D3BB18}" = MegaLogViewer
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
"{AC76BA86-7AD7-1033-7B44-A70700000002}" = Adobe Reader 7.0.7
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{F2545484-7B1C-484A-89B8-B0F8B38BC67F}" = O2Micro SmartCardBus Reader Windows Driver Installer
"{F6869CD2-3DB4-476D-A4C7-B3AE7C3ACF7B}" = Windows Media Connect
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"AUTOTUNE_UNISTALL_REG" = Autronic calibration program AUTO TUNE
"AVG9Uninstall" = AVG 9.0
"D8F4D0E97D18692537E56F88DB4C16B9974FB603" = Windows Driver Package - Ross-Tech USB Driver Package (05/19/2006 6.0.1.0)
"Dvr Client Program" = Dvr Client Program
"ECUSM4_UNINSTALL_REG" = Autronic SM4 5v2x
"HijackThis" = HijackThis 2.0.2
"Installing HSP56 MicroModem Drivers" = PCTEL 2304WT V.92 MDC Modem Drivers
"LiveUpdate" = LiveUpdate 2.0 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"SystemRequirementsLab" = System Requirements Lab
"VAG-COM Release" = VAG-COM Release 704.1
"VCDS Release 908" = VCDS Release 908.1
"VemsTune" = VemsTune
"WGA" = Windows Genuine Advantage Validation Tool
"Windows Media Connect" = Windows Media Connect
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 2
"WinRAR archiver" = WinRAR archiver
"WinZip" = WinZip

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/21/2008 6:32:29 PM | Computer Name = BEA-5765146AEA3 | Source = Application Hang | ID = 1002
Description = Hanging application VagCom.exe, version 704.1.8.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/2/2009 9:32:39 PM | Computer Name = BEA-5765146AEA3 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 6.0.2900.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 12/2/2009 9:32:42 PM | Computer Name = BEA-5765146AEA3 | Source = Application Hang | ID = 1001
Description = Fault bucket 126637809.

Error - 12/9/2009 1:10:00 AM | Computer Name = BEA-5765146AEA3 | Source = Application Hang | ID = 1002
Description = Hanging application vemsTune.exe, version 0.0.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/9/2009 2:29:57 AM | Computer Name = BEA-5765146AEA3 | Source = Application Error | ID = 1000
Description = Faulting application megatune.exe, version 2.25.0.0, faulting module
megatune.exe, version 2.25.0.0, fault address 0x00040099.

Error - 12/9/2009 2:30:02 AM | Computer Name = BEA-5765146AEA3 | Source = Application Error | ID = 1000
Description = Faulting application megatune.exe, version 2.25.0.0, faulting module
megatune.exe, version 2.25.0.0, fault address 0x00040099.

Error - 12/9/2009 2:45:29 AM | Computer Name = BEA-5765146AEA3 | Source = Application Hang | ID = 1002
Description = Hanging application vemsTune.exe, version 0.0.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/9/2009 2:47:42 AM | Computer Name = BEA-5765146AEA3 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 12/9/2009 2:47:42 AM | Computer Name = BEA-5765146AEA3 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 12/11/2009 3:44:59 PM | Computer Name = BEA-5765146AEA3 | Source = Application Hang | ID = 1002
Description = Hanging application javaw.exe, version 5.0.60.5, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 1/12/2008 9:15:30 PM | Computer Name = BEA-5765146AEA3 | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 1/16/2008 3:04:03 PM | Computer Name = BEA-5765146AEA3 | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 1/19/2008 4:47:18 PM | Computer Name = BEA-5765146AEA3 | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 1/21/2008 6:30:49 PM | Computer Name = BEA-5765146AEA3 | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.


< End of report >

#5 Farbar (Security Developer, The Netherlands)

Posted 12 December 2009 - 07:26 PM

Please open OTL.
  • Copy the text in the code box and paste it into the Custom Scans/Fixes section:

    :otl
    O32 - AutoRun File - [2009/12/11 07:45:23 | 00,000,165 | RHS- | M] () - C:\AutoRun.Inf -- [ NTFS ]
    O32 - AutoRun File - [2009/12/11 07:45:23 | 00,000,165 | RHS- | M] () - D:\AutoRun.Inf -- [ NTFS ]
    O20 - Winlogon\Notify\cryptnet21: DllName - C:\WINDOWS\system32\cryptnet21.dll - C:\WINDOWS\System32\cryptnet21.dll File not found
    O33 - MountPoints2\{e822f890-df9f-11de-b51c-00166f1cf3bb}\Shell\1\Command - "" = RunDll32.exe .\Thumbs.lnk,GetPic
    O33 - MountPoints2\{e822f890-df9f-11de-b51c-00166f1cf3bb}\Shell - "" = AutoRun
    O33 - MountPoints2\{e822f890-df9f-11de-b51c-00166f1cf3bb}\Shell\1\Command - "" = RunDll32.exe .\Thumbs.lnk,GetPic
    O33 - MountPoints2\{e822f890-df9f-11de-b51c-00166f1cf3bb}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{e822f891-df9f-11de-b51c-00166f1cf3bb}\Shell - "" = AutoRun
    O33 - MountPoints2\{e822f891-df9f-11de-b51c-00166f1cf3bb}\Shell\1\Command - "" = RunDll32.exe .\Thumbs.lnk,GetPic
    O33 - MountPoints2\{e822f891-df9f-11de-b51c-00166f1cf3bb}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\C\Shell - "" = AutoRun
    O33 - MountPoints2\C\Shell\1\Command - "" = RunDll32.exe .\Thumbs.lnk,GetPic
    O33 - MountPoints2\C\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\D\Shell - "" = AutoRun
    O33 - MountPoints2\D\Shell\1\Command - "" = RunDll32.exe .\Thumbs.lnk,GetPic
    [2009/12/11 07:45:23 | 00,000,469 | ---- | M] ()(C:\????.lnk) -- C:\????.lnk
    [2009/12/02 19:11:02 | 00,000,469 | ---- | C] ()(C:\????.lnk) -- C:\????.lnk

  • Click the Run Fix button.
  • If the fix needs a reboot, please do it.
  • After it has finished, a log will open. Copy and paste the log into your reply.
  • Reboot the computer anyway if OTL didn't need a reboot, and tell me if you still have the issue.


#6 lugnuts9 (Topic Starter)

Posted 13 December 2009 - 09:58 AM

========== OTL ==========
C:\AutoRun.Inf moved successfully.
D:\AutoRun.Inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet21\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e822f890-df9f-11de-b51c-00166f1cf3bb}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e822f890-df9f-11de-b51c-00166f1cf3bb}\ not found.
File RunDll32.exe .\Thumbs.lnk,GetPic not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e822f890-df9f-11de-b51c-00166f1cf3bb}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e822f890-df9f-11de-b51c-00166f1cf3bb}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e822f890-df9f-11de-b51c-00166f1cf3bb}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e822f890-df9f-11de-b51c-00166f1cf3bb}\ not found.
File RunDll32.exe .\Thumbs.lnk,GetPic not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e822f890-df9f-11de-b51c-00166f1cf3bb}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e822f890-df9f-11de-b51c-00166f1cf3bb}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e822f891-df9f-11de-b51c-00166f1cf3bb}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e822f891-df9f-11de-b51c-00166f1cf3bb}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e822f891-df9f-11de-b51c-00166f1cf3bb}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e822f891-df9f-11de-b51c-00166f1cf3bb}\ not found.
File RunDll32.exe .\Thumbs.lnk,GetPic not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e822f891-df9f-11de-b51c-00166f1cf3bb}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e822f891-df9f-11de-b51c-00166f1cf3bb}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\ not found.
File RunDll32.exe .\Thumbs.lnk,GetPic not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\ not found.
File RunDll32.exe .\Thumbs.lnk,GetPic not found.
File C:\????.lnk not found.
File C:\????.lnk not found.

OTL by OldTimer - Version 3.1.16.0 log created on 12132009_095632
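The fix Farbar posted above removes two things: an autorun.inf file on the root of each volume, and the shell verbs Explorer cached for those volumes under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2. The cache is why double-clicking C: or D: kept running RunDll32.exe .\Thumbs.lnk,GetPic (and then failing with "specified module could not be found") after the antivirus had already deleted the .lnk. The script below is an added example, not code from this thread, from OTL or from any other tool mentioned here: it parses an autorun.inf and a .reg export of MountPoints2 and flags that pattern. The sample inputs are constructed to resemble the logged entries, and the heuristics (a rundll32 command naming a .lnk, a command that runs a path relative to the drive root, a default verb redirected away from open/explore) are assumptions of mine, not a published signature.

```python
"""Triage for an autorun.inf / MountPoints2 hijack of the kind OTL listed
above. Added example; not code from the thread, OTL or Flash_Disinfector.
The sample inputs below are constructed to resemble the logged entries."""
import re
from typing import Dict, List, Tuple

# Constructed autorun.inf modelled on the MountPoints2 entries in the OTL log.
SAMPLE_AUTORUN_INF = """\
[AutoRun]
shell\\1\\command=RunDll32.exe .\\Thumbs.lnk,GetPic
shell\\AutoRun=Auto&Play
shell=AutoRun
"""

# A legitimate autorun.inf that only sets a drive label and icon.
BENIGN_AUTORUN_INF = "[autorun]\nlabel=Backup\nicon=backup.ico\n"

# Constructed excerpt of `reg export` output for the MountPoints2 key.
SAMPLE_MOUNTPOINTS2_REG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell]
@="AutoRun"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\1\Command]
@="RunDll32.exe .\\Thumbs.lnk,GetPic"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\Shell\1\Command]
@="RunDll32.exe .\\Thumbs.lnk,GetPic"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\Shell\open\Command]
@="explorer.exe E:\\"
"""


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Key/value pairs of the [autorun] section, keys lower-cased. Other
    sections and ';' comments (often junk padding in infections) are ignored."""
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def command_findings(verb: str, command: str) -> List[str]:
    """Why one shell-verb command is suspect (heuristics, not a signature)."""
    low = command.lower()
    findings = []
    if "rundll32" in low and ".lnk" in low:
        findings.append(f"verb '{verb}': rundll32 told to load a .lnk as a DLL: {command}")
    if re.search(r"(^|\s)\.\\", command):
        findings.append(f"verb '{verb}': runs a file relative to the drive root: {command}")
    return findings


_VERB_CMD = re.compile(r"^shell\\([^\\]+)\\command$")


def suspicious_autorun(entries: Dict[str, str]) -> List[str]:
    """Findings for a parsed [autorun] section; an empty list means benign."""
    findings: List[str] = []
    for key in ("open", "shellexecute"):
        if key in entries:
            findings.append(f"{key}={entries[key]} executes on insert/AutoPlay")
    default = entries.get("shell", "").lower()
    if default and default not in ("open", "explore"):
        findings.append(f"default verb redirected to '{default}', so Open runs it")
    for key, value in entries.items():
        m = _VERB_CMD.match(key)
        if m:
            findings.extend(command_findings(m.group(1), value))
    return findings


_MP2_CMD = re.compile(r"MountPoints2\\([^\\\]]+)\\Shell\\([^\\\]]+)\\Command\]$", re.IGNORECASE)


def flag_mountpoints2(reg_text: str) -> List[Tuple[str, str, str]]:
    """Scan a .reg export of MountPoints2 for cached verb commands that look
    hijacked; returns (volume id, verb, finding) tuples."""
    hits: List[Tuple[str, str, str]] = []
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = _MP2_CMD.search(line)
            current = (m.group(1), m.group(2)) if m else None
        elif current and line.startswith('@="') and line.endswith('"'):
            command = line[3:-1].replace("\\\\", "\\")  # undo .reg escaping
            for finding in command_findings(current[1], command):
                hits.append((current[0], current[1], finding))
    return hits


if __name__ == "__main__":
    for finding in suspicious_autorun(parse_autorun_inf(SAMPLE_AUTORUN_INF)):
        print("autorun.inf:", finding)
    for volume, verb, finding in flag_mountpoints2(SAMPLE_MOUNTPOINTS2_REG):
        print(f"MountPoints2\\{volume}: {finding}")
```

On a real machine, export the key with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2" mp2.reg` and read the file with `encoding="utf-16"` (reg.exe writes UTF-16). A hit means deleting that cached subkey, as the OTL fix above did; removing only the autorun.inf leaves Explorer running the cached command until the key is gone.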

#7 Farbar (Security Developer, The Netherlands)

Posted 13 December 2009 - 10:17 AM

So please give me feedback about the question I asked.

#8 lugnuts9 (Topic Starter)

Posted 13 December 2009 - 10:31 AM

I posted the log file before I restarted the computer. You are too quick for me! :(

OK, the problem is fixed, I can access the C and D drives now!

Thank you, thank you, thank you.


I have two questions.

1) Is this computer 100% now? Please let me know if you need more scans, etc. to verify.


2) I have a second, exact same computer, that has the same problem now. This tells me that the virus is in my data (that I put on this computer after a friend erased the hard drive) somewhere.

- Is it possible to find the location or the cause of this virus?

Thanks again,
Kevin

#9 Farbar (Security Developer, The Netherlands)

Posted 13 December 2009 - 10:43 AM

Glad to see the problem is resolved.

1) Is this computer 100% now? Please let me know if you need more scans, etc. to verify.

I don't see anything in the GMER and OTL logs. But we will check to make sure.

But first tell me if you have flash drives or an external drive or any storage media? We have to make sure they are clean.

#10 lugnuts9 (Topic Starter)

Posted 13 December 2009 - 10:54 AM

Glad to see the problem is resolved.

1) Is this computer 100% now? Please let me know if you need more scans, etc. to verify.

I don't see anything in the GMER and OTL logs. But we will check to make sure.

But first tell me if you have flash drives or an external drive or any storage media? We have to make sure they are clean.



- I have 2 thumb drives, and one laptop hard drive in an enclosure.

- None of them have been connected to this laptop during our scans.

#11 Farbar (Security Developer, The Netherlands)

Posted 13 December 2009 - 11:06 AM

This type of infection affects the hard drives and removable storage devices (flash drive/ USB drive/ thumb drive/ ipod/ memory stick/ memory card/ photo camera memory card/ external hard drive, etc).
Please read this carefully: http://www.zyxware.com/articles/2007/08/14...virus-infection

Note: It is important to have the AutoPlay feature turned off and not to open the thumb drives by double-clicking. Instead, right-click the drive and select Explore.

Please make sure you have your removable devices ready to disinfect. Don't connect them yet.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Turn off the auto-protect or resident shield of your antivirus.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning which takes only a few seconds and then exit the program.
  • Reboot your computer when done.
Note 1: Please temporarily disable your anti-virus program before downloading this tool as it can be falsely flagged as malware: How to disable anti-virus programs
Note 2: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.


You may apply this tool to the other computer too.

#12 lugnuts9 (Topic Starter)

Posted 13 December 2009 - 11:23 AM

Thank you so much for the help.

Can you tell me how to find and modify the registry key described below?

<<< To disable the autorun dialog that pops up when you connect a Firewire or USB drive,
create a new DWORD called "NoDriveTypeAutorun" (without the quotes) in the following
registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer >>>

#13 Farbar (Security Developer, The Netherlands)

Posted 13 December 2009 - 11:47 AM

You don't need it if you apply the tool.
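Two mechanisms are in play in posts #11 to #13: the NoDriveTypeAutoRun policy value lugnuts9 asked about, and the trick Flash_Disinfector applies (delete the autorun.inf file and leave a folder of the same name in its place, so the file cannot be recreated). The block below is an added example that is not Flash_Disinfector's code and not from this thread. It decodes the policy bitmask, writes the .reg text that applies the 0xFF mask machine-wide, and reproduces the folder trick in a scratch directory so the effect can be tested offline. The drive-type bit layout and the documented default of 0x91 come from Microsoft's description of the value; the function names and the demo are mine.

```python
"""NoDriveTypeAutoRun and the autorun.inf-folder trick. Added example; not
Flash_Disinfector's code and not from the thread."""
import os
import tempfile
from typing import Dict, List

# Bit n of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\
# NoDriveTypeAutoRun disables AutoRun for Windows drive type n (the DRIVE_*
# constants); 0x80 is the reserved slot that the "disable all" value sets too.
DRIVE_TYPES: Dict[int, str] = {
    0x01: "unknown", 0x02: "no root directory", 0x04: "removable",
    0x08: "fixed", 0x10: "network", 0x20: "CD-ROM", 0x40: "RAM disk",
    0x80: "reserved",
}
DISABLE_ALL = 0xFF
WINDOWS_DEFAULT = 0x91  # Microsoft's documented default mask


def autorun_enabled_types(mask: int) -> List[str]:
    """Drive types on which AutoRun stays enabled under a given mask."""
    return [name for bit, name in DRIVE_TYPES.items() if not mask & bit]


def reg_file_disable_autorun() -> str:
    """Text of a .reg file that applies the 0xFF mask machine-wide (the key
    lugnuts9 quoted); import it with `reg import` or by double-clicking."""
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
        "\\Policies\\Explorer]\r\n"
        '"NoDriveTypeAutoRun"=dword:000000ff\r\n'
    )


def protect_root(root: str) -> str:
    """Flash_Disinfector's idea: delete any autorun.inf *file* in the volume
    root and leave a *folder* of that name, so malware that tries to drop the
    file fails. The name match is case-insensitive because NTFS/FAT are and
    the OTL log shows the file as AutoRun.Inf."""
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if name.lower() == "autorun.inf" and os.path.isfile(path):
            os.remove(path)
    folder = os.path.join(root, "autorun.inf")
    os.makedirs(folder, exist_ok=True)
    return folder


def can_plant_autorun(root: str) -> bool:
    """Simulate the malware dropping autorun.inf; True if the write worked."""
    try:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write("[autorun]\nopen=evil.exe\n")
        return True
    except OSError:  # IsADirectoryError on POSIX, PermissionError on Windows
        return False


def demo_in_tempdir() -> Dict[str, bool]:
    """Drop an infected-style AutoRun.Inf into a scratch directory, protect
    it, and report whether the drop succeeds before and after."""
    root = tempfile.mkdtemp(prefix="autorun-demo-")
    with open(os.path.join(root, "AutoRun.Inf"), "w") as fh:
        fh.write("[autorun]\nshell\\1\\command=RunDll32.exe .\\Thumbs.lnk,GetPic\n")
    before = can_plant_autorun(root)
    protect_root(root)
    after = can_plant_autorun(root)
    return {"planted_before": before, "planted_after": after,
            "folder_present": os.path.isdir(os.path.join(root, "autorun.inf"))}


if __name__ == "__main__":
    print("AutoRun still enabled with default mask:",
          ", ".join(autorun_enabled_types(WINDOWS_DEFAULT)))
    print("AutoRun still enabled with 0xFF:", autorun_enabled_types(DISABLE_ALL))
    print(demo_in_tempdir())
```

Three caveats a practitioner would want. First, on Windows XP SP2 of this era the policy value was not honoured consistently for every drive type until the update described in Microsoft KB967715 was installed, so the mask alone is not a complete defence there. Second, neither the mask nor the folder trick touches the verbs already cached under MountPoints2; those had to be deleted, as the OTL fix above did. Third, Flash_Disinfector also marks its folder hidden; this cross-platform version skips that attribute, and on a case-sensitive Linux filesystem the folder only blocks the exact name autorun.inf, whereas on NTFS/FAT it blocks every case variant.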

#14 lugnuts9 (Topic Starter)

Posted 13 December 2009 - 11:58 AM

OK, I installed and ran the Flash_Disinfector program. I scanned one thumb drive and the old laptop's hard drive.


- Is it normal for this program to just display a tiny window that says "Done!!" , and that is all?
- Is there any way to find out if the scan found any infections?


<<< I don't see anything on GMER and OTL log. But we will check to make sure. >>>

- OK let me know what you want me to do.



- I have to go for several hours, so I won't be able to reply here until tonight.
Thanks!

#15 Farbar (Security Developer, The Netherlands)

Posted 13 December 2009 - 12:13 PM

Is it normal for this program to just display a tiny window that says "Done!!" , and that is all?

Yes.

Is there any way to find out if the scan found any infections?

The tool makes no log. Regardless of whether a device is infected or not, the tool removes the vulnerable autorun.inf and makes a folder with the same name, to prevent any infection that uses autorun.inf from reinstalling itself on the device.
  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "Java Runtime Environment (JRE)" JRE 6 Update 17.
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u17-windows-i586.exe to install the newest version.
  • I'd like us to scan your machine with ESET OnlineScan
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    • Click the [image] button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double-click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt




