Browser Redirect/False Security Pop Ups


  • This topic is locked
25 replies to this topic

#1 EagerBeaver

  • Members
  • 14 posts

Posted 24 December 2009 - 12:11 PM

Hi, I have read through the other threads related to this topic but I'd like to have step-by-step help in fixing my problem. I don't want to attempt it on my own and end up ruining things.

I have the browser redirect which opens windows like websitesurvey and local-news-now. Also, my desktop has gone to a lime green screen with a black box which says "System Infected", with a warning not to use my pc until I download fixes. I have not clicked on any of the popups except to close them by red X. Last week, I ran A2, Adaware, malwarebytes, and AVG, which found a few trojans and deleted/quarantined, but the problem persists. Today it manifested as a system crash and the green screen on reboot.

Thanks in advance for any help on Christmas Eve

DDS log:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 10:58:38.28 on Thu 12/24/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1021.423 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\PROGRAM FILES\A-SQUARED FREE\a2service.exe
C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\winupdate86.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\winlogon86.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [notepad] rundll32.exe c:\docume~1\owner\ntload.dll,_IWMPEvents@0
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [<NO NAME>]
mRun: [CHotkey] zHotkey.exe
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [IntelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" BOOT
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [ATIMACE] MACE.exe
mRun: [PRISMSVR.EXE] "c:\windows\system32\PRISMSVR.EXE" /APPLY
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [BarbieGirlsTray] c:\program files\mattel\barbie girls\Mattel.BarbieGirls.Tray.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [AmazonGSDownloaderTray] c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderTray.exe
mRun: [notepad] rundll32.exe c:\windows\system32\notepad.dll,_IWMPEvents@0
mRun: [winupdate86.exe] c:\windows\system32\winupdate86.exe
mRun: [kakiziguv] Rundll32.exe "c:\windows\system32\mutebuka.dll",a
dRun: [notepad] rundll32.exe c:\windows\system32\config\system~1\ntload.dll,_IWMPEvents@0
StartupFolder: c:\documents and settings\owner\start menu\programs\startup\scandisk.dll
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\scandisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\BigFix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\instal~1.lnk - c:\program files\sifxinst\SIFXINST.EXE
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: &eBay Search - c:\program files\ebay\ebay toolbar2\eBayTb.dll/RCSearch.html
IE: &Search
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_02\bin\npjpi150_02.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://www.egotvonline.com/watchvideo/497/155/Turn_Me_On_2_Danny_Klein_Interview_presented_by_JVC_Mobile/
TCP: {0591BA7B-8AE4-4133-BCE8-2818BD9D6590} = 193.104.110.38,4.2.2.1,192.168.1.254
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: tuwivimo.dll c:\windows\system32\mutebuka.dll
SSODL: lalinuyun - {8cdf1ee4-17e1-4120-b73c-a332f49d15e5} - c:\windows\system32\mutebuka.dll
STS: tokatiluy: {8cdf1ee4-17e1-4120-b73c-a332f49d15e5} - c:\windows\system32\mutebuka.dll
LSA: Notification Packages = scecli zamelolo.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\6lc06y9v.default
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?.home=ytff
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-3 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-3 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-3 108552]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2009-7-19 1858144]
R2 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2009-8-21 401920]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-9-3 297752]
R2 Iprip;Network Security;c:\windows\system32\svchost.exe -k netsvcs [2005-4-13 14336]
S0 smpbfa8;smpbfa8;\SystemRoot\SystemRoot\System32\drivers\smpbfa8.sys --> \SystemRoot\SystemRoot\System32\drivers\smpbfa8.sys [?]
S1 ecfba17d.sys;ecfba17d.sys;\??\c:\windows\system32\drivers\ecfba17d.sys --> c:\windows\system32\drivers\ecfba17d.sys [?]
S3 ndisdrv;ndisdrv;c:\windows\system32\ndisdrv.sys [2005-4-13 2304]
S3 winsts;winsts;c:\windows\system32\winsts.sys [2005-4-13 2304]

=============== Created Last 30 ================

2009-12-24 16:24:33 1744 ---ha-w- c:\windows\system32\robetisi
2009-12-24 16:24:10 95 ----a-w- c:\windows\wininit.ini
2009-12-24 12:14:51 915968 ----a-w- c:\windows\system32\AVR10.exe
2009-12-24 12:14:50 16896 ----a-w- c:\windows\system32\winhelper86.dll
2009-12-24 12:14:34 2854 ----a-w- c:\windows\system32\critical_warning.html
2009-12-24 12:14:20 31232 ----a-w- c:\windows\system32\winupdate86.exe
2009-12-24 12:14:20 31232 ----a-w- c:\windows\system32\winlogon86.exe
2009-12-24 12:14:13 52736 ----a-w- C:\uwlwfa.exe
2009-12-24 12:14:08 31232 ----a-w- C:\waxfhosk.exe
2009-12-24 12:14:04 155648 ----a-w- C:\srwq.exe
2009-12-19 15:04:02 0 d-----w- c:\program files\The Magicians Handbook II BlackLore
2009-12-13 21:36:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Fugazo
2009-12-13 21:07:34 0 d-----w- c:\program files\Cooking Academy 2 World Cuisine
2009-12-13 16:37:40 0 d-----w- c:\program files\Mortimer Beckett And The Time Paradox
2009-12-13 16:07:07 0 d-----w- c:\docume~1\owner\applic~1\IronCode
2009-12-13 05:37:12 0 d-----w- c:\program files\Pahelika Secret Legends
2009-12-01 05:21:36 0 d-----w- c:\docume~1\alluse~1\applic~1\FarmFrenzy-PizzaParty
2009-12-01 04:40:11 0 d-----w- c:\program files\Farm Frenzy Pizza Party

==================== Find3M ====================

2009-12-22 22:22:40 284 ----a-w- c:\docume~1\owner\applic~1\wklnhst.dat
2009-12-06 06:21:31 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-03 22:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 22:13:56 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-10-29 05:48:04 662016 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 06:00:55 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00:55 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:53:29 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54:17 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54:17 112128 ----a-w- c:\windows\system32\rastls.dll
2009-09-24 12:19:49 45568 --sha-w- c:\windows\system32\bibasivo.dll
2009-09-24 12:19:49 39424 --sha-w- c:\windows\system32\tegimeru.dll
2009-09-24 12:14:29 52736 --sha-w- c:\windows\system32\tuwivimo.dll
2009-09-24 12:14:26 52736 --sha-w- c:\windows\system32\zamelolo.dll
2009-09-24 12:14:28 52736 --sha-w- c:\windows\system32\zazijiva.dll
2009-03-21 14:18:57 27136 --sha-w- c:\windows\system32\config\systemprofile\start menu\programs\startup\scandisk.dll

============= FINISH: 11:00:42.62 ===============

attach.txt file
rootrepeal file

Edited by garmanma, 24 December 2009 - 01:33 PM.



#2 Farbar

    Just Curious

  • Security Developer
  • 21,706 posts
  • Gender:Male
  • Location:The Netherlands

Posted 24 December 2009 - 01:42 PM

Hi EagerBeaver,

Welcome to the BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Please don't reboot the system after running the fix.
  • Open Notepad (Start > Run and type in Notepad) and make sure that Word Wrap under the Format menu is not selected.
    Copy and paste the text in the code box into it.

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

    • Save the file to the desktop as regfix.reg
    • Make sure the Save as type field says All files.
    • Locate regfix.reg on the desktop, double-click on it and confirm.
    • A window pops up asking if you are sure you want to add the file to the registry. Click Yes.
    • You get another popup window saying that regfix.reg was successfully added to the registry.
    Note: You have to turn off any registry protector software you have in order for the changes to take effect.

  • Please download OTL by OldTimer.
    • Save it to your desktop.
    • Double-click on the OTL icon on your desktop.
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Copy and paste the following into the Custom Scan/Fixes section:

      c:\windows\system32\userinit.exe
    • Click the Run Scan button.
    • Two reports will open; copy and paste them into your reply:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
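The persistence points that the DDS log in the first post exposes, and that the reg fix above starts to undo (the Userinit hijack, AppInit_DLLs, the SSODL entry, the extra LSA package, the unexpected DNS server, the Hosts override and the autorun binaries created the same day), can be triaged mechanically. This is an added Python example, not part of DDS, OTL or farbar's instructions; the rules, the trusted-DNS set and the expected Userinit value are assumptions, and the sample lines are constructed from the first post's log with backslashes restored.

```python
"""Triage a DDS log for the persistence points abused in this thread.

Added example, not part of DDS, OTL or farbar's fix. The rules encode what an
analyst checks first and are assumptions; SAMPLE_LOG is constructed from the
first post's DDS output with the stripped backslashes restored.
"""
import re

# Constructed sample: a subset of the first post's DDS log.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
mWinlogon: Userinit=c:\windows\system32\winlogon86.exe
uRun: [notepad] rundll32.exe c:\docume~1\owner\ntload.dll,_IWMPEvents@0
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [winupdate86.exe] c:\windows\system32\winupdate86.exe
mRun: [kakiziguv] Rundll32.exe "c:\windows\system32\mutebuka.dll",a
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
TCP: {0591BA7B-8AE4-4133-BCE8-2818BD9D6590} = 193.104.110.38,4.2.2.1,192.168.1.254
AppInit_DLLs: tuwivimo.dll c:\windows\system32\mutebuka.dll
SSODL: lalinuyun - {8cdf1ee4-17e1-4120-b73c-a332f49d15e5} - c:\windows\system32\mutebuka.dll
LSA: Notification Packages = scecli zamelolo.dll
Hosts: 127.0.0.1 www.spywareinfo.com
=============== Created Last 30 ================
2009-12-24 12:14:20 31232 ----a-w- c:\windows\system32\winupdate86.exe
2009-12-24 12:14:20 31232 ----a-w- c:\windows\system32\winlogon86.exe
"""

# What a clean Windows XP box should show (assumptions for this triage).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
KNOWN_LSA_PACKAGES = {"scecli"}
TRUSTED_DNS = {"192.168.1.254", "4.2.2.1"}  # the gateway and the user's public resolver
LOCKDOWN_POLICIES = {"DisableTaskMgr", "NoSetActiveDesktop", "NoActiveDesktopChanges"}

FILE_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+\S+\s+(\S.*)$")
WIN_PATH = re.compile(r'[a-z]:\\[^\s",]+', re.I)
RUNDLL_LOADER = re.compile(r"\[[^\]]*\]\s+rundll32(\.exe)?\s", re.I)


def recently_created(log_text):
    """Paths listed under DDS's 'Created Last 30' section, lower-cased."""
    paths, in_section = set(), False
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("="):
            in_section = "created last 30" in line.lower()
            continue
        m = FILE_LINE.match(line)
        if in_section and m:
            paths.add(m.group(1).lower())
    return paths


def triage(log_text):
    """Return (severity, reason, line) for each suspicious DDS line."""
    new_files = recently_created(log_text)
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("=") or FILE_LINE.match(line):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()

        if key.endswith("Winlogon") and value.lower().startswith("userinit="):
            target = value.split("=", 1)[1].strip().rstrip(",").lower()
            if target != EXPECTED_USERINIT:
                findings.append(("HIGH", "Winlogon Userinit replaced by " + target, line))
        elif key == "AppInit_DLLs" and value:
            findings.append(("HIGH", "AppInit_DLLs injects a DLL into every process", line))
        elif key in ("SSODL", "STS"):
            findings.append(("HIGH", "Shell load point %s registered" % key, line))
        elif key == "LSA":
            extra = set(value.split("=", 1)[1].split()) - KNOWN_LSA_PACKAGES
            if extra:
                findings.append(("HIGH", "Unknown LSA notification package: " + ", ".join(sorted(extra)), line))
        elif key.endswith(("Policies-system", "Policies-explorer")):
            name, _, setting = value.partition("=")
            if name.strip() in LOCKDOWN_POLICIES and setting.strip().startswith("1"):
                findings.append(("MEDIUM", "Lockdown policy %s is set" % name.strip(), line))
        elif key == "TCP":
            rogue = {s.strip() for s in value.split("=", 1)[1].split(",")} - TRUSTED_DNS
            if rogue:
                findings.append(("HIGH", "Untrusted DNS server: " + ", ".join(sorted(rogue)), line))
        elif key == "Hosts":
            findings.append(("HIGH", "Hosts file override (blocks a security site)", line))
        elif key.endswith("Run"):
            paths = [p.lower() for p in WIN_PATH.findall(value)]
            if any(p in new_files for p in paths):
                findings.append(("HIGH", "Autorun target was created in the last 30 days", line))
            elif RUNDLL_LOADER.match(value):
                findings.append(("MEDIUM", "rundll32 used as a loader; verify the DLL it loads", line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print("%-6s %s\n       %s" % (severity, reason, line))
```

Run against a full DDS log the same way; a legitimate entry such as the AVG tray line produces no finding, which is the control case for the rules.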


#3 EagerBeaver
  • Topic Starter

  • Members
  • 14 posts

Posted 24 December 2009 - 04:13 PM

Thanks farbar:

Here's the "OTL" report:


OTL logfile created on: 12/24/2009 3:00:20 PM - Run 1
OTL by OldTimer - Version 3.1.20.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,021.00 Mb Total Physical Memory | 352.00 Mb Available Physical Memory | 34.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 228.23 Gb Total Space | 179.92 Gb Free Space | 78.83% Space Free | Partition Type: NTFS
Drive D: | 4.64 Gb Total Space | 2.41 Gb Free Space | 51.87% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
Drive F: | 577.14 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: KATHY
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/12/24 14:55:59 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2009/12/24 06:14:08 | 00,031,232 | ---- | M] (EaGgfFYBq) -- C:\WINDOWS\system32\winupdate86.exe
PRC - [2009/12/12 11:51:00 | 01,858,144 | ---- | M] (Emsi Software GmbH) -- C:\Program Files\a-squared Free\a2service.exe
PRC - [2009/12/12 08:36:02 | 02,043,160 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2009/12/04 21:16:16 | 07,678,568 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/10/23 12:31:44 | 00,401,920 | ---- | M] (Amazon.com) -- C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
PRC - [2009/10/23 12:31:44 | 00,326,144 | ---- | M] (Amazon.com) -- C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe
PRC - [2009/09/03 21:45:44 | 00,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2009/09/03 21:45:44 | 00,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/09/03 21:45:35 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2008/06/02 10:13:26 | 00,267,048 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2008/06/02 10:13:16 | 00,504,104 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2008/05/27 09:50:30 | 00,413,696 | ---- | M] (Apple Inc.) -- C:\Program Files\QuickTime\QTTask.exe
PRC - [2007/10/31 14:09:16 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2007/06/13 04:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/03/14 20:59:22 | 00,024,576 | ---- | M] () -- C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe
PRC - [2005/08/12 11:11:58 | 00,172,032 | ---- | M] (New Boundary Technologies, Inc.) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
PRC - [2005/06/28 21:55:40 | 00,376,832 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2005/06/28 21:05:00 | 00,344,064 | ---- | M] (ATI Technologies, Inc.) -- C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
PRC - [2004/11/15 16:04:32 | 00,135,168 | ---- | M] (Alcor Micro, Corp.) -- C:\Program Files\Digital Media Reader\shwiconEM.exe
PRC - [2004/11/02 21:24:46 | 00,032,768 | ---- | M] (Cyberlink Corp.) -- C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
PRC - [2003/04/06 01:17:18 | 00,147,456 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
PRC - [2003/04/06 01:06:58 | 00,028,672 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
PRC - [2003/04/06 00:55:04 | 00,311,296 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
PRC - [2003/04/06 00:45:10 | 00,286,720 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
PRC - [2002/07/31 11:22:26 | 01,742,384 | ---- | M] (BigFix Inc.) -- C:\Program Files\BigFix\BigFix.exe


========== Modules (SafeList) ==========

MOD - [2009/12/24 14:55:59 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
MOD - [2009/09/24 06:14:29 | 00,052,736 | -HS- | M] () -- C:\WINDOWS\system32\tuwivimo.dll
MOD - [2006/08/25 09:45:55 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/12/12 11:51:00 | 01,858,144 | ---- | M] (Emsi Software GmbH) [Auto | Running] -- C:\PROGRAM FILES\A-SQUARED FREE\a2service.exe -- (a2free)
SRV - [2009/10/23 12:31:44 | 00,401,920 | ---- | M] (Amazon.com) [Auto | Running] -- C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe -- (Amazon Download Agent)
SRV - [2009/09/03 21:45:35 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2008/06/02 10:13:16 | 00,504,104 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2007/10/31 14:09:16 | 00,110,592 | ---- | M] (Apple, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2005/08/12 11:11:58 | 00,172,032 | ---- | M] (New Boundary Technologies, Inc.) [Auto | Running] -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- (PrismXL)
SRV - [2005/06/28 21:55:40 | 00,376,832 | ---- | M] (ATI Technologies Inc.) [Auto | Running] -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2005/06/28 21:05:00 | 00,516,096 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart)
SRV - [2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/08/10 13:00:00 | 00,061,440 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\Ipripv32.dll -- (Iprip)
SRV - [2003/07/28 13:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2003/03/08 22:31:02 | 00,065,795 | R--- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - [2009/09/06 09:35:03 | 00,045,344 | ---- | M] () [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\smpbfa8.sys -- (smpbfa8)
DRV - [2009/09/03 21:46:20 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2009/09/03 21:46:15 | 00,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/09/03 21:46:14 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2008/01/29 11:01:28 | 00,016,168 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2007/11/13 04:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2006/10/30 20:42:26 | 00,044,288 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2005/08/12 11:15:07 | 00,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2005/07/20 14:37:22 | 00,035,712 | ---- | M] (Sonic Focus, Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sfng32.sys -- (sfng32)
DRV - [2005/07/18 19:40:40 | 01,019,064 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2005/06/28 22:01:58 | 01,241,088 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/04/25 11:56:18 | 00,889,628 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm)
DRV - [2005/03/05 02:10:38 | 00,157,696 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e100b325.sys -- (E100B) Intel®
DRV - [2004/11/15 18:41:54 | 00,036,804 | ---- | M] (Alcor Micro Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Sunkfilt.sys -- (SunkFilt)
DRV - [2004/11/10 18:30:18 | 00,024,832 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2004/10/07 19:16:04 | 00,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2004/08/12 18:45:54 | 00,137,728 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
DRV - [2004/08/10 13:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/08/10 13:00:00 | 00,002,304 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\winsts.sys -- (winsts)
DRV - [2004/08/10 13:00:00 | 00,002,304 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\ndisdrv.sys -- (ndisdrv)
DRV - [2004/08/10 11:39:56 | 00,019,840 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2004/08/04 07:07:44 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2004/08/04 07:07:44 | 00,041,088 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2004/08/03 23:29:56 | 01,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/06/17 16:56:22 | 00,220,032 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2004/06/17 16:55:38 | 00,685,056 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/06/17 16:55:04 | 01,041,536 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2004/04/13 19:20:08 | 00,015,781 | R--- | M] (Meetinghouse Data Communications) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdc8021x.sys -- (MDC8021X) AEGIS Protocol (IEEE 802.1x)
DRV - [2004/03/17 13:04:14 | 00,013,059 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV - [2003/03/08 22:31:02 | 00,021,456 | R--- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12)
DRV - [2003/03/08 22:31:02 | 00,016,080 | R--- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12)
DRV - [2003/03/08 22:31:00 | 00,051,024 | R--- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hpzid412.sys -- (HPZid412)
DRV - [2003/01/10 15:13:04 | 00,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2001/08/17 22:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 22:07:42 | 00,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 22:07:40 | 00,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 22:07:36 | 00,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 22:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 21:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 21:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 21:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 21:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 21:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 21:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 21:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 21:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 21:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 21:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/08/17 14:49:32 | 00,019,968 | ---- | M] (Macronix International Co., Ltd. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mxnic.sys -- (mxnic)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1657600060-2263395094-2059379632-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-1657600060-2263395094-2059379632-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-1657600060-2263395094-2059379632-1006\Software\Microsoft\Internet Explorer\SearchURL\CNNSI, = search.sportsillustrated.cnn.com/pages/search.jsp?query=%s
IE - HKU\S-1-5-21-1657600060-2263395094-2059379632-1006\Software\Microsoft\Internet Explorer\SearchURL\Dictionary, = dictionary.reference.com/search?q=%s
IE - HKU\S-1-5-21-1657600060-2263395094-2059379632-1006\Software\Microsoft\Internet Explorer\SearchURL\Google, = google.com/search?q=%s
IE - HKU\S-1-5-21-1657600060-2263395094-2059379632-1006\Software\Microsoft\Internet Explorer\SearchURL\GoogleGroups, = groups-beta.google.com/groups?q=%s
IE - HKU\S-1-5-21-1657600060-2263395094-2059379632-1006\Software\Microsoft\Internet Explorer\SearchURL\GoogleImages, = images.google.com/images?hl=en&lr=&q=%s
IE - HKU\S-1-5-21-1657600060-2263395094-2059379632-1006\Software\Microsoft\Internet Explorer\SearchURL\GoogleNews, = news.google.com/news?tab=gn&hl=en&ie=UTF-8&q=%s&btnG=Search+News
IE - HKU\S-1-5-21-1657600060-2263395094-2059379632-1006\Software\Microsoft\Internet Explorer\SearchURL\KB, = support.microsoft.com/search/default.aspx?query=%s
IE - HKU\S-1-5-21-1657600060-2263395094-2059379632-1006\Software\Microsoft\Internet Explorer\SearchURL\KBDLL, = support.microsoft.com/dllhelp/default.aspx?dlltype=file&l=55&alpha=%s&S=1
IE - HKU\S-1-5-21-1657600060-2263395094-2059379632-1006\Software\Microsoft\Internet Explorer\SearchURL\Movies, = fandango.com/my_box_office.asp?searchby=2&txtCityZip=%s
IE - HKU\S-1-5-21-1657600060-2263395094-2059379632-1006\Software\Microsoft\Internet Explorer\SearchURL\MSN, = search.msn.com/results.asp?q=%s
IE - HKU\S-1-5-21-1657600060-2263395094-2059379632-1006\Software\Microsoft\Internet Explorer\SearchURL\Thesaurus, = thesaurus.reference.com/search?q=%s
IE - HKU\S-1-5-21-1657600060-2263395094-2059379632-1006\Software\Microsoft\Internet Explorer\SearchURL\Weather, = weather.com/weather/local/%s
IE - HKU\S-1-5-21-1657600060-2263395094-2059379632-1006\Software\Microsoft\Internet Explorer\SearchURL\Yahoo, = search.yahoo.com/search?p=%s
IE - HKU\S-1-5-21-1657600060-2263395094-2059379632-1006\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-1657600060-2263395094-2059379632-1006\..\URLSearchHook: *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-1657600060-2263395094-2059379632-1006\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-21-1657600060-2263395094-2059379632-1006\S-1-5-21-1657600060-2263395094-2059379632-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
FF - prefs.js..browser.search.selectedEngine: "Yahoo! Search"
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/?.home=ytff"

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG8\Firefox [2009/12/22 08:24:00 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared [2009/10/17 07:52:57 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Flock\Extensions\\Plugins: C:\Program Files\Flock\flock\plugins [2008/06/18 16:21:51 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Flock\Extensions\\Components: C:\Program Files\Flock\flock\components [2008/06/18 16:21:00 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.20\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/04 21:16:23 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.20\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/04 21:16:23 | 00,000,000 | ---D | M]

[2009/10/19 07:04:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6lc06y9v.default\extensions
[2007/02/03 12:12:28 | 00,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6lc06y9v.default\extensions\{075538f3-a7a9-498a-8e0d-12f2e2ff862a}
[2007/02/03 12:19:33 | 00,000,000 | ---D | M] (Ebay Negs!) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6lc06y9v.default\extensions\{265b0520-499e-11d9-9669-0800200c9a66}
[2007/02/03 12:05:17 | 00,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6lc06y9v.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}
[2007/02/03 12:11:24 | 00,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6lc06y9v.default\extensions\{74b288e6-77b6-41c7-8138-bb81f4539689}
[2007/02/03 12:02:32 | 00,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6lc06y9v.default\extensions\{800e72c4-0a2c-4bc5-a10a-1ee66dfd762a}
[2009/05/11 14:32:29 | 00,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6lc06y9v.default\extensions\{8B72860F-C5F8-4286-865E-D2C2DB98A9E6}
[2007/02/03 12:10:45 | 00,000,000 | ---D | M] (Blue Ice) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6lc06y9v.default\extensions\{a8dd47cf-239f-48c4-8379-e6b4cbafdcfa}
[2009/05/11 14:27:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6lc06y9v.default\extensions\exif_viewer@mozilla.doslash.org
[2007/02/03 12:14:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6lc06y9v.default\extensions\ffe_opaque@game-point.net
[2009/09/17 17:52:54 | 00,001,854 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6lc06y9v.default\searchplugins\all-the-internet.xml
[2007/03/27 11:29:24 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/12/04 21:16:23 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\inspector@mozilla.org
[2009/12/04 21:16:23 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org
[2009/12/04 21:16:07 | 00,067,688 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jar50.dll
[2009/12/04 21:16:08 | 00,054,368 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jsd3250.dll
[2009/12/04 21:16:08 | 00,034,944 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\myspell.dll
[2009/12/04 21:16:11 | 00,046,712 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\spellchk.dll
[2009/12/04 21:16:11 | 00,172,136 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\xpinstal.dll
[2007/08/09 13:44:41 | 00,147,456 | ---- | M] (PopCap Games) -- C:\Program Files\Mozilla Firefox\plugins\nppopcaploader.dll

O1 HOSTS File: (327693 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 11212 more lines...
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-1657600060-2263395094-2059379632-1006\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKU\S-1-5-21-1657600060-2263395094-2059379632-1006\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-1657600060-2263395094-2059379632-1006\..\Toolbar\WebBrowser: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No CLSID value found.
O3 - HKU\S-1-5-21-1657600060-2263395094-2059379632-1006\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [AmazonGSDownloaderTray] C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe (Amazon.com)
O4 - HKLM..\Run: [ATIMACE] File not found
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [BarbieGirlsTray] C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe ()
O4 - HKLM..\Run: [CHotkey] File not found
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelAudioStudio] C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe (Intel Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [kakiziguv] C:\WINDOWS\System32\mutebuka.DLL File not found
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [notepad] C:\WINDOWS\System32\notepad.DLL File not found
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [PRISMSVR.EXE] C:\WINDOWS\System32\PRISMSVR.EXE File not found
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (Cyberlink Corp.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] File not found
O4 - HKLM..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconEM.exe (Alcor Micro, Corp.)
O4 - HKLM..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe (EaGgfFYBq)
O4 - HKU\.DEFAULT..\Run: [notepad] C:\WINDOWS\System32\config\SYSTEM~1\ntload.DLL File not found
O4 - HKU\S-1-5-18..\Run: [notepad] C:\WINDOWS\System32\config\SYSTEM~1\ntload.DLL File not found
O4 - HKU\S-1-5-21-1657600060-2263395094-2059379632-1006..\Run: [NBJ] C:\Program Files\Ahead\Nero BackItUp\NBJ.exe (Ahead Software AG)
O4 - HKU\S-1-5-21-1657600060-2263395094-2059379632-1006..\Run: [notepad] C:\DOCUME~1\Owner\ntload.DLL File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk = C:\Program Files\BigFix\BigFix.exe (BigFix Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe (Hewlett-Packard)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE (New Boundary Technologies, Inc.)
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\scandisk.dll ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1657600060-2263395094-2059379632-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1657600060-2263395094-2059379632-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\S-1-5-21-1657600060-2263395094-2059379632-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O7 - HKU\S-1-5-21-1657600060-2263395094-2059379632-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O8 - Extra context menu item: &Yahoo! Search - C:\Program Files\Yahoo!\Common [2006/12/07 15:15:34 | 00,000,000 | ---D | M]
O8 - Extra context menu item: Yahoo! &Dictionary - C:\Program Files\Yahoo!\Common [2006/12/07 15:15:34 | 00,000,000 | ---D | M]
O8 - Extra context menu item: Yahoo! &Maps - C:\Program Files\Yahoo!\Common [2006/12/07 15:15:34 | 00,000,000 | ---D | M]
O8 - Extra context menu item: Yahoo! &SMS - C:\Program Files\Yahoo!\Common [2006/12/07 15:15:34 | 00,000,000 | ---D | M]
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\NPJPI150_02.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll (Yahoo! Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKLM\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-1657600060-2263395094-2059379632-1006\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\common\yinsthelper.dll (YInstStarter Class)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} http://acs.pandasoftware.com/activescan/as5free/asinst.cab (ActiveScan Installer Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - AppInit_DLLs: (tuwivimo.dll) - C:\WINDOWS\System32\tuwivimo.dll ()
O20 - AppInit_DLLs: (c:\windows\system32\mutebuka.dll) - C:\WINDOWS\System32\mutebuka.dll File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O21 - SSODL: lalinuyun - {8cdf1ee4-17e1-4120-b73c-a332f49d15e5} - C:\WINDOWS\System32\mutebuka.dll File not found
O22 - SharedTaskScheduler: {8cdf1ee4-17e1-4120-b73c-a332f49d15e5} - tokatiluy - C:\WINDOWS\System32\mutebuka.dll File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/04/13 11:20:25 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/09/13 12:15:24 | 00,000,053 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
O32 - AutoRun File - [2007/08/17 14:29:12 | 01,070,488 | R--- | M] (Microsoft Corporation) - F:\autorun.exe -- [ CDFS ]
O32 - AutoRun File - [2007/06/04 11:38:36 | 00,000,167 | R--- | M] () - F:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{5bbf6df1-0b51-11da-bd5a-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{5bbf6df1-0b51-11da-bd5a-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{e03e4405-2402-11da-93f4-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{e03e4405-2402-11da-93f4-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2009/12/24 14:56:03 | 00,514,048 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2009/12/24 11:21:57 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Owner\Desktop\RootRepeal.exe
[2009/12/24 06:14:51 | 00,915,968 | ---- | C] (fSSvXQ) -- C:\WINDOWS\System32\AVR10.exe
[2009/12/24 06:14:20 | 00,031,232 | ---- | C] (EaGgfFYBq) -- C:\WINDOWS\System32\winupdate86.exe
[2009/12/24 06:14:20 | 00,031,232 | ---- | C] (EaGgfFYBq) -- C:\WINDOWS\System32\winlogon86.exe
[2009/12/24 06:14:08 | 00,031,232 | ---- | C] (EaGgfFYBq) -- C:\waxfhosk.exe
[2009/12/24 06:14:04 | 00,155,648 | ---- | C] (Microsoft Corporation) -- C:\srwq.exe
[2009/12/19 09:04:02 | 00,000,000 | ---D | C] -- C:\Program Files\The Magicians Handbook II BlackLore
[2009/12/13 15:36:23 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Fugazo
[2009/12/13 15:07:34 | 00,000,000 | ---D | C] -- C:\Program Files\Cooking Academy 2 World Cuisine
[2009/12/13 11:00:43 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\TimeParadox
[2009/12/13 10:37:40 | 00,000,000 | ---D | C] -- C:\Program Files\Mortimer Beckett And The Time Paradox
[2009/12/13 10:07:07 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\IronCode
[2009/12/12 23:37:12 | 00,000,000 | ---D | C] -- C:\Program Files\Pahelika Secret Legends
[2009/12/08 20:57:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2009/11/30 23:21:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\FarmFrenzy-PizzaParty
[2009/11/30 22:40:11 | 00,000,000 | ---D | C] -- C:\Program Files\Farm Frenzy Pizza Party
[2009/09/03 21:44:32 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/09/03 21:44:32 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/09/03 21:44:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/09/03 21:44:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2008/01/05 07:59:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/12/24 15:07:45 | 00,001,744 | -H-- | M] () -- C:\WINDOWS\System32\robetisi
[2009/12/24 14:55:59 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2009/12/24 14:55:07 | 00,000,137 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\regfix.reg
[2009/12/24 11:22:37 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\settings.dat
[2009/12/24 11:21:59 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Owner\Desktop\RootRepeal.exe
[2009/12/24 10:58:21 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2009/12/24 10:40:19 | 00,915,968 | ---- | M] (fSSvXQ) -- C:\WINDOWS\System32\AVR10.exe
[2009/12/24 10:40:08 | 00,000,724 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/12/24 10:40:05 | 00,016,896 | ---- | M] () -- C:\WINDOWS\System32\winhelper86.dll
[2009/12/24 10:39:56 | 00,002,854 | ---- | M] () -- C:\WINDOWS\System32\critical_warning.html
[2009/12/24 10:31:48 | 00,001,170 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/24 10:31:44 | 00,000,433 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.ics
[2009/12/24 10:31:11 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/24 10:31:07 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/24 10:31:04 | 10,710,63040 | -HS- | M] () -- C:\hiberfil.sys
[2009/12/24 10:24:58 | 06,553,600 | -H-- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT
[2009/12/24 10:24:58 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2009/12/24 10:24:45 | 03,179,258 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2009/12/24 10:24:10 | 00,000,095 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2009/12/24 08:57:30 | 46,994,093 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/12/24 08:57:30 | 00,127,929 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/12/24 06:14:16 | 00,000,649 | -HS- | M] () -- C:\Documents and Settings\Owner\Start Menu\Programs\Startup\scandisk.lnk
[2009/12/24 06:14:14 | 00,052,736 | ---- | M] () -- C:\uwlwfa.exe
[2009/12/24 06:14:08 | 00,155,648 | ---- | M] (Microsoft Corporation) -- C:\srwq.exe
[2009/12/24 06:14:08 | 00,031,232 | ---- | M] (EaGgfFYBq) -- C:\WINDOWS\System32\winupdate86.exe
[2009/12/24 06:14:08 | 00,031,232 | ---- | M] (EaGgfFYBq) -- C:\WINDOWS\System32\winlogon86.exe
[2009/12/24 06:14:08 | 00,031,232 | ---- | M] (EaGgfFYBq) -- C:\waxfhosk.exe
[2009/12/22 16:22:40 | 00,018,944 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\tvschedfall09.xlr
[2009/12/22 16:22:40 | 00,000,284 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\wklnhst.dat
[2009/12/22 15:25:05 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/12/19 09:04:17 | 00,000,958 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\The Magicians Handbook II BlackLore.lnk
[2009/12/17 08:42:50 | 00,000,522 | ---- | M] () -- C:\hpfr3420.xml
[2009/12/14 06:44:13 | 00,521,766 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/12/14 06:44:13 | 00,441,124 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/12/14 06:44:13 | 00,071,060 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/12/13 15:08:05 | 00,000,878 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Cooking Academy 2 World Cuisine.lnk
[2009/12/13 10:38:34 | 00,000,940 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Mortimer Beckett And The Time Paradox.lnk
[2009/12/12 23:37:33 | 00,000,822 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Pahelika Secret Legends.lnk
[2009/12/12 23:16:54 | 02,669,088 | ---- | M] (Amazon ) -- C:\Documents and Settings\Owner\Desktop\AmazonGSDownloaderSetup.exe
[2009/12/10 03:02:18 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/12/06 00:21:31 | 00,095,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\atapi.sys
[2009/12/04 22:48:38 | 00,327,693 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/11/30 22:40:21 | 00,000,847 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Farm Frenzy Pizza Party.lnk
[2009/11/27 18:12:19 | 00,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/11/27 18:05:58 | 00,037,888 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/24 14:55:07 | 00,000,137 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\regfix.reg
[2009/12/24 11:22:37 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\settings.dat
[2009/12/24 10:58:25 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2009/12/24 10:24:33 | 00,001,744 | -H-- | C] () -- C:\WINDOWS\System32\robetisi
[2009/12/24 10:24:10 | 00,000,095 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/12/24 06:14:50 | 00,016,896 | ---- | C] () -- C:\WINDOWS\System32\winhelper86.dll
[2009/12/24 06:14:34 | 00,002,854 | ---- | C] () -- C:\WINDOWS\System32\critical_warning.html
[2009/12/24 06:14:13 | 00,052,736 | ---- | C] () -- C:\uwlwfa.exe
[2009/12/19 09:04:17 | 00,000,958 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\The Magicians Handbook II BlackLore.lnk
[2009/12/13 15:08:05 | 00,000,878 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Cooking Academy 2 World Cuisine.lnk
[2009/12/13 10:38:34 | 00,000,940 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Mortimer Beckett And The Time Paradox.lnk
[2009/12/12 23:37:33 | 00,000,822 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Pahelika Secret Legends.lnk
[2009/11/30 22:40:21 | 00,000,847 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Farm Frenzy Pizza Party.lnk
[2009/09/24 06:19:49 | 00,045,568 | -HS- | C] () -- C:\WINDOWS\System32\bibasivo.dll
[2009/09/24 06:19:49 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\tegimeru.dll
[2009/09/24 06:14:29 | 00,052,736 | -HS- | C] () -- C:\WINDOWS\System32\tuwivimo.dll
[2009/09/24 06:14:28 | 00,052,736 | -HS- | C] () -- C:\WINDOWS\System32\zazijiva.dll
[2009/09/24 06:14:26 | 00,052,736 | -HS- | C] () -- C:\WINDOWS\System32\zamelolo.dll
[2009/09/05 12:49:24 | 00,045,344 | ---- | C] () -- C:\WINDOWS\System32\drivers\smpbfa8.sys
[2007/05/31 11:12:16 | 00,011,776 | ---- | C] () -- C:\WINDOWS\System32\ZPORT4AS.dll
[2007/01/15 13:56:48 | 00,000,284 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\wklnhst.dat
[2006/11/21 23:57:42 | 00,000,537 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2006/10/24 15:15:47 | 00,000,321 | ---- | C] () -- C:\WINDOWS\qtw.ini
[2006/05/02 16:38:24 | 00,000,748 | ---- | C] () -- C:\WINDOWS\SetBrowser.ini
[2006/04/19 13:57:02 | 00,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/01/12 19:16:13 | 00,000,203 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2006/01/12 19:15:35 | 00,561,152 | R--- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[2005/12/30 23:27:13 | 00,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2005/12/30 13:34:59 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2005/12/29 19:38:47 | 00,037,888 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/08/12 11:13:49 | 00,532,544 | ---- | C] () -- C:\WINDOWS\PIC.dll
[2005/08/12 11:13:49 | 00,024,576 | ---- | C] () -- C:\WINDOWS\HKNTDLL.dll
[2005/08/12 11:10:40 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/04/13 13:02:03 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/04/13 10:57:05 | 00,001,270 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2005/04/13 10:57:05 | 00,000,494 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2005/04/13 10:55:46 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\Ipripv32.dll
[2005/04/13 10:55:46 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\Iasv32.dll
[2005/04/13 10:55:46 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\6to4v32.dll
[2005/04/13 10:55:46 | 00,002,304 | ---- | C] () -- C:\WINDOWS\System32\winsts.sys
[2005/04/13 10:55:46 | 00,002,304 | ---- | C] () -- C:\WINDOWS\System32\ndisdrv.sys
[2003/01/07 16:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Custom Scans ==========


< c:\windows\sytem32\userinit.exe >

========== Alternate Data Streams ==========

@Alternate Data Stream - 204 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:98DFF516
< End of report >

And here's the "Extra" report:


OTL Extras logfile created on: 12/24/2009 3:00:21 PM - Run 1
OTL by OldTimer - Version 3.1.20.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,021.00 Mb Total Physical Memory | 352.00 Mb Available Physical Memory | 34.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 228.23 Gb Total Space | 179.92 Gb Free Space | 78.83% Space Free | Partition Type: NTFS
Drive D: | 4.64 Gb Total Space | 2.41 Gb Free Space | 51.87% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
Drive F: | 577.14 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: KATHY
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /k "cd %L" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader -- (America Online, Inc.)
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe" = C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe:*:Enabled:AOLTsMon -- File not found
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe" = C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe:*:Enabled:AOLTopSpeed -- File not found
"C:\Program Files\Common Files\AOL\1123866854\EE\AOLServiceHost.exe" = C:\Program Files\Common Files\AOL\1123866854\EE\AOLServiceHost.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\System Information\sinf.exe" = C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe" = C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe" = C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe" = C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Microsoft Games\Age of Empires III\age3.exe" = C:\Program Files\Microsoft Games\Age of Empires III\age3.exe:*:Enabled:Age of Empires 3 -- (Ensemble Studios)
"C:\Documents and Settings\Owner\MY PROGRAMS\FTP\WS_FTP95.exe" = C:\Documents and Settings\Owner\MY PROGRAMS\FTP\WS_FTP95.exe:*:Enabled:WS_FTP 95 -- (Ipswitch, Inc. 81 Hartwell Ave. Lexington, MA)
"C:\NeverwinterNights\NWN\nwmain.exe" = C:\NeverwinterNights\NWN\nwmain.exe:*:Enabled:Neverwinter Nights -- (Bioware Corp.)
"C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer -- (RealNetworks, Inc.)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- File not found
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server -- File not found
"C:\Program Files\Microsoft Games\Age of Empires III\age3x.exe" = C:\Program Files\Microsoft Games\Age of Empires III\age3x.exe:*:Enabled:Age of Empires III - The WarChiefs -- (Ensemble Studios)
"C:\Program Files\EA GAMES\The Battle for Middle-earth ™\game.dat" = C:\Program Files\EA GAMES\The Battle for Middle-earth ™\game.dat:*:Enabled:The Battle for Middle-earth ™ -- File not found
"C:\Program Files\EA GAMES\The Battle for Middle-earth ™\patchget.dat" = C:\Program Files\EA GAMES\The Battle for Middle-earth ™\patchget.dat:*:Enabled:patchgrabber -- File not found
"C:\Program Files\Microsoft Games\Rise of Nations\rise.exe" = C:\Program Files\Microsoft Games\Rise of Nations\rise.exe:*:Enabled:Rise of Nations -- (Big Huge Games, Inc.)
"C:\Program Files\Microsoft Games\Rise of Nations\thrones.exe" = C:\Program Files\Microsoft Games\Rise of Nations\thrones.exe:*:Enabled:Rise of Nations -- (Big Huge Games, Inc.)
"C:\Program Files\Microsoft Games\Rise of Nations\patriots.exe" = C:\Program Files\Microsoft Games\Rise of Nations\patriots.exe:*:Enabled:Rise of Nations -- (Big Huge Games, Inc.)
"C:\Program Files\Microsoft Games\Age of Empires III\age3y.exe" = C:\Program Files\Microsoft Games\Age of Empires III\age3y.exe:*:Enabled:Age of Empires III - The Asian Dynasties -- (Microsoft Corporation)
"C:\Program Files\Black Isle\Icewind Dale II\IWD2.exe" = C:\Program Files\Black Isle\Icewind Dale II\IWD2.exe:*:Disabled:Icewind Dale II -- (Interplay Entertainment Corp.)
"C:\WINDOWS\system32\dplaysvr.exe" = C:\WINDOWS\system32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper -- (Microsoft Corporation)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG8\avgnsx.exe" = C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\WINDOWS\Temp\IXP000.TMP\pa0821.exe" = C:\WINDOWS\Temp\IXP000.TMP\pa0821.exe:*:Enabled:pa0821 -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01501EBA-EC35-4F9F-8889-3BE346E5DA13}" = MSXML4 Parser
"{02DFF6B1-1654-411C-8D7B-FD6052EF016F}" = Apple Software Update
"{08CA9554-B5FE-4313-938F-D4A417B81175}" = QuickTime
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0CB3C535-1171-4A20-B549-E2CB5DEB9723}" = MySQL Connector/ODBC 3.51
"{15377C3E-9655-400F-B441-E69F0A6BEAFE}" = Recovery Software Suite Gateway
"{16B18999-56D7-4E8F-A40C-385E68A6D0CD}" = Barbie Girls
"{1777A08D-668D-4A6F-8CB7-248E5547F0E4}" = ClickArt 750,000
"{1C08A24C-B168-407E-A826-68FAF5F20710}" = Age of Empires III - The WarChiefs
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{24E3FB60-4589-45A1-9C7D-19184D1368FC}" = ATI MCE Control Panel
"{3248F0A8-6813-11D6-A77B-00B0D0150020}" = J2SE Runtime Environment 5.0 Update 2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35AD3FC5-D09D-4D9F-8E9C-E40794194EC5}" = Netflix Movie Viewer
"{3D008E41-F84D-4CC1-A8CF-B8419E51ACDF}" = Intel Audio Studio
"{3D1B20A6-E31D-4BB5-BC5C-DDD3B0D91728}" = Intel Audio Studio
"{3F262ADC-5AD2-48E5-A586-44315E04A9E2}" = Microsoft Picture It! Library 10
"{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}" = Microsoft Works
"{42756145-9997-4D28-809B-8756BFD00106}" = Microsoft Picture It! Premium 10
"{44734179-8A79-4DEE-BB08-73037F065543}" = Apple Mobile Device Support
"{588C135F-0B15-4A02-8F2D-04697BE2904E}" = Icewind Dale II
"{5EC86106-2B0A-4595-B03C-15E2241C1AC5}_is1" = Community Expansion Pack - patch to version 1.50
"{5F8E2CBB-949D-4175-AC98-5ADE7F6C9697}" = PlayNC Launcher
"{629F65FB-7F3C-4D66-A1C0-20722744B7B6}" = Star Wars® Knights of the Old Republic® II: The Sith Lords™
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{69640730-B830-4C24-BB5C-222DA1260548}" = Turbo Lister 2
"{6E66ECBD-FCA7-4AE1-A8C5-1CA78BEEB057}" = Multimedia Keyboard Driver
"{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}" = HP Photo and Imaging 2.0 - All-in-One Drivers
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}" = Age of Empires III
"{7C503E58-B2BC-11D5-978A-0050BA84F5F7}" = Neverwinter Nights
"{81EED1A1-AE78-4B11-BE47-C6AE9F5E87F1}" = Digital Media Reader
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{8AB8D458-939E-403F-0097-9BA1C1F013D5}" = The Sims 2
"{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}" = Napster Burn Engine
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{9867A917-5D17-40DE-83BA-BEA5293194B1}" = HP Photo and Imaging 2.0 - All-in-One
"{9F70BF98-003C-491D-81FC-FF9792206AF0}" = iTunes
"{9F7FC79B-3059-4264-9450-39EB368E3225}" = Microsoft Digital Image Library 9 - Blocker
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A3BC5D37-30F9-4CF7-BD5C-0DFF063E4B6D}" = 2Wire Wireless Client
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{B376402D-58EA-45EA-BD50-DD924EB67A70}" = HP Memories Disc
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B7666229-351B-47D9-AA6F-DF777CF04BBF}" = Caesar IV
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C43C1415-3DFC-4089-9A32-0BECF28A6046}" = Age of Empires III - The Asian Dynasties
"{C900EF06-2E76-49C7-8DB0-41F629B21DC5}" = hp psc 1200 series
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDBCD38C-C42A-4B60-94DB-1E9FB869ACBE}" = E-Crostic
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"Ad-Aware SE Personal" = Ad-Aware SE Personal
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"All ATI Software" = ATI - Software Uninstall Utility
"Amazon Games & Software Downloader_is1" = Amazon Games & Software Downloader
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.3
"a-squared Free_is1" = a-squared Free 2.1
"ATI Display Driver" = ATI Display Driver
"AVG8Uninstall" = AVG Free 8.5
"Beach Party Craze" = Beach Party Craze
"BFGC" = Big Fish Games Client
"BFG-Hidden Expedition - Everest" = Hidden Expedition: Everest
"Big Kahuna Reef_is1" = Big Kahuna Reef
"BigFix" = BigFix
"Build A Lot 3 Passport To Europe_is1" = Build A Lot 3 Passport To Europe
"Burger Shop_is1" = Burger Shop
"Cake Mania_is1" = Cake Mania
"CCleaner" = CCleaner (remove only)
"CEP patch v1.52_is1" = CEP patch v1.52
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1" = SoftV92 Data Fax Modem with SmartCP
"Cooking Academy 2 World Cuisine_is1" = Cooking Academy 2 World Cuisine
"Costume Chaos_is1" = Costume Chaos
"Farm Frenzy 2" = Farm Frenzy 2
"Farm Frenzy 3_is1" = Farm Frenzy 3
"Farm Frenzy Pizza Party_is1" = Farm Frenzy Pizza Party
"Fashion Craze" = Fashion Craze
"Flock" = Flock (Photobucket Edition) 0.7
"HijackThis" = HijackThis 1.99.1
"Hijackthis_is1" = Hijackthis 1.99.1
"HP PSC 1200 Series" = HP Photo and Imaging 2.0 - hp psc 1200 series
"InstallShield_{16B18999-56D7-4E8F-A40C-385E68A6D0CD}" = Barbie Girls
"InstallShield_{1C08A24C-B168-407E-A826-68FAF5F20710}" = Age of Empires III - The WarChiefs
"InstallShield_{69640730-B830-4C24-BB5C-222DA1260548}" = Turbo Lister 2
"InstallShield_{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}" = Age of Empires III
"InstallShield_{81EED1A1-AE78-4B11-BE47-C6AE9F5E87F1}" = Digital Media Reader
"InstallShield_{C43C1415-3DFC-4089-9A32-0BECF28A6046}" = Age of Empires III - The Asian Dynasties
"Jigsaw World" = Jigsaw World
"Magic Encyclopedia. First Story" = Magic Encyclopedia. First Story
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Masque Slots - IGT and MultiPlay Video Poker" = Masque Slots - IGT and MultiPlay Video Poker
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Money2005b" = Microsoft Money 2005
"Mortimer Beckett And The Time Paradox_is1" = Mortimer Beckett And The Time Paradox
"Mozilla Firefox (2.0.0.20)" = Mozilla Firefox (2.0.0.20)
"Nero - Burning Rom!UninstallKey" = Nero OEM
"Nero BurnRights!UninstallKey" = Nero BurnRights
"Pahelika Secret Legends_is1" = Pahelika Secret Legends
"Panda ActiveScan" = Panda ActiveScan
"Pet Show Craze" = Pet Show Craze
"Pharaoh" = Pharaoh
"PictureItPrem_v10" = Microsoft Picture It! Premium 10
"PopCap Browser Plugin" = PopCap Browser Plugin
"Princess Isabella_is1" = Princess Isabella
"PROSet" = Intel® PRO Network Connections Drivers
"Ranch Rush_is1" = Ranch Rush
"RealPlayer 6.0" = RealPlayer Basic
"RiseOfNations 1.0" = Microsoft Rise Of Nations
"RiseofNationsExpansion 1.0" = Rise of Nations Thrones and Patriots
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"Sprill - The Mystery of The Bermuda Triangle" = Sprill - The Mystery of The Bermuda Triangle
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.4
"Stand O'Food" = Stand O'Food
"Supermarket Mania" = Supermarket Mania
"The Magicians Handbook II BlackLore_is1" = The Magicians Handbook II BlackLore
"The Scruffs_is1" = The Scruffs
"ViewpointMediaPlayer" = Viewpoint Media Player
"Westward_is1" = Westward
"WIC" = Windows Imaging Component
"WinRAR archiver" = WinRAR archiver
"Yahoo! Customizations" = Yahoo! Browser Services
"YInstHelper" = Yahoo! Install Manager

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1657600060-2263395094-2059379632-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"NCsoft-DungeonRunners" = Dungeon Runners

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/13/2009 1:12:20 AM | Computer Name = KATHY | Source = Amazon Download Agent | ID = 999
Description =

Error - 12/13/2009 1:15:27 AM | Computer Name = KATHY | Source = Amazon Download Agent | ID = 999
Description =

Error - 12/13/2009 7:58:00 PM | Computer Name = KATHY | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.8.20081.21709, faulting
module unknown, version 0.0.0.0, fault address 0x00000009.

Error - 12/14/2009 6:07:59 PM | Computer Name = KATHY | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.8.20081.21709, faulting
module xpcom_core.dll, version 1.8.20081.21709, fault address 0x000017ab.

Error - 12/14/2009 6:08:36 PM | Computer Name = KATHY | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.8.20081.21709, faulting
module xpcom_core.dll, version 1.8.20081.21709, fault address 0x000017ab.

Error - 12/17/2009 1:04:46 AM | Computer Name = KATHY | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.8.20081.21709, faulting
module xpcom_core.dll, version 1.8.20081.21709, fault address 0x000017ab.

Error - 12/17/2009 1:07:16 AM | Computer Name = KATHY | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.8.20081.21709, faulting
module xpcom_core.dll, version 1.8.20081.21709, fault address 0x000017ab.

Error - 12/24/2009 9:02:31 AM | Computer Name = KATHY | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.2180, faulting
module mfc42.dll, version 6.2.4131.0, fault address 0x00092cc5.

Error - 12/24/2009 11:22:27 AM | Computer Name = KATHY | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.2180, faulting
module mfc42.dll, version 6.2.4131.0, fault address 0x00092cc5.

Error - 12/24/2009 3:17:53 PM | Computer Name = KATHY | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.2180, faulting
module mfc42.dll, version 6.2.4131.0, fault address 0x00092cc5.

[ System Events ]
Error - 12/18/2009 10:05:42 PM | Computer Name = KATHY | Source = ipnathlp | ID = 30013
Description = The DHCP allocator has disabled itself on IP address 192.168.1.64, since the IP address is outside the 192.168.0.0/255.255.255.0 scope from which addresses are being allocated to DHCP clients. To enable the DHCP allocator on this IP address, please change the scope to include the IP address, or change the IP address to fall within the scope.

Error - 12/24/2009 11:26:47 AM | Computer Name = KATHY | Source = Service Control Manager | ID = 7034
Description = The Ati HotKey Poller service terminated unexpectedly. It has done
this 1 time(s).

Error - 12/24/2009 12:24:49 PM | Computer Name = KATHY | Source = Service Control Manager | ID = 7031
Description = The DCOM Server Process Launcher service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in 60000
milliseconds: Reboot the machine.

Error - 12/24/2009 12:24:49 PM | Computer Name = KATHY | Source = Service Control Manager | ID = 7034
Description = The Terminal Services service terminated unexpectedly. It has done
this 1 time(s).

Error - 12/24/2009 12:26:29 PM | Computer Name = KATHY | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 12/24/2009 12:26:29 PM | Computer Name = KATHY | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 12/24/2009 12:26:47 PM | Computer Name = KATHY | Source = ipnathlp | ID = 30013
Description = The DHCP allocator has disabled itself on IP address 192.168.1.64, since the IP address is outside the 192.168.0.0/255.255.255.0 scope from which addresses are being allocated to DHCP clients. To enable the DHCP allocator on this IP address, please change the scope to include the IP address, or change the IP address to fall within the scope.

Error - 12/24/2009 12:31:33 PM | Computer Name = KATHY | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 12/24/2009 12:31:33 PM | Computer Name = KATHY | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 12/24/2009 12:31:44 PM | Computer Name = KATHY | Source = ipnathlp | ID = 30013
Description = The DHCP allocator has disabled itself on IP address 192.168.1.64, since the IP address is outside the 192.168.0.0/255.255.255.0 scope from which addresses are being allocated to DHCP clients. To enable the DHCP allocator on this IP address, please change the scope to include the IP address, or change the IP address to fall within the scope.


< End of report >
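
The "Authorized Applications List" in the OTL Extras log above is raw output and the thread does not comment on it. As an added example (mine, not part of the original post and not something OTL or the helper does), the script below parses lines in that exact OTL format and flags enabled firewall exceptions that either point into a Temp or IExpress-style *.TMP extraction directory or whose file OTL reports as not found. The sample lines are copied from the log above; the two heuristics are my own assumptions about what a legitimate exception looks like, not rules stated in the thread.

```python
import re

# Constructed sample: lines copied verbatim from the OTL "Authorized
# Applications List" above (Windows XP SP2 firewall exceptions as OTL prints them).
OTL_SAMPLE = r'''
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader -- (America Online, Inc.)
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Black Isle\Icewind Dale II\IWD2.exe" = C:\Program Files\Black Isle\Icewind Dale II\IWD2.exe:*:Disabled:Icewind Dale II -- (Interplay Entertainment Corp.)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\WINDOWS\Temp\IXP000.TMP\pa0821.exe" = C:\WINDOWS\Temp\IXP000.TMP\pa0821.exe:*:Enabled:pa0821 -- File not found
'''

# One OTL entry: "<path>" = <path>:<scope>:<Enabled|Disabled>:<name> -- <publisher or "File not found">
ENTRY_RE = re.compile(
    r'^"(?P<path>[^"]+)" = (?P=path):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):'
    r'(?P<name>.*?) -- (?P<publisher>.*)$'
)
# Heuristic (my own assumption): legitimate software does not need a permanent
# firewall hole for a binary living under a Temp directory or an IExpress *.TMP folder.
TEMP_RE = re.compile(r'\\temp\\|\.tmp\\', re.IGNORECASE)


def parse_authorized_apps(text):
    """Parse OTL authorized-application lines into dicts; skip anything else."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def triage_exceptions(entries):
    """Return {path: [reasons]} for enabled exceptions that deserve a look.

    reasons: 'temp-path'    -> binary sits in a temp/extraction directory
             'file-missing' -> OTL could not find the file on disk
    """
    findings = {}
    for e in entries:
        if e["state"] != "Enabled":
            continue
        reasons = []
        if TEMP_RE.search(e["path"]):
            reasons.append("temp-path")
        if e["publisher"] == "File not found":
            reasons.append("file-missing")
        if reasons:
            findings[e["path"]] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage_exceptions(parse_authorized_apps(OTL_SAMPLE)).items():
        print(f"{', '.join(reasons):24} {path}")
```

"File not found" on its own is weak evidence (the AOL entries are simply software that was uninstalled without cleaning up its exceptions), so the combination is what matters: an enabled exception for a binary under C:\WINDOWS\Temp in an IXP000.TMP folder, the directory an IExpress self-extracting package unpacks into, whose file has since disappeared, is the trace a dropper leaves after opening the firewall for itself and deleting its payload.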

#4 Farbar (Security Developer, The Netherlands)

Posted 24 December 2009 - 04:48 PM

Go to Start > Run, copy/paste the following line into the Run box and click OK.

cmd /c dir /a "c:\windows\system32\userinit.exe" > log.txt&start log.txt

A text file (dirlook.txt) will open. Please post its content in your reply.

#5 Farbar

Posted 24 December 2009 - 05:12 PM

In addition to the previous post please do the following also:

Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:


@echo off
(ipconfig /all
nslookup google.com
ping -n 2 google.com
nslookup yahoo.com
ping -n 2 yahoo.com
route print) >Log1.txt
start Log1.txt
del %0
  • Go to the File menu at the top of the Notepad and select Save as.
  • Select save in: desktop
  • Fill in File name: test.bat
  • Save as type: All file types (*.*)
  • Click save.
  • Close the Notepad.
  • Locate and double-click test.bat on the desktop.
  • A Notepad window opens; copy and paste its content (log.txt) into your reply.


#6 EagerBeaver (Topic Starter)

Posted 24 December 2009 - 05:12 PM

Volume in drive C has no label.
Volume Serial Number is 382A-C062

Directory of c:\windows\system32

08/10/2004 01:00 PM 24,576 userinit.exe
1 File(s) 24,576 bytes
0 Dir(s) 193,190,670,336 bytes free

#7 Farbar

Posted 24 December 2009 - 05:14 PM

Good. Meanwhile I posted another request; please do that also.

#8 EagerBeaver (Topic Starter)

Posted 24 December 2009 - 05:15 PM

Windows IP Configuration

Host Name . . . . . . . . . . . . : KATHY
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : gateway.2wire.net

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : gateway.2wire.net
Description . . . . . . . . . . . : Intel® PRO/100 VE Network Connection
Physical Address. . . . . . . . . : 00-13-20-D0-3A-7D
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.64
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.254
DHCP Server . . . . . . . . . . . : 192.168.1.254
DNS Servers . . . . . . . . . . . : 193.104.110.38
                                    4.2.2.1
                                    192.168.1.254
Lease Obtained. . . . . . . . . . : Thursday, December 24, 2009 10:31:09 AM
Lease Expires . . . . . . . . . . : Friday, December 25, 2009 10:31:09 AM

Server: vnsc-pri.sys.gtei.net
Address: 4.2.2.1

Name: google.com
Addresses: 74.125.157.106, 74.125.157.147, 74.125.157.99, 74.125.157.103
           74.125.157.104, 74.125.157.105

Pinging google.com [209.85.225.105] with 32 bytes of data:

Reply from 209.85.225.105: bytes=32 time=52ms TTL=53
Reply from 209.85.225.105: bytes=32 time=53ms TTL=53

Ping statistics for 209.85.225.105:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 52ms, Maximum = 53ms, Average = 52ms

Server: vnsc-pri.sys.gtei.net
Address: 4.2.2.1

Name: yahoo.com
Addresses: 69.147.114.224, 209.131.36.159, 209.191.93.53

Pinging yahoo.com [69.147.114.224] with 32 bytes of data:

Reply from 69.147.114.224: bytes=32 time=68ms TTL=56
Reply from 69.147.114.224: bytes=32 time=68ms TTL=56

Ping statistics for 69.147.114.224:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 68ms, Maximum = 68ms, Average = 68ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 13 20 d0 3a 7d ...... Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.64 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.64 192.168.1.64 20
192.168.1.64 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.64 192.168.1.64 20
224.0.0.0 240.0.0.0 192.168.1.64 192.168.1.64 20
255.255.255.255 255.255.255.255 192.168.1.64 192.168.1.64 1
Default Gateway: 192.168.1.254
===========================================================================
Persistent Routes:
None

#9 Farbar

Posted 24 December 2009 - 05:19 PM

You have a DNS-Changer trojan, which we need to remove before removing other stuff.

Make sure the following setting is set as it is supposed to be set:
  • Go to Start -> Control Panel -> Double click on Network Connections.
  • Right click on your default connection (usually Local Area Connection) and select Properties.
  • Select the General tab.
  • Double click on Internet Protocol (TCP/IP).
    Under General tab:
    • Select "Obtain an IP address automatically".
    • Select "Obtain DNS server address automatically".
  • Click OK twice to save the settings.
  • Reboot if you had to change any setting.
Please create and run test.bat once more and post the log.
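
The diagnosis above rests on one detail of the ipconfig output: an adapter that gets its address by DHCP from the 2Wire gateway (192.168.1.254) is listing 193.104.110.38 and 4.2.2.1 as DNS servers ahead of that gateway, which means something wrote static resolver entries into the adapter's configuration. As an added example (mine, not part of the thread and not a tool the helper used), the script below parses ipconfig /all output in the XP format shown above and lists every DNS server that is neither the DHCP server, the default gateway, nor on the local subnet. The two sample texts are copied from the posts above; the "trusted resolver" rule is an assumption that fits a home LAN whose gateway hands out itself as the resolver, so a deliberately configured public resolver (OpenDNS, a corporate server) would be reported as well and needs a human to clear it.

```python
import ipaddress
import re

# Constructed sample: the relevant part of the "ipconfig /all" output posted
# in this thread before the TCP/IP settings were reset (DNS-changer present).
IPCONFIG_BEFORE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : KATHY
   Node Type . . . . . . . . . . . . : Broadcast

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix . : gateway.2wire.net
   Dhcp Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.1.64
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.254
   DHCP Server . . . . . . . . . . . : 192.168.1.254
   DNS Servers . . . . . . . . . . . : 193.104.110.38
                                       4.2.2.1
                                       192.168.1.254
   Lease Obtained. . . . . . . . . . : Thursday, December 24, 2009 10:31:09 AM
"""

# Same adapter after "Obtain DNS server address automatically" was re-selected.
IPCONFIG_AFTER = """\
Ethernet adapter Local Area Connection:

   Dhcp Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.1.64
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.254
   DHCP Server . . . . . . . . . . . : 192.168.1.254
   DNS Servers . . . . . . . . . . . : 192.168.1.254
   Lease Obtained. . . . . . . . . . : Thursday, December 24, 2009 4:25:08 PM
"""

# "Label . . . . : value" lines; the dotted leader is what tells a field line
# from a section header such as "Ethernet adapter Local Area Connection:".
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*?)(?:\s*\.)+\s*:\s*(.*)$")


def parse_ipconfig(text):
    """Map each ipconfig label to a list of values; continuation lines that
    carry only a value (the extra DNS servers) attach to the preceding label."""
    fields, current = {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            current = m.group(1).strip()
            fields.setdefault(current, []).append(m.group(2).strip())
        elif line.rstrip().endswith(":"):      # adapter / section header
            current = None
        elif line.strip() and current:
            fields[current].append(line.strip())
    return fields


def dns_overrides(fields):
    """Return the configured DNS servers that are neither the DHCP server, the
    default gateway, nor an address on the local subnet.

    Heuristic (my own assumption, not a rule from the thread): on a home LAN the
    DHCP server names itself as resolver, so anything else in this list was set
    statically, which is exactly what a DNS-changer does.  Windows queries the
    servers in order, so a rogue first entry controls every lookup."""
    ip = fields["IP Address"][0]
    subnet = ipaddress.ip_network(f"{ip}/{fields['Subnet Mask'][0]}", strict=False)
    trusted = set(fields.get("DHCP Server", []) + fields.get("Default Gateway", []))
    return [s for s in fields.get("DNS Servers", [])
            if s not in trusted and ipaddress.ip_address(s) not in subnet]


if __name__ == "__main__":
    for label, text in (("before", IPCONFIG_BEFORE), ("after", IPCONFIG_AFTER)):
        print(label, dns_overrides(parse_ipconfig(text)) or "clean")
```

Run against the first log this reports 193.104.110.38 and 4.2.2.1; against the second it reports nothing, which is the same before/after comparison the helper asked for by having test.bat run twice. Note that 4.2.2.1 is a well-known public resolver, so its presence is not itself malicious; what matters is that neither address was handed out by the DHCP server, and that 193.104.110.38 sits first in the list.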

#10 EagerBeaver (Topic Starter)

Posted 24 December 2009 - 05:28 PM

Windows IP Configuration

Host Name . . . . . . . . . . . . : KATHY
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : gateway.2wire.net

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : gateway.2wire.net
Description . . . . . . . . . . . : Intel® PRO/100 VE Network Connection
Physical Address. . . . . . . . . : 00-13-20-D0-3A-7D
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.64
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.254
DHCP Server . . . . . . . . . . . : 192.168.1.254
DNS Servers . . . . . . . . . . . : 192.168.1.254
Lease Obtained. . . . . . . . . . : Thursday, December 24, 2009 4:25:08 PM
Lease Expires . . . . . . . . . . : Friday, December 25, 2009 4:25:08 PM

Server: home
Address: 192.168.1.254

Name: google.com
Addresses: 209.85.225.104, 209.85.225.105, 209.85.225.106, 209.85.225.99
           209.85.225.103, 209.85.225.147

Pinging google.com [209.85.225.147] with 32 bytes of data:

Reply from 209.85.225.147: bytes=32 time=53ms TTL=53
Reply from 209.85.225.147: bytes=32 time=53ms TTL=53

Ping statistics for 209.85.225.147:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 53ms, Maximum = 53ms, Average = 53ms

Server: home
Address: 192.168.1.254

Name: yahoo.com
Addresses: 209.131.36.159, 209.191.93.53, 69.147.114.224

Pinging yahoo.com [209.191.93.53] with 32 bytes of data:

Reply from 209.191.93.53: bytes=32 time=24ms TTL=55
Reply from 209.191.93.53: bytes=32 time=24ms TTL=55

Ping statistics for 209.191.93.53:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 24ms, Maximum = 24ms, Average = 24ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 13 20 d0 3a 7d ...... Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254    192.168.1.64      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.64    192.168.1.64      20
     192.168.1.64  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.1.255  255.255.255.255     192.168.1.64    192.168.1.64      20
        224.0.0.0        240.0.0.0     192.168.1.64    192.168.1.64      20
  255.255.255.255  255.255.255.255     192.168.1.64    192.168.1.64       1
Default Gateway:     192.168.1.254
===========================================================================
Persistent Routes:
None
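The checks this kind of output supports, written up as an added example that is not part of the thread and not code from any tool used in it: nslookup asks the configured DNS server directly, while ping goes through the normal Windows resolver and therefore honours the hosts file, so the two can disagree when the hosts file or the resolver has been tampered with. The script below parses a constructed sample trimmed from the output above, flags a DNS server that is not on a directly connected network, and flags any host that ping resolved to an address nslookup did not return. The hijacked variant and its 203.0.113.x addresses are hypothetical, built only to show what a positive finding looks like.

```python
import ipaddress
import re

# Constructed sample, trimmed from the ipconfig /all, nslookup, ping and
# route print output posted above (not a fresh capture from the machine).
CLEAN = """\
DNS Servers . . . . . . . . . . . : 192.168.1.254
Server: home
Address: 192.168.1.254

Name: google.com
Addresses: 209.85.225.104, 209.85.225.105, 209.85.225.106, 209.85.225.99
209.85.225.103, 209.85.225.147

Pinging google.com [209.85.225.147] with 32 bytes of data:
Reply from 209.85.225.147: bytes=32 time=53ms TTL=53

Server: home
Address: 192.168.1.254

Name: yahoo.com
Addresses: 209.131.36.159, 209.191.93.53, 69.147.114.224

Pinging yahoo.com [209.191.93.53] with 32 bytes of data:
Active Routes:
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.64 20
192.168.1.0 255.255.255.0 192.168.1.64 192.168.1.64 20
224.0.0.0 240.0.0.0 192.168.1.64 192.168.1.64 20
"""

# Hypothetical hijacked variant (constructed, documentation addresses): the
# DHCP-supplied resolver is off the LAN, and ping resolves google.com to an
# address nslookup never returned, as a rewritten hosts file would cause.
HIJACKED = (CLEAN
            .replace("DNS Servers . . . . . . . . . . . : 192.168.1.254",
                     "DNS Servers . . . . . . . . . . . : 203.0.113.53")
            .replace("google.com [209.85.225.147]", "google.com [203.0.113.7]"))

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def dns_servers(text):
    """DNS servers from the ipconfig /all block, including continuation lines."""
    servers, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"\s*DNS Servers[ .]*:\s*(" + IPV4 + ")", line)
        if m:
            servers.append(m.group(1))
            # XP prints additional servers on following lines holding only an address
            for nxt in lines[i + 1:]:
                if re.fullmatch(r"\s*" + IPV4 + r"\s*", nxt):
                    servers.append(nxt.strip())
                else:
                    break
    return servers


def nslookup_answers(text):
    """Map each 'Name:' in nslookup output to the set of addresses it returned."""
    answers, name = {}, None
    for line in text.splitlines():
        m = re.match(r"Name:\s+(\S+)", line)
        if m:
            name = m.group(1)
            answers[name] = set()
        elif name and (line.startswith("Address") or re.match(IPV4, line)):
            answers[name].update(re.findall(IPV4, line))   # 'Addresses:' plus wrapped lines
        elif not line.strip():
            name = None
    return answers


def ping_targets(text):
    """Map each pinged hostname to the address the stub resolver chose for it."""
    return dict(re.findall(r"Pinging (\S+) \[(" + IPV4 + r")\]", text))


def connected_networks(text):
    """Directly connected networks from 'route print' (gateway == interface)."""
    nets = []
    for line in text.splitlines():
        m = re.fullmatch(r"\s*(%s)\s+(%s)\s+(%s)\s+(%s)\s+\d+\s*" % ((IPV4,) * 4), line)
        if not m:
            continue
        dest, mask, gw, iface = m.groups()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if gw == iface and 0 < net.prefixlen < 32 and not net.is_multicast:
            nets.append(net)
    return nets


def triage(text):
    """Return findings that point at resolver tampering; an empty list means clean."""
    findings = []
    nets = connected_networks(text)
    for server in dns_servers(text):
        # Home routers hand out themselves as resolver. An off-LAN address is
        # worth checking against the router, not proof of infection on its own.
        if nets and not any(ipaddress.ip_address(server) in n for n in nets):
            findings.append(f"dns server {server} is not on a directly connected network")
    answers = nslookup_answers(text)
    for host, ip in ping_targets(text).items():
        # nslookup bypasses the hosts file; ping does not, so a mismatch here
        # means something between the application and the DNS server rewrote it.
        if host in answers and ip not in answers[host]:
            findings.append(f"{host}: ping resolved {ip}, nslookup returned {sorted(answers[host])}")
    return findings


if __name__ == "__main__":
    for label, sample in (("posted output", CLEAN), ("hijacked variant", HIJACKED)):
        print(label, "->", triage(sample) or "no findings")
```

Run against the posted output it reports nothing: the only resolver is the router and both pings went to an address the router had just returned. The first heuristic has a known false positive, ISPs that push public resolvers over DHCP, so treat that finding as "compare with the router's DHCP settings" rather than as a verdict.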

#11 Farbar

    Just Curious

  • Security Developer
  • 21,706 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:54 AM

Posted 24 December 2009 - 05:30 PM

  • Disable AVG Resident Shield:
    • Double click AVG system tray icon to open AVG.
    • In Overview section double click Resident Shield.
    • Uncheck Resident Shield Active.
    • Press Save Changes.

      Note: It is important to activate the resident shield immediately after ComboFix produced its log.
  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#12 EagerBeaver
  • Topic Starter

  • Members
  • 14 posts
  • Local time:10:54 PM

Posted 24 December 2009 - 06:15 PM

Wow that took a long time, sorry.
------------------------------------------

ComboFix 09-12-24.02 - Owner 12/24/2009 16:48:54.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1021.588 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Start Menu\Programs\Startup\scandisk.lnk
c:\recycler\S-1-5-21-2770362777-133480984-3197513347-500
c:\recycler\S-1-5-21-3411350672-2408072866-3857614147-500
c:\windows\system32\6to4v32.dll
c:\windows\system32\AVR10.exe
c:\windows\system32\certstore.dat
c:\windows\system32\config\systemprofile\Desktop\Windows Police Pro.lnk
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.dll
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.lnk
c:\windows\system32\critical_warning.html
c:\windows\system32\dumphive.exe
c:\windows\system32\Iasv32.dll
c:\windows\system32\Ipripv32.dll
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\tuwivimo.dll
c:\windows\system32\winhelper86.dll
c:\windows\system32\winlogon86.exe
c:\windows\system32\winsts.sys
c:\windows\system32\winupdate86.exe
c:\windows\system32\zamelolo.dll
c:\windows\system32\zazijiva.dll
D:\Autorun.inf

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Legacy_WINSTS
-------\Service_Iprip
-------\Service_winsts


((((((((((((((((((((((((( Files Created from 2009-11-24 to 2009-12-24 )))))))))))))))))))))))))))))))
.

2009-12-24 12:14 . 2009-12-24 12:14 52736 ----a-w- C:\uwlwfa.exe
2009-12-24 12:14 . 2009-12-24 12:14 31232 ----a-w- C:\waxfhosk.exe
2009-12-24 12:14 . 2009-12-24 12:14 155648 ----a-w- C:\srwq.exe
2009-12-19 15:04 . 2009-12-24 00:02 -------- d-----w- c:\program files\The Magicians Handbook II BlackLore
2009-12-13 21:36 . 2009-12-13 21:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Fugazo
2009-12-13 21:07 . 2009-12-13 21:36 -------- d-----w- c:\program files\Cooking Academy 2 World Cuisine
2009-12-13 17:00 . 2009-12-13 17:01 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\TimeParadox
2009-12-13 16:37 . 2009-12-14 14:49 -------- d-----w- c:\program files\Mortimer Beckett And The Time Paradox
2009-12-13 16:07 . 2009-12-13 16:07 -------- d-----w- c:\documents and settings\Owner\Application Data\IronCode
2009-12-13 05:37 . 2009-12-13 16:23 -------- d-----w- c:\program files\Pahelika Secret Legends
2009-12-10 05:05 . 2009-12-10 05:05 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2009-12-01 05:21 . 2009-12-01 05:45 -------- d-----w- c:\documents and settings\All Users\Application Data\FarmFrenzy-PizzaParty
2009-12-01 04:40 . 2009-12-13 15:23 -------- d-----w- c:\program files\Farm Frenzy Pizza Party

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-24 16:28 . 2007-05-31 06:26 -------- d-----w- c:\program files\a-squared Free
2009-12-24 16:26 . 2009-09-04 03:45 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-12-24 12:14 . 2009-09-10 01:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-23 02:59 . 2009-11-14 16:39 -------- d-----w- c:\program files\Farm Frenzy 3
2009-12-22 22:22 . 2007-01-15 19:56 284 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat
2009-12-16 00:53 . 2009-09-29 21:15 -------- d-----w- c:\documents and settings\All Users\Application Data\AlawarWrapper
2009-12-12 19:53 . 2009-08-22 04:41 -------- d-----w- c:\program files\Amazon
2009-12-12 14:36 . 2009-12-12 14:36 2065688 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-12-06 21:17 . 2009-11-24 03:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-06 21:04 . 2009-11-24 03:04 -------- d-----w- c:\program files\Hidden Expedition - Everest
2009-12-06 21:02 . 2009-11-24 02:22 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-12-06 06:21 . 2004-08-04 05:59 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-05 04:46 . 2007-05-31 09:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-03 22:14 . 2009-09-10 01:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 22:13 . 2009-09-10 01:24 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-11-26 14:03 . 2009-12-12 14:36 3514648 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-11-26 14:03 . 2009-12-12 14:36 2029336 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-11-24 02:27 . 2009-11-24 02:27 -------- d-----w- c:\program files\bfgclient
2009-11-15 22:31 . 2009-09-29 21:14 -------- d-----w- c:\program files\Viva Media
2009-11-14 17:31 . 2009-11-14 17:01 -------- d-----w- c:\documents and settings\All Users\Application Data\FarmFrenzy3
2009-11-14 15:08 . 2009-11-02 04:05 -------- d-----w- c:\program files\Princess Isabella
2009-11-13 01:41 . 2009-09-17 04:13 -------- d-----w- c:\program files\Ranch Rush
2009-11-04 04:18 . 2009-11-04 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Princess Isabella
2009-11-01 18:35 . 2009-11-01 18:33 -------- d-----w- c:\documents and settings\Owner\Application Data\JumpinJack
2009-11-01 18:31 . 2009-11-01 18:27 -------- d-----w- c:\documents and settings\Owner\Application Data\FunkyPython
2009-10-29 05:48 . 2005-04-13 16:56 662016 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 06:00 . 2005-04-13 16:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2005-04-13 16:55 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-04 06:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:53 . 2005-04-13 16:55 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2005-04-13 16:56 112128 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:54 . 2005-04-13 16:55 69632 ----a-w- c:\windows\system32\raschap.dll
2009-12-05 03:16 . 2006-01-10 22:44 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-12-05 03:16 . 2006-01-10 22:44 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-12-05 03:16 . 2006-12-07 21:52 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-12-05 03:16 . 2006-12-07 21:52 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-12-05 03:16 . 2006-01-10 22:44 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-09-24 12:19 . 2009-09-24 12:19 45568 --sha-w- c:\windows\system32\bibasivo.dll
2009-09-24 12:19 . 2009-09-24 12:19 39424 --sha-w- c:\windows\system32\tegimeru.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-09-02 17:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-06-02 1957888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-07-20 7090176]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-25 94208]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-25 114688]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-29 344064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"BarbieGirlsTray"="c:\program files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe" [2007-03-15 24576]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-12 2043160]
"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
BigFix.lnk - c:\program files\BigFix\BigFix.exe [2005-8-12 1742384]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-6 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
Install Pending Files.LNK - c:\program files\SIFXINST\SIFXINST.EXE [2005-8-12 729088]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-04 03:46 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Documents and Settings\\Owner\\MY PROGRAMS\\FTP\\WS_FTP95.exe"=
"c:\\NeverwinterNights\\NWN\\nwmain.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\patriots.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\Black Isle\\Icewind Dale II\\IWD2.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/3/2009 9:46 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/3/2009 9:46 PM 108552]
R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [7/19/2009 8:25 PM 1858144]
R2 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [8/21/2009 10:41 PM 401920]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/3/2009 9:45 PM 297752]
S0 smpbfa8;smpbfa8;\SystemRoot\\SystemRoot\System32\drivers\smpbfa8.sys --> \SystemRoot\\SystemRoot\System32\drivers\smpbfa8.sys [?]
S1 ecfba17d.sys;ecfba17d.sys;\??\c:\windows\System32\drivers\ecfba17d.sys --> c:\windows\System32\drivers\ecfba17d.sys [?]
S3 ndisdrv;ndisdrv;c:\windows\system32\ndisdrv.sys [4/13/2005 10:55 AM 2304]
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: &eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: &Search
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\6lc06y9v.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?.home=ytff
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{b8eb7261-1de2-4063-9acd-c06aa461515d} - zazijiva.dll
HKLM-Run-CHotkey - zHotkey.exe
HKLM-Run-SigmatelSysTrayApp - sttray.exe
HKLM-Run-ATIMACE - MACE.exe
HKLM-Run-PRISMSVR.EXE - c:\windows\system32\PRISMSVR.EXE
HKLM-Run-notepad - c:\windows\system32\notepad.dll
HKLM-Run-kakiziguv - c:\windows\system32\mutebuka.dll
HKLM-Run-yokitohovi - zamelolo.dll
HKU-Default-Run-notepad - c:\windows\system32\config\SYSTEM~1\ntload.dll
SharedTaskScheduler-{8cdf1ee4-17e1-4120-b73c-a332f49d15e5} - c:\windows\system32\mutebuka.dll
SSODL-lalinuyun-{8cdf1ee4-17e1-4120-b73c-a332f49d15e5} - c:\windows\system32\mutebuka.dll
AddRemove-Amazon MP3 Downloader - c:\program files\Amazon\MP3 Downloader\Uninstall.exe
AddRemove-Flock - c:\program files\Flock\uninst.exe
AddRemove-{8AB8D458-939E-403F-0097-9BA1C1F013D5} - c:\program files\EA GAMES\The Sims 2\EAUninstall.exe
AddRemove-{B7666229-351B-47D9-AA6F-DF777CF04BBF} - c:\program files\InstallShield Installation Information\{B7666229-351B-47D9-AA6F-DF777CF04BBF}\Setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-24 16:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1657600060-2263395094-2059379632-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:30,2c,09,c9,4f,fa,61,53,ee,c3,4b,74,f5,ba,fb,f2,f0,f3,cd,78,35,79,b8,
f2,7a,fb,9e,f5,78,aa,ea,ad,17,9e,c0,19,0d,ed,c5,a5,c1,7f,97,28,b6,b7,8a,af,\
"??"=hex:4a,4b,b8,16,40,62,c6,2e,6d,be,4b,15,98,d8,6d,a5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2692)
c:\windows\system32\shdoclc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\wdfmgr.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-12-24 17:09:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-24 23:09

Pre-Run: 193,090,138,112 bytes free
Post-Run: 192,753,479,680 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - A65C0DF3A79B5E4BC96754CB3086E157
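A first triage pass over a log like the one above, as an added example: this is not ComboFix's own code and nothing the helper posted, the heuristics are mine, and the sample is a constructed excerpt of the log above with one known-good file line and one known-good driver line added for contrast. It splits the log on ComboFix's banner lines and then flags the patterns worth a second look first: eight-letter consonant/vowel names in system32 (zazijiva, tuwivimo), hidden+system attributes on a DLL there, a core process name with a number appended (winlogon86), executables dropped in the drive root, and services whose image path ComboFix marks `[?]` or which carry a doubled `\SystemRoot\`.

```python
import re

# Constructed sample: a few lines copied from the ComboFix log posted above,
# plus one known-good file and one known-good driver line for contrast.
# It is not a complete log.
LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\tuwivimo.dll
c:\windows\system32\winlogon86.exe
c:\windows\system32\zazijiva.dll

((((((((((((((((((((((((( Files Created from 2009-11-24 to 2009-12-24 )))))))))))))))))))))))))))))))
.
2009-12-24 12:14 . 2009-12-24 12:14 52736 ----a-w- C:\uwlwfa.exe
2009-12-13 21:36 . 2009-12-13 21:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Fugazo

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-29 05:48 . 2005-04-13 16:56 662016 ----a-w- c:\windows\system32\wininet.dll
2009-09-24 12:19 . 2009-09-24 12:19 45568 --sha-w- c:\windows\system32\bibasivo.dll
2009-09-24 12:19 . 2009-09-24 12:19 39424 --sha-w- c:\windows\system32\tegimeru.dll
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/3/2009 9:46 PM 335240]
S0 smpbfa8;smpbfa8;\SystemRoot\\SystemRoot\System32\drivers\smpbfa8.sys --> \SystemRoot\\SystemRoot\System32\drivers\smpbfa8.sys [?]
S1 ecfba17d.sys;ecfba17d.sys;\??\c:\windows\System32\drivers\ecfba17d.sys --> c:\windows\System32\drivers\ecfba17d.sys [?]
"""

BANNER = re.compile(r"^\(+\s*(.*?)\s*\)+$")
# ComboFix file lines: created-date . modified-date size attributes path
ENTRY = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+(\S+)\s+(\S{8})\s+(.+)$")
# Service/driver lines: R1 name;display name;image path [date size] or [?]
SERVICE = re.compile(r"^[RS]\d ([^;]+);[^;]*;(.*)$")
# Vundo-style eight-letter consonant/vowel names such as zazijiva or tuwivimo
RANDOM_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxz][aeiou]){4}$")
# A core system process name with a numeric suffix bolted on (winlogon86)
LOOKALIKE = re.compile(r"^(?:winlogon|svchost|lsass|csrss|services|explorer)\d+$")
SYS32 = "c:\\windows\\system32\\"


def sections(log):
    """Split a ComboFix log into {section title: [non-blank lines]} by its banners."""
    out, current = {"preamble": []}, "preamble"
    for line in log.splitlines():
        m = BANNER.match(line)
        if m:
            current = m.group(1)
            out[current] = []
        elif line.strip() and line.strip() != ".":
            out[current].append(line)
    return out


def triage(log):
    """Return (section, finding) pairs for entries that deserve a second look."""
    findings = []
    for title, lines in sections(log).items():
        for line in lines:
            svc = SERVICE.match(line)
            if svc:
                name, image = svc.groups()
                # [?] means ComboFix could not stat the image file; a doubled
                # \SystemRoot\ is an ImagePath no loader would resolve.
                if image.endswith("[?]") or "\\SystemRoot\\\\SystemRoot" in image:
                    findings.append((title, f"service {name}: image missing or malformed path"))
                continue
            attrs, path = "", line
            m = ENTRY.match(line)
            if m:
                attrs, path = m.group(2), m.group(3)
            base = path.rsplit("\\", 1)[-1].lower()
            stem = base.rsplit(".", 1)[0]
            in_sys32 = path.lower().startswith(SYS32)
            if in_sys32 and RANDOM_NAME.match(stem):
                findings.append((title, f"{base}: random consonant-vowel name in system32"))
            elif in_sys32 and LOOKALIKE.match(stem):
                findings.append((title, f"{base}: system-process lookalike name"))
            if in_sys32 and "s" in attrs and "h" in attrs:
                findings.append((title, f"{base}: hidden+system attributes ({attrs})"))
            if "Created" in title and re.fullmatch(r"[a-z]:\\[^\\]+\.exe", path, re.I):
                findings.append((title, f"{base}: executable dropped in drive root"))
    return findings


if __name__ == "__main__":
    for section, finding in triage(LOG):
        print(f"[{section}] {finding}")
```

The name heuristics are deliberately narrow so that a clean log stays quiet: wininet.dll and avgldx86.sys produce nothing, while every line taken from the infected log produces at least one finding. The service check is the one to take most seriously, since a driver entry that survives with a path the kernel cannot load is usually the remains of a rootkit installer rather than a broken legitimate product.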

#13 Farbar

    Just Curious

  • Security Developer
  • 21,706 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:54 AM

Posted 24 December 2009 - 06:23 PM

No worries about time. Well done. :(
  • Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


  • Please run DDS and post a fresh DDS.txt to your reply. No need for the Attach.txt


#14 EagerBeaver
  • Topic Starter

  • Members
  • 14 posts
  • Local time:10:54 PM

Posted 24 December 2009 - 06:26 PM

Before I do this should I re-enable AVG Resident Shield?

#15 Farbar

    Just Curious

  • Security Developer
  • 21,706 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:54 AM

Posted 24 December 2009 - 06:31 PM

Yes, I had (red) colored it to emphasize it.



