IS2010, Backdoor.Bots, winsts.sys (Rootkit.Agent) "Not a Valid Win32 Application" W32.Bagle?


23 replies to this topic

#1 Averus

Posted 25 December 2009 - 12:22 AM

The links in my search results from google and yahoo get redirected to random search engines, I get registry defender pop-ups ( along with several other types of pop ups ). System restore and safe mode don't work, my computer won't hibernate, netstat -a closes immediately after opening, AVG and MBAM rarely find anything, and now MBAM.exe can't be found. Process Explorer show several mutant type handles in most of the processes running during normal operation. That's the gist, here is a link to the original post I made where you can find a lot of much more specific information:

http://www.bleepingcomputer.com/forums/t/280283/safe-mode-registry-keys-missing-and-unfamiliar-registry-keys-appear/

DDS (Ver_09-12-01.01) - NTFSx86
Run by Sephiroth at 15:12:51.82 on Thu 12/24/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.383.73 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Sephiroth\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3516A
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {06e3d439-0da3-4c72-9f94-6879d3bcbc57} - bodahedo.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [notepad] rundll32.exe c:\windows\system32\notepad.dll,_IWMPEvents@0
mRun: [tqammy] RUNDLL32.EXE c:\windows\system32\msaouahn.dll,w
mRun: [dogewovel] Rundll32.exe "c:\windows\system32\lobiwaja.dll",a
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [notepad] rundll32.exe c:\windows\system32\config\system~1\ntload.dll,_IWMPEvents@0
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-us\local\search.html
IE: &Search
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: kavuduvi.dll c:\windows\system32\rawefike.dll c:\windows\system32\rufupiba.dll c:\windows\system32\yahosuze.dll c:\windows\system32\surarihi.dll c:\windows\system32\kiratero.dll kivumolo.dll c:\windows\system32\lobiwaja.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: rovubiwub - {f446b8cf-1aa9-4b71-946b-82f9abc10d26} - No File
SSODL: wotegojij - {9059de53-882c-40de-afef-d6abd04197d0} - No File
SSODL: holenamok - {a0b26ea0-e556-4e4e-8f3d-fcd387ae7d50} - No File
SSODL: nozakutan - {58e23e40-3b59-44aa-949b-b8cb5ad13489} - No File
SSODL: lojarimar - {9abf15f5-f9b8-4a8d-bb40-ee44d9c0aeb0} - No File
SSODL: surobajit - {e1bd5dcd-db46-4af7-8608-40a9eb667cf4} - c:\windows\system32\lobiwaja.dll
STS: kupuhivus: {e1bd5dcd-db46-4af7-8608-40a9eb667cf4} - c:\windows\system32\lobiwaja.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
LSA: Notification Packages = scecli fifuwoga.dll xmstst.dll molugivu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sephir~1\applic~1\mozilla\firefox\profiles\936nncv4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Search & Win
FF - prefs.js: browser.startup.homepage - hxxp://search.pch.com/?src=hp
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\documents and settings\sephiroth\application data\mozilla\firefox\profiles\936nncv4.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-20 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-3-27 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-20 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-2 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-2 297752]
R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [2006-5-6 14336]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-6-15 24652]
S2 fastnetsrv;fastnetsrv Service;c:\windows\system32\fastnetsrv.exe --> c:\windows\system32\FastNetSrv.exe [?]
S3 CEUSBAUD;DigiTech RP500 USB MIDI Driver;c:\windows\system32\drivers\ceusbaud.sys [2008-9-19 17920]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2006-6-30 69692]
S3 L6PODX3LV;POD X3 Live Service;c:\windows\system32\drivers\L6PODX3LV.sys [2008-11-17 530560]
S3 lgusbsmodem;LGE Mobile USB Modem;c:\windows\system32\drivers\lgusbsmodem.sys --> c:\windows\system32\drivers\lgusbsmodem.sys [?]
S3 XDva098;XDva098;\??\c:\windows\system32\xdva098.sys --> c:\windows\system32\XDva098.sys [?]
S3 XDva189;XDva189;\??\c:\windows\system32\xdva189.sys --> c:\windows\system32\XDva189.sys [?]
S3 XDva195;XDva195;\??\c:\windows\system32\xdva195.sys --> c:\windows\system32\XDva195.sys [?]
S3 XDva208;XDva208;\??\c:\windows\system32\xdva208.sys --> c:\windows\system32\XDva208.sys [?]

============== File Associations ===============

scrfile="%1" %*

=============== Created Last 30 ================

2009-12-24 16:33:16 915968 ----a-w- c:\windows\system32\AVR10.exe
2009-12-24 16:33:14 16896 ----a-w- c:\windows\system32\winhelper86.dll
2009-12-24 16:33:09 32768 ----a-w- c:\windows\system32\msaouahn.dll
2009-12-23 23:20:26 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-22 17:43:25 0 d-----w- c:\program files\ESET
2009-12-21 06:46:07 0 d-----w- C:\a0ddfe9dce0856bdae
2009-12-20 21:13:43 0 d--h--w- c:\windows\PIF
2009-12-20 16:43:34 1089601 -c----w- c:\windows\system32\dllcache\ntprint.cat
2009-12-20 06:18:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-20 06:18:18 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

==================== Find3M ====================

2009-12-24 07:21:36 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46:50 17408 ------w- c:\windows\system32\corpol.dll
2009-10-21 06:00:55 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00:55 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:53:29 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54:17 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54:17 112128 ----a-w- c:\windows\system32\rastls.dll
2009-09-24 16:33:08 52736 --sha-w- c:\windows\system32\kivumolo.dll
2009-09-24 16:33:52 93696 --sha-w- c:\windows\system32\lobiwaja.dll
2009-09-24 16:33:08 52736 --sha-w- c:\windows\system32\molugivu.dll
2009-09-24 16:33:52 39424 --sha-w- c:\windows\system32\mozuzolo.dll
2009-03-21 14:18:57 27136 --sha-w- c:\windows\system32\notepad.dll
2009-09-24 16:33:52 61440 --sha-w- c:\windows\system32\vetidika.dll
2009-09-24 16:33:08 52736 --sha-w- c:\windows\system32\wawavara.dll
2009-03-21 14:18:57 27136 --sha-w- c:\windows\system32\config\systemprofile\ntload.dll
2009-03-21 14:18:57 27136 --sha-w- c:\windows\system32\config\systemprofile\start menu\programs\startup\scandisk.dll

============= FINISH: 15:15:52.68 ===============
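A small triage script for the persistence points a DDS log like the one above exposes. This is example code added here; it is not part of the thread and not a DDS, BleepingComputer or OTL tool. It takes a handful of lines copied from the log above as sample input and flags the loading points a helper checks first: Run keys that launch a DLL through rundll32, lockout policies such as DisableTaskMgr, every AppInit_DLLs entry, shell objects and BHOs that are orphaned ("No File") or reference a DLL with no path, non-default LSA notification packages, and hidden+system DLLs in system32. The default LSA package set and the lockout-policy list are assumptions of the example, not values taken from the log.

```python
import re

# Sample input: lines copied from the DDS log in the first post (persistence
# entries plus two Find3M file lines), embedded so the script runs offline.
SAMPLE_DDS_LOG = r"""
mRun: [notepad] rundll32.exe c:\windows\system32\notepad.dll,_IWMPEvents@0
mRun: [tqammy] RUNDLL32.EXE c:\windows\system32\msaouahn.dll,w
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
AppInit_DLLs: kavuduvi.dll c:\windows\system32\rawefike.dll kivumolo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: rovubiwub - {f446b8cf-1aa9-4b71-946b-82f9abc10d26} - No File
BHO: {06e3d439-0da3-4c72-9f94-6879d3bcbc57} - bodahedo.dll
LSA: Notification Packages = scecli fifuwoga.dll xmstst.dll molugivu.dll
2009-09-24 16:33:08 52736 --sha-w- c:\windows\system32\kivumolo.dll
2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet.dll
"""

# Assumption: on a stock Windows XP box only scecli is registered here.
DEFAULT_LSA_PACKAGES = {"scecli"}
# Assumption: policy values malware sets to lock the user out of admin tools.
LOCKOUT_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "DisableCMD"}

RUN_RE = re.compile(r"^[umd]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$")
POLICY_RE = re.compile(r"^[umd]Policies-\w+:\s*(?P<key>\w+)\s*=\s*(?P<val>\d+)")
SHELL_OBJ_RE = re.compile(r"^(?P<kind>SSODL|STS|BHO|TB):\s*(?P<rest>.+)$")
FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\d+\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$")


def triage_dds(log_text):
    """Return a list of (category, entry, reason) tuples for suspicious log lines."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            # rundll32 loading a DLL (with an export name) from a Run key is a
            # classic loader pattern; the DLL itself is what needs verifying.
            if re.match(r"rundll32(\.exe)?\s", m.group("cmd"), re.IGNORECASE):
                findings.append(("run-key", line, "Run key loads a DLL via rundll32"))
            continue
        m = POLICY_RE.match(line)
        if m and m.group("key") in LOCKOUT_POLICIES and m.group("val") != "0":
            findings.append(("policy", line, m.group("key") + " disables an admin tool"))
            continue
        if line.startswith("AppInit_DLLs:"):
            # Every DLL listed here is injected into each process that loads user32.
            for dll in line.split(":", 1)[1].split():
                findings.append(("appinit", dll, "AppInit_DLLs injection"))
            continue
        m = SHELL_OBJ_RE.match(line)
        if m:
            kind, rest = m.group("kind").lower(), m.group("rest")
            if rest.endswith("- No File"):
                findings.append((kind, line, "orphaned entry, file missing"))
            elif re.search(r"\s-\s[a-z0-9_]+\.dll$", rest):
                # Bare file name, no directory: the loader has to search for it.
                findings.append((kind, line, "entry references a DLL with no path"))
            continue
        if line.startswith("LSA: Notification Packages"):
            for pkg in line.split("=", 1)[1].split():
                if pkg.lower() not in DEFAULT_LSA_PACKAGES:
                    findings.append(("lsa", pkg, "non-default LSA notification package"))
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            # system+hidden attributes on a DLL dropped in system32 is the pattern
            # used to hide files from a casual directory listing.
            if "s" in attrs and "h" in attrs and "system32" in path.lower():
                findings.append(("hidden-file", path, "hidden+system DLL in system32"))
    return findings


def summarize(findings):
    """Count findings per category, for a quick verdict on a long log."""
    counts = {}
    for category, _entry, _reason in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage_dds(SAMPLE_DDS_LOG)
    for category, entry, reason in results:
        print(f"[{category:11}] {reason}: {entry}")
    print(summarize(results))
```

Run it against a full DDS log by passing the file contents to `triage_dds`; the regexes match the DDS line formats shown in the post, so lines from sections other than the ones sampled are simply skipped. The rules are deliberately coarse: a hit means "look at this entry", not "this is malware", and the per-category counts are what a helper scans first before reading the individual lines.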

#2 thcbytes
  • Malware Response Team

Posted 25 December 2009 - 12:59 AM

Hi and welcome to the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I reviewed your thread in "Am I Infected" and the logs you posted. You are seriously infected!!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days, if your topic is not replied to, I will assume it has been abandoned and I will close it.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

Re-run RKill

==========

Please download exeHelper to your desktop.
  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

==========

Download and Run ComboFix (by sUBs)

You must rename it before saving it.


Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code"

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
  • Push the Run Scan button.
  • A report will open. Copy and Paste that report in your next reply.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
==========

With your next post please provide:

* Exehelper log
* Combofix.txt
* OTL.txt
* Extra.txt

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 Averus

  • Topic Starter

Posted 25 December 2009 - 11:27 PM

Had to switch over to IE to follow your instructions as Firefox always downloads to the MyDocuments\downloads and doesn't give me the option to rename. Not important, but just in case somebody else in the future has a question about that. Got all the logs you've requested.


exeHelper by Raktor
Build 20091220
Run at 19:16:29 on 12/25/09
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Deleting file C:\WINDOWS\system32\BtwSrv.dll
Error deleting C:\WINDOWS\system32\BtwSrv.dll - Set for removal on reboot - PLEASE REBOOT
Deleting file C:\WINDOWS\system32\lsm32.sys
Deleting file C:\WINDOWS\system32\opeia.exe
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--


ComboFix 09-12-25.03 - Sephiroth 12/25/2009 19:42:54.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.383.58 [GMT -8:00]
Running from: c:\documents and settings\Sephiroth\Desktop\thcbytes.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Sephiroth\Local Settings\Application Data\{47FED74E-1F6D-4215-8F6E-5AEA107F15FE}
c:\documents and settings\Sephiroth\Local Settings\Application Data\{47FED74E-1F6D-4215-8F6E-5AEA107F15FE}\chrome.manifest
c:\documents and settings\Sephiroth\Local Settings\Application Data\{47FED74E-1F6D-4215-8F6E-5AEA107F15FE}\chrome\content\_cfg.js
c:\documents and settings\Sephiroth\Local Settings\Application Data\{47FED74E-1F6D-4215-8F6E-5AEA107F15FE}\chrome\content\overlay.xul
c:\documents and settings\Sephiroth\Local Settings\Application Data\{47FED74E-1F6D-4215-8F6E-5AEA107F15FE}\install.rdf
c:\recycler\S-1-5-21-179983998-1733515309-3983988648-1003
c:\recycler\S-1-5-21-2445810432-2914882101-1291228572-1003
c:\windows\Install.txt
c:\windows\system32\AVR10.exe
c:\windows\system32\BtwSrv.dll
c:\windows\system32\FastNetSrv.exe
c:\windows\system32\FInstall.sys
c:\windows\system32\Install.txt
c:\windows\system32\kivumolo.dll
c:\windows\system32\logs
c:\windows\system32\molugivu.dll
c:\windows\system32\nuwuzeku.dll
c:\windows\system32\wawavara.dll
c:\windows\system32\winhelper86.dll
c:\windows\system32\wmdtc.exe
c:\windows\Tasks\thcaqofw.job
c:\windows\TEMP\mta13187.dll
c:\windows\Temp\tmp3.tmp
c:\windows\uhutofiw.dll
c:\windows\xmstst.dll
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://77.74.48.111
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_BTWSRV
-------\Legacy_FASTNETSRV
-------\Legacy_TDIDRV32.SYS
-------\Legacy_WINSTS
-------\Service_BtwSrv
-------\Service_fastnetsrv


((((((((((((((((((((((((( Files Created from 2009-11-26 to 2009-12-26 )))))))))))))))))))))))))))))))
.

2009-12-25 04:47 . 2009-12-25 15:15 0 ----a-w- c:\windows\Wvecipusovomado.bin
2009-12-25 04:47 . 2009-12-25 15:14 120 ----a-w- c:\windows\Qqofisuba.dat
2009-12-24 16:33 . 2009-12-24 16:33 32768 ----a-w- c:\windows\system32\msaouahn.dll
2009-12-23 23:20 . 2009-12-23 23:20 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-22 17:43 . 2009-12-22 17:43 -------- d-----w- c:\program files\ESET
2009-12-21 06:46 . 2009-12-21 06:46 -------- d-----w- C:\a0ddfe9dce0856bdae
2009-12-20 21:13 . 2009-12-20 21:13 -------- d--h--w- c:\windows\PIF
2009-12-20 06:18 . 2009-12-04 00:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-20 06:18 . 2009-12-04 00:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-24 16:33 . 2008-03-31 05:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-24 07:21 . 2004-08-04 05:59 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-20 16:11 . 2006-12-26 00:07 29928 -c--a-w- c:\documents and settings\Sephiroth\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-20 06:18 . 2009-12-20 06:18 4844295 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-04 16:03 . 2008-06-20 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-11-25 16:55 . 2009-12-12 16:44 2063640 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-11-25 16:55 . 2009-12-12 16:44 3514648 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-11-25 16:55 . 2009-12-12 16:44 2029336 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-11-19 19:48 . 2009-12-01 15:55 872960 ----a-w- c:\documents and settings\Sephiroth\Application Data\Mozilla\Firefox\Profiles\936nncv4.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-11-19 19:48 . 2009-12-01 15:55 43008 ----a-w- c:\documents and settings\Sephiroth\Application Data\Mozilla\Firefox\Profiles\936nncv4.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-11-19 19:48 . 2009-12-01 15:55 340480 ----a-w- c:\documents and settings\Sephiroth\Application Data\Mozilla\Firefox\Profiles\936nncv4.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-11-19 19:48 . 2009-12-01 15:55 346624 ----a-w- c:\documents and settings\Sephiroth\Application Data\Mozilla\Firefox\Profiles\936nncv4.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-10-31 23:02 . 2009-10-31 23:02 -------- d-----w- c:\program files\MSBuild
2009-10-31 23:01 . 2009-10-31 23:01 -------- d-----w- c:\program files\Reference Assemblies
2009-10-31 22:55 . 2009-10-31 22:55 -------- d-----w- c:\program files\MSXML 6.0
2009-10-29 07:46 . 2006-05-07 00:24 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2006-05-07 00:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2006-05-07 00:24 17408 ------w- c:\windows\system32\corpol.dll
2009-10-21 06:00 . 2006-05-07 00:24 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2006-05-07 00:24 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-04 06:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:53 . 2006-05-07 00:24 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2006-05-07 00:24 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2006-05-07 00:24 112128 ----a-w- c:\windows\system32\rastls.dll
2009-09-25 05:34 . 2009-09-25 05:34 39424 --sha-w- c:\windows\system32\fevahiva.dll
2009-09-24 16:33 . 2009-09-24 16:33 39424 --sha-w- c:\windows\system32\mozuzolo.dll
2009-09-25 05:34 . 2009-09-25 05:34 92672 --sha-w- c:\windows\system32\musebehi.dll
2009-09-26 03:30 . 2009-09-26 03:30 39424 --sha-w- c:\windows\system32\netojeke.dll
2009-09-26 03:30 . 2009-09-26 03:30 61440 --sha-w- c:\windows\system32\ritujute.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-09-02 19:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tqammy"="c:\windows\system32\msaouahn.dll" [2009-12-24 32768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-16 16:20 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
NA [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-04 01:43 69632 -c--a-w- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2008-11-20 18:06 178688 -c--a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
2007-10-05 02:38 307200 -c--a-w- c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-09-15 04:05 344064 -c--a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
2009-12-12 16:43 2043160 ----a-w- c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 19:00 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus NX400 Series]
2007-12-17 06:00 188928 -c--a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIEGA.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-06-16 14:03 221184 -c--a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-06-16 14:03 81920 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-05-27 17:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 06:42 212992 -c--a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2005-02-26 01:24 966656 -c--a-w- c:\windows\creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2005-01-12 10:01 32768 -c--a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-10-12 01:36 16267776 -c--a-w- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-17 01:04 2879488 -c--a-w- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2008-08-30 01:11 61440 -c--a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 12:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2004-11-22 15:18 307200 -c--a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"IDriverT"=3 (0x3)
"ATI Smart"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\WINDOWS\\system32\\ati2evxx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgcsrvx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgui.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\WINDOWS\\system32\\imapi.exe"=
"c:\\Documents and Settings\\Sephiroth\\Desktop\\procexp.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/20/2008 2:32 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/20/2008 2:32 PM 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/2/2008 7:21 AM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/2/2008 7:21 AM 297752]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/15/2008 4:18 PM 24652]
S3 CEUSBAUD;DigiTech RP500 USB MIDI Driver;c:\windows\system32\drivers\ceusbaud.sys [9/19/2008 10:41 PM 17920]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [6/30/2006 8:44 PM 69692]
S3 L6PODX3LV;POD X3 Live Service;c:\windows\system32\drivers\L6PODX3LV.sys [11/17/2008 6:39 PM 530560]
S3 lgusbsmodem;LGE Mobile USB Modem;c:\windows\system32\DRIVERS\lgusbsmodem.sys --> c:\windows\system32\DRIVERS\lgusbsmodem.sys [?]
S3 XDva098;XDva098;\??\c:\windows\system32\XDva098.sys --> c:\windows\system32\XDva098.sys [?]
S3 XDva189;XDva189;\??\c:\windows\system32\XDva189.sys --> c:\windows\system32\XDva189.sys [?]
S3 XDva195;XDva195;\??\c:\windows\system32\XDva195.sys --> c:\windows\system32\XDva195.sys [?]
S3 XDva208;XDva208;\??\c:\windows\system32\XDva208.sys --> c:\windows\system32\XDva208.sys [?]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3516A
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
IE: &Search
FF - ProfilePath - c:\documents and settings\Sephiroth\Application Data\Mozilla\Firefox\Profiles\936nncv4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Search & Win
FF - prefs.js: browser.startup.homepage - hxxp://search.pch.com/?src=hp
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\documents and settings\Sephiroth\Application Data\Mozilla\Firefox\Profiles\936nncv4.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - .
- - - - ORPHANS REMOVED - - - -

BHO-{06e3d439-0da3-4c72-9f94-6879d3bcbc57} - wawavara.dll
HKLM-Run-Nsise - c:\windows\uhutofiw.dll
HKLM-Run-dogewovel - c:\windows\system32\nuwuzeku.dll
HKLM-Run-nebididafa - molugivu.dll
SharedTaskScheduler-{f03809d7-56e9-44d2-aa3f-09150c2bb7f9} - c:\windows\system32\nuwuzeku.dll
SSODL-rovubiwub-{f446b8cf-1aa9-4b71-946b-82f9abc10d26} - (no file)
SSODL-wotegojij-{9059de53-882c-40de-afef-d6abd04197d0} - (no file)
SSODL-holenamok-{a0b26ea0-e556-4e4e-8f3d-fcd387ae7d50} - (no file)
SSODL-nozakutan-{58e23e40-3b59-44aa-949b-b8cb5ad13489} - (no file)
SSODL-lojarimar-{9abf15f5-f9b8-4a8d-bb40-ee44d9c0aeb0} - (no file)
SSODL-vodafuwav-{f03809d7-56e9-44d2-aa3f-09150c2bb7f9} - c:\windows\system32\nuwuzeku.dll
SafeBoot-tdidrv32.sys
MSConfigStartUp-AIM - c:\program files\AIM\aim.exe
MSConfigStartUp-dogewovel - c:\windows\system32\kiratero.dll
MSConfigStartUp-nebididafa - fifuwoga.dll
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-25 19:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2896)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msaouahn.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2009-12-25 20:03:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-26 04:03

Pre-Run: 99,633,119,232 bytes free
Post-Run: 99,900,956,672 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 4F68D89B5A5CDFD9E2E47577E0F196C3




OTL logfile created on: 12/25/2009 8:09:06 PM - Run 1
OTL by OldTimer - Version 3.1.20.1 Folder = C:\Documents and Settings\Sephiroth\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

383.00 Mb Total Physical Memory | 122.00 Mb Available Physical Memory | 32.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): C:\pagefile.sys 2048 4096 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 107.34 Gb Total Space | 93.06 Gb Free Space | 86.70% Space Free | Partition Type: NTFS
Drive D: | 4.44 Gb Total Space | 2.59 Gb Free Space | 58.26% Space Free | Partition Type: FAT32
Unable to calculate disk information.
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MAY_CHI
Current User Name: Sephiroth
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/12/25 20:07:02 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sephiroth\Desktop\OTL.exe
PRC - [2009/10/27 22:54:16 | 00,634,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/08/16 08:20:57 | 00,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/08/16 08:20:56 | 00,693,016 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2009/08/16 08:20:48 | 00,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2009/08/16 08:20:41 | 00,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe
PRC - [2009/08/16 08:20:26 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2009/07/25 04:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/01/13 20:34:00 | 00,598,016 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2008/11/19 09:47:24 | 00,109,056 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
PRC - [2007/06/13 02:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/01/04 13:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2004/08/04 11:00:00 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe


========== Modules (SafeList) ==========

MOD - [2009/12/25 20:07:02 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sephiroth\Desktop\OTL.exe
MOD - [2009/12/24 08:33:10 | 00,032,768 | ---- | M] (USA) -- C:\WINDOWS\system32\msaouahn.dll
MOD - [2006/08/25 07:45:55 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (PrismXL)
SRV - [2009/08/16 08:20:41 | 00,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc)
SRV - [2009/08/16 08:20:26 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2009/07/25 04:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/01/13 21:05:00 | 00,593,920 | ---- | M] () [Disabled | Stopped] -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart)
SRV - [2009/01/13 20:34:00 | 00,598,016 | ---- | M] (ATI Technologies Inc.) [Auto | Running] -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2008/11/19 09:47:24 | 00,109,056 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2007/01/04 13:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2004/10/22 02:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
DRV - [2009/08/16 08:20:57 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/08/16 08:20:56 | 00,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/05/18 08:47:11 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2009/01/13 23:14:01 | 03,455,488 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2008/10/23 14:51:02 | 00,530,560 | ---- | M] (Line 6) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\L6PODX3LV.sys -- (L6PODX3LV)
DRV - [2008/03/25 14:21:41 | 00,044,288 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2007/11/13 02:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2006/10/26 20:06:07 | 00,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2006/10/12 08:52:04 | 04,387,328 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2006/07/18 14:16:08 | 00,990,592 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2006/07/18 14:15:18 | 00,256,128 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2006/07/18 14:15:10 | 00,728,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2006/06/19 13:26:58 | 00,012,672 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV - [2006/02/27 04:46:20 | 00,081,408 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2005/10/26 23:06:30 | 00,356,096 | R--- | M] (Ralink Technology Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rt61.sys -- (RT61) Linksys Wireless-G PCI Adapter Driver(RT61)
DRV - [2005/01/07 16:07:18 | 00,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
DRV - [2004/11/10 16:30:18 | 00,024,832 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2004/08/04 11:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/08/04 05:07:44 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2004/08/04 05:07:44 | 00,041,088 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2004/08/03 22:07:56 | 00,059,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio)
DRV - [2004/08/03 21:31:34 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2003/11/01 12:19:38 | 00,017,920 | ---- | M] (CEntrance, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ceusbaud.sys -- (CEUSBAUD)
DRV - [2003/01/10 13:13:04 | 00,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2001/08/17 20:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 20:07:42 | 00,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 20:07:40 | 00,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 20:07:36 | 00,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 20:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 19:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 19:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 19:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 19:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 19:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 19:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 19:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 19:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 19:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 19:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/08/17 18:10:58 | 00,069,692 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\el575ND5.sys -- (el575nd5)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_page_URL = http://www.gateway.com/g/startpage.html?Ch...TP&M=T3516A
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_page_URL = http://www.gateway.com/g/startpage.html?Ch...TP&M=T3516A
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-179983998-1733515309-3983988648-1007\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-179983998-1733515309-3983988648-1007\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\S-1-5-21-179983998-1733515309-3983988648-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-179983998-1733515309-3983988648-1007\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-179983998-1733515309-3983988648-1007\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-21-179983998-1733515309-3983988648-1007\S-1-5-21-179983998-1733515309-3983988648-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="
FF - prefs.js..browser.search.selectedEngine: "Search & Win"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://search.pch.com/?src=hp"
FF - prefs.js..extensions.enabledItems: avg@igeared:2.609.002.003
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {47FED74E-1F6D-4215-8F6E-5AEA107F15FE}:1.9.1
FF - prefs.js..keyword.URL: "http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p="


FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG8\Firefox [2009/11/03 08:03:49 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared [2009/11/11 21:13:44 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/22 08:18:26 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/20 13:13:08 | 00,000,000 | ---D | M]

[2009/06/05 20:28:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\Mozilla\Extensions
[2009/06/05 20:28:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2009/12/25 07:17:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\Mozilla\Firefox\Profiles\936nncv4.default\extensions
[2009/10/05 07:21:31 | 00,001,503 | ---- | M] () -- C:\Documents and Settings\Sephiroth\Application Data\Mozilla\Firefox\Profiles\936nncv4.default\searchplugins\search--win.xml
[2008/12/19 13:06:18 | 00,000,653 | ---- | M] () -- C:\Documents and Settings\Sephiroth\Application Data\Mozilla\Firefox\Profiles\936nncv4.default\searchplugins\yahoo-search.xml
[2009/12/25 07:17:48 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/12/03 17:50:14 | 00,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2007/04/16 09:07:12 | 00,180,293 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll

O1 HOSTS File: (27 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\WINDOWS\system32\bae.dll (Gateway Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O3 - HKU\S-1-5-21-179983998-1733515309-3983988648-1007\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-179983998-1733515309-3983988648-1007\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKU\S-1-5-21-179983998-1733515309-3983988648-1007\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [tqammy] C:\WINDOWS\System32\msaouahn.DLL (USA)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-179983998-1733515309-3983988648-1007\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-179983998-1733515309-3983988648-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-179983998-1733515309-3983988648-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-179983998-1733515309-3983988648-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-179983998-1733515309-3983988648-1007_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-179983998-1733515309-3983988648-1007\..Trusted Domains: internet ([]about in Local intranet)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 74.84.119.150 97.64.180.153
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/05/06 16:38:36 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2003/08/08 17:24:26 | 00,000,045 | -HS- | M] () - D:\autorun.inf.aug.8 -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2006/05/06 16:37:54 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (53483750268338176)

========== Files/Folders - Created Within 30 Days ==========

[2009/12/25 20:06:55 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Sephiroth\Desktop\OTL.exe
[2009/12/25 19:37:52 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/12/25 19:33:03 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/12/25 19:33:03 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/12/25 19:33:03 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/12/25 19:33:03 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/12/25 19:32:29 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/12/25 19:31:32 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/12/25 07:15:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2009/12/24 09:35:41 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\Sephiroth\Recent
[2009/12/24 08:33:09 | 00,032,768 | ---- | C] (USA) -- C:\WINDOWS\System32\msaouahn.dll
[2009/12/22 09:43:25 | 00,000,000 | ---D | C] -- C:\Program Files\ESET
[2009/12/20 22:46:07 | 00,000,000 | ---D | C] -- C:\a0ddfe9dce0856bdae
[2009/12/20 13:13:43 | 00,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2009/12/19 22:18:23 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/19 22:18:18 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/06/29 07:14:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\AVGTOOLBAR
[2009/02/12 10:51:50 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/02/12 10:51:50 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/02/12 10:51:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/02/12 10:51:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2008/02/08 21:10:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2007/02/11 20:37:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/12/25 20:07:02 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sephiroth\Desktop\OTL.exe
[2009/12/25 19:53:48 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/12/25 19:53:22 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/12/25 19:52:56 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/25 19:52:50 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/25 19:52:47 | 40,205,1072 | -HS- | M] () -- C:\hiberfil.sys
[2009/12/25 19:51:41 | 04,194,304 | ---- | M] () -- C:\Documents and Settings\Sephiroth\NTUSER.DAT
[2009/12/25 19:51:41 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Sephiroth\ntuser.ini
[2009/12/25 19:47:03 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\nojudofe
[2009/12/25 19:38:01 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/12/25 19:30:04 | 03,865,543 | R--- | M] () -- C:\Documents and Settings\Sephiroth\Desktop\thcbytes.exe
[2009/12/25 07:15:02 | 00,000,000 | ---- | M] () -- C:\WINDOWS\Wvecipusovomado.bin
[2009/12/25 07:14:56 | 00,000,120 | ---- | M] () -- C:\WINDOWS\Qqofisuba.dat
[2009/12/24 19:41:43 | 00,005,106 | ---- | M] () -- C:\Documents and Settings\Sephiroth\My Documents\AvGscan3.csv
[2009/12/24 14:08:12 | 46,994,093 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/12/24 14:08:12 | 00,127,929 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/12/24 08:33:10 | 00,032,768 | ---- | M] (USA) -- C:\WINDOWS\System32\msaouahn.dll
[2009/12/23 23:21:36 | 00,095,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\atapi.sys
[2009/12/23 15:20:26 | 00,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/12/21 12:48:38 | 00,000,924 | ---- | M] () -- C:\Documents and Settings\Sephiroth\My Documents\AVGScan1.csv
[2009/12/21 07:58:59 | 00,521,766 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/12/21 07:58:59 | 00,441,454 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/12/21 07:58:59 | 00,071,264 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/12/21 07:56:21 | 00,146,016 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/12/20 08:11:31 | 00,029,928 | ---- | M] () -- C:\Documents and Settings\Sephiroth\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/12/19 10:30:05 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/12/18 11:23:48 | 03,550,592 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Documents and Settings\Sephiroth\Desktop\procexp.exe
[2009/12/18 11:23:44 | 00,072,138 | ---- | M] () -- C:\Documents and Settings\Sephiroth\Desktop\procexp.chm
[2009/12/17 07:43:03 | 00,000,563 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/12/17 07:43:03 | 00,000,211 | ---- | M] () -- C:\Boot.bak
[2009/12/09 22:54:07 | 00,261,632 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/25 19:38:01 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/12/25 19:37:55 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/12/25 19:33:03 | 00,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/12/25 19:33:03 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/12/25 19:33:03 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/12/25 19:33:03 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2009/12/25 19:33:03 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/12/25 19:30:04 | 03,865,543 | R--- | C] () -- C:\Documents and Settings\Sephiroth\Desktop\thcbytes.exe
[2009/12/24 20:47:00 | 00,000,120 | ---- | C] () -- C:\WINDOWS\Qqofisuba.dat
[2009/12/24 20:47:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Wvecipusovomado.bin
[2009/12/24 19:41:43 | 00,005,106 | ---- | C] () -- C:\Documents and Settings\Sephiroth\My Documents\AvGscan3.csv
[2009/12/23 15:20:26 | 00,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/12/21 12:48:38 | 00,000,924 | ---- | C] () -- C:\Documents and Settings\Sephiroth\My Documents\AVGScan1.csv
[2009/12/15 07:32:16 | 40,205,1072 | -HS- | C] () -- C:\hiberfil.sys
[2009/09/25 19:30:51 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\netojeke.dll
[2009/09/25 19:30:50 | 00,061,440 | -HS- | C] () -- C:\WINDOWS\System32\ritujute.dll
[2009/09/24 21:34:30 | 00,092,672 | -HS- | C] () -- C:\WINDOWS\System32\musebehi.dll
[2009/09/24 21:34:30 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\fevahiva.dll
[2009/09/24 08:33:52 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\mozuzolo.dll
[2009/01/29 20:00:41 | 00,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2008/11/03 18:15:26 | 00,000,132 | ---- | C] () -- C:\Documents and Settings\Sephiroth\Local Settings\Application Data\fusioncache.dat
[2008/09/15 12:30:42 | 00,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2008/09/15 12:28:42 | 00,000,044 | ---- | C] () -- C:\WINDOWS\EPSNX400.ini
[2008/02/06 19:17:04 | 00,000,021 | ---- | C] () -- C:\WINDOWS\atid.ini
[2007/09/02 21:17:54 | 00,001,392 | ---- | C] () -- C:\Documents and Settings\Sephiroth\Application Data\wklnhst.dat
[2007/03/09 10:00:17 | 00,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2007/03/09 10:00:17 | 00,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2007/03/09 10:00:17 | 00,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2007/03/08 22:12:47 | 00,000,025 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2007/01/08 05:07:38 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2007/01/04 14:57:37 | 00,029,696 | ---- | C] () -- C:\WINDOWS\System32\asutl8.dll
[2006/12/25 16:45:27 | 00,020,992 | ---- | C] () -- C:\Documents and Settings\Sephiroth\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/06/30 22:01:25 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/05/06 16:24:27 | 00,001,442 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/05/06 16:24:27 | 00,000,501 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2004/08/03 15:00:00 | 00,773,120 | ---- | C] () -- C:\WINDOWS\System32\RGSS100J.dll

========== LOP Check ==========

[2008/03/27 17:44:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\AVG7
[2006/10/26 20:12:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\SampleView
[2006/10/26 20:12:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.MAY_CHI\Application Data\SampleView
[2006/10/26 20:12:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.MAY_CHI.000\Application Data\SampleView
[2009/07/18 11:41:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2008/09/19 11:03:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EPSON
[2008/11/17 19:05:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Line 6
[2007/12/03 17:54:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\n7-89-o9-3r-4t-r9
[2006/10/26 20:03:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
[2008/08/12 10:28:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Outspark
[2007/12/08 09:35:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PlayFirst
[2008/06/10 21:53:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sony
[2008/03/25 15:03:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2008/06/15 16:18:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2006/12/25 16:08:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WildTangent
[2008/09/19 22:42:02 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{19E3ECD3-BDEB-4ACA-8EE2-B67A915773A3}
[2006/10/26 20:12:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\SampleView
[2009/06/29 07:14:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\AVGTOOLBAR
[2009/08/28 15:06:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\Aim
[2007/01/04 15:05:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\Anvil Studio
[2008/03/22 13:07:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\Aveyond II
[2009/06/17 16:23:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\AVGTOOLBAR
[2009/08/28 15:07:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\BitZipper
[2008/09/15 12:45:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\Leadertech
[2007/11/01 15:52:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\Opera
[2007/12/02 19:02:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\PlayFirst
[2006/10/26 20:12:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\SampleView
[2009/08/28 15:19:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\Sony
[2007/09/02 21:17:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\Template
[2007/04/01 15:20:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\Viewpoint
[2006/12/25 16:08:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\WildTangent

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/04/13 10:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\agp440.sys
[2004/08/04 05:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\ERDNT\cache\AGP440.SYS
[2004/08/04 05:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\dllcache\agp440.sys
[2004/08/04 05:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\drivers\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2008/04/13 10:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys
[2009/12/23 23:21:36 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2009/12/23 23:21:36 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2009/12/23 23:21:36 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 16:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll
[2004/08/04 11:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2004/08/04 11:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 16:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\netlogon.dll
[2009/02/06 10:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 10:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/04 11:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2004/08/04 11:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 11:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2004/08/04 11:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll
[2008/04/13 16:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\scecli.dll

< %systemroot%\*. /mp /s >

========== Alternate Data Streams ==========

@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3AB8D21A
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A11F741D
< End of report >


OTL Extras logfile created on: 12/25/2009 8:09:06 PM - Run 1
OTL by OldTimer - Version 3.1.20.1 Folder = C:\Documents and Settings\Sephiroth\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

383.00 Mb Total Physical Memory | 122.00 Mb Available Physical Memory | 32.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): C:\pagefile.sys 2048 4096 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 107.34 Gb Total Space | 93.06 Gb Free Space | 86.70% Space Free | Partition Type: NTFS
Drive D: | 4.44 Gb Total Space | 2.59 Gb Free Space | 58.26% Space Free | Partition Type: FAT32
Unable to calculate disk information.
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MAY_CHI
Current User Name: Sephiroth
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- "%SYSTEMROOT%\hh.exe" %1
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe"

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG8\avgemc.exe" = C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Disabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\AVG\AVG8\avgnsx.exe" = C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx -- (AVG Technologies CZ, s.r.o.)
"C:\WINDOWS\system32\ati2evxx.exe" = C:\WINDOWS\system32\ati2evxx.exe:*:Enabled:Ati2evxx -- (ATI Technologies Inc.)
"C:\Program Files\AVG\AVG8\avgcsrvx.exe" = C:\Program Files\AVG\AVG8\avgcsrvx.exe:*:Enabled:avgcsrvx -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG8\avgui.exe" = C:\Program Files\AVG\AVG8\avgui.exe:*:Enabled:avgui -- (AVG Technologies CZ, s.r.o.)
"C:\Documents and Settings\Sephiroth\Desktop\procexp.exe" = C:\Documents and Settings\Sephiroth\Desktop\procexp.exe:*:Enabled:procexp -- (Sysinternals - www.sysinternals.com)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02DC3C69-02AF-47C2-9B68-AA2A69631CF8}" = DigiTech X-Edit 2.4.1
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{08CA9554-B5FE-4313-938F-D4A417B81175}" = QuickTime
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{15377C3E-9655-400F-B441-E69F0A6BEAFE}" = Recovery Software Suite eMachines
"{1B15D991-5619-4BC1-B71E-3DE793B792FC}" = ArcSoft MediaConverter 2
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = DVD Solution
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 15
"{2A947CBB-4F5E-38D8-F49E-6C2C0D9D848E}" = Catalyst Control Center Graphics Previews Common
"{2D62916C-976C-4425-8833-8814D9A7A54D}" = ArcSoft Print Creations
"{30DE45EC-48B3-7617-193A-7B4CDCE18D22}" = Skins
"{3248F0A8-6813-11D6-A77B-00B0D0150020}" = J2SE Runtime Environment 5.0 Update 2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = Browser Address Error Redirector
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go 4.0
"{4661CE0D-11BA-4AC0-A7CE-72F69AF721CF}" = DigiTech RP500 Drivers
"{5C08205C-C9E0-A607-9EB1-EB0D7C5659B3}" = Catalyst Control Center Core Implementation
"{5D95AD35-368F-47D5-B63A-A082DDF00111}" = Microsoft Digital Image Starter Edition 2006 Editor
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{691F4068-81BF-49E3-B32E-FE3E16400111}" = Microsoft Digital Image Starter Edition 2006 Library
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{6F45C51F-A0E8-4547-83C8-CCDD4B0E4877}" = RPG Maker XP - Postality Knights Edition ENHANCED
"{72736F5F-520D-472A-88CC-7B02872FD34E}" = ATI Catalyst Registration
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}" = Napster Burn Engine
"{90A2EB5A-8446-1554-235A-D174E39AF4E5}" = Catalyst Control Center Graphics Full Existing
"{9F7FC79B-3059-4264-9450-39EB368E3225}" = Microsoft Digital Image Library 9 - Blocker
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}" = REALTEK GbE & FE Ethernet PCI NIC Driver
"{B48442EE-FF84-3A89-CA50-EA2D1C64733E}" = ccc-utility
"{BBBCAE4B-B416-4182-A6F2-438180894A81}" = Napster
"{BCE72AED-3332-4863-9567-C5DCB9052CA2}" = Netflix Movie Viewer
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CA9ED5E4-1548-485B-A293-417840060158}" = ArcSoft Print Creations - Photo Calendar
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC1086AD-1635-01EF-3137-04AB16B46F9F}" = ccc-core-preinstall
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D01B4212-C867-9074-217D-B40BB5A578FE}" = Catalyst Control Center Graphics Full New
"{D3B1C799-CB73-42DE-BA0F-2344793A095C}" = Catalyst Control Center - Branding
"{DCFF3DB2-0E96-6DF5-DF22-AB1C18CF5E86}" = Catalyst Control Center Graphics Light
"{DE9D0AF5-08ED-70A5-66FA-4C3B3E2A85E8}" = Catalyst Control Center HydraVision Full
"{E5EC3E84-F3D6-4ECB-9486-69FCF11694B3}" = Opera 9.20
"{F04F9557-81A9-4293-BC49-2C216FA325A7}" = ArcSoft Print Creations - Greeting Card
"{F104E135-A5EF-9551-4924-2A7B94DDDADF}" = ccc-core-static
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{FBB6D1D6-BD35-50E0-37B7-375BAB8E199B}" = CCC Help English
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"AudibleManager" = AudibleManager
"AVG8Uninstall" = AVG Free 8.5
"CCleaner" = CCleaner (remove only)
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F40&SUBSYS_200014F1" = Soft Data Fax Modem with SmartCP
"DigiTech RP500 Drivers" = DigiTech RP500 Drivers
"EPSON Scanner" = EPSON Scan
"EPSON Stylus NX400 Series" = EPSON Stylus NX400 Series Printer Uninstall
"ESET Online Scanner" = ESET Online Scanner v3
"Gateway Game Console" = Gateway Game Console
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Money2006b" = Microsoft Money 2006
"Mozilla Firefox (3.5.6)" = Mozilla Firefox (3.5.6)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PictureItSuiteTrial_v11" = Microsoft Digital Image Starter Edition 2006
"RealPlayer 6.0" = RealPlayer Basic
"ROSE Online Evolution182" = ROSE Online Evolution
"Silent Package Run-Time Sample" = EPSON NX400 User's Guide
"ST5UNST #1" = Anvil Studio
"ViewpointMediaPlayer" = Viewpoint Media Player
"WIC" = Windows Imaging Component
"WildTangent CDA" = WildTangent Web Driver
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/21/2009 11:57:41 AM | Computer Name = MAY_CHI | Source = Application Error | ID = 1004
Description = Faulting application svchost.exe, version 5.1.2600.2180, faulting
module user32.dll, version 5.1.2600.3099, fault address 0x0001d3df.

Error - 12/21/2009 11:58:51 AM | Computer Name = MAY_CHI | Source = Application Error | ID = 1001
Description = Fault bucket 1598733707.

Error - 12/21/2009 2:07:47 PM | Computer Name = MAY_CHI | Source = Application Error | ID = 1000
Description = Faulting application ogstiuu.exe, version 1.0.0.6, faulting module
ogstiuu.exe, version 1.0.0.6, fault address 0x00004442.

Error - 12/21/2009 2:10:27 PM | Computer Name = MAY_CHI | Source = Application Error | ID = 1001
Description = Fault bucket 1619005398.

Error - 12/22/2009 12:16:34 PM | Computer Name = MAY_CHI | Source = MsiInstaller | ID = 11704
Description = Product: WebFldrs XP -- Error 1704. An installation for Microsoft
.NET Framework 2.0 Service Pack 2 is currently suspended. You must undo the changes
made by that installation to continue. Do you want to undo those changes?

Error - 12/23/2009 12:59:01 PM | Computer Name = MAY_CHI | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.1.3622, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/23/2009 12:59:27 PM | Computer Name = MAY_CHI | Source = Application Hang | ID = 1001
Description = Fault bucket 1589847310.

Error - 12/24/2009 4:33:21 PM | Computer Name = MAY_CHI | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16945, faulting
module ntdll.dll, version 5.1.2600.3520, fault address 0x00011a42.

Error - 12/24/2009 4:33:55 PM | Computer Name = MAY_CHI | Source = Application Error | ID = 1001
Description = Fault bucket 1598107222.

Error - 12/25/2009 12:39:29 AM | Computer Name = MAY_CHI | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 6.0.2900.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ Application Events ]
Error - 12/21/2009 11:57:41 AM | Computer Name = MAY_CHI | Source = Application Error | ID = 1004
Description = Faulting application svchost.exe, version 5.1.2600.2180, faulting
module user32.dll, version 5.1.2600.3099, fault address 0x0001d3df.

Error - 12/21/2009 11:58:51 AM | Computer Name = MAY_CHI | Source = Application Error | ID = 1001
Description = Fault bucket 1598733707.

Error - 12/21/2009 2:07:47 PM | Computer Name = MAY_CHI | Source = Application Error | ID = 1000
Description = Faulting application ogstiuu.exe, version 1.0.0.6, faulting module
ogstiuu.exe, version 1.0.0.6, fault address 0x00004442.

Error - 12/21/2009 2:10:27 PM | Computer Name = MAY_CHI | Source = Application Error | ID = 1001
Description = Fault bucket 1619005398.

Error - 12/22/2009 12:16:34 PM | Computer Name = MAY_CHI | Source = MsiInstaller | ID = 11704
Description = Product: WebFldrs XP -- Error 1704. An installation for Microsoft
.NET Framework 2.0 Service Pack 2 is currently suspended. You must undo the changes
made by that installation to continue. Do you want to undo those changes?

Error - 12/23/2009 12:59:01 PM | Computer Name = MAY_CHI | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.1.3622, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/23/2009 12:59:27 PM | Computer Name = MAY_CHI | Source = Application Hang | ID = 1001
Description = Fault bucket 1589847310.

Error - 12/24/2009 4:33:21 PM | Computer Name = MAY_CHI | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16945, faulting
module ntdll.dll, version 5.1.2600.3520, fault address 0x00011a42.

Error - 12/24/2009 4:33:55 PM | Computer Name = MAY_CHI | Source = Application Error | ID = 1001
Description = Fault bucket 1598107222.

Error - 12/25/2009 12:39:29 AM | Computer Name = MAY_CHI | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 6.0.2900.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 12/23/2009 7:40:44 PM | Computer Name = MAY_CHI | Source = Service Control Manager | ID = 7031
Description = The DCOM Server Process Launcher service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in 60000
milliseconds: Reboot the machine.

Error - 12/23/2009 7:40:44 PM | Computer Name = MAY_CHI | Source = Service Control Manager | ID = 7034
Description = The Terminal Services service terminated unexpectedly. It has done
this 1 time(s).

Error - 12/24/2009 12:53:58 PM | Computer Name = MAY_CHI | Source = Service Control Manager | ID = 7034
Description = The fastnetsrv Service service terminated unexpectedly. It has done
this 1 time(s).

Error - 12/24/2009 3:56:45 PM | Computer Name = MAY_CHI | Source = Service Control Manager | ID = 7031
Description = The AVG8 WatchDog service terminated unexpectedly. It has done this
1 time(s). The following corrective action will be taken in 0 milliseconds: Restart
the service.

Error - 12/24/2009 6:03:12 PM | Computer Name = MAY_CHI | Source = Service Control Manager | ID = 7031
Description = The AVG8 WatchDog service terminated unexpectedly. It has done this
1 time(s). The following corrective action will be taken in 0 milliseconds: Restart
the service.

Error - 12/25/2009 12:43:30 AM | Computer Name = MAY_CHI | Source = Service Control Manager | ID = 7000
Description = The fastnetsrv Service service failed to start due to the following
error: %%2

Error - 12/25/2009 11:10:10 AM | Computer Name = MAY_CHI | Source = Service Control Manager | ID = 7000
Description = The fastnetsrv Service service failed to start due to the following
error: %%2

Error - 12/25/2009 11:35:18 AM | Computer Name = MAY_CHI | Source = Service Control Manager | ID = 7034
Description = The fastnetsrv Service service terminated unexpectedly. It has done
this 1 time(s).

Error - 12/25/2009 10:32:03 PM | Computer Name = MAY_CHI | Source = Service Control Manager | ID = 7034
Description = The fastnetsrv Service service terminated unexpectedly. It has done
this 1 time(s).

Error - 12/25/2009 11:42:49 PM | Computer Name = MAY_CHI | Source = Service Control Manager | ID = 7034
Description = The fastnetsrv Service service terminated unexpectedly. It has done
this 1 time(s).


< End of report >


Wow, that was a lot of stuff. If you wanted me to upload them instead of copying and pasting, let me know and I'll do that instead; it might make it a little easier for you. I know all of this is purely volunteer work, so I'd like to be as little trouble as possible.
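The System Events block in the log above is worth reading with a script rather than by eye: the same few Service Control Manager event IDs (7031/7034 "terminated unexpectedly", 7000 "failed to start") carry the interesting signal here, namely the AVG watchdog dying twice and an unfamiliar "fastnetsrv Service" crashing and then failing to start with error %%2 (Win32 error 2, file not found). The following Python is an added example written for this thread, not a tool used by the helpers; SAMPLE_LOG is a constructed excerpt copied from the entries above, and the two baseline sets are assumptions chosen for the example.

```python
"""Triage 'System Events' error entries from a DDS/OTL-style log for service
crashes and security-product tampering.

Added example for this thread, not a tool used by the Malware Response Team.
SAMPLE_LOG is a constructed excerpt copied from the log posted above; the
baseline sets are assumptions made for this example.
"""
import re
from collections import Counter, defaultdict

# Assumed baselines: services known to belong to Windows itself, and services
# whose unexpected death is by itself a sign of anti-virus tampering.
BASELINE_WINDOWS_SERVICES = {"DCOM Server Process Launcher", "Terminal Services"}
SECURITY_SERVICES = {"AVG8 WatchDog"}

HEADER_RE = re.compile(
    r"^Error - (?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \| "
    r"Computer Name = (?P<host>\S+) \| Source = (?P<source>.+?) \| ID = (?P<id>\d+)$"
)
TERMINATED_RE = re.compile(r"The (?P<svc>.+?) service terminated unexpectedly")
FAILED_START_RE = re.compile(
    r"The (?P<svc>.+?) service failed to start .*?error: %%(?P<code>\d+)"
)

SAMPLE_LOG = """\
Error - 12/23/2009 7:40:44 PM | Computer Name = MAY_CHI | Source = Service Control Manager | ID = 7031
Description = The DCOM Server Process Launcher service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in 60000
milliseconds: Reboot the machine.

Error - 12/24/2009 3:56:45 PM | Computer Name = MAY_CHI | Source = Service Control Manager | ID = 7031
Description = The AVG8 WatchDog service terminated unexpectedly. It has done this
1 time(s). The following corrective action will be taken in 0 milliseconds: Restart
the service.

Error - 12/24/2009 6:03:12 PM | Computer Name = MAY_CHI | Source = Service Control Manager | ID = 7031
Description = The AVG8 WatchDog service terminated unexpectedly. It has done this
1 time(s). The following corrective action will be taken in 0 milliseconds: Restart
the service.

Error - 12/25/2009 12:43:30 AM | Computer Name = MAY_CHI | Source = Service Control Manager | ID = 7000
Description = The fastnetsrv Service service failed to start due to the following
error: %%2

Error - 12/25/2009 11:35:18 AM | Computer Name = MAY_CHI | Source = Service Control Manager | ID = 7034
Description = The fastnetsrv Service service terminated unexpectedly. It has done
this 1 time(s).

Error - 12/24/2009 4:33:21 PM | Computer Name = MAY_CHI | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16945, faulting
module ntdll.dll, version 5.1.2600.3520, fault address 0x00011a42.
"""


def parse_events(text):
    """Return a list of dicts: ts, host, source, id (int), desc (joined text)."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = m.groupdict()
            current["id"] = int(current["id"])
            current["desc"] = ""
            events.append(current)
        elif current is not None and line:
            # The description wraps over several lines; join them into one.
            if line.startswith("Description = "):
                line = line[len("Description = "):]
            current["desc"] = (current["desc"] + " " + line).strip()
    return events


def service_crash_summary(events):
    """Per-service counts of SCM 7031/7034 terminations, and for 7000 start
    failures the Win32 error codes seen (2 = ERROR_FILE_NOT_FOUND)."""
    terminated, failed = Counter(), defaultdict(list)
    for ev in events:
        if ev["source"] != "Service Control Manager":
            continue
        if ev["id"] in (7031, 7034):
            m = TERMINATED_RE.search(ev["desc"])
            if m:
                terminated[m.group("svc")] += 1
        elif ev["id"] == 7000:
            m = FAILED_START_RE.search(ev["desc"])
            if m:
                failed[m.group("svc")].append(int(m.group("code")))
    return terminated, dict(failed)


def flag_findings(terminated, failed):
    """Return (kind, service) pairs that deserve a closer look."""
    findings = []
    for svc in terminated:
        if svc in SECURITY_SERVICES:
            findings.append(("security_service_killed", svc))
        elif svc not in BASELINE_WINDOWS_SERVICES:
            findings.append(("unknown_service_crashed", svc))
    for svc, codes in failed.items():
        if 2 in codes:  # the service's binary is gone but its registration remains
            findings.append(("service_binary_missing", svc))
    return findings


if __name__ == "__main__":
    term, fail = service_crash_summary(parse_events(SAMPLE_LOG))
    for kind, svc in flag_findings(term, fail):
        print(f"{kind}: {svc}")
```

On the sample this reports the AVG watchdog as a killed security service, and "fastnetsrv Service" both as an unknown service that crashed and as one whose binary is missing, which is the pattern you see when a dropper has been removed but its service entry has not.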

#4 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male
  • Local time:07:29 PM

Posted 26 December 2009 - 09:16 AM

Hello,

Well done. :(
Actually copy and paste is easiest for me. Thanks.

Do you have other computers that are networked with this computer?

Firefox is safer than IE.

Open Firefox
  • Tools (upper left)
  • Options
  • Main
  • Check "Always ask me where to save files"
Now you can send your download to the location of your choice and name it as you desire.

==========

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please doubleclick the "Add or Remove Programs" icon
A list of programs installed will be "populated" this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

Viewpoint
MBAM


Additional instructions can be found here if needed.

==========

:( Warning: This script was specifically written and designed for this user only. Unsupervised use of this tool could render your computer unbootable permanently!! :)

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\Wvecipusovomado.bin
c:\windows\Qqofisuba.dat
c:\windows\system32\msaouahn.dll
c:\windows\system32\mozuzolo.dll
c:\windows\system32\musebehi.dll
c:\windows\system32\netojeke.dll
c:\windows\system32\ritujute.dll
c:\windows\system32\fevahiva.dll

Folder::
C:\a0ddfe9dce0856bdae
c:\program files\Viewpoint

Registry::
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=-
"NoActiveDesktopChanges"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tqammy"=-

Driver::
Viewpoint Manager Service


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==========

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
==========

Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.
==========

With your next post please provide:

* Answer to networking question
* Combofix.txt
* MBAM log
* Bitdefender log
* What problems remain? (Safe mode, redirection, hibernate issues you described earlier....??)

Kind regards,
~ t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/
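The CFScript above is a small, fixed-format request list: File::, Folder:: and Driver:: sections take one path or service name per line, and the Registry:: section is REGEDIT4 style, where `"name"=-` asks for that value to be deleted. Once ComboFix has run, the practical question is whether every requested deletion actually shows up in the resulting log. The Python below is an added example written for this thread, not ComboFix's code or a tool the helpers use; the embedded script and log excerpt are copied from the thread and trimmed, and the parser only understands the subset of the syntax visible here.

```python
"""Parse a ComboFix CFScript and check its File/Folder requests against the
'Other Deletions' section of the ComboFix log.

Added example for this thread; not ComboFix's own code. CFSCRIPT and
COMBOFIX_LOG are trimmed copies of the script and log posted in this thread.
"""
import re

SECTION_RE = re.compile(r"^(File|Folder|Registry|Driver)::$")

CFSCRIPT = r"""File::
c:\windows\Wvecipusovomado.bin
c:\windows\Qqofisuba.dat
c:\windows\system32\msaouahn.dll

Folder::
C:\a0ddfe9dce0856bdae
c:\program files\Viewpoint

Registry::
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=-
"NoActiveDesktopChanges"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tqammy"=-

Driver::
Viewpoint Manager Service
"""

COMBOFIX_LOG = r"""FILE ::
"c:\windows\Qqofisuba.dat"
"c:\windows\system32\msaouahn.dll"
"c:\windows\Wvecipusovomado.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\a0ddfe9dce0856bdae
c:\a0ddfe9dce0856bdae\HotFixInstaller.exe
c:\windows\Qqofisuba.dat
c:\windows\system32\msaouahn.dll
c:\windows\Wvecipusovomado.bin

.
((((((((((((((((((((((((( Files Created from 2009-11-26 to 2009-12-26 )))))))))))))))))))))))))))))))
.
"""


def parse_cfscript(text):
    """Return {'File': [...], 'Folder': [...], 'Driver': [...],
    'Registry': [(key, value_name, action, raw_value), ...]}."""
    plan = {"File": [], "Folder": [], "Driver": [], "Registry": []}
    section, key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1), None
            continue
        if section == "Registry":
            if line.startswith("[") and line.endswith("]"):
                key = line[1:-1]
            elif key and line.startswith('"'):
                name, _, value = line[1:].partition('"=')
                # In .reg syntax a value of "-" means "delete this value".
                action = "delete_value" if value == "-" else "set_value"
                plan["Registry"].append((key, name, action, value))
        elif section:
            plan[section].append(line)
    return plan


def parse_other_deletions(log_text):
    """Return the lower-cased paths ComboFix lists under 'Other Deletions'."""
    deleted, in_section = set(), False
    for raw in log_text.splitlines():
        line = raw.strip()
        if "Other Deletions" in line:
            in_section = True
            continue
        if in_section:
            if line.startswith("(((("):  # the next banner ends the section
                break
            if line and line != ".":
                deleted.add(line.lower())
    return deleted


def verify(plan, deleted):
    """Split requested File/Folder deletions into confirmed and unconfirmed."""
    confirmed, unconfirmed = [], []
    for path in plan["File"] + plan["Folder"]:
        (confirmed if path.lower() in deleted else unconfirmed).append(path)
    return confirmed, unconfirmed


if __name__ == "__main__":
    ok, missing = verify(parse_cfscript(CFSCRIPT), parse_other_deletions(COMBOFIX_LOG))
    print("confirmed:", *ok, sep="\n  ")
    print("not in log:", *missing, sep="\n  ")
```

Run against the trimmed excerpt, the only unconfirmed request is c:\program files\Viewpoint, which is expected here because the user had already removed Viewpoint through Add or Remove Programs before the script ran; the point of the check is to make that kind of gap visible instead of assuming a script did everything it was told to.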

#5 Averus

Averus
  • Topic Starter

  • Members
  • 29 posts
  • Local time:05:29 PM

Posted 26 December 2009 - 11:31 AM

Sorry, before I go through the next steps I just wanted to clarify something. When I uninstalled MBAM it said not all the files were removed and that they could be uninstalled manually. Should I uninstall the remaining files manually, and if so how should I go about doing that?

Viewpoint uninstalled just fine.

I checked the link you gave about removing uninstalled programs, but I didn't find any information I felt was useful to my situation.

Edited by Averus, 26 December 2009 - 11:33 AM.


#6 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male
  • Local time:07:29 PM

Posted 26 December 2009 - 11:37 AM

Please download the Revo Uninstaller to your desktop.
  • Double click Revo.exe to install and run.
  • Highlight MBAM.
  • Choose Uninstall.
  • Are you sure - Yes
  • Mode - Advanced
  • Are you sure - Yes
  • Initial Uninstall - Next
  • Scanning for leftovers - Next
  • Check the bolded boxes only!!!! <--- Important!!
  • Delete
  • Yes
  • Finish
Then please proceed.

Thanks,
~ t

#7 Averus

Averus
  • Topic Starter

  • Members
  • 29 posts
  • Local time:05:29 PM

Posted 26 December 2009 - 11:58 AM

When I run Revo it can't seem to find MBAM; I even checked in advanced mode. I did already uninstall it with Add/Remove Programs, it just said some files were left over but didn't say which ones or where they were. The icon is gone from my desktop now though. Should I just go ahead, or do I need to make sure that ALL of the previous MBAM files are completely removed?

#8 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male
  • Local time:07:29 PM

Posted 26 December 2009 - 01:09 PM

Yep. Proceed. :(

#9 Averus

Averus
  • Topic Starter

  • Members
  • 29 posts
  • Local time:05:29 PM

Posted 26 December 2009 - 03:14 PM

In my house I have this computer and one other that are both connected to the internet via a Linksys wireless router, so I guess they would be on the same wireless network, though they share no physical connection. My network is unencrypted as I haven't figured out how to set up a password for it.

Here come the logs:

ComboFix 09-12-25.03 - Sephiroth 12/26/2009 10:37:49.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.383.210 [GMT -8:00]
Running from: c:\documents and settings\Sephiroth\Desktop\thcbytes.exe
Command switches used :: c:\documents and settings\Sephiroth\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\Qqofisuba.dat"
"c:\windows\system32\fevahiva.dll"
"c:\windows\system32\mozuzolo.dll"
"c:\windows\system32\msaouahn.dll"
"c:\windows\system32\musebehi.dll"
"c:\windows\system32\netojeke.dll"
"c:\windows\system32\ritujute.dll"
"c:\windows\Wvecipusovomado.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\a0ddfe9dce0856bdae
c:\a0ddfe9dce0856bdae\$shtdwn$.req
c:\a0ddfe9dce0856bdae\1025\eula.rtf
c:\a0ddfe9dce0856bdae\1025\HotFixInstallerUI.dll
c:\a0ddfe9dce0856bdae\1028\eula.rtf
c:\a0ddfe9dce0856bdae\1028\HotFixInstallerUI.dll
c:\a0ddfe9dce0856bdae\1029\eula.rtf
c:\a0ddfe9dce0856bdae\1029\HotFixInstallerUI.dll
c:\a0ddfe9dce0856bdae\1030\eula.rtf
c:\a0ddfe9dce0856bdae\1030\HotFixInstallerUI.dll
c:\a0ddfe9dce0856bdae\1031\eula.rtf
c:\a0ddfe9dce0856bdae\1031\HotFixInstallerUI.dll
c:\a0ddfe9dce0856bdae\1032\eula.rtf
c:\a0ddfe9dce0856bdae\1032\HotFixInstallerUI.dll
c:\a0ddfe9dce0856bdae\1033\eula.rtf
c:\a0ddfe9dce0856bdae\1033\HotFixInstallerUI.dll
c:\a0ddfe9dce0856bdae\1035\eula.rtf
c:\a0ddfe9dce0856bdae\1035\HotFixInstallerUI.dll
c:\a0ddfe9dce0856bdae\1036\eula.rtf
c:\a0ddfe9dce0856bdae\1036\HotFixInstallerUI.dll
c:\a0ddfe9dce0856bdae\1037\eula.rtf
c:\a0ddfe9dce0856bdae\1037\HotFixInstallerUI.dll
c:\a0ddfe9dce0856bdae\1038\eula.rtf
c:\a0ddfe9dce0856bdae\1038\HotFixInstallerUI.dll
c:\a0ddfe9dce0856bdae\1040\eula.rtf
c:\a0ddfe9dce0856bdae\1040\HotFixInstallerUI.dll
c:\a0ddfe9dce0856bdae\1041\eula.rtf
c:\a0ddfe9dce0856bdae\1041\HotFixInstallerUI.dll
c:\a0ddfe9dce0856bdae\1042\eula.rtf
c:\a0ddfe9dce0856bdae\1042\HotFixInstallerUI.dll
c:\a0ddfe9dce0856bdae\1043\eula.rtf
c:\a0ddfe9dce0856bdae\1043\HotFixInstallerUI.dll
c:\a0ddfe9dce0856bdae\1044\eula.rtf
c:\a0ddfe9dce0856bdae\1044\HotFixInstallerUI.dll
c:\a0ddfe9dce0856bdae\1045\eula.rtf
c:\a0ddfe9dce0856bdae\1045\HotFixInstallerUI.dll
c:\a0ddfe9dce0856bdae\1046\eula.rtf
c:\a0ddfe9dce0856bdae\1046\HotFixInstallerUI.dll
c:\a0ddfe9dce0856bdae\1049\eula.rtf
c:\a0ddfe9dce0856bdae\1049\HotFixInstallerUI.dll
c:\a0ddfe9dce0856bdae\1053\eula.rtf
c:\a0ddfe9dce0856bdae\1053\HotFixInstallerUI.dll
c:\a0ddfe9dce0856bdae\1055\eula.rtf
c:\a0ddfe9dce0856bdae\1055\HotFixInstallerUI.dll
c:\a0ddfe9dce0856bdae\2052\eula.rtf
c:\a0ddfe9dce0856bdae\2052\HotFixInstallerUI.dll
c:\a0ddfe9dce0856bdae\2070\eula.rtf
c:\a0ddfe9dce0856bdae\2070\HotFixInstallerUI.dll
c:\a0ddfe9dce0856bdae\3076\eula.rtf
c:\a0ddfe9dce0856bdae\3076\HotFixInstallerUI.dll
c:\a0ddfe9dce0856bdae\3082\eula.rtf
c:\a0ddfe9dce0856bdae\3082\HotFixInstallerUI.dll
c:\a0ddfe9dce0856bdae\DHtmlHeader.html
c:\a0ddfe9dce0856bdae\header.bmp
c:\a0ddfe9dce0856bdae\HotFixInstaller.exe
c:\a0ddfe9dce0856bdae\NDP20SP2-KB974417.msp
c:\a0ddfe9dce0856bdae\ParameterInfo.xml
c:\a0ddfe9dce0856bdae\watermark.bmp
c:\windows\Qqofisuba.dat
c:\windows\system32\fevahiva.dll
c:\windows\system32\mozuzolo.dll
c:\windows\system32\msaouahn.dll
c:\windows\system32\musebehi.dll
c:\windows\system32\netojeke.dll
c:\windows\system32\ritujute.dll
c:\windows\Wvecipusovomado.bin

.
((((((((((((((((((((((((( Files Created from 2009-11-26 to 2009-12-26 )))))))))))))))))))))))))))))))
.

2009-12-26 16:42 . 2009-12-26 16:42 -------- d-----w- c:\program files\VS Revo Group
2009-12-23 23:20 . 2009-12-23 23:20 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-22 17:43 . 2009-12-22 17:43 -------- d-----w- c:\program files\ESET
2009-12-20 21:13 . 2009-12-20 21:13 -------- d--h--w- c:\windows\PIF
2009-12-12 16:44 . 2009-11-25 16:55 2063640 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-12-12 16:44 . 2009-11-25 16:55 3514648 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-12-12 16:44 . 2009-11-25 16:55 2029336 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-12-01 15:55 . 2009-11-19 19:48 43008 ----a-w- c:\documents and settings\Sephiroth\Application Data\Mozilla\Firefox\Profiles\936nncv4.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-01 15:55 . 2009-11-19 19:48 340480 ----a-w- c:\documents and settings\Sephiroth\Application Data\Mozilla\Firefox\Profiles\936nncv4.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-01 15:55 . 2009-11-19 19:48 872960 ----a-w- c:\documents and settings\Sephiroth\Application Data\Mozilla\Firefox\Profiles\936nncv4.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-12-01 15:55 . 2009-11-19 19:48 346624 ----a-w- c:\documents and settings\Sephiroth\Application Data\Mozilla\Firefox\Profiles\936nncv4.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-26 16:15 . 2006-10-27 04:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-12-24 07:21 . 2004-08-04 05:59 95360 ------w- c:\windows\system32\drivers\atapi.sys
2009-12-20 16:11 . 2006-12-26 00:07 29928 -c--a-w- c:\documents and settings\Sephiroth\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-04 16:03 . 2008-06-20 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-31 23:02 . 2009-10-31 23:02 -------- d-----w- c:\program files\MSBuild
2009-10-31 23:01 . 2009-10-31 23:01 -------- d-----w- c:\program files\Reference Assemblies
2009-10-31 22:55 . 2009-10-31 22:55 -------- d-----w- c:\program files\MSXML 6.0
2009-10-29 07:46 . 2006-05-07 00:24 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2006-05-07 00:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2006-05-07 00:24 17408 ------w- c:\windows\system32\corpol.dll
2009-10-21 06:00 . 2006-05-07 00:24 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2006-05-07 00:24 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-04 06:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:53 . 2006-05-07 00:24 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2006-05-07 00:24 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2006-05-07 00:24 112128 ----a-w- c:\windows\system32\rastls.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-09-02 19:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-16 16:20 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
NA [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-04 01:43 69632 -c--a-w- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2008-11-20 18:06 178688 -c--a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
2007-10-05 02:38 307200 -c--a-w- c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-09-15 04:05 344064 -c--a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
2009-12-12 16:43 2043160 ----a-w- c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 19:00 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus NX400 Series]
2007-12-17 06:00 188928 -c--a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIEGA.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-06-16 14:03 221184 -c--a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-06-16 14:03 81920 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-05-27 17:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 06:42 212992 -c--a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2005-02-26 01:24 966656 -c--a-w- c:\windows\creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2005-01-12 10:01 32768 -c--a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-10-12 01:36 16267776 -c--a-w- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-17 01:04 2879488 -c--a-w- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2008-08-30 01:11 61440 -c--a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 12:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2004-11-22 15:18 307200 -c--a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"IDriverT"=3 (0x3)
"ATI Smart"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\WINDOWS\\system32\\ati2evxx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgcsrvx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgui.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\WINDOWS\\system32\\imapi.exe"=
"c:\\Documents and Settings\\Sephiroth\\Desktop\\procexp.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/20/2008 2:32 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/20/2008 2:32 PM 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/2/2008 7:21 AM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/2/2008 7:21 AM 297752]
S3 CEUSBAUD;DigiTech RP500 USB MIDI Driver;c:\windows\system32\drivers\ceusbaud.sys [9/19/2008 10:41 PM 17920]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [6/30/2006 8:44 PM 69692]
S3 L6PODX3LV;POD X3 Live Service;c:\windows\system32\drivers\L6PODX3LV.sys [11/17/2008 6:39 PM 530560]
S3 lgusbsmodem;LGE Mobile USB Modem;c:\windows\system32\DRIVERS\lgusbsmodem.sys --> c:\windows\system32\DRIVERS\lgusbsmodem.sys [?]
S3 XDva098;XDva098;\??\c:\windows\system32\XDva098.sys --> c:\windows\system32\XDva098.sys [?]
S3 XDva189;XDva189;\??\c:\windows\system32\XDva189.sys --> c:\windows\system32\XDva189.sys [?]
S3 XDva195;XDva195;\??\c:\windows\system32\XDva195.sys --> c:\windows\system32\XDva195.sys [?]
S3 XDva208;XDva208;\??\c:\windows\system32\XDva208.sys --> c:\windows\system32\XDva208.sys [?]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3516A
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
IE: &Search
FF - ProfilePath - c:\documents and settings\Sephiroth\Application Data\Mozilla\Firefox\Profiles\936nncv4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Search & Win
FF - prefs.js: browser.startup.homepage - hxxp://search.pch.com/?src=hp
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\documents and settings\Sephiroth\Application Data\Mozilla\Firefox\Profiles\936nncv4.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - .

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-26 10:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3676)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-12-26 10:52:14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-26 18:52
ComboFix2.txt 2009-12-26 04:03

Pre-Run: 99,880,632,320 bytes free
Post-Run: 99,845,115,904 bytes free

- - End Of File - - 0BE5F1E4521AB054B75179697C329E55


Malwarebytes' Anti-Malware 1.42
Database version: 3435
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

12/26/2009 11:15:55 AM
mbam-log-2009-12-26 (11-15-55).txt

Scan type: Quick Scan
Objects scanned: 130885
Time elapsed: 5 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mbt (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udfa (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mfa (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\Evilbleep.scr (Backdoor.Bot) -> Quarantined and deleted successfully.


BitDefender QuickScan Beta 32-bit v0.9.8.4
------------------------------------------

Scan date: Sat Dec 26 11:25:11 2009
Machine ID: 283DE6FA



No infection found.
---------------------


Processes
---------

<verified> AVG Scanning Core Module - Server Part 616 C:\Program Files\AVG\AVG8\avgcsrvx.exe
<verified> AVG E-Mail Scanner 2012 C:\Program Files\AVG\AVG8\avgemc.exe
<verified> AVG Network scanner Service 128 C:\Program Files\AVG\AVG8\avgnsx.exe
<verified> AVG Resident Shield Service 2044 C:\Program Files\AVG\AVG8\avgrsx.exe
<verified> AVG Watchdog Service 1668 C:\Program Files\AVG\AVG8\avgwdsvc.exe
<verified> ArcSoft Connect Service 1656 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
<verified> Java™ Quick Starter Service 1700 C:\Program Files\Java\jre6\bin\jqs.exe
<verified> Firefox 972 C:\Program Files\Mozilla Firefox\firefox.exe
<verified> Windows Explorer 1800 C:\WINDOWS\Explorer.EXE
<verified> Application Layer Gateway Service 1348 C:\WINDOWS\System32\alg.exe
<verified> ATI External Event Utility EXE Module 852 C:\WINDOWS\system32\Ati2evxx.exe
<verified> ATI External Event Utility EXE Module 1120 C:\WINDOWS\system32\Ati2evxx.exe
<verified> Client Server Runtime Process 612 C:\WINDOWS\system32\csrss.exe
<verified> LSA Shell (Export Version) 700 C:\WINDOWS\system32\lsass.exe
<verified> Services and Controller app 688 C:\WINDOWS\system32\services.exe
<verified> Windows NT Session Manager 556 C:\WINDOWS\System32\smss.exe
<verified> Spooler SubSystem App 1548 C:\WINDOWS\system32\spoolsv.exe
<verified> Generic Host Process for Win32 Services 872 C:\WINDOWS\system32\svchost.exe
<verified> Generic Host Process for Win32 Services 936 C:\WINDOWS\system32\svchost.exe
<verified> Generic Host Process for Win32 Services 1028 C:\WINDOWS\System32\svchost.exe
<verified> Generic Host Process for Win32 Services 1060 C:\WINDOWS\system32\svchost.exe
<verified> Generic Host Process for Win32 Services 1196 C:\WINDOWS\system32\svchost.exe
<verified> Generic Host Process for Win32 Services 1236 C:\WINDOWS\system32\svchost.exe
<verified> Generic Host Process for Win32 Services 1620 C:\WINDOWS\system32\svchost.exe
<verified> Generic Host Process for Win32 Services 1744 C:\WINDOWS\system32\svchost.exe
<verified> Windows NT Logon Application 644 C:\WINDOWS\system32\winlogon.exe
<verified> Windows Security Center Notification App 1216 C:\WINDOWS\system32\wscntfy.exe


Network activity
----------------
Process avgnsx.exe (128) connected on port 80 (HTTP) - gy-in-f113.1e100.net
Process avgnsx.exe (128) connected on port 80 (HTTP) - a96-17-44-20.deploy.akamaitechnologies.com
Process avgnsx.exe (128) connected on port 80 (HTTP) - gy-in-f99.1e100.net
Process avgnsx.exe (128) connected on port 80 (HTTP) - yx-in-f102.1e100.net

Process svchost.exe (936) listens on ports: 135 (RPC)


Autoruns and critical files
---------------------------
<unsigned> QuickTime Task C:\Program Files\QuickTime\qttask.exe

<verified> Apple Software Update C:\Program Files\Apple Software Update\SoftwareUpdate.exe
<verified> ATI External Event Utility DLL Module C:\WINDOWS\system32\ati2evxx.dll
<verified> AVG Resident Shield Starter C:\WINDOWS\system32\avgrsstx.dll
<verified> Shell Browser UI Library C:\WINDOWS\system32\browseui.dll
<verified> Crypto API32 C:\WINDOWS\system32\crypt32.dll
<verified> Crypto Network Related API C:\WINDOWS\system32\cryptnet.dll
<verified> Offline Network Agent C:\WINDOWS\system32\cscdll.dll
<verified> Windows Logon UI C:\WINDOWS\system32\logonui.exe
<verified> Secondary Logon Service Notification DLL C:\WINDOWS\system32\sclgntfy.dll
<verified> Windows Shell Common Dll C:\WINDOWS\system32\shell32.dll
<verified> Systray shell service object C:\WINDOWS\system32\stobject.dll
<verified> Userinit Logon Application c:\windows\system32\userinit.exe
<verified> Web Site Monitor C:\WINDOWS\system32\webcheck.dll
<verified> Common DLL to receive Winlogon notifications C:\WINDOWS\system32\wlnotify.dll
<verified> Windows Portable Device Shell Service Object C:\WINDOWS\system32\WPDShServiceObj.dll


Browser plugins
---------------
<unsigned> Adobe Acrobat Plug-In Version 7.00 for Netscape C:\Program Files\Internet Explorer\plugins\nppdf32.dll
<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Internet Explorer\plugins\npqtplugin.dll
<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Internet Explorer\plugins\npqtplugin2.dll
<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Internet Explorer\plugins\npqtplugin3.dll
<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Internet Explorer\plugins\npqtplugin4.dll
<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Internet Explorer\plugins\npqtplugin5.dll
<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Internet Explorer\plugins\npqtplugin6.dll
<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Internet Explorer\plugins\npqtplugin7.dll
<unsigned> Java™ Quick Starter binary c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
<unsigned> Adobe Shockwave for Director Netscape plug-in, ver C:\Program Files\Mozilla Firefox\plugins\np32dsw.dll
<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
<unsigned> npunagi2 C:\Program Files\Mozilla Firefox\plugins\npunagi2.dll
<unsigned> InstallShield Update Service Setup Player Module C:\WINDOWS\Downloaded Program Files\dwusplay.dll
<unsigned> InstallShield Update Service Setup Player C:\WINDOWS\Downloaded Program Files\dwusplay.exe
<unsigned> InstallShield Update Service Web Agent C:\WINDOWS\Downloaded Program Files\isusweb.dll
<unsigned> unagiuninst.exe C:\WINDOWS\Downloaded Program Files\unagiuninst.exe
<unsigned> Adobe Shockwave for Director Netscape plug-in, ver C:\WINDOWS\system32\Adobe\Director\np32dsw.dll
<unsigned> BAE.dll c:\windows\system32\bae.dll

<verified> Adobe Acrobat IE Helper Version 7.0 for ActiveX c:\program files\adobe\acrobat 7.0\activex\acroiehelper.dll
<verified> Safe Search for Internet Explorer c:\program files\avg\avg8\avgssie.dll
<verified> AVG Security Toolbar c:\program files\avg\avg8\toolbar\ietoolbar.dll
<verified> Java™ Platform SE binary c:\program files\java\jre6\bin\jp2ssv.dll
<verified> Windows Messenger C:\Program Files\Messenger\msmsgs.exe
<verified> 1.0.30109.0 c:\Program Files\Microsoft Silverlight\npctrl.1.0.30109.0.dll
<verified> NPRuntime Script Plug-in Library for Java™ Depl C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
<verified> Default Plug-in C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
<verified> Windows Presentation Foundation (WPF) plug-in for c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
<verified> Network Diagnostic for Windows XP C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
<verified> Internet Explorer C:\WINDOWS\system32\ieframe.dll
<verified> NPSWF32.dll C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
<verified> Microsoft Windows Sockets 2.0 Service Provider C:\WINDOWS\system32\mswsock.dll
<verified> Microsoft Windows Rsvp 1.0 Service Provider C:\WINDOWS\system32\rsvpsp.dll
<verified> LDAP RnR Provider DLL C:\WINDOWS\system32\winrnr.dll


Missing files
-------------
File not found: C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
referenced in: HKLM\System\CurrentControlSet\Services\PrismXL\"ImagePath"

File not found: C:\WINDOWS\System32\appmgmts.dll
referenced in: HKLM\System\CurrentControlSet\Services\AppMgmt\Parameters\"ServiceDll"

File not found: C:\WINDOWS\System32\hidserv.dll
referenced in: HKLM\System\CurrentControlSet\Services\HidServ\Parameters\"ServiceDll"

File not found: C:\WINDOWS\system32\XDva098.sys
referenced in: HKLM\System\CurrentControlSet\Services\XDva098\"ImagePath"

File not found: C:\WINDOWS\system32\XDva189.sys
referenced in: HKLM\System\CurrentControlSet\Services\XDva189\"ImagePath"

File not found: C:\WINDOWS\system32\XDva195.sys
referenced in: HKLM\System\CurrentControlSet\Services\XDva195\"ImagePath"

File not found: C:\WINDOWS\system32\XDva208.sys
referenced in: HKLM\System\CurrentControlSet\Services\XDva208\"ImagePath"

File not found: C:\thcbytes\catchme.sys
referenced in: HKLM\System\CurrentControlSet\Services\catchme\"ImagePath"

File not found: system32\DRIVERS\lgusbsmodem.sys
referenced in: HKLM\System\CurrentControlSet\Services\lgusbsmodem\"ImagePath"


Scan
----

No file uploaded.

Scan finished - communication took 8 sec
Total traffic - 0.04 MB sent, 2.40 KB recvd
Scanned 882 files and modules - 130 seconds


Safe mode now appears to work normally, my computer now hibernates normally, google and yahoo search redirects seem to have stopped. Netstat -a still closes immediately after opening, though when I initially tested it, it stayed open for several seconds before closing. I'm not really familiar with that program, but I get a feeling it's not supposed to do that. When I open firefox I get a warning saying that ff stopped the page from redirecting. When I go to yahoo's login page, I get a warning saying ff stopped the page from automatically reloading. Process Explorer still shows several mutant type files running in many of the processes, I'm not sure if that's normal or not. My desktop also isn't the same as it used to be. I normally have an image center screen over an orange background and the text under my icons is white. The image was gone and the icon text turned black. Now the image takes up the whole background, the icon text is still black but with an orange background only behind the text.

Oh and in my C:\ folder I've noticed a few unfamiliar items, mainly a folder named Qoobox and something called BOOT.bak as well as something called cmldr. I also have a Rundll32.txt and Yserver.txt. I think that's everything.

#10 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:29 PM

Posted 26 December 2009 - 04:38 PM

Well done. :(

When we are done with this computer let me give your other computer a look as well. One of the infections was a network virus. I would ask that you disconnect the other computer from the network now until we get this one clean. After this computer is clean then physically disconnect it so we can survey the other computer. We don't want them reinfecting each other!!!! Agreed?

==========

Safe mode now appears to work normally, my computer now hibernates normally, google and yahoo search redirects seem to have stopped.

Great!

Netstat -a still closes immediately after opening, though when I initially tested it, it stayed open for several seconds before closing. I'm not really familiar with that program, but I get a feeling it's not supposed to do that.


Let's look into that

When I open firefox I get a warning saying that ff stopped the page from redirecting.

Not good.

When I go to yahoo's login page, I get a warning saying ff stopped the page from automatically reloading. Process Explorer still shows several mutant type files running in many of the processes, I'm not sure if that's normal or not.

Like what?

My desktop also isn't the same as it used to be. I normally have an image center screen over an orange background and the text under my icons is white. The image was gone and the icon text turned black. Now the image takes up the whole background, the icon text is still black but with an orange background only behind the text.

Upload a screenshot please

Oh and in my C:\ folder I've noticed a few unfamiliar items, mainly a folder named Qoobox and something called BOOT.bak as well as something called cmldr. I also have a Rundll32.txt and Yserver.txt. I think that's everything.

My tools. :(

==========

* Go to start > Run copy/paste the contents of the code box excluding "code" in the run box and click OK.

cmd /c (ipconfig /all&nslookup google.com&ping -n 2 google.com&route print) >log.txt&log.txt&del log.txt

A command window opens. Wait until a log.txt file opens.

* Please copy/paste the log file in your reply.

==========

Update and re-run MBAM. Post a log

==========

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

==========

We need to run an OTL Custom Scan
  • Please reopen OTL on your desktop.
  • Choose "None"
  • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code"

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
  • Push Run Scan
  • A report will open. Copy and Paste that report in your next reply.
==========

With your next post please provide:

* Answer to questions
* Internet connection log
* MBAM log
* Gmer log
* OTL log

Kind regards,
~ t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/
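The diagnostic command above chains ipconfig /all, nslookup, ping and route print into one log so the helper can see which DNS servers the machine is really using, whether nslookup talks to one of them, and whether ping resolves the name to the same place. The following is an added example, not a BleepingComputer or OTL tool, that reads such a log and reports those three checks. The sample log is constructed from the values Averus posts in the next reply, trimmed to the lines the checks need; the regexes, key names and the "alert"/"review" severities are this example's own choices.

```python
"""Triage the output of
   cmd /c (ipconfig /all&nslookup google.com&ping -n 2 google.com&route print) >log.txt
Added example; the checks mirror what a helper reads first in such a log."""
import ipaddress
import re

# Constructed sample: values taken from the log posted in this thread, route print omitted.
SAMPLE_LOG = """\
Windows IP Configuration

Host Name . . . . . . . . . . . . : May_Chi

Ethernet adapter Wireless Network Connection:

Dhcp Enabled. . . . . . . . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.0.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 74.84.119.150
                                    97.64.180.153

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected

Server: sprdc-dns-ns1.mcomdc.com
Address: 74.84.119.150

Name: google.com
Addresses: 209.85.225.103, 209.85.225.106, 209.85.225.105, 209.85.225.104
209.85.225.147, 209.85.225.99

Pinging google.com [74.125.157.103] with 32 bytes of data:

Reply from 74.125.157.103: bytes=32 time=100ms TTL=52
Reply from 74.125.157.103: bytes=32 time=87ms TTL=52

Ping statistics for 74.125.157.103:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
"""

KEY_RE = re.compile(r"^([A-Za-z][A-Za-z -]*?)[ .]*:\s*(.*)$")   # "Key . . . : value"
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
CONT_RE = re.compile(r"^[\d., ]+$")                             # continuation line of addresses
PING_RE = re.compile(r"Pinging (\S+) \[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_log(text):
    """Flatten the log into {key: [values]}; a line holding only addresses is a
    continuation of the previous key (ipconfig lists extra DNS servers that way)."""
    fields, last_key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            last_key = None
            continue
        m = KEY_RE.match(line)
        if m:
            last_key = m.group(1).strip()
            fields.setdefault(last_key, []).append(m.group(2).strip())
        elif last_key and CONT_RE.match(line):
            fields[last_key].append(line)
    return fields


def ips(fields, key):
    """All IPv4 addresses recorded under a key, in order of appearance."""
    return IP_RE.findall(" ".join(fields.get(key, [])))


def triage(text):
    f = parse_log(text)
    dns = ips(f, "DNS Servers")
    gateway = ips(f, "Default Gateway")
    # nslookup prints the resolver under "Address:" first; a single-address answer
    # reuses "Address:", a multi-address answer uses "Addresses:".
    addr = ips(f, "Address")
    resolver = addr[0] if addr else None
    resolved = set(ips(f, "Addresses") + addr[1:])
    m = PING_RE.search(text)
    ping_ip = m.group(2) if m else None
    lost = re.search(r"Lost = (\d+)", " ".join(f.get("Packets", [])))

    findings = []
    for server in dns:
        try:
            public = not ipaddress.ip_address(server).is_private
        except ValueError:
            continue
        if public:  # normal for ISP resolvers, but each one should be recognised
            findings.append(("review", f"DNS server {server} is outside the LAN; "
                                       "confirm it belongs to your ISP or chosen provider"))
    if resolver and resolver not in dns:
        findings.append(("alert", f"nslookup answered from {resolver}, "
                                  "which is not a configured DNS server"))
    if ping_ip and resolved and ping_ip not in resolved:
        findings.append(("review", f"ping resolved the name to {ping_ip}, not an address "
                                   "nslookup returned; CDN round-robin is the usual benign "
                                   "cause, a hosts-file or cache entry is what to rule out"))
    if lost and int(lost.group(1)) > 0:
        findings.append(("alert", f"{lost.group(1)} ping(s) lost"))
    return {"dns_servers": dns, "gateway": gateway[0] if gateway else None,
            "resolver": resolver, "resolved": resolved,
            "ping_target": ping_ip, "findings": findings}


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG)["findings"]:
        print(f"[{severity}] {message}")
```

On the posted log this raises no alert: nslookup answered from the first configured DNS server, and no pings were lost. It does flag the two public DNS servers for confirmation and notes that ping used an address nslookup did not return, which for a CDN-hosted name is expected and only worth chasing if the hosts file or DNS cache turns out to be the source.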

#11 Averus

Averus
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:05:29 PM

Posted 27 December 2009 - 02:02 PM

Had to work late last night so I just got around to this but I finally got it done. I opened Process Explorer, clicked on Explorer.exe and took a screenshot of the mutant handles in question but it wouldn't upload, it kept saying the file was too big for the available space ( it's only 4k ). I couldn't simply copy and paste either, so I had to manually type them in here for you.

Type: Name:
Mutant \BaseNamedObjects\ExplorerIsShellMutex
Mutant \BaseNamedObjects\ShimCacheMutex
Mutant \BaseNamedObjects\ZonesCounterMutex
Mutant \BaseNamedObjects\ZoneAttributeCacheCounterMutex
Mutant \BaseNamedObjects\ZoneAttributeCacheCounterMutex
Mutant \BaseNamedObjects\ZonesCacheCounterMutex
Mutant \BaseNamedObjects\ZonesLockedCacheCounterMutex
Mutant \BaseNamedObjects\c:!documents and settings!sephiroth!local settings!temporary internet files!content.ie5!
Mutant \BaseNamedObjects\_MSFTHISTORY!_
Mutant \BaseNamedObjects\c:!documents and settings!sephiroth!cookies!
Mutant \BaseNamedObjects\c:!documents and settings!sephiroth!local settings!history!history.ie5!
Mutant \BaseNamedObjects\WininetStartupMutex
Mutant \BaseNamedObjects\WininetConnectionMutex
Mutant \BaseNamedObjects\WininetProxyRegistryMutex
Mutant \BaseNamedObjects\RasPbFile
Mutant \BaseNamedObjects\_SHuassist.mtx
Mutant \BaseNamedObjects\MidiMapper_Configure
Mutant \BaseNamedObjects\MidiMapper_modLongMessage_RefCnt
Mutant \BaseNamedObjects\CTF.LBES.MutexDefaultS-1-5-21-179983998-1733515309-3983988648-1007
Mutant \BaseNamedObjects\CTF.Compart.MutexDefaultS-1-5-21-179983998-1733515309-3983988648-1007
Mutant \BaseNamedObjects\CTF.Asm.MutexDefaultS-1-5-21-179983998-1733515309-3983988648-1007
Mutant \BaseNamedObjects\CTF.Layouts.MutexDefaultS-1-5-21-179983998-1733515309-3983988648-1007
Mutant \BaseNamedObjects\CTF.TMD.MutexDefaultS-1-5-21-179983998-1733515309-3983988648-1007
Mutant \BaseNamedObjects\c:!documents and settings!sephiroth!local settings!history!history.ie5!mshist012009122720091228!
Mutant \BaseNamedObjects\_!SHMSFTHISTORY!_

That's all of the ones found in Explorer.exe. I'm not sure if they are supposed to be there or not, but the term "mutant" aroused my suspicion so I thought I'd ask.

Unfortunately I can't get it to let me upload my desktop screenshot either. I made it smaller but it still won't let me upload and the file size should be well within the amount of space I have left. Anyway, I guess I'll post the logs now.


Windows IP Configuration

Host Name . . . . . . . . . . . . : May_Chi
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Linksys Wireless-G PCI Adapter
Physical Address. . . . . . . . . : 00-16-B6-58-9F-20
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.0.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 74.84.119.150
                                    97.64.180.153
Lease Obtained. . . . . . . . . . : Saturday, December 26, 2009 2:08:46 PM
Lease Expires . . . . . . . . . . : Saturday, December 26, 2009 3:08:46 PM

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-19-21-5D-5E-CA

Server: sprdc-dns-ns1.mcomdc.com
Address: 74.84.119.150

Name: google.com
Addresses: 209.85.225.103, 209.85.225.106, 209.85.225.105, 209.85.225.104
           209.85.225.147, 209.85.225.99

Pinging google.com [74.125.157.103] with 32 bytes of data:

Reply from 74.125.157.103: bytes=32 time=100ms TTL=52
Reply from 74.125.157.103: bytes=32 time=87ms TTL=52

Ping statistics for 74.125.157.103:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 87ms, Maximum = 100ms, Average = 93ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 16 b6 58 9f 20 ...... Linksys Wireless-G PCI Adapter - Packet Scheduler Miniport
0x3 ...00 19 21 5d 5e ca ...... Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.10      25
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0    255.255.255.0     192.168.0.10    192.168.0.10      25
     192.168.0.10  255.255.255.255        127.0.0.1       127.0.0.1      25
    192.168.0.255  255.255.255.255     192.168.0.10    192.168.0.10      25
        224.0.0.0        240.0.0.0     192.168.0.10    192.168.0.10      25
  255.255.255.255  255.255.255.255     192.168.0.10               3       1
  255.255.255.255  255.255.255.255     192.168.0.10    192.168.0.10       1
Default Gateway:       192.168.0.1
===========================================================================
Persistent Routes:
None


Malwarebytes' Anti-Malware 1.42
Database version: 3439
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

12/27/2009 8:42:45 AM
mbam-log-2009-12-27 (08-42-45).txt

Scan type: Quick Scan
Objects scanned: 130932
Time elapsed: 4 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-27 09:34:04
Windows 5.1.2600 Service Pack 2
Running: v57071b1.exe; Driver: C:\DOCUME~1\SEPHIR~1\LOCALS~1\Temp\pwtdypob.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF680F000, 0x1B85E6, 0xE8000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


OTL logfile created on: 12/27/2009 9:52:07 AM - Run 2
OTL by OldTimer - Version 3.1.20.1 Folder = C:\Documents and Settings\Sephiroth\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

383.00 Mb Total Physical Memory | 133.00 Mb Available Physical Memory | 35.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 2048 4096 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 107.34 Gb Total Space | 93.17 Gb Free Space | 86.80% Space Free | Partition Type: NTFS
Drive D: | 4.44 Gb Total Space | 2.59 Gb Free Space | 58.26% Space Free | Partition Type: FAT32
Unable to calculate disk information.
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MAY_CHI
Current User Name: Sephiroth
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2006/05/06 16:37:54 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

MsConfig - Services: "WMPNetworkSvc"
MsConfig - Services: "IDriverT"
MsConfig - Services: "ATI Smart"
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk - C:\PROGRA~1\BigFix\bigfix.exe - File not found
MsConfig - StartUpReg: Alcmtr - hkey= - key= - C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
MsConfig - StartUpReg: ArcSoft Connection Service - hkey= - key= - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
MsConfig - StartUpReg: ATICustomerCare - hkey= - key= - C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe (Advanced Micro Devices, Inc.)
MsConfig - StartUpReg: ATIPTA - hkey= - key= - C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (ATI Technologies, Inc.)
MsConfig - StartUpReg: AVG8_TRAY - hkey= - key= - C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
MsConfig - StartUpReg: ctfmon.exe - hkey= - key= - File not found
MsConfig - StartUpReg: EPSON Stylus NX400 Series - hkey= - key= - File not found
MsConfig - StartUpReg: ISUSPM Startup - hkey= - key= - C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
MsConfig - StartUpReg: ISUSScheduler - hkey= - key= - C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
MsConfig - StartUpReg: MSMSGS - hkey= - key= - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
MsConfig - StartUpReg: Power2GoExpress - hkey= - key= - File not found
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
MsConfig - StartUpReg: Recguard - hkey= - key= - C:\WINDOWS\SMINST\Recguard.exe ()
MsConfig - StartUpReg: Reminder - hkey= - key= - C:\WINDOWS\creator\Remind_XP.exe (SoftThinks)
MsConfig - StartUpReg: RemoteControl - hkey= - key= - C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (Cyberlink Corp.)
MsConfig - StartUpReg: RTHDCPL - hkey= - key= - C:\WINDOWS\RTHDCPL.exe (Realtek Semiconductor Corp.)
MsConfig - StartUpReg: SkyTel - hkey= - key= - C:\WINDOWS\SkyTel.exe (Realtek Semiconductor Corp.)
MsConfig - StartUpReg: StartCCC - hkey= - key= - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
MsConfig - StartUpReg: SunJavaUpdateSched - hkey= - key= - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
MsConfig - StartUpReg: updateMgr - hkey= - key= - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe (Adobe Systems Incorporated)
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 2
MsConfig - State: "startup" - 1

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {1a3e09be-1e45-494b-9174-d7385b45bbf5} - Reg Error: Value error.
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {1325db73-d9f1-48f8-8895-6d814ec58889} - Security Update for Windows XP (KB913433)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {233C1507-6A77-46A4-9443-F871F945D258} - Adobe Shockwave Director 11.0.3
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Adobe Shockwave Director 11.0.3
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.7
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
ActiveX: {B508B3F1-A24A-32C0-B310-85786919EF28} - .NET Framework
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {DAA94A2A-2A8D-4D3B-9DB8-56FBECED082D} - Microsoft .NET Framework 1.1 Security Update (KB953297)
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.clmp3enc - C:\Program Files\CyberLink\Power2Go\CLMP3Enc.ACM (CyberLink Corp.)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (53483750268338176)

========== Custom Scans ==========


< %ALLUSERSPROFILE%\Application Data\*. >
[2006/10/26 20:03:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2009/08/28 15:06:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AOL
[2008/06/15 16:18:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AOL Downloads
[2007/06/24 18:27:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AOL OCP
[2008/08/23 07:38:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple
[2008/06/16 18:02:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2009/09/06 17:33:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ArcSoft
[2009/01/29 20:12:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ATI
[2009/07/18 11:41:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2009/12/04 08:03:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg8
[2006/12/25 16:44:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CyberLink
[2008/09/19 11:03:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EPSON
[2008/09/09 20:31:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Google
[2006/12/28 13:56:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InstallShield
[2008/11/17 19:05:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Line 6
[2008/03/30 21:11:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2008/03/27 09:58:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2007/02/13 07:56:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\McAfee.com
[2008/03/27 13:25:35 | 00,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2007/12/03 17:54:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\n7-89-o9-3r-4t-r9
[2006/10/26 20:03:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
[2008/08/12 10:28:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Outspark
[2007/12/08 09:35:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PlayFirst
[2006/06/30 18:56:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Prism Deploy
[2006/10/26 20:05:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pure Networks
[2007/02/05 19:40:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\QuickTime
[2008/03/27 09:54:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
[2008/06/10 21:53:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sony
[2008/03/25 15:03:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2008/03/17 07:31:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Trymedia
[2009/12/26 08:15:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2006/12/25 16:08:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WildTangent
[2007/09/08 10:45:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2007/01/08 05:42:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Yahoo!
[2008/09/19 22:42:02 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{19E3ECD3-BDEB-4ACA-8EE2-B67A915773A3}

< %ALLUSERSPROFILE%\Application Data\*.exe /s >
[2008/06/23 10:56:20 | 02,374,637 | ---- | M] (DigiTech ) -- C:\Documents and Settings\All Users\Application Data\{19E3ECD3-BDEB-4ACA-8EE2-B67A915773A3}\rp500driverinstaller.exe
[2008/06/15 16:18:41 | 01,144,808 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\aimtunes\AIMTunes.exe
[2007/06/24 18:21:40 | 01,272,304 | ---- | M] (AOL LLC) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\AIMinst.exe
[2007/06/24 18:25:23 | 00,481,432 | ---- | M] (AOL LLC) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\AIMLang.exe
[2007/06/24 18:22:18 | 00,141,944 | ---- | M] (AOL LLC) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\alsetup.exe
[2007/06/24 18:22:23 | 00,120,368 | ---- | M] (AOL LLC) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\aoldlmgr.exe
[2007/06/24 18:22:35 | 00,228,912 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\migrator.exe
[2007/06/24 18:25:04 | 05,312,840 | ---- | M] (AOL LLC) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\ocpinst.exe
[2007/06/24 18:22:11 | 00,035,888 | ---- | M] (AOL LLC.) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\postproc.exe
[2007/06/24 18:22:14 | 00,169,520 | ---- | M] (AOL LLC.) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe
[2007/06/24 18:25:10 | 00,357,776 | ---- | M] (AOL LLC) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\tbsetup.exe
[2007/06/24 18:25:16 | 00,376,568 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\unagi3.exe
[2007/06/24 18:26:10 | 03,858,056 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\Vwpt.exe
[2008/02/08 21:29:10 | 01,178,096 | ---- | M] (AOL LLC) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\AIMinst.exe
[2008/02/08 21:29:49 | 00,560,784 | ---- | M] (AOL LLC) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\AIMLang.exe
[2008/02/08 21:29:21 | 00,141,944 | ---- | M] (AOL LLC) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\alsetup.exe
[2008/02/08 21:30:00 | 00,631,624 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\ampx.exe
[2008/02/08 21:29:18 | 00,164,912 | ---- | M] (AOL LLC.) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\inst.exe
[2008/02/08 21:29:53 | 00,055,200 | ---- | M] (AOL LLC.) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\instopts.exe
[2008/02/08 21:28:58 | 00,228,912 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\migrator.exe
[2008/02/08 21:29:25 | 00,579,248 | ---- | M] (AOL LLC.) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\muinst.exe
[2008/02/08 21:29:41 | 05,358,864 | ---- | M] (AOL LLC) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\ocpinst.exe
[2008/02/08 21:29:56 | 00,035,888 | ---- | M] (AOL LLC.) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\postproc.exe
[2008/02/08 21:29:47 | 00,312,880 | ---- | M] (AOL LLC) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\setup.exe
[2008/02/08 21:29:43 | 00,357,776 | ---- | M] (AOL LLC) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\tbsetup.exe
[2008/02/08 21:29:14 | 01,082,064 | ---- | M] (AOL) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\toolbar.exe
[2008/02/08 21:29:51 | 00,409,640 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\vwpt.exe
[2009/11/25 08:55:52 | 02,029,336 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\All Users\Application Data\avg8\update\backup\avgtray.exe
[2009/11/25 08:55:54 | 03,514,648 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\All Users\Application Data\avg8\update\backup\avgui.exe
[2007/01/10 20:02:00 | 00,113,664 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
[2007/12/16 20:00:00 | 00,143,872 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
[2007/02/10 10:45:49 | 00,000,161 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\WildTangent\Gateway Game Console\Downloads\Installers\SetupGamesClient.exe_filedata
[2007/02/10 10:45:51 | 00,327,675 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\WildTangent\Gateway Game Console\Downloads\Installers\SetupGamesClient.exe_cache

< %APPDATA%\*. >
[2008/04/01 15:29:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\Adobe
[2007/04/22 18:38:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\AdobeUM
[2009/08/28 15:06:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\Aim
[2007/01/04 15:05:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\Anvil Studio
[2008/05/27 19:42:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\Apple Computer
[2009/09/06 17:33:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\Arcsoft
[2009/01/29 20:12:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\ATI
[2008/03/22 13:07:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\Aveyond II
[2009/06/17 16:23:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\AVGTOOLBAR
[2009/08/28 15:07:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\BitZipper
[2009/08/28 15:22:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\Creative
[2006/12/25 16:44:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\CyberLink
[2006/12/28 23:21:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\Google
[2006/12/29 23:48:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\Help
[2006/05/06 16:42:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\Identities
[2008/09/15 12:30:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\InstallShield
[2008/09/15 12:45:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\Leadertech
[2007/12/02 19:02:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\Macromedia
[2008/03/30 21:11:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\Malwarebytes
[2009/12/24 13:06:07 | 00,000,000 | --SD | M] -- C:\Documents and Settings\Sephiroth\Application Data\Microsoft
[2008/11/25 20:27:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\Mozilla
[2008/02/23 21:49:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\MySpace
[2007/11/01 15:52:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\Opera
[2007/12/02 19:02:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\PlayFirst
[2009/12/26 11:27:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\QuickScan
[2006/10/26 20:12:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\SampleView
[2009/08/28 15:19:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\Sony
[2006/12/27 16:37:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\Sun
[2008/05/15 14:20:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\Talkback
[2007/09/02 21:17:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\Template
[2006/12/25 16:08:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\WildTangent
[2006/10/26 20:06:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sephiroth\Application Data\You've Got Pictures Screensaver

< %APPDATA%\*.exe /s >
[2007/04/22 09:28:00 | 21,277,080 | ---- | M] ( ) -- C:\Documents and Settings\Sephiroth\Application Data\Adobe\Acrobat\7.0\Updater\AdbeRdr709_en_US.exe
[2006/10/26 20:06:42 | 00,010,134 | R--- | M] () -- C:\Documents and Settings\Sephiroth\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\ARPPRODUCTICON.exe
[2006/10/26 20:06:42 | 00,045,056 | R--- | M] (InstallShield Software Corp.) -- C:\Documents and Settings\Sephiroth\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
[2006/10/26 20:06:42 | 00,045,056 | R--- | M] (InstallShield Software Corp.) -- C:\Documents and Settings\Sephiroth\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE
[2006/10/26 20:06:42 | 00,049,152 | R--- | M] (InstallShield Software Corp.) -- C:\Documents and Settings\Sephiroth\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut3_15377C3E9655400FB441E69F0A6BEAFE.EXE
[2006/12/28 13:56:51 | 00,010,134 | R--- | M] () -- C:\Documents and Settings\Sephiroth\Application Data\Microsoft\Installer\{6F45C51F-A0E8-4547-83C8-CCDD4B0E4877}\ARPPRODUCTICON.exe
[2006/12/28 13:56:51 | 00,065,536 | R--- | M] (InstallShield Software Corp.) -- C:\Documents and Settings\Sephiroth\Application Data\Microsoft\Installer\{6F45C51F-A0E8-4547-83C8-CCDD4B0E4877}\RPG_Maker_XP.exe_6F45C51FA0E8454783C8CCDD4B0E4877.exe
[2008/02/23 21:48:14 | 06,428,624 | ---- | M] (MySpace Inc.) -- C:\Documents and Settings\Sephiroth\Application Data\MySpace\IM\Install\MSIMClientSetup.1.0.754.0-static.exe

< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/04/13 10:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\agp440.sys
[2004/08/04 05:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\ERDNT\cache\AGP440.SYS
[2004/08/04 05:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\dllcache\agp440.sys
[2004/08/04 05:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\drivers\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2008/04/13 10:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys
[2009/12/23 23:21:36 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2009/12/23 23:21:36 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2009/12/23 23:21:36 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 16:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll
[2004/08/04 11:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2004/08/04 11:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 16:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\netlogon.dll
[2009/02/06 10:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 10:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/04 11:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2004/08/04 11:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 11:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2004/08/04 11:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll
[2008/04/13 16:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\scecli.dll

< %systemroot%\*. /mp /s >

========== Alternate Data Streams ==========

@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3AB8D21A
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A11F741D
< End of report >
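
The "< MD5 for: ... >" blocks above list every copy OTL found of a handful of core system files, with a hash for each. What a responder wants from them is the answer to one question: does the copy Windows actually loads match a hash you trust, and how many different versions of the file are on disk? The script below is an added example, not part of the thread and not OTL's own code. It parses those blocks (the sample lines are copied from the report above) and checks each file's live copy against a hypothetical allow-list, KNOWN_GOOD, which you would populate from a clean reference machine or the vendor's catalog rather than from the values shown here.

```python
"""Parse the '< MD5 for: NAME >' blocks of an OTL report and compare each file's
live copy against a caller-supplied set of known-good hashes.

Added example: not part of the thread and not OTL's own code. SAMPLE_REPORT is
copied from the report above; KNOWN_GOOD is a hypothetical allow-list standing
in for hashes taken from a clean reference machine or the vendor's catalog.
"""
import re
from collections import defaultdict

# [2004/08/04 05:07:42 | 00,042,368 | ---- | M] (Vendor) MD5=<32 hex> -- C:\path\file
FILE_LINE = re.compile(
    r"^\[(?P<mtime>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| [^\]]*\] "
    r"\((?P<vendor>[^)]*)\) MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>.+)$"
)
SECTION_HDR = re.compile(r"^< MD5 for: (?P<name>.+?) >$")

# Directories whose copy is the one Windows loads; dllcache, ERDNT and
# SoftwareDistribution hold backups or pending updates, not the live binary.
LIVE_DIRS = {r"c:\windows\system32", r"c:\windows\system32\drivers"}

SAMPLE_REPORT = r"""
< MD5 for: AGP440.SYS >
[2008/04/13 10:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\agp440.sys
[2004/08/04 05:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\ERDNT\cache\AGP440.SYS
[2004/08/04 05:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\dllcache\agp440.sys
[2004/08/04 05:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\drivers\AGP440.SYS
< MD5 for: ATAPI.SYS >
[2008/04/13 10:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys
[2009/12/23 23:21:36 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2009/12/23 23:21:36 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2009/12/23 23:21:36 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys
< MD5 for: EVENTLOG.DLL >
[2008/04/13 16:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll
[2004/08/04 11:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2004/08/04 11:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll
"""

# Hypothetical allow-list (see docstring): just enough entries to show both an
# 'ok' and an 'UNEXPECTED_HASH' outcome.
KNOWN_GOOD = {
    "AGP440.SYS": {"2C428FA0C3E3A01ED93C9B2A27D8D4BB", "08FD04AA961BDC77FB983F328334E3D7"},
    "ATAPI.SYS": {"9F3A2F5AA6875C72BF062C712CFA2674"},
    "EVENTLOG.DLL": {"82B24CB70E5944E6E34662205A2A5B78", "6D4FEB43EE538FC5428CC7F0565AA656"},
}


def parse_md5_sections(text):
    """Return {FILE NAME: [entry, ...]}; each entry has mtime, size, vendor, md5, path."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        hdr = SECTION_HDR.match(line)
        if hdr:
            current = hdr.group("name").upper()
            sections[current] = []
            continue
        m = FILE_LINE.match(line)
        if m and current is not None:
            entry = m.groupdict()
            entry["size"] = int(entry["size"].replace(",", ""))
            entry["md5"] = entry["md5"].upper()
            sections[current].append(entry)
    return sections


def hash_variants(entries):
    """Group the copies of one file by MD5: {md5: [path, ...]}."""
    variants = defaultdict(list)
    for e in entries:
        variants[e["md5"]].append(e["path"])
    return dict(variants)


def live_copies(entries):
    """Copies that sit directly in one of LIVE_DIRS (not dllcache or a backup dir)."""
    return [e for e in entries if e["path"].lower().rsplit("\\", 1)[0] in LIVE_DIRS]


def audit(text, known_good):
    """Classify each file's live copy: {NAME: (status, live_md5, variants)}.

    status is 'ok' (live hash is in known_good[NAME]), 'UNEXPECTED_HASH'
    (it is not) or 'NO_LIVE_COPY' (the report shows no copy in a live dir).
    """
    report = {}
    for name, entries in parse_md5_sections(text).items():
        variants = hash_variants(entries)
        live = live_copies(entries)
        if not live:
            report[name] = ("NO_LIVE_COPY", None, variants)
            continue
        md5 = live[0]["md5"]
        status = "ok" if md5 in known_good.get(name, set()) else "UNEXPECTED_HASH"
        report[name] = (status, md5, variants)
    return report


if __name__ == "__main__":
    for name, (status, md5, variants) in audit(SAMPLE_REPORT, KNOWN_GOOD).items():
        print(f"{name:13} {status:15} live={md5} distinct_hashes={len(variants)}")
```

Two signals come out of this without any network access: the number of distinct hashes per file (a live copy that disagrees with every cached copy, or cached copies that all agree with a live copy of a different date than the update cache, both deserve a look) and whether the live hash is one you have independently verified. The allow-list is the part that has to come from outside the infected machine; the report alone cannot certify itself.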

#12 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:29 PM

Posted 27 December 2009 - 03:14 PM

Hello,

Actually looking very good. :(

This familiar?
http://www.ip-adress.com/map/Map_of_Fisher...226eee2e36ec369

==========

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 17.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

==========

* Click Start > Run, type chkdsk /f and then click OK.
  o Note the space between the k and the /

* Allow the scan to run and when completed, reboot the system. It may not run until you reboot!

==========

* Click Start > Run, type sfc /scannow and then click OK.
  o Note the space between the c and the /
* You may need your Windows XP CD so have it ready.
  o If you have Service Pack 2 (SP2) or SP3 installed, you will need the SP2 or SP3 version of the CD.

This can be done with a borrowed CD, if you don't have one.

* Allow the scan to run and when completed, reboot the system.

==========

With your next post please provide:

* Answer to question
* Did sfc prompt you for the install disc?
* How is the computer running?

Kind regards,
~ t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#13 Averus

Averus
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:05:29 PM

Posted 27 December 2009 - 04:17 PM

When I try to run chkdsk /f a DOS box opens up with a message:

The type of the file system is NTFS. Cannot lock current drive.

Chkdsk cannot run because the volume is in use by another process. Would you like to schedule this volume to be checked the next time the system restarts?(Y/N)

Is this normal? Should I enter "yes" and then restart to let it run and restart it again when it's finished?

Oh, and while I'm at it, no, the location at that link doesn't look familiar. My ISP IS Mediacom, but unless their main office is in Illinois I'm not familiar with that location, I live in California.

Also, I don't have a Windows disk. I'm checking with all my friends, but I don't think any of them have one either. If that is indeed the case, what can I do if I need the disk?

Edited by Averus, 27 December 2009 - 06:39 PM.


#14 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:29 PM

Posted 27 December 2009 - 09:59 PM

Hello,

When I try to run chkdsk /f a DOS box opens up with a message:
The type of the file system is NTFS. Cannot lock current drive.
Chkdsk cannot run because the volume is in use by another process. Would you like to schedule this volume to be checked the next time the system restarts?(Y/N)
Is this normal? Should I enter "yes" and then restart to let it run and restart it again when it's finished?

Normal! Choose yes and reboot.

Oh, and while I'm at it, no, the location at that link doesn't look familiar. My ISP IS Mediacom, but unless their main office is in Illinois I'm not familiar with that location, I live in California.

I will fix it. See below.

Also, I don't have a Windows disk. I'm checking with all my friends, but I don't think any of them have one either. If that is indeed the case, what can I do if I need the disk?

You can go ahead and run sfc. It might not require the install disc. If it does prompt you for the install disc you have many options. Just choose cancel and I will guide you. If you can borrow a disc that would be opportune but not an absolute necessity. You only need the disc. Not the product id.

==========

Do this also.........

Reset TCP/IP Properties

First:

* Go to Start -> Control Panel -> Double click on Network Connections.
* Right click on your default connection (usually Local Area Connection or Wireless Network Connection) and select Properties.

* Select the General tab.
* Double click on Internet Protocol (TCP/IP).

Under General tab:

- Select "Obtain an IP address automatically".
- Select "Obtain DNS server address automatically".

* Click OK twice to save the settings.
* Reboot if you had to change any setting.

Next:

* Go to Start > Run, copy/paste the contents of the code box (excluding "code") into the Run box and click OK.

cmd /c (ipconfig /all&nslookup google.com&ping -n 2 google.com&route print) >log.txt&log.txt&del log.txt
A command window opens. Wait until a log.txt file opens.

* Please copy/paste the log file in your reply.


Thanks,
~ t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/
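
The bundle of commands given for the Run box above collects the three things a helper uses to tell whether name resolution or routing has been hijacked: the resolvers each adapter is configured with, the resolver nslookup actually got its answer from, and the routing table. The script below is an added example (not part of the thread, and not a tool the helper used) that reads such a log and reports the mismatches a responder looks for. SAMPLE is constructed to mirror the log format, TAMPERED is a constructed variant in which TEST-NET addresses (203.0.113.0/24) stand in for bad values, and TRUSTED_RESOLVERS is an assumption you would replace with your ISP's or your own resolver addresses.

```python
"""Audit the output of 'ipconfig /all', 'nslookup' and 'route print' for a
resolver or default route that the network was not supposed to have.

Added example, not from the thread. SAMPLE/TAMPERED are constructed inputs
and TRUSTED_RESOLVERS is an assumed allow-list; replace it with your own.
"""
import re

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

SAMPLE = """
Windows IP Configuration

Host Name . . . . . . . . . . . . : EXAMPLE-PC

Ethernet adapter Wireless Network Connection:

Dhcp Enabled. . . . . . . . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.0.10
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 74.84.119.150
97.64.180.153

Server: resolver.example.net
Address: 74.84.119.150

Name: google.com
Addresses: 209.85.225.104

Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.10 25
192.168.0.0 255.255.255.0 192.168.0.10 192.168.0.10 25
Default Gateway: 192.168.0.1
Persistent Routes:
None
"""

# Assumed: the resolvers this network is supposed to use.
TRUSTED_RESOLVERS = frozenset({"74.84.119.150", "97.64.180.153"})

# Constructed tampered variant: a rogue secondary resolver, an nslookup answered
# by a server no adapter is configured for, and a second default route.
TAMPERED = (SAMPLE
            .replace("97.64.180.153", "203.0.113.53")
            .replace("Address: 74.84.119.150", "Address: 203.0.113.54")
            .replace("Default Gateway: 192.168.0.1",
                     "0.0.0.0 0.0.0.0 203.0.113.1 192.168.0.10 1\nDefault Gateway: 192.168.0.1"))


def parse_ipconfig(text):
    """Per-adapter settings: {adapter: {'dns': [...], 'default gateway': ..., ...}}."""
    adapters, cur, in_dns = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":") and "adapter" in line:
            cur = adapters.setdefault(line.rstrip(":"), {"dns": []})
        elif cur is None or not line:
            continue
        elif " . " in line and ":" in line:            # "Field . . . : value"
            key, _, value = line.partition(":")
            key, value = key.replace(".", "").strip().lower(), value.strip()
            in_dns = key == "dns servers"
            if in_dns:
                cur["dns"] = IPV4.findall(value)
            else:
                cur[key] = value
        elif in_dns and IPV4.fullmatch(line):           # continuation of the DNS list
            cur["dns"].append(line)
    return adapters


def nslookup_server(text):
    """Resolver nslookup actually used: the 'Address:' line right after 'Server:'."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    for prev, cur in zip(lines, lines[1:]):
        if prev.startswith("Server:") and cur.startswith("Address:"):
            m = IPV4.search(cur)
            return m.group(1) if m else None
    return None


def parse_routes(text):
    """Rows of the 'Active Routes' table as (dest, mask, gateway, iface, metric)."""
    rows, active = [], False
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("Active Routes"):
            active = True
        elif line.startswith("Default Gateway:") or line.startswith("Persistent"):
            active = False
        elif active and len(parts) == 5 and IPV4.fullmatch(parts[0]):
            rows.append(tuple(parts))
    return rows


def audit(text, trusted_dns=frozenset()):
    """Return human-readable findings; an empty list means nothing stood out."""
    findings, adapters = [], parse_ipconfig(text)
    configured = {d for a in adapters.values() for d in a["dns"]}
    gateways = {a.get("default gateway") for a in adapters.values()}
    for name, a in adapters.items():
        for dns in a["dns"]:
            if trusted_dns and dns not in trusted_dns:
                findings.append(f"{name}: resolver {dns} is not a trusted resolver")
    used = nslookup_server(text)
    if used and used not in configured:
        findings.append(f"nslookup was answered by {used}, which no adapter is configured to use")
    for dest, _mask, gw, _iface, _metric in parse_routes(text):
        if dest == "0.0.0.0" and gw not in gateways:
            findings.append(f"extra default route via {gw}, not an adapter's default gateway")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else TAMPERED
    print("\n".join(audit(text, TRUSTED_RESOLVERS) or ["no findings"]))
```

Save the log.txt that the one-liner opens and run the script with that path as its only argument; with no argument it audits the constructed tampered sample. The nslookup check is the one worth keeping in mind: a resolver that answers queries but does not appear in any adapter's configuration means something between the stack and the wire (a filter driver, a hosts-level hook, a proxy) is intercepting DNS, which ipconfig alone will not show.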

#15 Averus

Averus
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:05:29 PM

Posted 28 December 2009 - 01:04 AM

The sfc /scannow worked just fine, it didn't ask for a disk. A little window appeared saying it was checking to see if protected files were still intact and it had a little progress bar. When the bar filled up the window closed.

My computer's performance doesn't seem to have changed any since you last asked me. All of the obvious issues are gone, but netstat -a still doesn't stay open, and when I open Firefox it still tries to redirect me (though it never actually does redirect me). Nothing I would normally even notice if it weren't for the infections I've found thus far. I didn't even know about the netstat -a command until I happened across it in a file on this site a few days ago. Anyway, I followed all of your instructions; the internet settings you wanted me to change to were already set that way. Here is the log you requested:


Windows IP Configuration

Host Name . . . . . . . . . . . . : May_Chi
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Linksys Wireless-G PCI Adapter
Physical Address. . . . . . . . . : 00-16-B6-58-9F-20
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.0.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 74.84.119.150
                                    97.64.180.153
Lease Obtained. . . . . . . . . . : Sunday, December 27, 2009 9:47:40 PM
Lease Expires . . . . . . . . . . : Sunday, December 27, 2009 10:47:40 PM

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-19-21-5D-5E-CA

Server: sprdc-dns-ns1.mcomdc.com
Address: 74.84.119.150

Name: google.com
Addresses: 209.85.225.105, 209.85.225.104, 209.85.225.106, 209.85.225.147
           209.85.225.103, 209.85.225.99

Pinging google.com [209.85.225.104] with 32 bytes of data:

Reply from 209.85.225.104: bytes=32 time=100ms TTL=48
Reply from 209.85.225.104: bytes=32 time=91ms TTL=48

Ping statistics for 209.85.225.104:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 91ms, Maximum = 100ms, Average = 95ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 16 b6 58 9f 20 ...... Linksys Wireless-G PCI Adapter - Packet Scheduler Miniport
0x20003 ...00 19 21 5d 5e ca ...... Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.10      25
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0    255.255.255.0     192.168.0.10    192.168.0.10      25
     192.168.0.10  255.255.255.255        127.0.0.1       127.0.0.1      25
    192.168.0.255  255.255.255.255     192.168.0.10    192.168.0.10      25
        224.0.0.0        240.0.0.0     192.168.0.10    192.168.0.10      25
  255.255.255.255  255.255.255.255     192.168.0.10           20003       1
  255.255.255.255  255.255.255.255     192.168.0.10    192.168.0.10       1
Default Gateway:       192.168.0.1
===========================================================================
Persistent Routes:
  None



