
Infected patched ws_32 security tool etc! help please!


  • This topic is locked
49 replies to this topic

#1 AlTyke

  • Members
  • 27 posts

Posted 30 December 2009 - 09:17 AM

First of all, Hello! and thank you in advance for any help you can give me.
AVG pops up all the time saying the following:-
Object name C:WINDOWS\system32\ws2_32.dll
Detection name Virus found Win32/Patchced
object type file
SDK type Core
result Object is white listed critical file should not be removed.
I get redirects in Firefox and IE; in Task Manager strange things happen: I get multiple versions of all kinds of processes that run my CPU at 100%. I get error messages and systems closing all the time, most of which I've never heard of, and yesterday it rebooted itself, only to open with the whole computer locked up and a 'security tool' thing asking me to go online to buy a cure! I managed to eventually get some control back, downloaded Malwarebytes which found 55 problems; it can fix them, but at least 3 come back after reboots, and even as I type they will be mounting up again.

Here's the DDS.txt report:


DDS (Ver_09-12-01.01) - FAT32x86
Run by AL at 13:47:40.43 on 30/12/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1535.708 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\svchost.exe -k bthsvcs
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\Lower Case Switcher\LowerCaseSW.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wexe.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\AL\Desktop\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/webhp?rls=ig
mDefault_Page_URL = hxxp://www.google.com/
mDefault_Search_URL = hxxp://www.google.com/
mStart Page = hxxp://www.google.com/
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\msonhl32.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: PCTools Browser Monitor: {b56a7d7d-6927-48c8-a975-17df180c71ac} - c:\progra~1\spywar~1\tools\iesdpb.dll
TB: {ACB1E670-3217-45C4-A021-6B829A8A27CB} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Tweak-XP]
uRun: [STManager] "c:\program files\speedtouch\dr speedtouch\drst.exe" -b
uRun: [LowerCaseSwitcher] "c:\program files\lower case switcher\LowerCaseSW.exe"
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Gadwin PrintScreen] c:\program files\gadwin systems\printscreen\PrintScreen.exe /nosplash
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [adobemedia.exe] c:\windows\system32\adobemedia.exe
mRun: [SpeedTouch USB Diagnostics] "c:\program files\thomson\speedtouch usb\Dragdiag.exe" /icon
mRun: [LogitechVideoRepair] "c:\program files\logitech\video\ISStart.exe"
mRun: [LogitechVideoTray] "c:\program files\logitech\video\LogiTray.exe"
mRun: [RegistryMechanic]
mRun: [nwiz] "nwiz.exe" /install
mRun: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [mssadv.exe]
dRun: [Spyware Doctor]
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\al\startm~1\programs\startup\gadwin~1.lnk - c:\program files\gadwin systems\printscreen\PrintScreen.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkvmon~1.lnk - c:\program files\nikon\nkview6\NkvMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF2.exe
uPolicies-explorer: NoAutoUpdate = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021} - c:\progra~1\spywar~1\tools\iesdpb.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\CSLSP.DLL
Trusted Zone: microsoft.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {33363249-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/i263_32.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196516656031
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1202962071734
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {97977458-30B6-48E9-8A5E-79FD8D794F94} = 212.50.160.100 213.249.130.100
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: WRNotifier - WRLogonNTF.dll
AppInit_DLLs: c:\windows\system32\PR12.DLL
SSODL: E404Helper - {9164f608-219b-4d9b-9a9d-3b0d699041a2} - e404d.dll
SEH: McAfee Internet Security Library: {20d8bda1-1958-11d6-b00f-00b0d0c6b6a5} - c:\program files\mcafee\mcafee internet security\GDSHEXT.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\al\applic~1\mozilla\firefox\profiles\7v097ced.default\
FF - prefs.js: browser.search.selectedEngine - Answers.com
FF - component: c:\documents and settings\al\application data\mozilla\firefox\profiles\7v097ced.default\extensions\{7e7165e2-0767-448c-852f-5fa8714f2c37}\components\PlainOldFavorites.dll
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll

============= SERVICES / DRIVERS ===============

R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [2004-1-26 9344]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-26 333192]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2006-12-26 28424]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-26 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-11-13 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-13 285392]
R2 GdFsHook;McAfee Internet Security Filter;c:\windows\system32\drivers\GdFshk.sys [2002-8-5 25984]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
S0 ati3vyxx;ati3vyxx;c:\windows\system32\drivers\ati3vyxx.sys --> c:\windows\system32\drivers\ati3vyxx.sys [?]
S1 aas6ff5;aas6ff5;c:\windows\system32\drivers\aas6ff5.sys --> c:\windows\system32\drivers\aas6ff5.sys [?]
S1 asq4ad7;asq4ad7;c:\windows\system32\drivers\asq4ad7.sys --> c:\windows\system32\drivers\asq4ad7.sys [?]
S1 inmc2ab;inmc2ab;c:\windows\system32\drivers\inmc2ab.sys --> c:\windows\system32\drivers\inmc2ab.sys [?]
S1 jbaa837;jbaa837;c:\windows\system32\drivers\jbaa837.sys --> c:\windows\system32\drivers\jbaa837.sys [?]
S1 med430d;med430d;c:\windows\system32\drivers\med430d.sys --> c:\windows\system32\drivers\med430d.sys [?]
S1 mmk546d;mmk546d;c:\windows\system32\drivers\mmk546d.sys --> c:\windows\system32\drivers\mmk546d.sys [?]
S1 nigf441;nigf441;c:\windows\system32\drivers\nigf441.sys --> c:\windows\system32\drivers\nigf441.sys [?]
S1 onl29c6;onl29c6;c:\windows\system32\drivers\onl29c6.sys --> c:\windows\system32\drivers\onl29c6.sys [?]
S1 qgf9a40;qgf9a40;c:\windows\system32\drivers\qgf9a40.sys --> c:\windows\system32\drivers\qgf9a40.sys [?]
S1 rdb8650;rdb8650;c:\windows\system32\drivers\rdb8650.sys --> c:\windows\system32\drivers\rdb8650.sys [?]
S1 shg8fc9;shg8fc9;c:\windows\system32\drivers\shg8fc9.sys --> c:\windows\system32\drivers\shg8fc9.sys [?]
S1 tqo1c1d;tqo1c1d;c:\windows\system32\drivers\tqo1c1d.sys --> c:\windows\system32\drivers\tqo1c1d.sys [?]
S2 Avg7UpdSvccisvc;AVG7 Update Service Avg7UpdSvccisvc; [x]
S2 General Network Service;General Network Service; [x]
S2 vwservice;vwservice; [x]
S3 GuardDogEXE;McAfee Internet Security;c:\program files\mcafee\mcafee internet security\GuardDog.exe [2002-8-5 106544]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2004-6-20 10880]
S3 SMALUSB;Digital Camera Driver;c:\windows\system32\drivers\smalidt.sys [2004-2-3 9216]
S3 VIASens;Vinyl Sensaura WDM 3D Audio Driver;c:\windows\system32\drivers\viasens.sys [2003-11-7 391680]
S4 BsUDF;InCD UDF Driver;c:\windows\system32\drivers\bsudf.sys [2004-1-26 389504]

=============== Created Last 30 ================

2067-02-24 15:21:18 79947 ----a-w- c:\windows\fw20.vxd
2009-12-30 13:30:26 54016 ----a-w- c:\windows\system32\drivers\liqi.sys
2009-12-30 13:18:33 13312 ---ha-w- c:\windows\system32\adobemedia.exe
2009-12-30 03:45:16 54016 ----a-w- c:\windows\system32\drivers\bonstk.sys
2009-12-29 22:02:45 0 d-----w- c:\docume~1\al\applic~1\Malwarebytes
2009-12-29 22:02:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-29 22:02:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-29 22:02:32 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-29 22:02:32 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-29 00:46:01 24576 ----a-w- c:\windows\system32\PR12.DLL
2009-12-28 01:40:52 0 d-----w- C:\spoolerlogs
2009-12-26 19:16:27 0 ---ha-w- c:\windows\system32\wupd.dat
2009-12-26 19:16:25 24576 ----a-w- c:\windows\system32\PR11.DLL
2009-12-26 19:16:24 13312 ---ha-w- c:\windows\system32\wexe.exe
2009-12-25 14:12:24 6429 ----a-w- c:\windows\system32\WORK.DAT
2009-12-25 14:12:19 24576 ----a-w- c:\windows\system32\PR10.DLL
2009-12-20 02:43:11 0 d-----w- C:\dvdbuilder
2009-12-12 02:34:16 0 d-----w- c:\docume~1\al\applic~1\LockHunter
2009-12-12 02:19:40 0 d-----w- c:\program files\LockHunter

==================== Find3M ====================

2009-11-13 13:58:14 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-13 13:58:14 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-13 13:57:46 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2008-11-16 22:59:34 7168 --sha-w- c:\program files\Thumbs.db
2000-04-19 22:00:02 6995 ----a-w- c:\windows\inf\RAMDISK.SYS
2007-11-17 19:59:18 144 --sha-w- c:\windows\system32\977081089.dat

============= FINISH: 13:50:46.21 ===============
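A small triage script for DDS-format logs like the one above, added here as an example (it is not from the thread, the DDS tool or BleepingComputer). It flags the indicators a helper reads off such a report: extra executables chained onto Userinit, a populated AppInit_DLLs, Hosts entries pointing security sites at loopback, services whose file is missing, Run values that launch a freshly created hidden file, and implausible timestamps. The sample lines are constructed in the DDS format from entries of the posted report, and the scan date is assumed to be 30 December 2009 as in the log header.

```python
"""Triage a DDS log (Pseudo HJT report, services/drivers, 'Created Last 30')
for common persistence indicators.  Added example; not part of the original
post or of the DDS tool."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample: a few lines written in the DDS format of the posted report.
SAMPLE_LOG = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\msonhl32.exe,
uRun: [Tweak-XP]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [adobemedia.exe] c:\windows\system32\adobemedia.exe
AppInit_DLLs: c:\windows\system32\PR12.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-26 333192]
S1 aas6ff5;aas6ff5;c:\windows\system32\drivers\aas6ff5.sys --> c:\windows\system32\drivers\aas6ff5.sys [?]
S2 vwservice;vwservice; [x]
2067-02-24 15:21:18 79947 ----a-w- c:\windows\fw20.vxd
2009-12-30 13:18:33 13312 ---ha-w- c:\windows\system32\adobemedia.exe
2009-12-29 22:02:32 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
"""

SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*)$")
RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[([^\]]*)\]\s*(.*)$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} \d+ (\S{8}) (.+)$")


def triage(log: str, scan_date: datetime = datetime(2009, 12, 30)) -> Dict[str, List[str]]:
    """Return {check_name: [details, ...]} for every indicator found in the log."""
    findings: Dict[str, List[str]] = defaultdict(list)
    hidden_recent: set = set()  # lower-cased paths of hidden files created under system32
    run_entries = []            # (value name, command) pairs, cross-checked after the pass

    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("mWinlogon: Userinit="):
            # Winlogon launches every comma-separated entry; only userinit.exe belongs here.
            for exe in filter(None, (p.strip() for p in line.split("=", 1)[1].split(","))):
                if exe.lower().rsplit("\\", 1)[-1] != "userinit.exe":
                    findings["userinit-extra-exe"].append(exe)
        elif line.startswith("AppInit_DLLs:"):
            # Any DLL listed here is loaded into every process that links user32.
            value = line.split(":", 1)[1].strip()
            if value:
                findings["appinit-dll"].append(value)
        elif line.startswith("Hosts:"):
            # A loopback mapping for anything but localhost silently blocks that site.
            parts = line.split()
            if len(parts) >= 3 and parts[1] in ("127.0.0.1", "0.0.0.0") and parts[2].lower() != "localhost":
                findings["hosts-redirect"].append(parts[2])
        elif (m := RUN_RE.match(line)):
            name, cmd = m.group(1), m.group(2).strip()
            if cmd:
                run_entries.append((name, cmd))
            else:
                findings["run-value-no-command"].append(name)  # leftover autorun value
        elif (m := SERVICE_RE.match(line)):
            start, name, desc, path = m.group(1), m.group(2), m.group(3), m.group(4).strip()
            if path.endswith("[?]"):
                # Registered driver whose file is gone; a display name equal to the
                # service name is typical of dropped, randomly named drivers.
                note = " (display name = service name)" if desc == name else ""
                findings["driver-file-missing"].append(f"{start} {name}{note}")
            elif path == "[x]":
                findings["service-no-path"].append(f"{start} {name}")
        elif (m := CREATED_RE.match(line)):
            day, attrs, path = m.groups()
            if datetime.strptime(day, "%Y-%m-%d") > scan_date:
                findings["future-timestamp"].append(path)
            if "h" in attrs and "\\system32\\" in path.lower():
                findings["hidden-system32-file"].append(path)
                hidden_recent.add(path.lower())

    # Cross-check: an autorun value that launches one of the hidden recent files.
    for name, cmd in run_entries:
        if any(h in cmd.lower() for h in hidden_recent):
            findings["run-launches-hidden-file"].append(f"[{name}] {cmd}")
    return dict(findings)


if __name__ == "__main__":
    for check, items in sorted(triage(SAMPLE_LOG).items()):
        print(check)
        for item in items:
            print("   ", item)
```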


 


#2 myrti

  • Malware Study Hall Admin
  • 33,771 posts

Posted 09 January 2010 - 11:11 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM unless I am already helping you. Use the forums!



#3 AlTyke

  • Topic Starter
  • Members
  • 27 posts

Posted 09 January 2010 - 12:46 PM

First off, thanks for helping. Here are the reports:

OTL logfile created on: 09/01/2010 17:27:58 - Run 1
OTL by OldTimer - Version 3.1.22.0 Folder = C:\Documents and Settings\AL\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 41.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 63.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 76.67 Gb Total Space | 5.51 Gb Free Space | 7.19% Space Free | Partition Type: FAT32
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TYKE-8O6HTSR6QR
Current User Name: AL
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/09 17:27:24 | 00,543,232 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\AL\Desktop\OTL.exe
PRC - [2010/01/06 06:04:02 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/01/05 06:41:52 | 02,033,432 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2010/01/05 06:41:48 | 00,600,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/01/05 06:41:48 | 00,503,576 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/01/05 06:41:40 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/01/05 06:41:32 | 00,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2009/11/13 13:57:42 | 01,055,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2009/11/13 13:57:32 | 00,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe
PRC - [2009/03/05 16:07:20 | 02,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/12/09 11:08:40 | 00,495,616 | ---- | M] (Gadwin Systems, Inc) -- C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
PRC - [2008/02/27 17:56:54 | 03,072,184 | ---- | M] (Kontiki Inc.) -- C:\Program Files\Kontiki\KService.exe
PRC - [2007/01/30 12:02:00 | 00,303,104 | ---- | M] (FUJIFILM Corporation) -- C:\Program Files\FinePixViewer\QuickDCF2.exe
PRC - [2005/12/10 03:06:00 | 00,131,139 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2005/12/04 02:23:50 | 00,712,416 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\sdhelp.exe
PRC - [2005/04/08 17:18:44 | 01,179,648 | ---- | M] (IVT Corporation) -- C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
PRC - [2005/04/06 16:03:28 | 00,110,592 | ---- | M] () -- C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
PRC - [2004/08/04 08:56:58 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
PRC - [2004/08/04 08:56:50 | 01,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2004/07/31 16:38:22 | 00,617,984 | ---- | M] (SprigSoft) -- C:\Program Files\Lower Case Switcher\LowerCaseSW.exe
PRC - [2004/06/01 11:03:18 | 00,217,088 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\Video\LogiTray.exe
PRC - [2004/06/01 10:46:52 | 00,192,512 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\Video\FxSvr2.exe
PRC - [2003/10/16 13:25:32 | 00,118,784 | ---- | M] () -- C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
PRC - [2003/07/11 20:45:02 | 00,241,664 | ---- | M] (Nikon Corporation) -- C:\Program Files\Nikon\NkView6\NkvMon.exe
PRC - [2002/07/17 02:03:00 | 00,094,208 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe


========== Modules (SafeList) ==========

MOD - [2010/01/09 17:27:24 | 00,543,232 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\AL\Desktop\OTL.exe
MOD - [2004/08/04 08:57:00 | 01,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
MOD - [2004/07/31 16:38:22 | 00,036,864 | ---- | M] (SprigSoft) -- C:\Program Files\Lower Case Switcher\LCase.dll
MOD - [2001/08/23 12:00:00 | 00,014,848 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\serwvdrv.dll
MOD - [2001/08/23 12:00:00 | 00,013,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\umdmxfrm.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (vwservice)
SRV - File not found [Auto | Stopped] -- -- (General Network Service)
SRV - File not found [Auto | Stopped] -- -- (Avg7UpdSvccisvc)
SRV - [2010/01/05 06:41:40 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2009/11/13 13:57:32 | 00,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2008/02/27 17:56:54 | 03,072,184 | ---- | M] (Kontiki Inc.) [Auto | Running] -- C:\Program Files\Kontiki\KService.exe -- (KService)
SRV - [2008/02/18 11:16:30 | 00,110,592 | ---- | M] (Apple, Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2005/12/10 03:06:00 | 00,131,139 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2005/12/04 02:23:50 | 00,712,416 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\Spyware Doctor\sdhelp.exe -- (SDhelper)
SRV - [2005/04/06 16:03:28 | 00,110,592 | ---- | M] () [Auto | Running] -- C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe -- (BlueSoleil Hid Service)
SRV - [2003/11/20 15:42:40 | 00,106,544 | ---- | M] (Network Associates, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE -- (GuardDogEXE)
SRV - [2002/07/17 02:03:00 | 00,094,208 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe -- (EPSONStatusAgent2)


========== Driver Services (SafeList) ==========

DRV - [2010/01/05 06:41:48 | 00,028,424 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/11/13 13:58:14 | 00,360,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2009/11/13 13:58:14 | 00,333,192 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2008/06/11 01:07:16 | 00,043,528 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2008/01/14 11:06:32 | 00,021,632 | ---- | M] (ManyCam LLC.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ManyCam.sys -- (ManyCam)
DRV - [2007/12/02 20:41:44 | 00,102,664 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2007/11/27 03:58:12 | 00,140,288 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\catchme.exe -- (catchme)
DRV - [2005/12/10 03:06:00 | 03,536,768 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2005/04/07 19:50:32 | 00,011,860 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VBTEnum.sys -- (BTHidEnum)
DRV - [2005/04/07 19:48:56 | 00,028,271 | ---- | M] (IVT Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\BTHidMgr.sys -- (BTHidMgr)
DRV - [2005/04/06 11:48:44 | 00,023,000 | ---- | M] (IVT Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btcusb.sys -- (Btcsrusb)
DRV - [2005/03/25 17:18:48 | 00,082,148 | ---- | M] (IVT Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VcommMgr.sys -- (VcommMgr)
DRV - [2005/02/01 18:00:24 | 00,020,096 | ---- | M] (IVT Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\blueletaudio.sys -- (BlueletAudio)
DRV - [2004/10/19 13:37:38 | 00,061,312 | ---- | M] (IVT Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VComm.sys -- (VComm)
DRV - [2004/09/21 18:15:34 | 00,010,804 | ---- | M] (IVT Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BtNetDrv.sys -- (BT)
DRV - [2004/08/04 07:08:22 | 00,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2004/08/04 07:07:56 | 00,059,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2004/05/27 16:47:16 | 00,019,968 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2004/05/21 20:16:14 | 00,471,232 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lvcm.sys -- (QCMerced)
DRV - [2003/12/08 11:53:48 | 00,053,600 | ---- | M] (THOMSON) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\alcan5wn.sys -- (alcan5wn) SpeedTouch USB ADSL PPP Networking Driver (NDISWAN)
DRV - [2003/12/08 11:53:46 | 00,070,688 | ---- | M] (THOMSON) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\alcaudsl.sys -- (alcaudsl)
DRV - [2003/12/01 02:54:20 | 00,043,136 | R--- | M] (Prolific Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ser2pl.sys -- (Ser2pl)
DRV - [2003/11/20 15:42:44 | 00,025,984 | ---- | M] (Network Associates, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\GdFshk.sys -- (GdFsHook)
DRV - [2003/11/07 07:07:52 | 00,391,680 | ---- | M] (Sensaura Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\viasens.sys -- (VIASens)
DRV - [2003/05/26 05:57:50 | 00,166,912 | R--- | M] (S3 Graphics, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3gnbm.sys -- (S3Psddr)
DRV - [2003/05/22 08:44:44 | 00,670,203 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Intels51.sys -- (Intels51) Intel®
DRV - [2003/04/15 22:50:40 | 00,009,216 | ---- | M] (SMaL Camera Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\smalidt.sys -- (SMALUSB)
DRV - [2003/03/24 04:19:00 | 00,088,960 | R--- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\viaudio.sys -- (VIAudio) VIA AC'97 Audio Controller (WDM)
DRV - [2003/02/14 15:23:54 | 00,009,856 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2003/02/12 11:16:10 | 00,389,504 | ---- | M] (ahead software) [File_System | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\bsudf.sys -- (BsUDF)
DRV - [2002/12/27 04:41:00 | 00,026,880 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\viaagp1.sys -- (viaagp1)
DRV - [2002/10/08 10:03:16 | 00,007,582 | ---- | M] (Ahead Software AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\incdrm.sys -- (incdrm)
DRV - [2002/07/19 08:10:20 | 00,006,656 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cinemsup.sys -- (Cinemsup)
DRV - [2002/07/05 10:13:00 | 00,040,448 | R--- | M] (VIA Technologies, Inc. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\fetnd5b.sys -- (FETNDIS)
DRV - [2002/06/05 23:07:00 | 00,009,344 | ---- | M] (B.H.A Co.,Ltd.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\bsstor.sys -- (BsStor)
DRV - [2002/05/15 06:29:18 | 00,006,016 | R--- | M] (VIA Technologies, Inc. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\ntsim.sys -- (NTSIM)
DRV - [2001/11/13 09:25:00 | 00,077,888 | R--- | M] (SCM Microsystems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\upatc.sys -- (UPATC)
DRV - [2001/10/18 12:00:00 | 00,006,144 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\viaidexp.sys -- (ViaIde)
DRV - [2001/08/23 12:00:00 | 00,027,440 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2001/08/23 12:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2001/08/23 12:00:00 | 00,005,888 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rootmdm.sys -- (ROOTMODEM)
DRV - [2001/08/17 13:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)
DRV - [2001/08/17 13:53:26 | 00,010,880 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\scsiscan.sys -- (scsiscan)
DRV - [1999/09/10 12:06:00 | 00,025,244 | ---- | M] (Adaptec) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ASPI32.SYS -- (ASPI32)
DRV - [1997/03/04 10:38:52 | 00,018,437 | ---- | M] () [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\SMPLSCSI.INF -- (SMPLSCSI)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1123561945-1659004503-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.chat-avenue.com/adultchat.html [binary data]
IE - HKU\S-1-5-21-1123561945-1659004503-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/webhp?rls=ig
IE - HKU\S-1-5-21-1123561945-1659004503-1801674531-1003\S-1-5-21-1123561945-1659004503-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Answers.com"
FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.701
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3
FF - prefs.js..extensions.enabledItems: {00BDD586-51FB-4b06-9C23-AF2FB7609BF3}:3.5
FF - prefs.js..extensions.enabledItems: {A6A0B3F6-6D2D-4c55-96C1-7481BEA2EBF8}:2.1.73
FF - prefs.js..extensions.enabledItems: {A4732521-77D9-447E-A557-B279AC923F06}:0.6.6
FF - prefs.js..extensions.enabledItems: {1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}:0.4.2
FF - prefs.js..extensions.enabledItems: morningCoffee@shaneliesegang:1.33
FF - prefs.js..extensions.enabledItems: {66E978CD-981F-47DF-AC42-E3CF417C1467}:0.4.1
FF - prefs.js..extensions.enabledItems: {7E7165E2-0767-448c-852F-5FA8714F2C37}:1.0.3
FF - prefs.js..extensions.enabledItems: redvsblue@oppermann.ch:1.0

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2009/11/13 13:57:30 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2008/11/05 02:40:48 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2008/11/05 02:40:48 | 00,000,000 | ---D | M]

[2008/11/05 02:41:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\AL\Application Data\Mozilla\Extensions
[2008/11/05 02:41:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\AL\Application Data\Mozilla\Firefox\Profiles\7v097ced.default\extensions
[2009/07/01 14:33:32 | 00,000,000 | ---D | M] (Basics) -- C:\Documents and Settings\AL\Application Data\Mozilla\Firefox\Profiles\7v097ced.default\extensions\{00BDD586-51FB-4b06-9C23-AF2FB7609BF3}
[2010/01/08 01:49:02 | 00,000,000 | ---D | M] (Image Zoom) -- C:\Documents and Settings\AL\Application Data\Mozilla\Firefox\Profiles\7v097ced.default\extensions\{1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}
[2009/06/28 18:10:06 | 00,000,000 | ---D | M] (New Tab Homepage) -- C:\Documents and Settings\AL\Application Data\Mozilla\Firefox\Profiles\7v097ced.default\extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}
[2009/07/01 14:33:34 | 00,000,000 | ---D | M] (PlainOldFavorites) -- C:\Documents and Settings\AL\Application Data\Mozilla\Firefox\Profiles\7v097ced.default\extensions\{7E7165E2-0767-448c-852F-5FA8714F2C37}
[2009/06/15 14:43:00 | 00,000,000 | ---D | M] (Image Toolbar) -- C:\Documents and Settings\AL\Application Data\Mozilla\Firefox\Profiles\7v097ced.default\extensions\{A4732521-77D9-447E-A557-B279AC923F06}
[2009/07/17 14:48:00 | 00,000,000 | ---D | M] (Date Picker/Calendar) -- C:\Documents and Settings\AL\Application Data\Mozilla\Firefox\Profiles\7v097ced.default\extensions\{A6A0B3F6-6D2D-4c55-96C1-7481BEA2EBF8}
[2010/01/08 01:49:02 | 00,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\AL\Application Data\Mozilla\Firefox\Profiles\7v097ced.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/02/23 05:11:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\AL\Application Data\Mozilla\Firefox\Profiles\7v097ced.default\extensions\morningCoffee@shaneliesegang
[2008/12/11 06:05:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\AL\Application Data\Mozilla\Firefox\Profiles\7v097ced.default\extensions\redvsblue@oppermann.ch
[2008/11/05 02:40:48 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/02/27 17:57:38 | 00,106,496 | ---- | M] (British Broadcasting Corporation) -- C:\Program Files\Mozilla Firefox\plugins\npBBCPlugin.dll
[2010/01/06 06:04:08 | 00,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/01/06 06:04:08 | 00,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/01/06 06:04:08 | 00,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/01/06 06:04:08 | 00,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: (372634 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.123topsearch.com
O1 - Hosts: 127.0.0.1 123topsearch.com
O1 - Hosts: 127.0.0.1 www.132.com
O1 - Hosts: 127.0.0.1 132.com
O1 - Hosts: 127.0.0.1 www.136136.net
O1 - Hosts: 127.0.0.1 136136.net
O1 - Hosts: 127.0.0.1 www.163ns.com
O1 - Hosts: 127.0.0.1 163ns.com
O1 - Hosts: 12869 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (PCTools Browser Monitor) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\Program Files\Spyware Doctor\tools\iesdpb.dll (PC Tools)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe (Logitech Inc.)
O4 - HKLM..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe (Logitech Inc.)
O4 - HKLM..\Run: [mssadv.exe] File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [RegistryMechanic] File not found
O4 - HKLM..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE (FUJI PHOTO FILM CO., LTD.)
O4 - HKLM..\Run: [SpeedTouch USB Diagnostics] C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe (THOMSON Telecom Belgium)
O4 - HKU\.DEFAULT..\Run: [Spyware Doctor] File not found
O4 - HKU\S-1-5-18..\Run: [Spyware Doctor] File not found
O4 - HKU\S-1-5-21-1123561945-1659004503-1801674531-1003..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe (Gadwin Systems, Inc)
O4 - HKU\S-1-5-21-1123561945-1659004503-1801674531-1003..\Run: [LogitechSoftwareUpdate] C:\Program Files\Logitech\Video\ManifestEngine.exe (Logitech Inc.)
O4 - HKU\S-1-5-21-1123561945-1659004503-1801674531-1003..\Run: [LowerCaseSwitcher] C:\Program Files\Lower Case Switcher\LowerCaseSW.exe (SprigSoft)
O4 - HKU\S-1-5-21-1123561945-1659004503-1801674531-1003..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\S-1-5-21-1123561945-1659004503-1801674531-1003..\Run: [STManager] C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe ()
O4 - HKU\S-1-5-21-1123561945-1659004503-1801674531-1003..\Run: [Tweak-XP] File not found
O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe (Nikon Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe (FUJIFILM Corporation)
O4 - Startup: C:\Documents and Settings\AL\Start Menu\Programs\Startup\GADWIN (2).lnk = C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe (Gadwin Systems, Inc)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-1123561945-1659004503-1801674531-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1123561945-1659004503-1801674531-1003\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-1123561945-1659004503-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 157
O7 - HKU\S-1-5-21-1123561945-1659004503-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoAutoUpdate = 1
O7 - HKU\S-1-5-21-1123561945-1659004503-1801674531-1003_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1123561945-1659004503-1801674531-1003_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\Program Files\Spyware Doctor\tools\iesdpb.dll (PC Tools)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\System32\CSLSP.DLL (Networks Associates Technologies, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\System32\CSLSP.DLL (Networks Associates Technologies, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\System32\CSLSP.DLL (Networks Associates Technologies, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\System32\CSLSP.DLL (Networks Associates Technologies, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\System32\CSLSP.DLL (Networks Associates Technologies, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\System32\CSLSP.DLL (Networks Associates Technologies, Inc.)
O15 - HKLM\..Trusted Domains: 60 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 59 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 59 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-19\..Trusted Domains: 32 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-20\..Trusted Domains: 32 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-1123561945-1659004503-1801674531-1003\..Trusted Domains: ([]msn in My Computer)
O15 - HKU\S-1-5-21-1123561945-1659004503-1801674531-1003\..Trusted Domains: microsoft.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-1123561945-1659004503-1801674531-1003\..Trusted Domains: 59 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {00000055-9980-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/fhg.CAB (Reg Error: Key error.)
O16 - DPF: {33363249-0000-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/i263_32.cab (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1196516656031 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1202962071734 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - AppInit_DLLs: (C:\WINDOWS\system32\PR12.DLL) - C:\WINDOWS\system32\PR12.DLL ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\msonhl32.exe) - C:\WINDOWS\System32\msonhl32.exe File not found
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\WRNotifier: DllName - WRLogonNTF.dll - File not found
O21 - SSODL: E404Helper - {9164f608-219b-4d9b-9a9d-3b0d699041a2} - File not found
O28 - HKLM ShellExecuteHooks: {20d8bda1-1958-11d6-b00f-00b0d0c6b6a5} - C:\Program Files\McAfee\McAfee Internet Security\gdshext.dll (Network Associates, Inc.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/01/26 19:28:10 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk /r \??\F:) - File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/01/09 17:27:21 | 00,543,232 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\AL\Desktop\OTL.exe
[2010/01/09 14:16:28 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2010/01/08 22:57:47 | 00,000,000 | ---D | C] -- C:\Documents and Settings\AL\Desktop\CLEAN copy of ws_32dll
[2010/01/05 06:41:46 | 00,012,464 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/12/29 22:02:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\AL\Application Data\Malwarebytes
[2009/12/29 22:02:36 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/29 22:02:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/12/29 22:02:32 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/29 22:02:32 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/28 01:40:52 | 00,000,000 | ---D | C] -- C:\spoolerlogs
[2009/12/20 02:43:11 | 00,000,000 | ---D | C] -- C:\dvdbuilder
[2009/12/20 02:40:07 | 00,000,000 | ---D | C] -- C:\Documents and Settings\AL\My Documents\My Videos
[2009/12/12 02:34:16 | 00,000,000 | ---D | C] -- C:\Documents and Settings\AL\Application Data\LockHunter
[2009/12/12 02:19:40 | 00,000,000 | ---D | C] -- C:\Program Files\LockHunter
[2007/04/21 21:14:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2004/01/30 02:02:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\PGP
[2004/01/26 19:31:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2004/01/26 19:31:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2004/01/26 19:12:10 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2004/01/26 19:12:10 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/09 17:27:24 | 00,543,232 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\AL\Desktop\OTL.exe
[2010/01/09 13:28:16 | 00,043,573 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/01/09 13:27:54 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/09 13:27:46 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/09 13:27:10 | 25,952,256 | ---- | M] () -- C:\Documents and Settings\AL\ntuser.dat
[2010/01/09 13:27:02 | 00,000,012 | ---- | M] () -- C:\WINDOWS\bthservsdp.dat
[2010/01/09 13:26:58 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\AL\ntuser.ini
[2010/01/09 01:06:50 | 00,049,152 | ---- | M] () -- C:\Documents and Settings\AL\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/08 13:57:38 | 00,002,262 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/08 02:07:28 | 00,000,307 | ---- | M] () -- C:\WINDOWS\jpegcrop.INI
[2010/01/05 06:41:48 | 00,028,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2010/01/05 06:41:48 | 00,012,464 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2010/01/02 17:11:26 | 00,001,225 | ---- | M] () -- C:\Documents and Settings\AL\Desktop\shortcut to TEMP folder where bad things hang out lol.lnk
[2010/01/02 02:14:52 | 00,008,421 | ---- | M] () -- C:\Documents and Settings\AL\Desktop\New Rich Text Document.rtf
[2009/12/31 14:20:26 | 00,000,211 | -HS- | M] () -- C:\BoOT.INi
[2009/12/30 21:07:08 | 00,000,000 | -H-- | M] () -- C:\WINDOWS\System32\wupd.dat
[2009/12/30 18:54:24 | 00,001,522 | ---- | M] () -- C:\Documents and Settings\AL\Desktop\Services (2).lnk
[2009/12/30 14:55:24 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/30 14:54:58 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/29 22:02:42 | 00,000,610 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/29 00:46:04 | 00,024,576 | ---- | M] () -- C:\WINDOWS\System32\PR12.DLL
[2009/12/29 00:46:04 | 00,006,429 | ---- | M] () -- C:\WINDOWS\System32\WORK.DAT
[2009/12/28 06:21:14 | 00,024,576 | ---- | M] () -- C:\WINDOWS\System32\PR11.DLL
[2009/12/15 19:33:32 | 00,000,945 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2009/12/12 02:19:44 | 00,000,576 | ---- | M] () -- C:\Documents and Settings\AL\Desktop\LockHunter (2).lnk
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2067/02/24 15:21:18 | 00,079,947 | ---- | C] () -- C:\WINDOWS\fw20.vxd
[2010/01/09 00:50:28 | 00,001,593 | ---- | C] () -- C:\Documents and Settings\AL\Desktop\BlueSoleil (2).lnk
[2010/01/02 17:09:21 | 00,001,225 | ---- | C] () -- C:\Documents and Settings\AL\Desktop\shortcut to TEMP folder where bad things hang out lol.lnk
[2010/01/01 20:38:08 | 00,008,421 | ---- | C] () -- C:\Documents and Settings\AL\Desktop\New Rich Text Document.rtf
[2009/12/30 18:54:44 | 00,001,522 | ---- | C] () -- C:\Documents and Settings\AL\Desktop\Services (2).lnk
[2009/12/29 22:02:41 | 00,000,610 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/29 00:46:01 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\PR12.DLL
[2009/12/26 19:16:27 | 00,000,000 | -H-- | C] () -- C:\WINDOWS\System32\wupd.dat
[2009/12/26 19:16:25 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\PR11.DLL
[2009/12/25 14:12:24 | 00,006,429 | ---- | C] () -- C:\WINDOWS\System32\WORK.DAT
[2009/12/12 02:21:15 | 00,000,576 | ---- | C] () -- C:\Documents and Settings\AL\Desktop\LockHunter (2).lnk
[2009/09/11 02:26:28 | 00,007,680 | -HS- | C] () -- C:\Documents and Settings\AL\Application Data\Thumbs.db
[2009/07/08 22:26:10 | 00,013,304 | ---- | C] () -- C:\WINDOWS\System32\drivers\BTNetFilter.sys
[2009/07/08 22:26:10 | 00,011,860 | ---- | C] () -- C:\WINDOWS\System32\drivers\VBTEnum.sys
[2008/09/16 00:14:24 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/09/16 00:12:02 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2008/09/16 00:12:02 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2008/09/16 00:11:10 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2007/08/24 05:03:10 | 00,000,945 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/11/29 07:05:46 | 00,001,368 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/09/30 01:29:50 | 00,000,992 | ---- | C] () -- C:\WINDOWS\posteriza.INI
[2006/08/24 15:24:01 | 00,019,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVUSBSta.sys
[2006/08/24 15:24:01 | 00,005,993 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2006/08/24 15:23:59 | 00,471,232 | ---- | C] () -- C:\WINDOWS\System32\drivers\lvcm.sys
[2006/08/24 15:23:35 | 00,000,248 | ---- | C] () -- C:\WINDOWS\_delis32.ini
[2006/07/18 14:54:29 | 00,023,552 | ---- | C] () -- C:\WINDOWS\System32\jesterss.dll
[2006/03/27 21:10:36 | 00,395,776 | ---- | C] () -- C:\WINDOWS\System32\libmplayer.dll
[2006/03/27 21:10:36 | 00,262,144 | ---- | C] () -- C:\WINDOWS\System32\TomsMoComp_ff.dll
[2006/03/27 21:10:36 | 00,112,640 | ---- | C] () -- C:\WINDOWS\System32\libmpeg2_ff.dll
[2006/03/27 21:10:35 | 02,255,360 | ---- | C] () -- C:\WINDOWS\System32\libavcodec.dll
[2006/03/24 21:45:51 | 00,000,012 | ---- | C] () -- C:\WINDOWS\dirsaver.ini
[2006/03/21 23:01:44 | 00,166,912 | ---- | C] () -- C:\WINDOWS\System32\Lame_enc.dll
[2006/02/03 22:03:14 | 00,000,004 | ---- | C] () -- C:\WINDOWS\win32t4.dll
[2005/12/10 03:06:00 | 01,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2005/12/10 03:06:00 | 01,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2005/12/10 03:06:00 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2005/12/10 03:06:00 | 00,573,440 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2005/12/10 03:06:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2005/12/10 03:06:00 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2005/12/10 03:06:00 | 00,110,592 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2005/12/03 03:40:58 | 00,007,168 | -HS- | C] () -- C:\Program Files\Thumbs.db
[2005/11/29 15:04:58 | 01,208,320 | ---- | C] () -- C:\WINDOWS\System32\cygxml2-2.dll
[2005/11/29 15:04:58 | 00,980,992 | ---- | C] () -- C:\WINDOWS\System32\cygiconv-2.dll
[2005/11/29 15:04:58 | 00,062,464 | ---- | C] () -- C:\WINDOWS\System32\cygz.dll
[2005/04/28 01:27:37 | 00,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2005/01/01 02:41:00 | 00,000,758 | ---- | C] () -- C:\WINDOWS\ZoneLib-DisplayNames.ini
[2005/01/01 02:40:59 | 00,002,265 | ---- | C] () -- C:\WINDOWS\SymmTime.ini
[2005/01/01 02:40:56 | 00,002,320 | ---- | C] () -- C:\WINDOWS\Default_SymmTime.ini
[2004/12/27 21:32:10 | 00,000,004 | ---- | C] () -- C:\WINDOWS\System32\micr0st.dll
[2004/12/20 11:08:28 | 00,155,648 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2004/12/20 11:03:26 | 00,679,936 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2004/11/05 00:38:19 | 00,005,606 | ---- | C] () -- C:\WINDOWS\System32\stci.dll
[2004/11/01 21:12:15 | 00,000,144 | ---- | C] () -- C:\WINDOWS\Eudcedit.ini
[2004/10/26 22:39:05 | 03,375,104 | ---- | C] () -- C:\WINDOWS\System32\qt-mt331.dll
[2004/07/03 17:03:15 | 00,000,021 | ---- | C] () -- C:\WINDOWS\PMK_setup.ini
[2004/06/15 05:21:34 | 00,000,000 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI
[2004/06/15 05:20:45 | 00,338,944 | ---- | C] () -- C:\WINDOWS\System32\lffpx7.dll
[2004/06/15 05:20:45 | 00,122,880 | ---- | C] () -- C:\WINDOWS\System32\lfkodak.dll
[2004/06/15 05:20:44 | 00,338,944 | ---- | C] () -- C:\WINDOWS\lffpx7.dll
[2004/06/15 05:20:44 | 00,122,880 | ---- | C] () -- C:\WINDOWS\lfkodak.dll
[2004/03/24 21:07:01 | 00,000,091 | ---- | C] () -- C:\WINDOWS\PhotoJam3.ini
[2004/03/21 22:20:43 | 00,000,000 | ---- | C] () -- C:\WINDOWS\P2kRotate.ini
[2004/02/28 15:15:14 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/02/19 19:31:19 | 00,000,843 | ---- | C] () -- C:\WINDOWS\Iagb4.ini
[2004/02/19 19:15:32 | 00,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll
[2004/02/16 21:56:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\HTagEdit2.INI
[2004/02/16 03:18:27 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2004/02/03 23:07:41 | 00,000,307 | ---- | C] () -- C:\WINDOWS\jpegcrop.INI
[2004/02/03 21:39:49 | 00,000,021 | ---- | C] () -- C:\WINDOWS\PI_setup.ini
[2004/01/26 22:39:15 | 00,002,042 | ---- | C] () -- C:\WINDOWS\CDPlayer.ini
[2004/01/26 22:22:57 | 00,000,488 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/01/26 21:55:16 | 00,049,152 | ---- | C] () -- C:\Documents and Settings\AL\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/01/26 20:04:56 | 00,019,968 | ---- | C] () -- C:\WINDOWS\System32\cpuinf32.dll
[2004/01/26 19:44:17 | 00,032,768 | ---- | C] () -- C:\WINDOWS\System32\UnAudioNT.dll
[2004/01/26 19:39:02 | 00,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2004/01/26 19:39:02 | 00,002,733 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2002/12/14 04:05:20 | 00,000,309 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2001/08/23 12:00:00 | 00,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2000/11/24 17:05:06 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\CPUINFO2.DLL
[1999/09/20 10:05:32 | 00,013,387 | ---- | C] () -- C:\WINDOWS\System32\CinemSup.sys
[1999/01/27 13:39:06 | 00,065,024 | ---- | C] () -- C:\WINDOWS\System32\indounin.dll
[1999/01/22 18:46:58 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== Files - Unicode (All) ==========
[2009/05/30 01:20:30 | 00,020,237 | ---- | M] ()(C:\Documents and Settings\AL\Desktop\?.rtf) -- C:\Documents and Settings\AL\Desktop\�.rtf
[2008/10/14 14:31:54 | 00,020,237 | ---- | C] ()(C:\Documents and Settings\AL\Desktop\?.rtf) -- C:\Documents and Settings\AL\Desktop\�.rtf
< End of report >
Now the other one...

OTL Extras logfile created on: 09/01/2010 17:27:58 - Run 1
OTL by OldTimer - Version 3.1.22.0 Folder = C:\Documents and Settings\AL\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 41.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 63.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 76.67 Gb Total Space | 5.51 Gb Free Space | 7.19% Space Free | Partition Type: FAT32
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TYKE-8O6HTSR6QR
Current User Name: AL
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [FinePix] -- "C:\Program Files\FinePixViewer\FinePixViewer.exe" "%1" (FUJIFILM Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"80:TCP" = 80:TCP:*:Enabled:Promo
"53:UDP" = 53:UDP:*:Enabled:Promo
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\SpeedTouch\Dr SpeedTouch\DRST.EXE" = C:\Program Files\SpeedTouch\Dr SpeedTouch\DRST.EXE:*:Enabled:Dr SpeedTouch -- ()
"C:\Program Files\BitLord\BitLord.exe" = C:\Program Files\BitLord\BitLord.exe:*:Enabled:BitLord -- (www.BitLord.com)
"C:\Program Files\Kontiki\KService.exe" = C:\Program Files\Kontiki\KService.exe:*:Enabled:Delivery Manager Service -- (Kontiki Inc.)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\AVG\AVG8\avgemc.exe" = C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe -- File not found
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- File not found
"C:\Program Files\AVG\AVG8\avgnsx.exe" = C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe -- File not found
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\Spotify\spotify.exe" = C:\Program Files\Spotify\spotify.exe:*:Enabled:Spotify -- (Spotify AB)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Java\jre1.6.0_02\bin\javaw.exe" = C:\Program Files\Java\jre1.6.0_02\bin\javaw.exe:*:Disabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe" = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:*:Enabled:BlueSoleil -- (IVT Corporation)
"C:\Program Files\AVG\AVG9\avgemc.exe" = C:\Program Files\AVG\AVG9\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
"C:\WINDOWS\TEMP\_ex-08.exe" = C:\WINDOWS\TEMP\_ex-08.exe:*:Enabled:Promo -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0496D9E9-224B-4AFA-8F37-23B98D52F1EB}" = Logitech QuickCam
"{07295ABF-1245-415A-BE06-863271753443}" = ShowBiz
"{17A7779A-D23F-11D3-8753-0050BABE1202}" = Microtek ScanWizard
"{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}" = QuickTime
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1CABB679-3958-44AA-BFFF-4E68A2684255}" = ArcSoft Panorama Maker 3.0
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{24ED4D80-8294-11D5-96CD-0040266301AD}" = FinePixViewer Ver.5.4
"{26792CA7-D87A-4DBE-896B-C2F66B344511}" = Sonic CinePlayer
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3F340FE0-E93E-4A53-B5E4-19ED2648FCAE}" = PIMS & File Manager
"{43DCF766-6838-4F9A-8C91-D92DA586DFA8}" = Microsoft Windows Journal Viewer
"{44734179-8A79-4DEE-BB08-73037F065543}" = Apple Mobile Device Support
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}" = Bonjour
"{4BCE366F-A0E0-4869-A6E2-A77CD82C8FFD}" = TubeTilla Free
"{4C90BCDC-6B17-475E-B03B-2C7AF046141B}" = WIndows 98se Mass Driver
"{5490882C-6961-11D5-BAE5-00E0188E010B}" = FUJIFILM USB Driver
"{569FEA14-88A3-4EF1-89D0-78939AB21286}" = Oregon Scientific DS6628 Photo Album
"{5E835305-63BB-4E55-BBB7-EEBBE67774DB}" = MyDVD
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{6935CD1F-A401-4E50-A0E1-B8ACD8235F9B}" = Fast Folder Rename v1.5
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6EECB283-E65F-40EF-86D3-D51BF02A8D43}" = Microsoft Office Converter Pack
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7BA1FB62-A363-4D24-8870-45131F0D0137}" = EPSON PRINT Image Framer Tool2.0
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A793FC6-6DF5-11DD-BB6A-00018021113F}" = EPSON PhotoQuicker3.4
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8D5D99B8-DFA2-4018-ADE9-A6B83E655C65}" =
"{90AF0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office PowerPoint Viewer 2003
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{97C0EA4A-1A0B-4C53-ACEB-49984DA79C90}" = Google Earth
"{98E8A2EF-4EAE-43B8-A172-74842B764777}" = InterVideo WinDVD 4
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AAB84E83-C8DF-4752-9DFC-2E2A48EE5E9F}" = Nikon View 6
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.7
"{AFD9E698-03C2-4E88-80A6-1496562D4304}" = Google SketchUp 7.1
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B44529FF-501E-47CD-A06D-223C161BE058}" = FinePixViewer Resource
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}" = Apple Software Update
"{B9F499B8-D1F0-42FC-84BE-CC552123CCCB}" = BlueSoleil
"{BA3BC81F-0035-4D62-8AB4-6F83D7C1F480}" = Tweak-XP Pro
"{CB0888EE-96D8-4713-84DC-36462C33AEB4}" = Bazooka Scanner
"{CE33741B-7899-4938-A3C0-E1CBC116F6A3}" = SymmTime
"{CE6D39E2-D4CB-4C49-ABD9-8724B095D1EF}" = Dr SpeedTouch
"{D3958340-EDFD-4206-9AE0-3FFDF652B47B}" = ArcSoft PhotoImpression
"{D41FAAA9-8048-4906-86B2-9AADEA1FA0B7}" = SpeedTouch USB Software
"{D466F3D9-510C-4729-B7D4-2E70490E4CDF}" = BBC iPlayer Download Manager
"{DCB2928E-61F6-11D6-B259-00C04FF4B435}" = McAfee Internet Security
"{E3B3AB03-8ABC-46CF-8CA9-DB5581E1F368}" = FinePix Studio
"{E8FB4BF9-4C95-4F39-B26D-33C31A2CEE09}" = PIF DESIGNER2.0
"{EBAE381B-60A6-4863-AA9F-FCAB755BC9E5}" = ScanToWeb
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"Adobe Acrobat 4.0" = Adobe Acrobat 4.0
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"Ashampoo Movie Shrink & Burn" = Ashampoo Movie Shrink & Burn
"Audacity_is1" = Audacity 1.2.6
"AVG9Uninstall" = AVG Free 9.0
"AviSplit Classic (Freeware)_is1" = AviSplit Classic Version 1.32
"BadCopy Pro" = BadCopy Pro
"BBC iPlayer Download Manager" = BBC iPlayer Download Manager
"BitLord" = BitLord 1.1
"CleanUp!" = CleanUp!
"ColorCastFX for Digital Cameras_is1" = ColorCastFX for Digital Cameras
"Cucusoft MPEG to DVD Burner_is1" = Cucusoft MPEG to DVD Burner 3.21
"Cucusoft MPEG/MOV/RM/DivX/AVI to DVD/VCD/SVCD Creator Pro_is1" = Cucusoft MPEG/MOV/RM/DivX/AVI to DVD/VCD/SVCD Creator Pro 7.07
"dBpowerAMP Music Converter" = dBpowerAMP Music Converter
"dBpowerAMP WMA V8 Codec" = dBpowerAMP WMA V8 Codec
"DelinvFile_is1" = DelinvFile - 3.01
"Digital Camera Enhancer 1.3_is1" = Digital Camera Enhancer 1.3
"DirectVobSub" = DirectVobSub (remove only)
"DivX Content Uploader" = DivX Content Uploader
"DVD Shrink_is1" = DVD Shrink 3.2
"DVDBuilder_is1" = DVDBuilder 2.7
"Easy DVD Rip" = Easy DVD Rip
"EPC DeInstall" = Electronic Parts Catalogue
"EPC DeInstall HIST" = Electronic Parts Catalogue Oldest Range CD
"EPSON Printer and Utilities" = EPSON Printer Software
"ERUNT_is1" = ERUNT 1.1j
"EscapeClose" = EscapeClose
"ESP 830U Guide" = ESP 830U Guide
"Eusing Free Registry Cleaner" = Eusing Free Registry Cleaner
"EZ Vinyl Converter by MixMeister_is1" = EZ Vinyl Converter 2.0.0 by MixMeister
"FairStars Recorder_is1" = FairStars Recorder 2.56
"Filzip 3.0.0.0_is1" = Filzip 3.0
"FLVPlayer" = FLV Player 1.3.2
"foobar2000" = foobar2000 v0.9.5.2
"Free YouTube Download_is1" = Free YouTube Download 2.3
"Free YouTube to Mp3 Converter_is1" = Free YouTube to Mp3 Converter version 3.1
"FreshDevices - FreshUI_is1" = FreshUI
"Gadwin PrintScreen" = Gadwin PrintScreen
"GreatFamily" = GreatFamily 2.2.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InCD!UninstallKey" = Ahead InCD
"Interactive Atlas of Great Britain: Fourth Edition" = Interactive Atlas of Great Britain: Fourth Edition
"IrfanView" = IrfanView (remove only)
"Jarte_is1" = Jarte
"JDiskReport 1.2.3" = JGoodies JDiskReport 1.2.3
"LimeWire" = LimeWire 4.16.6
"LockHunter_is1" = LockHunter version 1.0 beta 3, 32 bit edition
"Logitech Print Service" = Logitech Print Service
"Lower Case Switcher" = Lower Case Switcher
"LP Recorder" = LP Recorder
"LP Ripper" = LP Ripper
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"ManyCam" = ManyCam 2.2 (remove only)
"Mozilla Firefox (3.5.7)" = Mozilla Firefox (3.5.7)
"MRW!UninstallKey" = Ahead InCD EasyWrite Reader
"Nero - Burning Rom!UninstallKey" = Ahead Nero - Burning Rom
"NeroVision!UninstallKey" = Ahead NeroVision Express
"NetMeter_is1" = NetMeter 0.9.9.9 (beta)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NTREGOPT_is1" = NTREGOPT 1.1j
"NVIDIA Drivers" = NVIDIA Drivers
"P4M266" = ProSavageDDR and Utilities
"PaintStar_is1" = PaintStar 2.70
"PhotoJam 3" = PhotoJam 3
"Picture Window 2.5" = Picture Window 2.5
"PolderbitSRecorder" = PolderbitS Sound Recorder and Editor
"QcDrv" = Logitech® Camera Driver
"QuicktimeAlt_is1" = QuickTime Alternative 1.68
"Ramdisk" = Ramdisk
"RealPlayer 6.0" = RealPlayer
"Registry Mechanic_is1" = Registry Mechanic 5.2
"S3Display" = S3Display
"S3Gamma2" = S3Gamma2
"S3Info2" = S3Info2
"S3Overlay" = S3Overlay
"SeaTools Enterprise" = SeaTools Enterprise
"SecondLife" = SecondLife (remove only)
"Shakira Screensaver" = Shakira Screensaver
"Shareaza_is1" = Shareaza version 2.2.0.0
"Shuangs Audio Editor_is1" = Shuangs Audio Editor 2.1
"Spell Checker For OE 2.1" = Spell Checker For OE 2.1
"Spotify" = Spotify
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.5.2.20
"Spyware Doctor_is1" = Spyware Doctor 3.2
"ST5UNST #1" = project dogwaffle
"Tray Commander Lite" = Tray Commander Lite 1.2
"Tux Paint_is1" = Tux Paint 0.9.21
"Tweak UI 2.10" = Tweak UI
"Uninstall_is1" = Uninstall 1.0.0.1
"VIA Audio Driver Setup Program" = VIA Audio Driver Setup Program
"ViceVersa FREE_is1" = ViceVersa Free 1.0.4
"Video Slice" = River Past Video Slice
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 2
"WinLiveSuite_Wave3" = Windows Live Essentials
"x2VCD" = Super DVD Ripper (remove only)
"XnView_is1" = XnView 1.66
"XviD & MP3 Codec Pack_is1" = XviD & MP3 Codec Pack (remove only)
"XviD_is1" = XviD MPEG-4 Video Codec

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1123561945-1659004503-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 17/05/2009 17:39:56 | Computer Name = TYKE-8O6HTSR6QR | Source = Application Error | ID = 1000
Description = Faulting application wmplayer.exe, version 10.0.0.3646, faulting module
wininet.dll, version 7.0.5730.13, fault address 0x0005ef88.

Error - 17/05/2009 17:40:53 | Computer Name = TYKE-8O6HTSR6QR | Source = Application Hang | ID = 1002
Description = Hanging application wmplayer.exe, version 10.0.0.3646, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 22/05/2009 01:34:00 | Computer Name = TYKE-8O6HTSR6QR | Source = Application Hang | ID = 1002
Description = Hanging application taskmgr.exe, version 5.1.2600.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 24/05/2009 18:16:55 | Computer Name = TYKE-8O6HTSR6QR | Source = WindowsLiveMessenger | ID = 15728647
Description =

Error - 24/05/2009 21:49:15 | Computer Name = TYKE-8O6HTSR6QR | Source = WindowsLiveMessenger | ID = 15728647
Description =

Error - 24/05/2009 21:49:15 | Computer Name = TYKE-8O6HTSR6QR | Source = WindowsLiveMessenger | ID = 15728647
Description =

Error - 25/05/2009 19:00:54 | Computer Name = TYKE-8O6HTSR6QR | Source = WindowsLiveMessenger | ID = 15728647
Description =

Error - 28/05/2009 19:19:54 | Computer Name = TYKE-8O6HTSR6QR | Source = WindowsLiveMessenger | ID = 15728647
Description =

Error - 31/05/2009 21:42:38 | Computer Name = TYKE-8O6HTSR6QR | Source = WindowsLiveMessenger | ID = 15728647
Description =

Error - 31/05/2009 21:42:38 | Computer Name = TYKE-8O6HTSR6QR | Source = WindowsLiveMessenger | ID = 15728647
Description =

[ System Events ]
Error - 09/01/2010 09:29:23 | Computer Name = TYKE-8O6HTSR6QR | Source = DCOM | ID = 10000
Description = Unable to start a DCOM Server: {CD89D352-5A13-49F8-9EB5-7E6D1FB0CD57}.
The
error: "%2" Happened while starting this command: blank -Embedding

Error - 09/01/2010 09:30:27 | Computer Name = TYKE-8O6HTSR6QR | Source = Service Control Manager | ID = 7000
Description = The General Network Service service failed to start due to the following
error: %%3

Error - 09/01/2010 09:30:27 | Computer Name = TYKE-8O6HTSR6QR | Source = Service Control Manager | ID = 7000
Description = The ONSIO service failed to start due to the following error: %%2

Error - 09/01/2010 09:30:27 | Computer Name = TYKE-8O6HTSR6QR | Source = Service Control Manager | ID = 7023
Description = The IPSEC Services service terminated with the following error: %%10045

Error - 09/01/2010 09:30:27 | Computer Name = TYKE-8O6HTSR6QR | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
SMPLSCSI

Error - 09/01/2010 09:58:39 | Computer Name = TYKE-8O6HTSR6QR | Source = Service Control Manager | ID = 7034
Description = The IMAPI CD-Burning COM Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 09/01/2010 10:29:59 | Computer Name = TYKE-8O6HTSR6QR | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.

Error - 09/01/2010 10:29:59 | Computer Name = TYKE-8O6HTSR6QR | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.

Error - 09/01/2010 12:52:49 | Computer Name = TYKE-8O6HTSR6QR | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.

Error - 09/01/2010 12:52:49 | Computer Name = TYKE-8O6HTSR6QR | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.


< End of report >

hope ya can help me. I'm getting redirects all the time in Firefox, IE won't load at all, the system crashes occasionally, and I keep losing things like sound, taskbar items and other odd things; on each reboot things are fixed but new problems develop. I keep running Malwarebytes before each reboot, which seems to be keeping things under control, so far.

Al
ps, wasn't sure if you wanted the logs posting here or attaching, but where it said 'post here' there was no link, so I put them here, hope that's ok
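A defender-side way to read the firewall part of a log like the one above, as an added example that is not part of this thread and not code from OTL, DDS or BleepingComputer: a small Python triage script that walks the `GloballyOpenPorts` and `AuthorizedApplications` sections and flags the entries a helper would look at first. The sample log is constructed in the same shape as the lines above (reusing a few of the same entries); the scoring rules (an executable allowed inbound from a TEMP or profile directory, an enabled rule whose file is gone, a high-numbered port opened to every scope) are this example's own heuristics, not an OTL feature.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample (not captured from a real machine) in the same shape as the
# OTL-style firewall sections posted in the thread.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"80:TCP" = 80:TCP:*:Enabled:Promo
"53:UDP" = 53:UDP:*:Enabled:Promo
"65533:TCP" = 65533:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- File not found
"C:\Program Files\Java\jre1.6.0_02\bin\javaw.exe" = C:\Program Files\Java\jre1.6.0_02\bin\javaw.exe:*:Disabled:Java Platform SE binary -- (Sun Microsystems, Inc.)
"C:\WINDOWS\TEMP\_ex-08.exe" = C:\WINDOWS\TEMP\_ex-08.exe:*:Enabled:Promo -- File not found
'''

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
PORT_RE = re.compile(r'^(?P<port>\d+):(?P<proto>TCP|UDP):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)$')
# The path itself contains "C:", so the scope field is forbidden to contain a backslash
# to stop the non-greedy path from ending at the drive letter.
APP_RE = re.compile(r'^(?P<path>.+?):(?P<scope>[^:\\]*):(?P<state>Enabled|Disabled):(?P<name>.*)$')

# Heuristic (an assumption of this example): programs granted inbound access from
# these user-writable locations deserve a second look.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\application data\\", "\\local settings\\")


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    kind: str
    detail: str


def triage(log_text: str) -> List[Finding]:
    """Walk an OTL-style firewall dump and return entries worth reviewing."""
    findings: List[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]          # registry key of the current block
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value").strip()

        if section.endswith("\\StandardProfile") and name == "EnableFirewall" and value == "0":
            findings.append(Finding("high", "firewall-off",
                                    "Windows Firewall is disabled for the standard profile"))

        elif section.endswith("GloballyOpenPorts\\List"):
            pm = PORT_RE.match(value)
            if pm and pm.group("state") == "Enabled":
                port = int(pm.group("port"))
                # Assumption: a home PC rarely needs a globally open port at all, and a
                # high port opened to every scope ("*") is the stronger signal.
                sev = "high" if port >= 1024 else "medium"
                findings.append(Finding(sev, "open-port",
                    f"{port}/{pm.group('proto')} open to scope {pm.group('scope')} (rule {pm.group('name')!r})"))

        elif section.endswith("AuthorizedApplications\\List"):
            left, _, publisher = value.partition(" -- ")
            am = APP_RE.match(left)
            if not am or am.group("state") != "Enabled":
                continue                  # disabled rules are not an exposure
            path, rule = am.group("path"), am.group("name")
            if any(marker in path.lower() for marker in USER_WRITABLE_MARKERS):
                findings.append(Finding("high", "app-in-writable-dir",
                    f"{path} (rule {rule!r}) is allowed inbound from a user-writable location"))
            elif publisher.strip() == "File not found":
                findings.append(Finding("low", "stale-app-rule",
                    f"{path} (rule {rule!r}) is enabled but the file no longer exists"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity so a reader can see the triage result at a glance."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.kind}: {f.detail}")
    print(summarize(results))
```

On the constructed sample the script reports the two high ports (65533/TCP and 3246/TCP) and the TEMP executable as high, the two low ports as medium, and the stale AVG8 rule as low, while Firefox (signed, in Program Files) and the disabled Java rule produce nothing. The point is the reading order, not the script: rules whose name does not match any installed product and executables that have already been deleted are exactly the leftovers a cleanup should remove.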

#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:12:18 PM

Posted 09 January 2010 - 01:14 PM

Hi,

I prefer the logs being posted immediately in the reply, just like you did. :( So that's fine. :(

Your log shows a couple of malicious entries. Before attacking those, I would like to see the log of your last malwarebytes scan, as well as the result of a rootkit scan with gmer:

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#5 AlTyke

AlTyke
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:10:18 AM

Posted 09 January 2010 - 02:23 PM

I downloaded the GMER scanner, disabled AVG and closed all running progs. Half way through the scan it crashed; I took a screenshot, then tried again. This time, while it was again scanning services, my monitor went black. There was still hard drive activity, but eventually I had to restart the computer. The reboot was much slower than normal, but it got there eventually.
I did a Malwarebytes scan for now, which I will post now.

Malwarebytes' Anti-Malware 1.43
Database version: 3508
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

09/01/2010 19:15:58
mbam-log-2010-01-09 (19-15-54).txt

Scan type: Quick Scan
Objects scanned: 113167
Time elapsed: 6 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mssadv.exe (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Attached Files



#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:12:18 PM

Posted 09 January 2010 - 04:34 PM

Hi,

Could you please try running gmer in safe mode?

regards myrti



#7 AlTyke

AlTyke
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:10:18 AM

Posted 09 January 2010 - 04:45 PM

Hi Myrti
I have to go out soon and a reboot takes about 15 mins these days!
In the meantime, though, I have a log from a few days ago regarding rootkits; I'll post that for now and try the gmer later.
Thanks again

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/30 13:55
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: ethmh.sys
Image Path: ethmh.sys
Address: 0xF75F7000 Size: 54016 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9E5D4000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\SYSTEM32\MSONHL32.EXE
Status: Invisible to the Windows API!

Path: c:\documents and settings\all users\application data\avg9\log\avgrs.log.4
Status: Allocation size mismatch (API: 1081344, Raw: 1048576)

==EOF==

#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:12:18 PM

Posted 09 January 2010 - 04:48 PM

Hi,

if you haven't started to reboot yet, then please try this alternative tool:

Please download mbr.exe and save it to your root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe -t >"C:\mbr.log"
  • press Enter.
  • A "DOS" box will open and quickly disappear. That is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
regards myrti



#9 AlTyke

AlTyke
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:10:18 AM

Posted 09 January 2010 - 04:56 PM

ok, here it is..

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x896FC070]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x896fc070
NDIS: VIA VT6102 Rhine II Fast Ethernet Adapter -> SendCompleteHandler -> 0x89283220
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0996055B
malicious code @ sector 0x0996055E !
PE file found in sector at 0x09960574 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

hope it helps :(

#10 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:12:18 PM

Posted 09 January 2010 - 05:09 PM

Hi,

that is definitely showing an infection.

Please run the following command:
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe -f >"C:\mbr.log"
  • press Enter.
  • A "DOS" box will open and quickly disappear. That is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
Please also run ComboFix:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

ComboFix will reboot your PC, so if you are short on time, it might be better to run it later, when you have more free time. However I hope that mbr and ComboFix will be able to fix the infection and remove the slowness.

regards myrti



#11 AlTyke

AlTyke
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:10:18 AM

Posted 09 January 2010 - 06:09 PM

ok, I ran ComboFix (was fascinating!) and here's the log; I will post the mbr log straight after it as well
thanks

ComboFix 10-01-04.01 - AL 09/01/2010 22:38:04.2.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1535.1109 [GMT 0:00]
Running from: c:\documents and settings\AL\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Thumbs.db
c:\windows\system32\977081089.dat
c:\windows\system32\eventmgr.exe
c:\windows\system32\Thumbs.db
c:\windows\system32\tmp.reg
c:\windows\system32\WORK.DAT
c:\windows\unins000.dat
c:\windows\unins000.exe

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys

Infected copy of c:\windows\system32\ws2_32.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ws2_32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GENERAL_NETWORK_SERVICE
-------\Legacy_VWSERVICE
-------\Service_General Network Service
-------\Service_vwservice


((((((((((((((((((((((((( Files Created from 2009-12-09 to 2010-01-09 )))))))))))))))))))))))))))))))
.

2010-01-09 21:50 . 2010-01-09 21:49 77312 ----a-w- C:\mbr.exe
2010-01-06 05:26 . 2010-01-06 05:26 -------- d-----w- c:\documents and settings\HelpAssistant
2010-01-05 06:41 . 2010-01-05 06:41 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-29 22:02 . 2009-12-29 22:02 -------- d-----w- c:\documents and settings\AL\Application Data\Malwarebytes
2009-12-29 22:02 . 2009-12-30 14:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-29 22:02 . 2009-12-29 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-29 22:02 . 2009-12-30 14:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-29 22:02 . 2009-12-29 22:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-29 00:46 . 2009-12-29 00:46 24576 ----a-w- c:\windows\system32\PR12.DLL
2009-12-28 01:40 . 2009-12-28 01:40 -------- d-----w- C:\spoolerlogs
2009-12-26 19:16 . 2009-12-30 21:07 0 ---ha-w- c:\windows\system32\wupd.dat
2009-12-26 19:16 . 2009-12-28 06:21 24576 ----a-w- c:\windows\system32\PR11.DLL
2009-12-20 02:43 . 2009-12-20 02:43 -------- d-----w- C:\dvdbuilder
2009-12-12 02:34 . 2009-12-12 02:34 -------- d-----w- c:\documents and settings\AL\Application Data\LockHunter
2009-12-12 02:19 . 2009-12-12 02:19 -------- d-----w- c:\program files\LockHunter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-09 22:47 . 2009-07-08 22:30 12 ----a-w- c:\windows\bthservsdp.dat
2010-01-05 06:41 . 2006-12-26 02:57 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-13 13:58 . 2008-06-26 07:04 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-13 13:58 . 2008-06-26 07:04 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-13 13:57 . 2009-11-13 13:57 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2008-11-16 22:59 . 2005-12-03 03:40 7168 --sha-w- c:\program files\Thumbs.db
.

------- Sigcheck -------

[-] 2004-08-04 . 1745B00FC1141404B28F4B94F69A8871 . 359040 . . [5.1.2600.2180] . . c:\windows\system32\drivers\tcpip.sys
[-] 2004-08-04 . 1745B00FC1141404B28F4B94F69A8871 . 359040 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2002-08-29 . 244A2F9816BC9B593957281EF577D976 . 332928 . . [5.1.2600.1106] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"STManager"="c:\program files\SpeedTouch\Dr SpeedTouch\drst.exe" [2003-10-16 118784]
"LowerCaseSwitcher"="c:\program files\Lower Case Switcher\LowerCaseSW.exe" [2004-07-31 617984]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2004-06-01 196608]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Gadwin PrintScreen"="c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2008-12-09 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2004-06-01 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2004-06-01 217088]
"nwiz"="nwiz.exe" [2005-12-10 1519616]
"NvMediaCenter"="NvMCTray.dll" [2005-12-10 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-10 7311360]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-05 2033432]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 53760]

c:\documents and settings\AL\Start Menu\Programs\Startup\
GADWIN (2).lnk - c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe [2008-12-9 495616]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NkvMon.exe.lnk - c:\program files\Nikon\NkView6\NkvMon.exe [2006-4-1 241664]
ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2008-12-4 303104]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoAutoUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{20d8bda1-1958-11d6-b00f-00b0d0c6b6a5}"= "c:\program files\McAfee\McAfee Internet Security\GDSHEXT.DLL" [2003-11-20 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-01-05 06:41 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\F:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati3vyxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"TransTask"=
"TransparentIcons"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"=c:\program files\Java\jre1.6.0_02\bin\jusched.exe
"EmsaBandwidthMonitor"=
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"CTFMON"=c:\windows\Temp\_ex-08.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SpeedTouch\\Dr SpeedTouch\\DRST.EXE"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Java\\jre1.6.0_02\\bin\\javaw.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53:UDP"= 53:UDP:Promo
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3246:TCP"= 3246:TCP:Services

R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [26/01/2004 19:59 9344]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [26/06/2008 07:04 333192]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [26/06/2008 07:04 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [13/11/2009 13:57 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [05/01/2010 06:41 285392]
R2 GdFsHook;McAfee Internet Security Filter;c:\windows\system32\drivers\GdFshk.sys [05/08/2002 05:00 25984]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [14/01/2008 11:06 21632]
S0 ati3vyxx;ati3vyxx;c:\windows\system32\Drivers\ati3vyxx.sys --> c:\windows\system32\Drivers\ati3vyxx.sys [?]
S1 aas6ff5;aas6ff5;c:\windows\system32\drivers\aas6ff5.sys --> c:\windows\system32\drivers\aas6ff5.sys [?]
S1 asq4ad7;asq4ad7;c:\windows\system32\drivers\asq4ad7.sys --> c:\windows\system32\drivers\asq4ad7.sys [?]
S1 inmc2ab;inmc2ab;c:\windows\system32\drivers\inmc2ab.sys --> c:\windows\system32\drivers\inmc2ab.sys [?]
S1 jbaa837;jbaa837;c:\windows\system32\drivers\jbaa837.sys --> c:\windows\system32\drivers\jbaa837.sys [?]
S1 med430d;med430d;c:\windows\system32\drivers\med430d.sys --> c:\windows\system32\drivers\med430d.sys [?]
S1 mmk546d;mmk546d;c:\windows\system32\drivers\mmk546d.sys --> c:\windows\system32\drivers\mmk546d.sys [?]
S1 nigf441;nigf441;c:\windows\system32\drivers\nigf441.sys --> c:\windows\system32\drivers\nigf441.sys [?]
S1 onl29c6;onl29c6;c:\windows\system32\drivers\onl29c6.sys --> c:\windows\system32\drivers\onl29c6.sys [?]
S1 qgf9a40;qgf9a40;c:\windows\system32\drivers\qgf9a40.sys --> c:\windows\system32\drivers\qgf9a40.sys [?]
S1 rdb8650;rdb8650;c:\windows\system32\drivers\rdb8650.sys --> c:\windows\system32\drivers\rdb8650.sys [?]
S1 shg8fc9;shg8fc9;c:\windows\system32\drivers\shg8fc9.sys --> c:\windows\system32\drivers\shg8fc9.sys [?]
S1 tqo1c1d;tqo1c1d;c:\windows\system32\drivers\tqo1c1d.sys --> c:\windows\system32\drivers\tqo1c1d.sys [?]
S2 Avg7UpdSvccisvc;AVG7 Update Service Avg7UpdSvccisvc; [x]
S3 GuardDogEXE;McAfee Internet Security;c:\program files\McAfee\McAfee Internet Security\GuardDog.exe [05/08/2002 05:00 106544]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [20/06/2004 04:17 10880]
S3 SMALUSB;Digital Camera Driver;c:\windows\system32\drivers\smalidt.sys [03/02/2004 22:12 9216]
S3 VIASens;Vinyl Sensaura WDM 3D Audio Driver;c:\windows\system32\drivers\viasens.sys [07/11/2003 07:07 391680]
S4 BsUDF;InCD UDF Driver;c:\windows\system32\drivers\bsudf.sys [26/01/2004 19:59 389504]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/webhp?rls=ig
mStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: c:\windows\System32\CSLSP.DLL
Trusted Zone: microsoft.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\AL\Application Data\Mozilla\Firefox\Profiles\7v097ced.default\
FF - prefs.js: browser.search.selectedEngine - Answers.com
FF - component: c:\documents and settings\AL\Application Data\Mozilla\Firefox\Profiles\7v097ced.default\extensions\{7E7165E2-0767-448c-852F-5FA8714F2C37}\components\PlainOldFavorites.dll
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Tweak-XP - (no file)
HKLM-Run-RegistryMechanic - (no file)
HKLM-Run-mssadv.exe - (no file)
HKU-Default-Run-Spyware Doctor - (no file)
SSODL-E404Helper-{9164f608-219b-4d9b-9a9d-3b0d699041a2} - e404d.dll
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard
AddRemove-EPC DeInstall - C:\DeIsL2.isu
AddRemove-EPC DeInstall HIST - C:\DeIsL3.isu
AddRemove-XviD & MP3 Codec Pack_is1 - c:\windows\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-09 22:53
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(800)
c:\program files\McAfee\McAfee Internet Security\GDNP.DLL

- - - - - - - > 'lsass.exe'(856)
c:\windows\System32\CSLSP.DLL

- - - - - - - > 'explorer.exe'(3848)
c:\program files\Lower Case Switcher\LCase.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Spyware Doctor\sdhelp.exe
c:\windows\system32\wdfmgr.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\RunDLL32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\program files\Logitech\Video\FxSvr2.exe
.
**************************************************************************
.
Completion time: 2010-01-09 23:02:38 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-09 23:02

Pre-Run: 5,790,367,744 bytes free
Post-Run: 5,710,217,216 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - EDE25EEDB8B2A290C2383FC6D2F0A9C7


And here's the mbr log

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x896fc070
NDIS: VIA VT6102 Rhine II Fast Ethernet Adapter -> SendCompleteHandler -> 0x89283220
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0996055B
malicious code @ sector 0x0996055E !
PE file found in sector at 0x09960574 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
original MBR restored successfully !

Al

#12 myrti (Malware Study Hall Admin)

Posted 09 January 2010 - 06:53 PM

Hi,

ComboFix took out quite some nasties! One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


Did you run the command mbr -f or did you run mbr -t?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#13 AlTyke (Topic Starter)

Posted 09 January 2010 - 09:08 PM

Hi,
I used the -t the first time, and the -f the second time.
I have changed the passwords, though I rarely do any serious banking on this machine.
I would like to avoid formatting if at all possible though?
Again, thanks for your help! I have had no problems since the fix and a couple of scans have come up as clean.
I think the machine needs some old stuff clearing out though; I'll await your advice.

Al

#14 myrti (Malware Study Hall Admin)

Posted 09 January 2010 - 09:31 PM

Hi,

Could you please run fixmbr -f once more; it seems not to have worked:
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe -f >"C:\mbr.log"
  • press Enter.
  • A "DOS" box will open and quickly disappear. That is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
regards myrti



#15 AlTyke (Topic Starter)

Posted 09 January 2010 - 09:45 PM

OK, here's the log

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0996055B
malicious code @ sector 0x0996055E !
PE file found in sector at 0x09960574 !

Al
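The two mbr.exe logs in this thread read differently: the first run lists rootkit hooks and restores the original MBR, the second (after "mbr.exe -f") says "user & kernel MBR OK" but still reports a copy of the MBR, malicious code and a PE file in later sectors, which is what myrti is reacting to. The following Python helper is an added example for this page, not Gmer's tool and not part of the advice given in the thread: it parses the Gmer mbr.exe output format as posted above and summarises each run. The log texts are copied from the posts above; the status labels ("infected", "mbr_ok_residual", "clean", "inconclusive") are this example's own names, not Gmer's.

```python
import re

# The two Gmer mbr.exe logs posted earlier in this thread (copied, not constructed).
LOG_FIRST_RUN = r"""Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x896fc070
NDIS: VIA VT6102 Rhine II Fast Ethernet Adapter -> SendCompleteHandler -> 0x89283220
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0996055B
malicious code @ sector 0x0996055E !
PE file found in sector at 0x09960574 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
original MBR restored successfully !
"""

LOG_AFTER_FIX = r"""Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0996055B
malicious code @ sector 0x0996055E !
PE file found in sector at 0x09960574 !
"""

# Hex sector number in "... sector 0x..." and "... sector at 0x..." lines.
SECTOR_RE = re.compile(r"sector(?: at)? (0x[0-9A-Fa-f]+)")


def parse_mbr_log(text):
    """Turn one mbr.exe run into a dict of the facts the log states."""
    report = {
        "user_mbr_read": False,
        "kernel_mbr_read": False,
        "mbr_ok": False,          # "user & kernel MBR OK"
        "hooks": [],              # lines listed under "detected MBR rootkit hooks:"
        "warning": False,         # "Warning: possible MBR rootkit infection !"
        "mbr_copy_sector": None,  # "copy of MBR has been found in sector ..."
        "malicious_sectors": [],  # "malicious code @ sector ..."
        "pe_sectors": [],         # "PE file found in sector at ..."
        "restored": False,        # "original MBR restored successfully !"
    }
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_hooks and " -> " in line:       # hook lines follow the header until a non-hook line
            report["hooks"].append(line)
            continue
        in_hooks = False
        sector = SECTOR_RE.search(line)
        if line.startswith("user: MBR read successfully"):
            report["user_mbr_read"] = True
        elif line.startswith("kernel: MBR read successfully"):
            report["kernel_mbr_read"] = True
        elif line.startswith("user & kernel MBR OK"):
            report["mbr_ok"] = True
        elif line.startswith("detected MBR rootkit hooks:"):
            in_hooks = True
        elif line.startswith("Warning:"):
            report["warning"] = True
        elif line.startswith("copy of MBR has been found") and sector:
            report["mbr_copy_sector"] = int(sector.group(1), 16)
        elif line.startswith("malicious code @ sector") and sector:
            report["malicious_sectors"].append(int(sector.group(1), 16))
        elif line.startswith("PE file found in sector") and sector:
            report["pe_sectors"].append(int(sector.group(1), 16))
        elif line.startswith("original MBR restored successfully"):
            report["restored"] = True
    return report


def assess(report):
    """Classify a parsed run; these labels are this example's own, not Gmer's."""
    if report["hooks"] or report["warning"]:
        return "infected"            # the live MBR is hooked
    if not (report["user_mbr_read"] and report["kernel_mbr_read"]):
        return "inconclusive"        # the tool could not read the MBR both ways
    if report["mbr_ok"] and (report["malicious_sectors"] or report["pe_sectors"]):
        return "mbr_ok_residual"     # MBR clean, but sectors still flagged: rerun/escalate
    return "clean" if report["mbr_ok"] else "inconclusive"


if __name__ == "__main__":
    for name, log in (("first run", LOG_FIRST_RUN), ("after -f", LOG_AFTER_FIX)):
        r = parse_mbr_log(log)
        print(f"{name}: {assess(r)}; hooks={len(r['hooks'])}, "
              f"malicious={[hex(s) for s in r['malicious_sectors']]}, restored={r['restored']}")
```

Run as-is it prints "infected" for the first log and "mbr_ok_residual" for the second, which is the distinction myrti draws: the hooks are gone after -f, but the tool still reports flagged sectors, so the log alone is not proof the machine is clean.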



