My browser is being hijacked? Unknown virus


  • This topic is locked
13 replies to this topic

#1 SalA

SalA

  • Members
  • 11 posts
  • OFFLINE
  • Local time:07:05 AM

Posted 31 December 2009 - 01:44 AM

Starting today, whenever I search something in Google and then click a link, it redirects me to some site about health or money-making scams. And sometimes the link tries to download a virus and AVG stops it. The logs are below, but I am running Windows 7 and RootRepeal for some reason gives me an error every time I use it, but here are the other logs.


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 12/29/2009 11:30:27 AM
System Uptime: 12/30/2009 10:28:23 PM (3 hours ago)

Motherboard: Hewlett-Packard | | 09E0h
Processor: Intel® Pentium® 4 CPU 3.20GHz | XU1 PROCESSOR | 3200/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 37 GiB total, 14.798 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 250 GiB total, 236.501 GiB free.
K: is FIXED (NTFS) - 216 GiB total, 203.591 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4d36e96f-e325-11ce-bfc1-08002be10318}
Description: PS/2 Compatible Mouse
Device ID: ACPI\PNP0F13\4&33ADA874&0
Manufacturer: Microsoft
Name: PS/2 Compatible Mouse
PNP Device ID: ACPI\PNP0F13\4&33ADA874&0
Service: i8042prt

Class GUID: {4d36e96b-e325-11ce-bfc1-08002be10318}
Description: Standard PS/2 Keyboard
Device ID: ACPI\PNP0303\4&33ADA874&0
Manufacturer: (Standard keyboards)
Name: Standard PS/2 Keyboard
PNP Device ID: ACPI\PNP0303\4&33ADA874&0
Service: i8042prt

==== System Restore Points ===================

RP12: 12/29/2009 9:36:34 PM - Windows Update
RP13: 12/29/2009 9:45:17 PM - Installed AVG 9.0
RP15: 12/29/2009 9:50:20 PM - Avg8 Update
RP16: 12/30/2009 1:05:37 PM - Windows Update

==== Installed Programs ======================

Adobe Flash Player 10 Plugin
AVG 9.0
HijackThis 2.0.2
Intel® Graphics Media Accelerator Driver
Internet TV for Windows Media Center
Malwarebytes' Anti-Malware
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.6)
NETGEAR WG111v2 wireless USB 2.0 adapter

==== Event Viewer Messages From Past Week ========

12/30/2009 9:53:45 PM, Error: Microsoft-Windows-SharedAccess_NAT [34001] - The ICS_IPV6 failed to configure IPv6 stack.
12/30/2009 10:29:32 PM, Error: Microsoft-Windows-SharedAccess_NAT [31004] - The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.
12/29/2009 9:41:43 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Avgfwfd
12/29/2009 6:08:27 PM, Error: Microsoft-Windows-SharedAccess_NAT [30013] - The DHCP allocator has disabled itself on IP address 169.254.56.103, since the IP address is outside the 192.168.137.0/255.255.255.0 scope from which addresses are being allocated to DHCP clients. To enable the DHCP allocator on this IP address, change the scope to include the IP address, or change the IP address to fall within the scope.
12/29/2009 5:25:49 PM, Error: Service Control Manager [7030] - The SCM_Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

==== End Of File ===========================

DDS (Ver_09-12-01.01) - NTFSx86
Run by Sal at 1:31:01.66 on Thu 12/31/2009
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2040.983 [GMT -5:00]


============== Running Processes ===============

K:\Windows\system32\wininit.exe
K:\Program Files\AVG\AVG9\avgchsvx.exe
K:\Program Files\AVG\AVG9\avgrsx.exe
K:\Windows\system32\lsm.exe
K:\Program Files\AVG\AVG9\avgcsrvx.exe
K:\Windows\system32\svchost.exe -k DcomLaunch
K:\Windows\system32\svchost.exe -k RPCSS
K:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
K:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
K:\Windows\system32\svchost.exe -k netsvcs
K:\Windows\system32\svchost.exe -k LocalService
K:\Windows\system32\svchost.exe -k NetworkService
K:\Windows\System32\spoolsv.exe
K:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
K:\Windows\system32\taskhost.exe
K:\Windows\system32\Dwm.exe
K:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
K:\Program Files\AVG\AVG9\avgwdsvc.exe
K:\Program Files\AVG\AVG9\avgfws9.exe
K:\Windows\System32\WinService.exe
K:\Program Files\AVG\AVG9\avgam.exe
K:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
K:\Program Files\AVG\AVG9\avgnsx.exe
K:\Program Files\AVG\AVG9\avgemc.exe
K:\Program Files\AVG\AVG9\avgcsrvx.exe
K:\Program Files\AVG\AVG9\avgcsrvx.exe
K:\Windows\System32\alg.exe
K:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
K:\Windows\System32\igfxtray.exe
K:\Windows\System32\igfxpers.exe
K:\Program Files\AVG\AVG9\avgtray.exe
K:\Program Files\Windows Sidebar\sidebar.exe
K:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
K:\Windows\system32\conhost.exe
K:\Windows\system32\SearchIndexer.exe
K:\Program Files\Windows Media Player\wmpnetwk.exe
K:\Windows\System32\svchost.exe -k LocalServicePeerNet
K:\Windows\explorer.exe
K:\Windows\system32\svchost.exe -k SDRSVC
K:\Users\Sal\Downloads\windows-kb890830-v3.2.exe
e:\a30b29b555c43678386d718d\mrtstub.exe
K:\Windows\system32\MRT.exe
K:\Program Files\Mozilla Firefox\firefox.exe
K:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
K:\Windows\system32\SearchProtocolHost.exe
K:\Windows\system32\SearchFilterHost.exe
K:\Users\Sal\Downloads\dds.scr
K:\Windows\system32\conhost.exe
K:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - k:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - k:\program files\avg\avg9\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - k:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - k:\program files\avg\avg9\toolbar\IEToolbar.dll
uRun: [Sidebar] k:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [IgfxTray] k:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] k:\windows\system32\hkcmd.exe
mRun: [Persistence] k:\windows\system32\igfxpers.exe
mRun: [AVG9_TRAY] k:\progra~1\avg\avg9\avgtray.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "k:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: k:\progra~2\micros~1\windows\startm~1\programs\startup\netgea~1.lnk - k:\program files\netgear\wg111v2\WG111v2.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - k:\program files\avg\avg9\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - k:\users\sal\appdata\roaming\mozilla\firefox\profiles\4axyfwcm.default\
FF - component: k:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: k:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: k:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: k:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: k:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll

---- FIREFOX POLICIES ----
k:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrw7x;AVG9IDSErHr;k:\windows\system32\drivers\AVGIDSwx.sys [2009-12-29 25608]
R0 AvgRkx86;avgrkx86.sys;k:\windows\system32\drivers\avgrkx86.sys [2009-12-29 161800]
R0 SCMNdisP;General NDIS Protocol Driver;k:\windows\system32\drivers\SCMNdisP.sys [2009-12-29 21728]
R1 Avgfwfd;AVG network filter service;k:\windows\system32\drivers\avgfwd6x.sys [2009-12-29 24856]
R1 AvgLdx86;AVG AVI Loader Driver x86;k:\windows\system32\drivers\avgldx86.sys [2009-12-29 333192]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;k:\windows\system32\drivers\avgmfx86.sys [2009-12-29 28424]
R1 AvgTdiX;AVG Network Redirector;k:\windows\system32\drivers\avgtdix.sys [2009-12-29 360584]
R2 avg9emc;AVG E-mail Scanner;k:\program files\avg\avg9\avgemc.exe [2009-12-29 906520]
R2 avg9wd;AVG WatchDog;k:\program files\avg\avg9\avgwdsvc.exe [2009-12-29 285392]
R2 avgfws9;AVG Firewall;k:\program files\avg\avg9\avgfws9.exe [2009-12-29 2303680]
R2 AVGIDSAgent;AVG9IDSAgent;k:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2009-12-29 5832712]
R2 SCM_Service;SCM_Service;k:\windows\system32\WinService.exe [2009-12-29 180224]
R3 AVGIDSDriverw7x;AVG9IDSDriver;k:\program files\avg\avg9\identity protection\agent\driver\platform_win7\AVGIDSDriver.sys [2009-12-29 122376]
R3 AVGIDSFilterw7x;AVG9IDSFilter;k:\program files\avg\avg9\identity protection\agent\driver\platform_win7\AVGIDSFilter.sys [2009-12-29 30216]
R3 AVGIDSShimw7x;AVG9IDSShim;k:\program files\avg\avg9\identity protection\agent\driver\platform_win7\AVGIDSShim.sys [2009-12-29 21208]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;k:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
R3 MBAMSwissArmy;MBAMSwissArmy;k:\windows\system32\drivers\mbamswissarmy.sys [2009-12-30 38224]
R3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;k:\windows\system32\drivers\wg111v2.sys [2009-12-29 288768]

=============== Created Last 30 ================

2009-12-31 04:56:48 0 d-----w- K:\VundoFix Backups
2009-12-31 03:15:22 0 d-----w- k:\users\sal\appdata\roaming\Malwarebytes
2009-12-31 03:15:16 38224 ----a-w- k:\windows\system32\drivers\mbamswissarmy.sys
2009-12-31 03:15:13 19160 ----a-w- k:\windows\system32\drivers\mbam.sys
2009-12-31 03:15:13 0 d-----w- k:\programdata\Malwarebytes
2009-12-31 03:15:13 0 d-----w- k:\program files\Malwarebytes' Anti-Malware
2009-12-30 18:40:10 155648 ----a-w- k:\windows\system32\igfxres.dll
2009-12-30 18:08:00 257024 ----a-w- k:\windows\system32\msv1_0.dll
2009-12-30 18:07:17 2048 ----a-w- k:\windows\system32\tzres.dll
2009-12-30 02:46:06 25608 ----a-w- k:\windows\system32\drivers\AVGIDSwx.sys
2009-12-30 02:46:06 12464 ----a-w- k:\windows\system32\avgrsstx.dll
2009-12-30 02:46:05 161800 ----a-w- k:\windows\system32\drivers\avgrkx86.sys
2009-12-30 02:46:04 360584 ----a-w- k:\windows\system32\drivers\avgtdix.sys
2009-12-30 02:45:57 333192 ----a-w- k:\windows\system32\drivers\avgldx86.sys
2009-12-30 02:45:55 0 d-----w- k:\windows\system32\drivers\Avg
2009-12-30 02:45:53 0 d-----w- k:\programdata\AVG Security Toolbar
2009-12-30 02:45:32 0 d-----w- k:\program files\AVG
2009-12-30 02:45:31 0 d-----w- k:\programdata\avg9
2009-12-30 02:41:50 0 d-----w- K:\Intel
2009-12-30 02:37:05 0 d-----w- k:\windows\system32\x64
2009-12-29 22:25:15 290816 ----a-w- k:\windows\system32\SCMLib.dll
2009-12-29 22:25:15 288768 ----a-w- k:\windows\system32\drivers\wg111v2.sys
2009-12-29 22:25:15 21728 ----a-w- k:\windows\system32\drivers\SCMNdisP.sys
2009-12-29 22:25:15 180224 ----a-w- k:\windows\system32\WinService.exe
2009-12-29 22:25:14 0 d-----w- k:\program files\NETGEAR
2009-12-29 19:19:57 0 d-----w- k:\windows\Panther
2009-12-29 17:24:46 24856 ----a-w- k:\windows\system32\drivers\avgfwd6x.sys
2009-12-29 17:23:59 0 d-sh--w- k:\windows\Installer
2009-12-29 16:59:23 195456 ------w- k:\windows\system32\MpSigStub.exe
2009-12-29 16:39:17 3 ----a-w- k:\windows\7Loader.TAG
2009-12-29 16:37:44 713888 ----a-w- k:\windows\system32\PerfStringBackup.INI
2009-12-29 16:34:43 0 d-----w- k:\windows\system32\wbem\Performance
2009-12-28 19:45:47 0 d--h--w- K:\$AVG
2009-12-28 19:30:22 0 d-sh--w- K:\Recovery

==================== Find3M ====================

2009-12-30 21:05:40 21584 ----a-w- k:\windows\system32\drivers\atapi.sys
2009-07-14 04:56:42 31548 ----a-w- k:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- k:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- k:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- k:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- k:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- k:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- k:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- k:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- k:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- k:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- k:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 1:33:16.22 ===============
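
The DDS log above is long, and the parts a responder actually reads first are the driver/service entries, the files created in the last 30 days, and the Find3M list of recently modified files. The following Python script is an added example, not code from this thread or from the DDS tool: it parses those three sections (the section headers, the `R0 name;display;path [date size]` driver lines and the `date time size attrs path` file lines follow the format shown in the posted log) and produces a short review list. The sample lines are a constructed subset copied from the log above; the heuristics (a 7-day age window, treating DDS `R0`/`R1` entries as boot- and system-start drivers, and flagging a core driver that was modified in place without a matching "Created" entry) are my own triage choices and produce candidates for a human to check, not verdicts.

```python
import re
from datetime import date

# Constructed sample: a handful of lines copied in the format of the DDS log
# posted above (three of its sections). Dates and sizes are as shown there.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;k:\windows\system32\drivers\avgrkx86.sys [2009-12-29 161800]
R0 SCMNdisP;General NDIS Protocol Driver;k:\windows\system32\drivers\SCMNdisP.sys [2009-12-29 21728]
R2 SCM_Service;SCM_Service;k:\windows\system32\WinService.exe [2009-12-29 180224]
R3 MBAMSwissArmy;MBAMSwissArmy;k:\windows\system32\drivers\mbamswissarmy.sys [2009-12-30 38224]

=============== Created Last 30 ================

2009-12-31 03:15:16 38224 ----a-w- k:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 18:08:00 257024 ----a-w- k:\windows\system32\msv1_0.dll
2009-12-29 22:25:15 21728 ----a-w- k:\windows\system32\drivers\SCMNdisP.sys

==================== Find3M ====================

2009-12-30 21:05:40 21584 ----a-w- k:\windows\system32\drivers\atapi.sys
2009-07-14 04:56:42 31548 ----a-w- k:\windows\inf\perflib\0409\perfd.dat

============= FINISH: 1:33:16.22 ===============
"""

SCAN_DATE = date(2009, 12, 31)  # the date the log header says DDS was run

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "R0 name;display name;path [YYYY-M-D size]" (assumed DDS driver/service layout)
SERVICE_RE = re.compile(
    r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(\d{4}-\d{1,2}-\d{1,2})\s+(\d+)\]$")
# "YYYY-MM-DD HH:MM:SS size attrs path" (assumed DDS file-listing layout)
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+\d{2}:\d{2}:\d{2}\s+(\d+)\s+\S{8}\s+(.+)$")


def _to_date(text):
    year, month, day = (int(part) for part in text.split("-"))
    return date(year, month, day)


def parse_dds(text):
    """Extract driver/service entries and file entries from a DDS log body."""
    section = None
    services, files = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).upper()   # e.g. "SERVICES / DRIVERS"
            continue
        if section == "SERVICES / DRIVERS":
            m = SERVICE_RE.match(line)
            if m:
                services.append({"start": m.group(1), "name": m.group(2),
                                 "display": m.group(3), "path": m.group(4),
                                 "date": _to_date(m.group(5)), "size": int(m.group(6))})
        elif section in ("CREATED LAST 30", "FIND3M"):
            m = FILE_RE.match(line)
            if m:
                files.append({"section": section, "date": _to_date(m.group(1)),
                              "size": int(m.group(2)), "path": m.group(3)})
    return {"services": services, "files": files}


def triage(parsed, scan_date, window_days=7):
    """Return (kind, path) pairs worth a closer look. Heuristics, not verdicts."""
    findings = []
    created = {f["path"].lower() for f in parsed["files"] if f["section"] == "CREATED LAST 30"}
    sizes = {f["path"].lower(): f["size"] for f in parsed["files"]}
    for svc in parsed["services"]:
        age = (scan_date - svc["date"]).days
        # Boot/system-start drivers (R0/R1) registered within the window load
        # before most defences do, so every new one deserves a look.
        if svc["start"] in ("R0", "R1") and age <= window_days:
            findings.append(("recent-early-start-driver", svc["path"]))
        # Size in the service entry disagreeing with the file listing means the
        # image on disk changed after the service was registered.
        key = svc["path"].lower()
        if key in sizes and sizes[key] != svc["size"]:
            findings.append(("size-mismatch", svc["path"]))
    for f in parsed["files"]:
        p = f["path"].lower()
        # A driver under system32\drivers that was modified recently (Find3M)
        # but was NOT newly created is a file changed in place.
        if (f["section"] == "FIND3M" and "\\system32\\drivers\\" in p
                and p not in created and (scan_date - f["date"]).days <= window_days):
            findings.append(("modified-in-place-driver", f["path"]))
    return findings


def run_sample():
    return triage(parse_dds(SAMPLE_LOG), SCAN_DATE)


if __name__ == "__main__":
    for kind, path in run_sample():
        print(f"{kind:28s} {path}")
```

On the sample, the two AVG and NETGEAR boot-start drivers show up simply because they were installed two days before the scan, which is why the first two findings need the install history from the "System Restore Points" and "Installed Programs" sections before they mean anything. The `modified-in-place-driver` finding is the one to examine first: a stock Windows driver rarely changes outside a Windows Update, so a responder would compare that file's hash or version against a clean copy of the same Windows build before drawing any conclusion.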


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:05 AM

Posted 31 December 2009 - 12:58 PM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT




  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.


=============

The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run, click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 SalA

SalA
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:07:05 AM

Posted 31 December 2009 - 03:54 PM

Logs:

OTL logfile created on: 12/31/2009 3:37:42 PM - Run 1
OTL by OldTimer - Version 3.1.20.1 Folder = K:\Users\Sal\Desktop
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 65.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = K: | %SystemRoot% = K:\Windows | %ProgramFiles% = K:\Program Files
Drive C: | 37.26 Gb Total Space | 14.80 Gb Free Space | 39.73% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 250.08 Gb Total Space | 236.54 Gb Free Space | 94.58% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive K: | 215.68 Gb Total Space | 205.72 Gb Free Space | 95.38% Space Free | Partition Type: NTFS

Computer Name: SAL-PC
Current User Name: Sal
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/12/31 15:35:48 | 00,513,536 | ---- | M] (OldTimer Tools) -- K:\Users\Sal\Desktop\OTL.exe
PRC - [2009/12/29 21:50:15 | 02,033,432 | ---- | M] (AVG Technologies CZ, s.r.o.) -- K:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2009/12/29 21:45:48 | 01,055,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- K:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2009/12/29 21:45:47 | 00,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- K:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2009/12/29 21:45:47 | 00,600,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- K:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2009/12/29 21:45:47 | 00,503,576 | ---- | M] (AVG Technologies CZ, s.r.o.) -- K:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2009/12/29 21:45:44 | 02,303,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- K:\Program Files\AVG\AVG9\avgfws9.exe
PRC - [2009/12/29 21:45:44 | 00,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- K:\Program Files\AVG\AVG9\avgemc.exe
PRC - [2009/12/29 21:45:44 | 00,827,160 | ---- | M] (AVG Technologies CZ, s.r.o.) -- K:\Program Files\AVG\AVG9\avgam.exe
PRC - [2009/12/29 21:45:44 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- K:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2009/12/29 21:45:42 | 00,592,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- K:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
PRC - [2009/12/29 21:45:40 | 05,832,712 | ---- | M] (AVG Technologies CZ, s.r.o.) -- K:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
PRC - [2009/12/02 09:17:44 | 00,908,248 | ---- | M] (Mozilla Corporation) -- K:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/08/03 00:35:50 | 02,613,248 | ---- | M] (Microsoft Corporation) -- K:\Windows\explorer.exe
PRC - [2009/07/13 20:14:42 | 00,049,152 | ---- | M] (Microsoft Corporation) -- K:\Windows\System32\taskhost.exe
PRC - [2009/07/13 20:14:29 | 03,179,520 | ---- | M] (Microsoft Corporation) -- K:\Windows\System32\sppsvc.exe
PRC - [2009/07/13 20:14:15 | 00,271,360 | ---- | M] (Microsoft Corporation) -- K:\Windows\System32\conhost.exe
PRC - [2007/09/13 16:35:08 | 01,261,568 | ---- | M] () -- K:\Program Files\NETGEAR\WG111v2\WG111v2.exe
PRC - [2007/07/17 15:48:16 | 00,180,224 | ---- | M] () -- K:\Windows\System32\WinService.exe
PRC - [2006/10/06 20:13:28 | 00,114,688 | ---- | M] (Intel Corporation) -- K:\Windows\System32\hkcmd.exe
PRC - [2006/10/06 20:11:10 | 00,098,304 | ---- | M] (Intel Corporation) -- K:\Windows\System32\igfxtray.exe
PRC - [2006/10/06 20:10:06 | 00,094,208 | ---- | M] (Intel Corporation) -- K:\Windows\System32\igfxpers.exe


========== Modules (SafeList) ==========

MOD - [2009/12/31 15:35:48 | 00,513,536 | ---- | M] (OldTimer Tools) -- K:\Users\Sal\Desktop\OTL.exe
MOD - [2009/12/29 21:46:06 | 00,012,464 | ---- | M] (AVG Technologies CZ, s.r.o.) -- K:\Windows\System32\avgrsstx.dll
MOD - [2009/07/13 20:16:15 | 00,099,840 | ---- | M] (Microsoft Corporation) -- K:\Windows\System32\sspicli.dll
MOD - [2009/07/13 20:16:13 | 00,092,160 | ---- | M] (Microsoft Corporation) -- K:\Windows\System32\sechost.dll
MOD - [2009/07/13 20:16:13 | 00,050,688 | ---- | M] (Microsoft Corporation) -- K:\Windows\System32\samcli.dll
MOD - [2009/07/13 20:16:12 | 00,031,744 | ---- | M] (Microsoft Corporation) -- K:\Windows\System32\profapi.dll
MOD - [2009/07/13 20:16:03 | 00,022,016 | ---- | M] (Microsoft Corporation) -- K:\Windows\System32\netutils.dll
MOD - [2009/07/13 20:15:35 | 00,288,256 | ---- | M] (Microsoft Corporation) -- K:\Windows\System32\KernelBase.dll
MOD - [2009/07/13 20:15:13 | 00,067,072 | ---- | M] (Microsoft Corporation) -- K:\Windows\System32\dwmapi.dll
MOD - [2009/07/13 20:15:11 | 00,064,512 | ---- | M] (Microsoft Corporation) -- K:\Windows\System32\devobj.dll
MOD - [2009/07/13 20:15:07 | 00,036,864 | ---- | M] (Microsoft Corporation) -- K:\Windows\System32\cryptbase.dll
MOD - [2009/07/13 20:15:02 | 00,145,920 | ---- | M] (Microsoft Corporation) -- K:\Windows\System32\cfgmgr32.dll
MOD - [2009/07/13 20:03:50 | 01,680,896 | ---- | M] (Microsoft Corporation) -- K:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/12/29 21:45:44 | 02,303,680 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- K:\Program Files\AVG\AVG9\avgfws9.exe -- (avgfws9)
SRV - [2009/12/29 21:45:44 | 00,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- K:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2009/12/29 21:45:44 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- K:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2009/12/29 21:45:40 | 05,832,712 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- K:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2009/07/13 20:16:21 | 00,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- K:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009/07/13 20:16:17 | 00,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- K:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/07/13 20:16:17 | 00,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- K:\Windows\System32\umpo.dll -- (Power)
SRV - [2009/07/13 20:16:16 | 00,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- K:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009/07/13 20:16:15 | 00,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- K:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009/07/13 20:16:13 | 00,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- K:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/07/13 20:16:13 | 00,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- K:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 20:16:12 | 01,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- K:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/13 20:16:12 | 00,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- K:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009/07/13 20:16:12 | 00,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- K:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009/07/13 20:16:12 | 00,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- K:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/13 20:16:12 | 00,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- K:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009/07/13 20:15:41 | 00,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- K:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/13 20:15:36 | 00,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- K:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/07/13 20:15:21 | 00,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- K:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/13 20:15:11 | 00,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- K:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/13 20:15:10 | 00,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- K:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009/07/13 20:14:59 | 00,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- K:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009/07/13 20:14:58 | 00,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- K:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
SRV - [2009/07/13 20:14:53 | 00,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- K:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009/07/13 20:14:29 | 03,179,520 | ---- | M] (Microsoft Corporation) [Auto | Running] -- K:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2007/07/17 15:48:16 | 00,180,224 | ---- | M] () [Auto | Running] -- K:\Windows\System32\WinService.exe -- (SCM_Service)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3953335833-2417556955-434272650-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-3953335833-2417556955-434272650-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-3953335833-2417556955-434272650-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = F1 EB 25 15 A5 88 CA 01 [binary data]
IE - HKU\S-1-5-21-3953335833-2417556955-434272650-1000\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - K:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-21-3953335833-2417556955-434272650-1000\S-1-5-21-3953335833-2417556955-434272650-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: cfxHelper@Triton:0.9.9.5
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.716
FF - prefs.js..extensions.enabledItems: avg@igeared:3.011.025.005
FF - prefs.js..extensions.enabledItems: {241aae70-0022-11de-87af-0800200c9a66}:3.5.2.08.11.09
FF - prefs.js..extensions.enabledItems: cfxe@Triton:3.2.5

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: K:\Program Files\AVG\AVG9\Firefox [2009/12/29 21:45:32 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\avg@igeared: K:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared [2009/12/29 21:45:53 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Components: K:\Program Files\Mozilla Firefox\components [2009/12/29 11:39:02 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Plugins: K:\Program Files\Mozilla Firefox\plugins [2009/12/29 11:39:01 | 00,000,000 | ---D | M]

[2009/12/29 11:43:45 | 00,000,000 | ---D | M] -- K:\Users\Sal\AppData\Roaming\Mozilla\Extensions
[2009/12/30 12:04:51 | 00,000,000 | ---D | M] -- K:\Users\Sal\AppData\Roaming\Mozilla\Firefox\Profiles\4axyfwcm.default\extensions
[2009/12/29 11:52:51 | 00,000,000 | ---D | M] (Blue Fox) -- K:\Users\Sal\AppData\Roaming\Mozilla\Firefox\Profiles\4axyfwcm.default\extensions\{241aae70-0022-11de-87af-0800200c9a66}
[2009/12/29 11:51:15 | 00,000,000 | ---D | M] -- K:\Users\Sal\AppData\Roaming\Mozilla\Firefox\Profiles\4axyfwcm.default\extensions\cfxe@Triton
[2009/12/29 11:51:29 | 00,000,000 | ---D | M] -- K:\Users\Sal\AppData\Roaming\Mozilla\Firefox\Profiles\4axyfwcm.default\extensions\cfxHelper@Triton
[2009/12/29 11:39:01 | 00,000,000 | ---D | M] -- K:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: (824 bytes) - K:\Windows\System32\drivers\etc\hosts
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - K:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - K:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - K:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [AVG9_TRAY] K:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [HotKeysCmds] K:\Windows\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] K:\Windows\System32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] K:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [Persistence] K:\Windows\System32\igfxpers.exe (Intel Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] K:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] K:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - K:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - AppInit_DLLs: (avgrsstx.dll) - K:\Windows\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - K:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - K:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - K:\Windows\System32\igfxdev.dll (Intel Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O30 - LSA: Security Packages - (pku2u) - K:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/09/28 13:26:19 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/06/10 16:42:20 | 00,000,024 | ---- | M] () - K:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - K:\Windows\System32\ias [2009/07/13 21:37:08 | 00,000,000 | ---D | M]
NetSvcs: Irmon - K:\Windows\System32\irmon.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - K:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
NetSvcs: Themes - K:\Windows\System32\themeservice.dll (Microsoft Corporation)
NetSvcs: BDESVC - K:\Windows\System32\bdesvc.dll (Microsoft Corporation)

========== Files/Folders - Created Within 14 Days ==========

[2009/12/31 15:35:45 | 00,513,536 | ---- | C] (OldTimer Tools) -- K:\Users\Sal\Desktop\OTL.exe
[2009/12/30 23:56:48 | 00,000,000 | ---D | C] -- K:\VundoFix Backups
[2009/12/30 22:15:22 | 00,000,000 | ---D | C] -- K:\Users\Sal\AppData\Roaming\Malwarebytes
[2009/12/30 22:15:16 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- K:\Windows\System32\drivers\mbamswissarmy.sys
[2009/12/30 22:15:13 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- K:\Windows\System32\drivers\mbam.sys
[2009/12/30 22:15:13 | 00,000,000 | ---D | C] -- K:\Program Files\Malwarebytes' Anti-Malware
[2009/12/30 22:15:13 | 00,000,000 | ---D | C] -- K:\ProgramData\Malwarebytes
[2009/12/30 20:46:44 | 00,000,000 | R--D | C] -- K:\Users\Sal\Documents\Scanned Documents
[2009/12/30 20:46:44 | 00,000,000 | ---D | C] -- K:\Users\Sal\Documents\Fax
[2009/12/30 17:32:43 | 00,000,000 | ---D | C] -- K:\Users\Sal\AppData\Local\Microsoft Games
[2009/12/29 21:49:39 | 00,000,000 | ---D | C] -- K:\Users\Sal\AppData\Local\AVG Security Toolbar
[2009/12/29 21:46:06 | 00,025,608 | ---- | C] (AVG Technologies ) -- K:\Windows\System32\drivers\AVGIDSwx.sys
[2009/12/29 21:46:06 | 00,012,464 | ---- | C] (AVG Technologies CZ, s.r.o.) -- K:\Windows\System32\avgrsstx.dll
[2009/12/29 21:46:05 | 00,161,800 | ---- | C] (AVG Technologies CZ, s.r.o.) -- K:\Windows\System32\drivers\avgrkx86.sys
[2009/12/29 21:46:04 | 00,360,584 | ---- | C] (AVG Technologies CZ, s.r.o.) -- K:\Windows\System32\drivers\avgtdix.sys
[2009/12/29 21:45:57 | 00,333,192 | ---- | C] (AVG Technologies CZ, s.r.o.) -- K:\Windows\System32\drivers\avgldx86.sys
[2009/12/29 21:45:56 | 00,028,424 | ---- | C] (AVG Technologies CZ, s.r.o.) -- K:\Windows\System32\drivers\avgmfx86.sys
[2009/12/29 21:45:55 | 00,000,000 | ---D | C] -- K:\Windows\System32\drivers\Avg
[2009/12/29 21:45:53 | 00,000,000 | ---D | C] -- K:\ProgramData\AVG Security Toolbar
[2009/12/29 21:45:32 | 00,000,000 | ---D | C] -- K:\Program Files\AVG
[2009/12/29 21:45:31 | 00,000,000 | ---D | C] -- K:\ProgramData\avg9
[2009/12/29 21:41:50 | 00,000,000 | ---D | C] -- K:\Intel
[2009/12/29 21:37:05 | 00,000,000 | ---D | C] -- K:\Windows\System32\x64
[2009/12/29 17:25:15 | 00,290,816 | ---- | C] (SerComm Corporation) -- K:\Windows\System32\SCMLib.dll
[2009/12/29 17:25:15 | 00,288,768 | ---- | C] (NETGEAR Inc.) -- K:\Windows\System32\drivers\wg111v2.sys
[2009/12/29 17:25:15 | 00,021,728 | ---- | C] (Windows ® Codename Longhorn DDK provider) -- K:\Windows\System32\drivers\SCMNdisP.sys
[2009/12/29 17:25:14 | 00,000,000 | -H-D | C] -- K:\Program Files\InstallShield Installation Information
[2009/12/29 17:25:14 | 00,000,000 | ---D | C] -- K:\Program Files\NETGEAR
[2009/12/29 17:25:01 | 00,000,000 | ---D | C] -- K:\Users\Sal\AppData\Roaming\InstallShield
[2009/12/29 16:46:34 | 00,000,000 | ---D | C] -- K:\Users\Sal\AppData\Local\Diagnostics
[2009/12/29 14:23:51 | 00,000,000 | ---D | C] -- K:\Windows\SoftwareDistribution
[2009/12/29 14:21:46 | 00,000,000 | ---D | C] -- K:\Windows\Prefetch
[2009/12/29 14:19:57 | 00,000,000 | ---D | C] -- K:\Windows\Panther
[2009/12/29 12:24:46 | 00,024,856 | ---- | C] (AVG Technologies CZ, s.r.o.) -- K:\Windows\System32\drivers\avgfwd6x.sys
[2009/12/29 12:23:59 | 00,000,000 | -HSD | C] -- K:\Windows\Installer
[2009/12/29 11:48:06 | 00,000,000 | ---D | C] -- K:\Users\Sal\AppData\Roaming\Macromedia
[2009/12/29 11:48:06 | 00,000,000 | ---D | C] -- K:\Users\Sal\AppData\Roaming\Adobe
[2009/12/29 11:48:04 | 00,000,000 | ---D | C] -- K:\Windows\System32\Macromed
[2009/12/29 11:45:16 | 00,000,000 | ---D | C] -- K:\Users\Sal\AppData\Local\ElevatedDiagnostics
[2009/12/29 11:43:39 | 00,000,000 | ---D | C] -- K:\Users\Sal\AppData\Roaming\Mozilla
[2009/12/29 11:43:39 | 00,000,000 | ---D | C] -- K:\Users\Sal\AppData\Local\Mozilla
[2009/12/29 11:39:00 | 00,000,000 | ---D | C] -- K:\Program Files\Mozilla Firefox
[2009/12/29 11:30:53 | 00,000,000 | R--D | C] -- K:\Users\Sal\Searches
[2009/12/29 11:30:44 | 00,000,000 | ---D | C] -- K:\Users\Sal\AppData\Roaming\Identities
[2009/12/29 11:30:42 | 00,000,000 | R--D | C] -- K:\Users\Sal\Contacts
[2009/12/29 11:30:34 | 00,000,000 | ---D | C] -- K:\Users\Sal\AppData\Local\VirtualStore
[2009/12/29 11:30:33 | 00,000,000 | -HSD | C] -- K:\Users\Sal\AppData\Local\Temporary Internet Files
[2009/12/29 11:30:33 | 00,000,000 | -HSD | C] -- K:\Users\Sal\Templates
[2009/12/29 11:30:33 | 00,000,000 | -HSD | C] -- K:\Users\Sal\Start Menu
[2009/12/29 11:30:33 | 00,000,000 | -HSD | C] -- K:\Users\Sal\SendTo
[2009/12/29 11:30:33 | 00,000,000 | -HSD | C] -- K:\Users\Sal\Recent
[2009/12/29 11:30:33 | 00,000,000 | -HSD | C] -- K:\Users\Sal\PrintHood
[2009/12/29 11:30:33 | 00,000,000 | -HSD | C] -- K:\Users\Sal\NetHood
[2009/12/29 11:30:33 | 00,000,000 | -HSD | C] -- K:\Users\Sal\Documents\My Videos
[2009/12/29 11:30:33 | 00,000,000 | -HSD | C] -- K:\Users\Sal\Documents\My Pictures
[2009/12/29 11:30:33 | 00,000,000 | -HSD | C] -- K:\Users\Sal\Documents\My Music
[2009/12/29 11:30:33 | 00,000,000 | -HSD | C] -- K:\Users\Sal\My Documents
[2009/12/29 11:30:33 | 00,000,000 | -HSD | C] -- K:\Users\Sal\Local Settings
[2009/12/29 11:30:33 | 00,000,000 | -HSD | C] -- K:\Users\Sal\AppData\Local\History
[2009/12/29 11:30:33 | 00,000,000 | -HSD | C] -- K:\Users\Sal\Cookies
[2009/12/29 11:30:33 | 00,000,000 | -HSD | C] -- K:\Users\Sal\Application Data
[2009/12/29 11:30:33 | 00,000,000 | -HSD | C] -- K:\Users\Sal\AppData\Local\Application Data
[2009/12/29 11:30:32 | 00,000,000 | --SD | C] -- K:\Users\Sal\AppData\Roaming\Microsoft
[2009/12/29 11:30:32 | 00,000,000 | R--D | C] -- K:\Users\Sal\Videos
[2009/12/29 11:30:32 | 00,000,000 | R--D | C] -- K:\Users\Sal\Saved Games
[2009/12/29 11:30:32 | 00,000,000 | R--D | C] -- K:\Users\Sal\Pictures
[2009/12/29 11:30:32 | 00,000,000 | R--D | C] -- K:\Users\Sal\Music
[2009/12/29 11:30:32 | 00,000,000 | R--D | C] -- K:\Users\Sal\Links
[2009/12/29 11:30:32 | 00,000,000 | R--D | C] -- K:\Users\Sal\Favorites
[2009/12/29 11:30:32 | 00,000,000 | R--D | C] -- K:\Users\Sal\Downloads
[2009/12/29 11:30:32 | 00,000,000 | R--D | C] -- K:\Users\Sal\Documents
[2009/12/29 11:30:32 | 00,000,000 | R--D | C] -- K:\Users\Sal\Desktop
[2009/12/29 11:30:32 | 00,000,000 | -H-D | C] -- K:\Users\Sal\AppData
[2009/12/29 11:30:32 | 00,000,000 | ---D | C] -- K:\Users\Sal\AppData\Local\Temp
[2009/12/29 11:30:32 | 00,000,000 | ---D | C] -- K:\Users\Sal\AppData\Local\Microsoft
[2009/12/29 11:30:32 | 00,000,000 | ---D | C] -- K:\Users\Sal\AppData\Roaming\Media Center Programs
[2009/12/28 18:19:53 | 00,000,000 | -HSD | C] -- K:\RECYCLER
[2009/12/28 17:23:24 | 00,000,000 | -HSD | C] -- K:\System Volume Information
[2009/12/28 14:45:47 | 00,000,000 | -H-D | C] -- K:\$AVG
[2009/12/28 14:30:22 | 00,000,000 | -HSD | C] -- K:\Recovery

========== Files - Modified Within 14 Days ==========

[2009/12/31 15:35:48 | 00,513,536 | ---- | M] (OldTimer Tools) -- K:\Users\Sal\Desktop\OTL.exe
[2009/12/31 15:34:40 | 00,000,435 | ---- | M] () -- K:\Windows\System32\drivers\etc\hosts.ics
[2009/12/31 15:34:07 | 00,000,006 | -H-- | M] () -- K:\Windows\tasks\SA.DAT
[2009/12/31 15:33:58 | 00,067,584 | --S- | M] () -- K:\Windows\bootstat.dat
[2009/12/31 15:33:50 | 16,039,32160 | -HS- | M] () -- K:\hiberfil.sys
[2009/12/31 01:53:25 | 01,048,576 | -HS- | M] () -- K:\Users\Sal\NTUSER.DAT
[2009/12/31 01:53:20 | 02,602,972 | -H-- | M] () -- K:\Users\Sal\AppData\Local\IconCache.db
[2009/12/31 01:03:42 | 00,000,017 | ---- | M] () -- K:\Users\Sal\AppData\Local\resmon.resmoncfg
[2009/12/30 22:36:27 | 00,014,016 | -H-- | M] () -- K:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2009/12/30 22:36:27 | 00,014,016 | -H-- | M] () -- K:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2009/12/30 22:35:40 | 00,713,888 | ---- | M] () -- K:\Windows\System32\PerfStringBackup.INI
[2009/12/30 22:35:40 | 00,615,122 | ---- | M] () -- K:\Windows\System32\perfh009.dat
[2009/12/30 22:35:40 | 00,103,496 | ---- | M] () -- K:\Windows\System32\perfc009.dat
[2009/12/30 14:55:24 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- K:\Windows\System32\drivers\mbamswissarmy.sys
[2009/12/30 14:54:58 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- K:\Windows\System32\drivers\mbam.sys
[2009/12/30 13:33:08 | 00,266,808 | ---- | M] () -- K:\Windows\System32\FNTCACHE.DAT
[2009/12/30 11:57:59 | 47,219,801 | ---- | M] () -- K:\Windows\System32\drivers\Avg\incavi.avm
[2009/12/29 21:50:10 | 00,553,541 | ---- | M] () -- K:\Windows\System32\drivers\Avg\iavifw.avm
[2009/12/29 21:49:45 | 00,128,231 | ---- | M] () -- K:\Windows\System32\drivers\Avg\microavi.avg
[2009/12/29 21:46:06 | 00,025,608 | ---- | M] (AVG Technologies ) -- K:\Windows\System32\drivers\AVGIDSwx.sys
[2009/12/29 21:46:06 | 00,012,464 | ---- | M] (AVG Technologies CZ, s.r.o.) -- K:\Windows\System32\avgrsstx.dll
[2009/12/29 21:46:05 | 00,161,800 | ---- | M] (AVG Technologies CZ, s.r.o.) -- K:\Windows\System32\drivers\avgrkx86.sys
[2009/12/29 21:46:04 | 00,360,584 | ---- | M] (AVG Technologies CZ, s.r.o.) -- K:\Windows\System32\drivers\avgtdix.sys
[2009/12/29 21:45:57 | 00,333,192 | ---- | M] (AVG Technologies CZ, s.r.o.) -- K:\Windows\System32\drivers\avgldx86.sys
[2009/12/29 21:45:56 | 06,061,540 | ---- | M] () -- K:\Windows\System32\drivers\Avg\avi7.avg
[2009/12/29 21:45:56 | 00,492,629 | ---- | M] () -- K:\Windows\System32\drivers\Avg\miniavi.avg
[2009/12/29 21:45:56 | 00,113,461 | ---- | M] () -- K:\Windows\System32\drivers\Avg\iavichjw.avm
[2009/12/29 21:45:56 | 00,028,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- K:\Windows\System32\drivers\avgmfx86.sys
[2009/12/29 21:45:32 | 00,024,856 | ---- | M] (AVG Technologies CZ, s.r.o.) -- K:\Windows\System32\drivers\avgfwd6x.sys
[2009/12/29 20:25:08 | 00,000,000 | -H-- | M] () -- K:\Users\Sal\Documents\Default.rdp
[2009/12/29 18:34:47 | 00,000,362 | RHS- | M] () -- K:\ProgramData\ntuser.pol
[2009/12/29 17:25:15 | 00,000,866 | ---- | M] () -- K:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NETGEAR WG111v2 Smart Wizard.lnk
[2009/12/29 14:24:37 | 00,042,045 | ---- | M] () -- K:\Windows\System32\license.rtf
[2009/12/29 11:39:19 | 00,524,288 | -HS- | M] () -- K:\Users\Sal\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
[2009/12/29 11:39:19 | 00,524,288 | -HS- | M] () -- K:\Users\Sal\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
[2009/12/29 11:39:19 | 00,065,536 | -HS- | M] () -- K:\Users\Sal\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf
[2009/12/29 11:39:17 | 00,000,003 | ---- | M] () -- K:\Windows\7Loader.TAG
[2009/12/29 11:39:03 | 00,001,885 | ---- | M] () -- K:\Users\Public\Desktop\Mozilla Firefox.lnk
[2009/12/29 11:37:38 | 00,057,560 | ---- | M] () -- K:\Users\Sal\AppData\Local\GDIPFONTCACHEV1.DAT
[2009/12/29 11:30:33 | 00,000,020 | -HS- | M] () -- K:\Users\Sal\ntuser.ini

========== Files Created - No Company Name ==========

[2009/12/31 01:03:42 | 00,000,017 | ---- | C] () -- K:\Users\Sal\AppData\Local\resmon.resmoncfg
[2009/12/29 21:45:56 | 47,219,801 | ---- | C] () -- K:\Windows\System32\drivers\Avg\incavi.avm
[2009/12/29 21:45:56 | 00,553,541 | ---- | C] () -- K:\Windows\System32\drivers\Avg\iavifw.avm
[2009/12/29 21:45:56 | 00,492,629 | ---- | C] () -- K:\Windows\System32\drivers\Avg\miniavi.avg
[2009/12/29 21:45:56 | 00,128,231 | ---- | C] () -- K:\Windows\System32\drivers\Avg\microavi.avg
[2009/12/29 21:45:56 | 00,113,461 | ---- | C] () -- K:\Windows\System32\drivers\Avg\iavichjw.avm
[2009/12/29 21:45:55 | 06,061,540 | ---- | C] () -- K:\Windows\System32\drivers\Avg\avi7.avg
[2009/12/29 20:25:08 | 00,000,000 | -H-- | C] () -- K:\Users\Sal\Documents\Default.rdp
[2009/12/29 18:34:46 | 00,000,362 | RHS- | C] () -- K:\ProgramData\ntuser.pol
[2009/12/29 17:25:15 | 00,180,224 | ---- | C] () -- K:\Windows\System32\WinService.exe
[2009/12/29 17:25:15 | 00,000,866 | ---- | C] () -- K:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NETGEAR WG111v2 Smart Wizard.lnk
[2009/12/29 11:39:17 | 00,000,003 | ---- | C] () -- K:\Windows\7Loader.TAG
[2009/12/29 11:39:03 | 00,001,885 | ---- | C] () -- K:\Users\Public\Desktop\Mozilla Firefox.lnk
[2009/12/29 11:30:33 | 00,524,288 | -HS- | C] () -- K:\Users\Sal\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
[2009/12/29 11:30:33 | 00,524,288 | -HS- | C] () -- K:\Users\Sal\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
[2009/12/29 11:30:33 | 00,065,536 | -HS- | C] () -- K:\Users\Sal\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf
[2009/12/29 11:30:33 | 00,000,020 | -HS- | C] () -- K:\Users\Sal\ntuser.ini
[2009/12/29 11:30:32 | 01,048,576 | -HS- | C] () -- K:\Users\Sal\NTUSER.DAT
[2009/12/28 17:23:24 | 16,039,32160 | -HS- | C] () -- K:\hiberfil.sys
[2009/07/13 18:51:43 | 00,073,728 | ---- | C] () -- K:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 18:42:10 | 00,064,000 | ---- | C] () -- K:\Windows\System32\BWContextHandler.dll
[2006/10/06 23:19:12 | 00,200,704 | ---- | C] () -- K:\Windows\System32\igfxCoIn_v4704.dll

========== LOP Check ==========

[2009/07/13 23:53:46 | 00,003,650 | ---- | M] () -- K:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2009/07/13 20:26:15 | 00,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- K:\Windows\System32\drivers\AGP440.sys
[2009/07/13 20:26:15 | 00,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- K:\Windows\System32\DriverStore\FileRepository\machine.inf_x86_neutral_65848c2d7375a720\AGP440.sys
[2009/07/13 20:26:15 | 00,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- K:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.1.7600.16385_none_b9e9435f20046eeb\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/12/30 16:05:40 | 00,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- K:\Windows\System32\drivers\atapi.sys
[2009/07/13 20:26:15 | 00,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- K:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys
[2009/07/13 20:26:15 | 00,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- K:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2009/07/13 20:15:06 | 00,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- K:\Windows\System32\cngaudit.dll
[2009/07/13 20:15:06 | 00,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- K:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\cngaudit.dll

< MD5 for: IASTORV.SYS >
[2009/07/13 20:20:36 | 00,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- K:\Windows\System32\drivers\iaStorV.sys
[2009/07/13 20:20:36 | 00,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- K:\Windows\System32\DriverStore\FileRepository\iastorv.inf_x86_neutral_18cccb83b34e1453\iaStorV.sys
[2009/07/13 20:20:36 | 00,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- K:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_aee7a89be91b9000\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2009/07/13 20:16:02 | 00,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- K:\Windows\System32\netlogon.dll
[2009/07/13 20:16:02 | 00,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- K:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_fd8e0d66994d7dc8\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2009/07/13 20:20:44 | 00,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- K:\Windows\System32\drivers\nvstor.sys
[2009/07/13 20:20:44 | 00,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- K:\Windows\System32\DriverStore\FileRepository\nvraid.inf_x86_neutral_5bde3fe2945bce9e\nvstor.sys
[2009/07/13 20:20:44 | 00,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- K:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_39b1194b205239d8\nvstor.sys

< MD5 for: SCECLI.DLL >
[2009/07/13 20:16:13 | 00,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- K:\Windows\System32\scecli.dll
[2009/07/13 20:16:13 | 00,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- K:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_37e4387f3a6f0483\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/07/13 20:14:57 | 00,070,144 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- K:\Windows\System32\atl.dll
[2009/07/13 20:15:19 | 00,271,360 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- K:\Windows\System32\es.dll
[2009/07/13 20:15:28 | 10,973,696 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- K:\Windows\System32\ieframe.dll
[2009/07/13 20:15:36 | 00,226,816 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- K:\Windows\System32\LocationApi.dll

< End of report >

OTL Extras logfile created on: 12/31/2009 3:37:42 PM - Run 1
OTL by OldTimer - Version 3.1.20.1 Folder = K:\Users\Sal\Desktop
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 65.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = K: | %SystemRoot% = K:\Windows | %ProgramFiles% = K:\Program Files
Drive C: | 37.26 Gb Total Space | 14.80 Gb Free Space | 39.73% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 250.08 Gb Total Space | 236.54 Gb Free Space | 94.58% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive K: | 215.68 Gb Total Space | 205.72 Gb Free Space | 95.38% Space Free | Partition Type: NTFS

Computer Name: SAL-PC
Current User Name: Sal
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- "%SystemRoot%\hh.exe" %1
.cpl [@ = cplfile] -- K:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- K:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = htmlfile] -- K:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-3953335833-2417556955-434272650-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- K:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
chm.file [open] -- "%SystemRoot%\hh.exe" %1
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "K:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "K:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
http [open] -- "K:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "K:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "K:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "K:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0
"DefaultOutboundAction" = 0
"DefaultInboundAction" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{4102037D-E8E0-48E0-B203-E521D194FB71}" = NETGEAR WG111v2 wireless USB 2.0 adapter
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{9D318C86-AF4C-409F-A6AC-7183FF4CF424}" = Internet TV for Windows Media Center
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AVG9Uninstall" = AVG 9.0
"HDMI" = Intel® Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.5.6)" = Mozilla Firefox (3.5.6)

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/29/2009 12:36:56 PM | Computer Name = Sal-PC | Source = Microsoft-Windows-CAPI2 | ID = 4110
Description = Failed to add certificate to Third-Party Root Certification Authorities
store with error: A certificate chain could not be built to a trusted root authority.


Error - 12/29/2009 12:36:56 PM | Computer Name = Sal-PC | Source = Microsoft-Windows-CAPI2 | ID = 4110
Description = Failed to add certificate to Third-Party Root Certification Authorities
store with error: A certificate chain could not be built to a trusted root authority.


Error - 12/29/2009 12:36:56 PM | Computer Name = Sal-PC | Source = Microsoft-Windows-CAPI2 | ID = 4110
Description = Failed to add certificate to Third-Party Root Certification Authorities
store with error: A certificate chain could not be built to a trusted root authority.


Error - 12/29/2009 12:36:56 PM | Computer Name = Sal-PC | Source = Microsoft-Windows-CAPI2 | ID = 4110
Description = Failed to add certificate to Third-Party Root Certification Authorities
store with error: A certificate chain could not be built to a trusted root authority.


Error - 12/29/2009 6:07:57 PM | Computer Name = Sal-PC | Source = VSS | ID = 8194
Description =

Error - 12/29/2009 10:49:01 PM | Computer Name = Sal-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A certificate chain could not be built to a trusted root authority.
.

Error - 12/29/2009 10:50:19 PM | Computer Name = Sal-PC | Source = VSS | ID = 8194
Description =

Error - 12/30/2009 4:43:52 PM | Computer Name = Sal-PC | Source = .NET Runtime Optimization Service | ID = 1101
Description =

Error - 12/31/2009 2:38:26 AM | Computer Name = Sal-PC | Source = Application Error | ID = 1000
Description = Faulting application name: mcupdate.EXE, version: 6.1.7600.16385,
time stamp: 0x4a5bccd6 Faulting module name: unknown, version: 0.0.0.0, time stamp:
0x00000000 Exception code: 0xc0000005 Fault offset: 0x0001136c Faulting process id:
0x156c Faulting application start time: 0x01ca89e3db228f15 Faulting application path:
K:\Windows\ehome\mcupdate.EXE Faulting module path: unknown Report Id: 195700f9-f5d7-11de-9470-000ffe27a413

Error - 12/31/2009 4:41:24 PM | Computer Name = Sal-PC | Source = VSS | ID = 8194
Description =

[ System Events ]
Error - 12/30/2009 3:39:25 PM | Computer Name = Sal-PC | Source = ipnathlp | ID = 34001
Description =

Error - 12/30/2009 3:51:32 PM | Computer Name = Sal-PC | Source = ipnathlp | ID = 34001
Description =

Error - 12/30/2009 4:39:21 PM | Computer Name = Sal-PC | Source = ipnathlp | ID = 34001
Description =

Error - 12/30/2009 10:39:27 PM | Computer Name = Sal-PC | Source = ipnathlp | ID = 31004
Description =

Error - 12/30/2009 10:39:27 PM | Computer Name = Sal-PC | Source = ipnathlp | ID = 31004
Description =

Error - 12/30/2009 10:39:38 PM | Computer Name = Sal-PC | Source = ipnathlp | ID = 34001
Description =

Error - 12/30/2009 10:41:38 PM | Computer Name = Sal-PC | Source = ipnathlp | ID = 34001
Description =

Error - 12/30/2009 10:53:45 PM | Computer Name = Sal-PC | Source = ipnathlp | ID = 34001
Description =

Error - 12/30/2009 11:29:32 PM | Computer Name = Sal-PC | Source = ipnathlp | ID = 31004
Description =

Error - 12/31/2009 4:33:39 PM | Computer Name = Sal-PC | Source = volsnap | ID = 393245
Description = The shadow copies of volume K: were aborted during detection.


< End of report >

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-31 15:52:56
Windows 6.1.7600
Running: q1ksbr9w.exe; Driver: K:\Users\Sal\AppData\Local\Temp\uwldypow.sys


---- System - GMER 1.0.15 ----

SSDT \??\K:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys ZwOpenProcess [0x8FF55620]
SSDT \??\K:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys ZwTerminateProcess [0x8FF556D0]
SSDT \??\K:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys ZwTerminateThread [0x8FF55770]
SSDT \??\K:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys ZwWriteVirtualMemory [0x8FF55810]

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82822AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82822104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 828223F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8280B2D8
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 828221DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82822958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 828226F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82822F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 828231A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwSaveKeyEx + 13B1 828748E9 1 Byte [06]
.text ntoskrnl.exe!KiDispatchInterrupt + 5A2 828943B2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntoskrnl.exe!KeRemoveQueueEx + 165F 8289B8EC 4 Bytes [20, 56, F5, 8F]
.text ntoskrnl.exe!KeRemoveQueueEx + 192F 8289BBBC 8 Bytes [D0, 56, F5, 8F, 70, 57, F5, ...]
.text ntoskrnl.exe!KeRemoveQueueEx + 19A3 8289BC30 4 Bytes [10, 58, F5, 8F]
.text peauth.sys AA090C9D 28 Bytes [04, 32, C2, 8D, 5A, B6, C9, ...]
.text peauth.sys AA090CC1 28 Bytes [04, 32, C2, 8D, 5A, B6, C9, ...]

---- User code sections - GMER 1.0.15 ----

.text K:\Windows\system32\svchost.exe[680] ole32.dll!CoCreateInstance 756757FC 5 Bytes JMP 0095000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys

Device \Driver\ACPI_HAL \Device\00000052 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----


#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:05 AM

Posted 31 December 2009 - 10:42 PM

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the contents of C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 SalA

SalA
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:05 AM

Posted 01 January 2010 - 01:52 PM

When ComboFix starts it says "This is a beta version. It's only for compatibility. Do not use on a live machine." What should I do?

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:05 AM

Posted 01 January 2010 - 03:27 PM

We need to run this special tool.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • If prompted to reboot, please do so.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.



========================================================

#7 SalA

SalA
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:05 AM

Posted 01 January 2010 - 03:40 PM

I ran it and I found an infected driver. I rebooted and I couldn't find the log on my C: drive, because it's not my primary; that's where XP Pro is. I have it dual booted. My main drive for 7 is K:.

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:05 AM

Posted 02 January 2010 - 09:24 AM

How are your searches working now?


========================================================

#9 SalA

SalA
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:05 AM

Posted 02 January 2010 - 12:47 PM

The first few when my computer starts are normal then all the others take me to random websites and sometimes they take me to these fake search engines and input what my search was.

#10 SalA

SalA
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:05 AM

Posted 02 January 2010 - 12:55 PM

The first few when my computer starts are normal then all the others take me to random websites and sometimes they take me to these fake search engines and input what my search was.


I ran that scan again and it still found that infected driver. I restarted, scanned, it still found it, and no log showed up.

#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:05 AM

Posted 02 January 2010 - 03:56 PM

Please disable your antivirus program.
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.

    Files to move:
    K:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys | K:\Windows\System32\drivers\atapi.sys
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt). Please copy and paste this log into your next reply.



========================================================
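The step above replaces the in-use atapi.sys with the pristine copy that Windows keeps in the DriverStore. A defender can verify the same thing without a removal tool: the DriverStore copy and the active driver should be byte-for-byte identical, so a hash mismatch between them is a strong sign the active driver has been patched, and a match after the move confirms the replacement took. The following is an added example, not part of this thread and not code from The Avenger or any other tool named here. The two paths are the ones quoted in the script above (the Windows 7 system drive is K: on this machine); the `self_check` function runs the comparison on constructed throwaway files so the logic can be exercised without a real driver.

```python
import hashlib
import tempfile
from pathlib import Path

# Paths copied from the Avenger script in the thread; K: is the Windows 7 system drive here.
ACTIVE_DRIVER = Path(r"K:\Windows\System32\drivers\atapi.sys")
REFERENCE_DRIVER = Path(r"K:\Windows\System32\DriverStore\FileRepository"
                        r"\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys")


def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of a file, read in chunks so large drivers do not load into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_driver_copies(active: Path, reference: Path) -> dict:
    """Hash the active driver and its DriverStore reference and return a verdict.

    Verdicts: "match" (identical), "mismatch" (active differs from the reference,
    worth investigating), "missing" (one of the files is absent; reported, not raised).
    """
    result = {"active": str(active), "reference": str(reference)}
    for key, path in (("active", active), ("reference", reference)):
        if path.is_file():
            result[key + "_sha256"] = sha256_of(path)
            result[key + "_size"] = path.stat().st_size
        else:
            result[key + "_sha256"] = None
            result[key + "_size"] = None

    if result["active_sha256"] is None or result["reference_sha256"] is None:
        result["verdict"] = "missing"
    elif result["active_sha256"] == result["reference_sha256"]:
        result["verdict"] = "match"
    else:
        result["verdict"] = "mismatch"
    return result


def self_check() -> dict:
    """Exercise the comparison on constructed files (not real drivers) and return the verdicts."""
    clean_image = b"MZ" + b"\x00" * 62 + b"constructed clean driver image"
    # Same size as the clean image with one byte altered, mimicking an in-place patch.
    patched_image = clean_image[:-1] + b"X"
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "atapi_clean.sys"
        patched = Path(tmp) / "atapi_patched.sys"
        clean.write_bytes(clean_image)
        patched.write_bytes(patched_image)
        return {
            "clean_vs_clean": compare_driver_copies(clean, clean)["verdict"],
            "patched_vs_clean": compare_driver_copies(patched, clean)["verdict"],
            "missing": compare_driver_copies(Path(tmp) / "absent.sys", clean)["verdict"],
        }


if __name__ == "__main__":
    # On the affected machine this compares the real files; elsewhere it reports "missing".
    report = compare_driver_copies(ACTIVE_DRIVER, REFERENCE_DRIVER)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("self-check:", self_check())
```

Run it from the Windows 7 install (or against a mounted copy of that drive) before and after the file-move step: "mismatch" before and "match" after is the expected sequence. Because the comparison is against the DriverStore copy rather than a hard-coded hash, it keeps working across service packs, as long as the DriverStore copy itself is trusted.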

#12 SalA

SalA
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:05 AM

Posted 03 January 2010 - 12:34 PM

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at K:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "K:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys|K:\Windows\System32\drivers\atapi.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.


I tried around Google and no problems so far.

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:05 AM

Posted 04 January 2010 - 08:54 AM

Looks good. As long as everything is still behaving properly here are some last steps for you.

Now we'll remove OTL and some of the other tools we've used.
  • Double-click OTL.exe to run it.
  • Click on the CleanUp! button
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


================




Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - You should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:( :(


========================================================

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:05 AM

Posted 24 January 2010 - 03:45 AM

Now that your malware problem appears to be resolved, this topic will be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this topic in your request.


========================================================



