Many issues all of a sudden. Total freeze up


  • This topic is locked
12 replies to this topic

#1 marc_e
  • Members
  • 15 posts

Posted 10 January 2010 - 11:22 AM

I ran HijackThis to start. Could not even get on the internet until I started the computer in safe mode, or actually in last known good configuration mode. Safe mode would not allow me to go on the internet. Malwarebytes would not open. I tried to uninstall and reinstall the program and it did not work. I ran an Avast antivirus scan while in safe mode and it froze before completion. I ran a registry program that I use called Eusing registry and it would not work to completion. On the Malwarebytes run I got a message that said something was attached to Malwarebytes and thus it would not run. I seem to be OK in the current mode but I want to make sure because not everything is back to normal.

Logfile of HijackThis v1.99.1
Scan saved at 9:08:05 AM, on 1/10/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Kyocera\FileUtility\SFUSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kyocera\FileUtility\nsCatCom.exe
C:\Program Files\Common Files\MOO\WinFlx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Owner\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: SeoQuake - {9C590067-8A6A-4db6-B052-069283790B04} - C:\Program Files\SeoQuake\seoquake.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - cmdmapping - (no file) (HKCU)
O11 - Options group: [INTERNATIONAL] International
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} - https://www.windowsonecare.com/install/cli/...nSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...etup1.0.1.1.cab
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {4AB16005-E995-4A60-89DE-8B8A3E6EB5B0} (TrivialPursuit Control) - http://www.worldwinner.com/games/v56/trivi...vialpursuit.cab
O16 - DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} (ContactExtractor Class) - http://www.facebook.com/controls/contactx.dll
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Diskeeper (diskeeper) - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: SFUSVC - KYOCERA MITA CORPORATION - C:\Program Files\Kyocera\FileUtility\SFUSVC.exe
O23 - Service: Winflex Service (WinFlxCSV) - Mutual of Omaha - C:\Program Files\Common Files\MOO\WinFlx.exe




#2 myrti
  • Malware Study Hall Admin
  • 33,784 posts

Posted 16 January 2010 - 12:09 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  1. Please download OTL from the following mirror:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#3 marc_e
  • Topic Starter
  • Members
  • 15 posts

Posted 17 January 2010 - 08:50 PM

I have been able to get avast and the Eusing registry cleanup to run since my original post, but I still don't trust that everything is gone. While I was running OTL avast popped up and said that it had found the following trojan virus:

C:\\WINDOWS\System32\H8SRT ampflevtvc.dll

That H8SRT prefix has been showing up frequently on my virus scans recently.
I did not delete this since I thought it might have something to do with the OTL scan. I did quarantine it.

Still can't run Malwarebytes; I get error code 720 (0,0), whatever that means.

I had an audio virus thing going on last Wednesday and I kept getting notes that Internet Explorer had to close due to an error when I did not even have it open. I primarily run Mozilla. I tried to copy and paste the history from Wednesday, which showed literally hundreds of sites that I never went to, but I was not able to do that. I am hoping that I got rid of that though.



OTL Extras logfile created on: 1/17/2010 6:02:24 PM - Run 1
OTL by OldTimer - Version 3.1.25.2 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 181.00 Mb Available Physical Memory | 35.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 51.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144.51 Gb Total Space | 59.06 Gb Free Space | 40.87% Space Free | Partition Type: NTFS
Drive D: | 4.53 Gb Total Space | 0.78 Gb Free Space | 17.34% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MARCS
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Real\RealOne Player\realplay.exe" = C:\Program Files\Real\RealOne Player\realplay.exe:*:Enabled:RealPlayer -- File not found
"C:\Fiserv Life Portraits\FipWebServer.exe" = C:\Fiserv Life Portraits\FipWebServer.exe:*:Enabled:FipWebServer -- (FIPSCO)
"C:\Program Files\Internet Explorer\iexplore.exe" = C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer -- (Microsoft Corporation)
"C:\WINDOWS\system32\LEXPPS.EXE" = C:\WINDOWS\system32\LEXPPS.EXE:*:Disabled:LEXPPS.EXE -- (Lexmark International, Inc.)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- File not found
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server -- File not found
"C:\Program Files\DNA\btdna.exe" = C:\Program Files\DNA\btdna.exe:*:Enabled:DNA -- (BitTorrent, Inc.)
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)
"C:\Program Files\Orbitdownloader\orbitdm.exe" = C:\Program Files\Orbitdownloader\orbitdm.exe:*:Enabled:Orbit -- (Orbitdownloader.com)
"C:\Program Files\Orbitdownloader\orbitnet.exe" = C:\Program Files\Orbitdownloader\orbitnet.exe:*:Enabled:Orbit -- (Orbitdownloader.com)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{068D970F-203E-45AF-AFFB-5D0F5BDCF80A}_is1" = eXtreme Gammon 1.04
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{08EDDA07-A748-4E45-9A07-A8F78874E1D6}" = Winflex Service Update
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{1D532B73-1812-483C-8720-E3E24B582015}" = POINT
"{2070F79D-46BC-4EEA-8F02-9B4DCABAE7CB}" = iPod for Windows 2006-03-23
"{2555F283-A782-4F9F-829F-268A9B0F9CC1}" = POINT
"{2A267BC6-F77F-4DD4-825F-7AEB1F68B4B1}" = HpSdpAppCoreApp
"{2BA00471-0328-3743-93BD-FA813353A783}" = Microsoft .NET Framework 3.0 Service Pack 1
"{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}" = Rhapsody Player Engine
"{2FC099BD-AC9B-33EB-809C-D332E1B27C40}" = Microsoft .NET Framework 3.5
"{3248F0A8-6813-11D6-A77B-00B0D0150070}" = J2SE Runtime Environment 5.0 Update 7
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{357F75A5-CADA-42E3-8B16-3F3EDD431141}" = Point
"{35E90FA5-2CB4-4039-A8BB-BE1B9DB94E21}" = HP Memories Disc
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{47D4AF7B-EDE6-4ADB-8D2F-0BDA25C7321F}" = HP Digital Imaging Album Printing 1.0
"{48BD24F5-13DE-493A-A7CE-28A85113FF0C}" = HP Deskjet printer preloaded drivers
"{4F5FC172-F0E7-4EA5-902F-8D005DF9F000}" = HP Photo and Imaging 1.2 - Photosmart Cameras
"{5C088418-0D63-4698-B2D0-7A3A171EE339}" = POINT
"{5CD4F991-BA3E-4EC4-A7A1-EFB61F4D7291}" = Setup
"{621C02EA-AAFF-4026-A903-165D59529A16}" = Driver Detective
"{684FD900-B874-4A02-90E1-E65305D72B6B}" = Microsoft Visual J# .NET Redistributable Package 1.1
"{68A35043-C55A-4237-88C9-37EE1C63ED71}" = Microsoft Visual J# 2.0 Redistributable Package
"{68E1BAC6-F79F-43C4-AF03-A89F53F748D3}" = Microsoft XML Parser
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6BC75E82-8B33-479E-8DB0-F8D9844C14D8}" = Fidelis Launcher
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{76C24F39-B161-498F-BD8B-C64789812D13}_is1" = ConvertXtoDVD 3.0.0.1
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7C05EEDD-E565-4E2B-ADE4-0C784C17311C}" = Crystal Reports for .NET Framework 2.0 (x86)
"{81C1E328-2747-4C69-A30F-EE5D9F8F0007}" = Daddy Keword Tool
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8DB78AA6-C01F-44AF-ACC1-3F42E2A8C344}" = AIG Library Component Installer
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{913D0409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Standard for Students and Teachers
"{97097F2D-CFBF-4DC9-A8AF-1C8EAC322275}" = Vocal Remover
"{98E8A2EF-4EAE-43B8-A172-74842B764777}" = InterVideo WinDVD Player
"{9C590067-8A6A-4db6-B052-069283790B04}" = SeoQuake
"{9E88DAA4-1352-4272-BA3A-897668408400}" = HP Photosmart printers preloaded drivers
"{A2C82F57-F312-4525-A19C-40E228E09939}" = Setup
"{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}" = Windows Defender Signatures
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AB938897-211A-4999-9749-236D2E8E464A}" = NETGEAR WPN311 Wireless Adapter
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.7
"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
"{AC79924F-BCB9-43E2-8AAF-45BBC76F0E4C}_is1" = GammonSite 5.52
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{b1d8cae1-62e8-4259-8b57-1755629f71ec}" = Diskeeper 2007 Pro Premier
"{B43357AA-3A6D-4D94-B56E-43C44D09E548}" = Microsoft .NET Framework (English)
"{B4C88CF0-B617-4658-8F84-C4E847FBC9F7}" = Microsoft Managed DirectX (1126)
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C27E6CEF-F515-400F-823F-9141D56C0A2F}" = PrintMe Driver for Windows
"{C544F99D-39EF-4E6D-95BE-4E41C1D8C4CB}" = Dr Watson for Microsoft Windows OneCare Live v1.0.0971.10
"{c8bb4912-12d9-42ae-b571-e580d8cd1b5b}" = TuneUp Utilities 2007
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D6C35F0E-D09D-4177-BAEE-4D412D749A96}" = Point
"{D9952F01-1EBB-494B-AD8C-36BCA14B0FC4}" = POINT
"{E3CD4EA8-68BB-46E8-9E79-20A417A82C53}" = Microsoft Office Live Meeting 2007
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{F05E2B98-DA04-4FFA-8D08-DA218E6A2B47}" = Point
"{F3CA9611-CD42-4562-ADAB-A554CF8E17F1}" = Microsoft WSE 2.0 SP3 Runtime
"{F751F153-0D23-4ED5-85D5-BAE46893D1F9}" = Point
"{FCC4D2E1-4586-11D6-9EBC-0050DA64BD57}" = ANTEX Quotes
"{FCE14E89-E472-4501-A87F-784CB7128AAB}" = POINT
"ActiveTouchMeetingClient" = WebEx
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"avast!" = avast! Antivirus
"AVS Audio Converter 5.1_is1" = AVS Audio Converter version 5.1
"AVS Update Manager_is1" = AVS Update Manager 1.0
"BCWipe" = BCWipe 3.0
"CCleaner" = CCleaner (remove only)
"CentraClient" = Centra Client
"Chesapeake Life Illustration v4.6" = Chesapeake Life Illustration v4.6
"Cucusoft Ultimate DVD + Video Converter Suite_is1" = Cucusoft Ultimate DVD + Video Converter Suite 7.21.7.15
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"Doremi FLV to MP3 Converter" = Doremi FLV to MP3 Converter 1.0
"EB88B6218325D2AB47CFFBF7170236B60A6198FF" = Windows Driver Package - Microsoft Corporation (usbvideo) Image (05/25/2007 1.0.3656.0)
"Eusing Free Registry Cleaner" = Eusing Free Registry Cleaner
"FLA Software" = FLA Software
"Free FLV to MP3 Converter_is1" = Free FLV to MP3 Converter
"Freez FLV to MP3 Converter v1.5_is1" = Freez FLV to MP3 Converter
"GammonEmpire" = GammonEmpire
"GoogleVideoPlayer" = Google Video Player
"GPM 2009 Insurance Desk" = GPM 2009 Insurance Desk
"GPM Benefits Coordination (Federal & Military)" = GPM Benefits Coordination (Federal & Military)
"Graboid Video" = Graboid Video 1.5
"GSpot" = GSpot Codec Information Appliance
"GTLPlans Quote Calculator_is1" = GTLPlansQuoteCalculator 1.0.0.3
"HijackThis" = HijackThis 1.99.1
"hp instant support" = HP Instant Support
"HPTOOLKIT" = toolkit
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie8" = Windows Internet Explorer 8
"InstallShield_{2070F79D-46BC-4EEA-8F02-9B4DCABAE7CB}" = iPod for Windows 2006-03-23
"InstallShield_{621C02EA-AAFF-4026-A903-165D59529A16}" = Driver Detective
"InstallShield_{AB938897-211A-4999-9749-236D2E8E464A}" = NETGEAR WPN311 Wireless Adapter
"InstallShield_{C27E6CEF-F515-400F-823F-9141D56C0A2F}" = PrintMe Driver for Windows
"LAME for Audacity_is1" = LAME v3.98.2 for Audacity
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"MailWasher Free_is1" = MailWasher Free 6.5.2
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5" = Microsoft .NET Framework 3.5
"Microsoft .NET Framework Full v1.0.3705 (1033)" = Microsoft .NET Framework (English) v1.0.3705
"Microsoft Visual J# 2.0 Redistributable Package" = Microsoft Visual J# 2.0 Redistributable Package
"Mozilla ActiveX Control v1.7.12" = Mozilla ActiveX Control v1.7.12
"Mozilla Firefox (3.0.17)" = Mozilla Firefox (3.0.17)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Nonosweeper_is1" = Nonosweeper v1.33
"novaPDF Professional Desktop 5_is1" = novaPDF Professional Desktop 5.0
"NVIDIA Drivers" = NVIDIA Drivers
"OMUS Life Holdings" = OMUS Life Holdings
"Orbit_is1" = Orbit Downloader
"Our GamePlan is to invest in you." = Our GamePlan is to invest in you.
"Pdf995" = Pdf995
"Play65" = Play65
"Quick Qualifier 5.45" = Quick Qualifier 5.45
"RealArcade 1.2" = RealArcade
"S3Gamma2" = S3Gamma2
"S3Info2" = S3Info2
"S3Overlay" = S3Overlay
"Security Task Manager" = Security Task Manager 1.5d
"SegPlayPC" = SegPlayPC
"Shockwave" = Shockwave
"spybot - search & destroy_is1" = Spybot - Search & Destroy 1.4
"SwiftView" = SwiftView Viewer
"Term Quotation System" = Term Quotation System
"tmgAppId_is1" = TrueMoneyGames 3.7.1
"tv_enua" = Lernout & Hauspie TruVoice American English TTS Engine
"TVUPlayer" = TVUPlayer 2.4.1.0
"VLC media player" = VideoLAN VLC media player 0.8.6d
"Vocal Remover" = Vocal Remover
"WebPost" = Microsoft Web Publishing Wizard 1.52
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 2
"WinGTK-2_is1" = GTK+ 2.10.6-1 runtime environment
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent" = BitTorrent
"BitTorrent DNA" = DNA
"f88669a9bea24632" = UHC-iEnroll
"GoToMeeting" = GoToMeeting 4.0.0.320
"MLQTSource" = MediaLooks QuickTime Source 1.7.0.6 (DirectShow Filter)
"NetworkStreaming Client" = NetworkStreaming Client
"Octoshape add-in for Adobe Flash Player" = Octoshape add-in for Adobe Flash Player

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]
Error - 8/20/2008 10:11:37 AM | Computer Name = MARCS | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\EHI187OZ\IP_001_DOJ_Youth_Addiction[1].swf
failed, 0000A413.

Error - 9/1/2008 2:53:25 PM | Computer Name = MARCS | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
\\Conference\shareddocs\New Folder\Spybot Ver 1.4\spybotsd14.exe failed, 00000005.


Error - 9/3/2008 11:40:45 PM | Computer Name = MARCS | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://download1.coupons.com/7/19/7125/638...uponprinter.exe
failed, 0000001E.

Error - 12/14/2008 5:55:01 PM | Computer Name = MARCS | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://www.denvergov.org/ScriptResource.ax...526097557098058
failed, 0000A413.

Error - 1/5/2010 10:41:07 PM | Computer Name = MARCS | Source = avast! | ID = 33554522
Description = Error in aswChestC: chestOpenList Error 1753.

Error - 1/5/2010 10:41:07 PM | Computer Name = MARCS | Source = avast! | ID = 33554522
Description = aswChestInterface - Program error description: CChestListView::LoadFiles()
chestOpenList() failed: 2147422219.

Error - 1/5/2010 10:41:17 PM | Computer Name = MARCS | Source = avast! | ID = 33554522
Description = aswChestInterface - Program error description: CChestListView::OnCreate()
!m_strErrorWnd.IsEmpty().

Error - 1/13/2010 11:41:11 AM | Computer Name = MARCS | Source = avast! | ID = 33554522
Description = Error in aswChestC: chestOpenList Error 1753.

Error - 1/13/2010 11:41:11 AM | Computer Name = MARCS | Source = avast! | ID = 33554522
Description = aswChestInterface - Program error description: CChestListView::LoadFiles()
chestOpenList() failed: 2147422219.

Error - 1/13/2010 11:41:41 AM | Computer Name = MARCS | Source = avast! | ID = 33554522
Description = aswChestInterface - Program error description: CChestListView::OnCreate()
!m_strErrorWnd.IsEmpty().

[ Application Events ]
Error - 1/13/2010 3:48:19 AM | Computer Name = MARCS | Source = Application Error | ID = 1001
Description = Fault bucket 1365436591.

Error - 1/13/2010 4:40:27 AM | Computer Name = MARCS | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module shlwapi.dll, version 6.0.2900.3395, fault address 0x0002c4a1.

Error - 1/13/2010 5:27:35 AM | Computer Name = MARCS | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module user32.dll, version 5.1.2600.3099, fault address 0x0001df68.

Error - 1/13/2010 5:39:34 AM | Computer Name = MARCS | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module ntdll.dll, version 5.1.2600.2180, fault address 0x00002233.

Error - 1/13/2010 7:06:06 AM | Computer Name = MARCS | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module ntdll.dll, version 5.1.2600.2180, fault address 0x00002d09.

Error - 1/13/2010 7:21:59 AM | Computer Name = MARCS | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module ntdll.dll, version 5.1.2600.2180, fault address 0x000702dd.

Error - 1/13/2010 8:00:43 AM | Computer Name = MARCS | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module shlwapi.dll, version 6.0.2900.3395, fault address 0x0002c4a1.

Error - 1/13/2010 8:44:33 AM | Computer Name = MARCS | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module user32.dll, version 5.1.2600.3099, fault address 0x0001df68.

Error - 1/13/2010 8:49:23 AM | Computer Name = MARCS | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module ntdll.dll, version 5.1.2600.2180, fault address 0x00002ca7.

Error - 1/13/2010 11:31:50 AM | Computer Name = MARCS | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module ntdll.dll, version 5.1.2600.2180, fault address 0x000702da.

[ System Events ]
Error - 1/13/2010 1:00:32 PM | Computer Name = MARCS | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service BITS with arguments
"" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

Error - 1/13/2010 1:01:25 PM | Computer Name = MARCS | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service iPod Service
with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}

Error - 1/13/2010 1:01:25 PM | Computer Name = MARCS | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the iPod Service service
to connect.

Error - 1/13/2010 1:01:25 PM | Computer Name = MARCS | Source = Service Control Manager | ID = 7000
Description = The iPod Service service failed to start due to the following error:
%%1053

Error - 1/14/2010 12:59:49 PM | Computer Name = MARCS | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.3 for the Network Card with network
address 000C6E79C024 has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 1/14/2010 10:35:12 PM | Computer Name = MARCS | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service BITS with arguments
"" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

Error - 1/15/2010 1:17:04 AM | Computer Name = MARCS | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service BITS with arguments
"" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

Error - 1/15/2010 3:06:28 AM | Computer Name = MARCS | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service BITS with arguments
"" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

Error - 1/15/2010 12:59:51 PM | Computer Name = MARCS | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.2 for the Network Card with network
address 000C6E79C024 has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 1/16/2010 12:59:54 AM | Computer Name = MARCS | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.2 for the Network Card with network
address 000C6E79C024 has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).


< End of report >

OTL logfile created on: 1/17/2010 6:02:24 PM - Run 1
OTL by OldTimer - Version 3.1.25.2 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 181.00 Mb Available Physical Memory | 35.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 51.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144.51 Gb Total Space | 59.06 Gb Free Space | 40.87% Space Free | Partition Type: NTFS
Drive D: | 4.53 Gb Total Space | 0.78 Gb Free Space | 17.34% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MARCS
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/17 17:47:30 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2010/01/13 00:27:58 | 00,323,392 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\DNA\btdna.exe
PRC - [2010/01/10 19:07:36 | 00,176,128 | ---- | M] (LogicEmpire) -- C:\Program Files\Play65\bin\Play65.exe
PRC - [2009/11/24 16:51:40 | 00,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/24 16:51:35 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/24 16:51:21 | 00,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/11/24 16:48:48 | 00,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/11/24 16:43:56 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/11/12 16:33:04 | 10,358,048 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunes.exe
PRC - [2009/11/12 16:33:00 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/11/10 23:08:18 | 00,417,792 | ---- | M] (Apple Inc.) -- C:\Program Files\QuickTime\QTTask.exe
PRC - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/03/08 13:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2007/10/17 08:27:46 | 00,032,768 | ---- | M] (Mutual of Omaha) -- C:\Program Files\Common Files\MOO\WinFlx.exe
PRC - [2007/06/13 03:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/12/19 15:53:42 | 00,461,320 | ---- | M] (TuneUp Software GmbH) -- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
PRC - [2006/12/19 15:53:30 | 00,394,760 | ---- | M] (TuneUp Software GmbH) -- C:\Program Files\TuneUp Utilities 2007\RegistryCleaner.exe
PRC - [2006/12/04 10:57:38 | 00,036,864 | ---- | M] () -- C:\WINDOWS\system32\acs.exe
PRC - [2006/10/04 11:49:02 | 00,892,928 | ---- | M] (Diskeeper Corporation) -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
PRC - [2005/08/10 07:01:01 | 00,069,632 | ---- | M] () -- C:\Program Files\Softex\OmniPass\OPXPApp.exe
PRC - [2005/04/01 15:16:00 | 00,127,043 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2004/10/28 14:03:32 | 00,327,680 | ---- | M] (KYOCERA MITA) -- C:\Program Files\Kyocera\FileUtility\NsCatCom.exe
PRC - [2004/03/07 16:30:38 | 00,174,592 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\LEXPPS.EXE
PRC - [2004/03/07 16:30:24 | 00,311,296 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\LEXBCES.EXE
PRC - [2003/09/16 15:50:18 | 00,061,440 | ---- | M] (KYOCERA MITA CORPORATION) -- C:\Program Files\Kyocera\FileUtility\SFUSVC.exe
PRC - [2003/02/21 04:07:06 | 00,068,704 | ---- | M] () -- C:\Program Files\Softex\OmniPass\omniServ.exe
PRC - [2002/06/22 07:27:42 | 00,069,632 | ---- | M] () -- C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe
PRC - [1998/05/07 16:04:38 | 00,052,736 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\system\hpsysdrv.exe


========== Modules (SafeList) ==========

MOD - [2010/01/17 17:47:30 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
MOD - [2006/08/25 08:45:55 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/11/24 16:51:35 | 00,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/11/24 16:51:21 | 00,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/11/24 16:48:48 | 00,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/11/24 16:43:56 | 00,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2009/11/12 16:33:00 | 00,545,568 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2007/10/17 08:27:46 | 00,032,768 | ---- | M] (Mutual of Omaha) [Auto | Running] -- C:\Program Files\Common Files\MOO\WinFlx.exe -- (WinFlxCSV)
SRV - [2006/12/19 15:53:46 | 00,024,072 | ---- | M] (TuneUp Software GmbH) [Auto | Running] -- C:\WINDOWS\system32\uxtuneup.dll -- (uxtuneup)
SRV - [2006/12/04 10:57:38 | 00,036,864 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\acs.exe -- (ACS)
SRV - [2006/10/04 11:49:02 | 00,892,928 | ---- | M] (Diskeeper Corporation) [Auto | Running] -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe -- (diskeeper)
SRV - [2005/04/01 15:16:00 | 00,127,043 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2004/10/22 02:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/03/07 16:30:24 | 00,311,296 | ---- | M] (Lexmark International, Inc.) [Auto | Running] -- C:\WINDOWS\system32\LEXBCES.EXE -- (LexBceS)
SRV - [2003/09/16 15:50:18 | 00,061,440 | ---- | M] (KYOCERA MITA CORPORATION) [Auto | Running] -- C:\Program Files\Kyocera\FileUtility\SFUSVC.exe -- (SFUSVC)
SRV - [2003/02/21 04:07:06 | 00,068,704 | ---- | M] () [Auto | Running] -- C:\Program Files\Softex\OmniPass\omniServ.exe -- (omniserv)


========== Driver Services (SafeList) ==========

DRV - [2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (mbamswissarmy)
DRV - [2009/11/24 16:50:59 | 00,094,160 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2009/11/24 16:50:12 | 00,114,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2009/11/24 16:50:00 | 00,020,560 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2009/11/24 16:49:07 | 00,048,560 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswtdi)
DRV - [2009/11/24 16:48:57 | 00,023,120 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2009/11/24 16:47:54 | 00,027,408 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2009/03/19 15:32:48 | 00,023,400 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2009/01/23 08:49:08 | 00,037,664 | ---- | M] (RapidSolution Software AG) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tbhsd.sys -- (tbhsd)
DRV - [2008/08/18 13:27:23 | 00,017,801 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\AegisP.sys -- (AegisP) AEGIS Protocol (IEEE 802.1x)
DRV - [2008/06/23 14:21:22 | 00,716,272 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2007/11/13 03:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/10/23 07:08:40 | 00,047,360 | ---- | M] (VSO Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pcouffin.sys -- (pcouffin)
DRV - [2007/05/07 03:00:00 | 00,043,528 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2006/07/05 04:33:24 | 00,472,000 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WPN311.sys -- (AR5211)
DRV - [2005/11/20 22:48:21 | 00,016,512 | ---- | M] (Adaptec) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\aspi32.sys -- (Aspi32)
DRV - [2005/04/01 15:16:00 | 03,454,656 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/11/15 03:15:18 | 00,088,080 | ---- | M] (Jetico, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\BCSwap.sys -- (BCSWAP)
DRV - [2004/10/07 18:16:04 | 00,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2004/10/01 10:24:02 | 02,279,424 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/08/03 22:07:56 | 00,059,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2004/08/03 21:29:52 | 00,166,912 | ---- | M] (S3 Graphics, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3gnbm.sys -- (S3Psddr)
DRV - [2004/02/17 05:49:14 | 00,391,424 | ---- | M] (Sensaura Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS -- (ALCXSENS)
DRV - [2003/09/17 04:23:58 | 00,016,128 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\pcandis5.sys -- (PCANDIS5)
DRV - [2003/03/14 01:14:28 | 00,112,288 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ialmsbw.sys -- ({6080A529-897E-4629-A488-ABA0C29B635E}) Intel® Graphics Platform (SoftBIOS)
DRV - [2003/03/14 01:14:16 | 00,078,496 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ialmkchw.sys -- ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91}) Intel® Graphics Chipset (KCH)
DRV - [2003/03/14 01:13:04 | 00,090,395 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm)
DRV - [2003/03/07 22:13:22 | 00,624,369 | ---- | M] (LT) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ltmdmnt.sys -- (ltmodem5)
DRV - [2003/02/26 19:19:50 | 00,260,736 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sisgrp.sys -- (SiS315)
DRV - [2003/02/22 19:55:26 | 00,141,824 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\fasttx2k.sys -- (fasttx2k)
DRV - [2002/12/27 11:41:00 | 00,026,880 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\viaagp1.sys -- (viaagp1)
DRV - [2002/12/24 22:09:48 | 00,030,848 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\SISAGPX.sys -- (SISAGP)
DRV - [2002/10/01 08:22:32 | 00,009,856 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2002/09/06 18:24:00 | 00,013,568 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\nv_agp.sys -- (nv_agp)
DRV - [2002/08/29 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2001/08/23 01:00:00 | 00,025,434 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139)
DRV - [2001/06/04 13:00:00 | 00,014,112 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PS2.sys -- (Ps2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = :0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {35379F86-8CCB-4724-AE33-4278DE266C70}:1.0.4
FF - prefs.js..extensions.enabledItems: {d57c9ff1-6389-48fc-b770-f78bd89b6e8a}:1.27
FF - prefs.js..extensions.enabledItems: firefox@tvunetworks.com:2
FF - prefs.js..extensions.enabledItems: 4
FF - prefs.js..extensions.enabledItems: 7
FF - prefs.js..extensions.enabledItems: 2


FF - HKLM\software\mozilla\Mozilla Firefox 3.0.17\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/12 19:17:56 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.17\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/05 21:47:18 | 00,000,000 | ---D | M]

[2008/12/18 13:16:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2010/01/14 20:25:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x0v2gtua.default\extensions
[2008/12/18 13:41:33 | 00,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x0v2gtua.default\extensions\{d57c9ff1-6389-48fc-b770-f78bd89b6e8a}
[2009/08/28 16:27:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x0v2gtua.default\extensions\firefox@tvunetworks.com
[2008/12/18 13:16:09 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/12/15 07:52:31 | 00,214,344 | ---- | M] (WebEx Communications Inc.) -- C:\Program Files\Mozilla Firefox\plugins\atcliun.dll
[2007/12/19 11:59:17 | 00,044,360 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\atgpcdec.dll
[2007/12/19 11:59:18 | 00,107,928 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\atgpcext.dll
[2007/12/15 07:51:53 | 00,098,704 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\ieatgpc.dll
[2007/12/15 07:51:34 | 00,060,816 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\npatgpc.dll
[2008/09/03 17:11:24 | 00,054,600 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
[2007/12/15 07:52:32 | 00,028,672 | ---- | M] (WebEx Communications Inc.) -- C:\Program Files\Mozilla Firefox\plugins\ptexmeet.dll

O1 HOSTS File: ([2008/08/07 16:52:31 | 00,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKLM\..\Toolbar: (SeoQuake) - {9C590067-8A6A-4db6-B052-069283790B04} - C:\Program Files\SeoQuake\SeoQuake.dll ()
O3 - HKLM\..\Toolbar: (hp toolkit) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\hp\EXPLOREBAR\HPTOOLKT.DLL (Hewlett-Packard Company)
O3 - HKLM\..\Toolbar: (Grab Pro) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll ()
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (hp toolkit) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\hp\EXPLOREBAR\HPTOOLKT.DLL (Hewlett-Packard Company)
O3 - HKCU\..\Toolbar\WebBrowser: (Grab Pro) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll ()
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [BCWipeTM Startup] C:\Program Files\Jetico\BCWipe\BCWipeTM.exe (Jetico, Inc.)
O4 - HKLM..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe ()
O4 - HKLM..\Run: [DiskeeperSystray] C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe (Diskeeper Corporation)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [hpsysdrv] c:\WINDOWS\system\hpsysdrv.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [UpdateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)
O4 - HKCU..\Run: [BitTorrent DNA] C:\Program Files\DNA\btdna.exe (BitTorrent, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll (Sun Microsystems, Inc.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab (QuickTime Object)
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} https://www.windowsonecare.com/install/cli/...nSSWebAgent.CAB (Reg Error: Key error.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} http://ak.exe.imgfarm.com/images/nocache/f...etup1.0.1.1.cab (Reg Error: Key error.)
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} http://forms.real.com/real/player/download...ne_Inst_Win.cab (Reg Error: Key error.)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll (Installation Support)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe (Reg Error: Key error.)
O16 - DPF: {4AB16005-E995-4A60-89DE-8B8A3E6EB5B0} http://www.worldwinner.com/games/v56/trivi...vialpursuit.cab (TrivialPursuit Control)
O16 - DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} http://www.facebook.com/controls/contactx.dll (ContactExtractor Class)
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} http://www.worldwinner.com/games/shared/wwlaunch.cab (Wwlaunch Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\OPXPGina: DllName - C:\Program Files\Softex\OmniPass\opxpgina.dll - C:\Program Files\Softex\OmniPass\OPXPGina.dll ()
O20 - Winlogon\Notify\WRNotifier: DllName - WRLogonNTF.dll - File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/04/09 22:19:17 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/28 07:07:38 | 00,000,000 | RHS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O33 - MountPoints2\{2d3fb17e-c0d8-11da-a463-000c6e79c024}\Shell\AutoRun\command - "" = setupSNK.exe
O33 - MountPoints2\{655d6492-0b7c-11db-bc0f-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{655d6492-0b7c-11db-bc0f-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{655d6492-0b7c-11db-bc0f-806d6172696f}\Shell\AutoRun\command - "" = E:\Install.exe -- File not found
O33 - MountPoints2\{afe3d9a2-63f7-11dd-bcd4-000c6e79c024}\Shell - "" = AutoRun
O33 - MountPoints2\{afe3d9a2-63f7-11dd-bcd4-000c6e79c024}\Shell\autorun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (SsiEfr.e) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/01/17 17:47:26 | 00,547,328 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/01/13 09:58:05 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\MpEngineStore
[2010/01/13 08:47:25 | 10,038,728 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Owner\Desktop\windows-kb890830-v3.3.exe
[2010/01/12 23:40:19 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Owner\Desktop\RootRepeal.exe
[2010/01/12 23:19:32 | 00,000,000 | ---D | C] -- C:\Program Files\Segmation
[2010/01/12 22:48:54 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\Owner\Recent
[2010/01/10 09:01:22 | 05,115,824 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner\Desktop\mbam-setup.exe
[2010/01/09 17:56:29 | 00,107,368 | ---- | C] (GEAR Software Inc.) -- C:\WINDOWS\System32\GEARAspi.dll
[2010/01/09 17:56:29 | 00,023,400 | ---- | C] (GEAR Software Inc.) -- C:\WINDOWS\System32\drivers\GEARAspiWDM.sys
[2010/01/09 17:55:23 | 00,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/01/09 17:55:23 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2010/01/09 17:54:11 | 00,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2009/12/30 11:29:51 | 00,023,120 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2009/12/30 11:29:48 | 00,048,560 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2009/12/30 11:29:46 | 00,027,408 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2009/12/30 11:29:40 | 00,097,480 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\AvastSS.scr
[2009/12/30 11:29:37 | 00,114,768 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2009/12/30 11:29:37 | 00,020,560 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2009/12/30 11:29:36 | 00,094,160 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2009/12/30 11:29:36 | 00,093,424 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2009/12/30 11:28:54 | 01,280,480 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2009/12/26 21:33:56 | 00,000,000 | ---D | C] -- C:\Program Files\Jetico
[2009/12/26 21:19:58 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/26 21:19:56 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/26 21:19:56 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/26 08:31:38 | 00,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2009/04/14 07:38:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/01/16 18:51:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2008/07/10 15:55:54 | 00,570,128 | ---- | C] (Microsoft Corporation) -- C:\Program Files\Common Files\DAO350.DLL
[2008/07/10 15:55:54 | 00,561,179 | ---- | C] (Microsoft Corporation) -- C:\Program Files\Common Files\dao360.dll
[2008/04/14 07:22:43 | 00,018,944 | ---- | C] ( ) -- C:\WINDOWS\System32\Implode.dll
[2007/12/04 21:55:33 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2007/10/23 07:08:40 | 00,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Owner\Application Data\pcouffin.sys
[2007/07/11 02:00:57 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2006/09/02 11:34:43 | 00,774,144 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\RngInterstitial.dll
[2005/11/07 13:00:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Webroot
[2005/07/03 10:24:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Help
[2005/07/03 10:24:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Help
[2005/04/25 06:28:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Symantec
[2004/09/08 10:54:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2003/04/09 22:22:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\Owner\My Documents\*.tmp files -> C:\Documents and Settings\Owner\My Documents\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/17 17:48:03 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/01/17 17:47:30 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/01/17 17:43:27 | 00,002,483 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Microsoft Word.lnk
[2010/01/15 18:51:08 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/01/15 17:15:00 | 00,000,390 | ---- | M] () -- C:\WINDOWS\tasks\1-Click Maintenance.job
[2010/01/15 09:41:42 | 00,031,896 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\budget_sheet_accc.pdf
[2010/01/15 09:33:00 | 00,000,214 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Comcast.net News, Sports, Video, TV listings, Email and more!.url
[2010/01/15 00:05:06 | 00,148,992 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\budget_sheet_accc.xls
[2010/01/14 21:32:52 | 00,050,176 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Emrich Sales resume.doc
[2010/01/14 21:32:22 | 00,024,576 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Dear Jordan.doc
[2010/01/13 10:00:39 | 00,000,186 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.DAT
[2010/01/13 10:00:28 | 00,021,961 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/01/13 09:59:56 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/13 09:59:47 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/13 09:58:37 | 11,010,048 | -H-- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT
[2010/01/13 09:58:37 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/01/13 08:47:33 | 10,038,728 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Owner\Desktop\windows-kb890830-v3.3.exe
[2010/01/13 00:28:19 | 00,000,160 | ---- | M] () -- C:\WINDOWS\System32\H8SRTbiesigdsxi.dat
[2010/01/12 23:58:47 | 00,000,928 | ---- | M] () -- C:\WINDOWS\System32\h8srtkrl32mainweq.dll
[2010/01/12 23:58:45 | 00,000,805 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/01/12 23:58:45 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2010/01/12 23:58:45 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/01/12 23:43:50 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\settings.dat
[2010/01/12 23:12:37 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/12 21:48:42 | 00,000,000 | ---- | M] () -- C:\videoplayback(2).mp3
[2010/01/12 18:46:55 | 00,000,000 | ---- | M] () -- C:\YouTube - Koop - Come to me (OFFICIAL VIDEO) HQ.mp3
[2010/01/11 12:20:30 | 00,024,064 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Sierra Leone.doc
[2010/01/11 10:14:10 | 00,025,600 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Best Contractor Cover letter.doc
[2010/01/10 22:56:44 | 00,041,984 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\tanyau's resume.doc
[2010/01/10 22:00:20 | 00,000,195 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\craigslist denver classifieds for jobs, apartments, personals, for sale, services, community, and events.url
[2010/01/10 09:01:22 | 05,115,824 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner\Desktop\mbam-setup.exe
[2010/01/10 08:56:00 | 00,000,846 | ---- | M] () -- C:\WINDOWS\System32\krl32mainweq.dll
[2010/01/09 23:33:16 | 00,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/01/09 22:38:08 | 00,000,008 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\sysReserve.ini
[2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/06 09:24:18 | 00,659,968 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\MicrosoftFixit50195.msi
[2010/01/04 18:21:46 | 00,000,131 | ---- | M] () -- C:\WINDOWS\System32\srcr.dat
[2010/01/04 12:13:17 | 00,092,380 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\47627618_3.7506504_merlette_friendo_1.swm
[2010/01/04 12:13:02 | 00,475,648 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\bg position 1.doc
[2010/01/04 11:13:47 | 00,000,478 | ---- | M] () -- C:\WINDOWS\winpoint.ini
[2009/12/30 11:29:52 | 00,001,720 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Antivirus.lnk
[2009/12/30 11:29:37 | 00,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/12/27 11:37:03 | 00,026,624 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/26 22:56:34 | 00,000,000 | ---- | M] () -- C:\YouTube - Use Somebody - Kings of Leon.mp3
[2009/12/26 21:20:00 | 00,000,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\hi.lnk
[2009/12/26 21:15:39 | 00,000,287 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\nbinst.ini
[2009/12/26 20:14:27 | 00,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/12/26 19:34:24 | 01,677,302 | ---- | M] () -- C:\Emiliana Torrini - Today Has Been Okay.mp3
[2009/12/26 19:34:19 | 01,593,501 | ---- | M] () -- C:\Emiliana torrini Heartstopper.mp3
[2009/12/26 19:33:59 | 00,000,000 | ---- | M] () -- C:\Blitzen Trapper- Black River Killer.mp3
[2009/12/21 11:40:32 | 00,025,088 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Volunteers of America.doc
[2009/12/19 10:14:58 | 00,016,217 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\farrer trewhitt clone.jpg
[2009/12/18 20:23:06 | 00,000,240 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Google.url
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\Owner\My Documents\*.tmp files -> C:\Documents and Settings\Owner\My Documents\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/15 09:41:39 | 00,031,896 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\budget_sheet_accc.pdf
[2010/01/15 09:33:00 | 00,000,214 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Comcast.net News, Sports, Video, TV listings, Email and more!.url
[2010/01/14 21:32:21 | 00,024,576 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Dear Jordan.doc
[2010/01/12 23:58:47 | 00,000,928 | ---- | C] () -- C:\WINDOWS\System32\h8srtkrl32mainweq.dll
[2010/01/12 23:43:50 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\settings.dat
[2010/01/12 21:48:42 | 00,000,000 | ---- | C] () -- C:\videoplayback(2).mp3
[2010/01/12 18:46:33 | 00,000,000 | ---- | C] () -- C:\YouTube - Koop - Come to me (OFFICIAL VIDEO) HQ.mp3
[2010/01/11 12:06:33 | 00,024,064 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Sierra Leone.doc
[2010/01/11 10:14:10 | 00,025,600 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Best Contractor Cover letter.doc
[2010/01/09 23:33:16 | 00,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/01/09 17:56:31 | 00,002,137 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/01/06 09:24:17 | 00,659,968 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\MicrosoftFixit50195.msi
[2010/01/04 12:13:16 | 00,092,380 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\47627618_3.7506504_merlette_friendo_1.swm
[2010/01/04 12:13:01 | 00,475,648 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\bg position 1.doc
[2009/12/30 11:29:52 | 00,001,720 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Antivirus.lnk
[2009/12/30 11:28:54 | 00,380,928 | ---- | C] () -- C:\WINDOWS\System32\actskin4.ocx
[2009/12/26 22:56:34 | 00,000,000 | ---- | C] () -- C:\YouTube - Use Somebody - Kings of Leon.mp3
[2009/12/26 21:20:00 | 00,000,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\hi.lnk
[2009/12/26 21:15:35 | 00,000,287 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\nbinst.ini
[2009/12/26 20:37:20 | 00,000,846 | ---- | C] () -- C:\WINDOWS\System32\krl32mainweq.dll
[2009/12/26 20:36:18 | 00,000,131 | ---- | C] () -- C:\WINDOWS\System32\srcr.dat
[2009/12/26 20:36:13 | 00,000,160 | ---- | C] () -- C:\WINDOWS\System32\H8SRTbiesigdsxi.dat
[2009/12/26 20:36:11 | 00,023,040 | ---- | C] () -- C:\WINDOWS\System32\H8SRTampflevtvc.dll
[2009/12/26 20:35:57 | 00,000,008 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\sysReserve.ini
[2009/12/26 19:33:26 | 00,000,000 | ---- | C] () -- C:\Blitzen Trapper- Black River Killer.mp3
[2009/12/26 19:33:06 | 01,677,302 | ---- | C] () -- C:\Emiliana Torrini - Today Has Been Okay.mp3
[2009/12/26 19:33:06 | 01,593,501 | ---- | C] () -- C:\Emiliana torrini Heartstopper.mp3
[2009/12/23 01:40:34 | 00,026,439 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Gomorrah.2008.DVDRip.XviD.AC3-iAPULA.cd2.English.srt
[2009/12/23 01:40:34 | 00,024,079 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Gomorrah.2008.DVDRip.XviD.AC3-iAPULA.cd3.English.srt
[2009/12/21 10:56:20 | 00,025,088 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Volunteers of America.doc
[2009/12/19 10:14:57 | 00,016,217 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\farrer trewhitt clone.jpg
[2009/10/30 18:24:19 | 00,561,152 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/10/30 18:24:19 | 00,159,744 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/10/30 18:24:19 | 00,135,168 | ---- | C] () -- C:\WINDOWS\System32\DVDIFOFilter.dll
[2009/10/17 15:28:47 | 08,676,883 | ---- | C] () -- C:\WINDOWS\System32\mp3Media2.dll
[2009/04/20 22:27:03 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/04/20 22:26:59 | 00,348,160 | ---- | C] () -- C:\WINDOWS\System32\cdga.dll
[2009/04/08 20:48:42 | 00,010,875 | ---- | C] () -- C:\WINDOWS\ESOA.INI
[2009/04/08 20:48:42 | 00,003,679 | ---- | C] () -- C:\WINDOWS\GrAddrBk.ini
[2009/04/08 20:48:42 | 00,000,995 | ---- | C] () -- C:\WINDOWS\GRACE.INI
[2009/04/08 20:48:42 | 00,000,053 | ---- | C] () -- C:\WINDOWS\PRSRVDLL.INI
[2009/04/08 20:42:12 | 00,000,478 | ---- | C] () -- C:\WINDOWS\winpoint.ini
[2009/01/30 10:23:58 | 00,000,059 | ---- | C] () -- C:\WINDOWS\INSDESK.INI
[2008/11/26 07:28:55 | 00,000,070 | ---- | C] () -- C:\WINDOWS\L&EAPPS.INI
[2008/11/11 16:01:00 | 00,000,572 | ---- | C] () -- C:\Program Files\INSTALL.LOG
[2008/11/11 16:00:51 | 00,164,864 | ---- | C] () -- C:\Program Files\UNWISE.EXE
[2008/09/03 15:19:39 | 00,001,203 | ---- | C] () -- C:\Program Files\recovery.dat
[2008/09/03 15:19:39 | 00,000,064 | ---- | C] () -- C:\Program Files\recovery.dsk
[2008/08/29 21:07:46 | 00,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/08/07 14:14:05 | 00,010,752 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2008/08/04 14:21:18 | 00,000,058 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\mchguid.ini
[2008/07/24 14:44:56 | 00,000,059 | ---- | C] () -- C:\WINDOWS\wsql.ini
[2008/06/27 12:35:16 | 00,000,002 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\7zip_progress_CF2C60F8-1BD0-484E-AD51-67DB0A6892A9.txt
[2008/06/27 12:35:12 | 00,000,002 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\7zip_progress_8D1E56AF-F710-4F0F-AB7C-849410577A74.txt
[2008/06/23 14:21:21 | 00,716,272 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2008/06/18 13:59:56 | 00,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008/06/02 17:11:16 | 00,000,668 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\vso_ts_preview.xml
[2008/04/25 15:11:09 | 00,000,035 | ---- | C] () -- C:\WINDOWS\AGLCUser.ini
[2008/04/22 08:29:12 | 00,000,000 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI
[2008/04/20 12:37:35 | 00,000,111 | ---- | C] () -- C:\WINDOWS\Ipg.ini
[2008/04/20 12:24:55 | 00,000,025 | ---- | C] () -- C:\WINDOWS\flexinet.ini
[2008/04/20 12:02:29 | 00,122,880 | ---- | C] () -- C:\WINDOWS\System32\moocommn32.dll
[2008/04/20 12:02:29 | 00,103,832 | ---- | C] () -- C:\WINDOWS\System32\MOOCOMMN.DLL
[2008/04/14 07:23:18 | 00,000,010 | ---- | C] () -- C:\WINDOWS\WinFlex6EXT.ini
[2008/04/14 07:22:43 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\u25store.dll
[2008/04/14 07:22:43 | 00,059,904 | ---- | C] () -- C:\WINDOWS\System32\u25total.dll
[2008/04/14 07:22:43 | 00,044,544 | ---- | C] () -- C:\WINDOWS\System32\u25dts.dll
[2008/04/14 07:22:42 | 00,049,152 | ---- | C] () -- C:\WINDOWS\System32\u2frec.dll
[2008/04/14 07:22:42 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\u2lbar.dll
[2008/04/14 07:22:42 | 00,038,400 | ---- | C] () -- C:\WINDOWS\System32\u2ldts.dll
[2008/04/14 07:22:42 | 00,027,136 | ---- | C] () -- C:\WINDOWS\System32\u2lsamp1.dll
[2008/04/14 07:22:04 | 00,000,130 | ---- | C] () -- C:\WINDOWS\Utdsysap.ini
[2008/04/14 07:22:04 | 00,000,101 | ---- | C] () -- C:\WINDOWS\applink.ini
[2008/04/14 07:21:20 | 00,000,000 | ---- | C] () -- C:\WINDOWS\tmp.ini
[2008/04/14 07:15:44 | 00,002,315 | ---- | C] () -- C:\WINDOWS\AIGAGUtility.ini
[2008/04/14 07:13:39 | 00,000,462 | ---- | C] () -- C:\WINDOWS\AIGAGinstalllog.ini
[2008/04/14 07:12:55 | 00,000,343 | ---- | C] () -- C:\WINDOWS\AIG.ini
[2008/02/02 03:07:55 | 00,149,376 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2007/12/26 14:54:47 | 00,000,174 | ---- | C] () -- C:\WINDOWS\nscatch.ini
[2007/12/20 21:21:05 | 00,036,998 | ---- | C] () -- C:\WINDOWS\alaRedun.ini
[2007/10/23 07:09:36 | 00,000,034 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\pcouffin.log
[2007/10/23 07:08:40 | 00,007,887 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\pcouffin.cat
[2007/10/23 07:08:40 | 00,001,144 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\pcouffin.inf
[2007/05/08 08:38:22 | 00,000,196 | -H-- | C] () -- C:\WINDOWS\System32\tscct1.dll
[2007/01/26 12:12:51 | 00,000,058 | ---- | C] () -- C:\WINDOWS\sview.ini
[2007/01/23 15:15:22 | 00,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2006/05/02 13:36:47 | 00,000,360 | ---- | C] () -- C:\WINDOWS\alamode.ini
[2006/04/21 22:03:25 | 00,000,058 | ---- | C] () -- C:\WINDOWS\mchguid.ini
[2005/12/11 11:25:12 | 00,000,148 | ---- | C] () -- C:\WINDOWS\System32\acmeinc.ini
[2005/12/11 11:25:12 | 00,000,116 | ---- | C] () -- C:\WINDOWS\System32\vxdtgm.ini
[2005/11/12 00:14:22 | 00,002,861 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2005/11/07 12:57:19 | 00,684,032 | ---- | C] () -- C:\WINDOWS\libeay32.dll
[2005/11/07 12:57:19 | 00,155,648 | ---- | C] () -- C:\WINDOWS\ssleay32.dll
[2005/08/31 04:49:04 | 00,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2005/07/30 12:27:15 | 00,006,048 | ---- | C] () -- C:\WINDOWS\System32\MCC16.dll
[2005/07/30 12:27:03 | 00,040,448 | ---- | C] () -- C:\WINDOWS\System32\BJAXSecurityManager.dll
[2005/07/30 12:27:01 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\BJInstaller.dll
[2005/07/05 06:54:16 | 00,240,640 | ---- | C] () -- C:\WINDOWS\System32\NMOCOD.DLL
[2005/07/03 10:22:03 | 00,000,560 | ---- | C] () -- C:\WINDOWS\LEXSTAT.INI
[2005/07/02 19:07:56 | 00,001,292 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\FASTWiz.html
[2005/07/02 16:22:01 | 00,067,853 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\FASTWiz.log
[2005/04/01 15:16:00 | 00,540,672 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2004/12/29 14:50:27 | 00,000,081 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2004/12/29 14:50:01 | 00,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2004/12/29 14:44:59 | 00,098,304 | ---- | C] () -- C:\WINDOWS\System32\pdfmona.dll
[2004/12/29 14:44:59 | 00,050,364 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2004/11/02 10:40:44 | 00,180,224 | ---- | C] () -- C:\WINDOWS\System32\ExpLoansFromGenesis.dll
[2004/08/31 15:39:21 | 00,071,749 | ---- | C] () -- C:\WINDOWS\HCExtOutput.dll
[2004/08/31 15:39:21 | 00,000,823 | ---- | C] () -- C:\WINDOWS\TSC.ini
[2004/08/31 15:37:40 | 00,000,170 | ---- | C] () -- C:\WINDOWS\GetServer.ini
[2004/07/08 10:09:51 | 00,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
[2004/04/14 10:40:53 | 00,000,515 | ---- | C] () -- C:\WINDOWS\NSSHAFT.INI
[2004/04/06 15:15:29 | 00,026,624 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/02/10 13:17:18 | 00,241,199 | ---- | C] () -- C:\WINDOWS\System32\fssiyp.dll
[2004/02/10 13:17:18 | 00,065,780 | ---- | C] () -- C:\WINDOWS\System32\ozzchrd.dll
[2003/11/18 07:18:04 | 00,000,000 | ---- | C] () -- C:\WINDOWS\PNTINFO.INI
[2003/11/12 09:16:58 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\GNetParserX.dll
[2003/10/21 08:48:45 | 00,051,304 | ---- | C] () -- C:\WINDOWS\System32\drivers\atnt40k.sys
[2003/10/07 17:01:52 | 00,000,561 | ---- | C] () -- C:\WINDOWS\import.INI
[2003/09/23 12:44:06 | 00,000,028 | ---- | C] () -- C:\WINDOWS\Systems.ini
[2003/09/07 10:31:13 | 00,016,816 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2003/09/03 12:39:09 | 00,139,264 | ---- | C] () -- C:\WINDOWS\System32\sbaparam.dll
[2003/09/03 12:39:09 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\sbautils.dll
[2003/09/03 12:39:08 | 00,184,320 | ---- | C] () -- C:\WINDOWS\System32\EmbeddedDX.dll
[2003/09/03 12:39:07 | 00,000,255 | ---- | C] () -- C:\WINDOWS\GrAdr16.ini
[2003/09/02 12:56:54 | 00,000,026 | ---- | C] () -- C:\WINDOWS\System32\natbox.ini
[2003/08/24 13:37:00 | 00,000,730 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/04/10 04:35:00 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003/04/10 04:34:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\iAlmcoin.dll
[2003/04/10 04:21:36 | 00,002,162 | ---- | C] () -- C:\WINDOWS\System32\mshrml.ini
[2003/04/10 01:51:07 | 00,000,438 | ---- | C] () -- C:\WINDOWS\System32\1_ssetup.ini
[2003/04/10 01:51:07 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\sunistlog.ini
[2003/04/10 00:06:10 | 00,167,936 | ---- | C] () -- C:\WINDOWS\System32\PCDrJNI_1_1.dll
[2003/04/10 00:03:38 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll
[2003/04/10 00:03:38 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\syscontr.dll
[2003/04/09 23:57:15 | 00,000,052 | ---- | C] () -- C:\WINDOWS\intuprof.ini
[2003/04/09 23:57:04 | 00,000,608 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2003/04/09 23:16:44 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2003/04/09 22:55:02 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/04/09 22:44:58 | 00,299,073 | ---- | C] () -- C:\WINDOWS\System32\PythonCOM22.dll
[2003/04/09 22:44:58 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes22.dll
[2003/04/09 22:44:29 | 00,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2003/04/09 22:23:21 | 00,000,802 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2003/04/09 22:05:45 | 00,000,659 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2000/02/17 13:57:02 | 00,225,280 | ---- | C] () -- C:\WINDOWS\System32\gn32.dll
[1999/10/13 14:59:48 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\Gns2kzip.dll
[1999/07/23 10:46:48 | 00,000,116 | ---- | C] () -- C:\WINDOWS\AuHCcup1.ini
[1999/07/23 07:53:20 | 00,129,536 | ---- | C] () -- C:\WINDOWS\AuHCcup1.dll
[1617/11/22 05:59:51 | 00,003,120 | ---- | C] () -- C:\WINDOWS\TMN211G.ini
< End of report >


Thanks,
Marc

#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:11:55 AM

Posted 17 January 2010 - 08:58 PM

Hi,

please run a scan for rootkits:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#5 marc_e

marc_e
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:02:55 AM

Posted 18 January 2010 - 01:30 PM

I ran Gmer in normal mode and it froze up. I then ran it in safe mode. After it had not completed the scan in about two and one half hours, I went to bed. When I woke up my computer had frozen in safe mode with the message "GMER has found systems modification caused by Rootkit Malware".

I had lost my log as well.

So I reran this morning for about twenty minutes and saved the partial run. It had about the same amount of information as was present last night before I went to bed. I only did the partial run because I needed to work a bit on the computer this morning. I am now leaving the house for several hours and will rerun gmer in safe mode. I wanted you to look at what I have so far, because it is my belief that this about covers it and I am afraid that I am going to be coming home to a frozen computer again.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-18 08:15:17
Windows 5.1.2600 Service Pack 2
Running: vx72kysd.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fxldypob.sys


---- System - GMER 1.0.15 ----

SSDT sprh.sys ZwCreateKey [0xF83820E0] <-- ROOTKIT !!!
SSDT sprh.sys ZwEnumerateKey [0xF839FCA2] <-- ROOTKIT !!!
SSDT sprh.sys ZwEnumerateValueKey [0xF83A0030] <-- ROOTKIT !!!
SSDT sprh.sys ZwOpenKey [0xF83820C0] <-- ROOTKIT !!!
SSDT sprh.sys ZwQueryKey [0xF83A0108] <-- ROOTKIT !!!
SSDT sprh.sys ZwQueryValueKey [0xF839FF88] <-- ROOTKIT !!!
SSDT sprh.sys ZwSetValueKey [0xF83A019A] <-- ROOTKIT !!!

INT 0x62 ? 82E8CBF8
INT 0x63 ? 82D93BF8
INT 0x73 ? 82D93BF8
INT 0x82 ? 82E8CBF8
INT 0x83 ? 82D93BF8
INT 0xB4 ? 82D93BF8

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!ExUuidCreate + 106E 805E9E00 71 Bytes [00, 00, 00, 6A, 01, BE, 84, ...]
PAGE ntoskrnl.exe!ExUuidCreate + 10B6 805E9E48 5 Bytes [89, 48, 04, 89, 01] {MOV [EAX+0x4], ECX; MOV [ECX], EAX}
PAGE ntoskrnl.exe!ExUuidCreate + 10BC 805E9E4E 77 Bytes [05, EC, 8E, 69, 80, 83, 3D, ...]
PAGE ntoskrnl.exe!ExUuidCreate + 110A 805E9E9C 24 Bytes [A3, C8, BC, 55, 80, 89, 1D, ...]
PAGE ntoskrnl.exe!ExUuidCreate + 1123 805E9EB5 45 Bytes [88, 5D, FF, EB, AB, 90, 90, ...]
PAGE ...
PAGE ntoskrnl.exe!ZwSetThreadExecutionState + 24 805EA25C 48 Bytes [73, 01, 00, 89, 55, FC, 64, ...]
PAGE ntoskrnl.exe!ZwSetThreadExecutionState + 55 805EA28D 17 Bytes [4D, FC, FF, 8B, 7D, D8, 81, ...]
PAGE ntoskrnl.exe!ZwSetThreadExecutionState + 67 805EA29F 36 Bytes [00, 80, 0B, F3, 83, 7D, E0, ...]
PAGE ntoskrnl.exe!ZwSetThreadExecutionState + 8C 805EA2C4 26 Bytes CALL 805B16DF \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwSetThreadExecutionState + A7 805EA2DF 216 Bytes CALL 804E2EBC \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!IoCheckFunctionAccess + 4 805EA3B8 19 Bytes [EC, 0F, B6, 45, 0C, 56, 33, ...]
PAGE ntoskrnl.exe!IoCheckFunctionAccess + 18 805EA3CC 74 Bytes [F6, 45, 08, 03, 74, 10, 8B, ...]
PAGE ntoskrnl.exe!LsaFreeReturnBuffer + 15 805EA418 1 Byte [08]
PAGE ntoskrnl.exe!LsaFreeReturnBuffer + 18 805EA41B 61 Bytes CALL 804E38FD \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!LsaFreeReturnBuffer + 56 805EA459 87 Bytes JMP 8058C97F \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!LsaFreeReturnBuffer + AE 805EA4B1 33 Bytes [8D, 51, 28, 8B, 0A, 3B, 71, ...]
PAGE ntoskrnl.exe!LsaFreeReturnBuffer + D0 805EA4D3 14 Bytes [EC, 83, EC, 20, A1, 74, 7D, ...] {IN AL, DX ; SUB ESP, 0x20; MOV EAX, [0x80567d74]; AND AL, 0xc; CMP AL, 0x8; PUSH EDI}
PAGE ...
PAGE ntoskrnl.exe!ZwSetTimerResolution + 42 805EA541 18 Bytes [78, 44, 83, 65, E4, 00, 6A, ...]
PAGE ntoskrnl.exe!ZwSetTimerResolution + 55 805EA554 16 Bytes [81, C7, 48, 02, 00, 00, 80, ...]
PAGE ntoskrnl.exe!ZwSetTimerResolution + 66 805EA565 88 Bytes [8B, 07, 8B, D0, 23, D1, F0, ...]
PAGE ntoskrnl.exe!ZwSetTimerResolution + BF 805EA5BE 52 Bytes [33, 83, 4D, FC, FF, 8B, 45, ...]
PAGE ntoskrnl.exe!ZwSetTimerResolution + F4 805EA5F3 13 Bytes [3B, F8, 0F, 82, D2, 6C, 02, ...]
PAGE ...
? sprh.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F810F62C 5 Bytes JMP 82D931D8
.text win32k.sys!EngMulDiv + 7E2 BF81FE00 3 Bytes [83, 05, 00]
.text win32k.sys!EngMulDiv + 7E6 BF81FE04 23 Bytes JMP BF81FD7D \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngMulDiv + 7FE BF81FE1C 5 Bytes [75, 04, 5D, C2, 04]
.text win32k.sys!EngMulDiv + 804 BF81FE22 9 Bytes [A1, 78, A8, 9A, BF, FF, 88, ...]
.text win32k.sys!EngMulDiv + 80F BF81FE2D 176 Bytes CALL BF802A94 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text ...
.text win32k.sys!EngSetLastError + 18 BF828A10 165 Bytes [08, 89, 48, 34, 5D, C2, 04, ...]
.text win32k.sys!EngSetLastError + BE BF828AB6 28 Bytes [8B, 4D, 08, 85, C9, 74, 23, ...]
.text win32k.sys!EngSetLastError + DB BF828AD3 56 Bytes CALL BF800B05 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngSetLastError + 115 BF828B0D 82 Bytes [3D, 8B, 15, 78, A8, 9A, BF, ...]
.text win32k.sys!EngSetLastError + 168 BF828B60 41 Bytes [75, BA, 5D, C2, 10, 00, 40, ...]
.text ...
.text win32k.sys!EngPaint + 51 BF830FE4 26 Bytes [90, 90, 90, 90, 90, 8B, FF, ...]
.text win32k.sys!EngPaint + 6C BF830FFF 76 Bytes [5E, 5D, C2, 04, 00, 53, E8, ...]
.text win32k.sys!EngPaint + BB BF83104E 9 Bytes [74, D7, 53, FF, 36, 8B, 9F, ...]
.text win32k.sys!EngPaint + C6 BF831059 49 Bytes [FF, 15, D0, C9, 98, BF, 3B, ...]
.text win32k.sys!EngPaint + F8 BF83108B 30 Bytes [FF, 55, 8B, EC, 56, E8, 45, ...]
.text ...
.text win32k.sys!EngLpkInstalled + 47 BF83266D 24 Bytes [0F, B6, 55, 10, 56, 8B, 30, ...]
.text win32k.sys!EngLpkInstalled + 60 BF832686 127 Bytes [45, 08, 89, 81, BC, 00, 00, ...]
.text win32k.sys!EngLpkInstalled + E0 BF832706 26 Bytes [F6, C6, 40, 74, 05, 0D, 00, ...]
.text win32k.sys!EngLpkInstalled + FB BF832721 40 Bytes [00, 00, 01, F6, C5, 01, 74, ...]
.text win32k.sys!EngLpkInstalled + 124 BF83274A 50 Bytes [52, 30, 56, 8B, F1, 83, E6, ...]
.text ...
.text win32k.sys!EngBitBlt BF833EC3 12 Bytes [8B, FF, 55, 8B, EC, 83, EC, ...] {MOV EDI, EDI; PUSH EBP; MOV EBP, ESP; SUB ESP, 0x44; MOV ECX, [EBP+0xc]; PUSH EBX}
.text win32k.sys!EngBitBlt + D BF833ED0 76 Bytes [5D, 08, 56, 8B, F1, F7, DE, ...]
.text win32k.sys!EngBitBlt + 5A BF833F1D 51 Bytes [47, 38, B9, AA, CC, 00, 00, ...]
.text win32k.sys!EngBitBlt + 8F BF833F52 89 Bytes [6A, 00, 51, FF, 75, 14, FF, ...]
.text win32k.sys!EngBitBlt + E9 BF833FAC 41 Bytes [FF, 3D, 55, 55, 00, 00, 0F, ...]
.text ...
.text win32k.sys!EngUnlockSurface + 2 BF834426 1 Byte [55]
.text win32k.sys!EngUnlockSurface + 2 BF834426 44 Bytes [55, 8B, EC, 56, 8B, 75, 08, ...]
.text win32k.sys!EngUnlockSurface + 2F BF834453 120 Bytes [FD, FF, 5E, 5D, C2, 04, 00, ...]
.text win32k.sys!EngLockSurface + 16 BF8344CC 85 Bytes [8B, 75, FC, 85, F6, 74, 1A, ...]
.text win32k.sys!EngLockSurface + 6C BF834522 287 Bytes [C0, 05, 00, 00, 85, C9, 74, ...]
.text win32k.sys!EngCreateBitmap + AB BF834642 12 Bytes [53, 56, 57, 8B, 45, 10, 8B, ...]
.text win32k.sys!EngCreateBitmap + B8 BF83464F 37 Bytes [75, 24, FF, 45, FC, 83, 7D, ...]
.text win32k.sys!EngCreateBitmap + DF BF834676 14 Bytes [C1, C1, E0, 03, 89, 45, F8, ...] {ROL ECX, 0xe0; ADD ECX, [ECX+0x45c7f845]; HLT ; OR [EAX], AL; ADD [EAX], AL}
.text win32k.sys!EngCreateBitmap + EE BF834685 82 Bytes [B6, 45, F8, 8B, 75, 10, 33, ...]
.text win32k.sys!EngCreateBitmap + 141 BF8346D8 104 Bytes [D2, E3, F6, D3, 20, 18, 8D, ...]
.text ...
.text win32k.sys!CLIPOBJ_cEnumStart + 12 BF83B2AE 21 Bytes CALL BF83B347 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!CLIPOBJ_bEnum + 6 BF83B2C4 68 Bytes [75, 10, 8B, 4D, 08, FF, 75, ...]
.text win32k.sys!CLIPOBJ_bEnum + 4B BF83B309 92 Bytes [6A, 00, EB, DA, 33, C0, EB, ...]
.text win32k.sys!CLIPOBJ_bEnum + A8 BF83B366 25 Bytes [89, 59, 5C, 89, 41, 70, 8D, ...]
.text win32k.sys!CLIPOBJ_bEnum + C2 BF83B380 197 Bytes [71, 48, 33, F6, 83, FB, 02, ...]
.text win32k.sys!CLIPOBJ_bEnum + 188 BF83B446 21 Bytes [FF, 55, 8B, EC, 83, EC, 20, ...]
.text ...
.text win32k.sys!EngCopyBits + 1F BF83E424 9 Bytes [56, 57, 89, 45, FC, 0F, 85, ...]
.text win32k.sys!EngCopyBits + 2A BF83E42F 76 Bytes [8B, 75, 08, 8B, 46, 0C, 33, ...]
.text win32k.sys!EngCopyBits + 77 BF83E47C 165 Bytes [FF, 8B, 43, 20, 3B, 46, 20, ...]
.text win32k.sys!EngCopyBits + 11E BF83E523 25 Bytes [8B, 04, B5, 80, B0, 99, BF, ...]
.text win32k.sys!EngCopyBits + 138 BF83E53D 8 Bytes [FF, 89, 75, FC, 0F, 86, 0D, ...]
.text ...
.text win32k.sys!EngMapFontFileFD + 2 BF83E9D0 8 Bytes [55, 8B, EC, 6A, 01, FF, 75, ...] {PUSH EBP; MOV EBP, ESP; PUSH 0x1; PUSH DWORD [EBP+0x10]}
.text win32k.sys!EngMapFontFileFD + B BF83E9D9 24 Bytes [75, 0C, FF, 75, 08, E8, 92, ...]
.text win32k.sys!EngMapFontFileFD + 24 BF83E9F2 121 Bytes [45, 08, 85, C0, 74, 17, 8D, ...]
.text win32k.sys!EngMapFontFileFD + 9F BF83EA6D 237 Bytes [00, EB, 3F, 90, 90, 90, 90, ...]
.text win32k.sys!EngMapFontFileFD + 18D BF83EB5B 223 Bytes [D9, 5B, FC, FF, FF, 46, 2C, ...]
.text win32k.sys!EngUnmapFontFileFD + 52 BF83EC3B 8 Bytes [00, F6, C1, 01, 0F, 85, 25, ...]
.text win32k.sys!EngUnmapFontFileFD + 5B BF83EC44 41 Bytes [00, 8B, 40, 4C, 49, 83, E1, ...]
.text win32k.sys!EngUnmapFontFileFD + 85 BF83EC6E 13 Bytes [C7, 45, F8, 01, 00, 00, 00, ...]
.text win32k.sys!EngUnmapFontFileFD + 93 BF83EC7C 9 Bytes [8B, 4D, 0C, 85, C9, 0F, 84, ...]
.text win32k.sys!EngUnmapFontFileFD + 9D BF83EC86 1 Byte [00]
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 82E8E2D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F83B293C] sprh.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F83B2990] sprh.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F8383040] sprh.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F838313C] sprh.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F83830BE] sprh.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F83837FC] sprh.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F83836D2] sprh.sys
IAT \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 82D932D8

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 82EE71F8
Device \FileSystem\Fastfat \FatCdrom 82D00500
Device \Driver\usbuhci \Device\USBPDO-0 82D7D500
Device \Driver\usbuhci \Device\USBPDO-1 82D7D500
Device \Driver\usbuhci \Device\USBPDO-2 82D7D500
Device \Driver\usbuhci \Device\USBPDO-3 82D7D500
Device \Driver\usbehci \Device\USBPDO-4 82D901F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 82EE91F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 82EE91F8
Device \Driver\Cdrom \Device\CdRom0 82DDA500
Device \Driver\Cdrom \Device\CdRom1 82DDA500
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 82E8C1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 82E8C1F8
Device \Driver\atapi \Device\Ide\IdePort0 82E8C1F8
Device \Driver\atapi \Device\Ide\IdePort1 82E8C1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f 82E8C1F8
Device \Driver\USBSTOR \Device\00000074 82CE11F8
Device \Driver\USBSTOR \Device\00000075 82CE11F8
Device \Driver\USBSTOR \Device\00000076 82CE11F8
Device \Driver\USBSTOR \Device\00000077 82CE11F8
Device \Driver\USBSTOR \Device\00000078 82CE11F8
Device \Driver\usbuhci \Device\USBFDO-0 82D7D500
Device \Driver\usbuhci \Device\USBFDO-1 82D7D500
Device \Driver\usbuhci \Device\USBFDO-2 82D7D500
Device \Driver\usbuhci \Device\USBFDO-3 82D7D500
Device \Driver\usbehci \Device\USBFDO-4 82D901F8
Device \Driver\Ftdisk \Device\FtControl 82EE91F8
Device \FileSystem\Fastfat \Fat 82D00500
Device \FileSystem\Cdfs \Cdfs 82CBD500
Device \FileSystem\Cdfs \Cdfs F7BFABCE

---- Services - GMER 1.0.15 ----

Service system32\drivers\H8SRTqycudkvnmw.sys (*** hidden *** ) [SYSTEM] H8SRTd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTqycudkvnmw.sys
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTqycudkvnmw.sys
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTampflevtvc.dll
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTbiesigdsxi.dat
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTyimnpuosdw.dll
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTkhnnygufkp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xC4 0xA2 0x5D 0xA1 ...
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTqycudkvnmw.sys
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTqycudkvnmw.sys
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTampflevtvc.dll
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTbiesigdsxi.dat
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTyimnpuosdw.dll
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTiylkqqvaum.dll
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xC4 0xA2 0x5D 0xA1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTqycudkvnmw.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTqycudkvnmw.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTampflevtvc.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTbiesigdsxi.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTyimnpuosdw.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTiylkqqvaum.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xC4 0xA2 0x5D 0xA1 ...
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTqycudkvnmw.sys
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTqycudkvnmw.sys
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTampflevtvc.dll
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTbiesigdsxi.dat
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTyimnpuosdw.dll
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTiylkqqvaum.dll
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xC4 0xA2 0x5D 0xA1 ...

---- EOF - GMER 1.0.15 ----


#6 myrti


Posted 19 January 2010 - 10:34 AM

Hi,

you have been infected by a nasty rootkit. It is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


If you decide to clean, then please run ComboFix and post the log in your next reply:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#7 myrti


Posted 23 January 2010 - 08:54 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti



#8 myrti


Posted 29 January 2010 - 08:25 AM

Hi,

topic reopened, please post your logs.

regards myrti



#9 marc_e


Posted 03 February 2010 - 10:47 PM

ComboFix 10-01-26.02 - Owner 01/26/2010 22:47:54.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.196 [GMT -7:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100126-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\FunWebProducts
c:\documents and settings\Owner\Application Data\FunWebProducts\Data\Owner\avatar.dat
c:\documents and settings\Owner\Application Data\FunWebProducts\Data\Owner\zbucks.dat
c:\program files\FunWebProducts
c:\program files\INSTALL.LOG
c:\program files\Internet Explorer\iexplore.exe.tmp
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\History\search3
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\MyWebSearch\bar\Settings\setting2.htm
c:\program files\MyWebSearch\bar\Settings\settings.dat
c:\windows\patch.exe
c:\windows\system32\404Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\H8SRTbiesigdsxi.dat
c:\windows\system32\h8srtkrl32mainweq.dll
c:\windows\system32\iAlmcoin.dll
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\krl32mainweq.dll
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\srcr.dat
c:\windows\system32\tmp.reg
c:\windows\system32\twain_32.dll
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_H8SRTd.sys
-------\Service_H8SRTd.sys


((((((((((((((((((((((((( Files Created from 2009-12-27 to 2010-01-27 )))))))))))))))))))))))))))))))
.

2010-01-20 06:19 . 2010-01-20 06:19 56096 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-13 16:58 . 2010-01-13 16:58 -------- d-----w- c:\windows\system32\MpEngineStore
2010-01-13 06:19 . 2010-01-13 06:19 -------- d-----w- c:\program files\Segmation
2010-01-10 06:33 . 2010-01-10 06:33 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-01-10 00:56 . 2009-03-19 22:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-01-10 00:56 . 2008-04-17 18:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-01-10 00:55 . 2010-01-10 00:56 -------- d-----w- c:\program files\iTunes
2010-01-10 00:55 . 2010-01-10 00:56 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-10 00:54 . 2010-01-10 00:54 -------- d-----w- c:\program files\Bonjour
2009-12-30 18:29 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-12-30 18:29 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-12-30 18:29 . 2009-11-24 23:47 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-12-30 18:29 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-12-30 18:29 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-12-30 18:29 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-12-30 18:29 . 2009-11-24 23:51 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-12-30 18:29 . 2009-11-24 23:50 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-12-30 18:28 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-27 06:09 . 2009-03-02 01:01 -------- d-----w- c:\program files\DNA
2010-01-27 06:09 . 2009-03-02 01:01 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
2010-01-27 04:48 . 2009-03-02 01:01 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2010-01-20 05:26 . 2009-04-17 19:34 -------- d-----w- c:\documents and settings\Owner\Application Data\Orbit
2010-01-18 18:35 . 2009-06-14 06:51 -------- d-----w- c:\program files\AVS4YOU
2010-01-13 06:48 . 2009-12-27 04:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-10 03:07 . 2005-07-03 17:58 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2010-01-10 00:55 . 2007-07-07 00:59 -------- d-----w- c:\program files\Common Files\Apple
2010-01-10 00:55 . 2005-07-03 18:19 -------- d-----w- c:\program files\iPod
2010-01-10 00:51 . 2010-01-10 00:51 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2010-01-07 23:07 . 2009-12-27 04:19 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 17:14 . 2009-10-06 23:17 -------- d-----w- c:\documents and settings\Owner\Application Data\MailWasherFree
2010-01-03 17:58 . 2009-04-17 19:34 -------- d-----w- c:\program files\Orbitdownloader
2009-12-27 04:33 . 2009-12-27 04:33 -------- d-----w- c:\program files\Jetico
2009-12-27 04:17 . 2008-06-27 19:13 -------- d-----w- c:\documents and settings\Owner\Application Data\Walgreens
2009-12-27 04:17 . 2008-06-27 19:13 -------- d-----w- c:\program files\Common Files\Simple Star Shared
2009-12-27 04:17 . 2008-06-27 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Walgreens
2009-12-27 04:13 . 2008-07-01 00:01 -------- d-----w- c:\program files\Coupons
2009-12-26 19:39 . 2003-04-10 06:52 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-26 15:32 . 2009-12-26 15:31 -------- d-----w- c:\program files\QuickTime
2009-12-10 15:20 . 2009-02-22 21:25 -------- d-----w- c:\program files\Microsoft Silverlight
2009-12-03 23:14 . 2009-12-27 04:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2008-09-03 22:19 . 2008-09-03 22:19 64 ----a-w- c:\program files\recovery.dsk
2008-09-03 22:19 . 2008-09-03 22:19 1203 -c--a-w- c:\program files\recovery.dat
2006-09-02 18:34 . 2006-09-02 18:34 774144 ----a-w- c:\program files\RngInterstitial.dll
2004-08-04 06:56 . 2008-07-10 22:55 561179 ----a-w- c:\program files\Common Files\dao360.dll
2001-09-29 00:00 . 2008-11-11 23:00 164864 ----a-w- c:\program files\UNWISE.EXE
1998-04-27 05:00 . 2008-07-10 22:55 570128 ----a-w- c:\program files\Common Files\DAO350.DLL
2007-12-15 14:52 . 2007-12-15 14:52 214344 ----a-w- c:\program files\mozilla firefox\plugins\atcliun.dll
2007-12-19 18:59 . 2007-12-15 14:51 44360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2007-12-19 18:59 . 2007-12-15 14:51 107928 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2007-12-15 14:51 . 2007-12-15 14:51 98704 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2007-12-15 14:52 . 2007-12-15 14:52 28672 ----a-w- c:\program files\mozilla firefox\plugins\ptexmeet.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\qmgr.dll
[-] 2007-03-29 . CC431E6DEAAD867A583EE5E804EE4CF2 . 409600 . . [6.7.2600.3109] . . c:\windows\system32\qmgr.dll
[-] 2007-03-29 . CC431E6DEAAD867A583EE5E804EE4CF2 . 409600 . . [6.7.2600.3109] . . c:\windows\system32\bits\qmgr.dll
[-] 2007-03-29 . CC431E6DEAAD867A583EE5E804EE4CF2 . 409600 . . [6.7.2600.3109] . . c:\windows\system32\dllcache\qmgr.dll
[-] 2007-03-29 . 65E23953D337574E549B1EF34FE0B1DA . 409600 . . [6.7.2600.3109] . . c:\windows\$hf_mig$\KB923845\SP2QFE\qmgr.dll
[7] 2004-08-04 . 2C69EC7E5A311334D10DD95F338FCCEA . 382464 . . [6.6.2600.2180] . . c:\windows\$NtUninstallKB923845$\qmgr.dll
[7] 2004-08-04 . 2C69EC7E5A311334D10DD95F338FCCEA . 382464 . . [6.6.2600.2180] . . c:\windows\ServicePackFiles\i386\qmgr.dll
[7] 2004-07-01 . 696AC82FB290A03F205901442E0E9589 . 361984 . . [6.6.2600.1569] . . c:\windows\$NtServicePackUninstall$\qmgr.dll
[-] 2002-08-29 . 6A1CF14D0E7D0B2241F552223769C8A7 . 221696 . . [6.2.2600.1106] . . c:\windows\$NtUninstallKB842773$\qmgr.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2010-01-13 323392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-04-01 5562368]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"nwiz"="nwiz.exe" [2005-04-01 1495040]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-03-12 114688]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-10-04 163840]
"CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-22 69632]
"BCWipeTM Startup"="c:\program files\Jetico\BCWipe\BCWipeTM.exe" [2005-01-14 311296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
2003-02-21 10:50 40960 ----a-w- c:\program files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WPN311 Smart Wizard.lnk]
backup=c:\windows\pss\NETGEAR WPN311 Smart Wizard.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Orbit.lnk]
backup=c:\windows\pss\Orbit.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"AutoEx9x"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Fiserv Life Portraits\\FipWebServer.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/23/2008 2:21 PM 716272]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [12/30/2009 11:29 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/30/2009 11:29 AM 20560]
R2 WinFlxCSV;Winflex Service;c:\program files\Common Files\MOO\WinFlx.exe [10/17/2007 8:27 AM 32768]
S3 SWLD23U;Netopia 802.11b WLAN USB Adapter;c:\windows\system32\DRIVERS\SWLD23U.sys --> c:\windows\system32\DRIVERS\SWLD23U.sys [?]
S3 swlubtl;WLAN USB Boot Device;c:\windows\system32\Drivers\swlubtl.sys --> c:\windows\system32\Drivers\swlubtl.sys [?]
S4 BCSWAP;BCSWAP;c:\windows\system32\drivers\BCSwap.sys [8/15/2002 10:09 PM 88080]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-01-23 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2006-12-19 22:53]

2010-01-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\x0v2gtua.default\
FF - component: c:\program files\Orbitdownloader\addons\OneClickYouTubeDownloader\components\GrabXpcom.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\x0v2gtua.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-26 23:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82E811F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf84e3fc3
\Driver\ACPI -> ACPI.sys @ 0xf8341cb8
\Driver\atapi -> 0x82e811f8
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: Realtek RTL8139/810X Family PCI Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf81e3bc3
PacketIndicateHandler -> NDIS.sys @ 0xf81efb21
SendHandler -> NDIS.sys @ 0xf81e3d33
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="REMOVED"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\program files\Softex\OmniPass\opxpgina.dll

- - - - - - - > 'explorer.exe'(28644)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\acs.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Softex\OmniPass\Omniserv.exe
c:\program files\Kyocera\FileUtility\SFUSVC.exe
c:\program files\Kyocera\FileUtility\nsCatCom.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Softex\OmniPass\OPXPApp.exe
.
**************************************************************************
.
Completion time: 2010-01-26 23:16:44 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-27 06:16
ComboFix2.txt 2008-08-07 23:59

Pre-Run: 63,071,092,736 bytes free
Post-Run: 63,248,588,800 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=,1,2,3,4
- - End Of File - - FDCA1AC8E26DA37753EF9C6E3D3B3DB9


#10 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:11:55 AM

Posted 05 February 2010 - 12:13 PM

Hi,

the logs are looking rather good. How is your PC doing?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#11 marc_e

marc_e
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:02:55 AM

Posted 06 February 2010 - 12:21 AM

Computer is running much better. I did have a problem the other night when iexplore.exe was using 100% of my CPU for an extended period of time. I ended the process and everything went back to normal. So I hope that is the end of the problems. Thanks,

Marc

#12 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:11:55 AM

Posted 08 February 2010 - 11:21 AM

Hi,

this is looking rather good. Please run a scan with Malwarebytes next:

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#13 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:11:55 AM

Posted 20 February 2010 - 08:27 AM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!





