Browser has been hijacked


  • This topic is locked
18 replies to this topic

#1 funkyk

funkyk

  • Members
  • 10 posts

Posted 15 February 2010 - 10:37 PM

For about a week now Google gets hijacked to unwanted sites on the first attempt. On the second attempt there is no hijack. At the first sign of trouble I tried to load various anti-malware tools with no luck; I could not access their sites. Fortunately my neighbor operates an ISP, knows a little about computers and was able to get Spybot loaded. We scanned, and Spybot detected a half dozen infections, which were cleaned. Unfortunately the hijackings continue.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 15:31:59.68 on Mon 02/15/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.228 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Common Files\Java\Java Update\jaucheck.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\Owner\MYDOCU~1\DOWNLO~1\dds.scr

============== Pseudo HJT Report ===============

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [EPSON WorkForce 600 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatieka.exe /fu "c:\windows\temp\E_S4F.tmp" /EF "HKCU"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1245261501015
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
TCP: {BB1FAC27-97DD-47C4-B57B-C238531BF630} = 206.63.24.5,206.63.224.5,206.63.24.6
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\gippy1q1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.egriz.com/grizboard/viewforum.php?f=1
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-17 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-17 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-17 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-17 297752]
R3 VAD_DEV;Virtual Audio Service;c:\windows\system32\drivers\vad.sys [2009-6-25 16384]

=============== Created Last 30 ================

2010-02-15 04:34:15 0 d-----w- c:\windows\pss
2010-02-13 21:12:39 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-02-13 21:12:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-02-13 00:14:27 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-02-13 00:14:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-13 00:14:18 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-13 00:14:17 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-13 00:14:17 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-12 17:52:05 74260 ----a-w- c:\windows\unins001.dat
2010-02-12 17:52:05 702297 ----a-w- c:\windows\unins001.exe
2010-02-12 17:31:07 702297 ----a-w- c:\windows\unins000.exe
2010-02-12 17:31:07 22984 ----a-w- c:\windows\unins000.dat
2010-02-12 04:33:37 0 d-----w- c:\program files\SpywareBlaster
2010-01-30 19:59:00 0 d-----w- c:\docume~1\owner\applic~1\iPod2PC3
2010-01-30 19:59:00 0 d-----w- c:\docume~1\owner\applic~1\EurekaLog
2010-01-30 19:58:27 0 d-----w- c:\program files\iPod2PC

==================== Find3M ====================

2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:21:05 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:20:58 81920 ------w- c:\windows\system32\ieencode.dll
2009-12-18 01:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27:51 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:50 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll

============= FINISH: 15:32:52.21 ===============


#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 19 February 2010 - 01:24 PM

Hello,

My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate it if you would let me know so I can close this topic; if you still need help, please let me know what issues you are still having in your next reply.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and
we are trying our best to keep up.


We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
    Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %SYSTEMDRIVE%\*.exe
    netsvcs
    msconfig
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    /md5stop
    CREATERESTOREPOINT

  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized



The first time you run it, it makes the log on your desktop. You may have removed it. In that case run OTL again. Set Extra Registry to "Use Safelist". Set all other sections to none. It will make two logs. We need just Extra.txt, not the one that opens up.

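The DDS log posted above and the OTL log Syler asks for share a one-entry-per-line format. As an added triage script (not a BleepingComputer or OldTimer tool, and not code from this thread), the Python below reads lines in those formats and flags what a helper checks first when a user reports search redirects: URLSearchHooks pointing at missing files, a Firefox keyword.URL that sends address-bar searches elsewhere, EnableLUA = 0, DNS resolvers to verify against the ISP, and non-localhost hosts entries. The sample input is copied from the logs in this thread; the rule names and severities are assumptions of this example, and it makes no claim about what infected this particular machine.

```python
"""Triage helper for DDS / OTL log lines (added example, not a forum tool)."""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed input: lines copied from the DDS and OTL logs posted in this thread.
SAMPLE_LOG = r"""
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mPolicies-system: EnableLUA = 0 (0x0)
TCP: {BB1FAC27-97DD-47C4-B57B-C238531BF630} = 206.63.24.5,206.63.224.5,206.63.24.6
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=
IE - HKU\S-1-5-21-1960408961-484061587-725345543-1003\..\URLSearchHook: *{1C4AB6A5-595F-4e86-B15F-F93CCE2BBD48} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-1960408961-484061587-725345543-1003\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
FF - prefs.js..keyword.URL: "http://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q="
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 192.168.1.1
O1 - Hosts: 127.0.0.1 localhost
"""


@dataclass
class Finding:
    severity: str   # "info" or "review" (severity scale is this example's own)
    rule: str
    detail: str
    line: str


HOOK_RE = re.compile(r"URLSearchHooks?\b", re.I)          # DDS "uURLSearchHooks:" and OTL "URLSearchHook:"
ORPHAN_MARKERS = ("No File", "File not found")
# DDS writes "keyword.URL - hxxp://..." (defanged), OTL writes 'keyword.URL: "http://..."'.
KEYWORD_RE = re.compile(r'keyword\.URL\W+"?(?P<url>h[tx]{2}ps?://\S+?)"?\s*$', re.I)
LUA_RE = re.compile(r"EnableLUA\s*=\s*0\b")
# DDS "TCP: {GUID} = a,b,c" and OTL "DhcpNameServer = a b".
DNS_RE = re.compile(r"(?:NameServer|TCP:\s*\{[^}]+\})\s*=\s*(?P<ips>[\d.,\s]+)$")
HOSTS_RE = re.compile(r"Hosts:\s*(?P<ip>\S+)\s+(?P<name>\S+)")
LOCALHOST = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log entry that a helper should look at."""
    findings: list[Finding] = []
    seen_dns: set[str] = set()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # A search hook whose DLL is gone is a leftover from a removed toolbar or malware.
        if HOOK_RE.search(line) and any(m in line for m in ORPHAN_MARKERS):
            findings.append(Finding("review", "orphan-searchhook",
                                    "URLSearchHook points at a missing file; remove the hook", line))
            continue
        m = KEYWORD_RE.search(line)
        if m:
            url = m.group("url").replace("hxxp", "http", 1)   # undo DDS defanging
            host = urlsplit(url).hostname or "?"
            findings.append(Finding("review", "keyword-url",
                                    f"address-bar searches go to {host}; confirm the user chose this", line))
            continue
        if LUA_RE.search(line):
            findings.append(Finding("info", "uac-off",
                                    "EnableLUA = 0 (UAC policy off; no effect on XP, notable on Vista+)", line))
            continue
        m = DNS_RE.search(line)
        if m:
            for ip in re.split(r"[,\s]+", m.group("ips").strip()):
                if not ip or ip in seen_dns:
                    continue
                seen_dns.add(ip)
                private = ipaddress.ip_address(ip).is_private
                where = "on the LAN (router)" if private else "public; verify it belongs to the ISP"
                findings.append(Finding("info" if private else "review", "dns-server",
                                        f"resolver {ip} is {where}", line))
            continue
        m = HOSTS_RE.search(line)
        if m and (m.group("ip"), m.group("name")) not in LOCALHOST:
            findings.append(Finding("review", "hosts-entry",
                                    f"hosts file maps {m.group('name')} to {m.group('ip')}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.rule:18} {f.detail}")
```

Feed it a whole saved DDS or OTL log instead of SAMPLE_LOG; entries it does not recognise are simply skipped.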


#3 funkyk

funkyk
  • Topic Starter

  • Members
  • 10 posts

Posted 19 February 2010 - 02:04 PM

Hello Syler, thanks for the timely response.

Yes, my problem with the browser hijacking continues. Other than the continuous hijacking, the system operates and performs as expected. Below you will find the reports that you requested.



OTL logfile created on: 2/19/2010 10:34:04 AM - Run 1
OTL by OldTimer - Version 3.1.30.1 Folder = C:\Documents and Settings\Owner\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

766.00 Mb Total Physical Memory | 199.00 Mb Available Physical Memory | 26.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 73.00% Paging File free
Paging file location(s): C:\pagefile.sys 1152 2304 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29.29 Gb Total Space | 19.08 Gb Free Space | 65.15% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive P: | 268.80 Gb Total Space | 263.49 Gb Free Space | 98.02% Space Free | Partition Type: NTFS

Computer Name: KEN
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/02/19 10:30:08 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\My Documents\Downloads\OTL.exe
PRC - [2010/02/18 06:00:53 | 000,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/01/11 15:21:52 | 000,246,504 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jusched.exe
PRC - [2009/12/17 17:14:11 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/12/11 08:49:25 | 002,043,160 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2009/08/16 08:38:48 | 000,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/08/16 08:38:40 | 000,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2009/08/16 08:38:22 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/04/13 16:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/02/19 16:05:24 | 000,591,696 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Epson Software\Event Manager\EEventManager.exe
PRC - [2007/10/18 19:10:42 | 000,479,232 | ---- | M] (Nikon Corporation) -- C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
PRC - [2007/01/31 13:55:42 | 000,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2005/06/21 15:44:34 | 000,126,976 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2002/04/10 15:44:04 | 000,679,936 | ---- | M] (Roxio) -- C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe


========== Modules (SafeList) ==========

MOD - [2010/02/19 10:30:08 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\My Documents\Downloads\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (Nero BackItUp Scheduler 4.0)
SRV - [2009/12/17 17:14:11 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/08/16 08:38:22 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2007/01/31 13:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2005/04/03 23:41:10 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2003/07/28 11:28:22 | 000,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Driver Services (SafeList) ==========

DRV - [2009/08/16 08:38:47 | 000,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/08/16 08:38:47 | 000,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/06/21 21:23:10 | 000,059,440 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2009/06/21 21:23:10 | 000,023,724 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2009/06/17 10:38:01 | 000,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2008/09/25 16:24:16 | 000,016,384 | ---- | M] (Windows ® DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\vad.sys -- (VAD_DEV)
DRV - [2008/04/13 08:39:15 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2005/06/21 16:12:34 | 000,807,998 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm)
DRV - [2004/08/03 21:41:55 | 000,011,868 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV - [2004/08/03 21:41:54 | 001,041,536 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hsfdpsp2.sys -- (HSF_DP)
DRV - [2004/08/03 21:41:48 | 000,685,056 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hsfcxts2.sys -- (winachsf)
DRV - [2004/08/03 21:41:46 | 000,220,032 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hsfbs2s2.sys -- (HSFHWBS2)
DRV - [2002/09/10 08:45:50 | 000,041,728 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2002/09/03 08:53:10 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2002/08/05 08:23:58 | 000,545,208 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm)
DRV - [2002/06/21 10:45:58 | 000,069,792 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ialmkchw.sys -- ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91}) Intel® Graphics Chipset (KCH)
DRV - [2002/06/21 10:45:48 | 000,090,784 | ---- | M] (Intel Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\ialmsbw.sys -- ({6080A529-897E-4629-A488-ABA0C29B635E}) Intel® Graphics Platform (SoftBIOS)
DRV - [2002/04/10 16:01:12 | 000,024,554 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Dvd_2k.sys -- (dvd_2K)
DRV - [2002/04/10 16:01:00 | 000,029,638 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Mmc_2k.sys -- (mmc_2K)
DRV - [2002/04/10 16:00:44 | 000,117,898 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\pwd_2K.sys -- (pwd_2k)
DRV - [2002/04/10 15:48:04 | 000,236,032 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\cdudf_xp.sys -- (cdudf_xp)
DRV - [2002/04/10 15:45:16 | 000,206,336 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\udfreadr_xp.sys -- (UdfReadr_xp)
DRV - [2002/04/01 12:15:00 | 000,004,816 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (aeaudio)
DRV - [2001/08/22 07:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)
DRV - [2001/08/17 05:28:12 | 000,488,383 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_V124.sys -- (V124)
DRV - [2001/08/17 05:28:12 | 000,050,751 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_TONE.sys -- (Tones)
DRV - [2001/08/17 05:28:10 | 000,542,879 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_MSFT.sys -- (hsf_msft)
DRV - [2001/08/17 05:28:10 | 000,057,471 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_SAMP.sys -- (Rksample)
DRV - [2001/08/17 05:28:08 | 000,391,199 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_K56K.sys -- (K56)
DRV - [2001/08/17 05:28:06 | 000,289,887 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_FALL.sys -- (Fallback)
DRV - [2001/08/17 05:28:06 | 000,199,711 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_FAXX.sys -- (SoftFax)
DRV - [2001/08/17 05:28:06 | 000,115,807 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_FSKS.sys -- (Fsks)
DRV - [2001/08/17 05:28:04 | 000,067,167 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_BSC2.sys -- (basic2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1960408961-484061587-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-1960408961-484061587-725345543-1003\..\URLSearchHook: *{1C4AB6A5-595F-4e86-B15F-F93CCE2BBD48} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-1960408961-484061587-725345543-1003\..\URLSearchHook: *{C94E154B-1459-4A47-966B-4B843BEFC7DB} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-1960408961-484061587-725345543-1003\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-1960408961-484061587-725345543-1003\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-21-1960408961-484061587-725345543-1003\S-1-5-21-1960408961-484061587-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "bing.com"
FF - prefs.js..browser.search.order.1: "Ask"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.egriz.com/grizboard/viewforum.php?f=1"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..keyword.URL: "http://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q="

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/18 06:00:57 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/18 06:00:57 | 000,000,000 | ---D | M]

[2009/06/17 10:44:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2009/12/28 08:49:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\gippy1q1.default\extensions
[2009/08/27 19:30:35 | 000,000,681 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\gippy1q1.default\searchplugins\ask.xml
[2009/10/01 18:55:52 | 000,002,172 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\gippy1q1.default\searchplugins\bing.xml
[2010/02/16 18:45:36 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/11/04 12:36:41 | 000,003,803 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\MyHeritage.xml

O1 HOSTS File: ([2002/09/03 08:34:19 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O3 - HKU\S-1-5-21-1960408961-484061587-725345543-1003\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe (Roxio)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [EEventManager] C:\Program Files\Epson Software\Event Manager\EEventManager.exe (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKU\S-1-5-21-1960408961-484061587-725345543-1003..\Run: [EPSON WorkForce 600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEKA.EXE (SEIKO EPSON CORPORATION)
O4 - HKU\S-1-5-21-1960408961-484061587-725345543-1003..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe (Nikon Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1960408961-484061587-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-1960408961-484061587-725345543-1003\..Trusted Domains: ([]msn in My Computer)
O15 - HKU\S-1-5-21-1960408961-484061587-725345543-1003\..Trusted Domains: 25 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {32505657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/0/A...01F/wmvadvd.cab (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1245261501015 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 192.168.1.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/17 08:28:27 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/06/17 08:28:08 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found


CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16891891626803200)

========== Files/Folders - Created Within 30 Days ==========

[2010/02/15 16:38:29 | 000,000,000 | ---D | C] -- C:\Program Files\Cobian Backup 8
[2010/02/14 20:34:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/02/13 13:12:39 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/02/13 13:12:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/02/12 16:14:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2010/02/12 16:14:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/02/12 16:14:17 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/02/12 09:52:05 | 000,702,297 | ---- | C] (PC Tools) -- C:\WINDOWS\unins001.exe
[2010/02/12 09:31:07 | 000,702,297 | ---- | C] (PC Tools) -- C:\WINDOWS\unins000.exe
[2010/02/11 20:34:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/02/11 20:33:37 | 000,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2010/01/30 11:59:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\iPod2PC3
[2010/01/30 11:59:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\EurekaLog
[2010/01/30 11:58:27 | 000,000,000 | ---D | C] -- C:\Program Files\iPod2PC
[2010/01/26 21:43:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/01/26 21:43:17 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/01/26 21:42:57 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/01/26 21:42:57 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/01/26 21:42:57 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/01/21 00:43:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/01/14 11:35:56 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/06/17 10:36:00 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/06/17 10:22:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/02/19 10:31:43 | 000,000,743 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to OTL.lnk
[2010/02/19 06:28:45 | 055,899,862 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/02/19 06:26:16 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/19 06:26:11 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/19 00:01:34 | 003,932,160 | -H-- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT
[2010/02/19 00:01:34 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/02/19 00:01:26 | 004,838,984 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2010/02/18 07:02:54 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/02/15 16:37:22 | 000,000,774 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to cbSetup8.lnk
[2010/02/15 15:57:26 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\defogger_reenable
[2010/02/15 15:56:41 | 000,000,774 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to Defogger.lnk
[2010/02/15 15:41:42 | 000,000,775 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to gmer.lnk
[2010/02/15 15:31:04 | 000,000,743 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to dds.lnk
[2010/02/14 21:38:38 | 000,000,774 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to ComboFix.lnk
[2010/02/14 21:19:10 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/13 13:12:56 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Spybot - Search & Destroy.lnk
[2010/02/12 16:15:32 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Microsoft Office Outlook 2003.lnk
[2010/02/12 09:56:59 | 000,074,260 | ---- | M] () -- C:\WINDOWS\unins001.dat
[2010/02/12 09:56:46 | 000,702,297 | ---- | M] (PC Tools) -- C:\WINDOWS\unins001.exe
[2010/02/12 09:44:49 | 000,022,984 | ---- | M] () -- C:\WINDOWS\unins000.dat
[2010/02/12 09:44:43 | 000,702,297 | ---- | M] (PC Tools) -- C:\WINDOWS\unins000.exe
[2010/02/12 09:38:51 | 000,000,690 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\SpywareBlaster.lnk
[2010/02/11 05:51:15 | 000,022,016 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Feb 2 Mina.doc
[2010/02/10 22:44:47 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/01/30 11:58:34 | 000,001,528 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\iPod2PC.lnk
[2010/01/30 11:05:54 | 000,000,039 | ---- | M] () -- C:\WINDOWS\Irremote.ini
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/02/19 10:31:43 | 000,000,743 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to OTL.lnk
[2010/02/15 16:37:22 | 000,000,774 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to cbSetup8.lnk
[2010/02/15 15:57:26 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\defogger_reenable
[2010/02/15 15:56:41 | 000,000,774 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to Defogger.lnk
[2010/02/15 15:41:42 | 000,000,775 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to gmer.lnk
[2010/02/15 15:31:04 | 000,000,743 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to dds.lnk
[2010/02/14 21:38:38 | 000,000,774 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to ComboFix.lnk
[2010/02/13 13:12:56 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Spybot - Search & Destroy.lnk
[2010/02/12 09:52:05 | 000,074,260 | ---- | C] () -- C:\WINDOWS\unins001.dat
[2010/02/12 09:31:07 | 000,022,984 | ---- | C] () -- C:\WINDOWS\unins000.dat
[2010/02/11 20:33:44 | 000,000,690 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\SpywareBlaster.lnk
[2010/02/11 05:51:14 | 000,022,016 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Feb 2 Mina.doc
[2010/01/30 11:58:34 | 000,001,528 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\iPod2PC.lnk
[2009/10/30 21:58:25 | 006,963,712 | ---- | C] () -- C:\WINDOWS\System32\videotrans.dll
[2009/10/30 21:58:25 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\viscomgifenc.dll
[2009/10/30 21:58:25 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\viscomtran.dll
[2009/10/30 21:58:24 | 000,452,608 | ---- | C] () -- C:\WINDOWS\System32\videoformat.dll
[2009/10/30 21:58:24 | 000,323,584 | ---- | C] () -- C:\WINDOWS\System32\FoxImager.dll
[2009/10/30 21:58:24 | 000,262,144 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2009/10/30 21:58:24 | 000,154,624 | ---- | C] () -- C:\WINDOWS\System32\imgscaler.dll
[2009/10/30 21:58:24 | 000,028,160 | ---- | C] () -- C:\WINDOWS\System32\img_utils.dll
[2009/10/30 21:58:24 | 000,019,456 | ---- | C] () -- C:\WINDOWS\System32\videocore.dll
[2009/07/30 19:57:45 | 000,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI
[2009/06/21 22:45:15 | 000,000,039 | ---- | C] () -- C:\WINDOWS\Irremote.ini
[2009/06/19 09:34:37 | 000,000,204 | ---- | C] () -- C:\WINDOWS\ViewNX.INI
[2009/06/18 11:33:32 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/06/18 10:40:57 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\String Ensemble
[2009/06/18 10:40:57 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\Owner\Application Data\Static Library
[2009/06/18 10:40:57 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdw.DAT
[2009/06/18 10:37:42 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\Stingers
[2009/06/18 10:37:42 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\Owner\Application Data\Standard Tool
[2009/06/18 10:37:41 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
[2009/06/18 08:30:10 | 000,000,070 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\FASTWiz.log
[2009/06/17 23:08:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\EEventManager.INI
[2009/06/17 11:48:25 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2009/06/17 11:47:26 | 000,000,079 | ---- | C] () -- C:\WINDOWS\EPWF600.ini
[2009/06/17 09:39:09 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/06/17 09:03:12 | 000,266,240 | ---- | C] () -- C:\WINDOWS\System32\shpshftr.dll
[2009/06/17 09:02:50 | 000,009,785 | ---- | C] () -- C:\WINDOWS\System32\drivers\a312.sys
[2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[3 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2009/06/17 10:13:43 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/06/17 11:12:42 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2009/06/17 10:13:43 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2009/06/17 11:12:42 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 10:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 10:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/03 22:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2002/09/03 09:04:09 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2009/06/17 10:13:43 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/06/17 11:12:42 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2009/06/17 10:13:43 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2009/06/17 11:12:42 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 10:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2004/08/03 21:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2008/04/13 10:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 16:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 16:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/03 23:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 16:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 16:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/03 23:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/03 23:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 16:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 16:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >


OTL Extras logfile created on: 2/19/2010 10:34:04 AM - Run 1
OTL by OldTimer - Version 3.1.30.1 Folder = C:\Documents and Settings\Owner\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

766.00 Mb Total Physical Memory | 199.00 Mb Available Physical Memory | 26.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 73.00% Paging File free
Paging file location(s): C:\pagefile.sys 1152 2304 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29.29 Gb Total Space | 19.08 Gb Free Space | 65.15% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive P: | 268.80 Gb Total Space | 263.49 Gb Free Space | 98.02% Space Free | Partition Type: NTFS

Computer Name: KEN
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1960408961-484061587-725345543-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG8\avgnsx.exe" = C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support
"{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java™ 6 Update 18
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{468190DA-FB4C-45BA-8E40-4B165FF1A939}" = BACS
"{48F22622-1CC2-4A83-9C1E-644DD96F832D}" = Epson Event Manager
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{52504CE6-E909-4113-B232-4AFEC6543A61}" = B44Inst
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{609F7AC8-C510-11D4-A788-009027ABA5D0}" = Easy CD Creator 5 Basic
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{73568F76-7A37-9DB4-73B1-11DCF1A2FC52}" = FOX News Live
"{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{87441A59-5E64-4096-A170-14EFE67200C3}" = Picture Control Utility
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A8F2089B-1F79-4BF6-B385-A2C2B0B9A74D}" = ImagXpress
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.1
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BD01E97F-2A6A-495E-BE38-22C7B80F3CD7}" = Cheetah DVD Burner
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}" = Nikon Message Center
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{E9757890-7EC5-46C8-99AB-B00F07B6525C}" = Nikon Transfer
"{F007CBCE-D714-4C0B-8CE9-9B0D78116468}" = ViewNX
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AVG8Uninstall" = AVG Free 8.5
"CAL" = Canon Camera Access Library
"CameraWindowDC" = Canon Utilities CameraWindow DC
"CameraWindowDVC5" = Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"CobBackup8" = Cobian Backup 8
"CSCLIB" = Canon Camera Support Core Library
"EOS Utility" = Canon Utilities EOS Utility
"EPSON Scanner" = EPSON Scan
"EPSON WorkForce 600 Series" = EPSON WorkForce 600 Series Printer Uninstall
"InstallShield_{468190DA-FB4C-45BA-8E40-4B165FF1A939}" = Broadcom Advanced Control Suite
"InstallShield_{52504CE6-E909-4113-B232-4AFEC6543A61}" = Broadcom 440x Driver Installer
"iPod2PC_is1" = iPod2PC 3.9.4
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"Mozilla Firefox (3.5.8)" = Mozilla Firefox (3.5.8)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MyCamera" = Canon Utilities MyCamera
"MyCameraDC" = Canon Utilities MyCamera DC
"PhotoStitch" = Canon Utilities PhotoStitch
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"SpywareBlaster_is1" = SpywareBlaster 4.2
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wondershare PPT2DVD Lite_is1" = Wondershare PPT2DVD Lite 5.1.5.219
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/12/2010 11:59:09 AM | Computer Name = KEN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/12/2010 11:59:10 AM | Computer Name = KEN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/12/2010 1:00:15 PM | Computer Name = KEN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 2/12/2010 1:00:15 PM | Computer Name = KEN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/12/2010 1:12:56 PM | Computer Name = KEN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/12/2010 1:12:56 PM | Computer Name = KEN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/12/2010 1:58:51 PM | Computer Name = KEN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 2/12/2010 2:02:51 PM | Computer Name = KEN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 2/15/2010 3:04:33 PM | Computer Name = KEN | Source = Application Error | ID = 1000
Description = Faulting application teatimer.exe, version 1.6.6.32, faulting module
teatimer.exe, version 1.6.6.32, fault address 0x0006e66e.

Error - 2/15/2010 7:51:12 PM | Computer Name = KEN | Source = Application Error | ID = 1000
Description = Faulting application gmer.exe, version 1.0.15.15281, faulting module
gmer.exe, version 1.0.15.15281, fault address 0x0000c4b1.

[ System Events ]
Error - 12/7/2009 2:08:35 PM | Computer Name = KEN | Source = Dhcp | ID = 1002
Description = The IP address lease 98.247.5.119 for the Network Card with network
address 000874BAEAFE has been denied by the DHCP server 0.0.0.0 (The DHCP Server
sent a DHCPNACK message).

Error - 12/8/2009 2:18:10 PM | Computer Name = KEN | Source = Dhcp | ID = 1002
Description = The IP address lease 98.247.5.119 for the Network Card with network
address 000874BAEAFE has been denied by the DHCP server 0.0.0.0 (The DHCP Server
sent a DHCPNACK message).

Error - 12/8/2009 2:18:58 PM | Computer Name = KEN | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.100.10
on the Network Card with network address 000874BAEAFE.

Error - 12/8/2009 2:20:45 PM | Computer Name = KEN | Source = Dhcp | ID = 1002
Description = The IP address lease 98.247.5.119 for the Network Card with network
address 000874BAEAFE has been denied by the DHCP server 0.0.0.0 (The DHCP Server
sent a DHCPNACK message).

Error - 12/8/2009 2:21:33 PM | Computer Name = KEN | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.100.10
on the Network Card with network address 000874BAEAFE.

Error - 12/9/2009 1:56:01 AM | Computer Name = KEN | Source = Dhcp | ID = 1002
Description = The IP address lease 98.247.5.119 for the Network Card with network
address 000874BAEAFE has been denied by the DHCP server 0.0.0.0 (The DHCP Server
sent a DHCPNACK message).

Error - 12/9/2009 1:57:38 AM | Computer Name = KEN | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.100.10
on the Network Card with network address 000874BAEAFE.

Error - 12/9/2009 2:15:01 AM | Computer Name = KEN | Source = Dhcp | ID = 1002
Description = The IP address lease 98.247.5.119 for the Network Card with network
address 000874BAEAFE has been denied by the DHCP server 0.0.0.0 (The DHCP Server
sent a DHCPNACK message).

Error - 12/9/2009 2:15:33 AM | Computer Name = KEN | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.100.10
on the Network Card with network address 000874BAEAFE.


< End of report >


#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:32 AM

Posted 19 February 2010 - 04:44 PM

Hi funkyk,

Before you do any of the next steps you need to temporarily disable the TeaTimer protection in Spybot, as it may
stop the tools we use from doing their job. Please keep it disabled whilst I am helping you; then you can enable it again
when you're clean.

To disable TeaTimer, open Spybot and click on the Mode tab and select Advanced mode.
It will ask you if you're sure you want to go into advanced mode; select yes.
Now go to tools and click on the resident tab.
Uncheck the box that says "Resident "TeaTimer" (Protection of over-all system settings) active".
Then close Spybot and reboot your computer.


  • Go to Kaspersky and Download TDSSKiller.zip.
  • Extract the contents of TDSSKiller.zip to your Desktop.
  • Click Start >> Run then copy and paste the following bold command line into the Run box and click OK.
"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  • Follow the instructions to type in "delete" when it asks you what to do when it finds something.
  • When done, a log file should be created on your C: drive called TDSSKiller.txt. Please post this log in your next reply.



Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    CODE
    :OTL
    IE - HKU\S-1-5-21-1960408961-484061587-725345543-1003\..\URLSearchHook: *{1C4AB6A5-595F-4e86-B15F-F93CCE2BBD48} - Reg Error: Key error. File not found
    IE - HKU\S-1-5-21-1960408961-484061587-725345543-1003\..\URLSearchHook: *{C94E154B-1459-4A47-966B-4B843BEFC7DB} - Reg Error: Key error. File not found
    IE - HKU\S-1-5-21-1960408961-484061587-725345543-1003\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found
    O16 - DPF: {32505657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/0/A...01F/wmvadvd.cab (Reg Error: Key error.)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
    @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
    @Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
    @Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
    [2010/02/14 21:38:38 | 000,000,774 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to ComboFix.lnk
    :Commands
    [purity]
    [emptytemp]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run OTL again and post a new OTL log.


Then please post back here with the following logs:
  • TDSSKiller.txt
  • OTL results
  • New OTL log

Thanks

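An added example, not part of Syler's post and not Kaspersky's own code: a small Python triage script for the TDSSKiller.txt log requested above, written from the helper's side of the thread. The sample lines are constructed in the shape of TDSSKiller 2.2.4 output (a clean disk.sys, then an atapi.sys whose IRP dispatch table is hooked), including the tool's habit of printing a second timestamped record on the same line after "...". The names `split_records`, `Triage`, `triage` and `report` are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of a TDSSKiller 2.2.4 log (not the thread's own
# file): a clean disk.sys, then an atapi.sys whose IRP dispatch table has been hooked.
SAMPLE_LOG = """\
15:46:05:734 1500 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\Disk, Driver Name: Disk
15:46:05:765 1500 TDL3_FileDetect: C:\\WINDOWS\\system32\\DRIVERS\\disk.sys - Verdict: Clean
15:46:05:781 1500 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\atapi, Driver Name: atapi
15:46:05:796 1500 DetectCureTDL3: All IRP handlers pointed to one addr: F74D5B3A
15:46:05:796 1500 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
15:46:05:796 1500 Driver "atapi" Irp handler infected by TDSS rootkit ... 15:46:05:796 1500 KLMD_WriteMem: Trying to WriteMemory 0x82F3594E[0xD]
15:46:05:796 1500 cured
15:46:05:796 1500 TDL3_FileDetect: C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys - Verdict: Infected
15:46:07:343 1500 will be cured on next reboot
15:46:07:343 1500 UtilityBootReinit: Reboot required for cure complete..
15:46:07:343 1500 Memory objects infected / cured / cured on reboot: 1 / 1 / 0
15:46:07:343 1500 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
15:46:07:343 1500 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

# Every record starts with "HH:MM:SS:mmm <pid> "; the tool sometimes prints a
# second record on the same line after "...", so we split on the stamp, not on newlines.
STAMP = re.compile(r"\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s+")
VERDICT = re.compile(r"TDL3_FileDetect: (?P<path>.+?) - Verdict: (?P<verdict>\w+)")
ONE_ADDR = re.compile(r"All IRP handlers pointed to one addr: (?P<addr>[0-9A-Fa-f]+)")
IRP_HOOK = re.compile(r'Driver "(?P<driver>[^"]+)" Irp handler infected by')
SUMMARY = re.compile(
    r"(?P<kind>Memory|Registry|File) objects infected / cured / cured on reboot: "
    r"(?P<inf>\d+) / (?P<cured>\d+) / (?P<reboot>\d+)"
)
REBOOT_MARKERS = ("Reboot required for cure", "will be cured on next reboot")


def split_records(text):
    """Yield each log message without its timestamp/PID prefix, un-fusing joined lines."""
    for line in text.splitlines():
        for piece in STAMP.split(line):
            piece = piece.strip()
            if piece:
                yield piece


@dataclass
class Triage:
    verdicts: dict = field(default_factory=dict)              # driver file -> Clean/Infected
    hooked_drivers: list = field(default_factory=list)        # drivers with a confirmed IRP hook
    single_handler_addrs: list = field(default_factory=list)  # a lead only, see comment below
    reboot_required: bool = False
    summary: dict = field(default_factory=dict)               # kind -> (infected, cured, on reboot)

    @property
    def infected(self):
        return bool(self.hooked_drivers) or "Infected" in self.verdicts.values()


def triage(text):
    """Reduce a TDSSKiller log to the facts a helper needs before the next step."""
    t = Triage()
    for msg in split_records(text):
        if m := VERDICT.search(msg):
            t.verdicts[m["path"]] = m["verdict"]
        elif m := ONE_ADDR.search(msg):
            # Every IRP_MJ_* slot pointing at one address is only a lead: some legitimate
            # drivers use a single dispatch routine. The tool confirms by matching the
            # TDL3 stub and then prints the "Irp handler infected" line handled below.
            t.single_handler_addrs.append(m["addr"].upper())
        elif m := IRP_HOOK.search(msg):
            t.hooked_drivers.append(m["driver"])
        elif m := SUMMARY.search(msg):
            t.summary[m["kind"]] = (int(m["inf"]), int(m["cured"]), int(m["reboot"]))
        elif any(marker in msg for marker in REBOOT_MARKERS):
            t.reboot_required = True
    return t


def report(t):
    """Human-readable lines a helper could paste back into the thread."""
    lines = [f"status: {'INFECTED' if t.infected else 'clean'}"]
    lines += [f"IRP hook confirmed in driver: {d}" for d in t.hooked_drivers]
    lines += [f"{p}: {v}" for p, v in sorted(t.verdicts.items())]
    for kind, (inf, cured, reboot) in t.summary.items():
        lines.append(f"{kind} objects: {inf} infected, {cured} cured, {reboot} pending reboot")
    if t.reboot_required:
        lines.append("reboot required: a file cure is scheduled for next boot, rescan afterwards")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

The point of the `reboot_required` flag is that a "File objects ... cured on reboot: 1" result means the infected driver file is still on disk until the scheduled boot-time replacement runs, so a clean verdict only counts after a rescan of the rebooted machine.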


#5 funkyk
  • Topic Starter
  • Members
  • 10 posts

Posted 19 February 2010 - 07:47 PM

Syler, I have run the programs and scans you have requested. The TDSSKiller did not run as you described. When opened it ran automatically and did not allow me to paste any commands into the Run box. Also, after the reboot from the OTL Run Fix, I got a blue screen and could only restart from a time and condition previous to the changes that were made.
At any rate I have attached the files you have requested.

15:46:05:328 1500 TDSS rootkit removing tool 2.2.4 Feb 15 2010 19:38:31
15:46:05:328 1500 ================================================================================
15:46:05:328 1500 SystemInfo:

15:46:05:328 1500 OS Version: 5.1.2600 ServicePack: 3.0
15:46:05:328 1500 Product type: Workstation
15:46:05:328 1500 ComputerName: KEN
15:46:05:328 1500 UserName: Owner
15:46:05:328 1500 Windows directory: C:\WINDOWS
15:46:05:328 1500 Processor architecture: Intel x86
15:46:05:328 1500 Number of processors: 1
15:46:05:328 1500 Page size: 0x1000
15:46:05:328 1500 Boot type: Normal boot
15:46:05:328 1500 ================================================================================
15:46:05:343 1500 UnloadDriverW: NtUnloadDriver error 2
15:46:05:343 1500 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
15:46:05:343 1500 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
15:46:05:375 1500 UtilityInit: KLMD drop and load success
15:46:05:375 1500 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
15:46:05:375 1500 UtilityInit: KLMD open success
15:46:05:375 1500 UtilityInit: Initialize success
15:46:05:375 1500
15:46:05:375 1500 Scanning Services ...
15:46:05:375 1500 CreateRegParser: Registry parser init started
15:46:05:375 1500 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
15:46:05:375 1500 CreateRegParser: DisableWow64Redirection error
15:46:05:375 1500 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
15:46:05:390 1500 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
15:46:05:390 1500 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:46:05:390 1500 wfopen_ex: Trying to KLMD file open
15:46:05:390 1500 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
15:46:05:390 1500 wfopen_ex: File opened ok (Flags 2)
15:46:05:390 1500 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 3848E8
15:46:05:390 1500 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
15:46:05:390 1500 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
15:46:05:390 1500 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:46:05:390 1500 wfopen_ex: Trying to KLMD file open
15:46:05:390 1500 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
15:46:05:390 1500 wfopen_ex: File opened ok (Flags 2)
15:46:05:390 1500 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 384990
15:46:05:390 1500 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
15:46:05:390 1500 CreateRegParser: EnableWow64Redirection error
15:46:05:390 1500 CreateRegParser: RegParser init completed
15:46:05:734 1500 GetAdvancedServicesInfo: Raw services enum returned 327 services
15:46:05:734 1500 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
15:46:05:734 1500 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
15:46:05:734 1500
15:46:05:734 1500 Scanning Kernel memory ...
15:46:05:734 1500 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
15:46:05:734 1500 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 82F92A08
15:46:05:734 1500 DetectCureTDL3: KLMD_GetDeviceObjectList returned 5 DevObjects
15:46:05:734 1500
15:46:05:734 1500 DetectCureTDL3: DEVICE_OBJECT: 82D49C68
15:46:05:734 1500 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82D49C68
15:46:05:734 1500 KLMD_ReadMem: Trying to ReadMemory 0x82D49C68[0x38]
15:46:05:734 1500 DetectCureTDL3: DRIVER_OBJECT: 82F92A08
15:46:05:734 1500 KLMD_ReadMem: Trying to ReadMemory 0x82F92A08[0xA8]
15:46:05:734 1500 KLMD_ReadMem: Trying to ReadMemory 0xE1022950[0x18]
15:46:05:734 1500 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
15:46:05:734 1500 DetectCureTDL3: IRP_MJ_CREATE : F75A9BB0
15:46:05:734 1500 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
15:46:05:734 1500 DetectCureTDL3: IRP_MJ_CLOSE : F75A9BB0
15:46:05:734 1500 DetectCureTDL3: IRP_MJ_READ : F75A3D1F
15:46:05:734 1500 DetectCureTDL3: IRP_MJ_WRITE : F75A3D1F
15:46:05:734 1500 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804FA88E
15:46:05:734 1500 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804FA88E
15:46:05:734 1500 DetectCureTDL3: IRP_MJ_QUERY_EA : 804FA88E
15:46:05:734 1500 DetectCureTDL3: IRP_MJ_SET_EA : 804FA88E
15:46:05:734 1500 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F75A42E2
15:46:05:734 1500 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
15:46:05:734 1500 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
15:46:05:734 1500 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804FA88E
15:46:05:734 1500 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
15:46:05:734 1500 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F75A43BB
15:46:05:734 1500 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F75A7F28
15:46:05:734 1500 DetectCureTDL3: IRP_MJ_SHUTDOWN : F75A42E2
15:46:05:734 1500 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804FA88E
15:46:05:734 1500 DetectCureTDL3: IRP_MJ_CLEANUP : 804FA88E
15:46:05:734 1500 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804FA88E
15:46:05:734 1500 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804FA88E
15:46:05:734 1500 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804FA88E
15:46:05:734 1500 DetectCureTDL3: IRP_MJ_POWER : F75A5C82
15:46:05:734 1500 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F75AA99E
15:46:05:734 1500 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804FA88E
15:46:05:734 1500 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804FA88E
15:46:05:734 1500 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804FA88E
15:46:05:734 1500 TDL3_FileDetect: Processing driver: Disk
15:46:05:734 1500 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
15:46:05:734 1500 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
15:46:05:750 1500 TDL3_FileDetect: Processing driver: Disk
15:46:05:750 1500 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
15:46:05:750 1500 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
15:46:05:765 1500 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
15:46:05:765 1500
15:46:05:765 1500 DetectCureTDL3: DEVICE_OBJECT: 82E44030
15:46:05:765 1500 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82E44030
15:46:05:765 1500 DetectCureTDL3: DEVICE_OBJECT: 82DA6B40
15:46:05:765 1500 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82DA6B40
15:46:05:765 1500 KLMD_ReadMem: Trying to ReadMemory 0x82DA6B40[0x38]
15:46:05:765 1500 DetectCureTDL3: DRIVER_OBJECT: 82E1F658
15:46:05:765 1500 KLMD_ReadMem: Trying to ReadMemory 0x82E1F658[0xA8]
15:46:05:765 1500 KLMD_ReadMem: Trying to ReadMemory 0xE19C2200[0x1E]
15:46:05:765 1500 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_CREATE : F7950218
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_CLOSE : F7950218
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_READ : F795023C
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_WRITE : F795023C
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804FA88E
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804FA88E
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_QUERY_EA : 804FA88E
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_SET_EA : 804FA88E
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : 804FA88E
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804FA88E
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F7950180
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F794B9E6
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_SHUTDOWN : 804FA88E
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804FA88E
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_CLEANUP : 804FA88E
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804FA88E
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804FA88E
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804FA88E
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_POWER : F794F5F0
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F794DA6E
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804FA88E
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804FA88E
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804FA88E
15:46:05:765 1500 TDL3_FileDetect: Processing driver: usbstor
15:46:05:765 1500 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
15:46:05:765 1500 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
15:46:05:765 1500 KLMD_ReadMem: Trying to ReadMemory 0xF794CF26[0x400]
15:46:05:765 1500 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
15:46:05:765 1500 TDL3_FileDetect: Processing driver: usbstor
15:46:05:765 1500 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
15:46:05:765 1500 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
15:46:05:765 1500 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
15:46:05:765 1500
15:46:05:765 1500 DetectCureTDL3: DEVICE_OBJECT: 82F4DC68
15:46:05:765 1500 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82F4DC68
15:46:05:765 1500 KLMD_ReadMem: Trying to ReadMemory 0x82F4DC68[0x38]
15:46:05:765 1500 DetectCureTDL3: DRIVER_OBJECT: 82F92A08
15:46:05:765 1500 KLMD_ReadMem: Trying to ReadMemory 0x82F92A08[0xA8]
15:46:05:765 1500 KLMD_ReadMem: Trying to ReadMemory 0xE1022950[0x18]
15:46:05:765 1500 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_CREATE : F75A9BB0
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_CLOSE : F75A9BB0
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_READ : F75A3D1F
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_WRITE : F75A3D1F
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804FA88E
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804FA88E
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_QUERY_EA : 804FA88E
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_SET_EA : 804FA88E
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F75A42E2
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804FA88E
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F75A43BB
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F75A7F28
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_SHUTDOWN : F75A42E2
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804FA88E
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_CLEANUP : 804FA88E
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804FA88E
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804FA88E
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804FA88E
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_POWER : F75A5C82
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F75AA99E
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804FA88E
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804FA88E
15:46:05:765 1500 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804FA88E
15:46:05:765 1500 TDL3_FileDetect: Processing driver: Disk
15:46:05:765 1500 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
15:46:05:765 1500 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
15:46:05:781 1500 TDL3_FileDetect: Processing driver: Disk
15:46:05:781 1500 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
15:46:05:781 1500 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
15:46:05:781 1500 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
15:46:05:781 1500
15:46:05:781 1500 DetectCureTDL3: DEVICE_OBJECT: 82F849F0
15:46:05:781 1500 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82F849F0
15:46:05:781 1500 KLMD_ReadMem: Trying to ReadMemory 0x82F849F0[0x38]
15:46:05:781 1500 DetectCureTDL3: DRIVER_OBJECT: 82F92A08
15:46:05:781 1500 KLMD_ReadMem: Trying to ReadMemory 0x82F92A08[0xA8]
15:46:05:781 1500 KLMD_ReadMem: Trying to ReadMemory 0xE1022950[0x18]
15:46:05:781 1500 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_CREATE : F75A9BB0
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_CLOSE : F75A9BB0
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_READ : F75A3D1F
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_WRITE : F75A3D1F
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804FA88E
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804FA88E
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_QUERY_EA : 804FA88E
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_SET_EA : 804FA88E
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F75A42E2
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804FA88E
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F75A43BB
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F75A7F28
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_SHUTDOWN : F75A42E2
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804FA88E
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_CLEANUP : 804FA88E
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804FA88E
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804FA88E
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804FA88E
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_POWER : F75A5C82
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F75AA99E
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804FA88E
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804FA88E
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804FA88E
15:46:05:781 1500 TDL3_FileDetect: Processing driver: Disk
15:46:05:781 1500 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
15:46:05:781 1500 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
15:46:05:781 1500 TDL3_FileDetect: Processing driver: Disk
15:46:05:781 1500 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
15:46:05:781 1500 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
15:46:05:781 1500 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
15:46:05:781 1500
15:46:05:781 1500 DetectCureTDL3: DEVICE_OBJECT: 82F90AB8
15:46:05:781 1500 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82F90AB8
15:46:05:781 1500 DetectCureTDL3: DEVICE_OBJECT: 82F95F18
15:46:05:781 1500 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82F95F18
15:46:05:781 1500 DetectCureTDL3: DEVICE_OBJECT: 82F51D98
15:46:05:781 1500 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82F51D98
15:46:05:781 1500 KLMD_ReadMem: Trying to ReadMemory 0x82F51D98[0x38]
15:46:05:781 1500 DetectCureTDL3: DRIVER_OBJECT: 82FCBD20
15:46:05:781 1500 KLMD_ReadMem: Trying to ReadMemory 0x82FCBD20[0xA8]
15:46:05:781 1500 KLMD_ReadMem: Trying to ReadMemory 0xE101ADF8[0x1A]
15:46:05:781 1500 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_CREATE : F74D5B3A
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : F74D5B3A
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_CLOSE : F74D5B3A
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_READ : F74D5B3A
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_WRITE : F74D5B3A
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : F74D5B3A
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_SET_INFORMATION : F74D5B3A
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_QUERY_EA : F74D5B3A
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_SET_EA : F74D5B3A
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F74D5B3A
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : F74D5B3A
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : F74D5B3A
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : F74D5B3A
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : F74D5B3A
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F74D5B3A
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F74D5B3A
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_SHUTDOWN : F74D5B3A
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : F74D5B3A
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_CLEANUP : F74D5B3A
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : F74D5B3A
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : F74D5B3A
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_SET_SECURITY : F74D5B3A
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_POWER : F74D5B3A
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F74D5B3A
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : F74D5B3A
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : F74D5B3A
15:46:05:781 1500 DetectCureTDL3: IRP_MJ_SET_QUOTA : F74D5B3A
15:46:05:781 1500 TDL3_FileDetect: Processing driver: atapi
15:46:05:781 1500 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
15:46:05:781 1500 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
15:46:05:796 1500 DetectCureTDL3: All IRP handlers pointed to one addr: F74D5B3A
15:46:05:796 1500 KLMD_ReadMem: Trying to ReadMemory 0xF74D5B3A[0x400]
15:46:05:796 1500 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
15:46:05:796 1500 KLMD_ReadMem: Trying to ReadMemory 0xFFDF0308[0x4]
15:46:05:796 1500 KLMD_ReadMem: Trying to ReadMemory 0x82FCB6F4[0x4]
15:46:05:796 1500 TDL3_IrpHookDetect: New IrpHandler addr: 82F358C8
15:46:05:796 1500 KLMD_ReadMem: Trying to ReadMemory 0x82F358C8[0x400]
15:46:05:796 1500 TDL3_IrpHookDetect: CheckParameters: 10, FFDF0308, 510, 134, 3, 120
15:46:05:796 1500 Driver "atapi" Irp handler infected by TDSS rootkit ... 15:46:05:796 1500 KLMD_WriteMem: Trying to WriteMemory 0x82F3594E[0xD]
15:46:05:796 1500 cured
15:46:05:796 1500 KLMD_ReadMem: Trying to ReadMemory 0xF74D3864[0x400]
15:46:05:796 1500 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
15:46:05:796 1500 TDL3_FileDetect: Processing driver: atapi
15:46:05:796 1500 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
15:46:05:796 1500 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
15:46:05:796 1500 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
15:46:05:796 1500 File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 15:46:05:796 1500 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
15:46:05:796 1500 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
15:46:05:812 1500 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\driver.cab
15:46:05:906 1500 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp1.cab
15:46:05:921 1500 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp2.cab
15:46:05:937 1500 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp3.cab
15:46:05:953 1500 CabinetCallback: Backup candidate found: atapi.sys:96512, extracting..
15:46:06:000 1500 CabinetCallback: File extracted successfully: C:\DOCUME~1\Owner\LOCALS~1\Temp\bck2.tmp
15:46:06:000 1500 ValidateDriverFile: Stage 1 passed
15:46:06:000 1500 ValidateDriverFile: Stage 2 passed
15:46:06:156 1500 DigitalSignVerifyByHandle: Embedded DS result: 800B0100
15:46:07:312 1500 DigitalSignVerifyByHandle: Cat DS result: 00000000
15:46:07:312 1500 ValidateDriverFile: Stage 3 passed
15:46:07:312 1500 CabinetCallback: File validated successfully, restore information prepared
15:46:07:312 1500 FindDriverFileBackup: Backup copy found in cab-file
15:46:07:312 1500 TDL3_FileCure: Backup copy found, using it..
15:46:07:312 1500 TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\drivers\tsk3.tmp
15:46:07:343 1500 TDL3_FileCure: New / Old Image paths: (system32\drivers\tsk3.tmp, system32\drivers\atapi.sys)
15:46:07:343 1500 TDL3_FileCure: KLMD jobs schedule success
15:46:07:343 1500 will be cured on next reboot
15:46:07:343 1500 UtilityBootReinit: Reboot required for cure complete..
15:46:07:343 1500 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmdb.sys) returned status 00000000
15:46:07:343 1500 UtilityBootReinit: KLMD drop success
15:46:07:343 1500 KLMD_ApplyPendList: Pending buffer(58B8_3130, 600) dropped successfully
15:46:07:343 1500 UtilityBootReinit: Cure on reboot scheduled successfully
15:46:07:343 1500
15:46:07:343 1500 Completed
15:46:07:343 1500
15:46:07:343 1500 Results:
15:46:07:343 1500 Memory objects infected / cured / cured on reboot: 1 / 1 / 0
15:46:07:343 1500 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
15:46:07:343 1500 File objects infected / cured / cured on reboot: 1 / 0 / 1
15:46:07:343 1500
15:46:07:343 1500 UnloadDriverW: NtUnloadDriver error 1
15:46:07:343 1500 KLMD_Unload: UnloadDriverW(klmd21) error 1
15:46:07:343 1500 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
15:46:07:343 1500 UtilityDeinit: KLMD(ARK) unloaded successfully


All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-1960408961-484061587-725345543-1003\Software\Microsoft\Internet Explorer\URLSearchHooks\\*{1C4AB6A5-595F-4e86-B15F-F93CCE2BBD48} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\*{1C4AB6A5-595F-4e86-B15F-F93CCE2BBD48}\ not found.
Registry value HKEY_USERS\S-1-5-21-1960408961-484061587-725345543-1003\Software\Microsoft\Internet Explorer\URLSearchHooks\\*{C94E154B-1459-4A47-966B-4B843BEFC7DB} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\*{C94E154B-1459-4A47-966B-4B843BEFC7DB}\ not found.
Registry value HKEY_USERS\S-1-5-21-1960408961-484061587-725345543-1003\Software\Microsoft\Internet Explorer\URLSearchHooks\\*{CFBFAE00-17A6-11D0-99CB-00C04FD64497} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\*{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\ not found.
Starting removal of ActiveX control {32505657-9980-0010-8000-00AA00389B71}
C:\WINDOWS\Downloaded Program Files\wmvadvd.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{32505657-9980-0010-8000-00AA00389B71}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32505657-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{32505657-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32505657-9980-0010-8000-00AA00389B71}\ not found.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
File Animation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab not found.
Starting removal of ActiveX control DirectAnimation Java Classes
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\DirectAnimation Java Classes\ not found.
File oft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab not found.
Starting removal of ActiveX control Microsoft XML Parser for Java
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft XML Parser for Java\ not found.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 deleted successfully.
C:\Documents and Settings\Owner\Desktop\Shortcut to ComboFix.lnk moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Ken Funke

User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 33668 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Owner
->Temp folder emptied: 459540 bytes
->Temporary Internet Files folder emptied: 48324957 bytes
->Java cache emptied: 41392332 bytes
->FireFox cache emptied: 111045332 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1145933 bytes
%systemroot%\System32 .tmp files removed: 1162769 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 96512 bytes
Windows Temp folder emptied: 2312420 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 23908926 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 41380 bytes
RecycleBin emptied: 134865 bytes

Total Files Cleaned = 220.00 mb


OTL by OldTimer - Version 3.1.30.1 log created on 02192010_160603

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


OTL logfile created on: 2/19/2010 4:21:49 PM - Run 2
OTL by OldTimer - Version 3.1.30.1 Folder = C:\Documents and Settings\Owner\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

766.00 Mb Total Physical Memory | 378.00 Mb Available Physical Memory | 49.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): C:\pagefile.sys 1152 2304 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29.29 Gb Total Space | 19.26 Gb Free Space | 65.73% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive P: | 268.80 Gb Total Space | 263.49 Gb Free Space | 98.02% Space Free | Partition Type: NTFS

Computer Name: KEN
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/02/19 10:30:08 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\My Documents\Downloads\OTL.exe
PRC - [2010/02/18 06:00:53 | 000,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/01/11 15:21:52 | 000,246,504 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jusched.exe
PRC - [2009/12/17 17:14:11 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/12/11 08:49:25 | 002,043,160 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2009/08/16 08:38:48 | 000,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/08/16 08:38:46 | 000,693,016 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2009/08/16 08:38:40 | 000,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2009/08/16 08:38:22 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2009/08/05 10:37:58 | 012,313,432 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
PRC - [2009/06/22 20:23:38 | 000,196,424 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
PRC - [2008/04/13 16:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/02/19 16:05:24 | 000,591,696 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Epson Software\Event Manager\EEventManager.exe
PRC - [2007/10/18 19:10:42 | 000,479,232 | ---- | M] (Nikon Corporation) -- C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
PRC - [2007/01/31 13:55:42 | 000,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2005/06/21 15:44:34 | 000,126,976 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2002/04/10 15:44:04 | 000,679,936 | ---- | M] (Roxio) -- C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe


========== Modules (SafeList) ==========

MOD - [2010/02/19 10:30:08 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\My Documents\Downloads\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (Nero BackItUp Scheduler 4.0)
SRV - [2009/12/17 17:14:11 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/08/16 08:38:22 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2007/01/31 13:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2005/04/03 23:41:10 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2003/07/28 11:28:22 | 000,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Driver Services (SafeList) ==========

DRV - [2009/08/16 08:38:47 | 000,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/08/16 08:38:47 | 000,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/06/21 21:23:10 | 000,059,440 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2009/06/21 21:23:10 | 000,023,724 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2009/06/17 10:38:01 | 000,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2008/09/25 16:24:16 | 000,016,384 | ---- | M] (Windows ® DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\vad.sys -- (VAD_DEV)
DRV - [2008/04/13 08:39:15 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2005/06/21 16:12:34 | 000,807,998 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm)
DRV - [2004/08/03 21:41:55 | 000,011,868 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV - [2004/08/03 21:41:54 | 001,041,536 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hsfdpsp2.sys -- (HSF_DP)
DRV - [2004/08/03 21:41:48 | 000,685,056 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hsfcxts2.sys -- (winachsf)
DRV - [2004/08/03 21:41:46 | 000,220,032 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hsfbs2s2.sys -- (HSFHWBS2)
DRV - [2002/09/10 08:45:50 | 000,041,728 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2002/09/03 08:53:10 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2002/08/05 08:23:58 | 000,545,208 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm)
DRV - [2002/06/21 10:45:58 | 000,069,792 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ialmkchw.sys -- ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91}) Intel® Graphics Chipset (KCH)
DRV - [2002/06/21 10:45:48 | 000,090,784 | ---- | M] (Intel Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\ialmsbw.sys -- ({6080A529-897E-4629-A488-ABA0C29B635E}) Intel® Graphics Platform (SoftBIOS)
DRV - [2002/04/10 16:01:12 | 000,024,554 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Dvd_2k.sys -- (dvd_2K)
DRV - [2002/04/10 16:01:00 | 000,029,638 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Mmc_2k.sys -- (mmc_2K)
DRV - [2002/04/10 16:00:44 | 000,117,898 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\pwd_2K.sys -- (pwd_2k)
DRV - [2002/04/10 15:48:04 | 000,236,032 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\cdudf_xp.sys -- (cdudf_xp)
DRV - [2002/04/10 15:45:16 | 000,206,336 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\udfreadr_xp.sys -- (UdfReadr_xp)
DRV - [2002/04/01 12:15:00 | 000,004,816 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (aeaudio)
DRV - [2001/08/22 07:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)
DRV - [2001/08/17 05:28:12 | 000,488,383 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_V124.sys -- (V124)
DRV - [2001/08/17 05:28:12 | 000,050,751 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_TONE.sys -- (Tones)
DRV - [2001/08/17 05:28:10 | 000,542,879 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_MSFT.sys -- (hsf_msft)
DRV - [2001/08/17 05:28:10 | 000,057,471 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_SAMP.sys -- (Rksample)
DRV - [2001/08/17 05:28:08 | 000,391,199 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_K56K.sys -- (K56)
DRV - [2001/08/17 05:28:06 | 000,289,887 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_FALL.sys -- (Fallback)
DRV - [2001/08/17 05:28:06 | 000,199,711 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_FAXX.sys -- (SoftFax)
DRV - [2001/08/17 05:28:06 | 000,115,807 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_FSKS.sys -- (Fsks)
DRV - [2001/08/17 05:28:04 | 000,067,167 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_BSC2.sys -- (basic2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "bing.com"
FF - prefs.js..browser.search.order.1: "Ask"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.egriz.com/grizboard/viewforum.php?f=1"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..keyword.URL: "http://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q="

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/18 06:00:57 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/18 06:00:57 | 000,000,000 | ---D | M]

[2009/06/17 10:44:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2009/12/28 08:49:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\gippy1q1.default\extensions
[2009/08/27 19:30:35 | 000,000,681 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\gippy1q1.default\searchplugins\ask.xml
[2009/10/01 18:55:52 | 000,002,172 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\gippy1q1.default\searchplugins\bing.xml
[2010/02/16 18:45:36 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/11/04 12:36:41 | 000,003,803 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\MyHeritage.xml

O1 HOSTS File: ([2002/09/03 08:34:19 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe (Roxio)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [EEventManager] C:\Program Files\Epson Software\Event Manager\EEventManager.exe (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [EPSON WorkForce 600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEKA.EXE (SEIKO EPSON CORPORATION)
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe (Nikon Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O15 - HKCU\..Trusted Domains: 25 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1245261501015 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 192.168.1.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/17 08:28:27 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/02/19 16:06:03 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/02/19 15:46:07 | 000,031,752 | ---- | C] (Kaspersky Lab, SLA) -- C:\WINDOWS\System32\drivers\klmdb.sys
[2010/02/15 19:39:02 | 000,175,880 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Owner\Desktop\TDSSKiller.exe
[2010/02/15 16:38:29 | 000,000,000 | ---D | C] -- C:\Program Files\Cobian Backup 8
[2010/02/14 20:34:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/02/13 13:12:39 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/02/13 13:12:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/02/12 16:14:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2010/02/12 16:14:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/02/12 16:14:17 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/02/12 09:52:05 | 000,702,297 | ---- | C] (PC Tools) -- C:\WINDOWS\unins001.exe
[2010/02/12 09:31:07 | 000,702,297 | ---- | C] (PC Tools) -- C:\WINDOWS\unins000.exe
[2010/02/11 20:34:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/02/11 20:33:37 | 000,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2010/01/30 11:59:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\iPod2PC3
[2010/01/30 11:59:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\EurekaLog
[2010/01/30 11:58:27 | 000,000,000 | ---D | C] -- C:\Program Files\iPod2PC
[2010/01/26 21:43:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/01/26 21:43:17 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/01/26 21:42:57 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/01/26 21:42:57 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/01/26 21:42:57 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/01/21 00:43:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/01/14 11:35:56 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/06/17 10:36:00 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/06/17 10:22:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft

========== Files - Modified Within 30 Days ==========

[2010/02/19 16:13:28 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/19 16:13:23 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/19 16:06:42 | 003,932,160 | -H-- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT
[2010/02/19 16:06:42 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/02/19 16:01:47 | 000,000,648 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to TDSSKiller.2.2.4_19.02.2010_15.46.05_log.lnk
[2010/02/19 15:46:07 | 000,031,752 | ---- | M] (Kaspersky Lab, SLA) -- C:\WINDOWS\System32\drivers\klmdb.sys
[2010/02/19 15:45:06 | 000,175,880 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\Owner\Desktop\TDSSKiller.exe
[2010/02/19 15:43:30 | 000,000,674 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to tdsskiller.lnk
[2010/02/19 10:31:43 | 000,000,743 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to OTL.lnk
[2010/02/19 06:28:45 | 055,899,862 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/02/19 00:01:26 | 004,838,984 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2010/02/18 07:02:54 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/02/15 16:37:22 | 000,000,774 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to cbSetup8.lnk
[2010/02/15 15:57:26 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\defogger_reenable
[2010/02/15 15:56:41 | 000,000,774 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to Defogger.lnk
[2010/02/15 15:41:42 | 000,000,775 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to gmer.lnk
[2010/02/15 15:31:04 | 000,000,743 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to dds.lnk
[2010/02/14 21:19:10 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/13 13:12:56 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Spybot - Search & Destroy.lnk
[2010/02/12 16:15:32 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Microsoft Office Outlook 2003.lnk
[2010/02/12 09:56:59 | 000,074,260 | ---- | M] () -- C:\WINDOWS\unins001.dat
[2010/02/12 09:56:46 | 000,702,297 | ---- | M] (PC Tools) -- C:\WINDOWS\unins001.exe
[2010/02/12 09:44:49 | 000,022,984 | ---- | M] () -- C:\WINDOWS\unins000.dat
[2010/02/12 09:44:43 | 000,702,297 | ---- | M] (PC Tools) -- C:\WINDOWS\unins000.exe
[2010/02/12 09:38:51 | 000,000,690 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\SpywareBlaster.lnk
[2010/02/11 05:51:15 | 000,022,016 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Feb 2 Mina.doc
[2010/02/10 22:44:47 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/01/30 11:58:34 | 000,001,528 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\iPod2PC.lnk
[2010/01/30 11:05:54 | 000,000,039 | ---- | M] () -- C:\WINDOWS\Irremote.ini

========== Files Created - No Company Name ==========

[2010/02/19 16:01:47 | 000,000,648 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to TDSSKiller.2.2.4_19.02.2010_15.46.05_log.lnk
[2010/02/19 15:43:30 | 000,000,674 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to tdsskiller.lnk
[2010/02/19 10:31:43 | 000,000,743 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to OTL.lnk
[2010/02/15 16:37:22 | 000,000,774 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to cbSetup8.lnk
[2010/02/15 15:57:26 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\defogger_reenable
[2010/02/15 15:56:41 | 000,000,774 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to Defogger.lnk
[2010/02/15 15:41:42 | 000,000,775 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to gmer.lnk
[2010/02/15 15:31:04 | 000,000,743 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to dds.lnk
[2010/02/13 13:12:56 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Spybot - Search & Destroy.lnk
[2010/02/12 09:52:05 | 000,074,260 | ---- | C] () -- C:\WINDOWS\unins001.dat
[2010/02/12 09:31:07 | 000,022,984 | ---- | C] () -- C:\WINDOWS\unins000.dat
[2010/02/11 20:33:44 | 000,000,690 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\SpywareBlaster.lnk
[2010/02/11 05:51:14 | 000,022,016 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Feb 2 Mina.doc
[2010/01/30 11:58:34 | 000,001,528 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\iPod2PC.lnk
[2009/10/30 21:58:25 | 006,963,712 | ---- | C] () -- C:\WINDOWS\System32\videotrans.dll
[2009/10/30 21:58:25 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\viscomgifenc.dll
[2009/10/30 21:58:25 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\viscomtran.dll
[2009/10/30 21:58:24 | 000,452,608 | ---- | C] () -- C:\WINDOWS\System32\videoformat.dll
[2009/10/30 21:58:24 | 000,323,584 | ---- | C] () -- C:\WINDOWS\System32\FoxImager.dll
[2009/10/30 21:58:24 | 000,262,144 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2009/10/30 21:58:24 | 000,154,624 | ---- | C] () -- C:\WINDOWS\System32\imgscaler.dll
[2009/10/30 21:58:24 | 000,028,160 | ---- | C] () -- C:\WINDOWS\System32\img_utils.dll
[2009/10/30 21:58:24 | 000,019,456 | ---- | C] () -- C:\WINDOWS\System32\videocore.dll
[2009/07/30 19:57:45 | 000,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI
[2009/06/21 22:45:15 | 000,000,039 | ---- | C] () -- C:\WINDOWS\Irremote.ini
[2009/06/19 09:34:37 | 000,000,204 | ---- | C] () -- C:\WINDOWS\ViewNX.INI
[2009/06/18 11:33:32 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/06/18 10:40:57 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\String Ensemble
[2009/06/18 10:40:57 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\Owner\Application Data\Static Library
[2009/06/18 10:40:57 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdw.DAT
[2009/06/18 10:37:42 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\Stingers
[2009/06/18 10:37:42 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\Owner\Application Data\Standard Tool
[2009/06/18 10:37:41 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
[2009/06/18 08:30:10 | 000,000,070 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\FASTWiz.log
[2009/06/17 23:08:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\EEventManager.INI
[2009/06/17 11:48:25 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2009/06/17 11:47:26 | 000,000,079 | ---- | C] () -- C:\WINDOWS\EPWF600.ini
[2009/06/17 09:39:09 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/06/17 09:03:12 | 000,266,240 | ---- | C] () -- C:\WINDOWS\System32\shpshftr.dll
[2009/06/17 09:02:50 | 000,009,785 | ---- | C] () -- C:\WINDOWS\System32\drivers\a312.sys
[2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
< End of report >


#6 syler

  • Malware Response Team
  • 8,150 posts
  • Gender: Male
  • Location: Warrington, UK
  • Local time: 04:32 AM

Posted 19 February 2010 - 08:00 PM

funkyk,

You're not meant to run TDSSKiller first; you were meant to put that line into the Windows Run box, and that will open and run TDSSKiller. Anyhow,
it looks like it has done its job; let's try and confirm this. Can you tell me if you are still getting redirected?
  • Go to Start >> Run
  • Copy and paste the following command line into the Run box, then click OK.
cmd /c mbr -t& start mbr.log
  • A file called mbr.log will pop up please post the contents in your reply.

Edited by syler, 19 February 2010 - 08:02 PM.



#7 funkyk

  • Topic Starter
  • Members
  • 10 posts
  • Local time: 10:32 PM

Posted 19 February 2010 - 08:33 PM

Sorry, still getting hijacked.


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK


#8 syler

  • Malware Response Team
  • 8,150 posts
  • Gender: Male
  • Location: Warrington, UK
  • Local time: 04:32 AM

Posted 19 February 2010 - 08:53 PM

No problem. Please run OTL again with these instructions. Are you getting hijacked in IE, Firefox or both?



#9 funkyk

  • Topic Starter
  • Members
  • 10 posts
  • Local time: 10:32 PM

Posted 20 February 2010 - 09:01 AM

Syler, these are the reports you requested, and yes, I get hijacked in both IE and Firefox.



OTL logfile created on: 2/20/2010 5:39:19 AM - Run 4
OTL by OldTimer - Version 3.1.30.1 Folder = C:\Documents and Settings\Owner\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

766.00 Mb Total Physical Memory | 300.00 Mb Available Physical Memory | 39.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 73.00% Paging File free
Paging file location(s): C:\pagefile.sys 1152 2304 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29.29 Gb Total Space | 19.18 Gb Free Space | 65.47% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive P: | 268.80 Gb Total Space | 263.49 Gb Free Space | 98.02% Space Free | Partition Type: NTFS

Computer Name: KEN
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Files/Folders - Created Within 30 Days ==========

[2010/02/19 16:06:03 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/02/19 15:46:07 | 000,031,752 | ---- | C] (Kaspersky Lab, SLA) -- C:\WINDOWS\System32\drivers\klmdb.sys
[2010/02/15 19:39:02 | 000,175,880 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Owner\Desktop\TDSSKiller.exe
[2010/02/15 16:38:29 | 000,000,000 | ---D | C] -- C:\Program Files\Cobian Backup 8
[2010/02/14 20:34:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/02/13 13:12:39 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/02/13 13:12:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/02/12 16:14:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2010/02/12 16:14:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/02/12 16:14:17 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/02/12 09:52:05 | 000,702,297 | ---- | C] (PC Tools) -- C:\WINDOWS\unins001.exe
[2010/02/12 09:31:07 | 000,702,297 | ---- | C] (PC Tools) -- C:\WINDOWS\unins000.exe
[2010/02/11 20:34:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/02/11 20:33:37 | 000,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2010/01/30 11:59:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\iPod2PC3
[2010/01/30 11:59:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\EurekaLog
[2010/01/30 11:58:27 | 000,000,000 | ---D | C] -- C:\Program Files\iPod2PC
[2010/01/26 21:43:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/01/26 21:43:17 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/01/26 21:42:57 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/01/26 21:42:57 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/01/26 21:42:57 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/01/21 00:43:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/01/14 11:35:56 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/06/17 10:36:00 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/06/17 10:22:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft

========== Files - Modified Within 30 Days ==========

[2010/02/20 05:16:08 | 055,963,047 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/02/20 05:13:34 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/20 05:13:27 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/19 21:11:00 | 003,932,160 | -H-- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT
[2010/02/19 21:11:00 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/02/19 15:46:07 | 000,031,752 | ---- | M] (Kaspersky Lab, SLA) -- C:\WINDOWS\System32\drivers\klmdb.sys
[2010/02/19 15:45:06 | 000,175,880 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\Owner\Desktop\TDSSKiller.exe
[2010/02/19 15:43:30 | 000,000,674 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to tdsskiller.lnk
[2010/02/19 10:31:43 | 000,000,743 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to OTL.lnk
[2010/02/19 00:01:26 | 004,838,984 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2010/02/18 07:02:54 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/02/15 16:37:22 | 000,000,774 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to cbSetup8.lnk
[2010/02/15 15:57:26 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\defogger_reenable
[2010/02/15 15:56:41 | 000,000,774 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to Defogger.lnk
[2010/02/15 15:41:42 | 000,000,775 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to gmer.lnk
[2010/02/15 15:31:04 | 000,000,743 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to dds.lnk
[2010/02/14 21:19:10 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/13 13:12:56 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Spybot - Search & Destroy.lnk
[2010/02/12 16:15:32 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Microsoft Office Outlook 2003.lnk
[2010/02/12 09:56:59 | 000,074,260 | ---- | M] () -- C:\WINDOWS\unins001.dat
[2010/02/12 09:56:46 | 000,702,297 | ---- | M] (PC Tools) -- C:\WINDOWS\unins001.exe
[2010/02/12 09:44:49 | 000,022,984 | ---- | M] () -- C:\WINDOWS\unins000.dat
[2010/02/12 09:44:43 | 000,702,297 | ---- | M] (PC Tools) -- C:\WINDOWS\unins000.exe
[2010/02/12 09:38:51 | 000,000,690 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\SpywareBlaster.lnk
[2010/02/11 05:51:15 | 000,022,016 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Feb 2 Mina.doc
[2010/02/10 22:44:47 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/01/30 11:58:34 | 000,001,528 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\iPod2PC.lnk
[2010/01/30 11:05:54 | 000,000,039 | ---- | M] () -- C:\WINDOWS\Irremote.ini

========== Files Created - No Company Name ==========

[2010/02/19 15:43:30 | 000,000,674 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to tdsskiller.lnk
[2010/02/19 10:31:43 | 000,000,743 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to OTL.lnk
[2010/02/15 16:37:22 | 000,000,774 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to cbSetup8.lnk
[2010/02/15 15:57:26 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\defogger_reenable
[2010/02/15 15:56:41 | 000,000,774 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to Defogger.lnk
[2010/02/15 15:41:42 | 000,000,775 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to gmer.lnk
[2010/02/15 15:31:04 | 000,000,743 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to dds.lnk
[2010/02/13 13:12:56 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Spybot - Search & Destroy.lnk
[2010/02/12 09:52:05 | 000,074,260 | ---- | C] () -- C:\WINDOWS\unins001.dat
[2010/02/12 09:31:07 | 000,022,984 | ---- | C] () -- C:\WINDOWS\unins000.dat
[2010/02/11 20:33:44 | 000,000,690 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\SpywareBlaster.lnk
[2010/02/11 05:51:14 | 000,022,016 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Feb 2 Mina.doc
[2010/01/30 11:58:34 | 000,001,528 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\iPod2PC.lnk
[2009/10/30 21:58:25 | 006,963,712 | ---- | C] () -- C:\WINDOWS\System32\videotrans.dll
[2009/10/30 21:58:25 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\viscomgifenc.dll
[2009/10/30 21:58:25 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\viscomtran.dll
[2009/10/30 21:58:24 | 000,452,608 | ---- | C] () -- C:\WINDOWS\System32\videoformat.dll
[2009/10/30 21:58:24 | 000,323,584 | ---- | C] () -- C:\WINDOWS\System32\FoxImager.dll
[2009/10/30 21:58:24 | 000,262,144 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2009/10/30 21:58:24 | 000,154,624 | ---- | C] () -- C:\WINDOWS\System32\imgscaler.dll
[2009/10/30 21:58:24 | 000,028,160 | ---- | C] () -- C:\WINDOWS\System32\img_utils.dll
[2009/10/30 21:58:24 | 000,019,456 | ---- | C] () -- C:\WINDOWS\System32\videocore.dll
[2009/07/30 19:57:45 | 000,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI
[2009/06/21 22:45:15 | 000,000,039 | ---- | C] () -- C:\WINDOWS\Irremote.ini
[2009/06/19 09:34:37 | 000,000,204 | ---- | C] () -- C:\WINDOWS\ViewNX.INI
[2009/06/18 11:33:32 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/06/18 10:40:57 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\String Ensemble
[2009/06/18 10:40:57 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\Owner\Application Data\Static Library
[2009/06/18 10:40:57 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdw.DAT
[2009/06/18 10:37:42 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\Stingers
[2009/06/18 10:37:42 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\Owner\Application Data\Standard Tool
[2009/06/18 10:37:41 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
[2009/06/18 08:30:10 | 000,000,070 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\FASTWiz.log
[2009/06/17 23:08:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\EEventManager.INI
[2009/06/17 11:48:25 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2009/06/17 11:47:26 | 000,000,079 | ---- | C] () -- C:\WINDOWS\EPWF600.ini
[2009/06/17 09:39:09 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/06/17 09:03:12 | 000,266,240 | ---- | C] () -- C:\WINDOWS\System32\shpshftr.dll
[2009/06/17 09:02:50 | 000,009,785 | ---- | C] () -- C:\WINDOWS\System32\drivers\a312.sys
[2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2009/06/17 10:13:43 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/06/17 11:12:42 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2009/06/17 10:13:43 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2009/06/17 11:12:42 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 10:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 10:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/03 22:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2002/09/03 09:04:09 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2009/06/17 10:13:43 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/06/17 11:12:42 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2009/06/17 10:13:43 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2009/06/17 11:12:42 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 10:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2004/08/03 21:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2008/04/13 10:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 16:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 16:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/03 23:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 16:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 16:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/03 23:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/03 23:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 16:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 16:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll
< End of report >


OTL Extras logfile created on: 2/20/2010 5:39:19 AM - Run 4
OTL by OldTimer - Version 3.1.30.1 Folder = C:\Documents and Settings\Owner\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

766.00 Mb Total Physical Memory | 300.00 Mb Available Physical Memory | 39.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 73.00% Paging File free
Paging file location(s): C:\pagefile.sys 1152 2304 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29.29 Gb Total Space | 19.18 Gb Free Space | 65.47% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive P: | 268.80 Gb Total Space | 263.49 Gb Free Space | 98.02% Space Free | Partition Type: NTFS

Computer Name: KEN
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1960408961-484061587-725345543-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG8\avgnsx.exe" = C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support
"{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java™ 6 Update 18
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{468190DA-FB4C-45BA-8E40-4B165FF1A939}" = BACS
"{48F22622-1CC2-4A83-9C1E-644DD96F832D}" = Epson Event Manager
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{52504CE6-E909-4113-B232-4AFEC6543A61}" = B44Inst
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{609F7AC8-C510-11D4-A788-009027ABA5D0}" = Easy CD Creator 5 Basic
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{73568F76-7A37-9DB4-73B1-11DCF1A2FC52}" = FOX News Live
"{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{87441A59-5E64-4096-A170-14EFE67200C3}" = Picture Control Utility
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A8F2089B-1F79-4BF6-B385-A2C2B0B9A74D}" = ImagXpress
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.1
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BD01E97F-2A6A-495E-BE38-22C7B80F3CD7}" = Cheetah DVD Burner
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}" = Nikon Message Center
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{E9757890-7EC5-46C8-99AB-B00F07B6525C}" = Nikon Transfer
"{F007CBCE-D714-4C0B-8CE9-9B0D78116468}" = ViewNX
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AVG8Uninstall" = AVG Free 8.5
"CAL" = Canon Camera Access Library
"CameraWindowDC" = Canon Utilities CameraWindow DC
"CameraWindowDVC5" = Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"CobBackup8" = Cobian Backup 8
"CSCLIB" = Canon Camera Support Core Library
"EOS Utility" = Canon Utilities EOS Utility
"EPSON Scanner" = EPSON Scan
"EPSON WorkForce 600 Series" = EPSON WorkForce 600 Series Printer Uninstall
"InstallShield_{468190DA-FB4C-45BA-8E40-4B165FF1A939}" = Broadcom Advanced Control Suite
"InstallShield_{52504CE6-E909-4113-B232-4AFEC6543A61}" = Broadcom 440x Driver Installer
"iPod2PC_is1" = iPod2PC 3.9.4
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"Mozilla Firefox (3.5.8)" = Mozilla Firefox (3.5.8)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MyCamera" = Canon Utilities MyCamera
"MyCameraDC" = Canon Utilities MyCamera DC
"PhotoStitch" = Canon Utilities PhotoStitch
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"SpywareBlaster_is1" = SpywareBlaster 4.2
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wondershare PPT2DVD Lite_is1" = Wondershare PPT2DVD Lite 5.1.5.219
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/12/2010 11:59:09 AM | Computer Name = KEN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/12/2010 11:59:10 AM | Computer Name = KEN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/12/2010 1:00:15 PM | Computer Name = KEN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 2/12/2010 1:00:15 PM | Computer Name = KEN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/12/2010 1:12:56 PM | Computer Name = KEN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/12/2010 1:12:56 PM | Computer Name = KEN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/12/2010 1:58:51 PM | Computer Name = KEN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 2/12/2010 2:02:51 PM | Computer Name = KEN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 2/15/2010 3:04:33 PM | Computer Name = KEN | Source = Application Error | ID = 1000
Description = Faulting application teatimer.exe, version 1.6.6.32, faulting module
teatimer.exe, version 1.6.6.32, fault address 0x0006e66e.

Error - 2/15/2010 7:51:12 PM | Computer Name = KEN | Source = Application Error | ID = 1000
Description = Faulting application gmer.exe, version 1.0.15.15281, faulting module
gmer.exe, version 1.0.15.15281, fault address 0x0000c4b1.

[ System Events ]
Error - 12/7/2009 2:08:35 PM | Computer Name = KEN | Source = Dhcp | ID = 1002
Description = The IP address lease 98.247.5.119 for the Network Card with network
address 000874BAEAFE has been denied by the DHCP server 0.0.0.0 (The DHCP Server
sent a DHCPNACK message).

Error - 12/8/2009 2:18:10 PM | Computer Name = KEN | Source = Dhcp | ID = 1002
Description = The IP address lease 98.247.5.119 for the Network Card with network
address 000874BAEAFE has been denied by the DHCP server 0.0.0.0 (The DHCP Server
sent a DHCPNACK message).

Error - 12/8/2009 2:18:58 PM | Computer Name = KEN | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.100.10
on the Network Card with network address 000874BAEAFE.

Error - 12/8/2009 2:20:45 PM | Computer Name = KEN | Source = Dhcp | ID = 1002
Description = The IP address lease 98.247.5.119 for the Network Card with network
address 000874BAEAFE has been denied by the DHCP server 0.0.0.0 (The DHCP Server
sent a DHCPNACK message).

Error - 12/8/2009 2:21:33 PM | Computer Name = KEN | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.100.10
on the Network Card with network address 000874BAEAFE.

Error - 12/9/2009 1:56:01 AM | Computer Name = KEN | Source = Dhcp | ID = 1002
Description = The IP address lease 98.247.5.119 for the Network Card with network
address 000874BAEAFE has been denied by the DHCP server 0.0.0.0 (The DHCP Server
sent a DHCPNACK message).

Error - 12/9/2009 1:57:38 AM | Computer Name = KEN | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.100.10
on the Network Card with network address 000874BAEAFE.

Error - 12/9/2009 2:15:01 AM | Computer Name = KEN | Source = Dhcp | ID = 1002
Description = The IP address lease 98.247.5.119 for the Network Card with network
address 000874BAEAFE has been denied by the DHCP server 0.0.0.0 (The DHCP Server
sent a DHCPNACK message).

Error - 12/9/2009 2:15:33 AM | Computer Name = KEN | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.100.10
on the Network Card with network address 000874BAEAFE.


< End of report >


#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:32 AM

Posted 20 February 2010 - 12:37 PM

Looks like the Rootkit is still there, let's try something else.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



#11 funkyk

funkyk
  • Topic Starter

  • Members
  • 10 posts
  • Local time:10:32 PM

Posted 20 February 2010 - 02:44 PM



ComboFix 10-02-20.01 - Owner 02/20/2010 11:11:39.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.528 [GMT -8:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\EurekaLog
c:\program files\AskSearch\bin\DefaultSearch.dll
c:\windows\system32\drivers\fad.sys

.
((((((((((((((((((((((((( Files Created from 2010-01-20 to 2010-02-20 )))))))))))))))))))))))))))))))
.

2010-02-20 18:43 . 2010-02-20 18:43 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-02-20 00:06 . 2010-02-20 00:06 -------- d-----w- C:\_OTL
2010-02-19 23:46 . 2010-02-19 23:46 31752 ----a-w- c:\windows\system32\drivers\klmdb.sys
2010-02-16 00:38 . 2010-02-16 00:39 -------- d-----w- c:\program files\Cobian Backup 8
2010-02-13 21:12 . 2010-02-13 23:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-13 21:12 . 2010-02-13 21:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-13 00:14 . 2010-02-13 00:14 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-02-13 00:14 . 2010-02-13 00:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-13 00:14 . 2010-02-16 00:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-12 17:52 . 2010-02-12 17:56 74260 ----a-w- c:\windows\unins001.dat
2010-02-12 17:52 . 2010-02-12 17:56 702297 ----a-w- c:\windows\unins001.exe
2010-02-12 17:31 . 2010-02-12 17:44 22984 ----a-w- c:\windows\unins000.dat
2010-02-12 17:31 . 2010-02-12 17:44 702297 ----a-w- c:\windows\unins000.exe
2010-02-12 04:34 . 2010-02-20 18:12 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-12 04:33 . 2010-02-17 07:16 -------- d-----w- c:\program files\SpywareBlaster
2010-01-30 19:59 . 2010-01-30 19:59 -------- d-----w- c:\documents and settings\Owner\Application Data\iPod2PC3
2010-01-30 19:58 . 2010-02-06 14:52 -------- d-----w- c:\program files\iPod2PC
2010-01-27 05:43 . 2010-01-27 05:43 -------- d-----w- c:\program files\Common Files\Java
2010-01-27 05:43 . 2010-01-27 05:43 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3614ce97-n\msvcp71.dll
2010-01-27 05:43 . 2010-01-27 05:43 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3614ce97-n\msvcr71.dll
2010-01-27 05:43 . 2010-01-27 05:43 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3614ce97-n\jmc.dll
2010-01-27 05:43 . 2010-01-27 05:43 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4b9560bc-n\decora-sse.dll
2010-01-27 05:43 . 2010-01-27 05:43 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4b9560bc-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-30 19:39 . 2009-06-22 06:28 -------- d-----w- c:\program files\Common Files\Nero
2010-01-30 19:18 . 2009-06-22 06:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2010-01-30 19:06 . 2009-06-22 06:29 -------- d-----w- c:\program files\Nero
2010-01-27 05:42 . 2009-07-03 04:59 -------- d-----w- c:\program files\Java
2010-01-21 14:31 . 2009-09-13 02:06 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-13 19:55 . 2009-06-17 23:03 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-13 19:29 . 2010-01-13 19:29 -------- d-----w- c:\program files\Windows Media Connect 2
2010-01-08 17:49 . 2009-07-08 15:04 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-08 17:49 . 2009-08-05 14:44 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-08 17:49 . 2009-07-08 15:04 38784 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-12-31 16:50 . 2002-09-03 17:04 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-28 16:13 . 2009-12-28 16:13 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-28 16:13 . 2009-12-28 16:13 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-22 05:21 . 2002-09-03 17:12 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:20 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2009-12-18 01:14 . 2009-07-03 04:59 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 18:43 . 2009-06-17 16:25 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2002-09-03 16:29 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2002-09-03 16:50 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2002-08-29 01:04 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2002-09-03 16:42 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2002-09-03 16:53 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2001-08-17 22:36 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2002-09-03 16:46 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2002-09-03 16:46 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2002-09-03 16:27 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2001-08-17 22:36 48128 ----a-w- c:\windows\system32\iyuv_32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 21:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-11 2043160]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2008-02-20 591696]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 679936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-16 16:38 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/17/2009 10:37 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/17/2009 10:38 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/17/2009 10:37 AM 297752]
R3 VAD_DEV;Virtual Audio Service;c:\windows\system32\drivers\vad.sys [6/25/2009 7:44 PM 16384]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {BB1FAC27-97DD-47C4-B57B-C238531BF630} = 206.63.24.5,206.63.224.5,206.63.24.6
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
DPF: {32505657-9980-0010-8000-00AA00389B71}
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\gippy1q1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.egriz.com/grizboard/viewforum.php?f=1
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-20 11:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x83B358C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7727f28
\Driver\ACPI -> ACPI.sys @ 0xf769acb8
\Driver\atapi -> atapi.sys @ 0xf7655b3a
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xf755ebb0
PacketIndicateHandler -> NDIS.sys @ 0xf756ba21
SendHandler -> NDIS.sys @ 0xf754987b
user & kernel MBR OK

**************************************************************************
.
Completion time: 2010-02-20 11:20:26
ComboFix-quarantined-files.txt 2010-02-20 19:20

Pre-Run: 20,527,316,992 bytes free
Post-Run: 20,492,242,944 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 8E2FF34980F45D65A1D6ABFCC0D160FA


#12 syler
  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 21 February 2010 - 03:05 PM

We need to replace a file using the recovery console.

  • Go to Start >> Run
  • Copy and paste the following command line into the Run box, then click OK.
CMD /K COPY C:\WINDOWS\ServicePackFiles\i386\atapi.sys C:\atapi.sys
  • The command prompt should pop up and say "1 file(s) copied"; if it doesn't, please let me know before continuing.



Reboot your computer.

On the black screen with the startup menu select Microsoft Windows Recovery Console.

When the recovery console has started, there is a menu where you're asked to select which Windows installation you want to log in to; usually there is only one:

1. C:\WINDOWS

Select the number and press Enter.

If it asks you to type the administrator password, do so, then press Enter.

It should then come up with C:\WINDOWS>

Now type in the following line, then press Enter.

COPY C:\atapi.sys C:\windows\system32\drivers\atapi.sys

It will then ask if you want to overwrite atapi.sys; press Y, then Enter.

If successful, it should say "1 file(s) copied".

Then type EXIT and press Enter to reboot the machine.


  • Go to Start >> Run
  • Copy and paste the following command line into the Run box, then click OK.
cmd /c mbr -t& start mbr.log
  • A file called mbr.log will pop up; please post the contents in your reply.

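The mbr -t step at the end of this post writes the log that Gmer's Stealth MBR detector produces. As an added example that is not part of this thread and not Gmer's code, here is a small Python classifier that tells the infected run posted earlier in the thread from the clean run posted after atapi.sys was replaced: it keys on the ">>UNKNOWN [0x...]<<" entry in the "called modules" chain (a code address in the disk I/O path that belongs to no known driver image) and on the presence of a "detected MBR rootkit hooks:" section. Both sample logs are copied from the outputs posted in this thread.

```python
"""Classify a Gmer mbr.log as clean or suspicious (added example, not Gmer's own code)."""
import re
from dataclasses import dataclass

# Sample inputs copied from this thread: the run while atapi.sys was still infected,
# and the run after atapi.sys was restored from ServicePackFiles.
INFECTED_LOG = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x83B358C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\\Driver\\Disk -> CLASSPNP.SYS @ 0xf7727f28
\\Driver\\ACPI -> ACPI.sys @ 0xf769acb8
\\Driver\\atapi -> atapi.sys @ 0xf7655b3a
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\\Device\\Harddisk0\\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xf755ebb0
PacketIndicateHandler -> NDIS.sys @ 0xf756ba21
SendHandler -> NDIS.sys @ 0xf754987b
user & kernel MBR OK
"""

CLEAN_LOG = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
"""

# An address in the disk call chain that the tool could not map to any loaded driver image.
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")


@dataclass
class MbrReport:
    modules: list        # driver images in the disk I/O call chain, in order
    unknown_addrs: list  # unattributed addresses found in that chain
    hooks: list          # (hooked object, owning module, address) from the hooks section
    mbr_ok: bool         # the tool's own verdict on the boot sector itself

    @property
    def suspicious(self) -> bool:
        # A clean run has a fully attributed chain, no hooks section, and "MBR OK".
        return bool(self.unknown_addrs) or bool(self.hooks) or not self.mbr_ok


def parse_hook_line(line: str):
    """Parse "<object> -> [<slot> ->] <module> @ <addr>"; None if not a hook entry."""
    if " @ " not in line or " -> " not in line:
        return None
    left, addr = line.rsplit(" @ ", 1)
    target, module = left.rsplit(" -> ", 1)
    return (target.strip(), module.strip(), addr.strip())


def parse_mbr_log(text: str) -> MbrReport:
    modules, unknown, hooks = [], [], []
    mbr_ok, in_hooks = False, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("called modules:"):
            chain = line[len("called modules:"):]
            unknown = UNKNOWN_RE.findall(chain)
            modules = UNKNOWN_RE.sub(" ", chain).split()
            in_hooks = False
        elif line.startswith("detected MBR rootkit hooks:"):
            in_hooks = True                      # every line until the verdict is a hook
        elif line == "user & kernel MBR OK":
            mbr_ok, in_hooks = True, False
        elif in_hooks:
            hook = parse_hook_line(line)
            if hook:
                hooks.append(hook)
    return MbrReport(modules, unknown, hooks, mbr_ok)


def classify(text: str) -> str:
    return "suspicious" if parse_mbr_log(text).suspicious else "clean"


if __name__ == "__main__":
    for name, log in (("before fix", INFECTED_LOG), ("after fix", CLEAN_LOG)):
        rep = parse_mbr_log(log)
        print(f"{name}: {classify(log)}; unknown={rep.unknown_addrs}; "
              f"hooks={len(rep.hooks)}; chain ends in {rep.modules[-1]}")
```

Note that the tool's "user & kernel MBR OK" line appears in both runs, so on its own it does not rule out a patched driver; the unattributed address in the call chain is what flags the infected run.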


#13 funkyk
  • Topic Starter
  • Members
  • 10 posts

Posted 21 February 2010 - 03:41 PM



Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK


#14 syler
  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 21 February 2010 - 04:13 PM

That looks good. Can you tell me if you are still getting redirected, and post a new DDS log?



#15 funkyk
  • Topic Starter
  • Members
  • 10 posts

Posted 21 February 2010 - 05:08 PM

After my last post yesterday, the redirects were diminished by about 25 percent. This morning I noticed that only about half of all my searches were redirected, and now none of my last ten searches were redirected. I'll keep my fingers crossed.


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 6/17/2009 9:30:14 AM
System Uptime: 2/21/2010 12:36:24 PM (1 hours ago)

Motherboard: Dell Computer Corporation | |
Processor: Intel® Pentium® 4 CPU 1.80GHz | Socket 478 | 1794/400mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 29 GiB total, 19.114 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is Removable
P: is FIXED (NTFS) - 269 GiB total, 263.481 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP243: 1/13/2010 11:04:34 PM - Software Distribution Service 3.0
RP244: 1/14/2010 11:22:56 PM - Software Distribution Service 3.0
RP245: 1/16/2010 8:34:11 AM - System Checkpoint
RP246: 1/17/2010 8:52:31 AM - System Checkpoint
RP247: 1/18/2010 10:16:17 AM - System Checkpoint
RP248: 1/19/2010 10:56:50 AM - System Checkpoint
RP249: 1/20/2010 11:18:48 AM - System Checkpoint
RP250: 1/21/2010 12:43:02 AM - Software Distribution Service 3.0
RP251: 1/22/2010 12:15:49 AM - Software Distribution Service 3.0
RP252: 1/23/2010 7:18:19 AM - System Checkpoint
RP253: 1/24/2010 8:03:11 AM - System Checkpoint
RP254: 1/25/2010 8:23:39 AM - System Checkpoint
RP255: 1/26/2010 8:35:39 AM - System Checkpoint
RP256: 1/26/2010 9:42:23 PM - Installed Java™ 6 Update 18
RP257: 1/27/2010 9:45:43 PM - System Checkpoint
RP258: 1/29/2010 8:55:52 AM - System Checkpoint
RP259: 1/30/2010 10:47:04 AM - System Checkpoint
RP260: 1/30/2010 11:04:46 AM - Removed Nero 9 Trial 4.4.8.1
RP261: 1/31/2010 11:14:41 AM - System Checkpoint
RP262: 2/1/2010 1:33:32 PM - System Checkpoint
RP263: 2/2/2010 9:39:58 AM - Avg8 Update
RP264: 2/3/2010 10:48:50 AM - System Checkpoint
RP265: 2/4/2010 10:55:42 AM - System Checkpoint
RP266: 2/5/2010 11:19:34 AM - System Checkpoint
RP267: 2/6/2010 1:21:29 PM - System Checkpoint
RP268: 2/7/2010 1:28:34 PM - System Checkpoint
RP269: 2/8/2010 1:48:17 PM - System Checkpoint
RP270: 2/9/2010 2:45:21 PM - System Checkpoint
RP271: 2/10/2010 3:03:47 PM - System Checkpoint
RP272: 2/10/2010 10:40:37 PM - Software Distribution Service 3.0
RP273: 2/12/2010 12:25:22 AM - System Checkpoint
RP274: 2/13/2010 12:39:58 AM - Software Distribution Service 3.0
RP275: 2/14/2010 8:20:17 AM - System Checkpoint
RP276: 2/15/2010 8:30:12 AM - System Checkpoint
RP277: 2/16/2010 9:31:31 AM - System Checkpoint
RP278: 2/17/2010 10:09:51 AM - System Checkpoint
RP279: 2/18/2010 2:35:04 PM - System Checkpoint
RP280: 2/19/2010 10:34:36 AM - OTL Restore Point
RP281: 2/19/2010 6:22:31 PM - OTL Restore Point
RP282: 2/20/2010 5:22:54 AM - OTL Restore Point
RP283: 2/21/2010 1:01:24 PM - System Checkpoint

==== Installed Programs ======================

Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.1
Apple Application Support
Apple Software Update
AVG Free 8.5
B44Inst
BACS
Broadcom 440x Driver Installer
Broadcom Advanced Control Suite
Canon Camera Access Library
Canon Camera Support Core Library
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities PhotoStitch
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Cheetah DVD Burner
Cobian Backup 8
Dell ResourceCD
Easy CD Creator 5 Basic
Epson Event Manager
EPSON Scan
EPSON WorkForce 600 Series Printer Uninstall
FOX News Live
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
ImagXpress
Intel® Extreme Graphics Driver
iPod2PC 3.9.4
Java Auto Updater
Java™ 6 Update 18
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.5.8)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
neroxml
Nikon Message Center
Nikon Transfer
Picture Control Utility
QuickTime
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
SoundMAX
Spybot - Search & Destroy
SpywareBlaster 4.2
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
ViewNX
WebFldrs XP
Windows Backup Utility
Windows Genuine Advantage Validation Tool (KB892130)
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
Wondershare PPT2DVD Lite 5.1.5.219

==== Event Viewer Messages From Past Week ========

2/19/2010 4:06:04 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
2/19/2010 4:06:04 PM, error: Service Control Manager [7034] - The Canon Camera Access Library 8 service terminated unexpectedly. It has done this 1 time(s).
2/19/2010 4:06:04 PM, error: Service Control Manager [7031] - The AVG Free8 WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
2/16/2010 5:49:59 AM, error: Service Control Manager [7000] - The Nero BackItUp Scheduler 4.0 service failed to start due to the following error: The system cannot find the file specified.

==== End Of File ===========================



DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 13:58:10.40 on Sun 02/21/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.177 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEKA.EXE
svchost.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\Owner\MYDOCU~1\DOWNLO~1\dds.scr

============== Pseudo HJT Report ===============

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [EPSON WorkForce 600 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatieka.exe /fu "c:\docume~1\owner\locals~1\temp\E_S59.tmp" /EF "HKCU"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
DPF: {32505657-9980-0010-8000-00AA00389B71}
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1245261501015
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
TCP: {BB1FAC27-97DD-47C4-B57B-C238531BF630} = 206.63.24.5,206.63.224.5,206.63.24.6
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\gippy1q1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.egriz.com/grizboard/viewforum.php?f=1
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-17 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-17 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-17 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-17 297752]
R3 VAD_DEV;Virtual Audio Service;c:\windows\system32\drivers\vad.sys [2009-6-25 16384]

=============== Created Last 30 ================

2010-02-21 20:17:07 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-21 20:17:07 96512 ----a-w- C:\atapi.sys
2010-02-20 19:10:23 0 d-sha-r- C:\cmdcons
2010-02-20 19:08:18 98816 ----a-w- c:\windows\sed.exe
2010-02-20 19:08:18 77312 ----a-w- c:\windows\MBR.exe
2010-02-20 19:08:18 261632 ----a-w- c:\windows\PEV.exe
2010-02-20 19:08:18 161792 ----a-w- c:\windows\SWREG.exe
2010-02-20 18:43:37 0 d-----w- c:\windows\system32\CatRoot_bak
2010-02-20 00:06:03 0 d-----w- C:\_OTL
2010-02-19 23:46:07 31752 ----a-w- c:\windows\system32\drivers\klmdb.sys
2010-02-16 00:38:29 0 d-----w- c:\program files\Cobian Backup 8
2010-02-15 23:57:26 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-02-15 04:34:15 0 d-----w- c:\windows\pss
2010-02-13 21:12:39 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-02-13 21:12:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-02-13 00:14:27 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-02-13 00:14:18 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-13 00:14:17 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-12 17:52:05 74260 ----a-w- c:\windows\unins001.dat
2010-02-12 17:52:05 702297 ----a-w- c:\windows\unins001.exe
2010-02-12 17:31:07 702297 ----a-w- c:\windows\unins000.exe
2010-02-12 17:31:07 22984 ----a-w- c:\windows\unins000.dat
2010-02-12 04:33:37 0 d-----w- c:\program files\SpywareBlaster
2010-01-30 19:59:00 0 d-----w- c:\docume~1\owner\applic~1\iPod2PC3
2010-01-30 19:58:27 0 d-----w- c:\program files\iPod2PC

==================== Find3M ====================

2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:21:05 667136 ------w- c:\windows\system32\wininet.dll
2009-12-22 05:20:58 81920 ------w- c:\windows\system32\ieencode.dll
2009-12-18 01:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27:51 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:50 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll

============= FINISH: 13:58:33.60 ===============




