Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

GMER found suspicious modification


  • This topic is locked This topic is locked
23 replies to this topic

#1 foodfromafar

foodfromafar

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:01:16 PM

Posted 21 February 2010 - 08:50 AM

I started cleaning up my cousin's computer because a Generic Host Process for Win32 services error was occurring which opened a timer box (DCOM Server Process Launcher terminated unexpectedly. System will shutdown in 60 sec.) forcing computer shutdown.

In the process of fixing that, I updated and ran MBAM and found nothing. I updated and ran AVG Free and got an AVG Alert that said "Accessed file is infected. Threat successfully blocked."
File name: 94.102.55.10/index.html
Threat name: Exploit Rogue Scanner (type 1027)
Process name: C:\Windows\system 32\svchost.exe
Process ID: 1232

I decided to run DDS and GMER and ask for your help. Here are the logs:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Theofiel Dib at 1:55:46.82 on Sun 02/21/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.382.87 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Content Filter\SafeEyes.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Wireless LAN Utility\TIWLANCu.exe
svchost.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Wireless LAN Utility\tiwlnsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\AVG\AVG9\avgui.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Theofiel Dib\Local Settings\Temporary Internet Files\Content.IE5\KHQZKXAJ\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mStart Page = hxxp://www.dellnet.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: Safe &Eyes Toolbar: {430ddb4f-38cc-4e91-af33-4157334ec937} - c:\program files\internet content filter\setoolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [ICF] "c:\program files\internet content filter\SafeEyes.exe"
mRun: [TI WLAN] c:\program files\wireless lan utility\TIWLANCu.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
StartupFolder: c:\docume~1\theofi~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: ICF.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1259505648546
DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - hxxp://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38053.4251967593
DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} - hxxp://www.microsoft.com/security/controls/SassCln.CAB
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4333/mcfscan.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\theofi~1\applic~1\mozilla\firefox\profiles\0wbal76b.default\
FF - prefs.js: browser.search.selectedEngine - Search the Web
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=59099&p=
FF - component: c:\documents and settings\theofiel dib\application data\mozilla\firefox\profiles\0wbal76b.default\extensions\{19627815-20a6-46e6-be34-a0b6967c022a}\components\Engine.dll
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================


==================== Find3M ====================

2010-01-22 21:36:23 70628 ----a-w- c:\windows\War3Unin.dat
2010-01-07 21:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-22 05:21:05 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:21:05 667136 ------w- c:\windows\system32\dllcache\wininet.dll
2009-12-22 05:21:03 627712 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-12-22 05:21:02 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2009-12-22 05:21:00 3071488 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-12-22 05:20:58 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-22 05:20:58 81920 ------w- c:\windows\system32\dllcache\ieencode.dll
2009-11-29 20:11:01 12464 ----a-w- c:\windows\system32\avgrsstx.dll

============= FINISH: 1:58:48.10 ===============
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-21 08:04:57
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\THEOFI~1\LOCALS~1\Temp\kxdoapow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device pci.sys (NT Plug and Play PCI Enumerator/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8373A618

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) B49D0000-B49E4480 (83072 bytes)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Attached Files


Edited by foodfromafar, 21 February 2010 - 12:25 PM.


BC AdBot (Login to Remove)

 


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,643 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:16 PM

Posted 23 February 2010 - 05:41 AM

Hello ,
And welcome.gif to the Bleeping Computer Malware Removal Forum
. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 

animinionsmalltext.gif


#3 foodfromafar

foodfromafar
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:01:16 PM

Posted 23 February 2010 - 10:27 AM

Thank you, Elise. I will post logs later this afternoon. Pauline

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,643 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:16 PM

Posted 23 February 2010 - 12:11 PM

Okay, thanks for letting me know smile.gif

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 

animinionsmalltext.gif


#5 foodfromafar

foodfromafar
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:01:16 PM

Posted 23 February 2010 - 04:31 PM

Here is the Gmer log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-23 15:49:29
Windows 5.1.2600 Service Pack 3
Running: k1tlbh7m[1].exe; Driver: C:\DOCUME~1\THEOFI~1\LOCALS~1\Temp\kxdoapow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)
Device pci.sys (NT Plug and Play PCI Enumerator/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 83724618

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#6 foodfromafar

foodfromafar
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:01:16 PM

Posted 23 February 2010 - 05:05 PM

I ran into a small problem with the OTL thing. I ran it this morning without checking All Users. It posted both logs (OTL open and Extras minimized). When I realized my mistake, I reran it again this afternoon. This time no Extras.txt appeared in the minimized tray. I redownloaded OTL from the mirror and ran the scan again. Same thing. So the Extras log is from the scan I ran this morning. For what it's worth, there is only one User on this computer. I had to put the OTL log in 2 parts.

OTL logfile created on: 2/23/2010 4:49:49 PM - Run 4
OTL by OldTimer - Version 3.1.30.1 Folder = C:\Documents and Settings\Theofiel Dib\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

382.00 Mb Total Physical Memory | 205.00 Mb Available Physical Memory | 54.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 73.00% Paging File free
Paging file location(s): C:\pagefile.sys 1024 1024 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.84 Gb Total Space | 3.62 Gb Free Space | 6.49% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: D61Q2V21
Current User Name: Theofiel Dib
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/02/23 16:49:09 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Theofiel Dib\Desktop\OTL.exe
PRC - [2010/02/21 12:58:48 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Theofiel Dib\Desktop\Anti-Malware\OTL.exe
PRC - [2009/12/31 09:11:44 | 002,033,432 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2009/12/12 09:51:20 | 000,503,576 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2009/12/12 09:51:17 | 000,600,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2009/11/29 15:10:41 | 001,055,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2009/11/29 15:10:34 | 000,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2009/11/29 15:09:59 | 000,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2009/11/10 23:08:18 | 000,417,792 | ---- | M] (Apple Inc.) -- C:\Program Files\QuickTime\QTTask.exe
PRC - [2009/10/10 13:32:18 | 000,203,264 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
PRC - [2009/09/28 09:42:50 | 000,109,056 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
PRC - [2009/08/21 03:15:32 | 000,900,816 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\psi.exe
PRC - [2009/05/29 13:41:26 | 000,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/12/12 10:17:38 | 000,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/04/13 19:12:41 | 000,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\wscntfy.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/01/04 16:38:18 | 000,112,336 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
PRC - [2007/01/04 16:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2005/12/01 17:33:32 | 000,180,269 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2005/10/19 07:59:12 | 000,126,976 | ---- | M] (Intel Corporation) -- C:\WINDOWS\SYSTEM32\hkcmd.exe
PRC - [2005/09/30 18:22:50 | 000,096,341 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2005/03/14 11:01:36 | 001,150,976 | ---- | M] () -- C:\Program Files\Wireless LAN Utility\TIWLANCu.exe
PRC - [2004/10/25 12:35:16 | 000,049,152 | ---- | M] () -- C:\Program Files\Wireless LAN Utility\tiwlnsvc.exe
PRC - [2002/12/17 12:28:00 | 000,684,032 | ---- | M] (Roxio) -- C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
PRC - [2002/12/02 20:08:34 | 000,147,456 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
PRC - [2002/12/02 19:56:10 | 000,040,960 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
PRC - [2002/12/02 19:41:48 | 000,307,200 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
PRC - [2002/12/02 19:30:02 | 000,282,624 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
PRC - [2002/10/08 12:00:24 | 000,065,536 | ---- | M] (America Online, Inc.) -- C:\WINDOWS\wanmpsvc.exe


========== Modules (SafeList) ==========

MOD - [2010/02/23 16:49:09 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Theofiel Dib\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2009/11/29 15:09:59 | 000,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2009/09/28 09:42:50 | 000,109,056 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2009/05/30 12:30:20 | 000,541,992 | ---- | M] (Apple Inc.) [On_Demand | Stopped] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/05/29 13:41:26 | 000,144,712 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2008/12/12 10:17:38 | 000,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2007/01/04 16:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2005/09/30 18:22:50 | 000,096,341 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2005/04/04 00:41:10 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/10/25 12:35:16 | 000,049,152 | ---- | M] () [Auto | Running] -- C:\Program Files\Wireless LAN Utility\tiwlnsvc.exe -- (tiwlnsvc)
SRV - [2003/07/28 11:28:22 | 000,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2002/11/27 06:30:30 | 000,065,536 | R--- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2002/10/08 12:00:24 | 000,065,536 | ---- | M] (America Online, Inc.) [Auto | Running] -- C:\WINDOWS\wanmpsvc.exe -- (WANMiniportService) WAN Miniport (ATW)


========== Driver Services (SafeList) ==========

DRV - [2009/11/29 15:12:01 | 000,360,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2009/11/29 15:12:01 | 000,333,192 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/11/29 15:12:00 | 000,028,424 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/06/17 07:20:34 | 000,012,648 | ---- | M] (Secunia) [File_System | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\psi_mf.sys -- (PSI)
DRV - [2009/03/19 16:32:48 | 000,023,400 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2008/04/13 13:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 13:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2007/11/13 05:25:53 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\secdrv.sys -- (Secdrv)
DRV - [2007/01/10 09:26:18 | 000,044,288 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2005/10/19 07:59:12 | 000,807,998 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ialmnt5.sys -- (ialm)
DRV - [2004/12/01 18:35:16 | 000,438,912 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\TNET1130.sys -- (TNET1130)
DRV - [2004/10/07 20:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\AFS2K.SYS -- (AFS2K)
DRV - [2004/08/04 00:29:54 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\nv4_mini.sys -- (nv)
DRV - [2004/08/04 00:29:49 | 000,019,455 | ---- | M] (IntelŪ Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wvchntxx.sys -- (iAimFP4)
DRV - [2004/08/04 00:29:47 | 000,012,063 | ---- | M] (IntelŪ Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wsiintxx.sys -- (iAimFP3)
DRV - [2004/08/04 00:29:45 | 000,023,615 | ---- | M] (IntelŪ Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wch7xxnt.sys -- (iAimTV4)
DRV - [2004/08/04 00:29:43 | 000,033,599 | ---- | M] (IntelŪ Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv04nt.sys -- (iAimTV3)
DRV - [2004/08/04 00:29:42 | 000,019,551 | ---- | M] (IntelŪ Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv02nt.sys -- (iAimTV1)
DRV - [2004/08/04 00:29:41 | 000,029,311 | ---- | M] (IntelŪ Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv01nt.sys -- (iAimTV0)
DRV - [2004/08/04 00:29:37 | 000,012,415 | ---- | M] (IntelŪ Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv01nt.sys -- (iAimFP0)
DRV - [2004/08/04 00:29:37 | 000,012,127 | ---- | M] (IntelŪ Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv02nt.sys -- (iAimFP1)
DRV - [2004/08/04 00:29:37 | 000,011,775 | ---- | M] (IntelŪ Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv05nt.sys -- (iAimFP2)
DRV - [2004/08/04 00:29:36 | 000,161,020 | ---- | M] (IntelŪ Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\i81xnt5.sys -- (i81x)
DRV - [2003/11/17 15:59:20 | 000,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2003/11/17 15:58:02 | 000,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_CNXT.sys -- (winachsf)
DRV - [2003/11/17 15:56:26 | 001,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_DP.sys -- (HSF_DP)
DRV - [2003/10/08 10:12:24 | 000,120,830 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ialmsbw.sys -- ({6080A529-897E-4629-A488-ABA0C29B635E}) IntelŪ Graphics Platform (SoftBIOS)
DRV - [2003/10/08 10:12:16 | 000,098,842 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ialmkchw.sys -- ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91}) IntelŪ Graphics Chipset (KCH)
DRV - [2003/06/23 10:45:34 | 000,027,650 | ---- | M] (America Online) [Kernel | On_Demand | Stopped] -- C:\Program Files\America Online 8.0\atwpkt2.sys -- (ATWPKT2)
DRV - [2003/05/21 19:14:07 | 000,206,464 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\udfreadr_xp.sys -- (UdfReadr_xp)
DRV - [2003/05/21 19:14:07 | 000,143,834 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\pwd_2K.sys -- (pwd_2k)
DRV - [2003/05/21 19:14:07 | 000,030,630 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\Mmc_2k.sys -- (mmc_2K)
DRV - [2003/05/21 19:14:07 | 000,025,898 | ---- | M] (Roxio) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\Dvd_2k.sys -- (dvd_2K)
DRV - [2003/05/21 19:09:17 | 000,028,164 | ---- | M] (MusicMatch, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\MxlW2k.sys -- (MxlW2k)
DRV - [2003/04/15 21:50:40 | 000,009,216 | ---- | M] (SMaL Camera Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\smalidt.sys -- (SMALUSB)
DRV - [2003/04/09 13:48:08 | 000,011,043 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mdmxsdk.sys -- (mdmxsdk)
DRV - [2003/01/15 14:45:06 | 000,042,368 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2002/12/19 17:48:48 | 000,539,008 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\smwdm.sys -- (smwdm)
DRV - [2002/12/17 12:32:46 | 000,023,436 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\cdralw2k.sys -- (Cdralw2k)
DRV - [2002/12/17 12:27:32 | 000,241,152 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\cdudf_xp.sys -- (cdudf_xp)
DRV - [2002/12/13 03:06:40 | 000,129,875 | R--- | M] (Mars Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\mr97310c.sys -- (MR97310_USB_DUAL_CAMERA)
DRV - [2002/11/27 06:30:30 | 000,050,960 | R--- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\hpzid412.sys -- (HPZid412)
DRV - [2002/11/27 06:30:30 | 000,022,384 | R--- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\HPZius12.sys -- (HPZius12)
DRV - [2002/11/27 06:30:30 | 000,016,080 | R--- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\HPZipr12.sys -- (HPZipr12)
DRV - [2002/10/08 11:57:40 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2002/08/29 05:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\PTILINK.SYS -- (Ptilink)
DRV - [2002/07/19 10:22:08 | 000,017,153 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys -- (omci)
DRV - [2002/04/01 13:15:00 | 000,004,816 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\aeaudio.sys -- (aeaudio)
DRV - [2001/08/17 14:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 14:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 14:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 14:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 14:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 13:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\MODEMCSA.sys -- (MODEMCSA)
DRV - [2001/08/17 13:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 13:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 13:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 13:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 13:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 13:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 13:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 13:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 13:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 13:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/08/17 12:56:16 | 000,007,552 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\SONYPVU1.SYS -- (SONYPVU1) Sony USB Filter Driver (SONYPVU1)
DRV - [2001/08/17 12:53:32 | 000,003,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\qv2kux.sys -- (QV2KUX)
DRV - [2001/08/17 12:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\EL90XBC5.SYS -- (EL90XBC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dellnet.com/
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dellnet.com/
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-681509719-2330655198-2114175392-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-681509719-2330655198-2114175392-1006\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-21-681509719-2330655198-2114175392-1006\S-1-5-21-681509719-2330655198-2114175392-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-681509719-2330655198-2114175392-1006\S-1-5-21-681509719-2330655198-2114175392-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-681509719-2330655198-2114175392-1006\S-1-5-21-681509719-2330655198-2114175392-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========

FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com"
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.716
FF - prefs.js..keyword.URL: "http://search.freecause.com/search?fr=freecause&ourmark=3&type=59099&p="


FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2009/12/12 09:57:59 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared [2010/02/22 13:03:03 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.18\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/22 21:18:21 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.18\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/22 11:25:44 | 000,000,000 | ---D | M]

[2008/07/06 13:23:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Theofiel Dib\Application Data\Mozilla\Extensions
[2010/02/22 18:27:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Theofiel Dib\Application Data\Mozilla\Firefox\Profiles\0wbal76b.default\extensions
[2009/06/14 11:14:12 | 000,000,000 | ---D | M] (Pirates - FB) -- C:\Documents and Settings\Theofiel Dib\Application Data\Mozilla\Firefox\Profiles\0wbal76b.default\extensions\{19627815-20a6-46e6-be34-a0b6967c022a}
[2005/10/14 13:21:27 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Theofiel Dib\Application Data\Mozilla\Firefox\Profiles\0wbal76b.default\extensions\{3CC72AAB-28ED-4ea7-84D7-0A57106CA88F}
[2005/10/14 13:21:26 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Theofiel Dib\Application Data\Mozilla\Firefox\Profiles\0wbal76b.default\extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2}
[2005/10/14 13:21:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Theofiel Dib\Application Data\Mozilla\Firefox\Profiles\0wbal76b.default\extensions\temp
[2009/06/14 11:14:47 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Theofiel Dib\Application Data\Mozilla\Firefox\Profiles\0wbal76b.default\searchplugins\search-the-web.xml
[2008/07/06 13:23:11 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2009/11/29 01:59:35 | 000,000,027 | R--- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: () - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll ()
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKU\S-1-5-21-681509719-2330655198-2114175392-1006\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-681509719-2330655198-2114175392-1006\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe (Roxio)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\SYSTEM32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [TI WLAN] C:\Program Files\Wireless LAN Utility\TIWLANCu.exe ()
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe (Hewlett-Packard)
O4 - Startup: C:\Documents and Settings\Theofiel Dib\Start Menu\Programs\Startup\Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe (Secunia)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-681509719-2330655198-2114175392-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-681509719-2330655198-2114175392-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-681509719-2330655198-2114175392-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-681509719-2330655198-2114175392-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-681509719-2330655198-2114175392-1006_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-681509719-2330655198-2114175392-1006\..Trusted Domains: ([]msn in My Computer)
O15 - HKU\S-1-5-21-681509719-2330655198-2114175392-1006\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O15 - HKU\S-1-5-21-681509719-2330655198-2114175392-1006\..Trusted Domains: 26 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab (QuickTime Object)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} http://www.musicnotes.com/download/mnviewer.cab (Musicnotes Viewer)

Edited by foodfromafar, 23 February 2010 - 05:14 PM.


#7 foodfromafar

foodfromafar
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:01:16 PM

Posted 23 February 2010 - 05:56 PM

OTL log Part 2:

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Reg Error: Key error.)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdate/content/opuc3.cab (Office Update Installation Engine)
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} http://upload.facebook.com/controls/Facebo...toUploader3.cab (Facebook Photo Uploader 4 Control)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase6087.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1259505648546 (MUWebControl Class)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (HouseCall Control)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/...8053.4251967593 (Reg Error: Key error.)
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} http://www.microsoft.com/security/controls/SassCln.CAB (SassCln Object)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} http://download.mcafee.com/molbin/iss-loc/...333/mcfscan.cab (McFreeScan Class)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.197.97.138 24.197.97.133
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Theofiel Dib\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Theofiel Dib\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/03/07 23:42:45 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2003/08/15 11:02:10 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.CAM -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/02/23 16:49:22 | 000,549,376 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Theofiel Dib\Desktop\OTL.exe
[2010/02/22 17:51:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Theofiel Dib\Local Settings\Application Data\AVG Security Toolbar
[2010/02/22 16:42:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2010/02/22 13:43:12 | 000,000,000 | ---D | C] -- C:\03d6c41f7f5ea90b8fd3f192
[2010/02/22 13:03:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2010/02/22 12:59:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/02/22 12:59:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/02/22 12:59:41 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/02/22 12:59:41 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/02/21 21:03:47 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/02/21 13:49:55 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2010/02/21 10:54:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/02/21 10:49:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/02/20 17:58:06 | 004,938,120 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Theofiel Dib\My Documents\Silverlight.exe
[2010/02/20 12:14:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/02/20 12:14:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/02/20 11:48:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/02/20 11:08:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Theofiel Dib\Desktop\Unused Desktop Shortcuts
[2008/03/16 09:12:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2008/01/21 18:12:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2005/11/13 14:09:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Symantec
[2005/10/11 07:53:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Help
[2005/10/11 07:53:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Help
[2005/05/31 17:12:31 | 000,018,944 | ---- | C] ( ) -- C:\WINDOWS\System32\Implode.dll
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/02/23 16:49:09 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Theofiel Dib\Desktop\OTL.exe
[2010/02/23 16:21:23 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2010/02/23 16:18:44 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/23 16:18:35 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2010/02/23 16:18:33 | 401,133,568 | -HS- | M] () -- C:\hiberfil.sys
[2010/02/23 16:06:01 | 008,912,896 | -H-- | M] () -- C:\Documents and Settings\Theofiel Dib\NTUSER.DAT
[2010/02/23 16:06:01 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Theofiel Dib\NTUSER.INI
[2010/02/23 11:02:49 | 000,000,378 | ---- | M] () -- C:\WINDOWS\tasks\Symantec NetDetect.job
[2010/02/23 09:37:37 | 056,121,581 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/02/22 22:54:28 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/02/22 19:08:51 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Theofiel Dib\Local Settings\Application Data\prvlcl.dat
[2010/02/22 18:37:16 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/02/22 17:19:59 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/02/22 16:43:44 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2010/02/22 13:03:14 | 000,142,495 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2010/02/22 13:03:13 | 000,001,507 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG 9.0.lnk
[2010/02/22 12:37:08 | 000,062,488 | ---- | M] () -- C:\Documents and Settings\Theofiel Dib\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/02/22 12:36:07 | 000,000,135 | ---- | M] () -- C:\Documents and Settings\Theofiel Dib\Local Settings\Application Data\fusioncache.dat
[2010/02/22 11:24:38 | 000,233,576 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/02/21 21:11:15 | 000,000,732 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Acrobat_com.lnk
[2010/02/21 21:08:35 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/02/21 10:34:56 | 000,000,883 | ---- | M] () -- C:\WINDOWS\JUNO.INI
[2010/02/20 19:45:57 | 000,509,278 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/02/20 19:45:57 | 000,433,126 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2010/02/20 19:45:57 | 000,067,574 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[2010/02/20 19:37:28 | 002,104,800 | -H-- | M] () -- C:\Documents and Settings\Theofiel Dib\Local Settings\Application Data\IconCache.db
[2010/02/20 17:57:38 | 004,938,120 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Theofiel Dib\My Documents\Silverlight.exe
[2010/02/20 15:13:49 | 000,039,285 | ---- | M] () -- C:\crash.dmp
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/02/22 13:03:13 | 000,001,507 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG 9.0.lnk
[2010/02/22 12:36:07 | 000,000,135 | ---- | C] () -- C:\Documents and Settings\Theofiel Dib\Local Settings\Application Data\fusioncache.dat
[2010/02/21 21:11:15 | 000,000,732 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Acrobat_com.lnk
[2010/02/21 21:08:29 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/02/20 20:11:34 | 401,133,568 | -HS- | C] () -- C:\hiberfil.sys
[2009/12/05 09:58:28 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Theofiel Dib\Local Settings\Application Data\prvlcl.dat
[2009/11/11 21:00:18 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/07/02 14:55:26 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2009/07/02 14:55:26 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2009/07/02 14:55:26 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2009/02/08 11:05:12 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A6W.INI
[2009/02/08 11:05:07 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A5W.INI
[2007/11/26 10:44:20 | 000,000,111 | ---- | C] () -- C:\WINDOWS\marscam.ini
[2007/11/26 10:39:19 | 000,036,864 | R--- | C] () -- C:\WINDOWS\System32\mr310exv.dll
[2007/11/26 10:39:19 | 000,028,672 | R--- | C] () -- C:\WINDOWS\System32\mr310exd.dll
[2007/11/26 10:39:19 | 000,015,164 | ---- | C] () -- C:\WINDOWS\mr310twc.ini
[2007/01/13 11:17:28 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/12/09 14:36:45 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\TnetWCoInst.dll
[2005/12/08 12:29:04 | 000,010,781 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2005/11/19 21:47:45 | 000,001,749 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2005/10/01 12:04:44 | 000,000,377 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/08/09 09:19:53 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/05/31 17:12:33 | 000,131,072 | ---- | C] () -- C:\WINDOWS\System32\P2sodbc.dll
[2005/05/31 17:12:33 | 000,054,272 | ---- | C] () -- C:\WINDOWS\System32\P2irdao.dll
[2005/05/31 17:12:33 | 000,050,176 | ---- | C] () -- C:\WINDOWS\System32\P2ctdao.dll
[2005/05/31 17:12:32 | 000,748,167 | ---- | C] () -- C:\WINDOWS\System32\Co2c40en.dll
[2005/05/31 17:12:32 | 000,039,936 | ---- | C] () -- C:\WINDOWS\System32\Crxlat32.dll
[2005/05/31 17:12:32 | 000,036,352 | ---- | C] () -- C:\WINDOWS\System32\P2bbnd.dll
[2005/05/31 17:12:23 | 000,000,227 | ---- | C] () -- C:\WINDOWS\teensmrt.ini
[2005/05/30 11:50:49 | 000,003,654 | ---- | C] () -- C:\WINDOWS\System32\drivers\Sonyhcp.dll
[2005/05/21 18:14:20 | 000,000,039 | ---- | C] () -- C:\WINDOWS\System32\bre32.dll
[2005/05/14 08:08:53 | 000,000,034 | ---- | C] () -- C:\WINDOWS\Sierra.ini
[2005/01/01 20:42:09 | 000,000,632 | ---- | C] () -- C:\WINDOWS\Vtw.INI
[2004/10/07 14:46:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\TEXTART.INI
[2004/08/12 06:51:41 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2004/07/08 10:42:32 | 000,107,456 | ---- | C] () -- C:\WINDOWS\System32\sh33w32.dll
[2004/06/28 16:21:26 | 000,071,749 | ---- | C] () -- C:\WINDOWS\HCExtOutput.dll
[2004/06/28 16:21:05 | 000,000,170 | ---- | C] () -- C:\WINDOWS\GetServer.ini
[2004/05/24 06:53:29 | 000,000,194 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2004/05/06 05:56:27 | 000,000,000 | ---- | C] () -- C:\WINDOWS\MSDraw.ini
[2004/04/11 17:39:35 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2004/03/27 16:48:08 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2004/03/22 10:04:17 | 000,000,034 | ---- | C] () -- C:\WINDOWS\AuthMgr.INI
[2004/03/15 08:49:45 | 000,000,117 | ---- | C] () -- C:\WINDOWS\CIV.INI
[2003/10/02 20:00:10 | 000,000,012 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DirectCDUserNameE.txt
[2003/09/27 09:20:47 | 000,095,744 | ---- | C] () -- C:\Documents and Settings\Theofiel Dib\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2003/08/15 10:07:18 | 000,000,823 | ---- | C] () -- C:\WINDOWS\TSC.INI
[2003/06/07 07:41:43 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\Theofiel Dib\Application Data\PFP100JPR.{PB
[2003/06/07 07:41:43 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\Theofiel Dib\Application Data\PFP100JCM.{PB
[2003/06/06 20:14:01 | 000,000,883 | ---- | C] () -- C:\WINDOWS\JUNO.INI
[2003/05/21 19:15:52 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003/05/21 19:02:12 | 000,000,626 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2003/05/21 19:02:12 | 000,000,052 | ---- | C] () -- C:\WINDOWS\intuprof.ini
[2003/05/21 18:56:52 | 000,000,890 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2003/05/21 18:35:52 | 000,000,550 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/11/27 06:30:32 | 000,561,152 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[2002/11/01 15:17:50 | 000,000,256 | ---- | C] () -- C:\WINDOWS\aucfg.ini
[2002/07/04 14:05:34 | 000,000,269 | ---- | C] () -- C:\WINDOWS\tmupdate.ini
[2001/12/14 12:34:46 | 000,164,864 | ---- | C] () -- C:\WINDOWS\patchw32.dll
[1999/07/23 12:46:48 | 000,000,116 | ---- | C] () -- C:\WINDOWS\AuHCcup1.ini
[1999/07/23 09:53:20 | 000,129,536 | ---- | C] () -- C:\WINDOWS\AuHCcup1.dll
[1997/06/13 19:56:08 | 000,056,320 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll
[1996/08/05 23:00:00 | 000,116,736 | ---- | C] () -- C:\WINDOWS\System32\PCDLIB32.DLL

========== Alternate Data Streams ==========

@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
< End of report >

OTL Extras log from this morning:

OTL Extras logfile created on: 2/23/2010 9:09:35 AM - Run 1
OTL by OldTimer - Version 3.1.30.1 Folder = C:\Documents and Settings\Theofiel Dib\Desktop\Anti-Malware
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

382.00 Mb Total Physical Memory | 93.00 Mb Available Physical Memory | 24.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 48.00% Paging File free
Paging file location(s): C:\pagefile.sys 1024 1024 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.84 Gb Total Space | 3.67 Gb Free Space | 6.57% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: D61Q2V21
Current User Name: Theofiel Dib
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.hta [@ = htafile] -- Reg Error: Key error. File not found
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-681509719-2330655198-2114175392-1006\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htafile [open] -- Reg Error: Key error.
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"6112:TCP" = 6112:TCP:*:Enabled:warcraftIII

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\AIM95\aim.exe" = C:\Program Files\AIM95\aim.exe:*:Enabled:AOL Instant Messenger -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Disabled:RealOne Player -- (RealNetworks, Inc.)
"C:\Program Files\Warcraft III\Warcraft III.exe" = C:\Program Files\Warcraft III\Warcraft III.exe:*:Enabled:Warcraft III -- (Blizzard Entertainment)
"C:\Program Files\AIM95\aim.exe" = C:\Program Files\AIM95\aim.exe:*:Enabled:AOL Instant Messenger -- File not found
"C:\Program Files\Common Files\aol\Loader\aolload.exe" = C:\Program Files\Common Files\aol\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL LLC)
"C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM -- File not found
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- File not found
"C:\Program Files\AVG\AVG8\avgemc.exe" = C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe -- File not found
"C:\Program Files\Warcraft III\Frozen Throne.exe" = C:\Program Files\Warcraft III\Frozen Throne.exe:*:Enabled:Warcraft III - The Frozen Throne -- (Blizzard Entertainment)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe" = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare -- (Eastman Kodak Company)
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AIM -- (AOL LLC)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Disabled:Bonjour -- (Apple Inc.)
"C:\Program Files\AVG\AVG9\avgdiagex.exe" = C:\Program Files\AVG\AVG9\avgdiagex.exe:*:Enabled:avgdiagex.exe -- (AVG Technologies CZ, s.r.o.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{007B37D9-0C45-4202-834B-DD5FAAE99D63}" = ArcSoft Print Creations - Slimline Card
"{01501EBA-EC35-4F9F-8889-3BE346E5DA13}" = MSXML4 Parser
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{07DEC7A1-F8D2-4DBB-900B-A2F9302647BB}" = Wireless LAN Utility
"{11F1920A-56A2-4642-B6E0-3B31A12C9288}" = Dell Solution Center
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD
"{151C555A-A9E7-4A2E-B6D7-165D04A3C956}" = Dell Picture Studio - Dell Image Expert
"{29D88826-2AB9-11D5-8854-00902761A46D}" = WordPerfect Office 2002
"{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}" = essvatgt
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{42938595-0D83-404D-9F73-F8177FDD531A}" = ESScore
"{43FCA273-9534-40DB-B7C5-D7758875616A}" = Dell Support
"{4537EA4B-F603-4181-89FB-2953FC695AB1}" = netbrdg
"{45893FEB-30FD-4034-8661-3BA4238FE67A}" = Britannica Ready Reference
"{468190DA-FB4C-45BA-8E40-4B165FF1A939}" = BACS
"{4B9F45E8-E3CE-40B4-9463-80A9B3481DEF}" = Banctec Service Agreement
"{5316DFC9-CE99-4458-9AB3-E8726EDE0210}" = skin0001
"{544FB392-069D-4BA5-9DC7-FFD47230AEE5}" = Photohands 1.0E
"{54DD126C-E5F5-404C-B4B7-66DF7FD4F2FF}" = MSSoap
"{56589DFE-0C29-4DFE-8E42-887B771ECD23}" = ArcSoft Print Creations - Photo Book
"{569FEA14-88A3-4EF1-89D0-78939AB21286}" = Oregon Scientific DS6628 Photo Album
"{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}" = Sony USB Driver
"{605A4E39-613C-4A12-B56F-DEFBE6757237}" = SHASTA
"{608D2A3C-6889-4C11-9B54-A42F45ACBFDB}" = fflink
"{609F7AC8-C510-11D4-A788-009027ABA5D0}" = Easy CD Creator 5 Basic
"{64116298-93C5-401D-B06C-39D8E3338508}" = DAO
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{643EAE81-920C-4931-9F0B-4B343B225CA6}" = ESSBrwr
"{659B48CD-0608-4ED5-94C0-0B6C87114F10}" = Apple Mobile Device Support
"{68D5CEF9-0DA8-47FE-B0EB-4CBFB5AAF662}" = ArcSoft PhotoImpression 4
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}" = HP Photo and Imaging 2.0 - All-in-One Drivers
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{84F1DE76-C48C-4281-87A0-CC9548D1E7F9}" = Rhapsody Player Engine
"{8943CE61-53BD-475E-90E1-A580869E98A2}" = staticcr
"{8A502E38-29C9-49FA-BCFA-D727CA062589}" = ESSTOOLS
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver
"{8E92D746-CD9F-4B90-9668-42B74C14F765}" = ESSini
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90D55A3F-1D99-4C94-A77E-46DC14F0BF08}" = Help and Support Customization
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{91517631-A9F3-4B7C-B482-43E0068FD55A}" = ESSgui
"{9591C049-5CAE-4E89-A8D9-191F1899628B}" = ArcSoft Print Creations - Funhouse
"{9867A917-5D17-40DE-83BA-BEA5293194B1}" = HP Photo and Imaging 2.0 - All-in-One
"{999D43F4-9709-4887-9B1A-83EBB15A8370}" = VPRINTOL
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}" = ESSCDBK
"{B0D83FCD-9D42-43ED-8315-250326AADA02}" = ArcSoft Print Creations - Scrapbook
"{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}" = OfotoXMI
"{B376402D-58EA-45EA-BD50-DD924EB67A70}" = HP Memories Disc
"{B43357AA-3A6D-4D94-B56E-43C44D09E548}" = Microsoft .NET Framework (English)
"{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}" = CCScore
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries
"{C79CB9C7-10A4-4814-8402-F574672C2192}" = Star Wars Battlefront
"{C900EF06-2E76-49C7-8DB0-41F629B21DC5}" = hp psc 1200 series
"{CA9ED5E4-1548-485B-A293-417840060158}" = ArcSoft Print Creations - Photo Calendar
"{CAE8A0F1-B498-4C23-95FA-55047E730C8F}" = ArcSoft Print Creations
"{CC5702D7-86E2-45A8-99D7-E8B976ADCC56}" = iTunes
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D1B3874F-3057-11D6-B2EA-0050BA18806B}" = Camera Driver
"{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = Kodak EasyShare software
"{D6DE02C7-1F47-11D4-9515-00105AE4B89A}" = Paint Shop Pro 7
"{DB02F716-6275-42E9-B8D2-83BA2BF5100B}" = SFR
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{E6B4117F-AC59-4B13-9274-EB136E8897EE}" = ArcSoft Print Creations - Album Page
"{E79987F0-0E34-42CC-B8FF-6C860AEEB26A}" = tooltips
"{F04F9557-81A9-4293-BC49-2C216FA325A7}" = ArcSoft Print Creations - Greeting Card
"{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}" = SKINXSDK
"{F9593CFB-D836-49BC-BFF1-0E669A411D9F}" = WIRELESS
"{FCDB1C92-03C6-4C76-8625-371224256091}" = ESSPDock
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"AIM_7" = AIM 7
"AOL Uninstaller" = AOL Uninstaller (Choose which Products to Remove)
"AolCoach" = AOL Coach Version 1.0(Build:20020823.1)
"AVG9Uninstall" = AVG 9.0
"CAL" = Canon Camera Access Library
"CameraWindowDVC5" = Canon Camera Window DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Camera Window DC_DV 6 for ZoomBrowser EX
"CameraWindowMC" = Canon Camera Window MC 6 for ZoomBrowser EX
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"CD-Cover Editor_is1" = CD-Cover Editor 3.0
"Civilization II Multiplayer Gold Edition" = Civilization II Multiplayer Gold Edition
"CNXT_MODEM_PCI_VEN_14F1&DEV_2702" = Conexant SmartHSFi V92 56K DF PCI Modem
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1" = Conexant D850 56K V.9x DFVc Modem
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Compton's Interactive Encyclopedia 1997" = Compton's Interactive Encyclopedia 1997
"CSCLIB" = Canon Camera Support Core Library
"Diablo II" = Diablo II
"EOS Utility" = Canon Utilities EOS Utility
"hp instant support" = hp instant support
"HP PSC 1200 Series" = HP Photo and Imaging 2.0 - hp psc 1200 series
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"InstallShield_{468190DA-FB4C-45BA-8E40-4B165FF1A939}" = Broadcom Advanced Control Suite
"IrfanView" = IrfanView (remove only)
"Juno" = Juno
"LiveReg" = LiveReg (Symantec Corporation)
"LiveUpdate" = LiveUpdate 2.6 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Medieval Total War" = Medieval Total War
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework Full v1.0.3705 (1033)" = Microsoft .NET Framework (English) v1.0.3705
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"Mozilla Firefox (3.0.18)" = Mozilla Firefox (3.0.18)
"MSPUB4" = Microsoft Publisher 97
"MUSICMATCH Jukebox" = MUSICMATCH Jukebox
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PhotoStitch" = Canon Utilities PhotoStitch
"Quicken 2002 New User Edition" = Quicken 2002 New User Edition
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RemoteCaptureTask" = Canon RemoteCapture Task for ZoomBrowser EX
"Secunia PSI" = Secunia PSI
"Smilez" = Smilez 3.0
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.2
"SpywareBlaster_is1" = SpywareBlaster 4.2
"Starcraft" = Starcraft
"teenSMARTŪ" = teenSMARTŪ
"Viewpoint Manager" = Viewpoint Manager (Remove Only)
"ViewpointMediaPlayer" = Viewpoint Media Player
"WeatherBug" = WeatherBug
"WIC" = Windows Imaging Component
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows XP Service Pack" = Windows XP Service Pack 3
"WordPerfect Office 2002" = WordPerfect Office 2002
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-681509719-2330655198-2114175392-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Warcraft III" = Warcraft III: All Products

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/21/2010 2:50:21 PM | Computer Name = D61Q2V21 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 2/21/2010 2:50:32 PM | Computer Name = D61Q2V21 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/21/2010 2:50:32 PM | Computer Name = D61Q2V21 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/22/2010 2:25:26 PM | Computer Name = D61Q2V21 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/22/2010 2:25:28 PM | Computer Name = D61Q2V21 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/22/2010 2:26:20 PM | Computer Name = D61Q2V21 | Source = Application Hang | ID = 1001
Description = Fault bucket 724398357.

Error - 2/22/2010 2:26:20 PM | Computer Name = D61Q2V21 | Source = Application Hang | ID = 1001
Description = Fault bucket 724398357.

Error - 2/22/2010 6:52:05 PM | Computer Name = D61Q2V21 | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3685, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 2/22/2010 6:52:13 PM | Computer Name = D61Q2V21 | Source = Application Hang | ID = 1001
Description = Fault bucket 1696040612.

Error - 2/22/2010 9:03:06 PM | Computer Name = D61Q2V21 | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 11.0.8313.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 2/21/2010 4:56:42 PM | Computer Name = D61Q2V21 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 2/21/2010 4:56:42 PM | Computer Name = D61Q2V21 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 2/22/2010 12:25:06 PM | Computer Name = D61Q2V21 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 2/22/2010 12:25:06 PM | Computer Name = D61Q2V21 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 2/22/2010 1:25:46 PM | Computer Name = D61Q2V21 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 2/22/2010 1:25:46 PM | Computer Name = D61Q2V21 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 2/22/2010 5:42:13 PM | Computer Name = D61Q2V21 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 2/22/2010 5:42:13 PM | Computer Name = D61Q2V21 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 2/22/2010 6:05:13 PM | Computer Name = D61Q2V21 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 2/22/2010 6:05:13 PM | Computer Name = D61Q2V21 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.


< End of report >


#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,643 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:16 PM

Posted 24 February 2010 - 05:55 AM

Hello foodfromafar,

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 

animinionsmalltext.gif


#9 foodfromafar

foodfromafar
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:01:16 PM

Posted 24 February 2010 - 10:24 AM

Hello, Elise! The computer in question is mostly used for as a web browser and for email. I would like to clean it up as much as possible and then encourage my cousin to reinstall/reformat. I read the article about reformatting and wanted to make sure that I will safely be able to backup all picture files, documents, and stuff saved. Will the backdoor problem be gone once the OS is reinstalled? I really appreciate your help with all of this! Pauline

ComboFix 10-02-23.04 - Theofiel Dib 02/24/2010 9:05.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.382.24 [GMT -5:00]
Running from: c:\documents and settings\Theofiel Dib\Desktop\ComboFix.exe
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\BackUp
c:\windows\EventSystem.log
c:\windows\system32\SIntf16.dll

----- BITS: Possible infected sites -----

hxxp://ds.dellfix.com
.
((((((((((((((((((((((((( Files Created from 2010-01-24 to 2010-02-24 )))))))))))))))))))))))))))))))
.

2010-02-22 22:51 . 2010-02-22 22:51 -------- d-----w- c:\documents and settings\Theofiel Dib\Local Settings\Application Data\AVG Security Toolbar
2010-02-22 18:43 . 2010-02-22 18:52 -------- d-----w- C:\03d6c41f7f5ea90b8fd3f192
2010-02-22 18:03 . 2010-02-22 18:30 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-02-22 17:36 . 2010-02-22 17:36 135 ----a-w- c:\documents and settings\Theofiel Dib\Local Settings\Application Data\fusioncache.dat
2010-02-21 18:49 . 2010-02-21 21:11 -------- d-----w- c:\program files\Windows Live Safety Center
2010-02-21 15:49 . 2010-02-21 15:54 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-02-21 11:03 . 2010-02-21 11:03 -------- d-s---w- c:\documents and settings\NetworkService\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-24 13:41 . 2009-07-04 12:43 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-02-24 00:08 . 2009-12-05 14:58 0 ----a-w- c:\documents and settings\Theofiel Dib\Local Settings\Application Data\prvlcl.dat
2010-02-23 03:54 . 2007-07-04 00:32 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-23 01:41 . 2003-06-07 01:13 -------- d-----w- c:\program files\Juno
2010-02-22 18:02 . 2010-02-23 14:40 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-02-22 18:02 . 2010-02-23 14:40 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-02-22 17:58 . 2009-11-29 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-22 17:37 . 2003-06-07 00:25 62488 ----a-w- c:\documents and settings\Theofiel Dib\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-22 16:26 . 2009-11-29 13:35 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-22 02:07 . 2003-07-01 23:19 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-22 01:58 . 2009-11-29 14:01 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-22 01:56 . 2010-02-22 02:10 38784 ----a-w- c:\documents and settings\Theofiel Dib\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-22 01:54 . 2010-02-22 01:54 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-02-20 22:27 . 2009-11-29 05:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-20 22:26 . 2010-02-20 22:26 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-22 21:43 . 2006-02-25 21:53 -------- d-----w- c:\program files\Warcraft III
2010-01-22 21:36 . 2006-02-25 21:56 70628 ----a-w- c:\windows\War3Unin.dat
2010-01-08 01:08 . 2010-01-08 01:08 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-01-07 21:07 . 2009-11-29 05:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-11-29 05:01 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 16:50 . 2002-08-29 10:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:21 . 2004-02-06 22:05 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2002-08-29 10:00 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2002-08-29 10:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-04 18:22 . 2002-08-29 10:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-29 20:12 . 2008-06-25 10:16 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-29 20:12 . 2008-06-25 10:16 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-29 20:12 . 2007-01-10 14:27 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-29 20:11 . 2008-06-25 10:16 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-27 17:11 . 2005-08-09 14:19 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11 . 2004-03-08 12:28 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07 . 2002-08-29 10:00 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2002-08-29 10:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2002-08-29 10:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2002-08-29 10:00 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07 . 2002-08-29 10:00 11264 ----a-w- c:\windows\system32\msrle32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 18:02 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"TI WLAN"="c:\program files\Wireless LAN Utility\TIWLANCu.exe" [2005-03-14 1150976]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-12-01 180269]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\Theofiel Dib\Start Menu\Programs\Startup\
Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2009-8-21 900816]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-5-21 24576]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2002-12-2 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2002-12-2 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-29 20:11 12464 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 20:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 06:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-05-30 17:30 292136 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2005-12-01 22:33 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:warcraftIII

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [6/25/2008 5:16 AM 333192]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [6/25/2008 5:16 AM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/29/2009 3:09 PM 285392]
R3 PSI;PSI;c:\windows\SYSTEM32\DRIVERS\psi_mf.sys [6/17/2009 7:20 AM 12648]
R3 TNET1130;802.11 WLAN;c:\windows\SYSTEM32\DRIVERS\TNET1130.sys [12/9/2006 2:36 PM 438912]
S3 oflpydin;oflpydin;\??\c:\docume~1\THEOFI~1\LOCALS~1\Temp\oflpydin.sys --> c:\docume~1\THEOFI~1\LOCALS~1\Temp\oflpydin.sys [?]
S3 SMALUSB;Digital Camera Driver;c:\windows\SYSTEM32\DRIVERS\smalidt.sys [8/3/2005 8:12 AM 9216]
.
Contents of the 'Scheduled Tasks' folder

2010-02-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]

2004-08-27 c:\windows\Tasks\FRU Task 2002-12-03 04:38ewlett-Packard2002-12-03 04:38p psc 1200 series84887B468ABA3F57D76752217D5938688025EB21085400828.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-12-03 00:38]

2010-02-24 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-08-15 16:24]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.dellnet.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Theofiel Dib\Application Data\Mozilla\Firefox\Profiles\0wbal76b.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=59099&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false.
- - - - ORPHANS REMOVED - - - -

AddRemove-Medieval Total War - c:\program files\Total War\Medieval - Total War\Uninst.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-24 09:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x83724618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7793f28
\Driver\ACPI -> ACPI.sys @ 0xf7706cb8
\Driver\atapi -> atapi.sys @ 0xf76be852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xf75cabb0
PacketIndicateHandler -> NDIS.sys @ 0xf75b9a0d
SendHandler -> NDIS.sys @ 0xf75cdb40
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-681509719-2330655198-2114175392-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2010-02-24 09:38:53
ComboFix-quarantined-files.txt 2010-02-24 14:38
ComboFix2.txt 2009-11-29 07:35

Pre-Run: 3,962,408,960 bytes free
Post-Run: 5,105,737,728 bytes free

- - End Of File - - 8DF396734ED5D41A656A4CF200BC4E4F


#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,643 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:16 PM

Posted 24 February 2010 - 10:29 AM

Yes, the backdoor will be gone after you do a complete reformat and re-install. However, I recommend you to wait a bit with backup, its better to do that when everything is cleaned up. There still is a nasty rootkit on board.
  • Please download TDSSKiller.zip and save it to your desktop.
  • Extract the zip file to your desktop (important, before continuing, make sure the file is located on your desktop, otherwise the following steps will not work!).
  • Click start > run and copy paste the following bolded text in the run box
    "%userprofile%\desktop\tdsskiller.exe" -l report.txt.
  • When it finished press any key to continue.
  • If needed reboot the computer.
A logfile (report.txt) will be created on your desktop. Please post its contents in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 

animinionsmalltext.gif


#11 foodfromafar

foodfromafar
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:01:16 PM

Posted 24 February 2010 - 12:20 PM

Hi, Elise! I didn't quite understand the tdskiller instructions and managed to run the thing and reboot without generating the log.txt. I ran TDSkiller again after the reboot because it occurred to me I did it wrong and I finally figured out how to do the Start/Run copy paste thing, but the tdskiller box said that everything was fixed upon startup.

What shall I do now? Pauline


#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,643 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:16 PM

Posted 24 February 2010 - 01:29 PM

Please let me know if the redirects are gone and re-run Combofix. Post me the log afterwards. This will show me if the rootkit is gone indeed.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 

animinionsmalltext.gif


#13 foodfromafar

foodfromafar
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:01:16 PM

Posted 24 February 2010 - 08:29 PM

Hi, Elise! The computer is running absolutely fine. Here is the combofix log. For grins I did a gmer scan and there is no longer any suspicious thing reported.

ComboFix 10-02-24.01 - Theofiel Dib 02/24/2010 19:53:29.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.382.73 [GMT -5:00]
Running from: c:\documents and settings\Theofiel Dib\Desktop\ComboFix.exe
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-01-25 to 2010-02-25 )))))))))))))))))))))))))))))))
.

2010-02-22 22:51 . 2010-02-22 22:51 -------- d-----w- c:\documents and settings\Theofiel Dib\Local Settings\Application Data\AVG Security Toolbar
2010-02-22 18:43 . 2010-02-22 18:52 -------- d-----w- C:\03d6c41f7f5ea90b8fd3f192
2010-02-22 18:03 . 2010-02-22 18:30 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-02-22 17:36 . 2010-02-22 17:36 135 ----a-w- c:\documents and settings\Theofiel Dib\Local Settings\Application Data\fusioncache.dat
2010-02-21 18:49 . 2010-02-21 21:11 -------- d-----w- c:\program files\Windows Live Safety Center
2010-02-21 15:49 . 2010-02-21 15:54 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-02-21 11:03 . 2010-02-21 11:03 -------- d-s---w- c:\documents and settings\NetworkService\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-24 16:11 . 2009-07-04 12:43 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-02-24 15:39 . 2002-08-29 06:27 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-24 00:08 . 2009-12-05 14:58 0 ----a-w- c:\documents and settings\Theofiel Dib\Local Settings\Application Data\prvlcl.dat
2010-02-23 03:54 . 2007-07-04 00:32 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-23 01:41 . 2003-06-07 01:13 -------- d-----w- c:\program files\Juno
2010-02-22 18:02 . 2010-02-23 14:40 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-02-22 18:02 . 2010-02-23 14:40 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-02-22 17:58 . 2009-11-29 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-22 17:37 . 2003-06-07 00:25 62488 ----a-w- c:\documents and settings\Theofiel Dib\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-22 16:26 . 2009-11-29 13:35 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-22 02:07 . 2003-07-01 23:19 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-22 01:58 . 2009-11-29 14:01 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-22 01:56 . 2010-02-22 02:10 38784 ----a-w- c:\documents and settings\Theofiel Dib\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-22 01:54 . 2010-02-22 01:54 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-02-20 22:27 . 2009-11-29 05:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-20 22:26 . 2010-02-20 22:26 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-22 21:43 . 2006-02-25 21:53 -------- d-----w- c:\program files\Warcraft III
2010-01-22 21:36 . 2006-02-25 21:56 70628 ----a-w- c:\windows\War3Unin.dat
2010-01-08 01:08 . 2010-01-08 01:08 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-01-07 21:07 . 2009-11-29 05:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-11-29 05:01 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 16:50 . 2002-08-29 10:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:21 . 2004-02-06 22:05 667136 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2002-08-29 10:00 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2002-08-29 10:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-04 18:22 . 2002-08-29 10:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-29 20:12 . 2008-06-25 10:16 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-29 20:12 . 2008-06-25 10:16 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-29 20:12 . 2007-01-10 14:27 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-29 20:11 . 2008-06-25 10:16 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-27 17:11 . 2005-08-09 14:19 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11 . 2004-03-08 12:28 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07 . 2002-08-29 10:00 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2002-08-29 10:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2002-08-29 10:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2002-08-29 10:00 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07 . 2002-08-29 10:00 11264 ----a-w- c:\windows\system32\msrle32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 18:02 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"TI WLAN"="c:\program files\Wireless LAN Utility\TIWLANCu.exe" [2005-03-14 1150976]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-12-01 180269]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\Theofiel Dib\Start Menu\Programs\Startup\
Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2009-8-21 900816]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-5-21 24576]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2002-12-2 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2002-12-2 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-29 20:11 12464 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 20:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 06:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-05-30 17:30 292136 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2005-12-01 22:33 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:warcraftIII

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [6/25/2008 5:16 AM 333192]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [6/25/2008 5:16 AM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/29/2009 3:09 PM 285392]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 1:35 PM 24652]
R3 PSI;PSI;c:\windows\SYSTEM32\DRIVERS\psi_mf.sys [6/17/2009 7:20 AM 12648]
S3 oflpydin;oflpydin;\??\c:\docume~1\THEOFI~1\LOCALS~1\Temp\oflpydin.sys --> c:\docume~1\THEOFI~1\LOCALS~1\Temp\oflpydin.sys [?]
S3 SMALUSB;Digital Camera Driver;c:\windows\SYSTEM32\DRIVERS\smalidt.sys [8/3/2005 8:12 AM 9216]
S3 TNET1130;802.11 WLAN;c:\windows\SYSTEM32\DRIVERS\TNET1130.sys [12/9/2006 2:36 PM 438912]

--- Other Services/Drivers In Memory ---

*Deregistered* - klmd21
*Deregistered* - kxdoapow
.
Contents of the 'Scheduled Tasks' folder

2010-02-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]

2004-08-27 c:\windows\Tasks\FRU Task 2002-12-03 04:38ewlett-Packard2002-12-03 04:38p psc 1200 series84887B468ABA3F57D76752217D5938688025EB21085400828.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-12-03 00:38]

2010-02-25 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-08-15 16:24]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.dellnet.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Theofiel Dib\Application Data\Mozilla\Firefox\Profiles\0wbal76b.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=59099&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-24 20:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-681509719-2330655198-2114175392-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2010-02-24 20:23:37
ComboFix-quarantined-files.txt 2010-02-25 01:23
ComboFix2.txt 2010-02-24 14:38
ComboFix3.txt 2009-11-29 07:35

Pre-Run: 5,047,312,384 bytes free
Post-Run: 5,002,399,744 bytes free

- - End Of File - - 313F62819F172148A346C1D56635C79B


#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,643 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:16 PM

Posted 25 February 2010 - 02:38 AM

Indeed the rootkit is gone. I want to check out two services next.

Click Start > Run, type notepad in the runbox and press enter.
Copy/paste the text in the codebox below into Notepad and save it as peek.bat to your desktop.
CODE
@echo off
regedit /e "klmd21.txt" "HKey_Local_Machine\System\CurrentControlSet\Services\klmd21"
regedit /e "kxdoapow.txt" "HKey_Local_Machine\System\CurrentControlSet\Services\kxdoapow"
start klmd21.txt
start kxdoapow.txt
del %0
Exit Notepad and doubleclick on peek.bat to run it. Two text files will open. Please post their contents in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 

animinionsmalltext.gif


#15 foodfromafar

foodfromafar
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:01:16 PM

Posted 25 February 2010 - 05:49 PM

Hi, Elise,

When peek.bat ran, a box popped up that said, "Windows cannot find 'klmd21.txt'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users