
Infected with Dr. Guard - what to do


  • This topic is locked
89 replies to this topic

#1 Raksha

  • Members
  • 52 posts

Posted 11 March 2010 - 02:50 AM

Virus threat in chronological order (on my computer, and what I tried to get rid of).

Note: I'm not too familiar with computers; I try to tell my events/adventures chronologically.

My computer had crashed - not such an unusual feature; most of the time it happens when Windows has downloaded an update or something (after restarting the computer, it asks you to install the Windows updates and restart the system).

Not entirely awake on a Monday morning, I said yes, and was confronted with Dr. Guard, flashing around, warning me. The first thing I did was search in Windows Explorer for the threats and locations it mentioned (couldn't find them). Then I tried to uninstall Dr. Guard, but couldn't find any option for that either.

Next thing I knew were:
1. No Windows Task Manager available (no ctrl-alt-del function, "not allowed by administrator" - what the beep, I'm the administrator!)
2. Dr. Guard knocked down my Windows Defender
3. Dr. Guard knocked down my firewall (all open)
4. Dr. Guard ensured that my Google search (with Firefox) pages could not be opened ("wrong URL address" or something).

I removed the connection with internet. Dr. Guard kept flashing around.

Borrowing someone's laptop (with internet) resulted in finding your page (amongst others). Initially, I wasn't sure which anti-Dr. Guard actions I could rely on (they could be from the same "origin" as the malware itself). I decided not to download the program from some sites ("automatically remove Dr. Guard", for example: http://deletemalware.blogspot.com/2010/02/...s-program.html)

Actions taken so far:
1. Kept internet unplugged (not connected to PC)

2. Searched for Dr. Guard folders & tried to delete some of the files by hand (windows explorer) and with Windows commander.

3. Tried to get back my Task Manager by starting the PC in [safe mode] using directions found somewhere on the internet (borrowed laptop). In this mode, I was able to remove more files from the Dr. Guard folder on C and found folders used on 08Mar2010, which I searched and decided to delete items from that day (I hadn't done any work yet; lose a day - so what, I was thinking). Restarted the computer into "normal mode".

4. DLed rkill.com (from your site, onto a memory stick) and ran it on the infected PC (see log, it detected something)
5. Ran iExplore.exe and eXplorer.exe as well, just to be on the safe side.

6. I DLed and installed Malwarebytes' Anti-Malware and ran it as described in your tutorial. This needed a connection to the internet, on which Dr. Guard (or whatever else) became pretty active, opening Internet Explorer and loads of popups/warning threats (most added in attached doc. with screencaptures).

7. Internet connection removed, Malwarebytes' run 1x & restarted (hoping most would be gone)

8. Malwarebytes' re-run after restart - still popups in low right hand corner ("PC under attack" etc). (see screenshots)


9. Stupid me, I decided to install an AVG version (free) which I had downloaded in Oct 2009. This appeared to need an internet connection (the first time failed since there was no internet, and it noticed Norman residues which I had been unable to uninstall after it botched up somewhere in Dec2009).

10. Next time, I allowed AVG on the internet - terrible mistake - while Malwarebytes' was running, Dr. Guard residues picked up speed again.

11. In the meantime, I was able to use Windows Task Manager again, and saw rapid switching under [processes]. Really, I tried to pin down e.g. asr64_ldm.exe, but in the [processes] tab it kept popping in and out faster than I could click with my mouse. Nothing showed up in the [applications] tab.

12. After this, I repeated complete scans of all my drives connected at the time (once, no finds) and C drive over and over again.

13. I also tried rkill.com again, but now the [command prompt] (?) stayed completely black, and a popup showed up (I might have taken a screenshot of it).

14. Now, every time I restart the computer, the "windows" screen starts black, with a message

Header: winlogon.exe Ongeldig beeld (invalid image (?))
Tekst: C:\Douments and settings\Local Service.NT tutorial (?)\Local Settings\Application data\Windows Server\qvxoob.dll. Controleer dit op uw installatiedisk (verify this on your installation disk). See also made screencaps.

15. After clicking on the [X] button, I was able to select my profile to logon. The PC will start in my desktop, but several of the above mentioned buttons keep popping up. All recommending me to verify it on my installation disk.

Here is a list of all the .exe's mentioned in the header of each of those (sometimes .dll's also pop up; I didn't jot those down).
• Winlogon.exe (all followed by same message & referring to qvxoob.dll)
• userinit.exe
• dnusax.exe
• CMD.EXE
• net.exe
Sometimes the following also pops up (with a command prompt in the background), esp. when shutting down the PC again.
• lsass.exe


16. I went on to protect my PC - turning on my firewall (again), using the Windows XP one. Forgot to check Windows Defender (Ad-aware was a lost cause, too old).

17. (10Mar10) Starting up, after clicking away in pt. 15 mentioned "alarms":
lsass.exe - Toepassing
De instructie op 0x774bdf1b verwijst naar geheugen op 0x00000018. De lees of schrijfbewerking ("read") op het geheugen is mislukt.
(roughly translated: the instruction on 0x774bdf1b refers to memory on 0x00000018. The action (read or write) failed)
In the background a black screen (command prompt) popped up; this hadn't happened before.

18. Restarted in safe mode: finally removed lsass.exe in the Documents and Settings area manually (it wasn't removed by Malwarebytes' after screening & rebooting many times). I didn't dare to remove the other file mentioned (since it's in the System32 folder). What to do with this one?
Locations of files detected by Malwarebytes'
C:\Documents and Settings\Geertje\Local Settings\Temp\IXP000.TMP\lsass.exe
C:\WINDOWS\system32\drivers\pkrkegnv.sys

(the first is a whole folder with dubiously named files; could I delete them all, and how? They refuse to leave, see screenshot, pg. 37 - not attached)

19. Restart and rerun Malwarebytes' showed that the lsass.exe was back, with a new friend (lsass no extension).

20. Before making a backup, I wanted to run AVG rescue CD virus killer. Booted the Computer to AVG CD, ran a scan on all discs. AVG (dated from: 10Jan2010, 16:53hrs) showed these 2 culprits on the C drive:
C:\Windows\system32\dllcache\ndis.sys Trojan Horse rootkit-Pakes.AA
C:\Windows\system32\drivers\ndis.sys Trojan Horse rootkit-Pakes.AA

Can I delete those? (I haven’t yet)
Also: AVG wants to access the internet – I’m afraid to do so (but for updates it’s needed).
Observations
No icons of Dr. Guard present in right hand bottom corner.


My questions:
- how to get rid of the last files detected by Malwarebytes’?
- Are there any more files which weren’t (can’t be yet) detected by Malwarebytes’? I want to be sure, before I get online (on the internet) again.

It might not be Dr. Guard anymore, but something else bothering my computer currently. (I’ve never rigorously cleaned my PC like this…).

- (therefore:) how can I be sure all “findable” malware has been removed?
- Can I expect any damage – from the things previously detected & removed?
- Is it safe now to let my PC access the internet – of course, with all the “protecting programs” running .
- The popups concerning e.g. winlogon.exe etc, are (were) these errors introduced by the virus? Or is there something seriously damaged in my computer system?
- (side question) how do I remove lingering bits of Norman Security? (it must be in the registry or something. After it budged, I couldn't uninstall it like the usual software, so I manually deleted the files).


This is a loooong post, I hope I'm not asking the impossible. I would be grateful for any assistance. Thanks.

(turns out I can't attach the screencaps)

Edit 1:
I acted according to the "remove Dr. Guard" post
I haven't come around all the points yet of the "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help" - still have to make a backup and disable CD emulation software (I run Alcohol 120%). Screenshots and the above text can be supplied in Word doc's if required.

Edit 2:
textual corrections


Edited by Raksha, 11 March 2010 - 03:05 AM.



#2 Raksha

  • Topic Starter
  • Members
  • 52 posts

Posted 12 March 2010 - 02:46 AM

Update (Actions taken on 11Mar2010)

Here is an overview of activities on my infected computer (maybe someone can point me in the right direction). This continues from the first and quite extensive post.

1- I decided to delete all hits found by the AVG rescue CD (AVG dated 10Jan2010).

2- Restarted the computer, normal mode - during login, messages still pop up like:
winlogon.exe Ongeldig beeld
C:\Douments and settings\Local Service.NT tutorial (?)\Local Settings\Application data\Windows Server\qvxoob.dll. Controleer dit op uw installatiediskette.


Translated: invalid image (?) - link - verify this on your installation disk.


Same text for the following popups:
• Winlogon.exe (all followed by same message & referring to qvxoob.dll)
• userinit.exe
• dnusax.exe
• CMD.EXE
• net.exe
I click these away with the [X]

3- I uninstalled some programs from my C via the Control Panel, Add/Remove Programs - Windows reacts by giving a popup (forgot to write it down; this is a borrowed PC, not my infected one, but I have a screenshot). After ignoring or clicking away the error message, I was able to load the Control Panel etc.
Programs removed: HAM, FEAR (game), ABC, OpenOffice, old (?) Java versions.

4- Backup of C drive with DriveImage XML; this directly gave 2 errors before starting with backing up:

Warning
Could not initialize Windows Volume Shadow Service (VSS).
Code: ERROR 80042318
Make sure VSSVC.EXE is running in your task manager. Click help for more information

(which I didn't do, exited with [X])

and

Warning
Volume could not be properly locked.
You can still continue, but the backup image might be damaged.


5- I backed up the C anyway. Am looking for another backup program (Cobian Backup?) before continuing with:
Disabling CD emulation software
Running DDS
Running GMER


If I'm on the wrong (or right) track, I would like to hear from anyone who is more expert in this than I am (quite easy). I intend to continue this track - hopefully being able to sweep the Mc.Nasties away, without losing my OS or PC. (PS: I won't be able to do anything from the current location today)

Really - help is appreciated a lot. Hope above narration helps.


Regards,


#3 Blind Faith

  • Malware Response Team
  • 4,101 posts
  • Gender:Female

Posted 12 March 2010 - 12:03 PM

Hello and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log





Elle
Can you hear it? It's all around!

Tomar ki manč acchč?
Yadi thakč, tahalč
Ki kshama kartč paro?

If I haven't replied in 48 hours, please feel free to send me a PM.

#4 Raksha

  • Topic Starter
  • Members
  • 52 posts

Posted 13 March 2010 - 12:09 PM

Hi There,


Thank you for taking the time and effort to look into my computer troubles. I'm happy to oblige.

Update:
- DDS worked fine
- I had some trouble "disabling" Windows Defender (might not have been completely successful)
- Disabled CD emulation programs
- tried GMER: rebooted the computer 4 times

Below the results:
DDS (Ver_09-12-01.01) - NTFSx86
Run by Geertje at 17:18:06,53 on za 13-03-2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.2047.1679 [GMT 1:00]

AV: Dr. Guard *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: Norman Security Suite *On-access scanning enabled* (Updated) {EB9EFB40-AE72-4C43-B204-0FCD0E92D5F1}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
svchost.exe
C:\Program Files\Promise\Promise Disk Controller Manager\MsgAgt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Documents and Settings\Geertje\Menu Start\Programma's\Opstarten\dnusax.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Documents and Settings\Geertje\Bureaublad\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.nl/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
mRun: [27761] c:\docume~1\geertje\locals~1\temp\igqjj.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRunOnce: [wextract_cleanup0] rundll32.exe c:\windows\system32\advpack.dll,delnoderundll32 "c:\docume~1\geertje\locals~1\temp\ixp000.tmp\"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\documents and settings\geertje\menu start\programma's\opstarten\dnusax.exe
StartupFolder: c:\docume~1\alluse~1.win\menust~1\progra~1\opstar~1\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165392383029
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
AppInit_DLLs: app_dll.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
Hosts: 96.168.178.115 secure.antimalwaredefender.com
Hosts: 96.168.178.115 support.antimalwaredefender.com
Hosts: 95.168.173.24 secure.antimalware-defender.com
Hosts: 95.168.173.24 support.antimalware-defender.com
================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\geertje\applic~1\mozilla\firefox\profiles\56vx7pwm.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:nl:official
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 UtMsgSvc;UtMsgAgt;c:\program files\promise\promise disk controller manager\MsgAgt.exe [2004-4-2 217088]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S0 avhmg;avhmg;c:\windows\system32\drivers\avhmg.sys [2010-3-8 0]
S0 sbwddn;sbwddn;c:\windows\system32\drivers\fiwnfah.sys --> c:\windows\system32\drivers\fiwnfah.sys [?]
S1 NGS;Norman General Security Driver;\??\c:\norman\ngs\bin\ngs.sys --> c:\norman\ngs\bin\ngs.sys [?]
S1 NPROSEC;Norman Security driver;\??\c:\norman\ngs\bin\nprosec.sys --> c:\norman\ngs\bin\nprosec.sys [?]
S2 avg9wd;AVG Free WatchDog;"c:\program files\avg\avg9\avgwdsvc.exe" --> c:\program files\avg\avg9\avgwdsvc.exe [?]
S2 MSHLP;MSHLP;\??\c:\windows\system32\mssys.sys --> c:\windows\system32\mssys.sys [?]
S2 Ndiskio;Ndiskio;\??\c:\norman\nse\bin\ndiskio.sys --> c:\norman\nse\bin\NDISKIO.SYS [?]
S2 Norman ZANDA;Norman ZANDA;"c:\norman\npm\bin\zanda.exe" --> c:\norman\npm\bin\Zanda.exe [?]
S2 NPROSECSVC;Norman Security service;"c:\norman\ngs\bin\nprosec.exe" --> c:\norman\ngs\bin\Nprosec.exe [?]
S2 NVOY;Norman Resource Provider;"c:\norman\npm\bin\nvoy.exe" --> c:\norman\npm\bin\nvoy.exe [?]
S3 nsesvc;Norman Scanner Engine Service;"c:\norman\nse\bin\nsesvc.exe" -daemon --> c:\norman\nse\bin\NSESVC.EXE [?]
S3 NvcMFlt;NvcMFlt;c:\windows\system32\drivers\nvcw32mf.sys [2009-5-18 21832]
S3 nvcoas;Norman Virus Control on-access component;"c:\norman\nvc\bin\nvcoas.exe" --> c:\norman\nvc\bin\nvcoas.exe [?]
S3 Scheduler;Norman Scheduler Service;"c:\norman\npm\bin\scheduler.exe" --> c:\norman\npm\bin\scheduler.exe [?]
S4 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [2005-12-30 160640]
S4 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [2005-12-30 5248]

=============== Created Last 30 ================

2010-03-13 16:13:44 54 ----a-w- c:\documents and settings\geertje\defogger_reenable
2010-03-11 20:22:31 0 d-----w- c:\program files\Runtime Software
2010-03-10 18:40:30 0 ---ha-w- C:\BIT8.tmp
2010-03-10 18:03:24 0 ---ha-w- C:\BIT6.tmp
2010-03-09 18:38:33 0 ---ha-w- C:\BIT5.tmp
2010-03-09 17:49:22 0 ---ha-w- C:\BIT4.tmp
2010-03-09 04:38:15 0 ---ha-w- C:\BIT7.tmp
2010-03-08 20:22:19 0 ---ha-w- C:\BIT3.tmp
2010-03-08 20:14:42 0 d--h--w- C:\$AVG
2010-03-08 19:55:59 0 d-----w- c:\program files\AVG
2010-03-08 12:53:50 0 d-----w- c:\docume~1\geertje\applic~1\Malwarebytes
2010-03-08 12:53:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-08 12:53:44 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2010-03-08 12:53:43 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-08 12:53:43 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-08 10:39:39 860672 ----a-w- c:\windows\system32\drivers\pkrkegnv.sys
2010-03-08 10:18:08 0 d-----w- c:\docume~1\geertje\applic~1\AVG8
2010-03-08 10:09:15 0 d-----w- c:\docume~1\alluse~1.win\applic~1\AVG Security Toolbar
2010-03-08 09:41:55 0 d-----w- c:\docume~1\alluse~1.win\applic~1\avg9
2010-03-08 09:16:19 3144 ----a-w- c:\docume~1\alluse~1.win\applic~1\fiosejgfse.dll
2010-03-08 00:55:43 0 ----a-w- c:\windows\system32\drivers\avhmg.sys

==================== Find3M ====================

2010-03-13 13:35:47 7415 ----a-w- c:\program files\Nero Log 2010Mar13.txt
2010-02-24 08:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2009-12-21 19:10:30 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-17 07:42:53 345600 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:10:21 33280 ----a-w- c:\windows\system32\csrsrv.dll

============= FINISH: 17:18:38,26 ===============


GMER actions taken:
(defogger used to close CD emulation programs) Downloaded > double-click > unchecked boxes according to the tutorial > Scan

Crash (reboot) after 3-5 seconds - right at ...\HarddiscVolume4 (probably C)

Microsoft Windows "error signature" when starting up
BCC code: 44, BCP1: 89DEF0D0, BCP2: 00000D64, BCP3: 00000000, BCP4: 00000000
OSVeri 5_1_2000 SP 3_0, Product 256_1

Technical details:
C:\DOCUME~1\Geertje\LOCALS~1\TEMP\WER20c2.dir00\Mini031310-04.dmp
C:\DOCUME~1\Geertje\LOCALS~1\TEMP\WER20c2.dir00\sysdata.xml


I hope the above will help in solving this. I'm open to all suggestions (apart from chucking out my computer).
Note: the computer is not on the internet; I'm using a "backup option" for that.

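As an added example (this is not code from the thread, from DDS, or from BleepingComputer), here is a small Python script that reads DDS report lines like those posted above and pulls out the items a malware-removal helper would ask about: hosts-file entries that redirect security-vendor domains to a real address, autoruns launched from a user's Temp folder, an AppInit_DLLs value, and drivers registered with a missing file or a zero-byte file. The sample input is a subset of lines copied from the posted log; the line patterns, the category names and the heuristics are my own assumptions, and a hit is a question for the helper rather than a verdict (the Norman leftovers in the full log also show `[?]`).

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Sample input: a handful of lines copied from the DDS log posted in this thread
# (constructed subset; the values are the ones the poster's log shows).
SAMPLE_LOG = r"""
mRun: [27761] c:\docume~1\geertje\locals~1\temp\igqjj.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
AppInit_DLLs: app_dll.dll
Hosts: 96.168.178.115 secure.antimalwaredefender.com
Hosts: 95.168.173.24 support.antimalware-defender.com
S0 avhmg;avhmg;c:\windows\system32\drivers\avhmg.sys [2010-3-8 0]
S0 sbwddn;sbwddn;c:\windows\system32\drivers\fiwnfah.sys --> c:\windows\system32\drivers\fiwnfah.sys [?]
S3 NvcMFlt;NvcMFlt;c:\windows\system32\drivers\nvcw32mf.sys [2009-5-18 21832]
""".strip()


@dataclass(frozen=True)
class Finding:
    kind: str    # category of indicator (assumed names, not DDS terminology)
    detail: str  # the log value that triggered it


# DDS line shapes as seen in the posted log (assumptions derived from that log, not from DDS docs).
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)$")
RUN_RE = re.compile(r"^([umd]Run(?:Once)?):\s+\[([^\]]*)\]\s+(.*)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s+(\S.*)$")
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
SIZE_RE = re.compile(r"\[(\S+)\s+(\d+)\]\s*$")

# Path fragments that mark a user's Temp folder (8.3 and long forms, compared lower-case).
TEMP_MARKERS = ("\\locals~1\\temp", "\\local settings\\temp", "\\temp\\")
LOOPBACK = ("127.0.0.1", "::1", "0.0.0.0")


def analyze_dds(text: str) -> List[Finding]:
    """Scan DDS report lines and return the indicators a helper would ask about."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOSTS_RE.match(line):
            ip, host = m.groups()
            # Ad-blocking hosts files point names at loopback; a routable address is a redirect.
            if ip not in LOOPBACK:
                findings.append(Finding("hosts_redirect", f"{host} -> {ip}"))
        elif m := RUN_RE.match(line):
            key, name, cmd = m.groups()
            # Installed software does not normally autorun from a Temp folder.
            if any(t in cmd.lower() for t in TEMP_MARKERS):
                findings.append(Finding("autorun_from_temp", f"{key} [{name}] {cmd}"))
        elif m := APPINIT_RE.match(line):
            # DDS only prints AppInit_DLLs when it is set; the DLL loads into every GUI process.
            findings.append(Finding("appinit_dll", m.group(1).strip()))
        elif m := SERVICE_RE.match(line):
            _state, name, _display, rest = m.groups()
            rest = rest.strip()
            if rest.endswith("[?]"):
                # "--> path [?]" means the registered file was not found on disk (leftover or hidden).
                path = rest.split("-->")[0].strip()
                findings.append(Finding("driver_file_missing", f"{name}: {path}"))
            elif (s := SIZE_RE.search(rest)) and int(s.group(2)) == 0:
                # A zero-byte driver cannot be a working driver; worth asking about.
                findings.append(Finding("driver_zero_size", f"{name}: {rest[:s.start()].strip()}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    results = analyze_dds(SAMPLE_LOG)
    for f in results:
        print(f"{f.kind:20} {f.detail}")
    print(summarize(results))
```

Run it as-is to see the six hits from the sample lines; point `analyze_dds` at a full DDS report to get the same categories for a whole machine. Entries with `[?]` deserve a second look before deletion, since an orphaned registration from a half-removed security product looks identical to a hidden driver in this output.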

#5 schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 13 March 2010 - 01:29 PM

Hello, Raksha
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.


  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    safebootminimal
    safebootnetwork
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
  5. Push the Quick Scan button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#6 Raksha

  • Topic Starter
  • Members
  • 52 posts

Posted 13 March 2010 - 02:11 PM

Hi Thomas,


I'm very happy you are able to look into my computer problem. I saw the forum being swamped with users and their problems. I'm just so happy someone is able to make time!!

Here the updates:
    since I had enabled Windows defender again (after the DDS run), I had started scanning, but stopped (after 10min or so) after receiving your reply. You might pick that up somewhere in the logs
    Btw, working in safe mode (computer) did not help running a gmer scan.

The instructions I receive from you all are very clear step-by-step descriptions (I don't have trouble so far in following them) - thank you all so much!


The OTL report
OTL logfile created on: 13-3-2010 19:53:43 - Run 1
OTL by OldTimer - Version 3.1.37.0 Folder = C:\Documents and Settings\Geertje\Bureaublad
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000413 | Country: Nederland | Language: NLD | Date Format: d-M-yyyy

2,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 81,00% Memory free
3,00 Gb Paging File | 3,00 Gb Available in Paging File | 93,00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74,53 Gb Total Space | 54,83 Gb Free Space | 73,57% Space Free | Partition Type: NTFS
Drive D: | 74,52 Gb Total Space | 1,35 Gb Free Space | 1,81% Space Free | Partition Type: NTFS
Drive E: | 74,52 Gb Total Space | 5,06 Gb Free Space | 6,79% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 279,47 Gb Total Space | 10,11 Gb Free Space | 3,62% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded
Drive J: | 465,64 Gb Total Space | 29,24 Gb Free Space | 6,28% Space Free | Partition Type: FAT32
Drive K: | 488,00 Mb Total Space | 23,41 Mb Free Space | 4,80% Space Free | Partition Type: FAT

Computer Name: GEERTJEXP
Current User Name: Geertje
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010-03-13 19:45:32 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Geertje\Bureaublad\OTL.exe
PRC - [2009-08-05 10:37:58 | 012,313,432 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
PRC - [2008-04-14 18:02:58 | 001,037,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006-11-03 18:20:12 | 000,866,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2006-11-03 18:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2005-06-14 05:35:46 | 000,278,528 | ---- | M] (InterVideo Inc.) -- C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
PRC - [2004-04-02 13:57:02 | 000,217,088 | ---- | M] (Promise Technology Inc.) -- C:\Program Files\Promise\Promise Disk Controller Manager\MsgAgt.exe


========== Modules (SafeList) ==========

MOD - [2010-03-13 19:45:32 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Geertje\Bureaublad\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (Scheduler)
SRV - File not found [Auto | Stopped] -- -- (NVOY)
SRV - File not found [On_Demand | Stopped] -- -- (nvcoas)
SRV - File not found [On_Demand | Stopped] -- -- (nsesvc)
SRV - File not found [Auto | Stopped] -- -- (NPROSECSVC)
SRV - File not found [Auto | Stopped] -- -- (Norman ZANDA)
SRV - File not found [On_Demand | Stopped] -- -- (Norman NJeeves)
SRV - File not found [Auto | Stopped] -- -- (eLoggerSvc6)
SRV - File not found [Auto | Stopped] -- -- (avg9wd)
SRV - [2006-11-03 18:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2004-04-02 13:57:02 | 000,217,088 | ---- | M] (Promise Technology Inc.) [Auto | Running] -- C:\Program Files\Promise\Promise Disk Controller Manager\MsgAgt.exe -- (UtMsgSvc)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
IE - HKCU\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found
IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:nl:official"
FF - prefs.js..extensions.enabledItems: betteryoutube@ginatrapani.org:0.4.3
FF - prefs.js..extensions.enabledItems: en-GB@dictionaries.addons.mozilla.org:1.19
FF - prefs.js..extensions.enabledItems: de-DE@dictionaries.addons.mozilla.org:2.0.1
FF - prefs.js..extensions.enabledItems: fr@dictionaries.addons.mozilla.org:3.5
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20100211.5
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: nl-NL@dictionaries.addons.mozilla.org:2.2.0

FF - HKLM\software\mozilla\Firefox\extensions\\avg@igeared: C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009-12-07 17:08:55 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009-12-07 17:08:57 | 000,000,000 | ---D | M]

[2008-12-11 16:35:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\Mozilla\Extensions
[2010-03-11 17:56:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\Mozilla\Firefox\Profiles\56vx7pwm.default\extensions
[2010-02-24 05:34:34 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Documents and Settings\Geertje\Application Data\Mozilla\Firefox\Profiles\56vx7pwm.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2008-08-01 04:42:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\Mozilla\Firefox\Profiles\56vx7pwm.default\extensions\betteryoutube@ginatrapani.org
[2010-02-24 05:34:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\Mozilla\Firefox\Profiles\56vx7pwm.default\extensions\de-DE@dictionaries.addons.mozilla.org
[2008-03-01 11:31:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\Mozilla\Firefox\Profiles\56vx7pwm.default\extensions\de-DE-alt@dictionaries.addons.mozilla.org
[2008-03-01 11:31:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\Mozilla\Firefox\Profiles\56vx7pwm.default\extensions\en-GB@dictionaries.addons.mozilla.org
[2010-02-24 05:34:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\Mozilla\Firefox\Profiles\56vx7pwm.default\extensions\fr@dictionaries.addons.mozilla.org
[2009-12-08 16:08:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\Mozilla\Firefox\Profiles\56vx7pwm.default\extensions\nl-NL@dictionaries.addons.mozilla.org
[2010-03-11 17:56:38 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009-12-07 17:08:38 | 000,001,892 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bolcom-nl.xml
[2009-12-07 17:08:38 | 000,004,558 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\marktplaats-nl.xml
[2009-12-07 17:08:38 | 000,001,111 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\vandale-nl.xml
[2009-12-07 17:08:38 | 000,001,049 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia-nl.xml
[2009-12-07 17:08:38 | 000,000,802 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-nl.xml

O1 HOSTS File: ([2010-03-08 01:57:40 | 000,000,185 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 96.168.178.115 secure.antimalwaredefender.com
O1 - Hosts: 96.168.178.115 support.antimalwaredefender.com
O1 - Hosts: 95.168.173.24 secure.antimalware-defender.com
O1 - Hosts: 95.168.173.24 support.antimalware-defender.com
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll File not found
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll File not found
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll File not found
O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll File not found
O4 - HKLM..\Run: [27761] C:\DOCUME~1\Geertje\LOCALS~1\Temp\igqjj.exe File not found
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programma's\Opstarten\InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe (InterVideo Inc.)
O4 - Startup: C:\Documents and Settings\Geertje\Menu Start\Programma's\Opstarten\dnusax.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_13.dll (Sun Microsystems, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1165392383029 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll File not found
O20 - AppInit_DLLs: (app_dll.dll) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (Mijn huidige introductiepagina) - About:Home
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003-11-06 16:43:06 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010-03-08 16:04:34 | 000,000,192 | ---- | M] () - K:\autorun.inf -- [ FAT ]
O33 - MountPoints2\{96779104-9506-11da-b473-00110987a636}\Shell\AutoRun\command - "" = K:\RECYCLER\autorun.exe -- [2010-03-08 11:38:34 | 000,108,032 | RHS- | M] ()
O33 - MountPoints2\{96779104-9506-11da-b473-00110987a636}\Shell\open\command - "" = K:\RECYCLER\autorun.exe -- [2010-03-08 11:38:34 | 000,108,032 | RHS- | M] ()
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O36 - AppCertDlls: AppSecDll - (C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Windows Server\qvxoob.dll) - C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Windows Server\qvxoob.dll ()
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: Ias - C:\WINDOWS\system32\ias [2005-12-30 14:25:13 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: SSHNAS - File not found

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: WinDefend - C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: NDIS - File not found
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: WinDefend - C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16891891626803200)

========== Files/Folders - Created Within 14 Days ==========

[2010-03-13 19:52:10 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Geertje\Bureaublad\OTL.exe
[2010-03-11 21:22:31 | 000,000,000 | ---D | C] -- C:\Program Files\Runtime Software
[2010-03-11 17:42:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Geertje\Bureaublad\01-Backup cobian
[2010-03-08 21:14:42 | 000,000,000 | -H-D | C] -- C:\$AVG
[2010-03-08 20:55:59 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2010-03-08 20:51:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Geertje\Local Settings\Application Data\Windows Server
[2010-03-08 13:53:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Geertje\Application Data\Malwarebytes
[2010-03-08 13:53:45 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010-03-08 13:53:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
[2010-03-08 13:53:43 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010-03-08 13:53:43 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010-03-08 13:40:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Geertje\Bureaublad\Start 2
[2010-03-08 11:18:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Geertje\Application Data\AVG8
[2010-03-08 11:09:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\AVG Security Toolbar
[2010-03-08 10:41:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg9
[2005-12-30 18:08:02 | 000,160,640 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\a347bus.sys
[2005-12-30 18:08:02 | 000,005,248 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\a347scsi.sys
[2005-12-15 21:33:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Webroot
[2004-12-24 21:58:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2004-12-24 21:58:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2004-12-24 21:54:45 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2004-12-24 21:54:45 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010-03-13 19:55:09 | 000,860,672 | ---- | M] () -- C:\WINDOWS\System32\drivers\pkrkegnv.sys
[2010-03-13 19:52:39 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\Geertje\Bureaublad\~$L codes.doc
[2010-03-13 19:50:18 | 000,024,576 | ---- | M] () -- C:\Documents and Settings\Geertje\Bureaublad\OTL codes.doc
[2010-03-13 19:45:32 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Geertje\Bureaublad\OTL.exe
[2010-03-13 19:39:39 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010-03-13 19:37:37 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2010-03-13 19:36:35 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010-03-13 19:36:28 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010-03-13 19:36:24 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010-03-13 19:36:21 | 2147,012,608 | -HS- | M] () -- C:\hiberfil.sys
[2010-03-13 19:32:21 | 000,000,188 | -HS- | M] () -- C:\Documents and Settings\Geertje\ntuser.ini
[2010-03-13 19:32:20 | 016,777,216 | -H-- | M] () -- C:\Documents and Settings\Geertje\NTUSER.DAT
[2010-03-13 17:44:54 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\Geertje\Bureaublad\Microsoft Office Word 2003.lnk
[2010-03-13 17:13:47 | 000,000,054 | ---- | M] () -- C:\Documents and Settings\Geertje\defogger_reenable
[2010-03-13 17:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
[2010-03-13 16:15:36 | 000,053,760 | ---- | M] () -- C:\Documents and Settings\Geertje\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010-03-13 16:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
[2010-03-13 15:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
[2010-03-13 14:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
[2010-03-13 13:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
[2010-03-13 12:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
[2010-03-13 11:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
[2010-03-13 10:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
[2010-03-13 09:37:39 | 000,002,495 | ---- | M] () -- C:\Documents and Settings\Geertje\Bureaublad\Microsoft Office Excel 2003.lnk
[2010-03-12 05:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At6.job
[2010-03-12 04:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
[2010-03-12 03:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2010-03-12 02:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2010-03-12 01:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2010-03-12 00:02:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2010-03-11 23:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At24.job
[2010-03-11 22:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
[2010-03-11 21:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2010-03-11 20:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2010-03-11 19:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2010-03-11 18:21:11 | 000,001,077 | ---- | M] () -- C:\WINDOWS\wincmd.ini
[2010-03-11 18:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
[2010-03-10 18:54:58 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Geertje\Bureaublad\Defogger.exe
[2010-03-09 09:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
[2010-03-09 08:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
[2010-03-09 07:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
[2010-03-09 06:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
[2010-03-08 13:53:47 | 000,000,701 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Bureaublad\Malwarebytes' Anti-Malware.lnk
[2010-03-08 10:58:33 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\avhmg.sys
[2010-03-08 10:44:12 | 000,003,144 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\fiosejgfse.dll
[2010-03-05 20:35:31 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010-03-13 19:52:39 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\Geertje\Bureaublad\~$L codes.doc
[2010-03-13 19:52:06 | 000,024,576 | ---- | C] () -- C:\Documents and Settings\Geertje\Bureaublad\OTL codes.doc
[2010-03-13 19:36:21 | 2147,012,608 | -HS- | C] () -- C:\hiberfil.sys
[2010-03-13 17:26:36 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Geertje\Bureaublad\gmer.exe
[2010-03-13 17:13:44 | 000,000,054 | ---- | C] () -- C:\Documents and Settings\Geertje\defogger_reenable
[2010-03-13 14:35:47 | 000,007,415 | ---- | C] () -- C:\Program Files\Nero Log 2010Mar13.txt
[2010-03-11 17:42:16 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Geertje\Bureaublad\Defogger.exe
[2010-03-08 13:53:47 | 000,000,701 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Bureaublad\Malwarebytes' Anti-Malware.lnk
[2010-03-08 11:39:39 | 000,860,672 | ---- | C] () -- C:\WINDOWS\System32\drivers\pkrkegnv.sys
[2010-03-08 10:16:19 | 000,003,144 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\fiosejgfse.dll
[2010-03-08 08:56:47 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At24.job
[2010-03-08 08:56:47 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At23.job
[2010-03-08 08:56:47 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At22.job
[2010-03-08 08:56:47 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At21.job
[2010-03-08 08:56:47 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At20.job
[2010-03-08 08:56:47 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At19.job
[2010-03-08 08:56:47 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At18.job
[2010-03-08 08:56:47 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At17.job
[2010-03-08 08:56:47 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At16.job
[2010-03-08 08:56:47 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At15.job
[2010-03-08 08:56:47 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At14.job
[2010-03-08 08:56:47 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At13.job
[2010-03-08 08:56:46 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At9.job
[2010-03-08 08:56:46 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At8.job
[2010-03-08 08:56:46 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At7.job
[2010-03-08 08:56:46 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At6.job
[2010-03-08 08:56:46 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At5.job
[2010-03-08 08:56:46 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At4.job
[2010-03-08 08:56:46 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At3.job
[2010-03-08 08:56:46 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At2.job
[2010-03-08 08:56:46 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At12.job
[2010-03-08 08:56:46 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At11.job
[2010-03-08 08:56:46 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At10.job
[2010-03-08 08:56:46 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At1.job
[2010-03-08 01:55:43 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\drivers\avhmg.sys
[2009-04-12 19:48:41 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009-04-12 19:48:40 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009-04-12 18:17:17 | 000,000,025 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2008-07-07 19:13:48 | 002,067,140 | R--- | C] () -- C:\WINDOWS\System32\avcodec.dll
[2006-12-10 10:57:23 | 000,034,308 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2006-12-10 10:10:20 | 000,000,085 | -HS- | C] () -- C:\Documents and Settings\Geertje\Application Data\.zreglib
[2006-10-11 19:32:44 | 000,000,032 | ---- | C] () -- C:\WINDOWS\CD_Start.INI
[2006-09-09 11:55:54 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006-03-18 13:06:16 | 000,000,159 | ---- | C] () -- C:\WINDOWS\wcx_ftp.ini
[2006-02-18 13:17:16 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2006-02-18 13:17:16 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2006-02-18 13:17:16 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2006-02-18 13:17:16 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2006-02-18 13:17:16 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2006-02-18 13:17:16 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2006-02-18 13:17:04 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\cddvdint.dll
[2006-01-02 17:23:16 | 000,003,584 | ---- | C] () -- C:\WINDOWS\System32\wmfhotfix.dll
[2005-12-31 11:23:31 | 000,000,379 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005-12-30 21:16:02 | 000,000,721 | ---- | C] () -- C:\WINDOWS\DVDFabGold.INI
[2005-12-30 18:34:15 | 000,001,077 | ---- | C] () -- C:\WINDOWS\wincmd.ini
[2005-12-30 15:58:49 | 000,157,184 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2005-12-30 15:55:27 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\vusetup.dll
[2005-12-30 15:48:53 | 000,053,760 | ---- | C] () -- C:\Documents and Settings\Geertje\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005-12-30 15:03:38 | 000,002,740 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2005-12-30 15:03:34 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2003-06-24 15:14:07 | 000,194,048 | ---- | C] () -- C:\WINDOWS\System32\xvid.dll
[2002-10-15 23:54:04 | 000,153,088 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2002-10-06 19:42:57 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\OggDS.dll
[2002-10-05 00:04:25 | 000,921,600 | ---- | C] () -- C:\WINDOWS\System32\vorbisenc.dll
[2002-10-05 00:04:24 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll
[2002-10-05 00:04:17 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\ogg.dll

========== LOP Check ==========

[2010-03-08 13:39:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\AVG Security Toolbar
[2010-03-09 19:21:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg9
[2009-05-18 19:15:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
[2010-01-30 15:32:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Zoom Player
[2006-01-07 11:21:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\.ABC
[2005-12-31 11:54:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\.BitTornado
[2006-12-10 10:10:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\Elaborate Bytes
[2006-02-18 13:19:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\InterVideo
[2007-11-18 20:29:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\Juniper Networks
[2007-02-18 09:02:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\Minitab
[2009-05-18 20:37:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\NewsLeecher
[2008-08-27 20:54:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\Sports Interactive
[2009-05-18 19:15:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\URSoft
[2008-12-12 15:27:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\Vso
[2005-12-30 16:31:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\XnView
[2010-03-12 00:02:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At1.job
[2010-03-09 09:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At10.job
[2010-03-13 10:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At11.job
[2010-03-13 11:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At12.job
[2010-03-13 12:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At13.job
[2010-03-13 13:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At14.job
[2010-03-13 14:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At15.job
[2010-03-13 15:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At16.job
[2010-03-13 16:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At17.job
[2010-03-13 17:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At18.job
[2010-03-11 18:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At19.job
[2010-03-12 01:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At2.job
[2010-03-11 19:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At20.job
[2010-03-11 20:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At21.job
[2010-03-11 21:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At22.job
[2010-03-11 22:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At23.job
[2010-03-11 23:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At24.job
[2010-03-12 02:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At3.job
[2010-03-12 03:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At4.job
[2010-03-12 04:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At5.job
[2010-03-12 05:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At6.job
[2010-03-09 06:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At7.job
[2010-03-09 07:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At8.job
[2010-03-09 08:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At9.job
[2010-03-13 19:39:39 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2010-03-13 19:37:37 | 000,000,260 | ---- | M] () -- C:\WINDOWS\Tasks\WGASetup.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004-08-04 13:00:00 | 018,788,859 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008-12-11 16:40:20 | 023,899,725 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008-12-11 16:40:20 | 023,899,725 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008-04-13 19:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008-04-13 19:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004-08-04 13:00:00 | 018,788,859 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008-12-11 16:40:20 | 023,899,725 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008-12-11 16:40:20 | 023,899,725 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008-04-13 19:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008-04-13 19:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008-04-14 18:02:25 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=CA64B9406EEDA4FFA2DAEAE1DABCCE42 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008-04-14 18:02:25 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=CA64B9406EEDA4FFA2DAEAE1DABCCE42 -- C:\WINDOWS\system32\eventlog.dll
[2004-08-04 13:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=F1720914CAB06FDE4BE250E3767713CF -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2004-08-04 13:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=B3FDAC7A518B6B684BEFE792DC1DC560 -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2008-04-14 18:02:33 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=E6A7071DF6855AB7CCCC220AC3AAD087 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008-04-14 18:02:33 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=E6A7071DF6855AB7CCCC220AC3AAD087 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008-04-14 18:02:39 | 000,185,856 | ---- | M] (Microsoft Corporation) MD5=0E3B585761E23C1E35442E972B7E45F9 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008-04-14 18:02:39 | 000,185,856 | ---- | M] (Microsoft Corporation) MD5=0E3B585761E23C1E35442E972B7E45F9 -- C:\WINDOWS\system32\scecli.dll
[2004-08-04 13:00:00 | 000,184,832 | ---- | M] (Microsoft Corporation) MD5=5AE934F6837B5A583DED535C4BE5A804 -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll

< MD5 for: VIAMRAID.SYS >
[2004-07-06 22:45:36 | 000,060,672 | ---- | M] (VIA Technologies inc,.ltd) MD5=44056E9FEE477F512EE58BCFEE949621 -- C:\software\driver\moederbord\MSI-k8t800\VIA_RAID_OM74\VIARAID_OM74\DriverDisk\RAID\2003IA32\viamraid.sys
[2004-07-06 22:45:38 | 000,060,672 | ---- | M] (VIA Technologies inc,.ltd) MD5=44056E9FEE477F512EE58BCFEE949621 -- C:\software\driver\moederbord\MSI-k8t800\VIA_RAID_OM74\VIARAID_OM74\DriverDisk\RAID\Win2000\viamraid.sys
[2004-07-06 22:45:42 | 000,060,672 | ---- | M] (VIA Technologies inc,.ltd) MD5=44056E9FEE477F512EE58BCFEE949621 -- C:\software\driver\moederbord\MSI-k8t800\VIA_RAID_OM74\VIARAID_OM74\DriverDisk\RAID\Winxp\viamraid.sys
[2004-07-06 22:45:36 | 000,060,672 | ---- | M] (VIA Technologies inc,.ltd) MD5=44056E9FEE477F512EE58BCFEE949621 -- C:\software\driver\moederbord\MSI-k8t800\VIA_RAID_OM74\VIARAID_OM74\VIARaid\driver\2003IA32\viamraid.sys
[2004-07-06 22:45:38 | 000,060,672 | ---- | M] (VIA Technologies inc,.ltd) MD5=44056E9FEE477F512EE58BCFEE949621 -- C:\software\driver\moederbord\MSI-k8t800\VIA_RAID_OM74\VIARAID_OM74\VIARaid\driver\Win2000\viamraid.sys
[2004-07-06 22:45:42 | 000,060,672 | ---- | M] (VIA Technologies inc,.ltd) MD5=44056E9FEE477F512EE58BCFEE949621 -- C:\software\driver\moederbord\MSI-k8t800\VIA_RAID_OM74\VIARAID_OM74\VIARaid\driver\Winxp\viamraid.sys
[2004-07-06 22:45:42 | 000,060,672 | ---- | M] (VIA Technologies inc,.ltd) MD5=44056E9FEE477F512EE58BCFEE949621 -- C:\WINDOWS\system32\drivers\viamraid.sys
[2004-07-06 22:45:40 | 000,067,392 | ---- | M] (VIA Technologies inc,.ltd) MD5=813C738B09E80C4A4E0585FB95A2F897 -- C:\software\driver\moederbord\MSI-k8t800\VIA_RAID_OM74\VIARAID_OM74\DriverDisk\RAID\Winnt40\viamraid.sys
[2004-07-06 22:45:40 | 000,067,392 | ---- | M] (VIA Technologies inc,.ltd) MD5=813C738B09E80C4A4E0585FB95A2F897 -- C:\software\driver\moederbord\MSI-k8t800\VIA_RAID_OM74\VIARAID_OM74\VIARaid\driver\Winnt40\viamraid.sys

< %systemroot%\*. /mp /s >
< End of report >




The Extra report


OTL Extras logfile created on: 13-3-2010 19:53:43 - Run 1
OTL by OldTimer - Version 3.1.37.0 Folder = C:\Documents and Settings\Geertje\Bureaublad
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000413 | Country: Nederland | Language: NLD | Date Format: d-M-yyyy

2,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 81,00% Memory free
3,00 Gb Paging File | 3,00 Gb Available in Paging File | 93,00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74,53 Gb Total Space | 54,83 Gb Free Space | 73,57% Space Free | Partition Type: NTFS
Drive D: | 74,52 Gb Total Space | 1,35 Gb Free Space | 1,81% Space Free | Partition Type: NTFS
Drive E: | 74,52 Gb Total Space | 5,06 Gb Free Space | 6,79% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 279,47 Gb Total Space | 10,11 Gb Free Space | 3,62% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded
Drive J: | 465,64 Gb Total Space | 29,24 Gb Free Space | 6,28% Space Free | Partition Type: FAT32
Drive K: | 488,00 Mb Total Space | 23,41 Mb Free Space | 4,80% Space Free | Partition Type: FAT

Computer Name: GEERTJEXP
Current User Name: Geertje
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\totalcmd\TOTALCMD.EXE" = C:\totalcmd\TOTALCMD.EXE:*:Enabled:Total Commander 32 bit international version, file manager replacement for Windows -- (C. Ghisler & Co.)
"C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe" = C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe:*:Enabled:Football Manager 2008 -- (Sports Interactive)
"C:\Program Files\FTDv3.8\FTDv3.exe" = C:\Program Files\FTDv3.8\FTDv3.exe:*:Enabled:FTDv3.8 -- (FTD)
"C:\Program Files\NewsLeecher\newsLeecher.exe" = C:\Program Files\NewsLeecher\newsLeecher.exe:*:Enabled:NewsLeecher -- ()
"C:\Program Files\Sierra\FEAR\FEAR.exe" = C:\Program Files\Sierra\FEAR\FEAR.exe:*:Disabled:FEAR -- File not found
"C:\Program Files\ABC\abc.exe" = C:\Program Files\ABC\abc.exe:*:Disabled:abc -- File not found
"C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe" = C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe:*:Disabled:Ad-Aware SE Professional -- File not found
"C:\Program Files\BitTornado\btdownloadgui.exe" = C:\Program Files\BitTornado\btdownloadgui.exe:*:Disabled:btdownloadgui -- File not found
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Disabled:iTunes -- (Apple Inc.)
"C:\Program Files\InterVideo\DVD7\WinDVD.exe" = C:\Program Files\InterVideo\DVD7\WinDVD.exe:*:Disabled:WinDVD -- (InterVideo Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}" = QuickTime
"{20D4A895-748C-4D88-871C-FDB1695B0169}" = Platform
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 13
"{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9
"{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{350C9413-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3D047C15-C859-45F7-81CE-F2681778069B}" = iPod for Windows 2006-01-10
"{44734179-8A79-4DEE-BB08-73037F065543}" = Apple Mobile Device Support
"{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}" = Bonjour
"{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}" = iTunes
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{82FD47B3-AEAE-4A3C-81D9-CC1CC9D520E9}" = Promise Disk Controller Manager
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90885A82-9673-49EA-AB39-AF776639C67C}" = InterVideo WinDVD 7
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}" = Windows Defender Signatures
"{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}" = Apple Software Update
"{CECFDD53-35DB-4235-9363-7964A0C88E0E}" = Samsung PC Studio
"{E1CDC5B0-7AFB-11DA-8CD6-0800200C9A66}" = WMFHotFix, MSI Version 1, Hotfix Version 14
"{E9F81423-211E-46B6-9AE0-38568BC5CF6F}" = Alcohol 120%
"{EBA29752-DDD2-4B62-B2E3-9841F92A3E3A}" = Samsung PC Studio 3 USB Driver Installer
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"CDisplay_is1" = CDisplay 1.8
"CloneDVD.exe_is1" = CloneDVD 3.6
"Combined Community Codec Pack" = Combined Community Codec Pack 2005-12-21 (Remove Only)
"CTDVDAudio Plugin" = Creative DVD Audio Plugin for Audigy Series
"DC-Bass Source" = DC-Bass Source 1.1.1
"DirectVobSub" = DirectVobSub (remove only)
"DVDFab Platinum_is1" = DVDFab Platinum 2.9.8.1
"ffdshow_is1" = ffdshow [rev 2527] [2008-12-19]
"Football Manager 2008" = Football Manager 2008
"Foxit Reader" = Foxit Reader
"GOM Player" = GOM Player
"GSpot" = GSpot Codec Information Appliance
"HaaliMkx" = Haali Media Splitter
"Heroes of Might and Magic IV" = Heroes of Might and Magic® IV
"ie8" = Windows Internet Explorer 8
"InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}" = VIA Platform Device Manager
"InstallShield_{3D047C15-C859-45F7-81CE-F2681778069B}" = iPod for Windows 2006-01-10
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.5.5)" = Mozilla Firefox (3.5.5)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Neat Image_is1" = Neat Image v5.2 Pro+
"Nero - Burning Rom!UninstallKey" = Nero 6 Ultra Edition
"NewsLeecher" = NewsLeecher
"NewsLeecher_is1" = NewsLeecher v3.8 Final
"OggDS" = Direct Show Ogg Vorbis Filter (remove only)
"Picasa2" = Picasa 2
"QuickPar" = QuickPar 0.9
"SAMSUNG CDMA Modem" = SAMSUNG CDMA Modem Driver Set
"SAMSUNG Mobile USB Modem" = SAMSUNG Mobile USB Modem Software
"SAMSUNG Mobile USB Modem 1.0" = SAMSUNG Mobile USB Modem 1.0 Software
"SHOUTcast Source" = SHOUTcast Source (remove only)
"Totalcmd" = Total Commander (Remove or Repair)
"VobSub" = VobSub v2.23 (Remove Only)
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XnView_is1" = XnView 1.80.1
"XviD" = XviD Video Codec 24062003-1 (Koepi's developer build)
"ZoomPlayer" = Zoom Player (remove only)

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Neoteris_Host_Checker" = Juniper Networks Host Checker

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 29-6-2009 19:48:25 | Computer Name = GEERTJEXP | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8024400e, P2 endsearch, P3 search, P4 1.1.1593.0,
P5 mpsigdwn.dll, P6 1.1.1593.0, P7 windows defender, P8 NIL, P9 NIL, P10 NIL.

Error - 12-7-2009 10:08:07 | Computer Name = GEERTJEXP | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 80240016, P2 begininstall, P3 install, P4
1.1.1593.0, P5 mpsigdwn.dll, P6 1.1.1593.0, P7 windows defender, P8 NIL, P9 NIL,
P10 NIL.

Error - 12-7-2009 10:15:50 | Computer Name = GEERTJEXP | Source = Application Error | ID = 1000
Description = Faulting application: firefox.exe, version: 1.9.0.3439, faulting
module: xul.dll, version: 1.9.0.3439, fault address: 0x000a3a8b.

Error - 15-7-2009 15:27:42 | Computer Name = GEERTJEXP | Source = Application Hang | ID = 1002
Description = Hanging application: winamp.exe, version: 5.5.5.2419, hanging
module: hungapp, version: 0.0.0.0, hang address: 0x00000000.

Error - 16-7-2009 16:06:05 | Computer Name = GEERTJEXP | Source = Application Hang | ID = 1002
Description = Hanging application: FTDv3.exe, version: 3.8.5.0, hanging module:
hungapp, version: 0.0.0.0, hang address: 0x00000000.

Error - 16-7-2009 19:33:48 | Computer Name = GEERTJEXP | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 80240016, P2 begininstall, P3 install, P4
1.1.1593.0, P5 mpsigdwn.dll, P6 1.1.1593.0, P7 windows defender, P8 NIL, P9 NIL,
P10 NIL.

Error - 21-7-2009 12:45:08 | Computer Name = GEERTJEXP | Source = Application Hang | ID = 1002
Description = Hanging application: nero.exe, version: 6.6.0.18, hanging module:
hungapp, version: 0.0.0.0, hang address: 0x00000000.

Error - 21-7-2009 12:45:10 | Computer Name = GEERTJEXP | Source = Application Hang | ID = 1002
Description = Hanging application: nero.exe, version: 6.6.0.18, hanging module:
hungapp, version: 0.0.0.0, hang address: 0x00000000.

Error - 24-7-2009 17:24:25 | Computer Name = GEERTJEXP | Source = NormanNPT | ID = 131073
Description =

Error - 24-7-2009 18:24:59 | Computer Name = GEERTJEXP | Source = NormanNPT | ID = 131073
Description =


========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >
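
The "< MD5 for: ... >" blocks in the OTL log above are a custom scan of system files that rootkits of that period patched in place (TDL3/TDSS went after atapi.sys, and F-Secure later reports a TDSS detection on this machine). A helper reads each block by asking one question: does the copy Windows actually loads, under \WINDOWS\system32, carry the same MD5 as the reference copy kept under ServicePackFiles\i386 or $NtServicePackUninstall$? The script below is an added example that automates that comparison over the log text; it is not part of OTL or of this thread. The ATAPI.SYS and VIAMRAID.SYS lines are copied from the log above, while the EXAMPLE.SYS block and both of its hashes are constructed to show what a mismatch looks like.

```python
r"""Triage the "< MD5 for: NAME >" blocks of an OTL log.

Added example, not part of OTL or of the thread. For every file name in the
custom scan it answers the helper's question: does the copy that actually
loads (under \WINDOWS\system32) carry the same MD5 as a reference copy kept by
Windows under ServicePackFiles\i386 or $NtServicePackUninstall$?
"""
import re
from collections import defaultdict

# "< MD5 for: ATAPI.SYS >"
HEADER_RE = re.compile(r"^<\s*MD5 for:\s*(?P<name>[^>]+?)\s*>$")
# "[stamp | size | attrs | M] (Company) MD5=HEX -- path"; the .cab entries
# carry no MD5= field and therefore never match, which is what we want.
LINE_RE = re.compile(
    r"^\[(?P<stamp>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<company>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+)$"
)

LIVE_DIRS = ("\\windows\\system32\\",)            # covers system32\drivers as well
SP_DIRS = ("\\servicepackfiles\\i386\\", "\\$ntservicepackuninstall$\\")


def classify(path):
    """'live' (what Windows loads), 'servicepack' (Microsoft's own copy) or 'other'."""
    p = path.lower()
    if any(d in p for d in LIVE_DIRS):
        return "live"
    if any(d in p for d in SP_DIRS):
        return "servicepack"
    return "other"


def parse_md5_blocks(text):
    """Return {filename: [(md5, path), ...]} for every MD5 block in the log text."""
    blocks = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group("name").lower()
            blocks[current]            # register the block even if it ends up empty
            continue
        entry = LINE_RE.match(line)
        if entry and current is not None:
            blocks[current].append((entry.group("md5").upper(), entry.group("path").strip()))
    return dict(blocks)


def triage(text):
    """Return {filename: verdict}.

    ok                  live hash equals a service-pack copy
    matches-other-copy  live hash equals some other copy on disk (vendor driver disk, ...)
    SUSPECT             other copies exist but none has the live hash: look at this file first
    no-reference        nothing to compare against
    no-live-copy        the file is not present where Windows would load it
    """
    verdicts = {}
    for name, entries in parse_md5_blocks(text).items():
        hashes = defaultdict(set)
        for md5, path in entries:
            hashes[classify(path)].add(md5)
        live, sp, other = hashes["live"], hashes["servicepack"], hashes["other"]
        if not live:
            verdicts[name] = "no-live-copy"
        elif live <= sp:
            verdicts[name] = "ok"
        elif live <= (sp | other):
            verdicts[name] = "matches-other-copy"
        elif sp or other:
            verdicts[name] = "SUSPECT"
        else:
            verdicts[name] = "no-reference"
    return verdicts


# Sample input. The ATAPI.SYS and VIAMRAID.SYS lines are copied from the OTL
# log in the thread; the EXAMPLE.SYS block and both of its hashes are
# constructed to show a live driver whose hash matches nothing Windows shipped.
SAMPLE_LOG = r"""
< MD5 for: ATAPI.SYS >
[2008-12-11 16:40:20 | 023,899,725 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008-04-13 19:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008-04-13 19:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: VIAMRAID.SYS >
[2004-07-06 22:45:42 | 000,060,672 | ---- | M] (VIA Technologies inc,.ltd) MD5=44056E9FEE477F512EE58BCFEE949621 -- C:\software\driver\moederbord\MSI-k8t800\VIA_RAID_OM74\VIARAID_OM74\DriverDisk\RAID\Winxp\viamraid.sys
[2004-07-06 22:45:42 | 000,060,672 | ---- | M] (VIA Technologies inc,.ltd) MD5=44056E9FEE477F512EE58BCFEE949621 -- C:\WINDOWS\system32\drivers\viamraid.sys

< MD5 for: EXAMPLE.SYS >
[2008-04-13 19:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=0123456789ABCDEF0123456789ABCDEF -- C:\WINDOWS\ServicePackFiles\i386\example.sys
[2010-03-08 07:12:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=DEADBEEFDEADBEEFDEADBEEFDEADBEEF -- C:\WINDOWS\system32\drivers\example.sys
"""

if __name__ == "__main__":
    for name, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(f"{name:14} {verdict}")
```

A "matches-other-copy" verdict (viamraid.sys here, whose only other copies are on the vendor's driver disk) is not a clean bill of health, only a note that the live file is not unique on the box; "SUSPECT" is the case a helper would chase first, and a live copy whose timestamp is newer than the service pack copy, as in the constructed EXAMPLE.SYS block, is a second hint in the same direction.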


#7 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:11:41 PM

Posted 13 March 2010 - 03:01 PM

Hi,


Please go here and have a look how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2



--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#8 Raksha

Raksha
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  • Local time:12:41 AM

Posted 13 March 2010 - 04:15 PM

Hi there,


I'm running into trouble now. The ComboFix program won't run (I've got lovely screencaps, not attached). Hereby the sequence I worked in:

Windows Defender: I could "close it down" via All Programs > Windows Defender > Tools tab > Options tab, as described in the link provided.
I don't seem to be able to find the other way (Go to Start > Control Panel > Security > Windows Defender, at the bottom of the Windows Defender page uncheck under Administrator Options "use Windows Defender" and then Save). No Windows Defender found there by me....

I searched for the Windows Firewall. Yesterday I turned it on, following directions from one of the tutorials (Network sections). I was able to turn it on. Now, using the same sequence, there is nothing to be found in "Network sections". I haven't got a clue where it could have gone... There is a message from Windows (didn't write it down). Only changes from yesterday: I ran Defogger, DDS, GMER (botched), OTL and now the "Schrauber" ComboFix.


After disabling everything I could think of:
Schrauber.exe initialized > shows loading bar > popups show up right away

Schrauber.exe Wrong image (?)
nidex.exe Wrong image (?)
iexplore.exe Wrong image (?)
n.pif Wrong image (?)
hidex.exe Wrong image (?)
hidex.exe Wrong image (?)
n.pif Wrong image (?)
etc.

The first try, a Windows popup showed up, asking to select the program from a list (I had put ComboFix on my desktop) > selected "Schrauber" and clicked [OK]

3 ComboFix load bars stay on the screen, and 3 times a warning popup showed together with:
Some files could not be created

Another popup made me break off this operation (and the endless number of ComboFix bars stuck on my desktop, none running anymore...)

Windows can't find 32788R22FWJFW\n.pif


With all these things disappearing (including the Windows firewall all of a sudden), I'm really reluctant to go online (plugging in the Internet).


Regards,

I hope I'm not a lost case.....

I forgot another exotic Windows message:
nircmd.cfxxe
A complete mystery to me...

Edited by Raksha, 13 March 2010 - 04:17 PM.
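
Every program ComboFix started on this machine (Schrauber.exe, n.pif, nidex.exe, hidex.exe, iexplore.exe) produced a "Wrong image" dialog, which reads like the Windows "Bad Image" hard error: a process tried to load a DLL that is not a valid PE image. One mechanism that produces exactly that pattern is a DLL registered under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls, because kernel32 loads every DLL listed there into each process that calls CreateProcess, so every program that starts another program trips over it. The MBAM log later in this thread reports a Trojan.Agent value named appsecdll under that key; that it was the cause of these dialogs is my inference, not something the thread establishes. The script below is an added example, not code from the thread or from any tool named in it: it reads a regedit export of that key and checks each listed DLL the way the loader would. The .reg text, the fake file system, and the file names example.dll and legit.dll are constructed; only the value name appsecdll is taken from the MBAM log.

```python
r"""Audit the AppCertDlls key for DLLs that every CreateProcess caller will load.

Added example, not from the thread or from any tool named in it. kernel32 loads
each DLL listed as a value under
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls into every
process that calls CreateProcess. A listed file that exists but is not a valid
PE image makes that process raise the "<program> - Bad Image" hard error, once
per program it tries to start.
"""
import re
import struct

APPCERT_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
               r"\Session Manager\AppCertDlls")
TRUSTED_PREFIX = "c:\\windows\\system32\\"

# regedit export line:  "name"="C:\\path\\file.dll"  (backslashes and quotes escaped)
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text, key=APPCERT_KEY):
    """Return {value_name: path} for the REG_SZ values under `key` in a .reg export."""
    values, in_key = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        m = VALUE_RE.match(line) if in_key else None
        if m:
            values[_unescape(m.group("name"))] = _unescape(m.group("data"))
    return values


def is_valid_pe(data):
    """The checks the loader makes first: 'MZ', e_lfanew inside the file, 'PE' plus two NUL bytes."""
    if data is None or len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def audit_appcert_dlls(values, read_file):
    """Return {value_name: (path, verdict)}; read_file(path) gives bytes or None."""
    report = {}
    for name, path in values.items():
        data = read_file(path)
        if data is None:
            verdict = "MISSING"            # LoadLibrary fails quietly; the hijack point remains
        elif not is_valid_pe(data):
            verdict = "BAD IMAGE"          # produces the dialog in every CreateProcess caller
        elif not path.lower().startswith(TRUSTED_PREFIX):
            verdict = "SUSPECT LOCATION"   # valid DLL, but loaded from a user-writable folder
        else:
            verdict = "loads"
        report[name] = (path, verdict)
    return report


def minimal_pe():
    """Smallest byte string is_valid_pe() accepts (a stand-in for a real DLL)."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew -> right after the DOS header
    return bytes(dos) + b"PE\0\0" + b"\0" * 20


# Constructed sample: a regedit export of the key with two hypothetical entries.
# The value name "appsecdll" comes from the MBAM log in this thread; the paths,
# example.dll and legit.dll are made up for the example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"appsecdll"="C:\\Documents and Settings\\user\\Local Settings\\Application Data\\Windows Server\\example.dll"
"legit"="C:\\WINDOWS\\system32\\legit.dll"
'''

# Constructed stand-in for the disk: the first DLL is a few bytes of junk.
FAKE_DISK = {
    r"C:\Documents and Settings\user\Local Settings\Application Data\Windows Server\example.dll": b"not a pe",
    r"C:\WINDOWS\system32\legit.dll": minimal_pe(),
}


def fake_read_file(path):
    return FAKE_DISK.get(path)


if __name__ == "__main__":
    for name, (path, verdict) in audit_appcert_dlls(parse_reg_export(SAMPLE_REG), fake_read_file).items():
        print(f"{verdict:17} {name} -> {path}")
```

On a real machine you would feed the script the output of `regedit /e` for that key and replace fake_read_file with one that opens the path on disk; the key is normally absent or empty on a stock XP install, so any value there deserves a look even when the file turns out to be a valid image.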


#9 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:11:41 PM

Posted 13 March 2010 - 05:35 PM

Hi,

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.



Also please post back with a fresh OTL logfile.
regards,
schrauber


#10 Raksha

Raksha
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  • Local time:12:41 AM

Posted 14 March 2010 - 06:26 AM

Hi there,

I ran into a snag...

The internet connection I left out the previous week isn't working anymore - after re-connecting: the computer didn't want to access the internet (no network card found).

I checked in (right-click) C > Manage > Device Manager > Network connections, and verified whether any drivers were missing. Driver (1 could not be found), downloaded and tried to run it, but the same thing now claimed that no update was needed... Still no internet.

I was pretty desperate, so now I'm going to run a few rescue CD's:
- AVG: when asking for updating I allowed it to connect to the internet (which worked!!).
- Intend to find something like Kaspersky or F-Secure to run it as well

I will write down all the finds, might help. If I can access the internet after that (without the boot CD's), I would like to continue above.


Unless of course I'm taking the wrong course of action - please tell me so, or what to do differently.
You all put so much effort into this, I don't want to let it go to waste. Any other options/tips on how to get my internet going (on the infected computer) are more than welcome (or telling me off for acting on my own).


Regards,

I'm open to suggestions on all approaches. The MBAM run I did with the program from the link provided returned with one hit - I can post the log here if someone is interested, but I'm afraid it won't result in much information, since the program used to run is slightly "outdated" - not updated from the internet.

#11 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:11:41 PM

Posted 14 March 2010 - 12:33 PM

Please do only the stuff I ask you to, and follow the steps above :)
regards,
schrauber


#12 Raksha

Raksha
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  • Local time:12:41 AM

Posted 15 March 2010 - 03:04 PM

Hi there,


My apologies for acting on my own and replying this late... I didn't read the green print very well, apparently... So I missed the mbam-rules update for running the latest MBAM.

I have run Mbam and OTL, results below (incl virus scans).


After noticing that my Windows account (Administrator) wasn't able to connect to the internet (even with internet connected) a "chronologic" recount of actions taken by me:
scan with AVG 9.0 (updated on the internet, after booting the rescue CD)
Scan found 60+ infected files - a short display below (I typed them, so typos included) - maybe someone is able to make sense of them (apart from "your PC is messy")

mnt/sdb1/Documents and Settings/Geertje/Local Settings/Temp/xdotucn.exe (Virus identified worm/ Generic.BAJW)
mnt/sdb1/Documents and Settings/Geertje/Local Settings/Temp/ktloywla.exe (Trojan Horse dropper agent QUM)
mnt/sdb1/Documents and Settings/Geertje/Local Settings/Temp/IXP000.TMP/lsass.exe (Trojan Horse Patched.c C2A)
mnt/sdb1/Documents and Settings/Geertje/Local Settings/Temporary internet files/ContentIE5/number[1].dat (Adware. Generic) (and 5 more of such)
mnt/sdb1/Documents and Settings/Geertje/Menu start/Programma's/Opstarten/dnusax.exe (Trojan Horse patched.c.CZA.dropper)

Local Service.NT Authority/Cookies/3 x tracking cookie
sdb1/Windows/System32/Drivers/pkrkegnv.sys (Trojan Horse Rootkit-Agent.EG)
mnt/sdb1/windows/Temp/Ddg.exe
Ddh.exe
ddi.exe
ddi.exe (and 40 or so more)
all Trojan Horse fake AV.AAW and/ or Trojan Horse SHeur3.CRA



Scan with F-Secure (recount with typos)
hda1/Documents and Settings/Geertje/Local Settings/Temp/641.exe
hda1/Documents and Settings/Geertje/Local Settings/Temp/956.exe
hda1/Documents and Settings/Geertje/Local Settings/Temp/981.exe
hda1/Documents and Settings/Geertje/Local Settings/Temp/IXP000./r.
hda1/Documents and Settings/Geertje/Local Settings/Temp/793.exe
hda1/System Volume Information/_restore{0BE3A996-8557-4343-A09C-9COB72-DAAE80}IRP0/A0000009.dll (Infected, Backdoor:W32/ TDSS.EM Krypt.22)
hda1/Windows/Temp/nsa6DB.tmp/e4u.exe
hda1/Windows/Temp/nsa6F7.tmp/e4u.exe
hda1/Windows/Temp/nsf6CF.tmp/e4u.exe
hda1/Windows/Temp/nsl6B8.tmp/e4u.exe
hda1/Windows/Temp/nsj6FF.tmp/e4u.exe
hda1/Windows/Temp/nsj700.tmp/e4u.exe
hda1/Windows/Temp/nsk71C.tmp/e4u.exe
hda1/Windows/Temp/nsk71O.tmp/e4u.exe
hda1/Windows/Temp/nsk71E.tmp/e4u.exe
hda1/Windows/Temp/nsm709.tmp/e4u.exe
hda1/Windows/Temp/nsz6F1.tmp/e4u.exe
hda1/Windows/Temp/nsz704.tmp/e4u.exe
hda1/Windows/Temp/nsp6CE.tmp/e4u.exe
hda1/Windows/Temp/nsq6F8.tmp/e4u.exe
hda1/Windows/Temp/nss6D1.tmp/e4u.exe


After restarting my computer, still "window" popups with "wrong image" notices etc (already quoted elsewhere in this post)


Hereby the Mbam scan result
Malwarebytes' Anti-Malware 1.44
Database version: 3861
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

15-3-2010 20:32:04
mbam-log-2010-03-15 (20-32-00).txt

Scan type: Quick Scan
Objects scanned: 181026
Time elapsed: 2 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\WEK9EMDHI9 (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\nsa6DB.tmp\e4u.exe.virus (Malware.Packer.Gen) -> No action taken.
C:\WINDOWS\Temp\nsa6F7.tmp\e4u.exe.virus (Malware.Packer.Gen) -> No action taken.
C:\WINDOWS\Temp\nsf6CF.tmp\e4u.exe.virus (Malware.Packer.Gen) -> No action taken.
C:\WINDOWS\Temp\nsi6B8.tmp\e4u.exe.virus (Malware.Packer.Gen) -> No action taken.
C:\WINDOWS\Temp\nsj6FF.tmp\e4u.exe.virus (Malware.Packer.Gen) -> No action taken.
C:\WINDOWS\Temp\nsj700.tmp\e4u.exe.virus (Malware.Packer.Gen) -> No action taken.
C:\WINDOWS\Temp\nsk71C.tmp\e4u.exe.virus (Malware.Packer.Gen) -> No action taken.
C:\WINDOWS\Temp\nsk71D.tmp\e4u.exe.virus (Malware.Packer.Gen) -> No action taken.
C:\WINDOWS\Temp\nsk71E.tmp\e4u.exe.virus (Malware.Packer.Gen) -> No action taken.
C:\WINDOWS\Temp\nsm709.tmp\e4u.exe.virus (Malware.Packer.Gen) -> No action taken.
C:\WINDOWS\Temp\nsz6F1.tmp\e4u.exe.virus (Malware.Packer.Gen) -> No action taken.
C:\WINDOWS\Temp\nsz704.tmp\e4u.exe.virus (Malware.Packer.Gen) -> No action taken.
C:\WINDOWS\Temp\nsp6CE.tmp\e4u.exe.virus (Malware.Packer.Gen) -> No action taken.
C:\WINDOWS\Temp\nsq6F8.tmp\e4u.exe.virus (Malware.Packer.Gen) -> No action taken.
C:\WINDOWS\Temp\nss6D1.tmp\e4u.exe.virus (Malware.Packer.Gen) -> No action taken.
C:\Documents and Settings\Geertje\Local Settings\Application Data\Windows Server\qvxoob.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Windows Server\qvxoob.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Windows Server\qvxoob.dll (Trojan.Agent) -> No action taken.


Guess what: after restarting the computer - no window messages popups anymore!!! Woot, I'm already less depressed!!!



The OTL scan results
OTL logfile created on: 15-3-2010 20:43:08 - Run 2
OTL by OldTimer - Version 3.1.37.1 Folder = C:\Documents and Settings\Geertje\Bureaublad
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000413 | Country: Nederland | Language: NLD | Date Format: d-M-yyyy

2,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 82,00% Memory free
3,00 Gb Paging File | 3,00 Gb Available in Paging File | 94,00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74,53 Gb Total Space | 54,75 Gb Free Space | 73,46% Space Free | Partition Type: NTFS
Drive D: | 74,52 Gb Total Space | 1,35 Gb Free Space | 1,81% Space Free | Partition Type: NTFS
Drive E: | 74,52 Gb Total Space | 5,06 Gb Free Space | 6,79% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 279,47 Gb Total Space | 10,11 Gb Free Space | 3,62% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded
Drive K: | 488,00 Mb Total Space | 18,97 Mb Free Space | 3,89% Space Free | Partition Type: FAT

Computer Name: GEERTJEXP
Current User Name: Geertje
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010-03-14 10:16:46 | 000,555,008 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Geertje\Bureaublad\OTL.exe
PRC - [2008-04-14 18:02:58 | 001,037,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006-11-03 18:20:12 | 000,866,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2006-11-03 18:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2005-06-14 05:35:46 | 000,278,528 | ---- | M] (InterVideo Inc.) -- C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
PRC - [2004-04-02 13:57:02 | 000,217,088 | ---- | M] (Promise Technology Inc.) -- C:\Program Files\Promise\Promise Disk Controller Manager\MsgAgt.exe


========== Modules (SafeList) ==========

MOD - [2010-03-14 10:16:46 | 000,555,008 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Geertje\Bureaublad\OTL.exe
MOD - [2009-07-12 01:12:06 | 000,632,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
MOD - [2009-07-12 01:09:20 | 000,554,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcp80.dll
MOD - [2008-04-13 18:37:57 | 000,208,384 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rsaenh.dll
MOD - [2006-11-03 18:20:00 | 000,083,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MpShHook.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (Scheduler)
SRV - File not found [Auto | Stopped] -- -- (NVOY)
SRV - File not found [On_Demand | Stopped] -- -- (nvcoas)
SRV - File not found [On_Demand | Stopped] -- -- (nsesvc)
SRV - File not found [Auto | Stopped] -- -- (NPROSECSVC)
SRV - File not found [Auto | Stopped] -- -- (Norman ZANDA)
SRV - File not found [On_Demand | Stopped] -- -- (Norman NJeeves)
SRV - File not found [Auto | Stopped] -- -- (eLoggerSvc6)
SRV - File not found [Auto | Stopped] -- -- (avg9wd)
SRV - [2006-11-03 18:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2004-04-02 13:57:02 | 000,217,088 | ---- | M] (Promise Technology Inc.) [Auto | Running] -- C:\Program Files\Promise\Promise Disk Controller Manager\MsgAgt.exe -- (UtMsgSvc)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
IE - HKCU\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found
IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:nl:official"
FF - prefs.js..extensions.enabledItems: betteryoutube@ginatrapani.org:0.4.3
FF - prefs.js..extensions.enabledItems: en-GB@dictionaries.addons.mozilla.org:1.19
FF - prefs.js..extensions.enabledItems: de-DE@dictionaries.addons.mozilla.org:2.0.1
FF - prefs.js..extensions.enabledItems: fr@dictionaries.addons.mozilla.org:3.5
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20100211.5
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: nl-NL@dictionaries.addons.mozilla.org:2.2.0

FF - HKLM\software\mozilla\Firefox\extensions\\avg@igeared: C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009-12-07 17:08:55 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009-12-07 17:08:57 | 000,000,000 | ---D | M]

[2008-12-11 16:35:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\Mozilla\Extensions
[2010-03-11 17:56:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\Mozilla\Firefox\Profiles\56vx7pwm.default\extensions
[2010-02-24 05:34:34 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Documents and Settings\Geertje\Application Data\Mozilla\Firefox\Profiles\56vx7pwm.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2008-08-01 04:42:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\Mozilla\Firefox\Profiles\56vx7pwm.default\extensions\betteryoutube@ginatrapani.org
[2010-02-24 05:34:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\Mozilla\Firefox\Profiles\56vx7pwm.default\extensions\de-DE@dictionaries.addons.mozilla.org
[2008-03-01 11:31:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\Mozilla\Firefox\Profiles\56vx7pwm.default\extensions\de-DE-alt@dictionaries.addons.mozilla.org
[2008-03-01 11:31:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\Mozilla\Firefox\Profiles\56vx7pwm.default\extensions\en-GB@dictionaries.addons.mozilla.org
[2010-02-24 05:34:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\Mozilla\Firefox\Profiles\56vx7pwm.default\extensions\fr@dictionaries.addons.mozilla.org
[2009-12-08 16:08:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\Mozilla\Firefox\Profiles\56vx7pwm.default\extensions\nl-NL@dictionaries.addons.mozilla.org
[2010-03-11 17:56:38 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009-12-07 17:08:38 | 000,001,892 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bolcom-nl.xml
[2009-12-07 17:08:38 | 000,004,558 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\marktplaats-nl.xml
[2009-12-07 17:08:38 | 000,001,111 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\vandale-nl.xml
[2009-12-07 17:08:38 | 000,001,049 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia-nl.xml
[2009-12-07 17:08:38 | 000,000,802 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-nl.xml

O1 HOSTS File: ([2010-03-08 01:57:40 | 000,000,185 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 96.168.178.115 secure.antimalwaredefender.com
O1 - Hosts: 96.168.178.115 support.antimalwaredefender.com
O1 - Hosts: 95.168.173.24 secure.antimalware-defender.com
O1 - Hosts: 95.168.173.24 support.antimalware-defender.com
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll File not found
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll File not found
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll File not found
O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll File not found
O4 - HKLM..\Run: [27761] C:\DOCUME~1\Geertje\LOCALS~1\Temp\igqjj.exe File not found
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programma's\Opstarten\InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe (InterVideo Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_13.dll (Sun Microsystems, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1165392383029 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll File not found
O20 - AppInit_DLLs: (app_dll.dll) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (Mijn huidige introductiepagina) - About:Home
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003-11-06 16:43:06 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: Ias - C:\WINDOWS\system32\ias [2005-12-30 14:25:13 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: SSHNAS - File not found

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PEVSystemStart - Service
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: procexp90.Sys - Driver
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: WinDefend - C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: NDIS - File not found
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PEVSystemStart - Service
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: procexp90.Sys - Driver
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: WinDefend - C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16891891626803200)

========== Files/Folders - Created Within 14 Days ==========

[2010-03-14 11:28:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\windows-rtlnic_618_
[2010-03-14 10:34:54 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010-03-14 10:34:52 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010-03-14 10:25:39 | 000,555,008 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Geertje\Bureaublad\OTL.exe
[2010-03-14 10:25:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Geertje\Bureaublad\14Mar10
[2010-03-14 10:19:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Geertje\Bureaublad\Combofix
[2010-03-13 22:23:55 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2010-03-11 21:22:31 | 000,000,000 | ---D | C] -- C:\Program Files\Runtime Software
[2010-03-08 21:14:42 | 000,000,000 | -H-D | C] -- C:\$AVG
[2010-03-08 20:55:59 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2010-03-08 20:51:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Geertje\Local Settings\Application Data\Windows Server
[2010-03-08 13:53:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Geertje\Application Data\Malwarebytes
[2010-03-08 13:53:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
[2010-03-08 13:53:43 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010-03-08 13:40:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Geertje\Bureaublad\Start 2
[2010-03-08 11:18:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Geertje\Application Data\AVG8
[2010-03-08 11:09:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\AVG Security Toolbar
[2010-03-08 10:41:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg9
[2005-12-30 18:08:02 | 000,160,640 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\a347bus.sys
[2005-12-30 18:08:02 | 000,005,248 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\a347scsi.sys
[2005-12-15 21:33:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Webroot
[2004-12-24 21:58:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2004-12-24 21:58:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2004-12-24 21:54:45 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2004-12-24 21:54:45 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010-03-15 20:37:40 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010-03-15 20:34:35 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2010-03-15 20:34:33 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010-03-15 20:34:27 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010-03-15 20:34:26 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010-03-15 20:34:25 | 2147,012,608 | -HS- | M] () -- C:\hiberfil.sys
[2010-03-15 20:33:33 | 016,777,216 | -H-- | M] () -- C:\Documents and Settings\Geertje\NTUSER.DAT
[2010-03-15 20:33:33 | 000,000,188 | -HS- | M] () -- C:\Documents and Settings\Geertje\ntuser.ini
[2010-03-15 20:32:35 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\Geertje\Bureaublad\Microsoft Office Word 2003.lnk
[2010-03-15 20:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2010-03-15 19:55:09 | 000,000,701 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Bureaublad\Malwarebytes' Anti-Malware.lnk
[2010-03-14 12:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
[2010-03-14 11:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
[2010-03-14 10:17:34 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\Geertje\Bureaublad\OTL file 14Mar10.doc
[2010-03-14 10:16:46 | 000,555,008 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Geertje\Bureaublad\OTL.exe
[2010-03-14 10:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
[2010-03-14 09:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
[2010-03-14 08:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
[2010-03-14 07:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
[2010-03-14 06:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
[2010-03-14 05:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At6.job
[2010-03-14 04:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
[2010-03-14 03:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2010-03-14 02:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2010-03-14 01:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2010-03-14 00:02:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2010-03-13 22:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
[2010-03-13 21:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2010-03-13 17:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
[2010-03-13 16:15:36 | 000,053,760 | ---- | M] () -- C:\Documents and Settings\Geertje\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010-03-13 16:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
[2010-03-13 15:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
[2010-03-13 14:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
[2010-03-13 13:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
[2010-03-13 09:37:39 | 000,002,495 | ---- | M] () -- C:\Documents and Settings\Geertje\Bureaublad\Microsoft Office Excel 2003.lnk
[2010-03-11 23:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At24.job
[2010-03-11 19:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2010-03-11 18:21:11 | 000,001,077 | ---- | M] () -- C:\WINDOWS\wincmd.ini
[2010-03-11 18:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
[2010-03-08 10:58:33 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\avhmg.sys
[2010-03-08 10:44:12 | 000,003,144 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\fiosejgfse.dll
[2010-03-05 20:35:31 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010-03-14 10:34:56 | 000,000,701 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Bureaublad\Malwarebytes' Anti-Malware.lnk
[2010-03-14 10:25:39 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\Geertje\Bureaublad\OTL file 14Mar10.doc
[2010-03-13 19:36:21 | 2147,012,608 | -HS- | C] () -- C:\hiberfil.sys
[2010-03-13 14:35:47 | 000,007,415 | ---- | C] () -- C:\Program Files\Nero Log 2010Mar13.txt
[2010-03-08 10:16:19 | 000,003,144 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\fiosejgfse.dll
[2010-03-08 08:56:47 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At24.job
[2010-03-08 08:56:47 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At23.job
[2010-03-08 08:56:47 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At22.job
[2010-03-08 08:56:47 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At21.job
[2010-03-08 08:56:47 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At20.job
[2010-03-08 08:56:47 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At19.job
[2010-03-08 08:56:47 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At18.job
[2010-03-08 08:56:47 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At17.job
[2010-03-08 08:56:47 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At16.job
[2010-03-08 08:56:47 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At15.job
[2010-03-08 08:56:47 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At14.job
[2010-03-08 08:56:47 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At13.job
[2010-03-08 08:56:46 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At9.job
[2010-03-08 08:56:46 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At8.job
[2010-03-08 08:56:46 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At7.job
[2010-03-08 08:56:46 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At6.job
[2010-03-08 08:56:46 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At5.job
[2010-03-08 08:56:46 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At4.job
[2010-03-08 08:56:46 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At3.job
[2010-03-08 08:56:46 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At2.job
[2010-03-08 08:56:46 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At12.job
[2010-03-08 08:56:46 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At11.job
[2010-03-08 08:56:46 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At10.job
[2010-03-08 08:56:46 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\At1.job
[2010-03-08 01:55:43 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\drivers\avhmg.sys
[2009-04-12 19:48:41 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009-04-12 19:48:40 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009-04-12 18:17:17 | 000,000,025 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2008-07-07 19:13:48 | 002,067,140 | R--- | C] () -- C:\WINDOWS\System32\avcodec.dll
[2006-12-10 10:57:23 | 000,034,308 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2006-12-10 10:10:20 | 000,000,085 | -HS- | C] () -- C:\Documents and Settings\Geertje\Application Data\.zreglib
[2006-10-11 19:32:44 | 000,000,032 | ---- | C] () -- C:\WINDOWS\CD_Start.INI
[2006-09-09 11:55:54 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006-03-18 13:06:16 | 000,000,159 | ---- | C] () -- C:\WINDOWS\wcx_ftp.ini
[2006-02-18 13:17:16 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2006-02-18 13:17:16 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2006-02-18 13:17:16 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2006-02-18 13:17:16 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2006-02-18 13:17:16 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2006-02-18 13:17:16 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2006-02-18 13:17:04 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\cddvdint.dll
[2006-01-02 17:23:16 | 000,003,584 | ---- | C] () -- C:\WINDOWS\System32\wmfhotfix.dll
[2005-12-31 11:23:31 | 000,000,379 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005-12-30 21:16:02 | 000,000,721 | ---- | C] () -- C:\WINDOWS\DVDFabGold.INI
[2005-12-30 18:34:15 | 000,001,077 | ---- | C] () -- C:\WINDOWS\wincmd.ini
[2005-12-30 15:58:49 | 000,157,184 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2005-12-30 15:55:27 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\vusetup.dll
[2005-12-30 15:48:53 | 000,053,760 | ---- | C] () -- C:\Documents and Settings\Geertje\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005-12-30 15:03:38 | 000,002,740 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2005-12-30 15:03:34 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2004-08-04 13:00:00 | 000,096,512 | ---- | C] () -- C:\WINDOWS\System32\drivers\atapi.sys
[2003-06-24 15:14:07 | 000,194,048 | ---- | C] () -- C:\WINDOWS\System32\xvid.dll
[2002-10-15 23:54:04 | 000,153,088 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2002-10-06 19:42:57 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\OggDS.dll
[2002-10-05 00:04:25 | 000,921,600 | ---- | C] () -- C:\WINDOWS\System32\vorbisenc.dll
[2002-10-05 00:04:24 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll
[2002-10-05 00:04:17 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\ogg.dll

========== LOP Check ==========

[2010-03-08 13:39:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\AVG Security Toolbar
[2010-03-09 19:21:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg9
[2009-05-18 19:15:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
[2010-01-30 15:32:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Zoom Player
[2006-01-07 11:21:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\.ABC
[2005-12-31 11:54:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\.BitTornado
[2006-12-10 10:10:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\Elaborate Bytes
[2006-02-18 13:19:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\InterVideo
[2007-11-18 20:29:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\Juniper Networks
[2007-02-18 09:02:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\Minitab
[2009-05-18 20:37:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\NewsLeecher
[2008-08-27 20:54:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\Sports Interactive
[2009-05-18 19:15:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\URSoft
[2008-12-12 15:27:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\Vso
[2005-12-30 16:31:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\XnView
[2010-03-14 00:02:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At1.job
[2010-03-14 09:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At10.job
[2010-03-14 10:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At11.job
[2010-03-14 11:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At12.job
[2010-03-14 12:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At13.job
[2010-03-13 13:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At14.job
[2010-03-13 14:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At15.job
[2010-03-13 15:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At16.job
[2010-03-13 16:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At17.job
[2010-03-13 17:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At18.job
[2010-03-11 18:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At19.job
[2010-03-14 01:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At2.job
[2010-03-11 19:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At20.job
[2010-03-15 20:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At21.job
[2010-03-13 21:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At22.job
[2010-03-13 22:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At23.job
[2010-03-11 23:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At24.job
[2010-03-14 02:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At3.job
[2010-03-14 03:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At4.job
[2010-03-14 04:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At5.job
[2010-03-14 05:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At6.job
[2010-03-14 06:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At7.job
[2010-03-14 07:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At8.job
[2010-03-14 08:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\At9.job
[2010-03-15 20:37:40 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2010-03-15 20:34:35 | 000,000,260 | ---- | M] () -- C:\WINDOWS\Tasks\WGASetup.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004-08-04 13:00:00 | 018,788,859 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008-12-11 16:40:20 | 023,899,725 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008-12-11 16:40:20 | 023,899,725 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008-04-13 19:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008-04-13 19:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004-08-04 13:00:00 | 018,788,859 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008-12-11 16:40:20 | 023,899,725 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008-12-11 16:40:20 | 023,899,725 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008-04-13 19:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008-04-13 19:40:30 | 000,096,512 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008-04-14 18:02:25 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=CA64B9406EEDA4FFA2DAEAE1DABCCE42 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008-04-14 18:02:25 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=CA64B9406EEDA4FFA2DAEAE1DABCCE42 -- C:\WINDOWS\system32\eventlog.dll
[2004-08-04 13:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=F1720914CAB06FDE4BE250E3767713CF -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2004-08-04 13:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=B3FDAC7A518B6B684BEFE792DC1DC560 -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2008-04-14 18:02:33 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=E6A7071DF6855AB7CCCC220AC3AAD087 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008-04-14 18:02:33 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=E6A7071DF6855AB7CCCC220AC3AAD087 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008-04-14 18:02:39 | 000,185,856 | ---- | M] (Microsoft Corporation) MD5=0E3B585761E23C1E35442E972B7E45F9 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008-04-14 18:02:39 | 000,185,856 | ---- | M] (Microsoft Corporation) MD5=0E3B585761E23C1E35442E972B7E45F9 -- C:\WINDOWS\system32\scecli.dll
[2004-08-04 13:00:00 | 000,184,832 | ---- | M] (Microsoft Corporation) MD5=5AE934F6837B5A583DED535C4BE5A804 -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll

< MD5 for: VIAMRAID.SYS >
[2004-07-06 22:45:36 | 000,060,672 | ---- | M] (VIA Technologies inc,.ltd) MD5=44056E9FEE477F512EE58BCFEE949621 -- C:\software\driver\moederbord\MSI-k8t800\VIA_RAID_OM74\VIARAID_OM74\DriverDisk\RAID\2003IA32\viamraid.sys
[2004-07-06 22:45:38 | 000,060,672 | ---- | M] (VIA Technologies inc,.ltd) MD5=44056E9FEE477F512EE58BCFEE949621 -- C:\software\driver\moederbord\MSI-k8t800\VIA_RAID_OM74\VIARAID_OM74\DriverDisk\RAID\Win2000\viamraid.sys
[2004-07-06 22:45:42 | 000,060,672 | ---- | M] (VIA Technologies inc,.ltd) MD5=44056E9FEE477F512EE58BCFEE949621 -- C:\software\driver\moederbord\MSI-k8t800\VIA_RAID_OM74\VIARAID_OM74\DriverDisk\RAID\Winxp\viamraid.sys
[2004-07-06 22:45:36 | 000,060,672 | ---- | M] (VIA Technologies inc,.ltd) MD5=44056E9FEE477F512EE58BCFEE949621 -- C:\software\driver\moederbord\MSI-k8t800\VIA_RAID_OM74\VIARAID_OM74\VIARaid\driver\2003IA32\viamraid.sys
[2004-07-06 22:45:38 | 000,060,672 | ---- | M] (VIA Technologies inc,.ltd) MD5=44056E9FEE477F512EE58BCFEE949621 -- C:\software\driver\moederbord\MSI-k8t800\VIA_RAID_OM74\VIARAID_OM74\VIARaid\driver\Win2000\viamraid.sys
[2004-07-06 22:45:42 | 000,060,672 | ---- | M] (VIA Technologies inc,.ltd) MD5=44056E9FEE477F512EE58BCFEE949621 -- C:\software\driver\moederbord\MSI-k8t800\VIA_RAID_OM74\VIARAID_OM74\VIARaid\driver\Winxp\viamraid.sys
[2004-07-06 22:45:42 | 000,060,672 | ---- | M] (VIA Technologies inc,.ltd) MD5=44056E9FEE477F512EE58BCFEE949621 -- C:\WINDOWS\system32\drivers\viamraid.sys
[2004-07-06 22:45:40 | 000,067,392 | ---- | M] (VIA Technologies inc,.ltd) MD5=813C738B09E80C4A4E0585FB95A2F897 -- C:\software\driver\moederbord\MSI-k8t800\VIA_RAID_OM74\VIARAID_OM74\DriverDisk\RAID\Winnt40\viamraid.sys
[2004-07-06 22:45:40 | 000,067,392 | ---- | M] (VIA Technologies inc,.ltd) MD5=813C738B09E80C4A4E0585FB95A2F897 -- C:\software\driver\moederbord\MSI-k8t800\VIA_RAID_OM74\VIARAID_OM74\VIARaid\driver\Winnt40\viamraid.sys

< %systemroot%\*. /mp /s >
< End of report >



So far, so good. I'm still not able to access the internet on my computer (or find the Windows firewall again....)
I'll stay away from the virus scanners.

Regards

#13 schrauber


    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 15 March 2010 - 04:36 PM

Hi,


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    CODE
    :OTL
    IE - HKCU\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found
    IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll File not found
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
    O4 - HKLM..\Run: [27761] C:\DOCUME~1\Geertje\LOCALS~1\Temp\igqjj.exe File not found
    [2010-03-08 10:44:12 | 000,003,144 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\fiosejgfse.dll

    :files
    C:\WINDOWS\tasks\At*.job
    C:\WINDOWS\system32\drivers\atapi.sys|C:\WINDOWS\ServicePackFiles\i386\atapi.sys /replace
    :Commands
    [emptytemp]
    [resethosts]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
================================Follow up scan=================================
  • Double click on OTL to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open one notepad window: OTL.Txt. This is saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply.

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#14 Raksha

  • Topic Starter

  • Members
  • 52 posts

Posted 16 March 2010 - 02:09 PM

Hi! Back again

Here is the 1st log
All processes killed
========== OTL ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\*{CFBFAE00-17A6-11D0-99CB-00C04FD64497} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\*{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\ not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\27761 deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\fiosejgfse.dll moved successfully.
========== FILES ==========
C:\WINDOWS\tasks\At1.job moved successfully.
C:\WINDOWS\tasks\At10.job moved successfully.
C:\WINDOWS\tasks\At11.job moved successfully.
C:\WINDOWS\tasks\At12.job moved successfully.
C:\WINDOWS\tasks\At13.job moved successfully.
C:\WINDOWS\tasks\At14.job moved successfully.
C:\WINDOWS\tasks\At15.job moved successfully.
C:\WINDOWS\tasks\At16.job moved successfully.
C:\WINDOWS\tasks\At17.job moved successfully.
C:\WINDOWS\tasks\At18.job moved successfully.
C:\WINDOWS\tasks\At19.job moved successfully.
C:\WINDOWS\tasks\At2.job moved successfully.
C:\WINDOWS\tasks\At20.job moved successfully.
C:\WINDOWS\tasks\At21.job moved successfully.
C:\WINDOWS\tasks\At22.job moved successfully.
C:\WINDOWS\tasks\At23.job moved successfully.
C:\WINDOWS\tasks\At24.job moved successfully.
C:\WINDOWS\tasks\At3.job moved successfully.
C:\WINDOWS\tasks\At4.job moved successfully.
C:\WINDOWS\tasks\At5.job moved successfully.
C:\WINDOWS\tasks\At6.job moved successfully.
C:\WINDOWS\tasks\At7.job moved successfully.
C:\WINDOWS\tasks\At8.job moved successfully.
C:\WINDOWS\tasks\At9.job moved successfully.
File C:\WINDOWS\system32\drivers\atapi.sys successfully replaced with C:\WINDOWS\ServicePackFiles\i386\atapi.sys
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 1162742 bytes
->Temporary Internet Files folder emptied: 7802573 bytes
->Flash cache emptied: 300 bytes

User: Administrator.GEERTJEXP
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: All Users

User: All Users.WINDOWS

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User.WINDOWS
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Geert.GEERTJEXP
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Geert.GEERTJEXP.000
->Temp folder emptied: 361625 bytes
->Temporary Internet Files folder emptied: 38619 bytes

User: Geertje
->Temp folder emptied: 1770979369 bytes
->Temporary Internet Files folder emptied: 34881416 bytes
->Java cache emptied: 74990242 bytes
->FireFox cache emptied: 40825018 bytes
->Flash cache emptied: 56444 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: LocalService.NT AUTHORITY
->Temp folder emptied: 37264672 bytes
->Temporary Internet Files folder emptied: 436875 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 402 bytes

User: NetworkService.NT AUTHORITY
->Temp folder emptied: 1618194 bytes
->Temporary Internet Files folder emptied: 6406201 bytes
->Flash cache emptied: 681 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2133809 bytes
%systemroot%\System32 .tmp files removed: 1262877 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 47163409 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 3285 bytes

Total Files Cleaned = 1.934,00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.1.37.1 log created on 03162010_194653

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\TBPB96NH\[CO] Robotech not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXGBKNMJ\[CO] Robotech not found!
File\Folder C:\Documents and Settings\Geertje\Local Settings\Temporary Internet Files\Content.IE5\WHC9ERG5\gUAAAAAAAIAAgAAAAAAAeLJPCcBAAAAAAAAAAAAANc-YAAAAAAAAAIAAAAAAADgVqgAAAAAAAAAAAAAAAAAfAMZoT0AAAA=,,http%3A%2F%2Fad.seeknet2[1].com%2Fgoad%2F%3Faff_id%3D15812,;ord=5617454499366390 not found!
File\Folder C:\Documents and Settings\Geertje\Local Settings\Temporary Internet Files\Content.IE5\I1GLMJO7\QAAAAAAAIAAwAAAAAAZR7WPCcBAAAAAAAAAAASe9c-YAAAAAAAAAIAAAAAAADgVqgAAAAAAAAAAAAAAAAAfAPZ8T0AAAA=,,http%3A%2F%2Fad.questmedianet[1].com%2Fadserv%2F%3Faff_id%3D15803,;ord=1268036017 not found!
File\Folder C:\Documents and Settings\Geertje\Local Settings\Temporary Internet Files\Content.IE5\DXB72W2T\QAAAAAAAIAAwAAAAAAbWTXPCcBAAAAAAAAAAD769c-YAAAAAAAAAIAAAAAAADgVqgAAAAAAAAAAAAAAAAAfAO5WTMAAAA=,,http%3A%2F%2Fad.questmedianet[1].com%2Fadserv%2F%3Faff_id%3D15803,;ord=1268036101 not found!
File\Folder C:\Documents and Settings\Geertje\Local Settings\Temporary Internet Files\Content.IE5\AHWTODA7\gQAAAAAAAIAAwAAAAAA6avKPCcBAAAAAAAAAABhgtc-YAAAAAAAAAIAAAAAAADgVqgAAAAAAAAAAAAAAAAAfAMpxDUAAAA=,,http%3A%2F%2Fad.questmedianet[1].com%2Fadserv%2F%3Faff_id%3D8917,;ord=1268035267 not found!

Registry entries deleted on Reboot...


After reboot the following OTL scan generated this file:

OTL logfile created on: 16-3-2010 19:55:10 - Run 3
OTL by OldTimer - Version 3.1.37.1 Folder = C:\Documents and Settings\Geertje\Bureaublad
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000413 | Country: Nederland | Language: NLD | Date Format: d-M-yyyy

2,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 83,00% Memory free
3,00 Gb Paging File | 3,00 Gb Available in Paging File | 94,00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74,53 Gb Total Space | 56,61 Gb Free Space | 75,96% Space Free | Partition Type: NTFS
Drive D: | 74,52 Gb Total Space | 1,35 Gb Free Space | 1,81% Space Free | Partition Type: NTFS
Drive E: | 74,52 Gb Total Space | 5,06 Gb Free Space | 6,79% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 279,47 Gb Total Space | 10,11 Gb Free Space | 3,62% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded
Drive K: | 488,00 Mb Total Space | 24,44 Mb Free Space | 5,01% Space Free | Partition Type: FAT

Computer Name: GEERTJEXP
Current User Name: Geertje
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Geertje\Bureaublad\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE (Microsoft Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
PRC - C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe (InterVideo Inc.)
PRC - C:\Program Files\Promise\Promise Disk Controller Manager\MsgAgt.exe (Promise Technology Inc.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Geertje\Bureaublad\OTL.exe (OldTimer Tools)


========== Win32 Services (SafeList) ==========

SRV - (Scheduler) -- File not found
SRV - (NVOY) -- File not found
SRV - (nvcoas) -- File not found
SRV - (nsesvc) -- File not found
SRV - (NPROSECSVC) -- File not found
SRV - (Norman ZANDA) -- File not found
SRV - (Norman NJeeves) -- File not found
SRV - (eLoggerSvc6) -- File not found
SRV - (avg9wd) -- File not found
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)
SRV - (UtMsgSvc) -- C:\Program Files\Promise\Promise Disk Controller Manager\MsgAgt.exe (Promise Technology Inc.)


========== Driver Services (SafeList) ==========

DRV - (avhmg) -- C:\WINDOWS\system32\drivers\avhmg.sys ()
DRV - (NvcMFlt) -- C:\WINDOWS\system32\drivers\nvcw32mf.sys (Norman ASA)
DRV - (Tcpip6) -- C:\WINDOWS\system32\drivers\tcpip6.sys (Microsoft Corporation)
DRV - (atapi) -- C:\WINDOWS\system32\DRIVERS\atapi.sys ()
DRV - (RTL8023xp) -- C:\WINDOWS\system32\drivers\Rtnicxp.sys (Realtek Semiconductor Corporation )
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\alcxwdm.sys (Realtek Semiconductor Corp.)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (rtl8139) NT-stuurprogramma voor Realtek RTL8139(A/B/C) -- C:\WINDOWS\system32\drivers\RTL8139.sys (Realtek Semiconductor Corporation)
DRV - (a347bus) -- C:\WINDOWS\system32\DRIVERS\a347bus.sys ( )
DRV - (a347scsi) -- C:\WINDOWS\System32\Drivers\a347scsi.sys ( )
DRV - (ftsata2) -- C:\WINDOWS\system32\DRIVERS\ftsata2.sys (Promise Technology, Inc.)
DRV - (bb-run) -- C:\WINDOWS\system32\DRIVERS\bb-run.sys (Promise Technology, Inc.)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:nl:official"
FF - prefs.js..extensions.enabledItems: betteryoutube@ginatrapani.org:0.4.3
FF - prefs.js..extensions.enabledItems: en-GB@dictionaries.addons.mozilla.org:1.19
FF - prefs.js..extensions.enabledItems: de-DE@dictionaries.addons.mozilla.org:2.0.1
FF - prefs.js..extensions.enabledItems: fr@dictionaries.addons.mozilla.org:3.5
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20100211.5
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}:6.0.05
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}:6.0.11
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: nl-NL@dictionaries.addons.mozilla.org:2.2.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.5

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2008-12-11 16:46:31 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\avg@igeared: C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009-12-07 17:08:55 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009-12-07 17:08:57 | 000,000,000 | ---D | M]

[2008-12-11 16:35:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\Mozilla\Extensions
[2008-12-11 16:35:37 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Geertje\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2010-03-11 17:56:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\Mozilla\Firefox\Profiles\56vx7pwm.default\extensions
[2010-02-24 05:34:34 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Documents and Settings\Geertje\Application Data\Mozilla\Firefox\Profiles\56vx7pwm.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2008-08-01 04:42:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\Mozilla\Firefox\Profiles\56vx7pwm.default\extensions\betteryoutube@ginatrapani.org
[2010-02-24 05:34:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\Mozilla\Firefox\Profiles\56vx7pwm.default\extensions\de-DE@dictionaries.addons.mozilla.org
[2008-03-01 11:31:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\Mozilla\Firefox\Profiles\56vx7pwm.default\extensions\de-DE-alt@dictionaries.addons.mozilla.org
[2008-03-01 11:31:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\Mozilla\Firefox\Profiles\56vx7pwm.default\extensions\en-GB@dictionaries.addons.mozilla.org
[2010-02-24 05:34:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\Mozilla\Firefox\Profiles\56vx7pwm.default\extensions\fr@dictionaries.addons.mozilla.org
[2009-12-08 16:08:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geertje\Application Data\Mozilla\Firefox\Profiles\56vx7pwm.default\extensions\nl-NL@dictionaries.addons.mozilla.org
[2010-03-11 17:56:38 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009-12-07 17:08:56 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2008-07-08 19:34:05 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
[2008-12-11 16:47:03 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
[2009-07-07 11:14:18 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2009-12-07 17:07:54 | 000,023,512 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2009-12-07 17:07:55 | 000,137,176 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2009-03-09 04:19:09 | 000,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
[2006-12-12 10:48:22 | 001,440,560 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\npLegitCheckPlugin.dll
[2009-12-07 17:08:27 | 000,064,984 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2007-03-22 18:23:30 | 000,017,248 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPOFFICE.DLL
[2008-04-10 20:18:04 | 000,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
[2008-04-10 20:18:04 | 000,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
[2008-04-10 20:18:04 | 000,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
[2008-04-10 20:18:04 | 000,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
[2008-04-10 20:18:04 | 000,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
[2008-04-10 20:18:04 | 000,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
[2008-04-10 20:18:04 | 000,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
[2009-10-16 01:42:28 | 000,002,295 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\avg_igeared.xml
[2009-12-07 17:08:38 | 000,001,892 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bolcom-nl.xml
[2009-12-07 17:08:38 | 000,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2009-12-07 17:08:38 | 000,004,558 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\marktplaats-nl.xml
[2009-12-07 17:08:38 | 000,001,111 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\vandale-nl.xml
[2009-12-07 17:08:38 | 000,001,049 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia-nl.xml
[2009-12-07 17:08:38 | 000,000,802 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-nl.xml

O1 HOSTS File: ([2010-03-16 19:48:15 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll File not found
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found.
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll File not found
O3 - HKCU\..\Toolbar\ShellBrowser: (&Adres) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Adres) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Koppelingen) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll File not found
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programma's\Opstarten\InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe (InterVideo Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_13.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1165392383029 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll File not found
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (app_dll.dll) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Preloader van browseui - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Cache-daemon voor onderdeelcategorieën - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (Mijn huidige introductiepagina) - About:Home
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003-11-06 16:43:06 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010-03-16 19:46:53 | 000,000,000 | ---D | C] -- C:\_OTL
[2010-03-15 21:44:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Geertje\Bureaublad\ta8lan_24753
[2010-03-15 21:22:50 | 000,000,000 | ---D | C] -- C:\drivers
[2010-03-14 11:28:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\windows-rtlnic_618_
[2010-03-14 10:34:54 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010-03-14 10:34:52 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010-03-14 10:25:39 | 000,555,008 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Geertje\Bureaublad\OTL.exe
[2010-03-14 10:25:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Geertje\Bureaublad\14Mar10
[2010-03-14 10:19:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Geertje\Bureaublad\Combofix
[2010-03-13 22:23:55 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2010-03-11 21:22:31 | 000,000,000 | ---D | C] -- C:\Program Files\Runtime Software
[2010-03-08 21:14:42 | 000,000,000 | -H-D | C] -- C:\$AVG
[2010-03-08 20:55:59 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2010-03-08 20:51:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Geertje\Local Settings\Application Data\Windows Server
[2010-03-08 13:53:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Geertje\Application Data\Malwarebytes
[2010-03-08 13:53:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
[2010-03-08 13:53:43 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010-03-08 13:40:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Geertje\Bureaublad\Start 2
[2010-03-08 11:18:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Geertje\Application Data\AVG8
[2010-03-08 11:09:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\AVG Security Toolbar
[2010-03-08 10:41:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg9
[2005-12-30 18:08:02 | 000,160,640 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\a347bus.sys
[2005-12-30 18:08:02 | 000,005,248 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\a347scsi.sys
[2005-12-15 21:33:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Webroot
[2004-12-24 21:58:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2004-12-24 21:58:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2004-12-24 21:54:45 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2004-12-24 21:54:45 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft

========== Files - Modified Within 30 Days ==========

[2010-03-16 19:52:38 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010-03-16 19:49:43 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2010-03-16 19:49:33 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010-03-16 19:49:27 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010-03-16 19:49:26 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010-03-16 19:49:25 | 2147,012,608 | -HS- | M] () -- C:\hiberfil.sys
[2010-03-16 19:48:25 | 016,777,216 | -H-- | M] () -- C:\Documents and Settings\Geertje\NTUSER.DAT
[2010-03-16 19:48:25 | 000,000,188 | -HS- | M] () -- C:\Documents and Settings\Geertje\ntuser.ini
[2010-03-16 19:48:15 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2010-03-15 20:32:35 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\Geertje\Bureaublad\Microsoft Office Word 2003.lnk
[2010-03-15 19:55:09 | 000,000,701 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Bureaublad\Malwarebytes' Anti-Malware.lnk
[2010-03-14 10:16:46 | 000,555,008 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Geertje\Bureaublad\OTL.exe
[2010-03-13 16:15:36 | 000,053,760 | ---- | M] () -- C:\Documents and Settings\Geertje\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010-03-13 09:37:39 | 000,002,495 | ---- | M] () -- C:\Documents and Settings\Geertje\Bureaublad\Microsoft Office Excel 2003.lnk
[2010-03-11 18:21:11 | 000,001,077 | ---- | M] () -- C:\WINDOWS\wincmd.ini
[2010-03-08 10:58:33 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\avhmg.sys
[2010-03-05 20:35:31 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2010-02-24 09:16:06 | 000,181,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010-02-24 03:00:47 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

========== Files Created - No Company Name ==========

[2010-03-14 10:34:56 | 000,000,701 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Bureaublad\Malwarebytes' Anti-Malware.lnk
[2010-03-13 19:36:21 | 2147,012,608 | -HS- | C] () -- C:\hiberfil.sys
[2010-03-13 14:35:47 | 000,007,415 | ---- | C] () -- C:\Program Files\Nero Log 2010Mar13.txt
[2010-03-08 01:55:43 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\drivers\avhmg.sys
[2009-04-12 19:48:41 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009-04-12 19:48:40 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009-04-12 18:17:17 | 000,000,025 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2008-07-07 19:13:48 | 002,067,140 | R--- | C] () -- C:\WINDOWS\System32\avcodec.dll
[2006-12-10 10:57:23 | 000,034,308 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2006-12-10 10:10:20 | 000,000,085 | -HS- | C] () -- C:\Documents and Settings\Geertje\Application Data\.zreglib
[2006-10-11 19:32:44 | 000,000,032 | ---- | C] () -- C:\WINDOWS\CD_Start.INI
[2006-09-09 11:55:54 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006-03-18 13:06:16 | 000,000,159 | ---- | C] () -- C:\WINDOWS\wcx_ftp.ini
[2006-02-18 13:17:16 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2006-02-18 13:17:16 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2006-02-18 13:17:16 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2006-02-18 13:17:16 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2006-02-18 13:17:16 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2006-02-18 13:17:16 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2006-02-18 13:17:04 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\cddvdint.dll
[2006-01-02 17:23:16 | 000,003,584 | ---- | C] () -- C:\WINDOWS\System32\wmfhotfix.dll
[2005-12-31 11:23:31 | 000,000,379 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005-12-30 21:16:02 | 000,000,721 | ---- | C] () -- C:\WINDOWS\DVDFabGold.INI
[2005-12-30 18:34:15 | 000,001,077 | ---- | C] () -- C:\WINDOWS\wincmd.ini
[2005-12-30 15:58:49 | 000,157,184 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2005-12-30 15:55:27 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\vusetup.dll
[2005-12-30 15:48:53 | 000,053,760 | ---- | C] () -- C:\Documents and Settings\Geertje\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005-12-30 15:03:38 | 000,002,740 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2005-12-30 15:03:34 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2004-08-04 13:00:00 | 000,096,512 | ---- | C] () -- C:\WINDOWS\System32\drivers\atapi.sys
[2003-06-24 15:14:07 | 000,194,048 | ---- | C] () -- C:\WINDOWS\System32\xvid.dll
[2002-10-15 23:54:04 | 000,153,088 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2002-10-06 19:42:57 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\OggDS.dll
[2002-10-05 00:04:25 | 000,921,600 | ---- | C] () -- C:\WINDOWS\System32\vorbisenc.dll
[2002-10-05 00:04:24 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll
[2002-10-05 00:04:17 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\ogg.dll
< End of report >


Thank you for taking care of me/ my computer. (I'm curious what the results will be)


Regards,

#15 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:11:41 PM

Posted 17 March 2010 - 01:22 PM

Hi,

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or you can hold down your Windows key and press R), then copy and paste the following into the text field (make sure you include the quote marks). Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file called "TDSSKiller.txt" should be created on your C: drive. Please copy and paste the contents of that file here.

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.


