Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Searches are redirected, Random popups, & Unable to update software


  • This topic is locked This topic is locked
23 replies to this topic

#1 superstickytape

superstickytape

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:06:41 PM

Posted 25 March 2010 - 07:12 PM

All of my searches in Yahoo or Google gets redirected to another site. Mock websites of the ones i had originally wanted to visit, etc etc. I figured i caught some infection and tried updating my Antivirus software (kasperskys) and no luck. It just stayed at 0%. Ive also been getting random popups too. Here is the DDS file posted below, and also the "attach" file as an attachment as directed. I've tried doing the "gmer" program, first time displaying the blue screen after 3 hours of scanning wanting to dump physical memory. The second time i tried using that program, it ended not responding and freezing the computer..

Any help would be greatly appreciated!



DDS (Ver_10-03-17.01) - NTFSx86
Run by Phillip at 21:12:31.26 on Wed 03/24/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.261 [GMT -5:00]

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
svchost.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Phillip\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\ievkbd.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\Quickset.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [avp] "c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/E/3/9/E39C664F-A8E3-4F69-A109-1AE9849204EE/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~2\mzvkbd3.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\phillip\applic~1\mozilla\firefox\profiles\tdyv4m3c.default\
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: keyword.URL - hxxp://search.myheritage.com/?orig=ds&q=
FF - component: c:\documents and settings\phillip\application data\mozilla\firefox\profiles\tdyv4m3c.default\extensions\{fcab6fdd-5585-425b-95c1-5ed856f3fd08}\components\nsCatcher.dll
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-6-15 128016]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-23 64288]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-3-20 296976]
R2 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe [2009-7-3 303376]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1228208]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-3-19 24652]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-5-16 19472]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\androidusb.sys --> c:\windows\system32\drivers\ANDROIDUSB.sys [?]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 31760]

=============== Created Last 30 ================

2010-03-24 04:34:32 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-03-24 04:30:44 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-24 04:28:38 0 d-----w- c:\program files\Lavasoft
2010-03-10 12:52:11 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

==================== Find3M ====================

2009-03-20 02:28:22 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009031920090320\index.dat
2009-09-05 20:09:28 3971104 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-09-05 20:09:28 802848 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-09-05 20:11:56 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
2009-03-20 22:39:59 32768 --sha-w- c:\windows\temp\cookies\index.dat
2009-03-20 22:39:59 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-03-20 22:39:59 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 21:13:27.32 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Somewhere
  • Local time:07:41 AM

Posted 29 March 2010 - 09:03 PM

Hey superstickytape,

Welcome to Bleepingcomputer! I'm Ltangelic and I'll be helping you fix your computer problem.

Before we proceed, here are some things that you can take note of so that the cleaning up process will be more smooth and efficient. Do not worry, the points below are not any form of rules, it's just a few pointers that can ensure that you will get the best help from me. smile.gif
  • To ensure that you are informed of the latest replies to your thread, you may like to right click on Options at the top right hand corner of this page and select "Subscribe to this forum". That way, you will be notified via email when a reply was posted to your thread.
  • If you have any doubts or uncertainty about any part of my instructions, feel free to post on here and ask me about them.
  • Please do NOT attempt to run any tools or do any fixing on your own unless I tell you to, this will avoid any confusion that can occur during the cleaning process. Furthermore, fixing malware problems without sufficient knowledge can be dangerous at times and you can mess up your own computer without knowing.
  • Please do not PM me for malware removal assistance, any request for malware removal assistance should be posted in this thread only. The only time you can and should PM me is when I have not been replying to you for several days (usually around 4 days) and you need an explanation. If that's the case, just send me a message to me on here. ;)
  • Please do not start multiple topics (especially when you are already being assisted by an authorised staff). All staff are volunteers on here, starting multiple topics will waste the limited resource of manpower we have here at Bleepingcomputer and this can further hinder our ability to assist other users. Please be considerate and stick to one thread.

I'm looking at your log now and will be back with a fix soon. Thanks for your patience and understanding. smile.gif

Bleepingcomputer Malware Response Team

Posted Image

Posted Image

Please do NOT PM anyone with HJT logs, read this and post your logs here.


#3 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Somewhere
  • Local time:07:41 AM

Posted 30 March 2010 - 09:36 AM

Hey superstickytape,

I don't seem much in your logs, but there must be something hiding in there. Let's run some scans as a start. smile.gif

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (Kaspersky Anti-virus) as it/they may hinder the tools from running. Instructions is in the link below:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

1) Run ComboFix

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

2) Run RootRepeal

Download RootRepeal from one of the following locations and save it to your desktop:
  • Double click to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, click the button and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on to insert the attachment into your post
Next reply (please include in your post):

ComboFix.txt
RootRepeal.txt (attached)

Bleepingcomputer Malware Response Team

Posted Image

Posted Image

Please do NOT PM anyone with HJT logs, read this and post your logs here.


#4 superstickytape

superstickytape
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:06:41 PM

Posted 31 March 2010 - 06:04 AM

Thanks Ltangelic for taking time to look at my problem.

Below is the combofix log as requested and I've attached the rootrepeal also.
Sorry for the delay


ComboFix 10-03-29.04 - Phillip 03/30/2010 18:26:19.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.116 [GMT -5:00]
Running from: c:\documents and settings\Phillip\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\jestertb.dll
c:\windows\system32\drivers\1028_DELL_XPS_MXC061 .MRK
c:\windows\system32\drivers\DELL_XPS_MXC061 .MRK

.
((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-30 )))))))))))))))))))))))))))))))
.

2010-03-25 22:54 . 2010-03-25 22:54 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-03-24 04:34 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-03-24 04:30 . 2010-03-24 04:31 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-24 04:28 . 2010-03-24 04:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-03-24 04:28 . 2010-03-24 04:31 -------- d-----w- c:\program files\Lavasoft
2010-03-10 12:52 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-30 23:36 . 2009-03-21 02:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-03-26 07:50 . 2009-03-21 02:39 -------- d-----w- c:\documents and settings\Phillip\Application Data\BitTorrent
2010-03-25 22:54 . 2010-03-25 22:54 20846064 ----a-w- c:\documents and settings\Phillip\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
2010-03-22 23:20 . 2010-03-03 01:19 439816 ----a-w- c:\documents and settings\Phillip\Application Data\Real\Update\setup3.10\setup.exe
2010-03-11 00:50 . 2010-03-11 00:49 8405312 ----a-w- c:\documents and settings\Phillip\Application Data\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2010-03-11 00:49 . 2010-03-11 00:49 149000 ----a-w- c:\documents and settings\Phillip\Application Data\Real\Update\setup3.10\chr_helper\LaunchHelper.exe
2010-03-11 00:49 . 2010-03-11 00:49 10309448 ----a-w- c:\documents and settings\Phillip\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe
2010-03-03 12:20 . 2010-03-03 12:20 283280 ----a-w- c:\documents and settings\Phillip\Application Data\Real\Update\setup3.10\carb\CarboniteSetupLiteRealPreinstaller.exe
2010-03-03 12:20 . 2010-03-03 12:20 181768 ----a-w- c:\documents and settings\Phillip\Application Data\Real\Update\setup3.10\carb\LaunchHelper.exe
2010-03-03 12:20 . 2010-03-03 12:20 79368 ----a-w- c:\documents and settings\Phillip\Application Data\Real\Update\setup3.10\RUP\vista.exe
2010-03-03 12:20 . 2010-03-03 12:20 64000 ----a-w- c:\documents and settings\Phillip\Application Data\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll
2010-03-03 12:20 . 2010-03-03 12:20 52288 ----a-w- c:\documents and settings\Phillip\Application Data\Real\Update\setup3.10\RUP\inst_config\gtapi.dll
2010-03-03 12:20 . 2010-03-03 12:20 50688 ----a-w- c:\documents and settings\Phillip\Application Data\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll
2010-03-03 12:20 . 2010-03-03 12:20 49152 ----a-w- c:\documents and settings\Phillip\Application Data\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll
2010-03-03 12:20 . 2010-03-03 12:20 118784 ----a-w- c:\documents and settings\Phillip\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll
2010-02-21 09:08 . 2010-02-21 09:06 -------- d-----w- c:\program files\iTunes
2010-02-21 09:07 . 2010-02-21 09:07 -------- d-----w- c:\program files\iPod
2010-02-21 09:07 . 2009-03-21 14:42 -------- d-----w- c:\program files\Common Files\Apple
2010-02-21 08:59 . 2010-02-21 08:58 -------- d-----w- c:\program files\QuickTime
2010-02-21 08:49 . 2010-02-21 08:49 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-16 00:53 . 2010-02-16 00:53 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-09 05:04 . 2010-02-09 05:04 -------- d-----w- c:\program files\AC3Filter
2010-02-04 15:53 . 2010-03-24 04:30 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-01-27 17:46 . 2010-02-08 23:48 57344 ----a-w- c:\documents and settings\Phillip\Application Data\Mozilla\Firefox\Profiles\tdyv4m3c.default\extensions\{FCAB6FDD-5585-425b-95C1-5ED856F3FD08}\components\nsCatcher.dll
2010-01-01 06:21 . 2010-01-01 06:21 20 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\bases\apu\ForDiff\apu0001.dat.drv
2009-12-31 16:50 . 2004-08-04 10:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-09-05 20:09 . 2009-03-21 02:16 3971104 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-09-05 20:09 . 2009-03-21 02:16 802848 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-09-05 20:11 . 2009-09-05 20:11 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-01-30 206064]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-23 761947]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2006-04-06 1032192]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-04-29 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-31 138008]
"avp"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe" [2009-07-03 303376]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-29 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-16 141608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 5:29 PM 33808]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/23/2010 11:34 PM 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 10:52 AM 1228208]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/19/2009 9:03 PM 24652]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [5/16/2009 8:59 PM 19472]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys --> c:\windows\system32\Drivers\ANDROIDUSB.sys [?]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 5:06 PM 31760]
.
Contents of the 'Scheduled Tasks' folder

2010-03-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 15:52]

2010-03-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Phillip\Application Data\Mozilla\Firefox\Profiles\tdyv4m3c.default\
FF - prefs.js: keyword.URL - hxxp://search.myheritage.com/?orig=ds&q=
FF - component: c:\documents and settings\Phillip\Application Data\Mozilla\Firefox\Profiles\tdyv4m3c.default\extensions\{FCAB6FDD-5585-425b-95C1-5ED856F3FD08}\components\nsCatcher.dll
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-30 18:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-73586283-1957994488-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4084E2D3-608A-3C8F-F35B-99DE0F77DEAE}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaahdgeommkpammefb"=hex:6a,61,70,6a,6a,66,67,6a,6f,6b,65,6c,6e,61,6a,70,69,63,
67,6e,00,f1
"haogbmfejiigbkhd"=hex:6a,61,70,6a,6a,66,67,6a,6f,6b,65,6c,6e,61,6a,70,69,63,
67,6e,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(1228)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\stsystra.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Real\RealPlayer\RealPlay.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-03-30 18:44:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-30 23:44

Pre-Run: 2,760,761,344 bytes free
Post-Run: 5,711,671,296 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - E334AB4C33E26F495A67D29F7B556C14

Attached Files



#5 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Somewhere
  • Local time:07:41 AM

Posted 02 April 2010 - 07:34 AM

Hey superstickytape,

Thank you for the logs. smile.gif

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (Kaspersky Anti-virus) as it/they may hinder the tools from running. Instructions is in the link below:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

1) Run CFScript

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

CODE
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000

RegLockDel::
[HKEY_USERS\S-1-5-21-73586283-1957994488-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4084E2D3-608A-3C8F-F35B-99DE0F77DEAE}*]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:
  • Combofix.txt .

2) Optional Removals

From your log, you seem to have Viewpoint Media Player and BitTorrent installed.

Viewpoint is not malware, but it is considered froistware that is installed without your permission. While it is not harmful in itself, it can bring about unnecessary security risks to your computer as well as collecting private information about your browsing habit. BitTorrent is a peer-to-peer (p2p) software that can bring security risks to your computer as it allows you to share all kinds of files across the Internet. Please look at the article(s) below:

http://en.wikipedia.org/wiki/Viewpoint_Media_Player
http://www.microsoft.com/protect/data/down...ilesharing.aspx

Due to the dubious nature of these programs, it is highly recommended that you remove the programs via Add or Remove Programs in Control Panel and refrain from downloading these programs in the future. If you have made a decision to remove these programs, please do the following:

Please go to Add or Remove Programs and remove the following (if present):

Viewpoint Media Player
BitTorrent


Then use Windows Explorer and remove the following (if present):

C:\Program Files\Viewpoint
C:\Program Files\BitTorrent


Reboot your computer.

3) Run Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Next reply (please include in your post):

OTS.txt (Run quick scan with OTS)
ComboFix.txt
MBAM scan log

Bleepingcomputer Malware Response Team

Posted Image

Posted Image

Please do NOT PM anyone with HJT logs, read this and post your logs here.


#6 superstickytape

superstickytape
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:06:41 PM

Posted 02 April 2010 - 08:14 PM

Unless i've missed something, i'm not sure how to get an OTS.txt log.

But below are the new updated combofix.txt log and the mbam log respectively

Still unable to update my kaspersky and my searches are still being redirected

Thanks for taking a look at my problem. =]


COMBOFIX


ComboFix 10-04-01.02 - Phillip 04/02/2010 12:43:36.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.347 [GMT -5:00]
Running from: c:\documents and settings\Phillip\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Phillip\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\AppPatch\AcAdProc.dll

.
((((((((((((((((((((((((( Files Created from 2010-03-02 to 2010-04-02 )))))))))))))))))))))))))))))))
.

2010-03-25 22:54 . 2010-03-25 22:54 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-03-24 04:34 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-03-24 04:30 . 2010-03-24 04:31 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-24 04:28 . 2010-03-24 04:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-03-24 04:28 . 2010-03-24 04:31 -------- d-----w- c:\program files\Lavasoft
2010-03-10 12:52 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-02 18:20 . 2009-03-21 02:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-04-02 17:53 . 2009-03-21 02:39 -------- d-----w- c:\documents and settings\Phillip\Application Data\BitTorrent
2010-03-25 22:54 . 2010-03-25 22:54 20846064 ----a-w- c:\documents and settings\Phillip\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
2010-03-22 23:20 . 2010-03-03 01:19 439816 ----a-w- c:\documents and settings\Phillip\Application Data\Real\Update\setup3.10\setup.exe
2010-03-11 00:50 . 2010-03-11 00:49 8405312 ----a-w- c:\documents and settings\Phillip\Application Data\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2010-03-11 00:49 . 2010-03-11 00:49 149000 ----a-w- c:\documents and settings\Phillip\Application Data\Real\Update\setup3.10\chr_helper\LaunchHelper.exe
2010-03-11 00:49 . 2010-03-11 00:49 10309448 ----a-w- c:\documents and settings\Phillip\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe
2010-03-03 12:20 . 2010-03-03 12:20 283280 ----a-w- c:\documents and settings\Phillip\Application Data\Real\Update\setup3.10\carb\CarboniteSetupLiteRealPreinstaller.exe
2010-03-03 12:20 . 2010-03-03 12:20 181768 ----a-w- c:\documents and settings\Phillip\Application Data\Real\Update\setup3.10\carb\LaunchHelper.exe
2010-03-03 12:20 . 2010-03-03 12:20 79368 ----a-w- c:\documents and settings\Phillip\Application Data\Real\Update\setup3.10\RUP\vista.exe
2010-03-03 12:20 . 2010-03-03 12:20 64000 ----a-w- c:\documents and settings\Phillip\Application Data\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll
2010-03-03 12:20 . 2010-03-03 12:20 52288 ----a-w- c:\documents and settings\Phillip\Application Data\Real\Update\setup3.10\RUP\inst_config\gtapi.dll
2010-03-03 12:20 . 2010-03-03 12:20 50688 ----a-w- c:\documents and settings\Phillip\Application Data\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll
2010-03-03 12:20 . 2010-03-03 12:20 49152 ----a-w- c:\documents and settings\Phillip\Application Data\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll
2010-03-03 12:20 . 2010-03-03 12:20 118784 ----a-w- c:\documents and settings\Phillip\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll
2010-02-21 09:08 . 2010-02-21 09:06 -------- d-----w- c:\program files\iTunes
2010-02-21 09:07 . 2010-02-21 09:07 -------- d-----w- c:\program files\iPod
2010-02-21 09:07 . 2009-03-21 14:42 -------- d-----w- c:\program files\Common Files\Apple
2010-02-21 08:59 . 2010-02-21 08:58 -------- d-----w- c:\program files\QuickTime
2010-02-21 08:49 . 2010-02-21 08:49 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-16 00:53 . 2010-02-16 00:53 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-09 05:04 . 2010-02-09 05:04 -------- d-----w- c:\program files\AC3Filter
2010-02-04 15:53 . 2010-03-24 04:30 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-01-27 17:46 . 2010-02-08 23:48 57344 ----a-w- c:\documents and settings\Phillip\Application Data\Mozilla\Firefox\Profiles\tdyv4m3c.default\extensions\{FCAB6FDD-5585-425b-95C1-5ED856F3FD08}\components\nsCatcher.dll
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-09-05 20:09 . 2009-03-21 02:16 3971104 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-09-05 20:09 . 2009-03-21 02:16 802848 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-09-05 20:11 . 2009-09-05 20:11 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-01-30 206064]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-23 761947]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2006-04-06 1032192]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-04-29 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-31 138008]
"avp"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe" [2009-07-03 303376]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-29 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-16 141608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 5:29 PM 33808]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/23/2010 11:34 PM 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 10:52 AM 1228208]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/19/2009 9:03 PM 24652]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [5/16/2009 8:59 PM 19472]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys --> c:\windows\system32\Drivers\ANDROIDUSB.sys [?]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 5:06 PM 31760]
.
Contents of the 'Scheduled Tasks' folder

2010-04-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 15:52]

2010-03-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Phillip\Application Data\Mozilla\Firefox\Profiles\tdyv4m3c.default\
FF - prefs.js: keyword.URL - hxxp://search.myheritage.com/?orig=ds&q=
FF - component: c:\documents and settings\Phillip\Application Data\Mozilla\Firefox\Profiles\tdyv4m3c.default\extensions\{FCAB6FDD-5585-425b-95C1-5ED856F3FD08}\components\nsCatcher.dll
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-02 13:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-73586283-1957994488-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4084E2D3-608A-3C8F-F35B-99DE0F77DEAE}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaahdgeommkpammefb"=hex:6a,61,70,6a,6a,66,67,6a,6f,6b,65,6c,6e,61,6a,70,69,63,
67,6e,00,f1
"haogbmfejiigbkhd"=hex:6a,61,70,6a,6a,66,67,6a,6f,6b,65,6c,6e,61,6a,70,69,63,
67,6e,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)
c:\windows\System32\BCMLogon.dll
c:\windows\system32\igfxdev.dll

- - - - - - - > 'explorer.exe'(3712)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Ahead\Lib\NeroDigitalExt.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-04-02 13:25:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-02 18:25

Pre-Run: 4,051,898,368 bytes free
Post-Run: 4,092,846,080 bytes free

- - End Of File - - 8A01F91B6D39096DAFCA0ECEBEE7674A


MBAM LOG


Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3947

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/2/2010 4:44:07 PM
mbam-log-2010-04-02 (16-44-07).txt

Scan type: Quick scan
Objects scanned: 99971
Time elapsed: 7 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.161.105 93.188.166.105 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fe669b65-0379-4a62-97b1-4652e8881720}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.161.105 93.188.166.105 1.2.3.4 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)






#7 superstickytape

superstickytape
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:06:41 PM

Posted 02 April 2010 - 08:15 PM

oh and just fyi.

the links that you've provided for the mbam software are broken, i had to download it from another source.

#8 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Somewhere
  • Local time:07:41 AM

Posted 03 April 2010 - 05:18 AM

Hey superstickytape,

Seems like we have hidden baddies in there.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

1) Run The Avenger

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the Avenger folder to your desktop
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

CODE
Begin copying here:

Registry keys to delete:
[HKEY_USERS\S-1-5-21-73586283-1957994488-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4084E2D3-608A-3C8F-F35B-99DE0F77DEAE}*]


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avengerís actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

2) Optional Removal

From your log, you seem to have Viewpoint Media Player installed.

Viewpoint is not malware, but it is considered froistware that is installed without your permission. While it is not harmful in itself, it can bring about unnecessary security risks to your computer as well as collecting private information about your browsing habit. Please look at the article(s) below:

en.wikipedia.org/wiki/Viewpoint_Media_Player

Due to the dubious nature of these programs, it is highly recommended that you remove the programs via Add or Remove Programs in Control Panel and refrain from downloading these programs in the future. If you have made a decision to remove these programs, please do the following:

Please go to Add or Remove Programs and remove the following (if present):

Viewpoint Media Player

Then use Windows Explorer and remove the following (if present):

C:\Program Files\Viewpoint

Reboot your computer.

3) Run OTS

To ensure that I get all the information this log will need to be attached (instructions at the end) if it is to large to attach then upload to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Under custom scans copy and paste the following
      netsvcs
      %SYSTEMDRIVE%\*.exe
      %SYSTEMDRIVE%\*.*
      %ProgramFiles%\Movie Maker\*.dll
      %ALLUSERSAPPDATA%\*.dll
      %SYSTEMROOT%\*.tmp
      %PROGRAMFILES%\Internet Explorer\*.dll
      %DriveLetter%\RECYCLER\*S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d*.
      %systemroot%\system32\*.dll /lockedfiles
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      c:\$recycle.bin\*.* /s
      CREATERESTOREPOINT
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on to insert the attachment into your post

4) Run MBR and Rooter

Please download MBR.exe to your desktop. Double-click on it and it will produce a log on desktop (mbr.log). Please post the log in your next reply.

THEN

Please download Rooter.exe and save it to your desktop
  • Double-click it to start the tool. If you are using Vista, please right-click and choose Run As Administrator...
  • Alow it to run when you get a Security Warning.
  • At the main control page, please click the green button.
  • It will now begin to scan, please be paitent. The scan should not take more than 3 minutes
  • A Notepad file containing the report will open soon. It can also be foun/d at %systemdrive%\Rooter$\Rooter_1.txt
  • Now push the button to close Rooter.
  • Please post the contents of that log file here in your next reply.

Next reply (please include in your post):

OTS.txt (attached)
Avenger.txt
MBR.txt
Rooter_1.txt

Bleepingcomputer Malware Response Team

Posted Image

Posted Image

Please do NOT PM anyone with HJT logs, read this and post your logs here.


#9 superstickytape

superstickytape
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:06:41 PM

Posted 03 April 2010 - 11:42 AM

Both the viewpoint media and bittorrent were uninstalled and removed immediately after your previous post. I'm not sure why it had shown up again.

And when attemping to run the Avenger, it showed an error, im not sure if this is normal but im sure you'll see what i mean when i post the log.

As directed, ill post the logs below
OTS.txt (attached)
Avenger.txt
MBR.txt
Rooter_1.txt

respectively.

Thanks again for taking time to help me out.


AVENGER

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Sat Apr 03 11:08:20 2010

11:08:17: Error: Invalid registry syntax in command:
"[HKEY_USERS\S-1-5-21-73586283-1957994488-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4084E2D3-608A-3C8F-F35B-99DE0F77DEAE}*]"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry key deletion mode)
11:08:20: Error: Execution aborted by user!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Sat Apr 03 11:13:58 2010

11:13:55: Error: Invalid registry syntax in command:
"[HKEY_USERS\S-1-5-21-73586283-1957994488-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4084E2D3-608A-3C8F-F35B-99DE0F77DEAE}*]"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry key deletion mode)


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.


MBR

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK


ROOTER_1

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP Home Edition (5.1.2600) Service Pack 3
[32_bits] - x86 Family 6 Model 14 Stepping 8, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Enabled
.
Internet Explorer 8.0.6001.18702
Mozilla Firefox 3.6.3 (en-US)
.
C:\ [Fixed-NTFS] .. ( Total:91 Go - Free:5 Go )
D:\ [CD_Rom]
.
Scan : 11:36.34
Path : C:\Documents and Settings\Phillip\Desktop\Rooter.exe
User : Phillip ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (792)
______ \??\C:\WINDOWS\system32\csrss.exe (844)
______ \??\C:\WINDOWS\system32\winlogon.exe (868)
______ C:\WINDOWS\system32\services.exe (912)
______ C:\WINDOWS\system32\lsass.exe (932)
______ C:\WINDOWS\system32\svchost.exe (1096)
______ C:\WINDOWS\system32\svchost.exe (1164)
______ C:\WINDOWS\System32\svchost.exe (1204)
______ C:\WINDOWS\system32\svchost.exe (1248)
______ C:\WINDOWS\system32\svchost.exe (1372)
______ C:\WINDOWS\System32\WLTRYSVC.EXE (1580)
______ C:\WINDOWS\System32\bcmwltry.exe (1616)
______ C:\WINDOWS\system32\spoolsv.exe (1704)
______ C:\WINDOWS\system32\svchost.exe (1784)
______ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (1820)
Locked avp.exe (1832)
______ C:\Program Files\Bonjour\mDNSResponder.exe (1852)
______ C:\Program Files\Java\jre6\bin\jqs.exe (1888)
______ C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (1908)
______ C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe (1972)
______ C:\Program Files\Dell Support Center\bin\sprtsvc.exe (2028)
______ C:\WINDOWS\system32\svchost.exe (136)
______ C:\WINDOWS\system32\SearchIndexer.exe (204)
______ C:\WINDOWS\system32\wbem\wmiprvse.exe (816)
______ C:\WINDOWS\System32\alg.exe (1556)
______ C:\WINDOWS\system32\wscntfy.exe (2692)
______ C:\WINDOWS\Explorer.EXE (2732)
______ C:\WINDOWS\stsystra.exe (3012)
______ C:\WINDOWS\system32\WLTRAY.exe (3040)
______ C:\Program Files\Dell Support Center\bin\sprtcmd.exe (3140)
______ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (3168)
______ C:\Program Files\Dell\QuickSet\Quickset.exe (3176)
______ C:\WINDOWS\system32\hkcmd.exe (3252)
______ C:\WINDOWS\system32\igfxpers.exe (3316)
______ C:\WINDOWS\system32\igfxsrvc.exe (3332)
Locked avp.exe (3408)
______ C:\Program Files\Common Files\Real\Update_OB\realsched.exe (3480)
______ C:\Program Files\Java\jre6\bin\jusched.exe (3500)
______ C:\Program Files\iTunes\iTunesHelper.exe (3764)
______ C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (3828)
______ C:\WINDOWS\system32\ctfmon.exe (3864)
______ C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (3896)
______ C:\Program Files\Windows Desktop Search\WindowsSearch.exe (3952)
______ C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe (3992)
______ C:\Program Files\iPod\bin\iPodService.exe (1304)
______ C:\Program Files\Mozilla Firefox\firefox.exe (2720)
______ C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe (3352)
______ C:\WINDOWS\system32\SearchProtocolHost.exe (1480)
______ C:\WINDOWS\system32\SearchFilterHost.exe (3104)
______ C:\Documents and Settings\Phillip\Desktop\Rooter.exe (4072)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:98514146304)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\SA.DAT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 11:37.01
.
C:\Rooter$\Rooter_1.txt - (03/04/2010 | 11:37.01)

Attached Files

  • Attached File  OTS.Txt   112.94KB   2 downloads


#10 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Somewhere
  • Local time:07:41 AM

Posted 04 April 2010 - 03:03 AM

Hey superstickytape,

Thank you for your logs. smile.gif

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (Kaspersky Anti-virus) as it/they may hinder the tools from running. Instructions is in the link below:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

1) Upload file for analysis

To enable the viewing of Hidden files follow these steps:
  • Close all programs so that you are at your desktop.
  • Double-click on the My Computer icon.
  • Select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Press the Apply button and then the OK button and close My Computer.
  • Now your computer is configured to show all hidden files.
NEXT

Please visit the online Jotti Virus Scanner <--link
  • Copy and paste the following filepath in the box:

    c:\documents and settings\Phillip\Application Data\Real\Update\setup3.10\RUP\vista.exe

  • Click on the button.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.
2) Uninstall ComboFix
  • Click START then RUN
  • Now type ComboFix /uninstall in the runbox and click OK. Note the space between the x and the /, it needs to be there.
3) Run DrWeb CureIt

Download Dr.Web CureIt to the desktop.
  • Doubleclick the drweb-cureit.exe file, then on Start and allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, chose the Complete Scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look and see if you can click the following icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
  • This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer to allow files that were in use to be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a new OTL log.
NOTE: During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.

Next reply (please include in your post):

Tell me how your computer is doing
Virscan report
Dr Web scan log

Bleepingcomputer Malware Response Team

Posted Image

Posted Image

Please do NOT PM anyone with HJT logs, read this and post your logs here.


#11 superstickytape

superstickytape
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:06:41 PM

Posted 04 April 2010 - 11:26 AM

The link to the jotti virus scanner does not work.

Would you be able to provide another link please?

#12 superstickytape

superstickytape
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:06:41 PM

Posted 05 April 2010 - 05:28 PM

Nevermind my last post, the website decided to work today..

For filename vista.exe = Found Nothing!

Scanners
[ArcaVir]
2010-04-04 Found nothing
[F-Secure Anti-Virus]
2010-04-05 Found nothing
[A-Squared]
2010-04-05 Found nothing
[G DATA]
2010-04-05 Found nothing
[Avast! antivirus]
2010-04-05 Found nothing
[Ikarus]
2010-04-05 Found nothing
[Grisoft AVG Anti-Virus]
2010-04-05 Found nothing
[Kaspersky Anti-Virus]
2010-04-05 Found nothing
[Avira AntiVir]
2010-04-05 Found nothing
[ESET NOD32]
2010-04-05 Found nothing
[Softwin BitDefender]
2010-04-05 Found nothing
[Panda Antivirus]
2010-04-05 Found nothing
[ClamAV]
2010-04-05 Found nothing
[Quick Heal]
2010-04-05 Found nothing
[CPsecure]
2010-04-02 Found nothing
[Sophos]
2010-04-05 Found nothing
[Dr.Web]
2010-04-05 Found nothing
[VirusBlokAda VBA32]
2010-04-04 Found nothing
[Frisk F-Prot Antivirus]
2010-04-05 Found nothing
[VirusBuster]
2010-04-05 Found nothing



In my next post, ill include the rest of the test

#13 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Somewhere
  • Local time:07:41 AM

Posted 06 April 2010 - 09:19 AM

Hi,

Sincere apologies for the late reply. I will be unavailable from today and a fellow colleague will take over and help you instead. Please be patient in waiting for a reply, thank you. smile.gif

Bleepingcomputer Malware Response Team

Posted Image

Posted Image

Please do NOT PM anyone with HJT logs, read this and post your logs here.


#14 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:12:41 AM

Posted 06 April 2010 - 11:10 AM

Hello, superstickytape
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fixing your problems.

I will review the topic now, in the meantime, please tell me how the system is running and run this tool:

  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
  5. Push the Quick Scan button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#15 superstickytape

superstickytape
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:06:41 PM

Posted 06 April 2010 - 08:32 PM

Whats up Tom.

My computer is still acting up, same as before. The symptoms haven't gotten any better. I am unable to update my antivirus software, my searches still get redirected, and I get occassional popups.

As directed, below are the logs

OTL.txt and Extras.txt


Did you still want me to post the Dr.Web log? It wasn't your instruction but I didn't know if you wanted to see that or not.


OTL.txt

OTL logfile created on: 4/6/2010 8:14:20 PM - Run 1
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Documents and Settings\Phillip\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 442.00 Mb Available Physical Memory | 44.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): c:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 91.75 Gb Total Space | 7.29 Gb Free Space | 7.94% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOME-0EC38E917E
Current User Name: Phillip
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/06 19:51:35 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Phillip\Desktop\OTL.exe
PRC - [2010/04/02 16:09:51 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/02/15 19:06:56 | 010,358,056 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunes.exe
PRC - [2009/10/28 19:06:58 | 000,198,160 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2009/07/03 15:45:24 | 000,207,376 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe
PRC - [2009/01/30 00:50:06 | 000,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtcmd.exe
PRC - [2009/01/30 00:50:06 | 000,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe
PRC - [2008/05/26 22:19:14 | 000,123,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Desktop Search\WindowsSearch.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/06/27 19:04:00 | 001,213,736 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
PRC - [2007/06/27 19:03:40 | 000,152,872 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
PRC - [2006/04/06 14:58:52 | 001,032,192 | ---- | M] (Dell Inc) -- C:\Program Files\Dell\QuickSet\quickset.exe
PRC - [2006/04/06 14:57:54 | 000,380,928 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
PRC - [2006/03/24 18:30:44 | 000,282,624 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe


========== Modules (SafeList) ==========

MOD - [2010/04/06 19:51:35 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Phillip\Desktop\OTL.exe
MOD - [2007/03/30 19:59:08 | 000,102,400 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hccutils.dll
MOD - [2006/04/06 14:59:08 | 000,073,728 | ---- | M] () -- C:\Program Files\Dell\QuickSet\dadkeyb.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (Nero BackItUp Scheduler 4.0)
SRV - [2009/07/03 15:56:14 | 000,303,376 | ---- | M] (Kaspersky Lab) [Auto | Running] -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe -- (AVP)
SRV - [2009/06/02 10:10:08 | 000,637,952 | ---- | M] (Nokia.) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2009/01/30 00:50:06 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_DellSupportCenter) SupportSoft Sprocket Service (DellSupportCenter)
SRV - [2006/04/06 14:57:54 | 000,380,928 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe -- (NICCONFIGSVC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: check4change-owner@mozdev.org:1.7
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: linkfilter@kaspersky.ru:9.0.0.463
FF - prefs.js..extensions.enabledItems: {FCAB6FDD-5585-425b-95C1-5ED856F3FD08}:5.7
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.2.20100119091315
FF - prefs.js..keyword.URL: "http://search.myheritage.com/?orig=ds&q="

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/02 16:10:17 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/02 16:10:17 | 000,000,000 | ---D | M]

[2009/03/20 17:58:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phillip\Application Data\Mozilla\Extensions
[2010/04/04 11:30:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phillip\Application Data\Mozilla\Firefox\Profiles\tdyv4m3c.default\extensions
[2009/06/25 21:27:53 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Phillip\Application Data\Mozilla\Firefox\Profiles\tdyv4m3c.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/03/13 20:37:30 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Phillip\Application Data\Mozilla\Firefox\Profiles\tdyv4m3c.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010/02/08 18:48:24 | 000,000,000 | ---D | M] (Sothink Web Video Downloader for Firefox) -- C:\Documents and Settings\Phillip\Application Data\Mozilla\Firefox\Profiles\tdyv4m3c.default\extensions\{FCAB6FDD-5585-425b-95C1-5ED856F3FD08}
[2010/03/13 20:37:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phillip\Application Data\Mozilla\Firefox\Profiles\tdyv4m3c.default\extensions\check4change-owner@mozdev.org
[2010/04/04 11:30:45 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/09/05 15:02:48 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru
[2010/01/30 23:41:25 | 000,003,803 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\MyHeritage.xml

O1 HOSTS File: ([2010/04/02 13:19:25 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\ievkbd.dll (Kaspersky Lab)
O2 - BHO: (FilterBHO Class) - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll (Kaspersky Lab)
O4 - HKLM..\Run: [avp] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe (Kaspersky Lab)
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc)
O4 - HKLM..\Run: [dellsupportcenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll (Kaspersky Lab)
O9 - Extra Button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll (Kaspersky Lab)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/E/3.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/C/0...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 93.188.161.105 93.188.166.105 1.2.3.4
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/03/17 22:09:09 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/03/17 22:48:13 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Error starting restore point: System Restore is disabled.
Error closing restore point: System Restore is disabled.

========== Files/Folders - Created Within 14 Days ==========

[2010/04/06 19:51:34 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Phillip\Desktop\OTL.exe
[2010/04/05 17:30:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Phillip\DoctorWeb
[2010/04/05 17:24:31 | 000,000,000 | --SD | C] -- C:\ComboFix
[2010/04/03 11:37:01 | 000,000,000 | ---D | C] -- C:\Rooter$
[2010/04/03 11:35:52 | 000,173,119 | ---- | C] (Eric_71) -- C:\Documents and Settings\Phillip\Desktop\Rooter.exe
[2010/04/03 11:09:53 | 000,638,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Phillip\Desktop\OTS.exe
[2010/04/02 16:30:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Phillip\Application Data\Malwarebytes
[2010/04/02 16:29:49 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/02 16:29:45 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/02 16:29:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/04/02 16:29:44 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/02 13:25:32 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/03/30 18:22:13 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/03/30 18:19:22 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/03/30 18:18:24 | 000,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Phillip\Desktop\RootRepeal.exe
[2010/03/25 17:54:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2010/03/23 23:28:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2009/10/28 19:10:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/10/28 19:10:15 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/10/23 15:48:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\ServiceTest
[2009/03/20 20:16:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2009/03/19 22:48:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\McAfee.com Personal Firewall
[2009/03/17 22:12:52 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/03/17 22:12:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[11 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2049/12/31 16:00:00 | 000,156,451 | ---- | M] () -- C:\Documents and Settings\Phillip\Desktop\Kankles.jpg
[2010/04/06 19:58:18 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/04/06 19:55:07 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/06 19:55:05 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/06 19:54:17 | 005,767,168 | -H-- | M] () -- C:\Documents and Settings\Phillip\NTUSER.DAT
[2010/04/06 19:53:55 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Phillip\ntuser.ini
[2010/04/06 19:51:35 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Phillip\Desktop\OTL.exe
[2010/04/06 05:32:52 | 000,000,328 | ---- | M] () -- C:\Documents and Settings\Phillip\Desktop\DrWeb.csv
[2010/04/05 21:28:33 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/04/05 17:26:34 | 036,489,840 | ---- | M] () -- C:\Documents and Settings\Phillip\Desktop\drweb-cureit.exe
[2010/04/03 11:35:52 | 000,173,119 | ---- | M] (Eric_71) -- C:\Documents and Settings\Phillip\Desktop\Rooter.exe
[2010/04/03 11:34:55 | 000,077,312 | ---- | M] () -- C:\Documents and Settings\Phillip\Desktop\mbr.exe
[2010/04/03 11:09:53 | 000,638,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Phillip\Desktop\OTS.exe
[2010/04/03 11:03:11 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/04/03 10:55:58 | 000,724,952 | ---- | M] () -- C:\Documents and Settings\Phillip\Desktop\avenger.zip
[2010/04/02 16:29:53 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/02 13:32:53 | 000,129,024 | ---- | M] () -- C:\Documents and Settings\Phillip\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/02 13:19:41 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/02 13:19:25 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/03/30 18:48:10 | 000,000,015 | ---- | M] () -- C:\Documents and Settings\Phillip\Desktop\settings.dat
[2010/03/30 18:22:37 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/03/30 18:18:25 | 000,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Phillip\Desktop\RootRepeal.exe
[2010/03/30 18:05:39 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/29 15:24:58 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/29 15:24:46 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/25 17:58:04 | 000,462,736 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/25 17:58:04 | 000,078,516 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/25 17:58:00 | 000,551,164 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/25 17:54:18 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/03/24 23:09:15 | 1063,743,488 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP
[2010/03/24 21:06:17 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Phillip\Desktop\dds.scr
[2010/03/24 20:58:02 | 000,318,067 | ---- | M] () -- C:\Documents and Settings\Phillip\Desktop\HijackThis.zip
[11 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/06 05:32:52 | 000,000,328 | ---- | C] () -- C:\Documents and Settings\Phillip\Desktop\DrWeb.csv
[2010/04/05 17:24:39 | 036,489,840 | ---- | C] () -- C:\Documents and Settings\Phillip\Desktop\drweb-cureit.exe
[2010/04/03 11:34:54 | 000,077,312 | ---- | C] () -- C:\Documents and Settings\Phillip\Desktop\mbr.exe
[2010/04/03 10:56:42 | 000,731,136 | ---- | C] () -- C:\Documents and Settings\Phillip\Desktop\avenger.exe
[2010/04/03 10:55:56 | 000,724,952 | ---- | C] () -- C:\Documents and Settings\Phillip\Desktop\avenger.zip
[2010/04/02 16:29:53 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/30 18:47:40 | 000,000,015 | ---- | C] () -- C:\Documents and Settings\Phillip\Desktop\settings.dat
[2010/03/30 18:22:37 | 000,000,213 | ---- | C] () -- C:\Boot.bak
[2010/03/30 18:22:21 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/03/24 21:15:17 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Phillip\Desktop\gmer.exe
[2010/03/24 21:06:17 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Phillip\Desktop\dds.scr
[2010/03/24 20:58:00 | 000,318,067 | ---- | C] () -- C:\Documents and Settings\Phillip\Desktop\HijackThis.zip
[2010/03/23 23:39:17 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/10/28 19:09:50 | 000,000,025 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2009/10/25 22:00:03 | 000,000,142 | ---- | C] () -- C:\Documents and Settings\Phillip\default.pls
[2009/10/19 19:54:20 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/08/08 13:56:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\DbgOut.INI
[2009/05/11 20:56:39 | 000,000,039 | ---- | C] () -- C:\WINDOWS\Irremote.ini
[2009/03/24 18:43:10 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/03/22 14:48:25 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/03/22 14:48:25 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/03/21 08:51:45 | 000,129,024 | ---- | C] () -- C:\Documents and Settings\Phillip\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/19 22:26:26 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4814.dll
[2009/03/19 21:14:19 | 000,000,004 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare
[2009/03/17 22:41:42 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2009/03/17 22:41:40 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2009/03/17 22:14:08 | 000,024,576 | -H-- | C] () -- C:\Documents and Settings\Phillip\ntuser.dat.LOG
[2009/03/17 22:14:08 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Phillip\ntuser.ini
[2009/03/17 22:14:07 | 005,767,168 | -H-- | C] () -- C:\Documents and Settings\Phillip\NTUSER.DAT
[2009/02/21 08:25:20 | 000,691,592 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2009/03/19 21:03:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\acccore
[2009/07/06 19:58:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Installations
[2009/07/06 19:56:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Suite
[2009/03/20 18:12:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC-Doctor
[2009/03/20 18:12:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCDr
[2009/03/20 18:13:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2010/04/02 13:28:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/03/21 09:44:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[2009/09/14 00:39:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/04/18 10:08:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/03/19 21:04:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phillip\Application Data\acccore
[2009/07/06 20:09:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phillip\Application Data\Nokia
[2009/03/24 20:06:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phillip\Application Data\OfficeUpdate12
[2009/07/06 19:57:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phillip\Application Data\PC Suite
[2009/06/26 20:10:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phillip\Application Data\Roni Music
[2009/04/28 19:36:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phillip\Application Data\SystemRequirementsLab
[2009/10/01 18:56:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phillip\Application Data\Teleca
[2009/03/20 18:16:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phillip\Application Data\Windows Desktop Search
[2009/03/20 20:19:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phillip\Application Data\Windows Search
[2010/04/03 11:03:11 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/03/19 21:03:11 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2009/03/19 21:03:11 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 05:00:00 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/03/19 21:03:11 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2009/03/19 21:03:11 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 05:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 05:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: IASTOR.SYS >
[2006/02/21 17:44:30 | 000,250,368 | ---- | M] (Intel Corporation) MD5=88B1943ECFF661F765228099138CF6AB -- C:\WINDOWS\dell\iastor\iastor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 05:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: NVATABUS.SYS >
[2006/03/16 19:51:32 | 000,099,840 | ---- | M] (NVIDIA Corporation) MD5=B7FB72492B753930EC70A0F49D04F12F -- C:\WINDOWS\dell\nvraid\NvAtaBus.sys
[2006/03/16 19:51:32 | 000,099,840 | ---- | M] (NVIDIA Corporation) MD5=B7FB72492B753930EC70A0F49D04F12F -- C:\WINDOWS\system32\drivers\NvAtaBus.sys

< MD5 for: SCECLI.DLL >
[2004/08/04 05:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: SYMMPI.SYS >
[2005/11/17 13:58:16 | 000,092,672 | ---- | M] (LSI Logic) MD5=1FD5249D5103125D2DA63F68D7BE1D35 -- C:\WINDOWS\dell\symmpi\symmpi.sys
[2005/11/17 13:58:16 | 000,092,672 | ---- | M] (LSI Logic) MD5=1FD5249D5103125D2DA63F68D7BE1D35 -- C:\WINDOWS\system32\drivers\symmpi.sys

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/04/13 19:12:00 | 001,384,479 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\msvbvm60.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2009/03/17 16:39:05 | 000,262,144 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/03/17 22:24:47 | 000,262,144 | ---- | M] () -- C:\WINDOWS\system32\config\security.sav
[2009/03/17 16:39:05 | 009,175,040 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/03/17 16:39:05 | 003,407,872 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\WINDOWS\System32\igxpdx32.dll:SummaryInformation
< End of report >


Extras.txt

OTL Extras logfile created on: 4/6/2010 8:14:20 PM - Run 1
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Documents and Settings\Phillip\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 442.00 Mb Available Physical Memory | 44.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): c:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 91.75 Gb Total Space | 7.29 Gb Free Space | 7.94% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOME-0EC38E917E
Current User Name: Phillip
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL LLC)
"C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM -- (AOL LLC)
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- File not found
"C:\Program Files\PlayOnline\SquareEnix\PlayOnlineViewer\pol.exe" = C:\Program Files\PlayOnline\SquareEnix\PlayOnlineViewer\pol.exe:*:Enabled:PlayOnline Viewer -- (SQUARE ENIX CO., LTD.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0C973594-7DDF-4BD0-84ED-3517F7622037}" = PC Connectivity Solution
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{212748BB-0DA5-46DE-82A1-403736DC9F27}" = MSVC80_x86
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 17
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C0619B4-4A2C-4244-8077-488E420DF907}" = FINAL FANTASY XI: Chains of Promathia
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{47004155-7376-403E-89E9-4C9F44AAF0D0}" = PlayOnline Viewer & Tetra Master
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{5B037ED7-0755-48D4-9554-808E5AF50F17}" = FINAL FANTASY XI: Wings of the Goddess
"{5C1DA723-24FC-48AD-93BA-925695C3EF26}" = Logitech Gaming Software
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{678F6475-D227-432A-94FF-806178A34520}" = FINAL FANTASY XI
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6F30B469-5ED7-4734-8252-B9BC962A2AB3}" = PCIxx20
"{6FC76C41-8C1D-4B43-85E7-0BAA2002F1BE}" = FINAL FANTASY XI: Rise of the Zilart
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{81063354-9060-42B2-A000-1EBE96778AA9}" = iTunes
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91130409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Basic Edition 2003
"{943B6738-4801-4982-90EC-0442EF7AEB16}" = Kaspersky Anti-Virus 2010
"{9C9D0F85-5658-4A5E-95A9-65F7DB2916EE}" = Broadcom 440x 10/100 Integrated Controller
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A606C6FF-12E7-40BE-B777-D8F360FF00CD}" = FINAL FANTASY XI: Treasures of Aht Urhgan
"{A8F2089B-1F79-4BF6-B385-A2C2B0B9A74D}" = ImagXpress
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{C99C0593-3B48-41D9-B42F-6E035B320449}" = Broadcom Management Programs
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF097717-F174-4144-954A-FBC4BF301033}" = Nero 7 Ultra Edition
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center (Support Software)
"{E40CE517-0D42-4198-96B4-C8232B257EB5}" = Data Lifeguard Diagnostic for Windows
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"2DA959FE3D6F0F5BC313481E72071D510DD786FB" = Windows Driver Package - Intel (w29n51) net (12/19/2007 9.0.4.39)
"504244733D18C8F63FF584AEB290E3904E791693" = Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
"AC3Filter" = AC3Filter (remove only)
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"AIM_6" = AIM 6
"Amazing Slow Downer" = Amazing Slow Downer (remove only)
"ASIO4ALL" = ASIO4ALL
"Audacity_is1" = Audacity 1.2.6
"AudioConverter Studio_is1" = AudioConverter Studio 6.0
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
"cayahooantispy" = CA Yahoo! Anti-Spy (remove only)
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3" = Conexant HDA D110 MDC V.92 Modem
"Collab" = Collab
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"DVD Shrink_is1" = DVD Shrink 3.2
"EA92D36B2621B412A14375F1D39FCB7FBC2C84D4" = Windows Driver Package - Intel (NETw5x32) net (11/17/2008 12.2.0.11)
"Guitar Pro 5_is1" = Guitar Pro 5.2
"HDMI" = Intel® Graphics Media Accelerator Driver
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{3C0619B4-4A2C-4244-8077-488E420DF907}" = FINAL FANTASY XI: Chains of Promathia
"InstallShield_{47004155-7376-403E-89E9-4C9F44AAF0D0}" = PlayOnline Viewer & Tetra Master
"InstallShield_{5B037ED7-0755-48D4-9554-808E5AF50F17}" = FINAL FANTASY XI: Wings of the Goddess
"InstallShield_{678F6475-D227-432A-94FF-806178A34520}" = FINAL FANTASY XI
"InstallShield_{6F30B469-5ED7-4734-8252-B9BC962A2AB3}" = Texas Instruments PCIxx20 drivers.
"InstallShield_{6FC76C41-8C1D-4B43-85E7-0BAA2002F1BE}" = FINAL FANTASY XI: Rise of the Zilart
"InstallShield_{A606C6FF-12E7-40BE-B777-D8F360FF00CD}" = FINAL FANTASY XI: Treasures of Aht Urhgan
"InstallWIX_{943B6738-4801-4982-90EC-0442EF7AEB16}" = Kaspersky Anti-Virus 2010
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"RealPlayer 12.0" = RealPlayer
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"SystemRequirementsLab" = System Requirements Lab
"TabIt for Windows_is1" = TabIt version 2.03 (Trial)
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01007" = Microsoft User-Mode Driver Framework Feature Pack 1.7
"Xvid_is1" = Xvid 1.1.3 final uninstall

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 6/26/2009 11:12:07 PM | Computer Name = HOME-0EC38E917E | Source = Application Error | ID = 1000
Description = Faulting application wmplayer.exe, version 11.0.5721.5145, faulting
module unknown, version 0.0.0.0, fault address 0x00ee0eb2.

Error - 7/1/2009 9:31:22 PM | Computer Name = HOME-0EC38E917E | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module unknown, version 0.0.0.0, fault address 0x6d91520a.

Error - 7/8/2009 9:32:59 PM | Computer Name = HOME-0EC38E917E | Source = Application Error | ID = 1000
Description = Faulting application divx player.exe, version 7.2.0.19, faulting module
divx player.exe, version 7.2.0.19, fault address 0x00126110.

Error - 8/2/2009 4:13:25 PM | Computer Name = HOME-0EC38E917E | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.0.3474, faulting module
jvm.dll, version 11.3.0.2, fault address 0x000a96e6.

Error - 8/8/2009 2:55:24 PM | Computer Name = HOME-0EC38E917E | Source = MsiInstaller | ID = 1013
Description = Product: HTC Sync -- Setup has detected that a newer version is installed.
You must uninstall it before you can continue with the installation. Click OK to
close this setup.

Error - 9/30/2009 8:35:55 PM | Computer Name = HOME-0EC38E917E | Source = Application Error | ID = 1000
Description = Faulting application wmplayer.exe, version 11.0.5721.5145, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x00011689.

Error - 10/1/2009 9:08:11 PM | Computer Name = HOME-0EC38E917E | Source = Application Error | ID = 1000
Description = Faulting application wmplayer.exe, version 11.0.5721.5145, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x00011689.

Error - 10/1/2009 9:08:48 PM | Computer Name = HOME-0EC38E917E | Source = Application Error | ID = 1000
Description = Faulting application wmplayer.exe, version 11.0.5721.5145, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x00011689.

Error - 10/25/2009 10:14:28 PM | Computer Name = HOME-0EC38E917E | Source = MsiInstaller | ID = 1013
Description = Product: Adobe Reader 9.2 -- A process is running that cannot be shut
down by Setup. Please either close all applications and run Setup again, or restart
your computer and run Setup again.

Error - 10/26/2009 7:33:45 AM | Computer Name = HOME-0EC38E917E | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\PHILLIP\MY DOCUMENTS\MY MUSIC\THE
FALL OF TROY\THUMBS.DB> in the hash map cannot be updated. Context: Application,
SystemIndex Catalog Details: A device attached to the system is not functioning.
(0x8007001f)

[ System Events ]
Error - 4/3/2010 12:07:25 PM | Computer Name = HOME-0EC38E917E | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 4/3/2010 12:15:25 PM | Computer Name = HOME-0EC38E917E | Source = Service Control Manager | ID = 7000
Description = The Nero BackItUp Scheduler 4.0 service failed to start due to the
following error: %%2

Error - 4/3/2010 7:07:03 PM | Computer Name = HOME-0EC38E917E | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 4/4/2010 3:15:35 AM | Computer Name = HOME-0EC38E917E | Source = PSched | ID = 14103
Description = QoS [Adapter {FE669B65-0379-4A62-97B1-4652E8881720}]: The netcard driver
failed the query for OID_GEN_LINK_SPEED.

Error - 4/4/2010 3:15:36 AM | Computer Name = HOME-0EC38E917E | Source = NETw5x32 | ID = 262187
Description =

Error - 4/4/2010 4:25:29 AM | Computer Name = HOME-0EC38E917E | Source = NETw5x32 | ID = 262187
Description =

Error - 4/4/2010 4:25:29 AM | Computer Name = HOME-0EC38E917E | Source = PSched | ID = 14103
Description = QoS [Adapter {FE669B65-0379-4A62-97B1-4652E8881720}]: The netcard driver
failed the query for OID_GEN_LINK_SPEED.

Error - 4/4/2010 12:18:12 PM | Computer Name = HOME-0EC38E917E | Source = Service Control Manager | ID = 7000
Description = The Nero BackItUp Scheduler 4.0 service failed to start due to the
following error: %%2

Error - 4/5/2010 7:07:04 PM | Computer Name = HOME-0EC38E917E | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 4/6/2010 8:55:22 PM | Computer Name = HOME-0EC38E917E | Source = Service Control Manager | ID = 7000
Description = The Nero BackItUp Scheduler 4.0 service failed to start due to the
following error: %%2


< End of report >





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users