Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with XP Security 2010


  • This topic is locked This topic is locked
14 replies to this topic

#1 luupy

luupy

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:03 PM

Posted 10 April 2010 - 04:07 AM

Greetings,
Earlier this week I managed to get my computer infected with the above virus. It took me 2/3 days following instructions from various sites and running several anti virus programs to finally get it under control - or so I thought.
Finally yesterday (friday) morning, all programs were reporting no malware found after scanning - these included malwarebytes anti-malware, spybot sd and ccleaner. But I still felt something was wrong - it was often taking 2 or 3 attempts to get these programs running - they would just die on me after double clicking the first couple times, and my browser, firefox, was frequently redirecting to unwanted sites, particularly when I used google.
In desperation I downloaded and ran combofix and it picked up a few files that I was suspicious of and deleted them - all seemed well, firefox appeared to be working normally and programs were running first time, the only odd thing was that an internet explorer icon had appeared on the desktop, a program I rarely use. Anyway, I was tired so I breathed a sigh of relief and got some sleep.
However, upon switching on this morning I was soon made aware of further problems - within 10 minutes th

Attached Files



BC AdBot (Login to Remove)

 


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:03 PM

Posted 12 April 2010 - 09:05 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log. I apologize for the delay.

If you still require assistance we would like to see the current condition of your system so please post a new set of DDS Logs as well as a GMER log and a description of any remaining problems or symptoms you may still have please.

If for any reason you did not post a DDS log or GMER log please refer to this page and in step #6 and Step #7 and Step #8 for further instructions on downloading and running DDS & GMER. If you have any problems when running the tools or unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-GMER log
-Description of any remaining problems you may still have.


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 luupy

luupy
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:03 PM

Posted 13 April 2010 - 02:47 AM

Hi EB,
many thanks for your offer to help.
Not sure what happened to the end of my post, which included the DDs report, but had a message that the server had reset when i tried to post so something to do with that I guess.
The infected machine is currently disconnected from the internet as my ISP is threatening to cut us off after getting reports of email spamming originating from my IP address. No new reports since 07/04 so I think my original attempts to eliminate the virus got rid of that aspect, but I'm not taking any chances until I'm pretty sure the machine is clean again. So I will communicate via my games machine.
Last time it was switched on for any length of time (saturday) - I got a message to say the firewall had been switched off and I was unable to get to the security page to switch back on again - the xp security 2010 bogus page came up and shortly afterwards started spamming my maching with the usual bogus messages.
Also, whenever I tried to use firefox I was being redirected to various unwanted pages and was unable to access the page I wanted unless I typed it into the address bar manually.
Later that morning I ran malwarebytes's anti-malware which picked up a load of new files (27) and quarantined/deleted them - but I had seen this before several times and they just come back again the next day. When avira ran its scheduled scan later it picked up 2 files in the registry which over-rode the firewall and virus protection, once again they were deleted. The other problem that concerns me is that when I try to open any window, like the security centre or the add/remove windows page, it takes several attempts to get the page to load properly.
The machine has been switched on now for over an hour without any problems but as I said, it is disconnected from the internet except for a few mins each day to retrieve email, so I suspect the problem may lay primarily within the browser.

DDS report:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 6:41:00.23 on 13/04/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1660 [GMT 1:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
uRun: [ccleaner] "c:\program files\ccleaner\CCleaner.exe" /AUTO
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185971789906
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\3kahiane.default\
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
FF - plugin: c:\program files\ign\download manager\npfpdlm.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-4-9 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-4-9 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-4-9 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-4-9 60936]
S0 eckurhph;eckurhph; [x]
S3 BEHRINGER_2902;usb-audio.de driver for BEHRINGER USB AUDIO;c:\windows\system32\drivers\BUSB2902.sys [2007-12-25 110272]

=============== Created Last 30 ================

2010-04-11 19:05:42 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-11 11:59:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-11 11:59:07 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-11 08:45:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-04-11 08:45:02 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-10 13:43:26 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-10 13:43:26 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-09 22:38:17 0 d-sha-r- C:\cmdcons
2010-04-09 22:36:31 98816 ----a-w- c:\windows\sed.exe
2010-04-09 22:36:31 77312 ----a-w- c:\windows\MBR.exe
2010-04-09 22:36:31 261632 ----a-w- c:\windows\PEV.exe
2010-04-09 22:36:31 161792 ----a-w- c:\windows\SWREG.exe
2010-04-09 16:00:35 0 d-----w- c:\docume~1\owner\applic~1\Avira
2010-04-09 15:57:31 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-09 15:57:30 0 d-----w- c:\program files\Avira
2010-04-09 15:57:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-04-09 08:15:24 0 d-----w- c:\program files\CCleaner
2010-04-09 06:47:19 54156 ---ha-w- c:\windows\QTFont.qfn
2010-04-09 06:47:19 1409 ----a-w- c:\windows\QTFont.for
2010-04-08 17:23:51 44544 ---ha-w- c:\windows\system32\caclpgds.dll
2010-04-08 08:19:05 0 d-----w- c:\program files\Trend Micro
2010-04-07 16:29:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-04-06 15:11:54 0 d-----w- c:\program files\AVG
2010-04-06 13:50:31 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-04-06 13:29:33 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-06 13:01:14 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-06 11:08:33 2976 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-04-06 11:08:09 2592 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-04-06 11:00:51 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-04-06 10:59:50 0 d-----w- c:\program files\common files\iS3
2010-04-06 10:59:50 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-04-06 10:24:09 23162 ----a-w- c:\windows\system32\enb
2010-04-06 10:04:30 0 d--h--w- c:\windows\system32\GroupPolicy
2010-04-06 08:20:40 120 ----a-w- c:\windows\Ojirevi.dat
2010-04-06 08:20:40 0 ----a-w- c:\windows\Sfabo.bin

==================== Find3M ====================

2010-03-11 12:38:54 832512 ------w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ------w- c:\windows\system32\corpol.dll
2008-08-19 10:39:09 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081920080820\index.dat

============= FINISH: 6:42:26.04 ===============

Attached Files



#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:03 PM

Posted 13 April 2010 - 03:51 PM

Ouch, that seems like quite a bit of things. I'll help you out though and see if we can deal with this.

You shouldn't of ran Combofix on your own, but since you already did I would like to see the report it created previously. It can be found in the root of your C:\ drive.

Then, I would like you to do the following so I can take a look...

We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured.
  6. Copy and Paste the following code into the textbox. Do not include the word "Code"

    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    mouclass.sys
    atapi.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT

  7. Push
  8. A report will open. Copy and Paste that report in your next reply.
  9. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Therefore in your next reply I would like to see:
-The previous Comobfix log
-OTL log
-Extra log

Also, please from now on refrain from doing too much changes to your system including fixing anything until we're done, so we can try to get your computer fixed efficently and effectively.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 luupy

luupy
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:03 PM

Posted 13 April 2010 - 04:54 PM

Thanks for the speedy reply EB. Am pretty much leaving the machine alone till I'm sure its fairly clean - though I have to say that its not removing my firewall or spamming the screen with bogus virus alerts since I disconnected from the net.
Anyway - logs as requested:

ComboFix 10-04-09.03 - Owner 10/04/2010 6:49.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1579 [GMT 1:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe

.
((((((((((((((((((((((((( Files Created from 2010-03-10 to 2010-04-10 )))))))))))))))))))))))))))))))
.

2010-04-09 16:00 . 2010-04-09 16:00 -------- d-----w- c:\documents and settings\Owner\Application Data\Avira
2010-04-09 15:57 . 2010-03-01 08:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-04-09 15:57 . 2010-02-16 12:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-09 15:57 . 2009-05-11 10:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-04-09 15:57 . 2009-05-11 10:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-04-09 15:57 . 2010-04-09 15:57 -------- d-----w- c:\program files\Avira
2010-04-09 15:57 . 2010-04-09 15:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-04-09 08:15 . 2010-04-09 08:15 -------- d-----w- c:\program files\CCleaner
2010-04-08 17:23 . 2010-04-08 17:23 44544 ---ha-w- c:\windows\system32\caclpgds.dll
2010-04-08 08:19 . 2010-04-08 08:19 -------- d-----w- c:\program files\Trend Micro
2010-04-07 16:29 . 2010-04-10 05:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-07 16:29 . 2010-04-07 16:33 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-07 11:45 . 2010-03-29 23:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-07 11:45 . 2010-03-29 23:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-07 10:55 . 2010-04-07 10:55 16416 ----a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-07 10:55 . 2010-04-08 17:24 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-06 15:11 . 2010-04-06 15:11 -------- d-----w- c:\program files\AVG
2010-04-06 13:50 . 2010-04-06 13:50 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-04-06 13:29 . 2010-04-06 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-06 13:01 . 2010-04-07 11:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-06 11:00 . 2010-04-06 11:00 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-04-06 10:59 . 2010-04-06 13:38 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-04-06 10:59 . 2010-04-06 10:59 -------- d-----w- c:\program files\Common Files\iS3
2010-04-06 10:04 . 2010-04-06 10:04 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-04-06 08:20 . 2010-04-07 14:58 120 ----a-w- c:\windows\Ojirevi.dat
2010-04-06 08:20 . 2010-04-07 06:25 0 ----a-w- c:\windows\Sfabo.bin
2010-03-11 06:49 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-09 06:33 . 2007-08-04 09:29 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-04-06 13:34 . 2010-04-06 11:08 2976 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-04-06 12:58 . 2010-04-06 11:08 2592 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-04-06 07:23 . 2007-08-03 20:36 -------- d-----w- c:\program files\PokerStars
2010-04-04 10:33 . 2007-08-04 14:35 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2
2010-04-03 16:53 . 2007-08-05 07:45 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2010-03-11 12:38 . 2004-08-04 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2010-03-10 14:42 . 2009-10-11 08:40 -------- d-----w- c:\program files\Nexus Radio
2010-02-15 16:59 . 2010-02-15 16:59 -------- d-----w- c:\program files\Xvid
2010-02-15 16:49 . 2008-03-17 11:45 -------- d-----w- c:\program files\AllToAVI
2010-01-27 22:11 . 2010-01-27 22:11 126976 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{01B8CDED-16D4-4106-935C-2A9AA236BF1A}\NewShortcut3_3578F861852C40E8B00D3E8FBA99B79A.exe
2010-01-27 22:11 . 2010-01-27 22:11 126976 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{01B8CDED-16D4-4106-935C-2A9AA236BF1A}\NewShortcut1_3578F861852C40E8B00D3E8FBA99B79A.exe
2010-01-27 22:11 . 2010-01-27 22:11 10134 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{01B8CDED-16D4-4106-935C-2A9AA236BF1A}\ARPPRODUCTICON.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2010-03-29 1654584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-09 13680640]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OpenOffice.org 2.2.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 2.2.lnk
backup=c:\windows\pss\OpenOffice.org 2.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 10:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 09:45 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DrvLsnr]
2003-05-08 10:34 69632 ------w- c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus D92 Series]
2006-09-27 03:00 139264 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIBZE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
2007-03-05 12:57 1103480 ----a-w- c:\program files\IGN\Download Manager\DLM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-05-18 10:29 49152 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 09:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nexus Radio]
2009-11-18 11:53 4745216 ----a-w- c:\program files\Nexus Radio\Nexus Radio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-02-09 13:18 13680640 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-02-09 13:18 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2009-02-09 13:18 1657376 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-04-27 08:41 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2005-12-07 21:57 30208 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
2003-05-05 07:57 143360 ----a-w- c:\program files\Analog Devices\SoundMAX\SMTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 03:00 132496 ----a-w- c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2007-08-18 15:49 185632 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2007-05-14 22:22 35328 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
drivclip REG_SZ c:\windows\system32\caclpgds.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AudioLabel\\AudioLabel.exe"=
"d:\\bt downloads\\utorrent.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [09/04/2010 16:57 135336]
S0 eckurhph;eckurhph; [x]
S3 BEHRINGER_2902;usb-audio.de driver for BEHRINGER USB AUDIO;c:\windows\system32\drivers\BUSB2902.sys [25/12/2007 23:42 110272]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3kahiane.default\
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-10 07:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A0D4AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74a0852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: 3Com 3C920B-EMB Integrated Fast Ethernet Controller -> SendCompleteHandler -> NDIS.sys @ 0xf743bb0a
PacketIndicateHandler -> NDIS.sys @ 0xf7446a21
SendHandler -> NDIS.sys @ 0xf743b949
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-261903793-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e6,ac,34,52,0c,26,52,0f,9e,c9,6b,5a,c6,0a,ef,77,ac,04,bd,09,45,98,66,
d8,21,f9,ea,6a,50,46,5e,dc,2c,aa,4a,f7,39,76,4a,f3,55,be,14,5c,c4,7a,f2,8a,\
"??"=hex:9e,bf,03,6d,ff,8b,0f,3a,06,69,d5,05,8b,64,85,4e
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(524)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(584)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1564)
c:\windows\system32\WININET.dll
c:\windows\system32\caclpgds.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\bgsvcgen.exe
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\nvsvc32.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
.
**************************************************************************
.
Completion time: 2010-04-10 07:11:15 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-10 06:11
ComboFix2.txt 2010-04-09 22:51

Pre-Run: 12,192,624,640 bytes free
Post-Run: 12,161,269,760 bytes free

- - End Of File - - 92334C74DD4998BFA4670A2B531AAEA5


OTL logfile created on: 13/04/2010 22:21:30 - Run 1
OTL by OldTimer - Version 3.2.1.1 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 83.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 95.00% Paging File free
Paging file location(s): C:\pagefile.sys 3070 3070 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 11.22 Gb Free Space | 30.12% Space Free | Partition Type: NTFS
Drive D: | 233.76 Gb Total Space | 10.46 Gb Free Space | 4.47% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 74.56 Gb Total Space | 7.72 Gb Free Space | 10.35% Space Free | Partition Type: NTFS
Drive G: | 7.46 Gb Total Space | 2.35 Gb Free Space | 31.48% Space Free | Partition Type: FAT32
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OWNER-F7B826DD2
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/04/13 22:07:32 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2010/03/16 15:36:32 | 000,267,432 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2010/03/02 10:28:31 | 000,282,792 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/02/24 09:28:09 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2010/01/14 21:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/04 14:39:42 | 000,118,784 | ---- | M] (B.H.A Corporation) -- C:\WINDOWS\system32\bgsvcgen.exe
PRC - [2006/04/18 04:00:00 | 000,102,400 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
PRC - [2002/09/20 16:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


========== Modules (SafeList) ==========

MOD - [2010/04/13 22:07:32 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
MOD - [2010/04/08 18:23:51 | 000,044,544 | -H-- | M] () -- C:\WINDOWS\system32\caclpgds.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/03/16 15:36:32 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010/02/24 09:28:09 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2008/04/04 14:39:42 | 000,118,784 | ---- | M] (B.H.A Corporation) [Auto | Running] -- C:\WINDOWS\System32\bgsvcgen.exe -- (bgsvcgen)
SRV - [2006/04/18 04:00:00 | 000,102,400 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE -- (EPSON_PM_RPCV4_01) EPSON V3 Service4(01)
SRV - [2002/09/20 16:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Driver Services (SafeList) ==========

DRV - [2010/03/01 09:05:24 | 000,124,784 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2010/02/16 13:24:01 | 000,060,936 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/05/11 11:49:19 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/05/11 09:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/02/09 14:18:00 | 006,307,328 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2008/04/13 19:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/04 14:39:43 | 000,033,408 | ---- | M] (B.H.A Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\CDRBSDRV.SYS -- (cdrbsdrv)
DRV - [2006/07/03 12:34:51 | 000,110,272 | R--- | M] (BEHRINGER) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BUSB2902.sys -- (BEHRINGER_2902)
DRV - [2003/03/19 15:51:00 | 000,018,688 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nv_agp.sys -- (nv_agp)
DRV - [2002/08/13 21:27:22 | 000,074,338 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\el90Xbc5.SYS -- (EL90Xbc)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-343818398-261903793-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKU\S-1-5-21-343818398-261903793-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..keyword.URL: "http://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p="

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/10 11:28:59 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/11 09:45:02 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/03/17 07:59:43 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2008/08/26 16:41:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2010/04/12 06:57:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3kahiane.default\extensions
[2009/08/10 07:32:27 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3kahiane.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2008/02/09 11:45:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3kahiane.default\extensions\en-GB@dictionaries.addons.mozilla.org
[2010/04/12 06:57:09 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/01/21 17:19:20 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/01/21 17:19:20 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/01/21 17:19:20 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/01/21 17:19:20 | 000,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2010/04/10 07:03:56 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (EpsonToolBandKicker Class) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
O3 - HKLM\..\Toolbar: (EPSON Web-To-Page) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
O3 - HKU\S-1-5-21-343818398-261903793-725345543-1003\..\Toolbar\WebBrowser: (EPSON Web-To-Page) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKU\S-1-5-21-343818398-261903793-725345543-1003..\Run: [ccleaner] C:\Program Files\CCleaner\CCleaner.exe (Piriform Ltd)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-343818398-261903793-725345543-1003\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-343818398-261903793-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-343818398-261903793-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-343818398-261903793-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe ()
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe ()
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1185971789906 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/07/24 13:33:02 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O36 - AppCertDlls: drivclip - (C:\WINDOWS\system32\caclpgds.dll) - C:\WINDOWS\system32\caclpgds.dll ()
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = secfile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "%1" %* File not found
O37 - HKU\S-1-5-18\...exe [@ = secfile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "%1" %* File not found

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2007/07/24 13:32:11 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe - (Adobe Systems Incorporated)
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe - (Adobe Systems Incorporated)
MsConfig - StartUpFolder: C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe - ()
MsConfig - StartUpReg: Adobe ARM - hkey= - key= - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: ctfmon.exe - hkey= - key= - File not found
MsConfig - StartUpReg: DrvLsnr - hkey= - key= - C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe (adi)
MsConfig - StartUpReg: EPSON Stylus D92 Series - hkey= - key= - File not found
MsConfig - StartUpReg: igndlm.exe - hkey= - key= - C:\Program Files\IGN\Download Manager\dlm.exe (IGN Entertainment)
MsConfig - StartUpReg: KernelFaultCheck - hkey= - key= - File not found
MsConfig - StartUpReg: LanguageShortcut - hkey= - key= - C:\Program Files\CyberLink\PowerDVD\Language\Language.exe ()
MsConfig - StartUpReg: MSMSGS - hkey= - key= - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
MsConfig - StartUpReg: NeroFilterCheck - hkey= - key= - File not found
MsConfig - StartUpReg: Nexus Radio - hkey= - key= - C:\Program Files\Nexus Radio\Nexus Radio.exe (Egisca Corporation)
MsConfig - StartUpReg: NvCplDaemon - hkey= - key= - File not found
MsConfig - StartUpReg: NvMediaCenter - hkey= - key= - File not found
MsConfig - StartUpReg: nwiz - hkey= - key= - File not found
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
MsConfig - StartUpReg: RemoteControl - hkey= - key= - C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (Cyberlink Corp.)
MsConfig - StartUpReg: Smapp - hkey= - key= - C:\Program Files\Analog Devices\SoundMAX\SMTray.exe (Analog Devices, Inc.)
MsConfig - StartUpReg: SunJavaUpdateSched - hkey= - key= - C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
MsConfig - StartUpReg: TkBellExe - hkey= - key= - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
MsConfig - StartUpReg: WinampAgent - hkey= - key= - C:\Program Files\Winamp\winampa.exe ()
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 2

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.7
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {B508B3F1-A24A-32C0-B310-85786919EF28} - .NET Framework
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {DAA94A2A-2A8D-4D3B-9DB8-56FBECED082D} - Microsoft .NET Framework 1.1 Security Update (KB953297)
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {EF289A85-8E57-408d-BE47-73B55609861A} - RootsUpdate
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
ActiveX: Microsoft Base Smart Card Crypto Provider Package -

Drivers32: MIDI1 - C:\WINDOWS\System32\Syncor11.dll (SoundMAX)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: VIDC.VIFP - C:\WINDOWS\System32\VFCodec.dll ()
Drivers32: vidc.VSPX - C:\WINDOWS\System32\vspxvfw.dll ()
Drivers32: vidc.XVID - C:\WINDOWS\System32\xvidvfw.dll ()

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (7050485169127424)

========== Files/Folders - Created Within 30 Days ==========

[2010/04/13 22:10:19 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/04/13 06:23:14 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Owner\Recent
[2010/04/11 20:05:42 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/04/11 12:59:10 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/11 12:59:07 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/11 09:45:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/04/11 09:45:21 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/04/11 09:45:02 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010/04/11 09:45:02 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/04/11 09:45:02 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/04/11 09:45:02 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/04/11 09:45:02 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/04/11 08:52:46 | 000,000,000 | ---D | C] -- C:\Avenger
[2010/04/10 08:12:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\gmer
[2010/04/10 07:11:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/04/10 07:04:34 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/04/09 23:38:17 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/04/09 23:36:31 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/04/09 23:36:31 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/04/09 23:36:31 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/04/09 23:36:31 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/04/09 23:36:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/04/09 23:34:36 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/09 17:00:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Avira
[2010/04/09 16:57:32 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2010/04/09 16:57:31 | 000,124,784 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2010/04/09 16:57:31 | 000,060,936 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2010/04/09 16:57:31 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2010/04/09 16:57:31 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2010/04/09 16:57:30 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2010/04/09 16:57:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2010/04/09 09:15:24 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/04/08 18:24:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/04/08 17:36:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\antivirus stuff
[2010/04/08 09:19:05 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/04/07 17:29:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/04/07 12:37:12 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/04/07 12:37:12 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/04/07 11:55:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/04/07 07:37:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/04/06 16:11:54 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2010/04/06 15:54:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/04/06 14:50:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2010/04/06 14:29:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/04/06 14:01:14 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/06 13:57:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/04/06 12:00:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SITEguard
[2010/04/06 11:59:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2010/04/06 11:59:50 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\iS3
[2010/04/06 11:04:30 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[2010/04/06 09:22:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/04/04 11:36:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\recipes
[2008/08/19 11:39:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[15 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/13 22:09:29 | 000,201,916 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/04/13 22:09:18 | 000,001,374 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/13 22:07:32 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/04/13 22:07:32 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/13 22:07:30 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/13 22:07:28 | 2147,012,608 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/13 19:01:25 | 008,912,896 | ---- | M] () -- C:\Documents and Settings\Owner\ntuser.dat
[2010/04/13 17:43:29 | 000,144,384 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/13 17:43:29 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/04/12 06:28:15 | 000,000,516 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/04/12 06:28:15 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/04/12 06:28:15 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/11 20:05:49 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Spybot - Search & Destroy.lnk
[2010/04/11 12:59:13 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/11 09:44:44 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/04/11 09:44:44 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/04/11 09:44:44 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/04/11 09:44:44 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/04/11 09:44:43 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010/04/11 07:07:49 | 000,011,346 | -HS- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\3534162100
[2010/04/11 07:07:07 | 000,012,250 | -HS- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\f6GO5G
[2010/04/11 07:07:07 | 000,012,250 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\2093768676
[2010/04/11 07:07:05 | 000,012,138 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\3534162100
[2010/04/11 07:07:05 | 000,012,138 | -HS- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\2093768676
[2010/04/11 07:05:34 | 000,011,618 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\f6GO5G
[2010/04/10 14:43:26 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/10 14:43:26 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/04/10 08:03:41 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2010/04/10 07:03:56 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/10 06:46:26 | 003,911,347 | R--- | M] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe
[2010/04/09 17:13:05 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/04/09 16:57:49 | 000,001,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2010/04/09 09:15:26 | 000,001,548 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\CCleaner.lnk
[2010/04/09 07:47:19 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2010/04/09 07:47:19 | 000,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2010/04/08 21:48:45 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100409-104616.backup
[2010/04/08 18:23:51 | 000,044,544 | -H-- | M] () -- C:\WINDOWS\System32\caclpgds.dll
[2010/04/08 15:52:43 | 000,014,880 | -HS- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\QsAgA3xk6
[2010/04/08 15:52:43 | 000,014,880 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\QsAgA3xk6
[2010/04/07 18:12:30 | 000,000,206 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2010/04/07 15:58:30 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Ojirevi.dat
[2010/04/07 15:26:44 | 000,013,952 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\R8x4CECgW
[2010/04/07 13:29:20 | 000,013,946 | -HS- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\R8x4CECgW
[2010/04/07 07:25:20 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Sfabo.bin
[2010/04/06 16:06:24 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/04/06 16:05:42 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/04/06 14:34:34 | 000,002,976 | ---- | M] () -- C:\WINDOWS\System32\drivers\kgpfr2.cfg
[2010/04/06 13:58:55 | 000,002,592 | ---- | M] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2010/04/06 12:27:49 | 000,001,156 | -HS- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\aPH03i
[2010/04/06 12:27:49 | 000,000,000 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\aPH03i
[2010/04/06 11:56:20 | 000,012,944 | -HS- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\GbW53PfLB
[2010/04/06 11:56:20 | 000,012,944 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\GbW53PfLB
[2010/04/06 11:27:32 | 000,023,162 | ---- | M] () -- C:\WINDOWS\System32\enb
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/28 09:27:52 | 000,521,942 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/28 09:27:52 | 000,441,432 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/28 09:27:52 | 000,071,176 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[15 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/11 20:05:49 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Spybot - Search & Destroy.lnk
[2010/04/11 12:59:13 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/11 07:06:05 | 000,011,346 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\3534162100
[2010/04/11 07:05:09 | 000,012,138 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3534162100
[2010/04/11 07:05:09 | 000,012,138 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\2093768676
[2010/04/11 07:04:55 | 000,012,250 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\f6GO5G
[2010/04/11 07:04:55 | 000,012,250 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\2093768676
[2010/04/11 07:03:31 | 000,011,618 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\f6GO5G
[2010/04/11 07:03:31 | 000,011,618 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\f6GO5G
[2010/04/10 14:43:26 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/10 14:43:26 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/04/10 08:03:40 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2010/04/09 23:38:24 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/04/09 23:38:19 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/04/09 23:36:31 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/04/09 23:36:31 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/09 23:36:31 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/04/09 23:36:31 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/04/09 23:36:31 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/04/09 23:33:13 | 003,911,347 | R--- | C] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe
[2010/04/09 16:57:49 | 000,001,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2010/04/09 09:15:26 | 000,001,548 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\CCleaner.lnk
[2010/04/09 07:47:19 | 000,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2010/04/09 07:47:19 | 000,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2010/04/08 18:23:51 | 000,044,544 | -H-- | C] () -- C:\WINDOWS\System32\caclpgds.dll
[2010/04/08 14:52:09 | 000,014,880 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\QsAgA3xk6
[2010/04/08 14:52:09 | 000,014,880 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\QsAgA3xk6
[2010/04/07 12:29:12 | 000,013,946 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\R8x4CECgW
[2010/04/07 11:55:16 | 000,013,952 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\R8x4CECgW
[2010/04/07 11:55:16 | 000,013,952 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\R8x4CECgW
[2010/04/06 12:27:49 | 000,001,156 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\aPH03i
[2010/04/06 12:27:49 | 000,000,000 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\aPH03i
[2010/04/06 12:08:33 | 000,002,976 | ---- | C] () -- C:\WINDOWS\System32\drivers\kgpfr2.cfg
[2010/04/06 12:08:09 | 000,002,592 | ---- | C] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2010/04/06 11:24:09 | 000,023,162 | ---- | C] () -- C:\WINDOWS\System32\enb
[2010/04/06 09:20:40 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Ojirevi.dat
[2010/04/06 09:20:40 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Sfabo.bin
[2010/04/06 09:17:15 | 000,012,944 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\GbW53PfLB
[2010/04/06 09:17:15 | 000,012,944 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\GbW53PfLB
[2010/02/15 17:59:13 | 000,819,200 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2010/02/15 17:59:13 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/10/10 20:45:52 | 000,000,860 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2008/03/10 11:01:47 | 000,482,816 | ---- | C] () -- C:\WINDOWS\System32\VFCodec.dll
[2007/08/21 07:53:43 | 008,912,896 | ---- | C] () -- C:\Documents and Settings\Owner\ntuser.dat
[2007/08/15 15:38:49 | 000,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2007/08/12 14:23:14 | 000,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI
[2007/08/12 14:08:53 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2007/08/12 14:05:32 | 000,000,025 | ---- | C] () -- C:\WINDOWS\CDED92Euro.ini
[2007/08/03 20:46:16 | 000,000,206 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/08/03 19:36:09 | 000,000,103 | ---- | C] () -- C:\Documents and Settings\Owner\default.pls
[2007/08/03 19:30:18 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/08/03 19:30:11 | 000,144,384 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/08/01 13:22:14 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll
[2007/08/01 13:21:27 | 001,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/08/01 13:21:26 | 001,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/08/01 13:21:26 | 001,507,328 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/08/01 13:21:26 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/07/24 14:00:01 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Owner\ntuser.ini
[2007/07/24 14:00:00 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\Owner\ntuser.dat.LOG
[2006/10/22 12:22:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/10/22 12:22:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/03/18 14:16:04 | 000,540,178 | ---- | C] () -- C:\WINDOWS\System32\x264vfw.dll
[2005/10/20 23:58:52 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\vspxvfw.dll
[2005/09/01 15:20:46 | 000,524,288 | ---- | C] () -- C:\WINDOWS\System32\vspxcore.dll
[2001/07/13 08:04:00 | 000,373,248 | ---- | C] () -- C:\WINDOWS\EyeCand3.INI

========== LOP Check ==========

[2007/08/12 14:07:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EPSON
[2010/04/06 12:00:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SITEguard
[2010/04/06 14:38:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2009/08/13 22:00:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2007/08/12 14:12:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\UDL
[2007/08/12 14:23:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\EPSON
[2008/08/15 06:41:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\gtk-2.0
[2008/03/10 10:27:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\LEAPS
[2008/04/04 14:45:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Pegasys Inc
[2007/08/04 10:35:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Thunderbird
[2010/04/03 17:53:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\uTorrent

========== Purity Check ==========



========== Custom Scans ==========


< %ALLUSERSPROFILE%\Application Data\*. >
[2009/10/25 07:13:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2007/08/01 13:49:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ahead
[2007/08/01 13:46:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2010/04/09 16:57:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Avira
[2007/08/04 21:57:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CyberLink
[2009/07/01 11:50:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DVD Shrink
[2007/08/12 14:07:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EPSON
[2010/04/06 14:29:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2007/08/03 16:34:48 | 000,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2007/08/12 19:23:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NVIDIA
[2007/08/21 09:37:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\nView_Profiles
[2010/04/06 12:00:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SITEguard
[2010/04/12 06:27:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/04/06 14:38:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2010/04/11 09:45:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sun
[2009/08/13 22:00:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2007/08/12 14:12:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\UDL
[2007/08/01 13:57:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage

< %ALLUSERSPROFILE%\Application Data\*.exe /s >
[2006/04/18 04:00:00 | 000,102,400 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE

< %APPDATA%\*. >
[2008/02/02 07:52:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Adobe
[2009/01/27 21:51:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Ahead
[2010/04/09 17:00:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Avira
[2007/08/06 12:53:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\CyberLink
[2009/12/16 08:35:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\dvdcss
[2007/08/12 14:23:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\EPSON
[2008/08/12 07:27:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Google
[2008/08/15 06:41:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\gtk-2.0
[2007/08/04 13:38:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Help
[2007/07/24 14:00:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Identities
[2008/06/17 10:08:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\IGN_DLM
[2008/03/10 10:27:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\LEAPS
[2007/08/03 18:51:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Macromedia
[2010/04/06 14:50:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2010/04/07 12:37:12 | 000,000,000 | --SD | M] -- C:\Documents and Settings\Owner\Application Data\Microsoft
[2007/08/03 21:11:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla
[2010/04/04 11:33:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
[2008/04/04 14:45:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Pegasys Inc
[2007/08/18 16:51:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Real
[2007/08/07 19:20:05 | 000,000,000 | R--D | M] -- C:\Documents and Settings\Owner\Application Data\SecuROM
[2007/08/01 13:42:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Sun
[2007/08/03 20:52:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Talkback
[2007/08/04 10:35:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Thunderbird
[2010/04/03 17:53:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\uTorrent
[2007/08/04 15:11:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\vlc

< %APPDATA%\*.exe /s >
[2010/01/27 23:11:16 | 000,010,134 | R--- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Installer\{01B8CDED-16D4-4106-935C-2A9AA236BF1A}\ARPPRODUCTICON.exe
[2010/01/27 23:11:16 | 000,126,976 | R--- | M] (Macrovision Corporation) -- C:\Documents and Settings\Owner\Application Data\Microsoft\Installer\{01B8CDED-16D4-4106-935C-2A9AA236BF1A}\NewShortcut1_3578F861852C40E8B00D3E8FBA99B79A.exe
[2010/01/27 23:11:16 | 000,126,976 | R--- | M] (Macrovision Corporation) -- C:\Documents and Settings\Owner\Application Data\Microsoft\Installer\{01B8CDED-16D4-4106-935C-2A9AA236BF1A}\NewShortcut3_3578F861852C40E8B00D3E8FBA99B79A.exe

< %SYSTEMDRIVE%\*.exe >


< MD5 for: ATAPI.SYS >
[2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/08/19 08:49:23 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/08/19 08:49:23 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 19:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 19:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 19:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 13:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: MOUCLASS.SYS >
[2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:mouclass.sys
[2008/08/19 08:49:23 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:mouclass.sys
[2008/08/19 08:49:23 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:mouclass.sys
[2004/08/04 13:00:00 | 000,023,040 | ---- | M] (Microsoft Corporation) MD5=34E1F0031153E491910E12551400192C -- C:\WINDOWS\$NtServicePackUninstall$\mouclass.sys
[2008/04/13 19:39:47 | 000,023,040 | ---- | M] (Microsoft Corporation) MD5=35C9E97194C8CFB8430125F8DBC34D04 -- C:\WINDOWS\ServicePackFiles\i386\mouclass.sys
[2008/04/13 19:39:47 | 000,023,040 | ---- | M] (Microsoft Corporation) MD5=35C9E97194C8CFB8430125F8DBC34D04 -- C:\WINDOWS\system32\drivers\mouclass.sys

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[15 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

========== Alternate Data Streams ==========

@Alternate Data Stream - 107 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:364682BC
< End of report >


OTL Extras logfile created on: 13/04/2010 22:21:30 - Run 1
OTL by OldTimer - Version 3.2.1.1 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 83.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 95.00% Paging File free
Paging file location(s): C:\pagefile.sys 3070 3070 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 11.22 Gb Free Space | 30.12% Space Free | Partition Type: NTFS
Drive D: | 233.76 Gb Total Space | 10.46 Gb Free Space | 4.47% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 74.56 Gb Total Space | 7.72 Gb Free Space | 10.35% Space Free | Partition Type: NTFS
Drive G: | 7.46 Gb Total Space | 2.35 Gb Free Space | 31.48% Space Free | Partition Type: FAT32
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OWNER-F7B826DD2
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\.DEFAULT\SOFTWARE\Classes\<extension>]
.exe [@ = secfile] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe File not found

[HKEY_USERS\S-1-5-18\SOFTWARE\Classes\<extension>]
.exe [@ = secfile] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe File not found

[HKEY_USERS\S-1-5-21-343818398-261903793-725345543-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AudioLabel\AudioLabel.exe" = C:\Program Files\AudioLabel\AudioLabel.exe:*:Enabled:AudioLabel -- (Cripple Creek Software )
"D:\bt downloads\utorrent.exe" = D:\bt downloads\utorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\eMule\emule.exe" = C:\Program Files\eMule\emule.exe:*:Enabled:eMule -- (http://www.emule-project.net)
"C:\Program Files\SopCast\adv\SopAdver.exe" = C:\Program Files\SopCast\adv\SopAdver.exe:*:Disabled:SopCast Adver -- (www.sopcast.com)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01B8CDED-16D4-4106-935C-2A9AA236BF1A}" = Nexus Radio
"{08094E03-AFE4-4853-9D31-6D0743DF5328}" = QuickTime
"{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}" = Google Earth
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{20C45B32-5AB6-46A4-94EF-58950CAF05E5}" = EPSON Attach To Email
"{26A24AE4-039D-4CA4-87B4-2F83216019FF}" = Java™ 6 Update 19
"{2A88F1BF-7041-4E42-84B1-6B4ACB83AC64}" = EPSON Scan Assistant
"{2EB81825-E9EE-44F4-8F51-1240C3898DC6}" = EPSON File Manager
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{7F14F68C-17FA-4F88-B3FD-7F449C1EBF32}" = EPSON Web-To-Page
"{8186E1B9-DDC6-45B6-B9EB-C28947CBC4CF}" = Adobe Flash Player 9 ActiveX
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8D4942F1-D5EB-40A7-9D7B-07F8ED1B71E9}" = TMPGEnc DVD Author 3 with DivX Authoring
"{8DAC1AE4-33D1-4A78-8A42-00E09EDECC3E}" = Camera RAW Plug-In for EPSON Creativity Suite
"{A1C8D94A-4303-4489-B585-4B6E6CD408CB}" = OpenOffice.org 2.2
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.7
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B66E665A-DF96-4C38-9422-C7F74BC1B4E5}" = EPSON Easy Photo Print
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D6DE02C7-1F47-11D4-9515-00105AE4B89A}" = Paint Shop Pro 7 Anniversary Edition
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AllToAVI" = AllToAVI v4 r5394
"Audacity_is1" = Audacity 1.2.6
"AudioLabel" = AudioLabel
"Avidemux 2.4" = Avidemux 2.4
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"CCleaner" = CCleaner
"DVD Shrink_is1" = DVD Shrink 3.2
"DVD-lab PRO_is1" = DVD-lab PRO 1.00
"eMule" = eMule
"EPSON Printer and Utilities" = EPSON Printer Software
"EPSON Stylus C90_91_D92 User’s Guide" = EPSON Stylus C90_91_D92 Manual
"EZ Vinyl/Tape Converter by MixMeister_is1" = EZ Vinyl/Tape Converter 4.0 by MixMeister
"Feurio" = Feurio! CD-Writer
"gename_AoC_Edition_1.0" = gename AoC Edition 1.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"IGN Download Manager" = IGN Download Manager 2.3.0
"InstallShield_{20C45B32-5AB6-46A4-94EF-58950CAF05E5}" = EPSON Attach To Email
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.9)" = Mozilla Firefox (3.5.9)
"Mozilla Thunderbird (2.0.0.24)" = Mozilla Thunderbird (2.0.0.24)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"Native Instruments Guitar Combos Behringer Edition" = Native Instruments Guitar Combos Behringer Edition
"NeroMultiInstaller!UninstallKey" = Nero Suite
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"PartyPoker" = PartyPoker
"PokerStars" = PokerStars
"RealPlayer 6.0" = RealPlayer
"USB_AUDIO_DEusb-audio.deBehringer2902" = BEHRINGER USB AUDIO DRIVER
"Video Strip Poker Supreme" = Video Strip Poker Supreme
"VLC media player" = VideoLAN VLC media player 0.8.6c
"WIC" = Windows Imaging Component
"Winamp" = Winamp (remove only)
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Xvid_is1" = Xvid 1.2.2 final uninstall

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 02/01/2009 03:00:50 | Computer Name = OWNER-F7B826DD2 | Source = Application Error | ID = 1000
Description = Faulting application nerostartsmart.exe, version 2.1.0.1, faulting
module unknown, version 0.0.0.0, fault address 0x02cd787e.

Error - 27/01/2009 15:42:29 | Computer Name = OWNER-F7B826DD2 | Source = Application Hang | ID = 1002
Description = Hanging application PowerDVD.exe, version 7.0.1813.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 07/02/2009 07:23:58 | Computer Name = OWNER-F7B826DD2 | Source = Application Hang | ID = 1002
Description = Hanging application PhotoSnapViewer.exe, version 1.1.0.6, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 28/02/2009 04:25:04 | Computer Name = OWNER-F7B826DD2 | Source = Application Error | ID = 1000
Description = Faulting application vlc.exe, version 0.8.6.0, faulting module ntdll.dll,
version 5.1.2600.5512, fault address 0x000369aa.

Error - 05/04/2009 04:27:05 | Computer Name = OWNER-F7B826DD2 | Source = Application Error | ID = 1000
Description = Faulting application vghd.exe, version 1.0.1.1, faulting module vghd.exe,
version 1.0.1.1, fault address 0x00004056.

Error - 19/04/2009 13:32:00 | Computer Name = OWNER-F7B826DD2 | Source = Application Error | ID = 1000
Description = Faulting application vlc.exe, version 0.8.6.0, faulting module libvlc.dll,
version 0.0.0.0, fault address 0x0007b0c2.

Error - 03/05/2009 03:35:18 | Computer Name = OWNER-F7B826DD2 | Source = Application Error | ID = 1000
Description = Faulting application vghd.exe, version 1.0.1.1, faulting module vghd.exe,
version 1.0.1.1, fault address 0x00004056.

Error - 11/05/2009 11:55:53 | Computer Name = OWNER-F7B826DD2 | Source = Application Error | ID = 1000
Description = Faulting application vlc.exe, version 0.8.6.0, faulting module msvcrt.dll,
version 7.0.2600.5512, fault address 0x000378c0.

Error - 17/05/2009 19:26:07 | Computer Name = OWNER-F7B826DD2 | Source = Application Hang | ID = 1002
Description = Hanging application vlc.exe, version 0.8.6.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 29/06/2009 07:06:14 | Computer Name = OWNER-F7B826DD2 | Source = Application Hang | ID = 1002
Description = Hanging application E_FARNBZE.EXE, version 4.0.3.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 11/04/2010 03:53:33 | Computer Name = OWNER-F7B826DD2 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 11/04/2010 03:53:33 | Computer Name = OWNER-F7B826DD2 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 11/04/2010 07:56:44 | Computer Name = OWNER-F7B826DD2 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 11/04/2010 07:56:44 | Computer Name = OWNER-F7B826DD2 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 12/04/2010 01:26:39 | Computer Name = OWNER-F7B826DD2 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 12/04/2010 01:26:39 | Computer Name = OWNER-F7B826DD2 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 13/04/2010 01:23:04 | Computer Name = OWNER-F7B826DD2 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 13/04/2010 01:23:04 | Computer Name = OWNER-F7B826DD2 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 13/04/2010 17:07:56 | Computer Name = OWNER-F7B826DD2 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 13/04/2010 17:07:56 | Computer Name = OWNER-F7B826DD2 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.


< End of report >


Regards
Luupy

#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:03 PM

Posted 13 April 2010 - 06:14 PM

Hi again Luupy,

Good idea on disabling the internet for now. smile.gif

One of the infection you have here is the TDL3 rootkit, more information here: http://rootbiez.blogspot.com/2009/11/rootk...s-lets-put.html

If you wish to continue with removing this, let's begin...

One of the few thigns Combofix removed previously deals with an infection that steals sensitive information. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

---
The previous log shows you have Windows Recovery Console installed through Combofix, we are going to use that to deal with this infection.

Please restart your computer. Then at the loading screen you have only 2 seconds to select the Operating System. Choose the Windows Recovery Console by using your arrow keys and pressing enter on your keyboard.

The Recovery Console, will now load, follow the prompts.
Type in the number of the Windows installation you want to repair (usually 1), then press Enter.
Type in the Administrator password (leave blank if you are unsure what it is or if you do not have one) and press Enter.
At the C:\Windows prompt type in the following codes below in bold and press enter after typing each line.

cd c:\windows\system32\drivers
ren mouclass.sys mouclass.old
copy C:\WINDOWS\ServicePackFiles\i386\mouclass.sys c:\windows\system32\drivers


You should see a message '1 file copied'. If you did not see that message, try again and ensure there is a space after the word copy and another space between the file paths.

Type exit and press 'Enter'. Your computer should reboot.

--

Delete the Combofix.exe if you still have it.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may call it to stall.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 luupy

luupy
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:03 PM

Posted 14 April 2010 - 06:04 AM

Hi again EB,
Thanks for persevering with this and thanks for the heads up regarding the stealing of sensitive info. Don't bank online and have no sensitive info on computer but do buy stuff, mostly games, online so am currently checking those sites for any recent transactions and changing the passwords. Nothing suspicious so far and have not bought anything this month so hopefully I've got away with that one.
Just want to mention that when I went into recovery console and changed that file, when it rebooted afterwards the windows screen was covered with rows of hypens and staggered wavy flags made out of equals signs - had to reboot and all seemed well - hopefully just a graphical glitch.
Have run combofix and report follows:


ComboFix 10-04-13.02 - Owner 14/04/2010 8:05.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1645 [GMT 1:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2010-03-14 to 2010-04-14 )))))))))))))))))))))))))))))))
.

2010-04-11 19:05 . 2010-04-11 19:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-11 11:59 . 2010-03-29 23:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-11 11:59 . 2010-03-29 23:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-11 08:45 . 2010-04-11 08:45 -------- d-----w- c:\program files\Common Files\Java
2010-04-11 08:45 . 2010-04-11 08:45 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4491a7b4-n\msvcp71.dll
2010-04-11 08:45 . 2010-04-11 08:45 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4491a7b4-n\jmc.dll
2010-04-11 08:45 . 2010-04-11 08:45 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4491a7b4-n\msvcr71.dll
2010-04-11 08:45 . 2010-04-11 08:45 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-43f4bfac-n\decora-sse.dll
2010-04-11 08:45 . 2010-04-11 08:45 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-43f4bfac-n\decora-d3d.dll
2010-04-11 08:45 . 2010-04-11 08:44 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-10 13:43 . 2010-04-10 13:43 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-10 13:43 . 2010-04-10 13:43 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-09 16:00 . 2010-04-09 16:00 -------- d-----w- c:\documents and settings\Owner\Application Data\Avira
2010-04-09 15:57 . 2010-03-01 08:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-04-09 15:57 . 2010-02-16 12:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-09 15:57 . 2009-05-11 10:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-04-09 15:57 . 2009-05-11 10:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-04-09 15:57 . 2010-04-09 15:57 -------- d-----w- c:\program files\Avira
2010-04-09 15:57 . 2010-04-09 15:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-04-09 08:15 . 2010-04-09 08:15 -------- d-----w- c:\program files\CCleaner
2010-04-08 17:23 . 2010-04-08 17:23 44544 ---ha-w- c:\windows\system32\caclpgds.dll
2010-04-08 08:19 . 2010-04-08 08:19 -------- d-----w- c:\program files\Trend Micro
2010-04-07 16:29 . 2010-04-12 05:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-07 10:55 . 2010-04-07 10:55 16416 ----a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-07 10:55 . 2010-04-08 17:24 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-06 15:11 . 2010-04-06 15:11 -------- d-----w- c:\program files\AVG
2010-04-06 13:50 . 2010-04-06 13:50 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-04-06 13:29 . 2010-04-06 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-06 13:01 . 2010-04-11 11:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-06 11:00 . 2010-04-06 11:00 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-04-06 10:59 . 2010-04-06 13:38 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-04-06 10:59 . 2010-04-06 10:59 -------- d-----w- c:\program files\Common Files\iS3
2010-04-06 10:04 . 2010-04-06 10:04 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-04-06 08:20 . 2010-04-07 14:58 120 ----a-w- c:\windows\Ojirevi.dat
2010-04-06 08:20 . 2010-04-07 06:25 0 ----a-w- c:\windows\Sfabo.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-14 06:00 . 2007-08-04 09:29 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-04-11 08:44 . 2007-08-01 12:42 -------- d-----w- c:\program files\Java
2010-04-06 13:34 . 2010-04-06 11:08 2976 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-04-06 12:58 . 2010-04-06 11:08 2592 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-04-06 07:23 . 2007-08-03 20:36 -------- d-----w- c:\program files\PokerStars
2010-04-04 10:33 . 2007-08-04 14:35 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2
2010-04-03 16:53 . 2007-08-05 07:45 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2010-03-11 12:38 . 2004-08-04 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2010-03-10 14:42 . 2009-10-11 08:40 -------- d-----w- c:\program files\Nexus Radio
2010-02-15 16:59 . 2010-02-15 16:59 -------- d-----w- c:\program files\Xvid
2010-02-15 16:49 . 2008-03-17 11:45 -------- d-----w- c:\program files\AllToAVI
2010-01-27 22:11 . 2010-01-27 22:11 126976 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{01B8CDED-16D4-4106-935C-2A9AA236BF1A}\NewShortcut3_3578F861852C40E8B00D3E8FBA99B79A.exe
2010-01-27 22:11 . 2010-01-27 22:11 126976 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{01B8CDED-16D4-4106-935C-2A9AA236BF1A}\NewShortcut1_3578F861852C40E8B00D3E8FBA99B79A.exe
2010-01-27 22:11 . 2010-01-27 22:11 10134 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{01B8CDED-16D4-4106-935C-2A9AA236BF1A}\ARPPRODUCTICON.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-04-09_22.47.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-14 06:59 . 2010-04-14 06:59 16384 c:\windows\temp\Perflib_Perfdata_514.dat
+ 2007-08-01 13:30 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
- 2007-08-01 13:30 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
+ 2008-08-19 07:10 . 2008-04-13 18:39 23040 c:\windows\system32\drivers\mouclass.sys
- 2004-08-03 22:58 . 2008-04-13 18:39 23040 c:\windows\system32\drivers\mouclass.sys
+ 2010-01-13 14:01 . 2010-01-13 14:01 86016 c:\windows\system32\dllcache\cabview.dll
+ 2007-07-24 12:37 . 2010-04-11 06:12 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-07-24 12:37 . 2010-04-09 06:23 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-07-24 12:37 . 2010-04-09 06:23 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-07-24 12:37 . 2010-04-11 06:12 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-04-10 13:43 . 2010-04-11 06:12 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-07-24 12:37 . 2010-04-09 06:23 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-08-04 12:00 . 2010-01-13 14:01 86016 c:\windows\system32\cabview.dll
+ 2004-08-04 12:00 . 2009-12-24 06:59 177664 c:\windows\system32\wintrust.dll
+ 2010-04-11 08:45 . 2010-04-11 08:44 153376 c:\windows\system32\javaws.exe
+ 2010-04-11 08:45 . 2010-04-11 08:44 145184 c:\windows\system32\javaw.exe
+ 2010-04-11 08:45 . 2010-04-11 08:44 145184 c:\windows\system32\java.exe
+ 2009-12-24 06:59 . 2009-12-24 06:59 177664 c:\windows\system32\dllcache\wintrust.dll
+ 2010-04-11 08:45 . 2010-04-11 08:45 180224 c:\windows\Installer\2c50e8.msi
+ 2010-04-11 08:44 . 2010-04-11 08:44 577536 c:\windows\Installer\2c50e1.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2010-03-29 1654584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-09 13680640]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OpenOffice.org 2.2.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 2.2.lnk
backup=c:\windows\pss\OpenOffice.org 2.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 10:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 09:45 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DrvLsnr]
2003-05-08 10:34 69632 ------w- c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus D92 Series]
2006-09-27 03:00 139264 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIBZE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
2007-03-05 12:57 1103480 ----a-w- c:\program files\IGN\Download Manager\DLM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-05-18 10:29 49152 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 09:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nexus Radio]
2009-11-18 11:53 4745216 ----a-w- c:\program files\Nexus Radio\Nexus Radio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-02-09 13:18 13680640 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-02-09 13:18 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2009-02-09 13:18 1657376 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-04-27 08:41 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2005-12-07 21:57 30208 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
2003-05-05 07:57 143360 ----a-w- c:\program files\Analog Devices\SoundMAX\SMTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 10:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2007-08-18 15:49 185632 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2007-05-14 22:22 35328 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
drivclip REG_SZ c:\windows\system32\caclpgds.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AudioLabel\\AudioLabel.exe"=
"d:\\bt downloads\\utorrent.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [09/04/2010 16:57 135336]
S0 eckurhph;eckurhph; [x]
S3 BEHRINGER_2902;usb-audio.de driver for BEHRINGER USB AUDIO;c:\windows\system32\drivers\BUSB2902.sys [25/12/2007 23:42 110272]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3kahiane.default\
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
FF - plugin: c:\program files\IGN\Download Manager\npfpdlm.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-14 08:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-261903793-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e6,ac,34,52,0c,26,52,0f,9e,c9,6b,5a,c6,0a,ef,77,ac,04,bd,09,45,98,66,
d8,21,f9,ea,6a,50,46,5e,dc,2c,aa,4a,f7,39,76,4a,f3,55,be,14,5c,c4,7a,f2,8a,\
"??"=hex:9e,bf,03,6d,ff,8b,0f,3a,06,69,d5,05,8b,64,85,4e
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3368)
c:\windows\system32\WININET.dll
c:\windows\system32\caclpgds.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-14 08:13:03
ComboFix-quarantined-files.txt 2010-04-14 07:13
ComboFix2.txt 2010-04-09 22:51

Pre-Run: 12,005,711,872 bytes free
Post-Run: 11,972,812,800 bytes free

- - End Of File - - ECAECCC87FDB539E38F286F2AF41CB1A


#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:03 PM

Posted 16 April 2010 - 02:44 PM

Hello again.

Sorry for the delay. I had some things I needed to do and could not respond. Back now, so let's get back to work.

---
Great, the logs are looking better and the driver was dealt with successfully from the last post. Not exactly sure what happened of that problem you mentioned, but if it doesn't occur anymore, I wouldn't worry about it.

Some leftover work...

Download and Run OTM
  1. Please download OTM by OldTimer and save it to your desktop.
  2. Double click the icon on your desktop If you are running on Vista, right click on the file and choose Run As Administrator.
  3. Paste the following code under the area. Do not include the word "Code".
    CODE
    :services
    eckurhph
    :files
    c:\windows\Ojirevi.dat
    c:\windows\Sfabo.bin
    :commands
    [CREATERESTOREPOINT]
    [resethosts]
    [emptytemp]
  4. Click the large button.
  5. If OTM requires are reboot, please allow it to do so.
  6. Copy/Paste the contents under the line here in your next reply.
Note: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Update and Scan with MalwareBytes Anti-Malware
  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab
  • Select Check for Update and let MBAM download and install any available updates.
  • After the update is complete go to the Scanner tab.
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 luupy

luupy
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:03 PM

Posted 17 April 2010 - 05:17 AM

Hi EB,
No problem with the delay, I understand you have other stuff to do, a life to lead etc and am just grateful that someone is helping me out with this. Its the first problem I haven't been able to solve myself in 10 years of messing about with computers.
Have run OTM which has got rid of a couple more of the little horrors. Malwarebytes anti-malware found nothing and the computer seems to be running quite sweetly at the moment - fingers crossed that things stay that way.
Thank you so much for all your help with this, I am truly grateful. Will leave the machine switched on and connected to the net but looking good so far.

Logs as requested:

All processes killed
========== SERVICES/DRIVERS ==========
Service eckurhph stopped successfully!
Service eckurhph deleted successfully!
========== FILES ==========
c:\windows\Ojirevi.dat moved successfully.
c:\windows\Sfabo.bin moved successfully.
========== COMMANDS ==========
Restore point Set: OTM Restore Point (64424509440)
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 229510 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 43760 bytes
->Flash cache emptied: 7906 bytes

User: Owner
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 464 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2162283 bytes
%systemroot%\System32 .tmp files removed: 17170385 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 116988 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 19.00 mb


OTM by OldTimer - Version 3.1.10.1 log created on 04162010_232118

Files moved on Reboot...

Registry entries deleted on Reboot...

--------------------------

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3999

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

16/04/2010 23:34:05
mbam-log-2010-04-16 (23-34-05).txt

Scan type: Quick scan
Objects scanned: 100334
Time elapsed: 4 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

---------------------


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 23:43:36.57 on 16/04/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1695 [GMT 1:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
uRun: [ccleaner] "c:\program files\ccleaner\CCleaner.exe" /AUTO
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185971789906
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\3kahiane.default\
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
FF - plugin: c:\program files\ign\download manager\npfpdlm.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-4-9 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-4-9 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-4-9 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-4-9 60936]
S3 BEHRINGER_2902;usb-audio.de driver for BEHRINGER USB AUDIO;c:\windows\system32\drivers\BUSB2902.sys [2007-12-25 110272]

=============== Created Last 30 ================

2010-04-16 22:21:18 0 d-----w- C:\_OTM
2010-04-15 06:07:09 293376 ------w- c:\windows\system32\browserchoice.exe
2010-04-11 19:05:42 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-11 11:59:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-11 11:59:07 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-11 08:45:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-04-11 08:45:02 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-10 13:43:26 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-10 13:43:26 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-09 22:38:17 0 d-sha-r- C:\cmdcons
2010-04-09 22:36:31 98816 ----a-w- c:\windows\sed.exe
2010-04-09 22:36:31 77312 ----a-w- c:\windows\MBR.exe
2010-04-09 22:36:31 261632 ----a-w- c:\windows\PEV.exe
2010-04-09 22:36:31 161792 ----a-w- c:\windows\SWREG.exe
2010-04-09 16:00:35 0 d-----w- c:\docume~1\owner\applic~1\Avira
2010-04-09 15:57:31 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-09 15:57:30 0 d-----w- c:\program files\Avira
2010-04-09 15:57:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-04-09 08:15:24 0 d-----w- c:\program files\CCleaner
2010-04-09 06:47:19 54156 ---ha-w- c:\windows\QTFont.qfn
2010-04-09 06:47:19 1409 ----a-w- c:\windows\QTFont.for
2010-04-08 17:23:51 44544 ---ha-w- c:\windows\system32\caclpgds.dll
2010-04-08 08:19:05 0 d-----w- c:\program files\Trend Micro
2010-04-07 16:29:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-04-06 15:11:54 0 d-----w- c:\program files\AVG
2010-04-06 13:50:31 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-04-06 13:29:33 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-06 13:01:14 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-06 11:08:33 2976 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-04-06 11:08:09 2592 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-04-06 11:00:51 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-04-06 10:59:50 0 d-----w- c:\program files\common files\iS3
2010-04-06 10:59:50 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-04-06 10:24:09 23162 ----a-w- c:\windows\system32\enb
2010-04-06 10:04:30 0 d--h--w- c:\windows\system32\GroupPolicy

==================== Find3M ====================

2010-03-11 12:38:54 832512 ------w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 08:10:28 2189952 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2008-08-19 10:39:09 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081920080820\index.dat

============= FINISH: 23:44:22.46 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 24/07/2007 13:36:41
System Uptime: 16/04/2010 23:22:06 (0 hours ago)

Motherboard: Hewlett-Packard | | 0830h
Processor: AMD Athlon™ XP 2800+ | XU1 PROCESSOR | 2079/333mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 37 GiB total, 10.985 GiB free.
D: is FIXED (NTFS) - 234 GiB total, 10.457 GiB free.
E: is CDROM ()
F: is FIXED (NTFS) - 75 GiB total, 7.716 GiB free.
G: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: PS/2 Compatible Mouse
Device ID: ACPI\PNP0F13\4&13C095&0
Manufacturer: Microsoft
Name: PS/2 Compatible Mouse
PNP Device ID: ACPI\PNP0F13\4&13C095&0
Service: i8042prt

==== System Restore Points ===================

RP3: 09/04/2010 09:13:15 - System Checkpoint
RP4: 10/04/2010 10:50:59 - System Checkpoint
RP5: 11/04/2010 09:41:16 - Removed Java™ 6 Update 2
RP6: 11/04/2010 09:42:36 - Removed Java™ SE Runtime Environment 6
RP7: 11/04/2010 09:44:37 - Installed Java™ 6 Update 19
RP8: 13/04/2010 07:04:55 - System Checkpoint
RP9: 13/04/2010 22:21:53 - OTL Restore Point
RP10: 14/04/2010 07:27:28 - Software Distribution Service 3.0
RP11: 15/04/2010 07:07:32 - Software Distribution Service 3.0
RP12: 16/04/2010 06:58:50 - Software Distribution Service 3.0
RP13: 16/04/2010 23:21:24 - OTM Restore Point

==== Installed Programs ======================

Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Reader 8.1.7
AllToAVI v4 r5394
Audacity 1.2.6
AudioLabel
Avidemux 2.4
Avira AntiVir Personal - Free Antivirus
BEHRINGER USB AUDIO DRIVER
Camera RAW Plug-In for EPSON Creativity Suite
CCleaner
Critical Update for Windows Media Player 11 (KB959772)
DVD-lab PRO 1.00
DVD Shrink 3.2
eMule
EPSON Attach To Email
EPSON Easy Photo Print
EPSON File Manager
EPSON Printer Software
EPSON Scan Assistant
EPSON Stylus C90_91_D92 Manual
EPSON Web-To-Page
EZ Vinyl/Tape Converter 4.0 by MixMeister
Feurio! CD-Writer
gename AoC Edition 1.0
Google Earth
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
IGN Download Manager 2.3.0
Java Auto Updater
Java™ 6 Update 19
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.5.9)
Mozilla Thunderbird (2.0.0.24)
MSN
MSXML 6.0 Parser (KB933579)
Native Instruments Guitar Combos Behringer Edition
Nero Suite
Nexus Radio
NVIDIA Drivers
OpenOffice.org 2.2
Paint Shop Pro 7 Anniversary Edition
PartyPoker
PokerStars
PowerDVD
QuickTime
RealPlayer
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
SoundMAX
Spybot - Search & Destroy
TMPGEnc DVD Author 3 with DivX Authoring
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Video Strip Poker Supreme
VideoLAN VLC media player 0.8.6c
WebFldrs XP
Winamp (remove only)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0
Xvid 1.2.2 final uninstall

==== Event Viewer Messages From Past Week ========

16/04/2010 23:21:19, error: Service Control Manager [7034] - The SoundMAX Agent Service service terminated unexpectedly. It has done this 1 time(s).
16/04/2010 23:21:19, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
16/04/2010 23:21:19, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
16/04/2010 23:21:19, error: Service Control Manager [7034] - The Cyberlink RichVideo Service(CRVS) service terminated unexpectedly. It has done this 1 time(s).
16/04/2010 23:21:19, error: Service Control Manager [7034] - The B's Recorder GOLD Library General Service service terminated unexpectedly. It has done this 1 time(s).
15/04/2010 07:12:32, error: Dhcp [1002] - The IP address lease 192.168.0.3 for the Network Card with network address 000A5E2D0E5D has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
09/04/2010 17:09:02, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
09/04/2010 17:09:02, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
09/04/2010 16:53:46, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
09/04/2010 16:53:46, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\Owner\LOCALS~1\Temp\RarSFX0\redist.dll. Reference error message: The operation completed successfully. .
09/04/2010 16:53:46, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
09/04/2010 10:57:44, error: Service Control Manager [7034] - The EPSON V3 Service4(01) service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================


#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:03 PM

Posted 17 April 2010 - 02:52 PM

You're welcome.

I'm glad I could help too.

--

The logs are looking good. Let's just get one online scan just to make sure all is good and one final look. If all is right, then we can cleanup and off you go. smile.gif

Run ESET Online Scan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
You can refer to this animation by neomage if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#11 luupy

luupy
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:03 PM

Posted 18 April 2010 - 01:32 AM

Hi EB
Had some problems trying to get the ESET scan to run, usually use firefox and downloaded the install file but although it showed the terms and conditions it did not give any box to tick to accept - seemed to only partially load the page - tried several times but had to give up and run it from internet explorer in the end. Had similar problems there too at first - page not loading properly - but eventually got it to run and scan. It found and deleted 2 files as you will see.
Prior to that the only problem I had with the computer was that when I double clicked a couple of icons in the control panel, namely the security centre and firewall icons, they would only partially load or would just not initiate the programs - I could only open them by right clicking and selecting open. But that seems fine now since the scan so all seems to be good here.

Scans as requested:

Eset scan:
C:\Qoobox\Quarantine\C\WINDOWS\system32\_sdra64_.exe.zip a variant of Win32/Kryptik.DMN trojan deleted - quarantined
C:\WINDOWS\system32\caclpgds.dll a variant of Win32/Kryptik.DQM trojan cleaned by deleting (after the next restart) - quarantined



DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 6:59:24.75 on 18/04/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1658 [GMT 1:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
uRun: [ccleaner] "c:\program files\ccleaner\CCleaner.exe" /AUTO
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185971789906
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\3kahiane.default\
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
FF - plugin: c:\program files\ign\download manager\npfpdlm.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-4-9 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-4-9 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-4-9 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-4-9 60936]
S3 BEHRINGER_2902;usb-audio.de driver for BEHRINGER USB AUDIO;c:\windows\system32\drivers\BUSB2902.sys [2007-12-25 110272]

=============== Created Last 30 ================

2010-04-17 20:22:08 0 d-----w- c:\program files\ESET
2010-04-16 22:21:18 0 d-----w- C:\_OTM
2010-04-15 06:07:09 293376 ------w- c:\windows\system32\browserchoice.exe
2010-04-11 11:59:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-11 11:59:07 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-11 08:45:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-04-11 08:45:02 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-10 13:43:26 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-10 13:43:26 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-09 22:38:17 0 d-sha-r- C:\cmdcons
2010-04-09 22:36:31 98816 ----a-w- c:\windows\sed.exe
2010-04-09 22:36:31 77312 ----a-w- c:\windows\MBR.exe
2010-04-09 22:36:31 261632 ----a-w- c:\windows\PEV.exe
2010-04-09 22:36:31 161792 ----a-w- c:\windows\SWREG.exe
2010-04-09 16:00:35 0 d-----w- c:\docume~1\owner\applic~1\Avira
2010-04-09 15:57:31 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-09 15:57:30 0 d-----w- c:\program files\Avira
2010-04-09 15:57:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-04-09 08:15:24 0 d-----w- c:\program files\CCleaner
2010-04-09 06:47:19 54156 ---ha-w- c:\windows\QTFont.qfn
2010-04-09 06:47:19 1409 ----a-w- c:\windows\QTFont.for
2010-04-08 08:19:05 0 d-----w- c:\program files\Trend Micro
2010-04-07 16:29:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-04-06 15:11:54 0 d-----w- c:\program files\AVG
2010-04-06 13:50:31 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-04-06 13:29:33 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-06 13:01:14 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-06 11:08:33 2976 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-04-06 11:08:09 2592 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-04-06 11:00:51 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-04-06 10:59:50 0 d-----w- c:\program files\common files\iS3
2010-04-06 10:59:50 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-04-06 10:24:09 23162 ----a-w- c:\windows\system32\enb
2010-04-06 10:04:30 0 d--h--w- c:\windows\system32\GroupPolicy

==================== Find3M ====================

2010-03-11 12:38:54 832512 ------w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 08:10:28 2189952 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2008-08-19 10:39:09 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081920080820\index.dat

============= FINISH: 7:00:12.17 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 24/07/2007 13:36:41
System Uptime: 18/04/2010 06:49:57 (1 hours ago)

Motherboard: Hewlett-Packard | | 0830h
Processor: AMD Athlon™ XP 2800+ | XU1 PROCESSOR | 2079/333mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 37 GiB total, 8.161 GiB free.
D: is FIXED (NTFS) - 234 GiB total, 10.457 GiB free.
E: is CDROM ()
F: is FIXED (NTFS) - 75 GiB total, 6.691 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: PS/2 Compatible Mouse
Device ID: ACPI\PNP0F13\4&13C095&0
Manufacturer: Microsoft
Name: PS/2 Compatible Mouse
PNP Device ID: ACPI\PNP0F13\4&13C095&0
Service: i8042prt

==== System Restore Points ===================

RP3: 09/04/2010 09:13:15 - System Checkpoint
RP4: 10/04/2010 10:50:59 - System Checkpoint
RP5: 11/04/2010 09:41:16 - Removed Java™ 6 Update 2
RP6: 11/04/2010 09:42:36 - Removed Java™ SE Runtime Environment 6
RP7: 11/04/2010 09:44:37 - Installed Java™ 6 Update 19
RP8: 13/04/2010 07:04:55 - System Checkpoint
RP9: 13/04/2010 22:21:53 - OTL Restore Point
RP10: 14/04/2010 07:27:28 - Software Distribution Service 3.0
RP11: 15/04/2010 07:07:32 - Software Distribution Service 3.0
RP12: 16/04/2010 06:58:50 - Software Distribution Service 3.0
RP13: 16/04/2010 23:21:24 - OTM Restore Point

==== Installed Programs ======================

Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Reader 8.1.7
AllToAVI v4 r5394
Audacity 1.2.6
AudioLabel
Avidemux 2.4
Avira AntiVir Personal - Free Antivirus
BEHRINGER USB AUDIO DRIVER
Camera RAW Plug-In for EPSON Creativity Suite
CCleaner
Critical Update for Windows Media Player 11 (KB959772)
DVD-lab PRO 1.00
DVD Shrink 3.2
eMule
EPSON Attach To Email
EPSON Easy Photo Print
EPSON File Manager
EPSON Printer Software
EPSON Scan Assistant
EPSON Stylus C90_91_D92 Manual
EPSON Web-To-Page
ESET Online Scanner v3
EZ Vinyl/Tape Converter 4.0 by MixMeister
Feurio! CD-Writer
gename AoC Edition 1.0
Google Earth
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
IGN Download Manager 2.3.0
Java Auto Updater
Java™ 6 Update 19
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.5.9)
Mozilla Thunderbird (2.0.0.24)
MSN
MSXML 6.0 Parser (KB933579)
Native Instruments Guitar Combos Behringer Edition
Nero Suite
Nexus Radio
NVIDIA Drivers
OpenOffice.org 2.2
Paint Shop Pro 7 Anniversary Edition
PartyPoker
PokerStars
PowerDVD
QuickTime
RealPlayer
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
SoundMAX
TMPGEnc DVD Author 3 with DivX Authoring
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Video Strip Poker Supreme
VideoLAN VLC media player 0.8.6c
WebFldrs XP
Winamp (remove only)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0
Xvid 1.2.2 final uninstall

==== Event Viewer Messages From Past Week ========

16/04/2010 23:21:19, error: Service Control Manager [7034] - The SoundMAX Agent Service service terminated unexpectedly. It has done this 1 time(s).
16/04/2010 23:21:19, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
16/04/2010 23:21:19, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
16/04/2010 23:21:19, error: Service Control Manager [7034] - The EPSON V3 Service4(01) service terminated unexpectedly. It has done this 1 time(s).
16/04/2010 23:21:19, error: Service Control Manager [7034] - The Cyberlink RichVideo Service(CRVS) service terminated unexpectedly. It has done this 1 time(s).
16/04/2010 23:21:19, error: Service Control Manager [7034] - The B's Recorder GOLD Library General Service service terminated unexpectedly. It has done this 1 time(s).
15/04/2010 07:12:32, error: Dhcp [1002] - The IP address lease 192.168.0.3 for the Network Card with network address 000A5E2D0E5D has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
14/04/2010 06:59:23, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
14/04/2010 06:59:23, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.

==== End Of File ===========================


Regards
Luupy


#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:03 PM

Posted 18 April 2010 - 11:11 AM

Hello.

That's good. The ESET scan is just deleting one infected file and one that was already quarantined by Combofix.

The logs look clean so we can wrap up now. Just one thing to warn about is the poker programs you have installed, if you don't use them I suggest you uninstall them as most are bundled with adware/malware.

Please follow/read the steps below to remove the tools we used and for some more information. smile.gif


Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then recieve a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything assoicated with it.

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

System A bit Slow? Try StartupLight

You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance.

If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.


Congratulations! You now appear clean! specool.gif

Now that you are clean, please follow and read some of the prevention tips below.

Preventing Infections in the Future


Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:

Some of the main things you should consider to perform/read are:
  • Disabling Autorun/Play on Flash-Drive/Removable Drives
  • Avoid gaming sites, underground web pages, pirated software sites, and Peer to Peer Programs
  • Keep Windows Updated through going to Windows Updates
  • Updating Non-Microsoft Programs
  • Keeping Security softwares updated

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help and thank you for choosing Bleeping Computer as you malware removal source.
Don't forget to tell your friends about us and Good luck thumbup2.gif


If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks smile.gif

With Regards,
Extremeboy

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#13 luupy

luupy
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:03 PM

Posted 18 April 2010 - 03:13 PM

Hi

I have no more questions, comments or problems , everything running sweetly here so feel free to close off the topic.
Once again, many thanks for your help - you are a star.

Kind regards
Luupy

#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:03 PM

Posted 18 April 2010 - 05:10 PM

You're welcome. smile.gif

It was a pleasure to help you.

Kind Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#15 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:03 PM

Posted 08 May 2010 - 11:48 AM

Hello.

Due to Lack of feedback, this topic is now Closed

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users