
mebroot on windows 2000


  • This topic is locked
21 replies to this topic

#1 accuno

  • Members
  • 15 posts

Posted 14 April 2010 - 08:09 PM

After posting my problem in the "Am I Infected?" forum I was directed to this forum for more help. Here is the link to my original post:

http://www.bleepingcomputer.com/forums/t/308678/possible-mebroothelpassistant-virus-but-not-sure/

In short, it seems I have a mebroot infection and, because I am using Windows 2000, removal may be a bit complicated. In that post I mentioned that I was reluctant to try the "fixmbr" command from the recovery console, but I am now fairly confident that the drive my OS is installed on was partitioned using Windows; it is the other drives that I am unsure of, and I don't know whether they could possibly be affected or not.

I have run the DDS script, here is the log:

[codebox]

DDS (Ver_10-03-17.01) - NTFSx86
Run by user at 19:08:56.32 on Wed 04/14/2010
Internet Explorer: 6.0.2800.1106
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1023.585 [GMT -5:00]


============== Running Processes ===============

J:\WINNT\system32\Ati2evxx.exe
J:\WINNT\system32\spoolsv.exe
J:\Program Files\AVG\AVG9\avgwdsvc.exe
J:\Program Files\AMD\Cool'n'Quiet\GemServ.exe
J:\Program Files\AMD\Cool'n'Quiet\gemback.exe
J:\Program Files\Java\jre6\bin\jqs.exe
J:\WINNT\system32\regsvc.exe
J:\WINNT\system32\MSTask.exe
J:\WINNT\system32\tcpsvcs.exe
J:\WINNT\System32\WBEM\WinMgmt.exe
J:\Program Files\AVG\AVG9\avgchsvx.exe
J:\WINNT\system32\Ati2evxx.exe
J:\Program Files\AVG\AVG9\avgemc.exe
J:\WINNT\Explorer.EXE
J:\Program Files\AVG\AVG9\avgnsx.exe
J:\Program Files\AVG\AVG9\avgrsx.exe
J:\Program Files\AVG\AVG9\avgcsrvx.exe
J:\Program Files\AVG\AVG9\avgcsrvx.exe
J:\WINNT\SOUNDMAN.EXE
J:\Program Files\Microsoft IntelliType Pro\itype.exe
J:\Program Files\Microsoft IntelliPoint\ipoint.exe
J:\PROGRA~1\AVG\AVG9\avgtray.exe
J:\Programs\AutoHotkey\AutoHotkey.exe
J:\WINNT\system32\wuauclt.exe
J:\Program Files\GhostWall\ghostwall.exe
J:\Program Files\Mozilla Firefox\firefox.exe
J:\WINNT\explorer.exe
J:\Documents and Settings\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie?hl={SUB_RFC1766}
mSearchAssistant = hxxp://www.google.com/ie?hl={SUB_RFC1766}
mCustomizeSearch = hxxp://www.google.com/preferences?hl={SUB_RFC1766}
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - j:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - j:\program files\avg\avg9\avgssie.dll
BHO: IeCatch2 Class: {a5366673-e8ca-11d3-9cd9-0090271d075b} - j:\progra~1\flashget\jccatch.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - j:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - j:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [itype] "j:\program files\microsoft intellitype pro\itype.exe"
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [IntelliPoint] "j:\program files\microsoft intellipoint\ipoint.exe"
mRun: [AVG9_TRAY] j:\progra~1\avg\avg9\avgtray.exe
mRun: [GhostWall] "j:\program files\ghostwall\ghostwall.exe" -minimize
dRunOnce: [^SetupICWDesktop] j:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: j:\documents and settings\user\start menu\programs\startup\autoload.ahk
IE: Download All by FlashGet - j:\program files\flashget\jc_all.htm
IE: Download using FlashGet - j:\program files\flashget\jc_link.htm
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - j:\progra~1\flashget\flashget.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1253384984671
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - j:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - j:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - j:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - j:\docume~1\user\applic~1\mozilla\firefox\profiles\wol6rvg8.default\
FF - component: j:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: j:\documents and settings\user\application data\mozilla\firefox\profiles\wol6rvg8.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: j:\documents and settings\user\application data\mozilla\firefox\profiles\wol6rvg8.default\extensions\gametapplayer@gametap.com\plugins\npGameTapWebPlayer.dll

---- FIREFOX POLICIES ----
j:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
j:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
j:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
j:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
j:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
j:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
j:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
j:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
j:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
j:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
j:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
j:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
j:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
j:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
j:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
j:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
j:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
j:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
j:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
j:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
j:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
j:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
j:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
j:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
j:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
j:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
j:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
j:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
j:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
j:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
j:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
j:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
j:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
j:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
j:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
j:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
j:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;j:\winnt\system32\drivers\avgldx86.sys [2009-9-19 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;j:\winnt\system32\drivers\avgmfx86.sys [2009-9-19 29512]
R1 AvgTdiX;AVG Free Network Redirector;j:\winnt\system32\drivers\avgtdix.sys [2009-9-19 242696]
R1 gemwdm;AMD PowerNow! ™ Technology;j:\winnt\system32\drivers\gemwdm.sys [2009-9-19 11776]
R1 SASDIFSV;SASDIFSV;j:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;j:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 avg9emc;AVG Free E-mail Scanner;j:\program files\avg\avg9\avgemc.exe [2010-4-12 916760]
R2 avg9wd;AVG Free WatchDog;j:\program files\avg\avg9\avgwdsvc.exe [2010-4-12 308064]
R2 ghstwall;ghstwall;j:\winnt\system32\drivers\ghstwall.sys [2010-4-14 6520]
R2 Iprip;RIP Listener;j:\winnt\system32\svchost.exe -k netsvcs [1999-12-7 7952]
R3 openhci;Microsoft USB Open Host Controller Driver;j:\winnt\system32\drivers\openhci.sys [2003-6-19 24784]
R3 usbhub20;USB 2.0 Root Hub Support;j:\winnt\system32\drivers\usbhub20.sys [2009-9-19 49776]
S3 AMDMSRIO;AMDMSRIO;\??\j:\docume~1\user\locals~1\temp\{55638dd9-d5a9-11d3-b74b-204c4f4f5020}\amdmsrio.sys --> j:\docume~1\user\locals~1\temp\{55638dd9-d5a9-11d3-b74b-204c4f4f5020}\AMDMSRIO.sys [?]
S3 GarenaPEngine;GarenaPEngine;\??\j:\docume~1\user\locals~1\temp\nbgd2.tmp --> j:\docume~1\user\locals~1\temp\NBGD2.tmp [?]
S3 SASENUM;SASENUM;j:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

=============== Created Last 30 ================

2010-04-15 00:01:17 6520 ----a-w- j:\winnt\system32\drivers\ghstwall.sys
2010-04-15 00:01:17 1600 ----a-w- j:\winnt\system32\ghstwall.fir
2010-04-15 00:01:15 0 d-----w- j:\program files\GhostWall
2010-04-14 23:28:43 16384 ----atw- j:\winnt\system32\Perflib_Perfdata_388.dat
2010-04-14 23:27:42 16384 ----atw- j:\winnt\system32\Perflib_Perfdata_2bc.dat
2010-04-14 23:25:06 20 ----a-w- j:\documents and settings\user\defogger_reenable
2010-04-12 23:34:57 0 d--h--w- J:\$AVG
2010-04-12 23:32:00 0 d---a-w- j:\docume~1\alluse~1\applic~1\avg9
2010-04-08 00:00:49 0 d-----w- j:\program files\VideoLAN
2010-04-07 23:25:09 0 d-----w- j:\docume~1\user\applic~1\StreamTorrent
2010-04-07 23:25:03 0 d-----w- j:\program files\StreamTorrent 1.0
2010-04-07 23:17:00 0 d-----w- j:\program files\TVAnts
2010-04-07 22:38:56 16384 ----atw- j:\winnt\system32\Perflib_Perfdata_2f0.dat
2010-04-07 02:43:05 11632 -c--a-w- j:\winnt\system32\dllcache\mouhid.sys
2010-04-07 02:43:05 11632 ----a-w- j:\winnt\system32\drivers\mouhid.sys
2010-04-07 02:43:04 27784 ----a-w- j:\winnt\system32\drivers\point32.sys
2010-04-07 02:43:04 21776 -c--a-w- j:\winnt\system32\dllcache\mouclass.sys
2010-04-07 02:43:04 21776 ----a-w- j:\winnt\system32\drivers\mouclass.sys
2010-04-07 02:42:39 0 d-----w- j:\program files\Microsoft IntelliPoint
2010-04-03 22:52:25 0 d-----w- j:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-04-03 22:52:21 0 d-----w- j:\program files\SUPERAntiSpyware
2010-04-03 22:52:21 0 d-----w- j:\docume~1\user\applic~1\SUPERAntiSpyware.com
2010-04-02 06:59:28 939172 ---h--w- j:\winnt\ShellIconCache
2010-03-28 08:16:42 77312 ----a-w- J:\mbr.exe
2010-03-28 06:34:43 0 d-----w- j:\docume~1\user\applic~1\Malwarebytes
2010-03-28 06:34:39 38224 ----a-w- j:\winnt\system32\drivers\mbamswissarmy.sys
2010-03-28 06:34:38 0 d-----w- j:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-28 06:34:37 19160 ----a-w- j:\winnt\system32\drivers\mbam.sys
2010-03-28 06:34:37 0 d-----w- j:\program files\Malwarebytes' Anti-Malware
2010-03-28 00:52:05 0 d-----w- j:\program files\ESET
2010-03-28 00:39:59 86288 -c--a-w- j:\winnt\system32\dllcache\tp4mon.exe
2010-03-28 00:38:57 97808 -c--a-w- j:\winnt\system32\dllcache\sgiulnt5.sys
2010-03-28 00:37:57 77072 -c--a-w- j:\winnt\system32\dllcache\philcam1.sys
2010-03-28 00:34:44 7440 -c--a-w- j:\winnt\system32\dllcache\af450.dll
2010-03-28 00:34:44 42192 -c--a-w- j:\winnt\system32\dllcache\atibt829.sys
2010-03-28 00:34:44 39680 -c--a-w- j:\winnt\system32\dllcache\cb325.sys
2010-03-28 00:34:44 31888 -c--a-w- j:\winnt\system32\dllcache\brzwlan.sys
2010-03-28 00:34:44 17168 -c--a-w- j:\winnt\system32\dllcache\amb8002.sys
2010-03-28 00:34:44 16976 -c--a-w- j:\winnt\system32\dllcache\atitvsnd.sys
2010-03-28 00:33:39 91920 -c--a-w- j:\winnt\system32\dllcache\acq32.dll
2010-03-28 00:33:39 801072 -c--a-w- j:\winnt\system32\dllcache\3cpciadi.sys
2010-03-28 00:33:39 774928 -c--a-w- j:\winnt\system32\dllcache\3cisati.sys
2010-03-28 00:33:39 38320 -c--a-w- j:\winnt\system32\dllcache\8514a.dll
2010-03-28 00:33:39 10928 -c--a-w- j:\winnt\system32\dllcache\4mmdat.sys
2010-03-28 00:33:38 792176 -c--a-w- j:\winnt\system32\dllcache\3cisaadi.sys
2010-03-28 00:33:38 763024 -c--a-w- j:\winnt\system32\dllcache\3cwmcru.sys
2010-03-28 00:33:38 22992 -c--a-w- j:\winnt\system32\dllcache\15_16wdm.sys
2010-03-28 00:28:04 16384 ----atw- j:\winnt\system32\Perflib_Perfdata_494.dat
2010-03-27 22:10:45 16384 ----atw- j:\winnt\system32\Perflib_Perfdata_928.dat
2010-03-27 22:10:05 16384 ----atw- j:\winnt\system32\Perflib_Perfdata_8bc.dat
2010-03-27 21:37:18 16384 ----atw- j:\winnt\system32\Perflib_Perfdata_4b8.dat
2010-03-27 21:36:55 16384 ----atw- j:\winnt\system32\Perflib_Perfdata_3dc.dat
2010-03-27 21:35:10 0 d-----w- j:\winnt\system32\LogFiles
2010-03-27 19:45:32 16384 ----atw- j:\winnt\system32\Perflib_Perfdata_3e8.dat
2010-03-27 00:06:07 16384 ----atw- j:\winnt\system32\Perflib_Perfdata_3d4.dat
2010-03-20 21:11:50 16384 ----atw- j:\winnt\system32\Perflib_Perfdata_280.dat

==================== Find3M ====================

2010-04-12 23:34:52 12464 ----a-w- j:\winnt\system32\avgrsstx.dll
2010-04-12 23:34:51 242696 ----a-w- j:\winnt\system32\drivers\avgtdix.sys
2010-04-12 23:34:49 216200 ----a-w- j:\winnt\system32\drivers\avgldx86.sys
2010-02-25 16:32:02 576512 ----a-w- j:\winnt\system32\WININET.DLL
2009-09-19 17:29:38 271 ---h--w- j:\program files\desktop.ini
2009-09-19 17:29:38 21952 ---h--w- j:\program files\folder.htt
1999-12-07 12:00:00 32528 ----a-w- j:\winnt\inf\wbfirdma.sys

============= FINISH: 19:09:25.12 ===============

[/codebox]

If the "Created Last 30" section is important, I'm afraid the original infection would likely have come longer than 30 days ago.

I also have the other log and the GMER log that I will attach to this post. I've tried to keep this post brief, so I hope I'm not leaving out
anything important. As before, I would really appreciate any help, thanks.

Edited by accuno, 14 April 2010 - 08:13 PM.
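As an added illustration (not part of accuno's post and not code from the DDS tool), the following Python script does a first triage pass over the SERVICES / DRIVERS lines of a DDS log like the one above. The sample lines are copied from that log; the flags it raises (driver image living in a temp directory, image file not found on disk) are my own heuristics for what a helper looks at first, not verdicts from DDS. My reading of the DDS notation (R/S = running/stopped, digit = start type, `[?]` = file could not be found) is an assumption and is marked as such in the comments.

```python
import re

# Sample lines copied from the SERVICES / DRIVERS section of the DDS log above.
SAMPLE_DDS_LINES = [
    r"R1 AvgLdx86;AVG Free AVI Loader Driver x86;j:\winnt\system32\drivers\avgldx86.sys [2009-9-19 216200]",
    r"R2 ghstwall;ghstwall;j:\winnt\system32\drivers\ghstwall.sys [2010-4-14 6520]",
    r"S3 AMDMSRIO;AMDMSRIO;\??\j:\docume~1\user\locals~1\temp\{55638dd9-d5a9-11d3-b74b-204c4f4f5020}\amdmsrio.sys --> j:\docume~1\user\locals~1\temp\{55638dd9-d5a9-11d3-b74b-204c4f4f5020}\AMDMSRIO.sys [?]",
    r"S3 GarenaPEngine;GarenaPEngine;\??\j:\docume~1\user\locals~1\temp\nbgd2.tmp --> j:\docume~1\user\locals~1\temp\NBGD2.tmp [?]",
]

# Assumed DDS notation: R = running, S = stopped; the digit is the start type
# (0 boot, 1 system, 2 auto, 3 manual, 4 disabled); a trailing "[?]" means DDS
# could not find the image file on disk.
LINE_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
TAIL_RE = re.compile(r"^(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]$")
TEMP_RE = re.compile(r"\\temp\\", re.I)
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}


def parse_dds_service_line(line):
    """Split one DDS service/driver line into its fields; None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    resolved = None
    if " --> " in rest:
        # DDS prints "<registered image> --> <resolved path> [meta]" for NT-style paths.
        image, rest = rest.split(" --> ", 1)
        tail = TAIL_RE.match(rest)
        resolved = tail.group("path") if tail else rest
    else:
        tail = TAIL_RE.match(rest)
        image = tail.group("path") if tail else rest
    meta = tail.group("meta") if tail else ""
    return {
        "name": m.group("name"),
        "display": m.group("display"),
        "running": m.group("state") == "R",
        "start": START_TYPES.get(m.group("start"), "unknown"),
        "image": image,
        "resolved": resolved,
        "file_found": meta != "?",
        "meta": meta,
    }


def triage(entry):
    """Return the list of review flags for one parsed entry (my heuristics)."""
    flags = []
    if not entry["file_found"]:
        flags.append("file_missing")      # registered driver whose image is gone
    for path in (entry["image"], entry["resolved"] or ""):
        if TEMP_RE.search(path):
            flags.append("temp_path")     # kernel driver loaded from a temp folder
            break
    return flags


def triage_log(lines):
    """Map service name -> flags for every parsable line in the given log lines."""
    results = {}
    for line in lines:
        entry = parse_dds_service_line(line)
        if entry:
            results[entry["name"]] = triage(entry)
    return results


if __name__ == "__main__":
    for name, flags in triage_log(SAMPLE_DDS_LINES).items():
        print(f"{name:15} {', '.join(flags) or 'no flags'}")
```

A driver registered from a temp directory and missing on disk is not proof of infection (the two entries here look like leftovers of a game client and a CPU utility), but both are what a helper would ask about before touching the MBR, because they are the kind of entry a rootkit installer also leaves behind.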


#2 myrti

  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home

Posted 19 April 2010 - 10:30 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!
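The `/md5start ... /md5stop` block in the OTL custom scan above asks OTL to hash a list of storage and logon drivers that MBR-rootkit droppers of this era are known to patch in place. As an added example (not myrti's instructions, not OTL's code), here is one way a defender can use such a list on a Windows 2000 box: hash each driver in `system32\drivers` and compare it with the Windows File Protection copy in `system32\dllcache`. The directory layout, the driver names taken from the list, and the file contents are constructed for the demo; the `dllcache` comparison is my suggestion, not something the post asks for.

```python
import hashlib
import os
import tempfile

# Driver names taken from the /md5start list in the OTL custom-scan block above.
MD5_LIST = ["atapi.sys", "AGP440.sys", "nvatabus.sys", "iaStor.sys"]


def md5_of(path):
    """Hex MD5 of a file, read in chunks so large drivers do not load whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_driver_hashes(drivers_dir, cache_dir, names):
    """Return {name: status} for each driver name, where status is one of
    'match'         -> live driver hashes the same as its dllcache copy
    'mismatch'      -> live driver differs from its dllcache copy (patched or updated)
    'no_cache_copy' -> installed but not under WFP (typical for vendor drivers)
    'not_installed' -> not present on this system at all
    """
    results = {}
    for name in names:
        live = os.path.join(drivers_dir, name)
        cached = os.path.join(cache_dir, name)
        if not os.path.isfile(live):
            results[name] = "not_installed"
        elif not os.path.isfile(cached):
            results[name] = "no_cache_copy"
        elif md5_of(live) == md5_of(cached):
            results[name] = "match"
        else:
            results[name] = "mismatch"
    return results


def _write(directory, name, data):
    with open(os.path.join(directory, name), "wb") as f:
        f.write(data)


def demo():
    """Build a constructed drivers/ and dllcache/ pair and compare them.
    The bytes are placeholders, not real driver images."""
    with tempfile.TemporaryDirectory() as root:
        drivers = os.path.join(root, "drivers")
        cache = os.path.join(root, "dllcache")
        os.makedirs(drivers)
        os.makedirs(cache)
        _write(drivers, "atapi.sys", b"ORIGINAL-ATAPI")      # untouched
        _write(cache, "atapi.sys", b"ORIGINAL-ATAPI")
        _write(drivers, "AGP440.sys", b"PATCHED-AGP440")     # differs from WFP copy
        _write(cache, "AGP440.sys", b"ORIGINAL-AGP440")
        _write(drivers, "nvatabus.sys", b"VENDOR-NVATABUS")  # vendor driver, no cache copy
        return compare_driver_hashes(drivers, cache, MD5_LIST)


if __name__ == "__main__":
    # On a real machine the two paths would be %SystemRoot%\system32\drivers
    # and %SystemRoot%\system32\dllcache; the demo uses a temporary tree.
    for name, status in demo().items():
        print(f"{name:14} {status}")
```

Two caveats for reading the result: a `mismatch` is also what a legitimate hotfix leaves behind, so it is a lead to verify against a known-good hash rather than a conviction, and a `match` obtained from inside the running OS only means the kernel's file reads agreed, which a kernel-mode rootkit can arrange. That is why helpers want the hashes from a tool like OTL and compare them themselves rather than trusting the live system's own opinion.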

 



#3 accuno

  • Topic Starter

  • Members
  • 15 posts

Posted 19 April 2010 - 07:40 PM

Hello myrti, thanks for responding to my post. Since I first posted I have not done anything to this computer; I haven't even installed any of the recent Windows updates. I do start the computer disconnected from the network so the HelpAssistant account isn't created; I don't know if that would make a difference in any of the scans. Also, before I had made my original post at this forum, I had run this program once before. Again, I don't know if this makes a difference, I just thought I should mention it.

Here are the contents of the OTL file:

[codebox]
OTL logfile created on: 4/19/2010 7:10:23 PM - Run 2
OTL by OldTimer - Version 3.2.1.3 Folder = J:\Documents and Settings\user\Desktop
Windows 2000 Professional Edition Service Pack 4 (Version = 5.0.2195) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 534.00 Mb Available Physical Memory | 52.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): J:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = J: | %SystemRoot% = J:\WINNT | %ProgramFiles% = J:\Program Files
C: Drive not present or media not loaded
Drive D: | 97.66 Gb Total Space | 0.67 Gb Free Space | 0.68% Space Free | Partition Type: NTFS
Drive E: | 79.47 Gb Total Space | 0.02 Gb Free Space | 0.03% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
Drive G: | 494.80 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 14.12 Gb Total Space | 0.40 Gb Free Space | 2.83% Space Free | Partition Type: NTFS
Drive K: | 48.83 Gb Total Space | 4.95 Gb Free Space | 10.14% Space Free | Partition Type: NTFS
Drive L: | 50.11 Gb Total Space | 14.37 Gb Free Space | 28.67% Space Free | Partition Type: NTFS
Drive M: | 50.05 Gb Total Space | 0.34 Gb Free Space | 0.68% Space Free | Partition Type: NTFS
Drive Q: | 9.77 Gb Total Space | 0.01 Gb Free Space | 0.15% Space Free | Partition Type: NTFS
Drive V: | 9.77 Gb Total Space | 0.53 Gb Free Space | 5.38% Space Free | Partition Type: NTFS

Computer Name: FLOYD
Current User Name: user
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/04/19 18:29:48 | 000,562,176 | ---- | M] (OldTimer Tools) -- J:\Documents and Settings\user\Desktop\OTL.exe
PRC - [2010/04/14 22:56:00 | 002,064,224 | ---- | M] (AVG Technologies CZ, s.r.o.) -- J:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2010/04/14 22:55:52 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- J:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010/04/12 18:34:17 | 000,617,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- J:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/04/12 18:34:16 | 000,508,184 | ---- | M] (AVG Technologies CZ, s.r.o.) -- J:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/04/12 18:34:14 | 000,710,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- J:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2010/04/12 18:33:39 | 000,916,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- J:\Program Files\AVG\AVG9\avgemc.exe
PRC - [2010/04/12 18:33:35 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) -- J:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/04/03 16:27:15 | 000,910,296 | ---- | M] (Mozilla Corporation) -- J:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/05/03 13:28:20 | 000,244,736 | ---- | M] () -- J:\Programs\AutoHotkey\AutoHotkey.exe
PRC - [2009/01/07 18:45:20 | 001,496,968 | ---- | M] (Microsoft Corporation) -- J:\Program Files\Microsoft IntelliType Pro\itype.exe
PRC - [2005/09/29 16:28:22 | 000,217,088 | ---- | M] () -- J:\Program Files\GhostWall\ghostwall.exe
PRC - [2004/09/07 10:59:06 | 000,122,128 | ---- | M] (Microsoft Corporation) -- J:\WINNT\system32\mstask.exe
PRC - [2004/02/26 03:53:30 | 000,065,024 | ---- | M] (Realtek Semiconductor Corp.) -- J:\WINNT\SOUNDMAN.EXE
PRC - [2003/09/10 09:46:44 | 000,042,496 | ---- | M] (Advanced Micro Devices) -- J:\Program Files\AMD\Cool'n'Quiet\GemServ.exe
PRC - [2003/09/10 09:46:40 | 000,142,848 | ---- | M] (Advanced Micro Devices) -- J:\Program Files\AMD\Cool'n'Quiet\gemback.exe
PRC - [2003/06/19 14:05:04 | 000,243,472 | ---- | M] (Microsoft Corporation) -- J:\WINNT\explorer.exe
PRC - [2003/06/19 14:05:04 | 000,196,706 | ---- | M] (Microsoft Corporation) -- J:\WINNT\system32\wbem\winmgmt.exe
PRC - [2003/06/19 14:05:04 | 000,068,368 | ---- | M] (Microsoft Corporation) -- J:\WINNT\system32\regsvc.exe
PRC - [1999/12/07 07:00:00 | 000,025,360 | ---- | M] (Microsoft Corporation) -- J:\WINNT\system32\tcpsvcs.exe


========== Modules (SafeList) ==========

MOD - [2010/04/19 18:29:48 | 000,562,176 | ---- | M] (OldTimer Tools) -- J:\Documents and Settings\user\Desktop\OTL.exe
MOD - [2008/05/13 11:13:36 | 000,077,824 | ---- | M] (SuperAdBlocker.com) -- J:\Program Files\SUPERAntiSpyware\SASSEH.DLL
MOD - [2007/04/05 02:17:39 | 002,854,400 | ---- | M] (Microsoft Corporation) -- J:\WINNT\system32\msi.dll
MOD - [2005/01/12 14:39:46 | 000,056,080 | ---- | M] (Microsoft Corporation) -- J:\WINNT\system32\cabinet.dll
MOD - [2003/06/19 14:05:04 | 000,021,776 | ---- | M] (Microsoft Corporation) -- J:\WINNT\system32\wsock32.dll
MOD - [2003/06/19 14:05:04 | 000,010,000 | ---- | M] (Microsoft Corporation) -- J:\WINNT\system32\lz32.dll
MOD - [1999/12/07 07:00:00 | 000,011,536 | ---- | M] (Microsoft Corporation) -- J:\WINNT\system32\netrap.dll
MOD - [1999/11/05 08:38:34 | 000,561,210 | ---- | M] () -- J:\Program Files\Common Files\Microsoft Shared\Web Folders\MSONSEXT.DLL


========== Win32 Services (SafeList) ==========

SRV - [2010/04/12 18:33:39 | 000,916,760 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- J:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2010/04/12 18:33:35 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- J:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2009/09/23 16:37:30 | 000,051,168 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- J:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2004/09/07 10:59:06 | 000,122,128 | ---- | M] (Microsoft Corporation) [Auto | Running] -- J:\WINNT\system32\mstask.exe -- (Schedule)
SRV - [2003/09/10 09:46:44 | 000,042,496 | ---- | M] (Advanced Micro Devices) [Auto | Running] -- J:\Program Files\AMD\Cool'n'Quiet\GemServ.exe -- (GemServ) AMD PowerNow! ™
SRV - [2003/06/19 14:05:04 | 000,196,706 | ---- | M] (Microsoft Corporation) [Auto | Running] -- J:\WINNT\system32\wbem\winmgmt.exe -- (WinMgmt)
SRV - [2003/06/19 14:05:04 | 000,147,728 | ---- | M] (VERITAS Software Corp.) [On_Demand | Stopped] -- J:\WINNT\System32\dmadmin.exe -- (dmadmin)
SRV - [2003/06/19 14:05:04 | 000,094,992 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- J:\WINNT\system32\faxsvc.exe -- (Fax)
SRV - [2003/06/19 14:05:04 | 000,068,368 | ---- | M] (Microsoft Corporation) [Auto | Running] -- J:\WINNT\system32\regsvc.exe -- (RemoteRegistry)
SRV - [2003/06/19 14:05:04 | 000,022,800 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- J:\WINNT\system32\utilman.exe -- (UtilMan)
SRV - [2003/06/19 07:05:04 | 000,019,728 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- J:\WINNT\system32\hidserv.exe -- (HidServ)
SRV - [1999/12/07 07:00:00 | 000,034,064 | ---- | M] (Microsoft Corporation) [Auto | Running] -- J:\WINNT\system32\iprip.dll -- (Iprip)
SRV - [1999/12/07 07:00:00 | 000,025,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- J:\WINNT\system32\tcpsvcs.exe -- (SimpTcp)


========== Driver Services (SafeList) ==========

DRV - [2010/04/19 18:01:12 | 000,006,520 | ---- | M] () [Kernel | Auto | Running] -- J:\WINNT\system32\drivers\ghstwall.sys -- (ghstwall)
DRV - [2010/04/12 18:34:51 | 000,242,696 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- J:\WINNT\system32\drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/04/12 18:34:49 | 000,216,200 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- J:\WINNT\system32\drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2010/04/12 18:34:49 | 000,029,512 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- J:\WINNT\system32\drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2010/02/17 12:25:50 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- J:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2010/02/17 12:15:58 | 000,066,632 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- J:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 12:15:58 | 000,012,872 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- J:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/12/21 18:32:14 | 000,024,576 | ---- | M] (Exent Technologies Ltd.) [Kernel | Auto | Running] -- J:\Program Files\GameTap Web Player\bin\release\X4HSX32.sys -- (X4HSX32)
DRV - [2009/11/13 21:04:56 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- J:\WINNT\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009/04/28 15:20:06 | 000,009,200 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- J:\WINNT\system32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2009/04/28 15:20:06 | 000,009,072 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- J:\WINNT\system32\drivers\cdr4_2K.sys -- (Cdr4_2K)
DRV - [2007/04/09 10:56:22 | 000,021,248 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- J:\WINNT\system32\drivers\lgusbdiag.sys -- (UsbDiag)
DRV - [2007/04/09 10:55:08 | 000,022,912 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- J:\WINNT\system32\drivers\lgusbmodem.sys -- (USBModem)
DRV - [2007/04/09 10:53:24 | 000,012,672 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- J:\WINNT\system32\drivers\lgusbbus.sys -- (usbbus)
DRV - [2006/01/24 22:52:31 | 001,478,656 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- J:\WINNT\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2006/01/05 21:24:48 | 000,166,400 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- J:\WINNT\system32\drivers\atinevxx.sys -- (atinevxx)
DRV - [2006/01/05 21:23:42 | 000,015,360 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- J:\WINNT\system32\drivers\atinmdxx.sys -- (MVDCODEC)
DRV - [2004/07/09 02:58:10 | 000,015,104 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- J:\WINNT\system32\drivers\mpe.sys -- (MPE)
DRV - [2004/06/03 11:40:46 | 000,079,360 | R--- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- J:\WINNT\system32\DRIVERS\nvatabus.sys -- (nvatabus)
DRV - [2004/05/17 15:00:54 | 000,012,928 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- J:\WINNT\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2004/02/26 11:50:38 | 000,611,820 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- J:\WINNT\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/02/23 22:08:52 | 000,400,384 | ---- | M] (Sensaura) [Kernel | On_Demand | Running] -- J:\WINNT\system32\drivers\ALCXSENS.SYS -- (ALCXSENS)
DRV - [2004/01/28 11:56:58 | 000,033,536 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- J:\WINNT\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2003/10/29 14:02:00 | 000,021,120 | R--- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- J:\WINNT\system32\DRIVERS\nv_agp.sys -- (nv_agp)
DRV - [2003/07/21 10:28:44 | 000,011,776 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- J:\WINNT\system32\drivers\gemwdm.sys -- (gemwdm) AMD PowerNow! ™
DRV - [2003/06/19 14:05:04 | 000,369,104 | ---- | M] (VERITAS Software Corp.) [Kernel | Disabled | Stopped] -- J:\WINNT\system32\drivers\dmboot.sys -- (dmboot)
DRV - [2003/06/19 14:05:04 | 000,137,936 | ---- | M] (VERITAS Software Corp.) [Kernel | Boot | Running] -- J:\WINNT\System32\drivers\dmio.sys -- (dmio)
DRV - [2003/06/19 14:05:04 | 000,060,208 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- J:\WINNT\system32\drivers\parallel.sys -- (Parallel)
DRV - [2003/06/19 14:05:04 | 000,027,440 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Running] -- J:\WINNT\system32\drivers\efs.sys -- (EFS)
DRV - [2003/06/19 14:05:04 | 000,024,784 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- J:\WINNT\system32\drivers\openhci.sys -- (openhci)
DRV - [2003/06/19 14:05:04 | 000,007,728 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- J:\WINNT\system32\drivers\diskperf.sys -- (Diskperf)
DRV - [2003/06/19 14:05:04 | 000,007,312 | ---- | M] (VERITAS Software Corp.) [Kernel | Boot | Running] -- J:\WINNT\System32\drivers\dmload.sys -- (dmload)
DRV - [2003/06/19 07:05:04 | 000,049,776 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- J:\WINNT\system32\drivers\usbhub20.sys -- (usbhub20)
DRV - [1999/12/07 07:00:00 | 000,021,712 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- J:\WINNT\system32\drivers\rca.sys -- (RCA)
DRV - [1999/12/07 07:00:00 | 000,009,680 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- J:\WINNT\system32\drivers\netdtect.sys -- (NetDetect)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.google.com/preferences?hl={SUB_RFC1766}
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie?hl={SUB_RFC1766}


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-861567501-1757981266-839522115-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = J:\WINNT\system32\blank.htm
IE - HKU\S-1-5-21-861567501-1757981266-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1
FF - prefs.js..extensions.enabledItems: 6
FF - prefs.js..extensions.enabledItems: 2
FF - prefs.js..extensions.enabledItems: 48
FF - prefs.js..extensions.enabledItems: GameTapPlayer@gametap.com:4.3.0.57
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.783

FF - HKLM\software\mozilla\Firefox\extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: J:\Program Files\AVG\AVG9\Firefox [2010/04/12 18:33:21 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: J:\Program Files\Mozilla Firefox\components [2010/04/07 19:21:38 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: J:\Program Files\Mozilla Firefox\plugins [2010/04/03 16:27:18 | 000,000,000 | ---D | M]

[2009/10/02 21:05:34 | 000,000,000 | ---D | M] -- J:\Documents and Settings\user\Application Data\Mozilla\Extensions
[2010/04/17 23:56:05 | 000,000,000 | ---D | M] -- J:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\wol6rvg8.default\extensions
[2010/02/19 19:10:14 | 000,000,000 | ---D | M] (Adblock Plus) -- J:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\wol6rvg8.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/10/02 18:49:04 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- J:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\wol6rvg8.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2010/02/21 03:03:33 | 000,000,000 | ---D | M] -- J:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\wol6rvg8.default\extensions\GameTapPlayer@gametap.com
[2009/09/19 18:36:22 | 000,000,000 | ---D | M] -- J:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([1999/12/07 07:00:00 | 000,000,734 | ---- | M]) - J:\WINNT\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - J:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (IeCatch2 Class) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - J:\Program Files\FlashGet\Jccatch.dll (Amaze Soft)
O3 - HKLM\..\Toolbar: (@msdxmLC.dll,-1@1033,&Radio) - {8E718888-423F-11D2-876E-00A0C9082467} - J:\WINNT\system32\msdxm.ocx ()
O3 - HKU\S-1-5-21-861567501-1757981266-839522115-1000\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [AVG9_TRAY] J:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [GhostWall] J:\Program Files\GhostWall\ghostwall.exe ()
O4 - HKLM..\Run: [itype] J:\Program Files\Microsoft IntelliType Pro\itype.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SoundMan] J:\WINNT\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKU\.DEFAULT..\RunOnce: [^SetupICWDesktop] J:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe (Microsoft Corporation)
O4 - Startup: J:\Documents and Settings\user\Start Menu\Programs\Startup\autoload.ahk ()
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-21-861567501-1757981266-839522115-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 176
O7 - HKU\S-1-5-21-861567501-1757981266-839522115-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-21-861567501-1757981266-839522115-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 96
O8 - Extra context menu item: Download All by FlashGet - J:\Program Files\FlashGet\jc_all.htm ()
O8 - Extra context menu item: Download using FlashGet - J:\Program Files\FlashGet\jc_link.htm ()
O9 - Extra Button: @shdoclc.dll,-866 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - J:\WINNT\Web\RELATED.HTM ()
O9 - Extra 'Tools' menuitem : @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - J:\WINNT\Web\RELATED.HTM ()
O9 - Extra Button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - J:\Program Files\FlashGet\flashget.exe (Amaze Soft)
O9 - Extra 'Tools' menuitem : &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - J:\Program Files\FlashGet\flashget.exe (Amaze Soft)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - J:\WINNT\system32\rnr20.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - J:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - J:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - J:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - J:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - J:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - J:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - J:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - J:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - J:\WINNT\system32\msafd.dll (Microsoft Corporation)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1253384984671 (WUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - J:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\vnd.ms.radio {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - J:\WINNT\system32\msdxm.ocx ()
O18 - Protocol\Filter\application/octet-stream - No CLSID value found
O18 - Protocol\Filter\application/x-complus - No CLSID value found
O18 - Protocol\Filter\application/x-msdownload - No CLSID value found
O18 - Protocol\Filter\Class Install Handler - No CLSID value found
O18 - Protocol\Filter\deflate - No CLSID value found
O18 - Protocol\Filter\gzip - No CLSID value found
O18 - Protocol\Filter\lzdhtml - No CLSID value found
O18 - Protocol\Filter\text/webviewhtml - No CLSID value found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - J:\WINNT\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - J:\Program Files\SUPERAntiSpyware\SASWINLO.dll - J:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - J:\WINNT\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - J:\WINNT\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\wzcnotif: DllName - wzcdlg.dll - J:\WINNT\System32\wzcdlg.dll (Microsoft Corporation)
O24 - Desktop WallPaper: J:\Documents and Settings\user\My Documents\My Pictures\wall7-1280x1024.jpg
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - J:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 0
O32 - AutoRun File - [1999/12/07 07:00:00 | 000,000,045 | R--- | M] () - G:\AUTORUN.INF -- [ CDFS ]
O32 - AutoRun File - [2004/07/15 20:31:28 | 000,000,000 | -H-- | M] () - V:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/04/14 19:00:45 | 000,672,224 | ---- | C] (Ghost Security ) -- J:\Documents and Settings\user\Desktop\ghostwall_setup.exe
[2010/04/12 18:34:57 | 000,000,000 | -H-D | C] -- J:\$AVG
[2010/04/12 18:31:37 | 000,000,000 | -HSD | C] -- J:\Config.Msi
[2010/04/12 18:18:40 | 002,131,808 | ---- | C] (AVG Technologies) -- J:\Documents and Settings\user\Desktop\avg_free_stb_all_9_114_cnet.exe
[2010/04/07 19:39:56 | 001,840,232 | ---- | C] (Trend Micro) -- J:\Documents and Settings\user\Desktop\HousecallLauncher.exe
[2010/04/06 21:43:05 | 000,011,632 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\mouhid.sys
[2010/04/06 21:43:04 | 000,021,776 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\mouclass.sys
[2010/03/31 19:39:25 | 008,351,672 | ---- | C] (Mozilla) -- J:\Documents and Settings\user\Desktop\Firefox Setup 3.6.2.exe
[2010/03/31 00:46:41 | 002,942,952 | ---- | C] (Siber Systems) -- J:\Documents and Settings\user\Desktop\AiRoboForm-onema.exe
[2010/03/30 19:37:41 | 000,000,000 | ---D | C] -- J:\Documents and Settings\user\Desktop\gmer
[2010/03/28 03:06:58 | 000,562,176 | ---- | C] (OldTimer Tools) -- J:\Documents and Settings\user\Desktop\OTL.exe
[2010/03/28 02:26:59 | 001,154,064 | ---- | C] (Piriform Ltd) -- J:\Documents and Settings\user\Desktop\ccsetup229_slim.exe
[2010/03/28 01:49:12 | 016,258,848 | ---- | C] (Sun Microsystems, Inc.) -- J:\Documents and Settings\user\Desktop\jre-6u18-windows-i586.exe
[2010/03/28 01:34:39 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- J:\WINNT\System32\drivers\mbamswissarmy.sys
[2010/03/28 01:34:37 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- J:\WINNT\System32\drivers\mbam.sys
[2010/03/27 19:40:32 | 000,024,848 | ---- | C] (Lucent Technologies) -- J:\WINNT\System32\dllcache\wvlan48.sys
[2010/03/27 19:40:32 | 000,017,168 | ---- | C] (US Robotics MCD (Megahertz)) -- J:\WINNT\System32\dllcache\xem336n5.sys
[2010/03/27 19:40:28 | 000,035,088 | ---- | C] (Raytheon Corp.) -- J:\WINNT\System32\dllcache\wlandrv2.sys
[2010/03/27 19:40:28 | 000,008,016 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\wmiacpi.sys
[2010/03/27 19:40:24 | 000,602,128 | ---- | C] (Conexant) -- J:\WINNT\System32\dllcache\winacpci.sys
[2010/03/27 19:40:23 | 000,041,552 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\weitekp9.dll
[2010/03/27 19:40:23 | 000,030,960 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\weitekp9.sys
[2010/03/27 19:40:22 | 000,088,576 | ---- | C] (Comtrol® Corporation) -- J:\WINNT\System32\dllcache\wcom32.exe
[2010/03/27 19:40:22 | 000,027,024 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\wdvga.sys
[2010/03/27 19:40:20 | 000,008,976 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\wangqic.sys
[2010/03/27 19:40:15 | 000,018,704 | ---- | C] (Winbond Electronics Corporation) -- J:\WINNT\System32\dllcache\w940nd.sys
[2010/03/27 19:40:15 | 000,017,264 | ---- | C] (Winbond Electronics Corporation) -- J:\WINNT\System32\dllcache\w926nd.sys
[2010/03/27 19:40:11 | 000,333,168 | ---- | C] (3Dfx Interactive, Inc.) -- J:\WINNT\System32\dllcache\voodoo3.dll
[2010/03/27 19:40:11 | 000,253,200 | ---- | C] (Comtrol® Corporation) -- J:\WINNT\System32\dllcache\vssetup.dll
[2010/03/27 19:40:11 | 000,053,008 | ---- | C] (3Dfx Interactive, Inc.) -- J:\WINNT\System32\dllcache\voodoo3.sys
[2010/03/27 19:40:11 | 000,048,304 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\w32.dll
[2010/03/27 19:40:10 | 000,022,416 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\viaagp.sys
[2010/03/27 19:40:05 | 000,022,768 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\usbser.sys
[2010/03/27 19:40:05 | 000,021,872 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\usbprint.sys
[2010/03/27 19:40:05 | 000,012,592 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\usbscan.sys
[2010/03/27 19:40:02 | 000,033,296 | ---- | C] (Promise Technology, Inc.) -- J:\WINNT\System32\dllcache\ultra66.sys
[2010/03/27 19:40:02 | 000,032,848 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\uhcd.sys
[2010/03/27 19:40:02 | 000,023,472 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\umaxpcls.sys
[2010/03/27 19:40:02 | 000,009,488 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\u1220usd.dll
[2010/03/27 19:40:02 | 000,008,976 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\umaxusd.dll
[2010/03/27 19:40:01 | 000,804,112 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\twrc200.dll
[2010/03/27 19:40:01 | 000,323,856 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\twui200.dll
[2010/03/27 19:40:01 | 000,165,648 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\twui120.dll
[2010/03/27 19:40:01 | 000,061,200 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\u1220_32.dll
[2010/03/27 19:40:00 | 000,523,408 | ---- | C] (Trident Microsystems Inc.) -- J:\WINNT\System32\dllcache\tridkb.dll
[2010/03/27 19:40:00 | 000,484,112 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\twrc120.dll
[2010/03/27 19:40:00 | 000,154,384 | ---- | C] (Trident Microsystems Inc.) -- J:\WINNT\System32\dllcache\tridkbm.sys
[2010/03/27 19:39:59 | 000,277,520 | ---- | C] (Trident Microsystems Inc.) -- J:\WINNT\System32\dllcache\trid3d.dll
[2010/03/27 19:39:59 | 000,191,888 | ---- | C] (Trident Microsystems Inc.) -- J:\WINNT\System32\dllcache\trid3dm.sys
[2010/03/27 19:39:59 | 000,086,288 | ---- | C] (IBM) -- J:\WINNT\System32\dllcache\tp4mon.exe
[2010/03/27 19:39:59 | 000,035,088 | ---- | C] (IBM) -- J:\WINNT\System32\dllcache\tp4.dll
[2010/03/27 19:39:59 | 000,034,576 | ---- | C] (Intel Corporation) -- J:\WINNT\System32\dllcache\tpro4.sys
[2010/03/27 19:39:59 | 000,028,672 | ---- | C] (IBM) -- J:\WINNT\System32\dllcache\tp4res.dll
[2010/03/27 19:39:58 | 000,242,256 | ---- | C] (Toshiba Corporation) -- J:\WINNT\System32\dllcache\tosdvd02.sys
[2010/03/27 19:39:58 | 000,231,408 | ---- | C] (Toshiba Corporation) -- J:\WINNT\System32\dllcache\tosdvd03.sys
[2010/03/27 19:39:58 | 000,033,552 | ---- | C] (TOSHIBA Corporation) -- J:\WINNT\System32\dllcache\tos4mu.sys
[2010/03/27 19:39:57 | 000,123,856 | ---- | C] (Tiger Jet Network) -- J:\WINNT\System32\dllcache\tjisdn.sys
[2010/03/27 19:39:56 | 000,141,136 | ---- | C] (Trident Microsystems Inc.) -- J:\WINNT\System32\dllcache\tgiulnt5.sys
[2010/03/27 19:39:56 | 000,079,024 | ---- | C] (Trident Microsystems Inc.) -- J:\WINNT\System32\dllcache\tgiul50.dll
[2010/03/27 19:39:56 | 000,072,784 | ---- | C] (M-Systems) -- J:\WINNT\System32\dllcache\tffsport.sys
[2010/03/27 19:39:53 | 000,029,872 | ---- | C] (Toshiba Corporation) -- J:\WINNT\System32\dllcache\tbatm155.sys
[2010/03/27 19:39:52 | 000,251,312 | ---- | C] (Number Nine Visual Technology) -- J:\WINNT\System32\dllcache\t2r4disp.dll
[2010/03/27 19:39:52 | 000,037,104 | ---- | C] (Number Nine Visual Technology Corp.) -- J:\WINNT\System32\dllcache\t2r4mini.sys
[2010/03/27 19:39:52 | 000,007,344 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\tandqic.sys
[2010/03/27 19:39:49 | 000,346,624 | ---- | C] (Digi International Inc.) -- J:\WINNT\System32\dllcache\syncprop.dll
[2010/03/27 19:39:49 | 000,097,936 | ---- | C] (Specialix International Ltd. ) -- J:\WINNT\System32\dllcache\sx.sys
[2010/03/27 19:39:49 | 000,027,120 | ---- | C] (LSI Logic) -- J:\WINNT\System32\dllcache\symc8xx.sys
[2010/03/27 19:39:49 | 000,021,136 | ---- | C] (Symbios Inc.) -- J:\WINNT\System32\dllcache\sym_hi.sys
[2010/03/27 19:39:49 | 000,016,624 | ---- | C] (Symbios Logic Inc.) -- J:\WINNT\System32\dllcache\symc810.sys
[2010/03/27 19:39:48 | 000,060,176 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\sw_wheel.dll
[2010/03/27 19:39:48 | 000,045,328 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\sw_effct.dll
[2010/03/27 19:39:47 | 000,186,640 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\stivs32.dll
[2010/03/27 19:39:46 | 000,016,400 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\stcusb.sys
[2010/03/27 19:39:42 | 000,025,872 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\srusd.dll
[2010/03/27 19:39:28 | 000,010,160 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\spctramc.sys
[2010/03/27 19:39:27 | 000,019,376 | ---- | C] (Adaptec, Inc.) -- J:\WINNT\System32\dllcache\sparrow.sys
[2010/03/27 19:39:25 | 000,063,024 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\solo.sys
[2010/03/27 19:39:25 | 000,012,432 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\sonymc.sys
[2010/03/27 19:39:25 | 000,006,256 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\sonyait.sys
[2010/03/27 19:39:23 | 000,009,776 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\snyaitmc.sys
[2010/03/27 19:39:04 | 000,036,112 | ---- | C] (SMC) -- J:\WINNT\System32\dllcache\smcirda.sys
[2010/03/27 19:39:04 | 000,023,824 | ---- | C] (Standard Microsystems Corporation) -- J:\WINNT\System32\dllcache\smc8000n.sys
[2010/03/27 19:39:04 | 000,021,008 | ---- | C] (SMC Networks, Inc.) -- J:\WINNT\System32\dllcache\smcpwr2n.sys
[2010/03/27 19:39:04 | 000,006,576 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\smbhc.sys
[2010/03/27 19:39:03 | 000,190,512 | ---- | C] (Silicon Integrated Systems Corporation) -- J:\WINNT\System32\dllcache\sis300v.dll
[2010/03/27 19:39:03 | 000,091,920 | ---- | C] (SysKonnect, a business unit of Schneider & Koch & Co. Datensysteme GmbH.) -- J:\WINNT\System32\dllcache\sk98win.sys
[2010/03/27 19:39:03 | 000,052,736 | ---- | C] (Symbol Technologies) -- J:\WINNT\System32\dllcache\slant.sys
[2010/03/27 19:39:03 | 000,027,376 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\smbbatt.sys
[2010/03/27 19:39:03 | 000,019,728 | ---- | C] (MicroGate Corporation) -- J:\WINNT\System32\dllcache\slpp.dll
[2010/03/27 19:39:03 | 000,006,096 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\smbclass.sys
[2010/03/27 19:39:02 | 000,052,272 | ---- | C] (Silicon Integrated Systems Corporation) -- J:\WINNT\System32\dllcache\sis300p.sys
[2010/03/27 19:38:57 | 000,493,424 | ---- | C] (Trident Microsystems Inc.) -- J:\WINNT\System32\dllcache\sgiul50.dll
[2010/03/27 19:38:57 | 000,097,808 | ---- | C] (Trident Microsystems Inc.) -- J:\WINNT\System32\dllcache\sgiulnt5.sys
[2010/03/27 19:38:57 | 000,009,136 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\sglfb.dll
[2010/03/27 19:38:57 | 000,006,992 | ---- | C] (SGI) -- J:\WINNT\System32\dllcache\sglfb.sys
[2010/03/27 19:38:54 | 000,006,736 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\serscan.sys
[2010/03/27 19:38:53 | 000,017,136 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\sermouse.sys
[2010/03/27 19:38:49 | 000,010,576 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\scsiscan.sys
[2010/03/27 19:38:49 | 000,009,392 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\seaddsmc.sys
[2010/03/27 19:38:48 | 000,011,632 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\scsiprnt.sys
[2010/03/27 19:38:46 | 000,016,976 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\scmstcs.sys
[2010/03/27 19:38:45 | 000,246,256 | ---- | C] (S3 Incorporated) -- J:\WINNT\System32\dllcache\s3sav4.dll
[2010/03/27 19:38:45 | 000,065,072 | ---- | C] (S3 Incorporated) -- J:\WINNT\System32\dllcache\s3sav4m.sys
[2010/03/27 19:38:45 | 000,062,960 | ---- | C] (S3 Incorporated) -- J:\WINNT\System32\dllcache\s3sav3dm.sys
[2010/03/27 19:38:45 | 000,035,760 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\sbp2port.sys
[2010/03/27 19:38:45 | 000,016,048 | ---- | C] (DigitalScape) -- J:\WINNT\System32\dllcache\s53c885.sys
[2010/03/27 19:38:44 | 000,304,688 | ---- | C] (S3 Incorporated) -- J:\WINNT\System32\dllcache\s3mvirge.dll
[2010/03/27 19:38:44 | 000,293,456 | ---- | C] (S3 Incorporated) -- J:\WINNT\System32\dllcache\s3mt3d.dll
[2010/03/27 19:38:44 | 000,213,776 | ---- | C] (S3 Incorporated) -- J:\WINNT\System32\dllcache\s3sav3d.dll
[2010/03/27 19:38:44 | 000,168,112 | ---- | C] (S3 Incorporated) -- J:\WINNT\System32\dllcache\s3m.sys
[2010/03/27 19:38:44 | 000,065,456 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\s3legacy.sys
[2010/03/27 19:38:44 | 000,064,624 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\s3legacy.dll
[2010/03/27 19:38:44 | 000,061,968 | ---- | C] (S3 Incorporated) -- J:\WINNT\System32\dllcache\s3mtrio.dll
[2010/03/27 19:38:44 | 000,041,008 | ---- | C] (S3 Incorporated) -- J:\WINNT\System32\dllcache\s3mt3d.sys
[2010/03/27 19:38:38 | 000,071,216 | ---- | C] (Comtrol Corporation) -- J:\WINNT\System32\dllcache\rocket.sys
[2010/03/27 19:38:38 | 000,037,808 | ---- | C] (RadioLAN) -- J:\WINNT\System32\dllcache\rlnet5.sys
[2010/03/27 19:38:38 | 000,036,480 | ---- | C] (RNS, a division of Meret Communications, Inc.) -- J:\WINNT\System32\dllcache\rnsfnet.sys
[2010/03/27 19:38:34 | 000,012,560 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\reg32.dll
[2010/03/27 19:38:30 | 000,041,776 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\qv.dll
[2010/03/27 19:38:30 | 000,028,592 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\qv.sys
[2010/03/27 19:38:30 | 000,020,240 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\qvusd.dll
[2010/03/27 19:38:24 | 000,064,400 | ---- | C] (QLogic Corporation) -- J:\WINNT\System32\dllcache\ql2100.sys
[2010/03/27 19:38:24 | 000,040,592 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\ql1240.sys
[2010/03/27 19:38:24 | 000,040,464 | ---- | C] (QLogic Corporation) -- J:\WINNT\System32\dllcache\ql1080.sys
[2010/03/27 19:38:24 | 000,033,488 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\ql10wnt.sys
[2010/03/27 19:38:24 | 000,010,768 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\qlstrmc.sys
[2010/03/27 19:38:24 | 000,008,848 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\qntmmc.sys
[2010/03/27 19:38:24 | 000,005,008 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\qic157.sys
[2010/03/27 19:38:07 | 000,016,240 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\pscr.sys
[2010/03/27 19:38:06 | 000,016,048 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\ppa3.sys
[2010/03/27 19:38:05 | 000,149,264 | ---- | C] (Comtrol® Corporation) -- J:\WINNT\System32\dllcache\portmon.exe
[2010/03/27 19:38:05 | 000,017,520 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\ppa.sys
[2010/03/27 19:38:04 | 000,011,120 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\plasmc.sys
[2010/03/27 19:38:04 | 000,009,808 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\pnrmc.sys
[2010/03/27 19:37:57 | 000,142,320 | ---- | C] (Microsoft Corp., 3Dlabs Inc. Ltd.) -- J:\WINNT\System32\dllcache\perm2dll.dll
[2010/03/27 19:37:57 | 000,077,072 | ---- | C] (PHILIPS ) -- J:\WINNT\System32\dllcache\philcam1.sys
[2010/03/27 19:37:57 | 000,040,720 | ---- | C] ( ) -- J:\WINNT\System32\dllcache\philcam1.dll
[2010/03/27 19:37:57 | 000,026,576 | ---- | C] (Microsoft Corp., 3Dlabs Inc. Ltd.) -- J:\WINNT\System32\dllcache\perm2.sys
[2010/03/27 19:37:56 | 000,108,304 | ---- | C] (Comtrol® Corporation) -- J:\WINNT\System32\dllcache\peer.exe
[2010/03/27 19:37:56 | 000,054,224 | ---- | C] (Digi International, Inc.) -- J:\WINNT\System32\dllcache\pcimac.sys
[2010/03/27 19:37:56 | 000,035,088 | ---- | C] (Aironet Wireless Communications Inc.) -- J:\WINNT\System32\dllcache\pcx500.sys
[2010/03/27 19:37:56 | 000,029,968 | ---- | C] (AMD Inc.) -- J:\WINNT\System32\dllcache\pcntn5m.sys
[2010/03/27 19:37:56 | 000,028,944 | ---- | C] (AMD Inc.) -- J:\WINNT\System32\dllcache\pcntn5hl.sys
[2010/03/27 19:37:56 | 000,024,016 | ---- | C] (Linksys) -- J:\WINNT\System32\dllcache\pc100nds.sys
[2010/03/27 19:37:55 | 000,056,592 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\p6xx_32.dll
[2010/03/27 19:37:55 | 000,009,488 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\p6xxusd.dll
[2010/03/27 19:37:54 | 000,054,960 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\opl3sax.sys
[2010/03/27 19:37:49 | 000,175,376 | ---- | C] (Olicom A/S ) -- J:\WINNT\System32\dllcache\oct3xnd5.sys
[2010/03/27 19:37:49 | 000,065,808 | ---- | C] (Olicom A/S ) -- J:\WINNT\System32\dllcache\oct4pnd5.sys
[2010/03/27 19:37:49 | 000,057,936 | ---- | C] (Olicom A/S ) -- J:\WINNT\System32\dllcache\oce5xnd5.sys
[2010/03/27 19:37:49 | 000,031,984 | ---- | C] (Olicom A/S ) -- J:\WINNT\System32\dllcache\oce4xnd5.sys
[2010/03/27 19:37:48 | 000,041,648 | ---- | C] (Olicom A/S ) -- J:\WINNT\System32\dllcache\oca2pnd5.sys
[2010/03/27 19:37:48 | 000,038,960 | ---- | C] (Olicom A/S ) -- J:\WINNT\System32\dllcache\oca1pnd5.sys
[2010/03/27 19:37:48 | 000,035,600 | ---- | C] (Olicom A/S ) -- J:\WINNT\System32\dllcache\oce2xnd5.sys
[2010/03/27 19:37:48 | 000,023,824 | ---- | C] (Olicom A/S ) -- J:\WINNT\System32\dllcache\oce3xnd5.sys
[2010/03/27 19:37:47 | 000,530,192 | ---- | C] (NVidia Corporation) -- J:\WINNT\System32\dllcache\nv4.dll
[2010/03/27 19:37:47 | 000,345,040 | ---- | C] (NVIDIA Corporation) -- J:\WINNT\System32\dllcache\nv4.sys
[2010/03/27 19:37:47 | 000,201,328 | ---- | C] (NVIDIA Corporation) -- J:\WINNT\System32\dllcache\nv3.sys
[2010/03/27 19:37:47 | 000,125,680 | ---- | C] (NVIDIA Corporation) -- J:\WINNT\System32\dllcache\nv3.dll
[2010/03/27 19:37:46 | 000,028,240 | ---- | C] (Digi International Inc.) -- J:\WINNT\System32\dllcache\ntxall.sys
[2010/03/27 19:37:46 | 000,026,480 | ---- | C] (Digi International Inc.) -- J:\WINNT\System32\dllcache\ntxem.sys
[2010/03/27 19:37:18 | 000,028,816 | ---- | C] (Digi International Inc.) -- J:\WINNT\System32\dllcache\ntepc.sys
[2010/03/27 19:34:44 | 000,039,680 | ---- | C] (Silicom Ltd.) -- J:\WINNT\System32\dllcache\cb325.sys
[2010/03/27 19:34:44 | 000,031,888 | ---- | C] (BreezeCOM) -- J:\WINNT\System32\dllcache\brzwlan.sys
[2010/03/27 19:34:44 | 000,017,168 | ---- | C] (AmbiCom, Inc.) -- J:\WINNT\System32\dllcache\amb8002.sys
[2010/03/27 19:34:44 | 000,007,440 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\af450.dll
[2010/03/27 19:33:39 | 000,801,072 | ---- | C] (U.S. Robotics, Inc.) -- J:\WINNT\System32\dllcache\3cpciadi.sys
[2010/03/27 19:33:39 | 000,774,928 | ---- | C] (U.S. Robotics, Inc.) -- J:\WINNT\System32\dllcache\3cisati.sys
[2010/03/27 19:33:39 | 000,091,920 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\acq32.dll
[2010/03/27 19:33:39 | 000,038,320 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\8514a.dll
[2010/03/27 19:33:39 | 000,010,928 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\4mmdat.sys
[2010/03/27 19:33:38 | 000,792,176 | ---- | C] (U.S. Robotics, Inc.) -- J:\WINNT\System32\dllcache\3cisaadi.sys
[2010/03/27 19:33:38 | 000,763,024 | ---- | C] (3Com, Inc.) -- J:\WINNT\System32\dllcache\3cwmcru.sys
[2010/03/27 19:33:38 | 000,022,992 | ---- | C] (Microsoft Corporation) -- J:\WINNT\System32\dllcache\15_16wdm.sys
[2010/03/27 16:35:10 | 000,000,000 | ---D | C] -- J:\WINNT\System32\LogFiles
[4 J:\WINNT\*.tmp files -> J:\WINNT\*.tmp -> ]
[2 J:\WINNT\System32\*.tmp files -> J:\WINNT\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/19 19:10:50 | 001,392,640 | -H-- | M] () -- J:\Documents and Settings\user\NTUSER.DAT
[2010/04/19 18:29:48 | 000,562,176 | ---- | M] (OldTimer Tools) -- J:\Documents and Settings\user\Desktop\OTL.exe
[2010/04/19 18:01:34 | 000,016,384 | ---- | M] () -- J:\WINNT\System32\Perflib_Perfdata_3f0.dat
[2010/04/19 18:01:12 | 000,006,520 | ---- | M] () -- J:\WINNT\System32\drivers\ghstwall.sys
[2010/04/19 18:00:32 | 000,000,006 | -H-- | M] () -- J:\WINNT\tasks\SA.DAT
[2010/04/19 18:00:30 | 000,016,384 | ---- | M] () -- J:\WINNT\System32\Perflib_Perfdata_2f0.dat
[2010/04/18 22:42:01 | 059,034,248 | ---- | M] () -- J:\WINNT\System32\drivers\Avg\incavi.avm
[2010/04/18 18:33:17 | 000,939,756 | -H-- | M] () -- J:\WINNT\ShellIconCache
[2010/04/18 12:32:02 | 000,016,384 | ---- | M] () -- J:\WINNT\System32\Perflib_Perfdata_3f4.dat
[2010/04/18 12:30:58 | 000,016,384 | ---- | M] () -- J:\WINNT\System32\Perflib_Perfdata_120.dat
[2010/04/14 19:43:48 | 000,002,151 | ---- | M] () -- J:\Documents and Settings\user\Desktop\Attach.zip
[2010/04/14 19:43:44 | 000,001,726 | ---- | M] () -- J:\Documents and Settings\user\Desktop\ark.zip
[2010/04/14 19:20:59 | 000,284,915 | ---- | M] () -- J:\Documents and Settings\user\Desktop\gmer.zip
[2010/04/14 19:08:08 | 000,525,824 | ---- | M] () -- J:\Documents and Settings\user\Desktop\dds.scr
[2010/04/14 19:06:06 | 000,001,600 | ---- | M] () -- J:\WINNT\System32\ghstwall.fir
[2010/04/14 19:01:15 | 000,000,593 | ---- | M] () -- J:\Documents and Settings\user\Desktop\GhostWall.lnk
[2010/04/14 19:00:45 | 000,672,224 | ---- | M] (Ghost Security ) -- J:\Documents and Settings\user\Desktop\ghostwall_setup.exe
[2010/04/14 18:25:08 | 000,000,020 | ---- | M] () -- J:\Documents and Settings\user\defogger_reenable
[2010/04/14 18:24:05 | 000,050,477 | ---- | M] () -- J:\Documents and Settings\user\Desktop\Defogger.exe
[2010/04/14 00:33:50 | 000,000,178 | -HS- | M] () -- J:\Documents and Settings\user\ntuser.ini
[2010/04/13 22:12:28 | 000,490,232 | ---- | M] () -- J:\Documents and Settings\user\Desktop\HelpAsst_mebroot_fix.exe
[2010/04/13 18:34:46 | 000,485,896 | ---- | M] () -- J:\Documents and Settings\user\Desktop\HAMeb_check.exe
[2010/04/12 18:34:52 | 000,012,464 | ---- | M] (AVG Technologies CZ, s.r.o.) -- J:\WINNT\System32\avgrsstx.dll
[2010/04/12 18:34:52 | 000,001,374 | ---- | M] () -- J:\Documents and Settings\All Users\Desktop\AVG Free 9.0.lnk
[2010/04/12 18:34:51 | 000,242,696 | ---- | M] (AVG Technologies CZ, s.r.o.) -- J:\WINNT\System32\drivers\avgtdix.sys
[2010/04/12 18:34:49 | 000,216,200 | ---- | M] (AVG Technologies CZ, s.r.o.) -- J:\WINNT\System32\drivers\avgldx86.sys
[2010/04/12 18:34:49 | 000,029,512 | ---- | M] (AVG Technologies CZ, s.r.o.) -- J:\WINNT\System32\drivers\avgmfx86.sys
[2010/04/12 18:34:47 | 000,113,461 | ---- | M] () -- J:\WINNT\System32\drivers\Avg\iavichjw.avm
[2010/04/12 18:18:41 | 002,131,808 | ---- | M] (AVG Technologies) -- J:\Documents and Settings\user\Desktop\avg_free_stb_all_9_114_cnet.exe
[2010/04/10 15:08:20 | 000,077,312 | ---- | M] () -- J:\Documents and Settings\user\Desktop\mbr.exe
[2010/04/07 20:05:19 | 000,000,036 | ---- | M] () -- J:\Documents and Settings\user\Local Settings\Application Data\housecall.guid.cache
[2010/04/07 19:40:03 | 001,840,232 | ---- | M] (Trend Micro) -- J:\Documents and Settings\user\Desktop\HousecallLauncher.exe
[2010/04/07 19:39:30 | 001,074,232 | ---- | M] () -- J:\Documents and Settings\user\Desktop\RootkitBuster_2.80.1077.zip
[2010/04/07 18:58:48 | 018,499,623 | ---- | M] () -- J:\Documents and Settings\user\Desktop\vlc-1.0.5-win32.exe
[2010/04/07 18:25:07 | 000,000,679 | ---- | M] () -- J:\Documents and Settings\user\Desktop\StreamTorrent 1.0.lnk
[2010/04/07 18:24:26 | 001,245,385 | ---- | M] () -- J:\Documents and Settings\user\Desktop\StreamTorrent10Build0075.zip
[2010/04/07 18:16:21 | 003,005,440 | ---- | M] () -- J:\Documents and Settings\user\Desktop\TvantsSetup.exe
[2010/04/07 17:38:39 | 000,078,352 | ---- | M] () -- J:\WINNT\System32\FNTCACHE.DAT
[2010/04/06 21:43:05 | 000,001,733 | ---- | M] () -- J:\Documents and Settings\All Users\Desktop\Microsoft Mouse.lnk
[2010/04/03 17:52:22 | 000,000,665 | ---- | M] () -- J:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/04/03 17:45:29 | 007,976,992 | ---- | M] () -- J:\Documents and Settings\user\Desktop\SUPERAntiSpyware.exe
[2010/04/03 17:34:00 | 000,000,408 | ---- | M] () -- J:\WINNT\win.ini
[2010/04/02 18:49:47 | 000,000,575 | ---- | M] () -- J:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/31 19:39:33 | 008,351,672 | ---- | M] (Mozilla) -- J:\Documents and Settings\user\Desktop\Firefox Setup 3.6.2.exe
[2010/03/31 00:46:48 | 002,942,952 | ---- | M] (Siber Systems) -- J:\Documents and Settings\user\Desktop\AiRoboForm-onema.exe
[2010/03/30 01:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- J:\WINNT\System32\drivers\mbamswissarmy.sys
[2010/03/30 01:45:52 | 000,019,160 | ---- | M] (Malwarebytes Corporation) -- J:\WINNT\System32\drivers\mbam.sys
[2010/03/28 03:15:52 | 000,000,522 | ---- | M] () -- J:\Documents and Settings\user\Desktop\fix.bat
[2010/03/28 02:27:36 | 000,001,429 | ---- | M] () -- J:\Documents and Settings\user\Desktop\CCleaner.lnk
[2010/03/28 02:27:00 | 001,154,064 | ---- | M] (Piriform Ltd) -- J:\Documents and Settings\user\Desktop\ccsetup229_slim.exe
[2010/03/28 01:53:48 | 000,756,952 | ---- | M] () -- J:\Documents and Settings\user\Desktop\sys23004.exe
[2010/03/28 01:52:11 | 000,077,312 | ---- | M] () -- J:\mbr.exe
[2010/03/28 01:49:32 | 016,258,848 | ---- | M] (Sun Microsystems, Inc.) -- J:\Documents and Settings\user\Desktop\jre-6u18-windows-i586.exe
[2010/03/27 19:28:04 | 000,016,384 | ---- | M] () -- J:\WINNT\System32\Perflib_Perfdata_494.dat
[2010/03/27 17:10:45 | 000,016,384 | ---- | M] () -- J:\WINNT\System32\Perflib_Perfdata_928.dat
[2010/03/27 17:10:05 | 000,016,384 | ---- | M] () -- J:\WINNT\System32\Perflib_Perfdata_8bc.dat
[2010/03/27 16:37:18 | 000,016,384 | ---- | M] () -- J:\WINNT\System32\Perflib_Perfdata_4b8.dat
[2010/03/27 16:36:55 | 000,016,384 | ---- | M] () -- J:\WINNT\System32\Perflib_Perfdata_3dc.dat
[2010/03/27 14:45:32 | 000,016,384 | ---- | M] () -- J:\WINNT\System32\Perflib_Perfdata_3e8.dat
[2010/03/26 19:06:07 | 000,016,384 | ---- | M] () -- J:\WINNT\System32\Perflib_Perfdata_3d4.dat
[4 J:\WINNT\*.tmp files -> J:\WINNT\*.tmp -> ]
[2 J:\WINNT\System32\*.tmp files -> J:\WINNT\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/19 18:01:34 | 000,016,384 | ---- | C] () -- J:\WINNT\System32\Perflib_Perfdata_3f0.dat
[2010/04/19 18:00:30 | 000,016,384 | ---- | C] () -- J:\WINNT\System32\Perflib_Perfdata_2f0.dat
[2010/04/18 12:32:02 | 000,016,384 | ---- | C] () -- J:\WINNT\System32\Perflib_Perfdata_3f4.dat
[2010/04/18 12:30:58 | 000,016,384 | ---- | C] () -- J:\WINNT\System32\Perflib_Perfdata_120.dat
[2010/04/14 19:43:48 | 000,002,151 | ---- | C] () -- J:\Documents and Settings\user\Desktop\Attach.zip
[2010/04/14 19:43:44 | 000,001,726 | ---- | C] () -- J:\Documents and Settings\user\Desktop\ark.zip
[2010/04/14 19:08:09 | 000,525,824 | ---- | C] () -- J:\Documents and Settings\user\Desktop\dds.scr
[2010/04/14 19:01:17 | 000,006,520 | ---- | C] () -- J:\WINNT\System32\drivers\ghstwall.sys
[2010/04/14 19:01:17 | 000,001,600 | ---- | C] () -- J:\WINNT\System32\ghstwall.fir
[2010/04/14 19:01:15 | 000,000,593 | ---- | C] () -- J:\Documents and Settings\user\Desktop\GhostWall.lnk
[2010/04/14 18:25:06 | 000,000,020 | ---- | C] () -- J:\Documents and Settings\user\defogger_reenable
[2010/04/14 18:24:10 | 000,050,477 | ---- | C] () -- J:\Documents and Settings\user\Desktop\Defogger.exe
[2010/04/13 22:12:28 | 000,490,232 | ---- | C] () -- J:\Documents and Settings\user\Desktop\HelpAsst_mebroot_fix.exe
[2010/04/13 18:34:46 | 000,485,896 | ---- | C] () -- J:\Documents and Settings\user\Desktop\HAMeb_check.exe
[2010/04/12 18:34:52 | 000,001,374 | ---- | C] () -- J:\Documents and Settings\All Users\Desktop\AVG Free 9.0.lnk
[2010/04/07 20:05:19 | 000,000,036 | ---- | C] () -- J:\Documents and Settings\user\Local Settings\Application Data\housecall.guid.cache
[2010/04/07 19:39:29 | 001,074,232 | ---- | C] () -- J:\Documents and Settings\user\Desktop\RootkitBuster_2.80.1077.zip
[2010/04/07 18:53:38 | 018,499,623 | ---- | C] () -- J:\Documents and Settings\user\Desktop\vlc-1.0.5-win32.exe
[2010/04/07 18:25:07 | 000,000,679 | ---- | C] () -- J:\Documents and Settings\user\Desktop\StreamTorrent 1.0.lnk
[2010/04/07 18:24:24 | 001,245,385 | ---- | C] () -- J:\Documents and Settings\user\Desktop\StreamTorrent10Build0075.zip
[2010/04/07 18:15:56 | 003,005,440 | ---- | C] () -- J:\Documents and Settings\user\Desktop\TvantsSetup.exe
[2010/04/06 21:43:05 | 000,001,733 | ---- | C] () -- J:\Documents and Settings\All Users\Desktop\Microsoft Mouse.lnk
[2010/04/03 17:52:22 | 000,000,665 | ---- | C] () -- J:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/04/03 17:44:37 | 007,976,992 | ---- | C] () -- J:\Documents and Settings\user\Desktop\SUPERAntiSpyware.exe
[2010/04/02 01:59:28 | 000,939,756 | -H-- | C] () -- J:\WINNT\ShellIconCache
[2010/03/30 19:37:11 | 000,284,915 | ---- | C] () -- J:\Documents and Settings\user\Desktop\gmer.zip
[2010/03/28 03:16:42 | 000,077,312 | ---- | C] () -- J:\mbr.exe
[2010/03/28 03:14:40 | 000,000,522 | ---- | C] () -- J:\Documents and Settings\user\Desktop\fix.bat
[2010/03/28 01:53:43 | 000,756,952 | ---- | C] () -- J:\Documents and Settings\user\Desktop\sys23004.exe
[2010/03/28 01:52:10 | 000,077,312 | ---- | C] () -- J:\Documents and Settings\user\Desktop\mbr.exe
[2010/03/28 01:34:42 | 000,000,575 | ---- | C] () -- J:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/27 19:40:34 | 000,107,792 | ---- | C] () -- J:\WINNT\System32\dllcache\xlog.exe
[2010/03/27 19:40:11 | 000,080,304 | ---- | C] () -- J:\WINNT\System32\dllcache\vslinka.sys
[2010/03/27 19:34:44 | 000,042,192 | ---- | C] () -- J:\WINNT\System32\dllcache\atibt829.sys
[2010/03/27 19:34:44 | 000,016,976 | ---- | C] () -- J:\WINNT\System32\dllcache\atitvsnd.sys
[2010/03/27 19:28:04 | 000,016,384 | ---- | C] () -- J:\WINNT\System32\Perflib_Perfdata_494.dat
[2010/03/27 17:10:45 | 000,016,384 | ---- | C] () -- J:\WINNT\System32\Perflib_Perfdata_928.dat
[2010/03/27 17:10:05 | 000,016,384 | ---- | C] () -- J:\WINNT\System32\Perflib_Perfdata_8bc.dat
[2010/03/27 16:37:18 | 000,016,384 | ---- | C] () -- J:\WINNT\System32\Perflib_Perfdata_4b8.dat
[2010/03/27 16:36:55 | 000,016,384 | ---- | C] () -- J:\WINNT\System32\Perflib_Perfdata_3dc.dat
[2010/03/27 14:45:32 | 000,016,384 | ---- | C] () -- J:\WINNT\System32\Perflib_Perfdata_3e8.dat
[2010/03/26 19:06:07 | 000,016,384 | ---- | C] () -- J:\WINNT\System32\Perflib_Perfdata_3d4.dat
[2009/11/13 22:16:32 | 000,001,558 | ---- | C] () -- J:\Documents and Settings\user\.recently-used.xbel
[2009/10/11 23:45:37 | 000,057,344 | ---- | C] () -- J:\WINNT\System32\ff_vfw.dll
[2009/09/19 22:38:52 | 000,000,023 | ---- | C] () -- J:\WINNT\BlendSettings.ini
[2009/09/19 14:55:23 | 000,354,816 | ---- | C] () -- J:\WINNT\System32\psisdecd.dll
[2009/09/19 14:51:28 | 000,000,127 | ---- | C] () -- J:\Documents and Settings\user\Local Settings\Application Data\fusioncache.dat
[2009/09/19 13:17:47 | 000,000,164 | ---- | C] () -- J:\WINNT\avrack.ini
[2009/09/19 13:17:46 | 000,155,648 | ---- | C] () -- J:\WINNT\System32\RTLCPAPI.dll
[2009/09/19 12:34:32 | 000,002,334 | RHS- | C] () -- J:\Documents and Settings\All Users\ntuser.pol
[2009/09/19 12:34:32 | 000,000,178 | -HS- | C] () -- J:\Documents and Settings\user\ntuser.ini
[2009/09/19 12:34:31 | 001,392,640 | -H-- | C] () -- J:\Documents and Settings\user\NTUSER.DAT
[2009/09/19 12:34:31 | 000,001,024 | -H-- | C] () -- J:\Documents and Settings\user\ntuser.dat.LOG
[2009/09/19 12:29:38 | 000,021,952 | -H-- | C] () -- J:\Program Files\folder.htt
[1999/12/07 07:00:00 | 000,176,400 | ---- | C] () -- J:\WINNT\System32\qcut.dll
[1999/12/07 07:00:00 | 000,033,552 | ---- | C] () -- J:\WINNT\System32\efsadu.dll
[1999/12/07 07:00:00 | 000,007,265 | ---- | C] () -- J:\WINNT\System32\iasperf.ini
[1999/12/07 07:00:00 | 000,001,505 | ---- | C] () -- J:\WINNT\System32\faxperf.ini
[1999/12/07 07:00:00 | 000,000,023 | ---- | C] () -- J:\WINNT\welcome.ini
[1999/09/25 05:36:24 | 000,088,816 | ---- | C] () -- J:\WINNT\System32\drivers\lvcam.sys
[1999/09/25 05:36:22 | 000,017,424 | ---- | C] () -- J:\WINNT\System32\drivers\lvsound.sys

========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[2005/09/23 06:03:26 | 001,120,016 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- J:\WINNT\system32\webvw.dll
[2 J:\WINNT\system32\*.tmp files -> J:\WINNT\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >


< MD5 for: AGP440.SYS >
[2003/06/19 14:05:04 | 006,553,075 | ---- | M] () .cab file -- J:\WINNT\Driver Cache\i386\sp4.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2003/06/19 14:05:04 | 006,553,075 | ---- | M] () .cab file -- J:\WINNT\Driver Cache\i386\sp4.cab:atapi.sys
[2003/06/19 14:05:04 | 000,086,672 | ---- | M] (Microsoft Corporation) MD5=8C718AA8C77041B3285D55A0CE980867 -- J:\WINNT\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2003/06/19 14:05:04 | 000,047,888 | ---- | M] (Microsoft Corporation) MD5=5738D5804F61A1D30D86FA24DEE56E0C -- J:\WINNT\$NtUpdateRollupPackUninstall$\eventlog.dll
[2005/04/08 06:54:32 | 000,049,424 | ---- | M] (Microsoft Corporation) MD5=E7F03344AE103B02135C20112B557051 -- J:\WINNT\system32\dllcache\EVENTLOG.DLL
[2005/04/08 06:54:32 | 000,049,424 | ---- | M] (Microsoft Corporation) MD5=E7F03344AE103B02135C20112B557051 -- J:\WINNT\system32\EVENTLOG.DLL

< MD5 for: NETLOGON.DLL >
[2003/06/19 14:05:04 | 000,371,984 | ---- | M] (Microsoft Corporation) MD5=11B91C26925F56F577089FF88AA0BEC0 -- J:\WINNT\$NtUpdateRollupPackUninstall$\netlogon.dll
[2005/04/07 18:24:32 | 000,366,864 | ---- | M] (Microsoft Corporation) MD5=BE8FC3C74AB5212CD4067E8973764AD6 -- J:\WINNT\$NtUninstallKB954600_WM41$\netlogon.dll
[2005/04/08 06:54:32 | 000,366,864 | ---- | M] (Microsoft Corporation) MD5=BE8FC3C74AB5212CD4067E8973764AD6 -- J:\WINNT\$NtUninstallKB957097$\netlogon.dll
[2005/04/07 15:24:32 | 000,366,864 | ---- | M] (Microsoft Corporation) MD5=BE8FC3C74AB5212CD4067E8973764AD6 -- J:\WINNT\$NtUninstallKB960803$\netlogon.dll
[2005/04/07 18:24:32 | 000,366,864 | ---- | M] (Microsoft Corporation) MD5=BE8FC3C74AB5212CD4067E8973764AD6 -- J:\WINNT\$NtUninstallKB960859$\netlogon.dll
[2005/04/08 06:54:32 | 000,366,864 | ---- | M] (Microsoft Corporation) MD5=BE8FC3C74AB5212CD4067E8973764AD6 -- J:\WINNT\system32\dllcache\NETLOGON.DLL
[2005/04/07 18:24:32 | 000,366,864 | ---- | M] (Microsoft Corporation) MD5=BE8FC3C74AB5212CD4067E8973764AD6 -- J:\WINNT\system32\NETLOGON.DLL

< MD5 for: NVATABUS.SYS >
[2004/06/03 11:40:46 | 000,079,360 | R--- | M] (NVIDIA Corporation) MD5=46DEED4C6C5FA765F9A2C723BE60348D -- J:\WINNT\system32\drivers\nvatabus.sys

< MD5 for: SCECLI.DLL >
[2005/01/12 14:39:44 | 000,114,448 | ---- | M] (Microsoft Corporation) MD5=6FCCE1622E75C7DC46509F7EC4B314A3 -- J:\WINNT\system32\dllcache\scecli.dll
[2005/01/12 14:39:44 | 000,114,448 | ---- | M] (Microsoft Corporation) MD5=6FCCE1622E75C7DC46509F7EC4B314A3 -- J:\WINNT\system32\scecli.dll
[2003/06/19 14:05:04 | 000,114,448 | ---- | M] (Microsoft Corporation) MD5=FF11B32A906D75CD96957B66E318DAD0 -- J:\WINNT\$NtUpdateRollupPackUninstall$\scecli.dll

< %systemroot%\*. /mp /s >
< End of report >
[/codebox]

And here is the Extras file:

[codebox]OTL Extras logfile created on: 3/30/2010 6:43:08 PM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = J:\Documents and Settings\user\Desktop
Windows 2000 Professional Edition Service Pack 4 (Version = 5.0.2195) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 439.00 Mb Available Physical Memory | 43.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): J:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = J: | %SystemRoot% = J:\WINNT | %ProgramFiles% = J:\Program Files
Drive C: | 232.88 Gb Total Space | 45.82 Gb Free Space | 19.68% Space Free | Partition Type: NTFS
Drive D: | 97.66 Gb Total Space | 0.67 Gb Free Space | 0.69% Space Free | Partition Type: NTFS
Drive E: | 79.47 Gb Total Space | 0.02 Gb Free Space | 0.03% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
Drive G: | 494.80 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 14.12 Gb Total Space | 0.99 Gb Free Space | 7.00% Space Free | Partition Type: NTFS
Drive K: | 48.83 Gb Total Space | 12.81 Gb Free Space | 26.25% Space Free | Partition Type: NTFS
Drive L: | 50.11 Gb Total Space | 14.37 Gb Free Space | 28.67% Space Free | Partition Type: NTFS
Drive M: | 50.05 Gb Total Space | 0.34 Gb Free Space | 0.68% Space Free | Partition Type: NTFS
Drive Q: | 9.77 Gb Total Space | 0.01 Gb Free Space | 0.14% Space Free | Partition Type: NTFS
Drive V: | 9.77 Gb Total Space | 0.53 Gb Free Space | 5.38% Space Free | Partition Type: NTFS

Computer Name: FLOYD
Current User Name: user
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- J:\Program Files\Avant Browser\avant.exe (Avant Force)
.url [@ = InternetShortcut] -- J:\Program Files\Avant Browser\avant.exe (Avant Force)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "J:\Program Files\Avant Browser\avant.exe" %1 (Avant Force)
htmlfile [opennew] -- "J:\Program Files\Avant Browser\avant.exe" %1 (Avant Force)
http [open] -- "J:\Program Files\Avant Browser\avant.exe" %1 (Avant Force)
https [open] -- "J:\Program Files\Avant Browser\avant.exe" %1 (Avant Force)
InternetShortcut [open] -- "J:\Program Files\Avant Browser\avant.exe" %1 (Avant Force)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- %1
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Dimin.Viewer5] -- "Q:\emulation\sms\programs\DIMIN\Viewer5\imgview5.exe" -dir "%1" (DIMIN Software)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "J:\Programs\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "J:\Programs\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "J:\Programs\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services
"6481:TCP" = 6481:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"9926:TCP" = 9926:TCP:*:Enabled:Services
"9927:TCP" = 9927:TCP:*:Enabled:Services

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services
"6481:TCP" = 6481:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"9926:TCP" = 9926:TCP:*:Enabled:Services
"9927:TCP" = 9927:TCP:*:Enabled:Services

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{09F4655B-C804-4AD0-B7DF-078E338F8F85}" = League of Legends
"{118B9B3E-F425-4A11-B640-1C743DD10128}" = Puerto Rico
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 16
"{2C3738C9-56FA-410A-BCB5-79C5DFD238F0}" = TuneUp Utilities 2004
"{55638DD9-D5A9-11D3-B74B-204C4F4F5020}" = AMD's Cool'n'Quiet ™ Technology Version 1.0.1
"{6F716D8C-398F-11D3-85E1-005004838609}" = WebFldrs
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{786C5747-1033-0000-B58E-000000000001}" = Adobe Stock Photos 1.0
"{8270831B-8F2F-4B65-8E2C-9712054C38D1}" = ATI Catalyst Control Center
"{8E49C988-C8F1-4197-AA6B-94E49751F5D7}" = Microsoft IntelliType Pro 6.3
"{8EDBA74D-0686-4C99-BFDD-F894678E5B39}" = Adobe Common File Installer
"{92606477-9366-4D3B-8AE3-6BE4B29727AB}" = League of Legends
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{B74D4E10-1033-0000-0000-000000000001}" = Adobe Bridge 1.0
"{C3ABE126-2BB2-4246-BFE1-6797679B3579}" = LG USB Modem driver
"{C7DDA8E7-AD3D-4F51-AC1E-B0FF57002192}" = Microsoft IntelliPoint 6.3
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{E9787678-1033-0000-8E67-000000000001}" = Adobe Help Center 1.0
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"AutoHotkey" = AutoHotkey 1.0.48.03
"AvantBrowser" = Avant Browser (remove only)
"AVG8Uninstall" = AVG Free 8.5
"CCleaner" = CCleaner
"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2009-09-09
"ESET Online Scanner" = ESET Online Scanner v3
"ffdshow_is1" = ffdshow [rev 2527] [2008-12-19]
"FlashGet(JetCar)" = FlashGet(JetCar)
"Garena" = Garena
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox (3.5.8)" = Mozilla Firefox (3.5.8)
"MultiRes (remove only)" = MultiRes (remove only)
"NVIDIA Drivers" = NVIDIA Drivers
"OpenSource Flash Video Splitter" = OpenSource Flash Video Splitter (remove only)
"Q818043" = Windows 2000 Hotfix (SP5) Q818043
"Q828026" = Windows Media Player Hotfix [See Q828026 for more information]
"RealMedia" = RealMedia (remove only)
"RToolDS" = RToolDS v0.3.1382
"Runic Games Torchlight" = Torchlight
"Update Rollup 1" = Update Rollup 1 for Windows 2000 SP4
"uTorrent" = µTorrent
"Winamp" = Winamp
"WinGimp-2.0_is1" = GIMP 2.6.7
"WinRAR archiver" = WinRAR archiver
"WMP7" = Windows Media Player system update (9 Series)
"Yahoo! Companion" = Yahoo! Toolbar

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/27/2010 6:14:53 PM | Computer Name = FLOYD | Source = Perflib | ID = 1015
Description = The timeout waiting for the performance data collection function "PerfProc"
in
the "J:\WINNT\system32\perfproc.dll" Library to finish has expired. There may be
a problem with this extensible counter or the service it is collecting data from
or the system may have been very busy when this call was attempted.

Error - 3/27/2010 6:14:54 PM | Computer Name = FLOYD | Source = Perflib | ID = 1015
Description = The timeout waiting for the performance data collection function "PerfProc"
in
the "J:\WINNT\system32\perfproc.dll" Library to finish has expired. There may be
a problem with this extensible counter or the service it is collecting data from
or the system may have been very busy when this call was attempted.

Error - 3/27/2010 8:27:44 PM | Computer Name = FLOYD | Source = Perflib | ID = 2002
Description = The open procedure for service "PerfDisk" in DLL "J:\WINNT\system32\perfdisk.dll"
has taken longer than the established wait time to complete. There may be a problem
with this extensible counter or the service it is collecting data from or the system
may have been very busy when this call was attempted.

Error - 3/28/2010 2:27:06 AM | Computer Name = FLOYD | Source = Perflib | ID = 2002
Description = The open procedure for service "PerfDisk" in DLL "J:\WINNT\system32\perfdisk.dll"
has taken longer than the established wait time to complete. There may be a problem
with this extensible counter or the service it is collecting data from or the system
may have been very busy when this call was attempted.

Error - 3/28/2010 3:38:21 AM | Computer Name = FLOYD | Source = Userenv | ID = 1000
Description = Windows cannot unload your registry file. If you have a roaming profile,
your settings are not replicated. Contact your administrator. DETAIL - Access
is denied. , Build number ((2195)).

Error - 3/28/2010 3:40:08 AM | Computer Name = FLOYD | Source = Perflib | ID = 2002
Description = The open procedure for service "PerfDisk" in DLL "J:\WINNT\system32\perfdisk.dll"
has taken longer than the established wait time to complete. There may be a problem
with this extensible counter or the service it is collecting data from or the system
may have been very busy when this call was attempted.

Error - 3/28/2010 11:23:34 PM | Computer Name = FLOYD | Source = Userenv | ID = 1000
Description = Windows cannot unload your registry file. If you have a roaming profile,
your settings are not replicated. Contact your administrator. DETAIL - Access
is denied. , Build number ((2195)).

Error - 3/28/2010 11:25:24 PM | Computer Name = FLOYD | Source = Perflib | ID = 2002
Description = The open procedure for service "PerfDisk" in DLL "J:\WINNT\system32\perfdisk.dll"
has taken longer than the established wait time to complete. There may be a problem
with this extensible counter or the service it is collecting data from or the system
may have been very busy when this call was attempted.

Error - 3/29/2010 2:31:15 AM | Computer Name = FLOYD | Source = Userenv | ID = 1000
Description = Windows cannot unload your registry file. If you have a roaming profile,
your settings are not replicated. Contact your administrator. DETAIL - Access
is denied. , Build number ((2195)).

Error - 3/30/2010 8:25:34 PM | Computer Name = FLOYD | Source = Perflib | ID = 2002
Description = The open procedure for service "PerfDisk" in DLL "J:\WINNT\system32\perfdisk.dll"
has taken longer than the established wait time to complete. There may be a problem
with this extensible counter or the service it is collecting data from or the system
may have been very busy when this call was attempted.

[ System Events ]
Error - 10/29/2009 12:32:10 AM | Computer Name = FLOYD | Source = Service Control Manager | ID = 7031
Description = The HID Input Service service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 0 milliseconds:
No action.

Error - 11/8/2009 6:23:25 PM | Computer Name = FLOYD | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
NOTEBOOK that believes that it is the master browser for the domain on transport
NetBT_Tcpip_{BE1EBAB5-F7E9-474F-. The master browser is stopping or an election
is being forced.

Error - 11/10/2009 7:49:13 PM | Computer Name = FLOYD | Source = Service Control Manager | ID = 7031
Description = The HID Input Service service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 0 milliseconds:
No action.

Error - 11/20/2009 10:09:47 PM | Computer Name = FLOYD | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 11/22/2009 6:01:19 PM | Computer Name = FLOYD | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 11/22/2009 10:09:41 PM | Computer Name = FLOYD | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 11/28/2009 12:57:47 PM | Computer Name = FLOYD | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 12/9/2009 12:12:46 PM | Computer Name = FLOYD | Source = Removable Storage Service | ID = 262260
Description = RSM could not identify the media in drive Drive 0 of library SONY
DVD-ROM DDU1621. An error was encountered while attempting to read data from the
media.

Error - 12/9/2009 3:01:44 PM | Computer Name = FLOYD | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
NOTEBOOK that believes that it is the master browser for the domain on transport
NetBT_Tcpip_{BE1EBAB5-F7E9-474F-. The master browser is stopping or an election
is being forced.

Error - 12/14/2009 8:55:03 PM | Computer Name = FLOYD | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.


< End of report >
[/codebox]

There is one other odd thing about my computer. Recently, every time I start it and move the mouse I get an error message telling
me that hidserv.exe has generated errors and has closed. I have the most current drivers for my mouse, so I'm not sure why this is
happening. I don't know if this has any relevance to this rootkit, but I thought it could possibly be related. If not, it is of little
consequence to me, as my mouse and keyboard both continue to work fine.

Thanks again, accuno

Edited by accuno, 19 April 2010 - 07:43 PM.
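
The OTL "Custom Scans" block above (the `< MD5 for: ... >` sections, the `/lockedfiles` scan and the firewall `GloballyOpenPorts` lists) is where a helper looks for the usual Mebroot tell-tales: a live driver such as atapi.sys whose hash no longer matches the dllcache copy, a system DLL the tool could not hash because something holds it locked, and firewall exceptions nobody remembers adding. The following Python is an added example, not part of the original post or of OTL itself; it automates those three checks over lines copied from the log above. All function names are my own, and the second scecli.dll line with the all-zero MD5 is constructed so that the mismatch path is exercised.

```python
"""Added example (not from the original post or from OTL): parse the OTL
sections that matter for a Mebroot check and flag what a helper looks for."""
import re
from collections import defaultdict

# Sample input copied from the OTL log above, except the second scecli.dll
# line, whose all-zero MD5 is constructed to show the mismatch path.
SAMPLE_LOG = r"""
< %systemroot%\system32\*.dll /lockedfiles >
[2005/09/23 06:03:26 | 001,120,016 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- J:\WINNT\system32\webvw.dll

< MD5 for: ATAPI.SYS >
[2003/06/19 14:05:04 | 006,553,075 | ---- | M] () .cab file -- J:\WINNT\Driver Cache\i386\sp4.cab:atapi.sys
[2003/06/19 14:05:04 | 000,086,672 | ---- | M] (Microsoft Corporation) MD5=8C718AA8C77041B3285D55A0CE980867 -- J:\WINNT\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2005/04/08 06:54:32 | 000,049,424 | ---- | M] (Microsoft Corporation) MD5=E7F03344AE103B02135C20112B557051 -- J:\WINNT\system32\dllcache\EVENTLOG.DLL
[2005/04/08 06:54:32 | 000,049,424 | ---- | M] (Microsoft Corporation) MD5=E7F03344AE103B02135C20112B557051 -- J:\WINNT\system32\EVENTLOG.DLL

< MD5 for: SCECLI.DLL >
[2005/01/12 14:39:44 | 000,114,448 | ---- | M] (Microsoft Corporation) MD5=6FCCE1622E75C7DC46509F7EC4B314A3 -- J:\WINNT\system32\dllcache\scecli.dll
[2005/01/12 14:39:44 | 000,114,448 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000000 -- J:\WINNT\system32\scecli.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"65533:TCP" = 65533:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"9926:TCP" = 9926:TCP:*:Enabled:Services
"""

SECTION = re.compile(r"^< MD5 for: (?P<name>.+?) >$")
MD5_LINE = re.compile(r"MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>.+)$")
LOCKED_LINE = re.compile(r"Unable to obtain MD5 -- (?P<path>.+)$")
PORT_LINE = re.compile(
    r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"\s*=\s*\d+:(?:TCP|UDP):[^:]*:[^:]*:(?P<label>.+)$')


def parse_md5_sections(text):
    """Return {section name (lower case): [(path, md5 or None), ...]}.
    .cab members are listed by OTL without a hash, hence the None."""
    sections = defaultdict(list)
    current = None
    for line in text.splitlines():
        if not line.strip():
            current = None            # OTL separates sections with a blank line
            continue
        m = SECTION.match(line)
        if m:
            current = m.group("name").lower()
            continue
        if current is None or not line.startswith("["):
            continue
        m = MD5_LINE.search(line)
        if m:
            sections[current].append((m.group("path"), m.group("md5").upper()))
        else:
            sections[current].append((line.rsplit(" -- ", 1)[-1], None))
    return dict(sections)


def is_reference_copy(path):
    """dllcache and $NtUninstall...$ backups are the copies we compare against."""
    p = path.lower()
    return "\\dllcache\\" in p or "\\$nt" in p


def hash_mismatches(sections):
    """Live copies whose MD5 matches no reference copy ("mismatched"), and live
    copies with no hashed reference copy at all ("unverified", e.g. only a .cab)."""
    report = {"mismatched": [], "unverified": []}
    for name, entries in sections.items():
        known_good = {h for p, h in entries if h and is_reference_copy(p)}
        for path, h in entries:
            if h is None or is_reference_copy(path):
                continue
            if not known_good:
                report["unverified"].append((name, path))
            elif h not in known_good:
                report["mismatched"].append((name, path, h))
    return report


def unhashable_files(text):
    """Files OTL could not hash: something held them locked, worth a second look."""
    return [m.group("path") for m in map(LOCKED_LINE.search, text.splitlines()) if m]


def odd_firewall_exceptions(text, allow=frozenset()):
    """Every GloballyOpenPorts entry except ports the owner recognises.
    A heuristic for review, not a verdict: a real service may legitimately listen."""
    found = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m and int(m.group("port")) not in allow:
            found.append((int(m.group("port")), m.group("proto"), m.group("label")))
    return found


if __name__ == "__main__":
    report = hash_mismatches(parse_md5_sections(SAMPLE_LOG))
    for kind, items in report.items():
        for item in items:
            print(kind, *item)
    for path in unhashable_files(SAMPLE_LOG):
        print("locked", path)
    for port, proto, label in odd_firewall_exceptions(SAMPLE_LOG, allow={3389}):
        print("firewall", port, proto, label)
```

On the posted log itself the only hits are the locked webvw.dll and the six high "Services" ports; atapi.sys comes out as unverified because the sp4.cab entry carries no hash, which is why the helpers fall back to mbr.exe for that file.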


#4 myrti (Malware Study Hall Admin)

Posted 20 April 2010 - 01:33 PM

Hi,
Let's check how much of the infection is present. It isn't made for Windows 2000.

Please download SystemLook from jpshortstuff and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click the SystemLook and copy/paste the following into the box
    CODE
    :filefind
    termsrv.dll
    termsrv32.dll
    :reg
    HKLM\SYSTEM\CurrentControlSet\Services\TermService /s
  • Hit the Look button. Let it finish the scan
  • A log will then pop-up to your Desktop.. Post the content of the log here in your next reply

Please try to run profiles.exe as well and post the log:
http://noahdfear.net/downloads/profiles.exe

regards myrti



#5 accuno (Topic Starter)

Posted 20 April 2010 - 06:11 PM

SystemLook ran fine, but profiles.exe would instantly pop up a blank text file named prof.txt when I would run it.
Here is the SystemLook log:

[codebox]SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 18:05 on 20/04/2010 by user (Administrator - Elevation successful)

========== filefind ==========

Searching for "termsrv.dll"
No files found.

Searching for "termsrv32.dll"
No files found.

========== reg ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]
(Unable to open key - key not found)

-=End Of File=-[/codebox]

#6 myrti

Posted 21 April 2010 - 04:46 AM

Hi,

this is looking good. I assume you haven't installed the Terminal Services? (If you don't know what this is, it means no.)

Please download mbr.exe and save it to your root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe -f >"C:\mbr.log"
    Note: There is a blank between mbr.exe and -t.
  • press Enter.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\). The file will not open automatically, you need to go to C:\mbr.log yourself and open it.
  • Copy and paste the results of the mbr.log in your next reply.

Then open Notepad and copy/paste the code box below into a new text file.
[codebox]@echo off
net user HelpAssistant /active:no >nul 2>&1
net localgroup Administrators HelpAssistant /delete >nul 2>&1
attrib -s -h -r C:\docume~\HelpAssistant\* /s /d
del /s/q C:\docume~\HelpAssistant\*.*
rmdir /s/q C:\docume~\HelpAssistant[/codebox]
  • Save the file as regquery.bat by choosing save as *All Files, and save it to your Desktop.
  • Locate "regquery.bat" and double-click on it to run. (It is important that you run the script from the drive where your operating system is installed).
  • It will open a text file, please copy the content in your next reply.

Do you have a Windows CD close by?

regards myrti



#7 accuno

Posted 21 April 2010 - 08:52 PM

OK, I ran mbr.exe as you said, and this is what was in the log:

[codebox]Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully[/codebox]

This is exactly how it responded the previous times that I ran it. Oddly, the only time I saw anything different was when I ran the HAMeb_check.exe program that quietman7 told me to run in my original thread in the "Am I Infected?" forum. When I ran the batch file a command prompt window opened and closed, but no text file was created and nothing else seemed to happen. I changed all three instances of "C:\" to "J:\" as that is where my OS is installed, but maybe there was something I missed. I'm curious if by not allowing the HelpAssistant account to be created on boot up I am undermining some of these tests.

As far as the Windows CD goes, I do have a Windows 2000 install disk that I created with service pack 4 integrated, but I long ago lost the original CD. This CD seems to behave abnormally when I try to use it to fix an installation, as I will constantly be asked to put the Windows disk in the drive, so I'm not sure if it works correctly for that purpose. I would have access to an XP install disk, if that would help.

I'm really sorry if this is turning into more of a difficulty than you had expected, but I am really grateful for your trying to help me.

#8 myrti

Posted 24 April 2010 - 03:14 PM

Hi,

please let me know if the folder is still being created on startup. It is possible that mbr.exe can not fix the infection, then we will need your W2K CD to fix it from recovery console. Your CD will be fine for that.

regards myrti



#9 accuno

Posted 24 April 2010 - 07:05 PM

Yes, it will still create if I allow it to.

#10 myrti

Posted 25 April 2010 - 06:11 AM

Hi,

ok, then please do the following:
  • Insert the Windows W2K CD-ROM into the CD-ROM drive, and then restart the computer.

  • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    • Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
    • The tab should now show your current boot order.
      If the CD-drive is not at the top, please navigate to the CD-Rom drive with the keys arrows. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However they can be different, but they should be stated in the help, so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
  • Your PC should now boot from your XP-CD.
    Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.

  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.

  • When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.

  • A command prompt will open
  • Into that command prompt type fixmbr and hit enter.
  • Then type exit and hit enter to leave.

Once in normal mode again, please run this batch again:

[codebox]@echo off
net user HelpAssistant /active:no >nul 2>&1
net localgroup Administrators HelpAssistant /delete >nul 2>&1
attrib -s -h -r J:\docume~\HelpAssistant\* /s /d
del /s/q J:\docume~\HelpAssistant\*.*
rmdir /s/q J:\docume~\HelpAssistant[/codebox]


Reboot once more and let me know if the folder gets recreated.

regards myrti



#11 accuno

Posted 25 April 2010 - 10:55 PM

When I try and use the fixmbr command I get a warning that says "This computer appears to have a non-standard or invalid master boot record. FIXMBR may damage your partition tables if you proceed." I was afraid of something like this, the last time I re-installed my OS I was prevented from using C: as the drive letter of my new installation. Unless there is no other way to proceed I could try and risk it, but if there are any other options I would prefer to try them first.

Thanks again

#12 myrti

Posted 26 April 2010 - 02:31 PM

Hi,

normally this should be fine. A custom MBR may offer additional options, e.g. the particularities of a DELL MBR that I have mentioned previously. Another reason not to run fixmbr would be if you are using encrypted partitions.
For Dell users, fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).

What happens when you run fixmbr is that you overwrite the current MBR with the default MBR from Microsoft. If you don't have encryption active, this should not be a problem at all. This is currently the only possibility to clean the MBR, if you do not want to do this the only other solution is to reformat.
The letter for your partition is not relevant for the MBR. It does not look at the name, but only at the location of the partition.

regards myrti


Edited by myrti, 26 April 2010 - 02:32 PM.



#13 accuno

Posted 27 April 2010 - 08:21 PM

After backing up files from my drive I went ahead and ran the fixmbr command, and upon re-booting the HelpAssistant account and folder had both been re-created. I ran the batch file, deleted the folder and restarted, but the account had been re-enabled and the folder was there again.

#14 myrti

Posted 29 April 2010 - 03:13 AM

Hi,

I believe that fixmbr did not target the correct disk, could you please run the following command from your CD:

fixmbr \device\harddisk5

Afterwards please run the batch once more and let me know if the helpassistant account still gets recreated.

regards myrti

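Two points myrti makes above are easy to see once the MBR is taken apart: in #12, that fixmbr replaces only the boot code and leaves the partition table (and so the partitions, whatever drive letter Windows assigns them) in place, and in #14, that the command acts on one physical disk, so a machine with several disks can end up with the clean code written to the wrong one while the boot disk still carries the non-standard code. The Python below is an added example, not part of this thread and not the code of mbr.exe, fixmbr or SystemLook. The disk images, the "standard" and "tampered" boot code bytes and the baseline hash are constructed stand-ins; it parses the 512-byte sector layout, compares only the boot-code area against a known-good digest, and simulates a boot-code rewrite that keeps the disk signature and partition table untouched.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # x86 boot code; bytes 440-443 hold the NT disk signature, 444-445 are reserved
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
PART_ENTRY_FMT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
MBR_SIGNATURE = b"\x55\xaa"


def parse_partition_table(sector: bytes) -> list:
    """Return the non-empty entries of the four-slot MBR partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for slot in range(4):
        off = PART_TABLE_OFF + slot * PART_ENTRY_LEN
        status, ptype, lba_start, count = struct.unpack_from(PART_ENTRY_FMT, sector, off)
        if ptype != 0:         # partition type 0x00 marks an unused slot
            entries.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": count})
    return entries


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the boot-code area only; the partition table is excluded on purpose."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def build_mbr(boot_code: bytes, disk_sig: bytes, entries: list) -> bytes:
    """Assemble a sector from boot code, the 4-byte NT disk signature and partition entries."""
    sector = bytearray(SECTOR_SIZE)
    sector[:BOOT_CODE_LEN] = boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    sector[440:444] = disk_sig
    for e in entries:
        off = PART_TABLE_OFF + e["slot"] * PART_ENTRY_LEN
        struct.pack_into(PART_ENTRY_FMT, sector, off,
                         0x80 if e["bootable"] else 0x00, e["type"], e["lba_start"], e["sectors"])
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


def rewrite_boot_code(sector: bytes, standard_code: bytes) -> bytes:
    """Simulate a boot-code rewrite: replace bytes 0-439, keep disk signature, table and 0x55AA."""
    fixed = bytearray(sector)
    fixed[:BOOT_CODE_LEN] = standard_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    return bytes(fixed)


def nonstandard_disks(disks: dict, baseline_digest: str) -> list:
    """Names of every physical disk whose boot code differs from the known-good baseline."""
    return sorted(name for name, sector in disks.items()
                  if boot_code_digest(sector) != baseline_digest)


# --- constructed sample data: stand-ins, not real Microsoft or malware bytes ---
STANDARD_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 432
TAMPERED_CODE = b"\xeb\x3c\x90" + b"\x41" * 437
BASELINE = hashlib.sha256(STANDARD_CODE).hexdigest()   # would come from a trusted clean disk

TABLE = [{"slot": 0, "bootable": True, "type": 0x07, "lba_start": 63, "sectors": 20_964_762},
         {"slot": 1, "bootable": False, "type": 0x0b, "lba_start": 20_964_825, "sectors": 10_000_000}]

DISKS = {
    "harddisk0": build_mbr(STANDARD_CODE, b"\x11\x22\x33\x44", TABLE),  # clean disk
    "harddisk5": build_mbr(TAMPERED_CODE, b"\xaa\xbb\xcc\xdd", TABLE),  # the disk the OS actually boots from
}


def demo() -> dict:
    """Walk through the thread's scenario: wrong disk fixed first, then the right one."""
    before = {n: parse_partition_table(s) for n, s in DISKS.items()}
    flagged_before = nonstandard_disks(DISKS, BASELINE)

    after_disk0 = dict(DISKS)            # a rewrite aimed at disk 0 changes nothing on disk 5
    after_disk0["harddisk0"] = rewrite_boot_code(DISKS["harddisk0"], STANDARD_CODE)

    after_disk5 = dict(DISKS)            # a rewrite aimed at the boot disk clears the finding
    after_disk5["harddisk5"] = rewrite_boot_code(DISKS["harddisk5"], STANDARD_CODE)

    return {
        "flagged_before": flagged_before,
        "flagged_after_fixing_disk0": nonstandard_disks(after_disk0, BASELINE),
        "flagged_after_fixing_disk5": nonstandard_disks(after_disk5, BASELINE),
        "partition_tables_intact": all(parse_partition_table(after_disk5[n]) == before[n] for n in DISKS),
        "disk_signature_intact": after_disk5["harddisk5"][440:444] == DISKS["harddisk5"][440:444],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check hashes bytes 0-439 only, because partition entries and the disk signature legitimately differ from machine to machine; a baseline digest taken from a known-clean disk of the same Windows version is the comparison point. Running the scenario shows the order of events in the thread: the boot disk stays flagged after the first rewrite and is clean after the second, while its partition table and disk signature are byte-for-byte unchanged.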


#15 accuno

Posted 01 May 2010 - 02:31 PM

Sorry for the delay, I did as you said and on restart the folder was not created. I ran the batch and restarted, and there was still no folder created. Thank you again for all your help (and patience), I had considered trying the fixmbr command before I came here, but I would have never known that it could possibly target the wrong drive.



